Can I delete patient’s record from the system when patients withdraw consent?

Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law. Information controllers usually solicit your consent through a consent form. Aside from protecting you against unfair means of personal data collection, this right also requires personal information controllers (PICs) to notify you in a timely manner if your data have been compromised.

As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.

Example:

A medical doctor in a private hospital in Manila recorded a conversation with his lady patient without the patient’s knowledge and prior consent. Upon realizing what was happening, the patient immediately confronted the doctor and expressed her strong dismay, pointing out the physician’s lack of professionalism in failing to recognize her personal right to privacy. She said she could have given her consent anyway if only she had been asked politely. The doctor apologized and explained that his action was just meant to aid his recall, especially when he later examined the case, saying he just wanted to provide the best possible service, which the patient deserves. The patient, however, demanded that the doctor delete the recorded conversation and canceled the medical consultation. She said that if the doctor does not even know the basic courtesy of asking for consent, then how can he expect to win the patients’ confidence in his competence as a medical practitioner.

Take note of this:

To protect your privacy, the Philippine data privacy law explicitly requires organizations to notify you and furnish you with the following information before they enter your personal data into any processing system (or at the next practical opportunity at least):

  • Description of the personal data to be entered into the system
  • Exact purposes for which they will be processed (such as for direct marketing, statistical, scientific, etc.)
  • Basis for processing, especially when it is not based on your consent
  • Scope and method of the personal data processing
  • Recipients, to whom your data may be disclosed
  • Methods used for automated access by the recipient, and its expected consequences for you as a data subject
  • Identity and contact details of the personal information controller
  • The duration for which your data will be kept
  • You also have to be informed of the existence of your rights as a data subject.

Additional notes:

In recording a conversation or interview with someone, it is enough to verbally ask for direct consent from the individual data subject. If the subject yields, it would be useful to also mention as part of the recorded conversation that the subject knows the conversation is being recorded and that you asked for and were given the consent. It would be even better if you could get the subject to verbally confirm his consent.

Banks involved in phone banking tell their callers that the conversation with their call center agent will be recorded, and that proceeding with the call is an indication of their consent. This practice is considered sufficient notice.

Websites resort to publishing a Privacy Notice page, which essentially accomplishes the same thing. Similar privacy notices should be made in public establishments equipped with security CCTVs.

Whenever anyone is making an audio or video recording of you, or even just taking your pictures, you have a right to know, and you must always be given the chance to opt out when you don’t feel comfortable.

A salesman may be collecting detailed personal data about you and your family without your permission, under the pretext of targeting you as a prospective customer to tailor-fit their offerings to your individual needs. This, by itself, may be potentially beneficial to you. But since your personal privacy and safety become potentially at risk, you have a right to be informed if you are being individually targeted in a sales campaign like this.

It should be as easy to withdraw as to give consent. If consent is withdrawn, your company/organisation can no longer process the data. Once consent has been withdrawn, your company/organisation needs to ensure that the data is deleted unless it can be processed on another legal ground (for example storage requirements or as far as it is a necessity to fulfil the contract).

If the data was being processed for several purposes, your company/organisation can’t use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent.

Example

You’re providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.

Consent Obligation: Only collect, use or disclose personal data for purposes which an individual has given his/her consent to. Allow the individual to withdraw consent, with reasonable notice, and inform him/her of the likely consequences of withdrawal.

What is considered personal data under the PDPA by itself?

Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

What action must take place before an organization may collect personal data?

Organisations generally have to obtain your consent and inform you of the purpose(s) for the collection, use and disclosure of your personal data. If you have any questions, you may contact the organisation's data protection officer (DPO).

What constitutes breach of PDPA?

First, the organisation failed to put in place reasonable measures to protect personal data on its website database. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to comply with the PDPA.