UNIT V - POLICIES, GUIDELINES AND LAWS IN NURSING INFORMATICS
Nursing Informatics
Intrusive acts
• Collecting and storing unnecessary personal data
• Disclosing data to individuals or organizations that do not have a genuine need for it
• Using private information for something other than the original purpose could be considered intrusive
Who stores data about you?
What is more
important, Data or
Money?
“Data is more valuable than money. If
someone takes your money, that’s all they
have. If you let someone take your data,
they may eventually take your money too!”
Republic Act 10173 or Data Privacy Act of 2012
Data Privacy Act of the Philippines
What is privileged
communication?
• is an interaction between two
parties in which the law
recognizes a private, protected
relationship.
• Whatever is communicated
between the two parties must
remain confidential, and the
law cannot force their
disclosure.
• Even disclosure by one of the
parties comes with legal
limitations.
What is privileged information?
refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
Who is data subject?
refers to an individual whose personal information is processed.
Who are the Personal information controller?
refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
Personal information controller
• The term excludes:
• (1) A person or organization who performs such functions as
instructed by another person or organization; and
• (2) An individual who collects, holds, processes or uses
personal information in connection with the individual’s personal,
family or household affairs.
Sensitive information
• refers to data that, if exposed or misused, could result in harm, embarrassment, or discrimination to the individual concerned. This type of information typically includes personal details about an individual's race or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, or sexual orientation.
Sensitive personal information refers to
personal information:
• (1) About an individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
• (2) About an individual’s health, education, genetic or sexual life
of a person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal of
such proceedings, or the sentence of any court in such
proceedings;
• (3) Issued by government agencies peculiar to an individual
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
• (4) Specifically established by an executive order or an act of
Congress to be kept classified.
Data
encryption
• translates data into another
form, or code, so that only
people with access to a secret
key (formally called a
decryption key) or password
can read it. Encrypted data is
commonly referred to as
ciphertext, while unencrypted
data is called plaintext
CHAPTER III PROCESSING OF PERSONAL
INFORMATION
SEC. 11. General Data Privacy Principles. –
The processing of personal information
shall be allowed, subject to compliance with
the requirements of this Act and other laws
allowing disclosure of information to the
public and adherence to the principles of
transparency, legitimate purpose and
proportionality.
Transparency
The data subject must be aware of the nature,
purpose and extent of the processing of his or
her personal data, including the risks and
safeguards involved, the identity of personal
information controller, his or her rights as data
subject, and how these can be exercised,
Legitimate purpose
• Processing of information shall be compatible
with a declared and specified purpose
which must not be contrary to law, morals
and public policy
Proportionality
• Processing of information shall be adequate, relevant,
suitable, necessary and not excessive in relation to a
declared and specified purpose. Personal data shall
be processed only if the purpose of the processing
could not reasonably be fulfilled by other means.
Chapter III, Sec. 11 General Data Privacy Principle
Personal information must be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
Summary
Chapter III, Sec. 11 General Data Privacy Principle
a. Collected for specified and legitimate purposes determined and declared before,
b. Processed fairly and lawfully
c. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information,
d. Adequate and not excessive
e. Retained only for as long as necessary
f. Kept in a form which permits identification of data subjects for no longer than is necessary
Chapter III, SEC. 12. Criteria
for Lawful Processing of
Personal Information.
The processing of
personal information
shall be permitted only
if not otherwise
prohibited by law, and
when at least one of
the following
conditions exists:
(a) The data
subject has given
his or her
consent;
(b) The processing of
personal information is
necessary and is related to
the fulfillment of a contract
with the data subject or in
order to take steps at the
request of the data subject
prior to entering into a
contract;
(c) The processing is
necessary for
compliance with a
legal obligation to
which the personal
information controller
is subject;
(d) The processing
is necessary to
protect vitally
important interests
of the data subject,
including life and
health;
(e) The processing is necessary
in order to respond to national
emergency, to comply with the
requirements of public order and
safety, or to fulfill functions of
public authority which
necessarily includes the
processing of personal data for
the fulfillment of its mandate; or
(f) The processing is necessary for
the purposes of the legitimate
interests pursued by the personal
information controller or by a third
party or parties to whom the data is
disclosed, except where such
interests are overridden by
fundamental rights and freedoms
of the data subject which require
protection under the Philippine
Constitution.
Chapter III, SEC. 13. Sensitive
Personal Information and
Privileged Information.
• The processing of sensitive
personal information and
privileged information shall
be prohibited, except in the
following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and
noncommercial objectives of public organizations and their
associations: Provided, That such processing is only confined
and related to the bona fide members of these organizations or
their associations: Provided, further, That the sensitive personal
information are not transferred to third parties: Provided, finally,
That consent of the data subject was obtained prior to
processing;
(e) The processing is necessary for purposes of medical
treatment, is carried out by a medical practitioner or a
medical treatment institution, and an adequate level of
protection of personal information is ensured; or
(f) The processing concerns such personal
information as is necessary for the protection
of lawful rights and interests of natural or legal
persons in court proceedings, or the
establishment, exercise or defense of legal
claims, or when provided to government or
public authority.
SEC. 14. Subcontract of Personal Information.
A personal information controller may subcontract the processing of
personal information:
Provided, That the personal information controller shall be
responsible for ensuring that proper safeguards are in place to
ensure the confidentiality of the personal information processed,
prevent its use for unauthorized purposes, and generally, comply
with the requirements of this Act and other laws for processing of
personal information. The personal information processor shall
comply with all the requirements of this Act and other applicable
laws.
SEC. 15. Extension of Privileged Communication.
Personal information controllers may
invoke the principle of privileged
communication over privileged information
that they lawfully control or process.
Subject to existing laws and regulations,
any evidence gathered on privileged
information is inadmissible
SEC. 16. Rights of the Data Subject. – The data
subject is entitled to:
(a) Be informed
whether personal
information pertaining
to him or her shall be,
are being or have been
processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller, or at the next
practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be
disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or
its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a
complaint before the Commission.
RIGHT TO OBJECT
The data subject shall have the right to object to the processing of his or her personal data including processing of direct marketing, automated processing or profiling.
When a subject objects or withholds consent, the personal information controller shall no longer process the personal data unless:
1. The personal data is needed pursuant to a subpoena;
2. The collection is for obvious purposes including when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of legal obligation.
Right to access
The data subject has the right to reasonable access to, upon demand, the following:
• The contents of his or her personal data that were processed
• Sources from which personal data were obtained
• Names and addresses of recipients of the personal data
• Manner by which such data were processed
• Reasons for the disclosure of the personal data to recipients, if any
• Information on automated process where the data will, or is likely to be made as the sole basis for any decision that significantly affects or will affect the data subject
• Date when his or her personal data, concerning the data subject were last accessed and modified; and
• The designation, name or identity, and address of the personal information controller.
Right to rectification
The data subject has the right to dispute the inaccuracy or error in the personal data and have personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
Right to erasure or
blocking
The right may be exercised upon discovery
and substantial proof of any of the following:
1. The personal data is incomplete,
outdated, false, or unlawfully obtained.
2. The personal data is being used for
purpose not authorized by the data
subject
3. The personal data is no longer
necessary for the purpose for which
they were collected
4. The data subject withdraws consent or
objects to the processing and there is no legal
ground or overriding legitimate interest for the
processing;
5. The personal data concerns private
information that is prejudicial to data subject
6. The processing is unlawful
7. The personal information controller or
personal information processor violated the
rights of the data subject.
SEC. 17. Transmissibility of Rights of the Data
Subject.
The lawful heirs and assigns of the data
subject may invoke the rights of the data
subject for which he or she is an heir or
assignee at any time after the death of the
data subject or when the data subject is
incapacitated or incapable of exercising the
rights as enumerated in the immediately
preceding section.
SEC. 18. Right to Data Portability
The data subject shall have the right, where
personal information is processed by electronic
means and in a structured and commonly used
format, to obtain from the personal information
controller a copy of data undergoing processing
in an electronic or structured format, which is
commonly used and allows for further use by the
data subject.
SEC. 19. Non-Applicability
The immediately preceding sections are not applicable if the
processed personal information are used only for the needs of
scientific and statistical research and, on the basis of such, no
activities are carried out and no decisions are taken regarding the
data subject: Provided, That the personal information shall be held
under strict confidentiality and shall be used only for the declared
purpose. Likewise, the immediately preceding sections are not
applicable to processing of personal information gathered for the
purpose of investigations in relation to any criminal, administrative
or tax liabilities of a data subject.
CHAPTER V
SECURITY OF
PERSONAL
INFORMATION
• SEC. 20. Security of Personal
Information. – (a) The personal
information controller must
implement reasonable and
appropriate organizational, physical
and technical measures intended
for the protection of personal
information against any accidental
or unlawful destruction, alteration
and disclosure, as well as against
any other unlawful processing.
(b) The personal information
controller shall implement
reasonable and appropriate
measures to protect personal
information against natural
dangers such as accidental loss
or destruction, and human
dangers such as unlawful
access, fraudulent misuse,
unlawful destruction, alteration
and contamination.
• (c) The determination of the
appropriate level of security under
this section must take into account
the nature of the personal
information to be protected, the
risks represented by the processing,
the size of the organization and
complexity of its operations, current
data privacy best practices and the
cost of security implementation.
Subject to guidelines as the Commission may issue from
time to time, the measures implemented must include:
(1) Safeguards to protect its
computer network against
accidental, unlawful or
unauthorized usage or interference
with or hindering of their
functioning or availability;
(2) A security policy with
respect to the processing
of personal information;
(3) A process for identifying and
accessing reasonably foreseeable
vulnerabilities in its computer networks,
and for taking preventive, corrective and
mitigating action against security
incidents that can lead to a security
breach; and
(4) Regular monitoring for security
breaches and a process for taking
preventive, corrective and
mitigating action against security
incidents that can lead to a
security breach.
• (d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
• (e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the
Commission and affected data subjects when sensitive personal
information or other information that may, under the circumstances, be
used to enable identity fraud are reasonably believed to have been
acquired by an unauthorized person, and the personal information
controller or the Commission believes that such unauthorized
acquisition is likely to give rise to a real risk of serious harm to any
affected data subject. The notification shall at least describe the
nature of the breach, the sensitive personal information possibly
involved, and the measures taken by the entity to address the breach.
Notification may be delayed only to the extent necessary to determine
the scope of the breach, to prevent further disclosures, or to restore
reasonable integrity to the information and communications system.
Let’s summarize
Organizational
Security measures
• Where appropriate, personal information
controllers and personal information
processors shall comply with the following
guidelines for organizational security
a. Compliance officers
b. Data protection policies
c. Records of processing activities
d. Management of human resources
e. Processing of personal data
Physical security measures
a. Policies and procedures shall be implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media:
b. Design of office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data and taking into consideration the environment and accessibility to the public:
c. The duties, responsibilities and schedule of individuals involved in the processing of personal data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station at any given time
Any natural or juridical person or other body involved in the processing of personal data shall implement policies and procedures regarding the transfer, removal, disposal and reuse of electronic media, to ensure appropriate protection of personal data
Policies and procedures that prevent the mechanical destruction of files and equipment shall be established. The room and workstation used in the processing of personal data shall, as far as practicable, be secured against natural disaster, power disturbances, external access and other similar threats.