⚖ The Advocate
Privacy & Data Rights

Employer Shares Employee's Medical Information Without Consent

An employer discloses an employee's confidential medical condition to clients or colleagues without the employee's knowledge or consent

Premium foundational 8 minutes
The Situation

What They Said

“I told the client you have been unwell because of your condition — I just wanted them to understand why the project was delayed. It was not a big deal.”
Disclosure of employee medical information without consent is a serious violation under the Data Privacy Act of 2012 (RA 10173). Medical information falls under the category of 'sensitive personal information' — a higher-protection category that requires explicit consent for processing and is subject to stricter obligations. Employers regularly process employee health data for legitimate HR purposes, but sharing it with clients, customers, or colleagues without the employee's consent is an unlawful act under RA 10173. The National Privacy Commission (NPC) has jurisdiction to investigate complaints and can impose administrative fines and recommend prosecution.
The Fallacy

Practical Context Justifies Privacy Breach Fallacy

The employer frames the disclosure as a reasonable communication made in good faith for a practical purpose (client relations), implying the employee should accept the breach as a minor necessity. Under RA 10173, the employer's practical purpose does not override the employee's right to control their sensitive personal information. Sensitive personal information may only be processed (including disclosed) with the data subject's explicit consent, or under one of the specific lawful grounds enumerated by the law. 'I needed to explain' is not one of those grounds.

What the Law Says

Your Legal Foundation

Republic Act No. 10173 (Data Privacy Act of 2012)
Section 13 — Sensitive Personal Information and Privileged Information — Special Protection for Medical Information
“The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: (a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in cases where the processing of the same is provided by existing laws and regulations; (b) The processing of the same is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing; (c) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or (d) The processing concerns sensitive personal information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims.”
Your medical condition is sensitive personal information under RA 10173. Disclosing it to a client without your consent falls within none of the permitted grounds. The employer violated Section 13. File a complaint with the National Privacy Commission at privacy.gov.ph.
Republic Act No. 10173 (Data Privacy Act of 2012)
Sections 25-31 — Penalties — Criminal and Administrative Penalties for Unauthorised Disclosure
“Any person who, without the knowledge and consent of the data subject, discloses unwarranted or false information relative to personal data shall be subject to imprisonment of one year and six months to five years and a fine of not less than five hundred thousand pesos but not more than one million pesos.”
Unauthorised disclosure of sensitive personal information carries criminal penalties. File an administrative complaint with the NPC, which can also recommend criminal prosecution to the DOJ. Document all evidence of the disclosure — emails, witness statements, and the employer's admission.
What Scripture Says

God's Word on This

Proverbs 11:13 (NIV)
“A gossip betrays a confidence, but a trustworthy person keeps a secret.”
The disclosure of personal information entrusted to us in confidence is identified in Scripture as a betrayal of trust — not a neutral act. An employer who is privy to an employee's medical condition holds that information in trust. Sharing it with a client because it was convenient is precisely what Proverbs identifies as the gossip's pattern: using information that was given in trust to manage one's own interests. The law agrees: your medical information belongs to you, and no one may share it without your consent.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Workers' Rights is free · All 10 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 real rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next

Common Counter-Arguments

After you respond, they may push back with these arguments. Members get the full rebuttal for each.

They might say: “This is an employment matter — the Data Privacy Act does not cover employers.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “The client already knew you were sick — it was not a real disclosure of anything new.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
389 Filipino law and Scripture scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start.
Try Free — Workers' Rights
No credit card · Upgrade anytime for all 10 domains
Think you know your rights? 5 real rights scenarios — find out where you’re at risk.
Take the Quiz →