News & Blogs
April 21 2017

MakatiMed holds forum on Social Media, Data Privacy Act

Makati Medical Center held “Privacy in the Age of Social Media: A Primer on the Data Privacy Act on 2012” with guest speaker Ivy D. Patdu, MD, JD, Deputy Commissioner of the National Privacy Commission (NPC).

The forum, held on April 21 at the 8th Floor Tower 2 Auditorium, was organized by the Human Resources Management & Development Division to keep MakatiMed’s doctors, staff, and partners updated on the recently released Implementing Rules and Regulations (IRR) of Republic Act No. 10173, known as the “Data Privacy Act of 2012”.
21st Century Law
The Data Privacy Act of 2012, according to the NPC, “is a 21st century law to address 21st century crimes and concerns. It (1) protects the privacy of individuals while ensuring free flow of information to promote innovation and growth; (2) regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and (3) ensures that the Philippines complies with international standards set for data protection through National Privacy Commission (NPC).”

The forum opened with a short presentation by Arlyn L. Songco, Division Head of the Marketing & Sales Services Division, who gave an overview of the social media climate in the Philippines and worldwide. “Internet use in the Philippines ranks equal to the global average at 46%,” she said, and Filipinos spend 3.7 hours on social media, leading social media usage in Southeast Asia.

Social media penetration in the Philippines is among the highest in 2017 at 58% (or 60 million users), ranking the country 6th in the world in terms of active users.

Social media plays a significant role in spreading a story—be it good or bad. According to Ms. Songco, 28% of crisis incidents spread internationally on social media within an hour, while 69% spread within 24 hours, reaching, on average, 11 countries in a single day.

More than half of companies (53%) fail to regain the good reputation they had before the social media crisis.

“Before you share, think!” Ms. Songco said. “T.H.I.N.K. Is it truthful, helpful, inspiring, nice, or kind? And are you compliant with the law?”
Reinforcement of duty
Dr. Patdu, whose areas of practice include risk management for healthcare providers, medico-legal cases, and health policy, spoke to an audience of doctors, house staff, corporate and clinical employees, and representatives from corporate, Health Maintenance Organizations (HMOs), and Strategic Hospital Alliance Program (SHAP) partners.

“Even without the Data Privacy Act, we as professionals have always been bound, for thousands of years, by the Hippocratic Oath,” Dr. Patdu said, stressing that the hospital and medical industry handle the most sensitive information. “It is our duty to protect patient information. The Data Privacy Act is only a reinforcement of this duty.”

She cited several case studies of breach of patient confidentiality, one of which was the “Cebu canister scandal”, which involved the videotaping of the rectal surgery on a patient in 2008. The video was shared on video-sharing site, YouTube.

She emphasized that the more sensitive the information, the greater the means should be to protect it.

“Admit to yourself that the information you hold is sensitive and is not for daily conversation,” she said.
Data Privacy Act Principles
She discussed the three principles of the Act: transparency, legitimate purpose, and proportionality, which were defined as:
  1. Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
  2. Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
  3. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Violation of the Act carries stiff penalties, with imprisonment ranging from six months to three years, and fines ranging from PhP500,000 to PhP5M.

Dr. Patdu recommended that healthcare institutions create a Data Privacy Manual and appoint and train a Data Protection Officer, who will be the point person for the institution’s coordination with the NPC.
A copy of the Data Privacy Act and its IRR can be accessed online through


Ivy D. Patdu, MD, JD, Deputy Commissioner of the National Privacy Commission 

L-R: Johnny B. Sinon, MD (Medical Director), Ivy D. Patdu, MD, JD (Deputy Commissioner, National Privacy Commission),
Arlyn L. Songco (Division Head, Marketing & Sales Services Division), Jim Rommel S. Flores, LLB (Legal Counsel), Robert S. Paguia (Chief of Staff, Deputy Commissioner).

Arlyn L. Songco, Division Head of the Marketing & Sales Services Division