DOH Kontra Covid Platform Privacy Policy

Last Updated: July 23, 2020 4:00PM (GMT+8)

Introduction

The Department of Health (DOH) KontraCOVID system is a cloud-based platform that integrates passive surveillance tools and channels such as TanodCOVID (SMS-based) and KIRA (chat and digital triage web application) where citizens may report or update their symptoms and exposure information to conduct self-assessments and check the possible risk of COVID-19 infection, subject to verification of local health authorities. The KontraCOVID web application collects personal information that links to the LGU portal of KontraCOVID for information verification.

The LGU portal of KontraCOVID enables LGUs to view and verify citizen-reported information sourced from different channels (SMS, Chat, Web application). The verification is conducted by local health units or assigned personnel to provide appropriate response and forwarding verified data to the COVID Kaya system for proactive contact tracing.

This is a public service application co-developed by DOH with technology and development partners to aid in the proactive response of the Philippine government to the COVID-19 pandemic in the Philippines.

The Department of Health (“we” or “us” or “DOH”) recognizes the importance of protecting your rights as a data subject. This privacy policy will inform you of how the DOH KontraCOVID system collects and uses your personal and health-related data. By clicking “I agree” in the application interface and by using the services, you consent to the terms and conditions of data collection and processing described in this Privacy Policy.

What kind of data is collected and processed by the DOH KIRA KontraCOVID system?

We collect different categories of data whenever you use the KontraCOVID system:

    a. Personal Information and Sensitive Personal Information (collectively, Personal Data)

    Information Title Type of Personal Information
    Name Regular Personal Information
    Contact Number Regular Personal Information
    Location Data Regular Personal Information
    Nationality Sensitive Personal Information
    Biological Sex Sensitive Personal Information
    Birthyear Sensitive Personal Information
    Health-related information Sensitive Personal Information
    Messenger or Viber ID Sensitive Personal Information

    The collection of this type of information is necessary in order to conduct digital triage and verification of health data of citizens with a possible risk of COVID infection.

    b. Usage Data

    By accessing the web application, you share some information that will be processed for the purpose of monitoring and analyzing web traffic. This will allow us to maintain and improve our services for the benefit of DOH. The information processed may include but is not limited to IP addresses, system configuration information, and other information about traffic to and from the web application, devices, and/or networks.

    c. Tracking Cookies Data

    We use cookies, such as session cookies and security cookies, to track or monitor activity on the system. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from this website and stored on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some features of the web application.

    Third-party service providers such as software or individuals that support analytical and operational processes may have access to your data to perform these services on our behalf and are obligated not to disclose or use it for any other purpose.

How is data collected?

We collect your data when you submit information through the web application, through third-party applications such as, but not limited to, Facebook Messenger and Viber, and through any of our partner local government units. No Personal Data shall be collected unless you agree to this Privacy Policy. Usage Data and Tracking Cookies Data, which constitute anonymized data, may still be collected.

You may inform us of the specific data you do not want to be processed beyond the Permitted Purposes. We will respect your request insofar as it is feasible to fulfill the purposes for which the Personal Data was collected.

What are the permitted purposes for the collection and use of data under this privacy policy?

The collection and processing of your Personal Data are necessary in order for DOH to perform its mandate to collect, analyze and disseminate statistical and other relevant information on the country’s health situation and to deliver health services to the Filipino people.

Your data shall also be collected and processed for the following purposes:

  1. To provide provisional health risk assessment and appropriate advice
  2. To conduct digital triage and verification
  3. To assess the health situation of each local government unit and the whole country
  4. To conduct data management and analysis to aid in responsive action and public health policy programming
  5. To monitor and analyze web traffic and activity
  6. To identify and secure security incidents and data breaches
  7. To establish, exercise, or defend legal claims; and
  8. To fulfill any other purposes directly related to the above-stated purposes

The DOH will not process your information in ways incompatible with the above-stated purposes. Your data may also be anonymized in order to conduct statistical analysis and information dissemination on the country’s situation with regard to the Covid-19 pandemic.

Who is the Personal Information Controller?

The Department of Health is the personal information controller of any Personal Data you submit through the DOH KontraCOVID system under the Data Privacy Act of 2012. It may also be that your Personal Data is disclosed by DOH to third parties pursuant to a data-sharing agreement, in which case such third parties are considered as the personal information controllers of your Personal Data.

Where your Personal Data is submitted through a third-party application such as Facebook Messenger or Viber, such Personal Data shall be subject to the third-party system’s privacy policy.

Is the data shared with third parties?

Your information may be shared only to authorized third parties under data sharing and data outsourcing agreements. These written agreements specify the rights and obligations of each party and will provide that the third party has adequate security measures in place and will only process your personal information on the specific written instructions of the DOH.

    At present, your information shall be shared with the following entities:
  • DOH Epidemiology Surveillance Units
  • Local Government Units - for verification, updating, and as the basis for timely response and guidance with their constituents.
  • Third-party service providers, such as web hosts and analytical and operational support service providers

We may also transfer your Personal Data to third parties as required by law or legal instrument, and in emergencies where the health or safety of a person is endangered.

We will not sell, rent, share, trade, or disclose any of your Personal Data to any other party without your prior written consent.

How do we secure your data and for how long will it be retained?

The DOH has put in place physical, electronic, and managerial procedures designed to help prevent unauthorized access, maintain data security and ensure proper handling of your data. These safeguards vary based on the sensitivity of the information that we collect and store. Only authorized DOH personnel and staff and the above-mentioned third parties will have access to your data on a need-to-know basis. Your data will have standard encryption in the application and stored in a secured database. All data collected will either be anonymized or destroyed along with its erasure from the database after the purpose for which they are permitted to be processed has ceased to exist. All data processed by the DOH and the authorized third-parties shall be kept under strict confidentiality for the entire period of retention.

What are your rights as a data subject?

You have the following rights under the Data Privacy Act of 2012 (the “DPA”), which you may exercise at your discretion:

a. The right to access personal information

Subject access requests may be made by emailing the data protection officer. You may do this by accessing your personal information through the link that will be shared upon submission. The DOH may take reasonable steps to confirm the requestor's identity as a data subject before granting access to the Personal Data and allowing updates thereto. Your information is secured and can be accessed through a one-time password (OTP) sent to your registered mobile number on the system.

b. The right to make corrections to personal information

The DOH shall take reasonable steps to ensure that any personal data it processes is accurate and up-to-date. However, ensuring the accuracy of your data requires your cooperation. Should there be any changes to the data submitted through the DOH KontraCOVIDd system, we encourage you to inform us as soon as reasonably possible.

c. The right to object to the processing of personal information

You have the right to object to the processing of your Personal Data, including processing for direct marketing, automated processing, or profiling. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to you in this Privacy Policy.

d. The right to erasure or blocking of personal information

You have the right to suspend, withdraw or order the blocking, removal or destruction of your data from our database

Please contact the National eHealth Program, through the following email address: [email protected]

e. The right to be informed of the existence of processing of personal information

You have the right to be informed whether there is a change in how personal information pertaining to you shall be, is being, or has been processed, including the existence of automated decision-making and profiling.

f. The right to damages

Upon presentation of a valid court decision, the DOH recognizes your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information, taking into account any violation of your rights and freedoms as a data subject.

g. The right to data portability

Data portability allows you to obtain and electronically move, copy or transfer your personal data in a secure manner, for further use, or via transmittal within systems as long as the format for storage of data is uniform across similar systems.

h. The right to lodge a complaint before the National Privacy Commission

Informed Consent

Children, aged 10 - 17 years old, are required to seek consent from parents or guardian in providing personal information through this application.

Amendments to this Privacy Policy

This privacy policy may be updated from time to time. You will be notified whenever there are any updates that will significantly affect your rights.

Concerns and Questions

In case of complaints, concerns, or questions regarding the processing of your Personal Data, or if you wish to exercise your data subject rights, you may address them to:

DOH Knowledge Management and Information Technology Service
Data Privacy Officer
Name: DR. ENRIQUE A. TAYAG, PHSAE, FPSMID, CESO III
Contact: 651-7800 local 1926-1928
Address: Building 9, San Lazaro Compound, Tayuman, Sta. Cruz, Manila Philippines 1003
Email: [email protected], [email protected]