UNIVERSITY OF THE PHILIPPINES DILIMAN
DATA SUBJECT RIGHTS AND RESPONSIBILITIES
In recognition of the constitutional and inherent right of people to data privacy and the need to define the scope of concomitant responsibilities to respect the privacy of others, the University of the Philippines Diliman (“UP Diliman”) promulgates this policy on UP Diliman Data Subject Rights and Responsibilities.
PART I. DATA SUBJECT RIGHTS
In UP Diliman’s processing of their Personal Data, the following rights shall be afforded to students, parents, guardians, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons with a juridical link with UP Diliman (each a “Data Subject” or collectively, “Data Subjects”):
(A) Right to be Informed
- The Data Subject has a right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
- The Data Subject shall be notified and furnished with information indicated hereunder before the entry of his or her Personal Data into the processing system of UP Diliman, or at the next practical opportunity:
(a) Description of the Personal Data to be entered into the system;
(b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the Data Subject;
(d) Scope and method of the Personal Data processing;
(e) Third-party recipients or classes of recipients to whom the Personal Data are or may be disclosed. As the University of the Philippines (“UP”) is a single juridical entity and instrumentality of the government, all transmission and flow of information within the UP System, its constituent universities, and their respective units are neither sharing nor disclosure of information to third parties;
(f) Methods utilized for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
(g) The identity and contact details of UP Diliman or its representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as Data Subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the National Privacy Commission.
(B) Right to Object
The Data Subject shall have the right to object to the processing of his or her Personal Data, including processing for direct marketing, automated processing or profiling. The Data Subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the Data Subject in the preceding paragraph.
When a Data Subject objects or withholds consent, UP Diliman may not be able to conduct academic, administrative and other functions or services related to the Data Subject.
When a Data Subject objects or withholds consent, UP Diliman shall no longer process the Personal Data, unless:
(1) The Personal Data is needed pursuant to a subpoena;
(2) The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the Data Subject;
(3)The information is being collected and processed as a result of a legal obligation; or
(4) UP Diliman’s functions as the national university or as an instrumentality of the government will be impaired.
(C) Right to Access
The Data Subject has the right to reasonable access to, upon demand providing sufficient time for preparation, the following:
(1) Contents of his or her Personal Data that were processed;
(2) Sources from which Personal Data were obtained;
(3) Names and addresses of recipients of the Personal Data;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the Personal Data to recipients, if any;
(6) Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the Data Subject;
(7) Date when his or her Personal Data concerning the Data Subject were last accessed and modified; and
(8) The description of UP Diliman under Act No. 1870 and Republic Act No. 9500 and address of UP Diliman.
(D) Right to Rectification
The Data Subject has the right to dispute the inaccuracy or error in the Personal Data and have UP Diliman correct it within a reasonable period and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, UP Diliman shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.
(E) Right to Erasure or Blocking
These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university.
The Data Subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from UP Diliman’s filing system.
(1) This right may be exercised upon discovery and substantial proof of any of the following:
(a) The Personal Data is incomplete, outdated, false, or unlawfully obtained;
(b) The Personal Data is being used for purpose not authorized by the Data Subject;
(c) The Personal Data is no longer necessary for the purposes for which they were collected;
(d) The Data Subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
(e) The Personal Data concerns private information that is prejudicial to Data Subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The processing is unlawful;
(g) UP Diliman or UP Diliman’s Personal Data processor violated the rights of the Data Subject.
(2) UP Diliman may notify third parties who have previously received such processed Personal Data.
(F) Right to Damages
This right to damages is subordinate to:
- The presumption of UP Diliman’s regularity in the performance of government functions;
- As applicable, the principle that the State may not be sued without its consent; and
- The non-liability of UP Diliman arising from the incidental damages due to UP Diliman’s pursuance of its mandates or compliance with its legal obligations.
The Data Subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of his or her rights and freedoms as Data Subject.
PART II. RESPONSIBILITIES OF DATA SUBJECTS
Concomitant to the exercise of rights are responsibilities to respect the privacy of others and comply with UP Diliman’s regulations in its administration of data privacy.
Data Subjects shall have the following responsibilities:
- Respect the data privacy rights of others;
- Report any suspected Security Incident or Personal Data Breach to UP Diliman to the UP Diliman Data Protection Officer by visiting privacy.upd.edu.ph;
- Provide the UP true and accurate Personal Data and other information. Before submitting Personal Data of other people to UP, obtain the consent of such people;
- Not disclose to any unauthorized party any non-public confidential, sensitive or personal information obtained or learned in confidence from UP; and
- Abide by the policies, guidelines and rules of the UP System and UP Diliman on data privacy, information security, records management, research and ethical conduct. From time-to-time check for and comply with updates on these policies, guidelines and rules. UP Diliman’s policies on data privacy are at privacy.upd.edu.ph. For students, the UP System’s UP Privacy Notice for Students is at https://upd.edu.ph/privacy/studentnotice/
PART III. ENFORCEMENT
The following parameters govern the enforcement of this Policy:
(A) Transmissibility of Rights of the Data Subject
The lawful heirs and assigns of the Data Subject may invoke the rights of the Data Subject to which he or she is an heir or an assignee, at any time after the death of the Data Subject, or when the Data Subject is incapacitated or incapable of exercising the rights as enumerated herein.
(B) Right to Data Portability
Where his or her Personal Data is processed by electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain from UP Diliman a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject. The exercise of this right shall primarily take into account the right of Data Subject to have control over his or her Personal Data being processed based on consent or contract, for commercial purpose, or through automated means. The National Privacy Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.
(C) Limitation on Rights
The exercise of any right in this Policy is subject to UP Diliman’s legal, administrative, logistic, financial, technical and other limitations. As an instrumentality of the government operating on state-appropriated funds, UP Diliman’s acts and omissions arising from this Policy is limited on available public financial, infrastructure and manpower resources.
All rights in this Policy shall not be applicable if the processed Personal Data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the Data Subject: Provided, that the Personal Data shall be held under strict confidentiality and shall be used only for the declared purpose. The above rights are also not applicable to the processing of Personal Data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a Data Subject. Any limitations on the rights of the Data Subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.
(D) Non-Applicability of Rights
This rights under this Policy do not apply to the following:
- Personal Data processed for journalistic, artistic, literary or research purposes;
- Information necessary in order to carry out the functions of UP Diliman and other public authorities which include the processing of Personal Data for the performance by law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions;
- Information necessary to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
- Personal Data originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
(E) Definition of Terms
“Personal Data” refers to all types of personal information, sensitive personal information and privileged information under the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
“Processing” in any of its verb tense refers to the collecting, recording, organizing, storing, retaining, using, analyzing, copying, transmitting, porting, sharing, exhibiting, deleting, or destroying of Personal Data regarding Data Subjects.
“Data Subject” or collectively, “Data Subjects” refer to students, parents, guardians, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons with a juridical link with UP Diliman.
The UP Diliman Data Protection Officer may promulgate policies, guidelines and rules which are not inconsistent with this Policy.
If any law or regulation cited in this Policy is amended or superseded, then it shall be considered that this Policy is referring to such amending or superseding law or regulation, without prejudice to a person’s right against retroactive effect of laws.
If any part of this Policy is declared null and void, then the other unaffected parts shall remain in full force and effect.
A copy of this UP Diliman Data Subject Rights and Responsibilities is found here.