UNIVERSITY OF THE PHILIPPINES DILIMAN
As the country’s national university, UP Diliman performs the admission process for Students and the recruitment process for Faculty and Staff. In the course of its performance, UP Diliman collects, uses, retains, and disposes of the personal information of the applicants. Thus, it is the responsibility of the University to protect the personal information of its applicants.
This Derivative Policy aims to outline and discuss how the University handles the processing of the applicant’s personal information in accordance with the Data Privacy Act of 2012.
B. Definition of Terms
For the purposes of this Policy, the following definitions shall apply:
- Applicant refers to individuals who are applying as Student, Faculty, or Staff of the University;
- Data Privacy Act (DPA) refers to Republic Act No. 10173 or the Data Privacy Act of 2012;
- Data Processing System refers to either a computerized system or physical records which store, process, or transmit personal information or sensitive personal information owned or managed by a UP Diliman unit or office;
- Data Subject refers to an individual whose personal information is processed. For the purposes of this Policy, the term Data Subject shall refer to the applicant Students, Faculty, and Staff;
- IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
- NPC refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012;
- Personal Data refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
- Processing refers to any operation or any set of operations performed upon personal information, including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data; and
- Units and Offices refer to UP Diliman academic units and administrative offices.
CARDINAL PRINCIPLES OF DATA PRIVACY IN RELATION TO THE PROCESSING OF THE APPLICANT’S PERSONAL DATA
The University shall process the personal information of its applicants only after ensuring that the latter are apprised of the identification of the unit or office collecting their personal data; and the nature, purpose, and extent of its processing.
B. Legitimate Purpose
The University shall process its data subjects’ personal information in accordance with its declared and specified purpose only. Furthermore, its processing must not be contrary to law, morals, public policy, and pertinent issuances of this University.
The University processes personal data on the following grounds, to wit:
- In the performance of its obligations, exercise of its rights, and conduct of its associated functions as a:
  - Government instrumentality;
  - Higher education institution;
- In pursuance of its purpose and mandate under Act No. 1870 and Republic Act No. 9500;
- In the conduct of all acts reasonably foreseeable from and customarily performed by similar bodies;
- Deciding and acting for the holistic welfare of its students, their parents and guardians, faculty, staff, researchers, alumni, and the rest of the UP Diliman Community; and
- Managing and administering its internal and external affairs as an academic and research institution, government instrumentality, and juridical entity having its own rights and interests.
Corollary thereto, the University processes the collected personal data in accordance with the following laws, viz:
- The Data Privacy Act of 2012;
- The National Archives of the Philippines Act of 2007, including its Implementing Rules and Regulations, and other issuances;
- The UP Diliman Privacy Manual;
- The UP Diliman Records Management Policy;
- Policies, guidelines, and rules of the University of the Philippines System and UP Diliman;
- Executive Order No. 2, series of 2016 or the Freedom of Information and its related issuances; and
- Other laws or regulations in relation to, or which amend or repeal the foregoing.
The University shall constantly abide by the principle of data minimization wherein it shall only process personal data that are accurate, relevant, and necessary for the declared purpose(s).
Furthermore, it will not process personal data if the purposes of the processing could be reasonably fulfilled by other means.
PROCESSING OF PERSONAL DATA OF APPLICANTS
A. Collection of Personal Data
Collection of an applicant’s personal data may be done through various data-gathering forms such as, but not limited to, written records (e.g., UPCAT Form 1), data processing systems, and photographic and video images.
Collected personal data may include any of the following:
- Personal details (e.g., name, date of birth, sex, civil status);
- Contact Information (e.g., mobile number, email address, home address);
- Academic Information (e.g., educational background, scholastic records);
- Employment Information (e.g., Tax Identification Number (TIN), Philhealth ID Number, GSIS Membership, employee number);
- Applicant Information (e.g., former employment history, affiliations);
- Medical Information (e.g., physical examination, psychiatric evaluation, and drug test results); and
- Photographs or Videos (e.g., for the official documentation of University activities or events).
B. Use of Personal Data
The University’s use of the applicant’s personal data shall, at all times, be in line with its mandate. More particularly, the use of personal data may be any of the following:
- Academic, research, extra-curricular, student welfare and disciplinary purposes; 
- Administrative disciplinary purposes;
- Supervision of academic and research endeavors; 
- Management of human resources and supervision of work conduct; 
- Employee application processing and identity verification purposes;
- Documentation and record keeping purposes; 
- Customer, client, patent, or community service purposes; 
- Contractual and financial purposes; 
- Corporate governance and housekeeping; 
- Regulatory and audit purposes;
- Performance evaluation;
- Documentation of the University’s official activities and events;
- Identification of the necessity and legality of the purposes before or at the time the personal information is collected, used, and disclosed; and
- Other similar purposes.
In any case, the University shall only use the collected personal data in line with its declared purpose and in accordance with its mandate.
C. Storage, Retention, Disposal, and Destruction of Personal Data
The University shall ensure that all the personal data it collects and uses are stored in secured storage facilities in order to avoid any unauthorized access or use of the same. Moreover, it shall employ the necessary physical, organizational, and technical security measures to ensure that the stored personal data shall remain confidential, available, and unaltered.
It shall retain the applicant’s personal data only for as long as necessary and required by the pertinent laws, rules, and regulations such as the National Archives’ Circulars and the UP Diliman Records Management Policy.
Personal data shall be disposed of and destroyed in such a way that no part of the data will be exposed and its reconstitution is rendered impossible.
The University shall ensure that only authorized personnel shall have access to the personal data of its applicant. Moreover, their access to the same shall be strictly limited to the fulfillment of their respective duties in relation to the personal data involved. The access to personal data shall likewise be in line with the UP Diliman Data Classification Policy.
Only authorized University personnel may disclose or transfer personal data within the University as well as to external entities. Provided, however, that the same remains to be in line with the cardinal principles of data privacy.
Generally, a data subject’s consent is a prerequisite to the lawful processing of their personal data. However, the same is not absolute, as under the following conditions, the University may process an applicant’s personal data without the latter’s consent:
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
- The processing is necessary to protect vitally important interests of the data subject, including life and health;
- The processing is necessary in order to respond to national emergencies, to comply with the requirements of public order and safety, or to fulfill the functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
A. Organizational Security Measures
The University shall continuously develop and apply the appropriate organizational security measures such as, but not limited to, the following, in order to ensure the confidentiality, integrity, and availability of its applicant’s personal data:
- UP Diliman Privacy Manual;
- UP Diliman Data Classification Policy;
- Remote Work Privacy Guidelines;
- Data Protection in the Work Processes;
- UP Diliman Message and Communications Policy;
- UP Diliman Email Policy;
- Other pertinent University issuances.
B. Physical Security Measures
The University shall ensure that the physical storage of its applicant’s personal data is always secure. Access to these storage facilities shall also be limited to authorized personnel.
Furthermore, the University shall ensure that in the course of processing applicant’s personal data, the physical security measures prescribed by the UP Diliman Privacy Manual are observed.
C. Technical Security Measures
The University shall apply the appropriate technical security measures to ensure that its applicant’s personal data remain confidential, available, and unaltered at all times. It shall adopt the necessary provisions on the Technical Security Measures in the UP Diliman Data Privacy Manual and the National Privacy Commission’s Circular on the Security of Personal Data in Government Agencies.
RIGHTS OF THE DATA SUBJECT
A. Right to be Informed
Every applicant has the right to be informed of the purpose of the collection, use, disclosure, and other operations involving the processing of their personal data. This includes how the data will be processed, and the offices or units that will process or handle the same.
B. Right to Access
Every applicant has the right, subject to pertinent laws and University rules and regulations, to reasonable access to their personal data processed by the University.
C. Right to Object, and Right to Correct or Rectify
Every applicant has the right to dispute the accuracy of their personal data and have the same rectified or corrected as necessary.
D. Right to Erasure or Blocking
These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. However, this may be exercised if there is substantial proof that the processing of Personal Data is unlawful.
E. Right to Data Portability
Every applicant has the right, subject to pertinent laws and University rules and regulations, to request a copy of their personal data in a format that is commonly used and allows further use.
F. Right to File a Complaint and Right to Damages
Every applicant has the right to file a complaint if their personal information has been misused, maliciously or improperly disclosed, or any of the aforementioned rights have been violated. Moreover, they have the right to be indemnified for any damage they have suffered by reason of the said violation(s).
 Section 2, Republic Act No. 9500 provides:
SEC. 2. Declaration of Policy. – The University of the Philippines is hereby declared as the national university.
 University of the Philippines College Admission Test (UPCAT) Online Application https://upcatonline.up.edu.ph/ and University of the Philippines Integrated School (UPIS) Admission https://www.upis.upd.edu.ph/admissions.html.
 University of the Philippines Diliman Human Resource Development Office Job Application Process https://hrdo.upd.edu.ph/articles/3/job-application-process
 Sec. 3(b), Republic Act No. 10173
 AN ACT FOR THE PURPOSE OF FOUNDING A UNIVERSITY FOR THE PHILIPPINE ISLANDS, GIVING IT CORPORATE EXISTENCE, PROVIDING FOR A BOARD OF REGENTS, DEFINING THE BOARD’S RESPONSIBILITIES AND DUTIES, PROVIDING HIGHER AND PROFESSIONAL INSTRUCTION, AND FOR OTHER PURPOSES, 18 June 1908
 AN ACT TO STRENGTHEN THE UNIVERSITY OF THE PHILIPPINES AS THE NATIONAL UNIVERSITY, 29 April 2008
 University of the Philippines Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019
 Data Protection Office Memorandum No. EBM 20-07, 26 May 2020
 Art. 5(1)(c), General Data Protection Regulation (GDPR)
 See Note 7
 Data Protection Office Memorandum No. EBM 20-06, 11 May 2020
 Sec. 12, R.A. No. 10173
 See Note 19
 Data Protection Office Memorandum No. 20-04, 20 March 2020
 Office of the Chancellor Memorandum No. MLT 19-112, 25 March 2019
 Office of the Chancellor Memorandum No. MLT 18-135
 Data Protection Office Memorandum No. 20-05, 05 May 2020
 See Note 7
 National Privacy Commission Circular No. 16-01, 10 October 2016
 UP Diliman Data Subject Rights and Responsibilities, Part I (E).