UNIVERSITY OF THE PHILIPPINES DILIMAN
REVISED DATA CLASSIFICATION POLICY
This Policy governs all documents and information in UP Diliman whether in physical or electronic format. If needed, a section of a document or file may be given a classification different from the document or file containing it.
The responsibilities in classifying documents and processing data in accordance with their document are as follows:
A. Privacy and Confidentiality – All UP People who are processing DOCUMENTS are responsible to uphold the privacy and confidentiality of data under this Policy.
B. Document Classification – Privacy Focal Persons shall be ultimately responsible to ensure that all DOCUMENTS and files administered by their unit or office have a classification under this Policy.
C. Compliance with Policies – All UP People shall be responsible to ensure all DOCUMENTS used by them are kept private and confidential under all privacy policies of UP Diliman.
D. Document Administration – The UP Diliman academic unit or administrative office that has authority to generate or revise a DOCUMENT is considered to be the DOCUMENT ADMINISTRATOR of such DOCUMENT. The DOCUMENT ADMINISTRATOR has the responsibility to enforce the application of this Policy to a specific DOCUMENT.
E. Document Use – UP People who access or utilize a DOCUMENT are considered to be the DOCUMENT USERS of such DOCUMENT. The DOCUMENT USER has the responsibility to comply with this Policy at all times.
Documents and files, as well as the information contained in them, may either be classified as restricted (internal, confidential, or sensitive confidential) or public. Examples are:
- Data which are customarily processed by specific UP Diliman units and offices are restricted as Internal.
- Personal Information under the Data Privacy Act of 2012 are restricted as Confidential.
- Sensitive Personal Information under the Data Privacy Act of 2012 are restricted as Sensitive Confidential.
- Citizens’ Charters are not restricted and hence are public.
IV. Restricted Data
Access to data in UP Diliman is restricted to varying classes of users according to risk level:
A. Internal – Data which generally pose a low risk to the rights of data subjects and UP Diliman.
B. Confidential – Data which generally pose a medium risk to the rights of data subjects and UP Diliman.
C. Sensitive Confidential – Data which generally pose a high risk to the rights of data subjects and UP Diliman.
IV–A. Internal
Definition: Data which should be internally contained within certain UP Diliman units or offices.
Restriction: May be accessed only by UP Diliman units or offices which need such data to perform their roles and responsibilities.
Risk: Low. UP Diliman may incur financial losses, reputational damage, or lose opportunities.
- Employee benefits may be accessed by HRDO and Accounting Office but not by unconcerned offices.
- Draft documents not yet cleared for release may not be demanded by other offices.
IV–B. Confidential
Definition: Information which may be disclosed only to a limited number of individuals to protect UP Diliman from legal, regulatory, financial, strategic, operational or reputational risks.
Restriction: May be accessed only by specific UP Diliman officials, staff or faculty if the data is necessary to perform an official task.
Risk: Medium. UP Diliman may incur judicial or administrative liability. Rights of individuals may be violated.
- Personal information such as home address, email, and photos.
- Patent application documents.
IV–C. Sensitive Confidential
Definition: Information that may likely cause serious harm to UP Diliman or individuals if not strictly protected.
Restriction: May be accessed on a need-to-know basis only by the minimum number of UP Diliman officials, staff or faculty whose knowledge of the information is highly necessary to address a need.
- Sensitive personal information such as age, political affiliation, health, education, and government-issued I.D. numbers.
- Privileged information such as those in sexual harassment cases disclosed to officials, adjudicators, lawyers and doctors.
V. Public Data
Public data should be freely accessible to parties internal and external to UP Diliman. Except for reasonable procedural requirements, there should be no restrictions on access to public data.
In requests invoking the freedom of information, the procedure in the UP Diliman Freedom of Information Manual should be followed.
VI. Security Measures
Whether data is restricted or public, the appropriate physical, organizational and technical security measures in the UP Diliman Privacy Manual and other relevant rules should be complied with.
“DOCUMENT” is any form, template, record, list, table, report, issuance, invoice, receipt or other document that contains personal information of individuals or confidential information.
“DOCUMENT ADMINISTRATOR” is the academic unit or administrative office that has authority to generate or revise a DOCUMENT.
“DOCUMENT USER” is any UP People that accesses or utilizes a DOCUMENT.
“Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
“UP Diliman” refers to the University of the Philippines Diliman, an autonomous constituent university of the University of the Philippines System.
“UP People” refers to all types of students, parents, guardians, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons whose personal data are directly or indirectly processed by UP Diliman.