COVID-19: Can organizations release personal information of employees to the government or a public agency?

In the Philippines, the simple answer is YES.

Due to the COVID-19 pandemic, organizations are in uncharted territory on how to keep employees safe and still be able to follow the data privacy/protection law. Most organizations are in a quandary on whether personal information about the health of employees can be shared with the government or a public agency, “particularly without the consent of the relevant individual”. The secret to unlocking that quandary lies in understanding the principles that underpin data privacy / protection law and applying them in any particular set of circumstances. See ‘What Can Organizations Do?’ below for a checklist to help organizations get started. 

What we have to deal with 

Due to the COVID-19 pandemic, many new terminologies have become bywords in the corporate world - person under monitoring (PUM), person under investigation (PUI), social distancing, self-isolation, home quarantine, etc. Government use words such as enhanced community quarantine (ECQ) or circuit breaker. The general public still say “lockdown”. 

Who would have imagined that aside from surrendering an ID to enter an office or building, visitors now also need to submit to temperature checks. Companies are monitoring the health status of their employees in unprecedented ways due to the contagiousness of the coronavirus. They are collecting personal information such as employees’ contact exposures, travel history, client meetings and maybe even the health status of employees’ family members. 

In most ASEAN countries, there are laws and regulations that require infectious diseases to be reported to the government. In the Philippines, there is the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act (RA11332). In Singapore, there is the Infectious Diseases Act (Chapter 137), while in Malaysia there is the Prevention and Control of Infectious Diseases Act 1998. These laws require not only medical institutions and medical professionals, but also private institutions and workplaces to accurately and immediately report notifiable diseases and health events of public interest to the relevant government agency. In some cases, the national government, together with local authorities, sets up disease surveillance units. 

There are also various laws that require employers to provide a safe working environment. Employers generally do so: installing guards on dangerous machinery, controlling noxious chemicals, fumes and dangerous liquids, properly ventilating factories and offices, guarding against various other physical hazards, providing first aid facilities, reporting workplace incidents and accidents, etc. Taking at least reasonable steps to shield employees from diseases, including infectious diseases is always on the list too. But generally this does not appear high up on an employer’s ‘to do’ list. Employees might catch a cold or even a seasonal ‘flu, but beyond perhaps keeping them away from the workplace for a few days and causing some loss in productivity, such infectious diseases are little more than minor irritants. COVID-19 and its potential health consequences is very clearly different. There is debate around the extent to which employers may need to protect their employees from COVID-19 infection in the workplace, but little or no argument about employers