The National Privacy Commission (NPC) affirmed that the Commission on Audit (COA) has the constitutional mandate to examine resources owned or held in trust by the state-owned Philippine Health Insurance Corp. (PhilHealth), which is under investigation on corruption charges.
In Advisory Opinion No. 2020-016, NPC reiterates that the Data Privacy Act (DPA) does not obstruct the functions of public authorities.
“DPA is not a restriction on COA’s gaining access to the personal information of data subjects collection by PhilHealth,” said NPC Commissioner Raymund E. Liboro.
NPC released this opinion in light of PhilHealth’s concern that allowing COA to acquire personal information under its custody and safekeeping, if done through remote access or database cloning, may lead to a personal data breach.
“It falls on COA and its sound judgment in determining what methods to use in the collection or gathering of personal data to perform its auditing function,” said Liboro.
In processing personal data, the COA must ensure that “personal data collected and processed shall be adequate, relevant, suitable, necessary and not excessive in relation to its declared and specified purpose, and that personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means,” said Liboro.