Date: 2018-05-13

In the past few years, I noticed an increased use of wearable technology that monitors heart rates, number of steps, and the like. These have slowly replaced luxury watches, or are often worn alongside a timepiece—a watch on the left wrist and a Fitbit (or a similar product) on the right.

This reminds me of a conversation back in the law office about the number of steps that the partner’s Fitbit had recorded and his stories about his schemes on how to increase them effortlessly.

Quite recently, Google collaborated with Fitbit—a company famous for its wearable health monitors and activity trackers—to further utilize the new Google Cloud Healthcare platform and push the boundaries of healthcare made available to the public. The idea is to connect the Fitbit user’s Electronic Medical Records (EMR) to healthcare professionals who have access to the Google Healthcare application. This aims to help ensure prompt and more personalized treatment of users and to give healthcare professionals easier access to the user’s medical records. An added feature is the use of a digital coaching platform—Twine Health (acquired by Fitbit in February 2018)—that can help address chronic illnesses, such as hypertension, as symptoms manifest and are recorded by the wearable monitor.

Indeed, we now live in a world where most information is stored in the “cloud”. Clouds, however, are designed to carry only enough “water” until they begin to pour. In this context, present-day cloud storage is no stranger to security and privacy breaches or just sheer faultiness. Aside from some flawed measurements or glitches of the system brought about by its users, this partnership between Fitbit and Google may pose several risks for its users—especially with regard to data privacy.

Under the Data Privacy Act of 2012, health records are classified as “sensitive personal information” (SPI) and may only be processed under strict requirements such as: (1) prior consent to the specific purpose of processing or transfer to third parties; (2) provided for by existing laws or for the protection and enforcement of a person’s rights; (3) being necessary for lawful and non-commercial objectives; (4) being necessary to protect the life or health of the person who cannot express his/her prior consent; or (5) being necessary for medical treatment to be conducted by a medical practitioner or institution where personal information is secured.

To help enforce these requirements, steep penalties are laid down by the Data Privacy Act in the form of imprisonment and payment of fines. To illustrate, unauthorized processing or negligent access of SPI shall be penalized by imprisonment ranging from three (3) to six (6) years AND a fine of not less than Five Hundred Thousand Pesos (PhP500,000) but not more than Four Million Pesos (PhP4,000,000).

All this prompts users and processors of information (i.e. employers, healthcare facilities, or service providers) to be more careful in the sharing and handling of information—especially sensitive personal information. While this wearable technology is literally “at hand”, participants in this industry should be mindful of the information they hold to maintain the balance between convenience and confidentiality of personal information.

Atty. Mike is a proud Kapampangan who took up BS Accountancy at Holy Angel University and later finished his law studies at Ateneo de Manila. Upon passing the bar, he engaged in private practice at Ong Meneses Gonzalez & Gupit Law Offices and began his teaching career at De La Salle University. He now serves as the Assoc. Legal Counsel of DLSU and as legal consultant to both private and government organizations.