In National Privacy Commission (“NPC”) Public Health Emergency (“PHE”) Bulletin No. 8, the NPC advised personal information controllers developing COVID-19-related apps, digital tools and solutions to ensure, even from the design stage, that their product’s design, functionalities, personal data collection and extent of processing must never deviate from the purpose of using collected information to defeat the COVID-19 pandemic. Once said purpose is achieved, the personal data processing must stop, while the collected and generated personal data must be disposed or discarded in a secure manner to prevent any further use.
The NPC reminded these PICs as well that they must collect only the minimum data necessary to achieve their declared and specific purpose, using the least intrusive method available. Further, they must also ensure transparency by telling individual users, through an easy-to-understand privacy notice, how the app or digital tool and solution shall collect, use, store, and dispose their personal data. Users must also be made aware of the persons to whom, if any, their personal data shall be disclosed in the course of the PICs’ processing. Finally, the NPC cautioned that PICs are obliged to put in place the appropriate security measures and inform users of their rights as data subjects. These PICs must likewise incorporate mechanisms into their apps or digital tools and solutions to enable the exercise by the users of such rights.