The National Privacy Commission (NPC) has recently issued a reminder to all personal information controllers (PICs) to get the consent of vaccinees before using any personal information in their vaccination cards for promos, raffles, or discounts.
The agency issued the reminder after it received concerns about the collection of copies of coronavirus disease (COVID-19) vaccination cards by certain companies wishing to reward vaccinated individuals by offering them rewards.
NPC Commissioner Raymund Liboro said that vaccination cards contained sensitive personal information such as the vaccinee’s age, date of birth, and health information.
“While we laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19, we must also remind all PICs of the need to establish a lawful basis in the conduct of their respective personal data processing activities,” Liboro said in a statement.
“Securing the free and informed consent of the individuals may be a lawful basis,” he added.
For consent to be valid, Liboro said it must be freely given, specific, informed, and an indication of will.
“This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic, or recorded means,” he said.
According to the NPC chief, a privacy notice must be provided to inform the vaccinees wishing to avail of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency.
He also reminded the PICs that the use of the vaccine card must be limited to the intended purpose of giving promos, raffles, or discounts.
“It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose,” he said.
The privacy commission stressed that vaccine cards should never be posted by PICs on public platforms.
Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws, it noted.