Framework

UNIVERSITY OF THE PHILIPPINES DILIMAN

Privacy Management Program Framework

I. Background

In the information age, personal information is both a commodity and a vulnerability. It is paramount that the University of the Philippines Diliman (UP Diliman) upholds the privacy of personal information. Beyond compliance with regulations, the Data Protection Office advances a multi–faceted approach to instill a culture of vigilance in preserving the sanctity of privacy. UP Diliman‘s Privacy Management Program is a holistic set of initiatives guided by the general direction and structure provided by this Framework. 

II. Vision–Strategies–Plans

UP Diliman‘s levels of objectives in data privacy are:

III. Organizational Structure

The Data Protection Office is led by the UP Diliman Data Protection Officer and mandated to protect the privacy of personal information in UP Diliman. The Data Protection Officer reports directly and exclusively to the Chancellor. 

The Data Protection Officer may engage officers and personnel of the Data Protection Office necessary and convenient to fulfill the roles and responsibilities of the Data Protection Officer. The Data Protection Officer shall have autonomous jurisdiction and authority over the appointment, management and supervision of Privacy Focal Persons of UP Diliman. 

In the fulfillment of the its roles and responsibilities, the Data Protection Officer may collaborate with or seek assistance from UP Diliman units and offices. As an autonomous constituent, UP Diliman and its Data Protection Officer shall exercise the autonomy and independence mandated by NPC Advisory No. 2017–01. The Data Protection Officer may coordinate with Data Protection Officers of other Constituent Universities (CU) for inter-CU endeavors.

IV. Data Protection Officer

The Data Protection Officer has exclusive and autonomous jurisdiction and authority to conduct necessary acts and decisions to manage, supervise and execute all matters related to the data privacy and protection of UP Diliman. The Data Protection Officer has the following roles:

1. Comply with data privacy laws and regulations;
2. Provide units of UP Diliman support services;
3. Prevent legal, financial, and operational risks; and
4. Develop in UP Diliman a culture of respect for privacy. 

The Roles and Responsibilities of the Data Protection Officer are detailed in Office of the Chancellor Administrative Order No. MLT–19–073.

V. Privacy Focal Persons

All academic units and administrative offices of UP Diliman are mandated to appoint a Privacy Focal Persons (PFP) to administer the concerned unit‘s or office‘s data privacy compliance. 

PFPs are tasked to coordinate with and assist the Data Protection Officer in all matters related to data privacy as well as perform functions in Office of the Chancellor Memorandum No. MLT 18–022. 

PFPs are hereby required to formulate a unit–level privacy management program to be responsive to the specific context and needs of their respective units and offices. This unit level program shall be consistent with this Framework and initiatives of the Data Protection Officer. PFPs may adapt policies, security measures and oversight plans from the Data Protection Officer and customize such for their respective units and offices.

VI. Privacy Policy

The UP Diliman Privacy Policy advances UP Diliman‘s commitment to protect and uphold the privacy of personal information by establishing the framework for processing personal information through its units and offices. 

The Data Protection Officer has issued the following policies that define and regulate the parameters of personal information processing with sensitivity to varying classes of data subjects: 

a. Students, parents and guardians;

b. Faculty, including visiting faculty;

c. Staff, including REPS, UP contractual, Non–UP contractual personnel and retirees;

d. Applicant students, faculty and staff;

e. Researchers and research subjects;

f. Patients, clients and customers; 

g. Alumni, donors, donees; h. Contract counterparties, partners, subcontractors, licensors and licensees; and i. Other persons with a judicial link with UP Diliman.

The UP Diliman Data Subject Rights and Responsibilities recognizes the right of people to data privacy and defines the scope of concomitant responsibilities to each other of members of UP Diliman. 

UP Diliman‘s Privacy Policy and Data Subject Rights and Responsibilities were promulgated as the Twin Policies on Data Privacy under Office of the Chancellor Memorandum No. MLT 19–061. 

VII. Security Measures

The UP Diliman Privacy Manual shall establish the minimum data privacy requirements for UP Diliman, identify the functions of Data Protection Officer, Data Protection Office and Privacy Focal Persons, and provide baseline protocols in processing, security measures and notification protocols.

The UP Diliman Information Security Policy shall set measures to ensure that all information and systems of UP Diliman are protected. It shall have guidelines to keep the confidentiality, integrity and availability of UP Diliman’s information and information systems continuously in order.

The UP Diliman Organizational and Physical Data Protection Measures Policy shall set measures on organization and physical security in UP Diliman. It shall provide baseline protocols to UP Diliman units and offices on organization and physical data protection measures.

The UP Diliman Records Management Policy shall ensure records in UP Diliman are properly safeguarded, protected and preserved. It shall set standards in the management, handling, transmission, storage, archiving and disposal of UP Diliman records.

The UP Diliman General Privacy Notice is an overall statement on UP Diliman’s data processing activities to notify data subjects of categories of personal information processed and the purpose and extent of processing. It is not a consent form but a notice to all how UP Diliman processes personal information.

The Chancellor and the Data Protection Officer shall continually issue and update policies on specific matters related to data privacy and protection. 

VIII. Incident and Breach Management

The UP Diliman Security and Incident Management Policy in Office of the Chancellor Administrative Order No. MLT-19-072 formed data breach response teams and established the response procedure for these teams to handle security incidents and personal data breaches in a timely and comprehensive manner. It mandates Privacy Focal Persons to monitor, mitigate, investigate, respond to, contain, reporting and aid in resolving security incidents and personal data breaches. It also set out security measures in the processing, storage, encryption, access and transfer of personal information.

IX. Oversight and Review Plan

The UP Diliman Oversight and Review Plan is embodied in Office of the Chancellor Memorandum No. MLT–19–149. Its objectives are to: 

• Set measures in ensuring that the policies and procedures for data privacy are followed and updated;
• Define roles and responsibilities of academic units and administrative offices in the oversight and review of UP Diliman‘s privacy policies and initiatives; and
• Identify which Generally Accepted Privacy Principles UP Diliman shall utilize to review its overall privacy management program. 
• The Plan governs UP Diliman and its staff, faculty, Research, Extension and Professional Staff, other researchers, alumni, subcontractors, outsourcees, agents and representatives.

X. Roadmap

UP Diliman’s roadmap to privacy commences in rooting privacy to the foundations organic to the University. Such will enable data protection capabilities of its UP Diliman people and enhances their practices. The endgame is to build privacy resilience while empowering the University to fulfill its mandate to serve as a university of the people. The roadmap directs UP Diliman to be: 

• Rooted – Root privacy in organic foundations
• Robust – Strengthen people and practices
• Resilient – Build privacy resilience