SEA Health Tech Investment Insights
Healthtech ventures must manage the Philippines' comprehensive data privacy measures
INSEAD
Comprehensive data privacy measures are enforced by a relatively active independent watchdog
Data Privacy Act (DPA) 2012: The comprehensive DPA was passed in 2012 "to protect the fundamental human right of privacy, of communication while ensuring
free flow of information to promote innovation and growth". It has extraterritorial application, applying not only to businesses located in the Philippines, but also
when equipment based in the Philippines is used for processing data, as well as to the processing of Philippine citizens' personal information, regardless of where
they reside. The law has relatively extensive requirements for businesses, including mandatory data protection officers and breach reporting rules, as well as an
annual written report documenting all security incidents and personal data breaches. Infringement penalties extend up to six years' imprisonment.
National Privacy Commission (NPC): The NPC is the independent body responsible for administering the DPA and is vested with a relatively extensive range of
powers including receiving complaints, instituting investigations on data privacy incidents, and compelling entities to abide by its orders in matters affecting data
privacy. For instance, in Feb 2020, it directed that Grab Philippines cease its selfie-verification and in-vehicle audio and video recording systems due to data
privacy deficiencies. It also shut down a number of online lending apps in Oct 2019 because they had violated the DPA by publicly sharing information on
defaulting borrowers to shame them.
Covid-19 pandemic has prompted efforts to clarify how data privacy applies to healthcare
DPA Implications for Contact Tracing During Covid-19 Pandemic: In Aug 2020, Interior Secretary Eduardo Año reportedly acknowledged that the DPA posed a
challenge in contact tracing during the Covid-19 pandemic, as it limited the types of information hospitals could collect from patients. The Philippines' business
sector (as represented by major business associations including the Philippine Chamber of Commerce and Industry) also publicly called for the temporary
suspension of the DPA in order to reduce the expenses involved in contact tracing. The NPC subsequently clarified that the DPA should not prevent hospitals from
sharing patient information with the relevant authorities, but advised against publicly naming patients even for contact tracing efforts, due to the risk of possible
harassment or humiliation.
Department of Health (DOH) and NPC Collaboration on Telemedicine Framework: In Apr 2020, the DOH and NPC jointly developed a framework for
telemedicine services in an effort to decongest hospitals and provide access to healthcare during the Enhanced Community Quarantine (i.e. lockdown). It
established that medical consultations conducted by licensed healthcare providers over the phone, chat, SMS, and other audio and visual-conferencing platforms were
formally considered telemedicine services in the country, and that these providers were allowed to issue electronic case reports and prescriptions.
Sources: Various sources including Philippines National Privacy Commission; Philippine Department of Health; GrowYourBusiness.org; Manila Bulletin ("Business sector
suggests suspension of Data Privacy Law")