The Data Privacy Act of 2012 (DPA), under its declaration of policy, states that “It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.”

While the DPA does not apply to the personal information “processed for journalistic, artistic, literary or research purposes”, this exception is not absolute.2 “ Note, however, that the law does not provide for blanket exemption for research. Such exemption is limited to the minimum extent of collection, access, use, disclosure or other processing necessary to achieve the specific purpose, function or activity.”

“Hence, researchers have the concomitant obligations to implement the necessary security measures to protect the personal data they process,7 uphold the rights of data subjects, and adhere to data privacy principles9 and the other provisions of the DPA.”

“Thus, researchers should always keep in mind that though the DPA recognizes that the processing of personal data is critical to quality research, the rights and freedoms of individuals is likewise of utmost importance. This view is consistent with Section 38 of the DPA, which calls for an interpretation of the law that is mindful of the rights and interests of data subjects.”


De La Salle Medical and Health Sciences Institute is adhering to the following guidelines when processing personal data for research purposes.

  1. 1. Consent

    As a general rule, the use of personal data for research must have the consent of the data subject in accordance with the provisions of Sections 12(a) and 13(a) of the DPA. Such consent is evidenced by the Informed Consent Statement duly signed by the research participant or respondent. In case of patient’s records, the Data Processing Consent Form (DPCF) is document to attest as to the consent. The patient should have signed the DPCF and have agreed as to the use of their medical records for “medical training, research or education” purposes as enumerated in the DPCF before his medical records can be used for research.

    In the absence of the consent from the patient or if it is already impossible to obtain the patient’s consent, DLSMHSI adopts the following alternatives as suggested by the National Privacy Commission based on its advisory opinions.The two alternatives are:

    1. Get the data from the Record Section in a “redacted” format (meaning, the 18-identifiers are not included) as provided under the HIPAA Privacy Rule’s Safe Harbor Method; or,
    2. Get the approval of the PHREB-accredited research ethics committee for the waiver of the consent.
  2. 2. Redacted Documents

    Under alternative A, the patient’s records will be made available to the researcher in a “redacted format”. A redacted document has simply had the personal data deleted or blackened out; as a consequence, redacted is often used to describe documents from which sensitive information has been expunged. Under the Privacy Rule of HIPAA (Safe Harbor Method), the redacted document should not have the following 18 identifiers:

    1. Names
    2. Addresses (all geographic subdivisions smaller than a state usually except for the initial three digits of the ZIP code)
    3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
    4. Telephone numbers
    5. Fax numbers
    6. Email addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers including license plates
    13. Device identifiers and serial numbers
    14. Web URLs
    15. Internet protocol (IP) addresses
    16. Biometric identifiers (i.e. retinal scans, fingerprints, voiceprints, etc.)
    17. Photographic images – (not limited to images of the face)
    18. Any unique identifying number, characteristic or code
  3. 3. PHREB-Accredited Research Ethics Board

    If Alternative A is not possible or the result of the research will be substantially affected in the absence of data that included in the 18 identifiers, the researcher can the approval of any PHREB-accredited research ethics committee. “Likewise, apart from the laws and regulations on privacy, any code of ethics or any rules and regulations on research issued and implemented by institutions involved in research must be complied with by the researchers. After all, personal information used for research remains to be subject to a range of policies, including internal ones maintained by organizations, and other laws, as enacted or issued by the appropriate legislating authority.”

    In one of the NPC Advisory Opinions, it is stated that “As to Institutional Review Boards (IRBs), the approval of the IRB means that the research protocol or proposal has been reviewed and found to have met the standards of the board, including ethical considerations. An IRB approval is one of the ways to demonstrate that ethical standards have been considered in the research.”


As of this moment, data privacy in research has generated several issues and concerns from the different sectors of the research community and the privacy advocates as well. There may be some areas of research activities where the provisions of the DPA may not exactly applies. These situations or cases can be best evaluated in a more detailed discussion of the circumstances and how will this intrude to the privacy of the subject.

In the question of which way to take in case of no clear applicability of the DPA, the governing principle is stated in Section 38 of the DPA which states that “Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.”

(For any clarifications regarding this policy, you can get in touch with the DLSMHSI Data Protection Officer at local 1464 or thru email: dpo@dlsmhsi.edu.ph.)

May 1, 2024