UNIVERSITY OF THE PHILIPPINES DILIMAN
The members of the faculty perform a vital role in the fulfillment of the University’s mandate as the country’s national university. In the course of the latter’s discharge of its mandate, it must protect the personal information of its faculty members.
This Derivative Policy aims to outline and discuss how the University handles the processing of the faculty’s personal information in accordance with the Data Privacy Act of 2012.
B. Definition of Terms
For the purposes of this Policy, the following definitions shall apply:
- Data Privacy Act (DPA) refers to Republic Act No. 10173 or the Data Privacy Act of 2012;
- Data Processing System refers to either a computerized system or physical records that store, process, or transmit personal information or sensitive personal information owned or managed by your UP Diliman unit or office;
- Data Subject refers to an individual whose personal information is processed. For the purposes of this Policy, the term Data Subject shall refer to the members of the faculty;
- Faculty refers to the teaching staff of each academic unit, comprising both regular and non-regular faculty members;
- IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
- NPC refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012;
- Personal Data refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
- Privacy Risk refers to the potential loss of control over personal information when a threat exploits a vulnerability;
- Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data; and
- Units and Offices refers to UP Diliman academic units and administrative offices.
CARDINAL PRINCIPLES OF DATA PRIVACY IN RELATION TO THE PROCESSING OF THE FACULTY’S PERSONAL DATA
The University shall process the personal information of its faculty only after ensuring that the latter are apprised of the identification of the office or unit collecting their personal data; and the nature, purpose, and extent of its processing.
B. Legitimate Purpose
The University shall process its data subjects’ personal information in accordance with its declared and specified purpose only. Furthermore, its processing must not be contrary to law, morals, public policy, and pertinent issuances of this University.
The University processes personal data on the following grounds, to wit:
- In the performance of its obligations, exercise of its rights, and conduct of its associated functions as a:
  - Government instrumentality; and
  - Higher education institution;
- In pursuance of its purpose and mandate under Act No. 1870 and Republic Act No. 9500;
- In the conduct of all acts reasonably foreseeable from and customarily performed by similar bodies;
- Deciding and acting for the holistic welfare of its students, their parents and guardians, faculty, staff, researchers, alumni, and the rest of the UP Diliman Community; and
- Managing and administering its internal and external affairs as an academic and research institution, government instrumentality, and juridical entity having its own rights and interests.
Corollary thereto, the University processes the collected personal data in accordance with the following laws, viz:
- The Data Privacy Act of 2012;
- The National Archives of the Philippines Act of 2007, including its Implementing Rules and Regulations, and other issuances;
- The UP Diliman Privacy Manual;
- The UP Diliman Records Management Policy;
- Policies, guidelines, and rules of the University of the Philippines System and UP Diliman;
- Executive Order No. 2, series of 2016 or the Freedom of Information and its related issuances;
- Other laws or regulations in relation to, or which amend or repeal the foregoing.
The University shall constantly abide by the principle of data minimization wherein it shall only process personal data that are accurate, relevant, and necessary for the declared purpose(s).
Furthermore, it will not process personal data if the purposes of the processing could be reasonably fulfilled by other means.
PROCESSING OF PERSONAL DATA OF FACULTY
A. Collection of Personal Data
Collection of faculty’s personal data may be done through various data-gathering forms such as, but not limited to, written records (e.g., Personal Data Sheet) and photographic and video images.
Collected personal data may include any of the following:
- Personal details (e.g., name, date of birth, sex, civil status);
- Contact Information (e.g., mobile number, email address, home address);
- Academic Information (e.g., educational background, scholastic records);
- Employment Information (e.g., Tax Identification Number (TIN), PhilHealth ID Number, GSIS Membership, employee number);
- Applicant Information (e.g., former employment history, affiliations);
- Medical Information (e.g., physical examination, psychiatric evaluation, and drug test results);
- Photographs or Videos (e.g., for the official documentation of University activities or events).
B. Use of Personal Data
The University’s use of the faculty’s personal data shall, at all times, be in line with its mandate. More particularly, the use of personal data may be any of the following:
- Academic, research, extra-curricular, student welfare and disciplinary purposes; 
- Administrative disciplinary purposes;
- Supervision of academic and research endeavors; 
- Management of human resources and supervision of work conduct; 
- Employee application processing and identity verification purposes;
- Documentation and record keeping purposes; 
- Customer, client, patent, or community service purposes; 
- Contractual and financial purposes; 
- Corporate governance and housekeeping; 
- Regulatory and audit purposes;
- Performance evaluation;
- Documentation of the University’s official activities and events; and
- Other similar purposes.
In any case, the University shall only use the collected personal data in line with its declared purpose and in accordance with its mandate.
C. Storage, Retention, Disposal, and Destruction of Personal Data
The University shall ensure that all the personal data it collects and uses are stored in secured storage facilities in order to avoid any unauthorized access to or use of the same. Moreover, it shall employ the necessary physical, organizational, and technical security measures to ensure that the stored personal data shall remain confidential, available, and unaltered.
It shall retain the faculty’s personal data only for as long as necessary and required by the pertinent laws, rules, and regulations such as the National Archives’ Circulars and the UP Diliman Records Management Policy.
Personal data shall be disposed of and destroyed in such a way that no part of the data will be exposed and that its reconstitution is rendered impossible.
The University shall ensure that only the authorized personnel shall have access to the personal data of its faculty. Moreover, their access to the same shall be strictly limited to the fulfillment of their respective duties in relation to the personal data involved. The access to personal data shall likewise be in line with the UP Diliman Data Classification Policy.
Only the authorized University personnel may disclose or transfer personal data within the University as well as to external entities; provided, however, that the same remains in line with the cardinal principles of data privacy.
Generally, a data subject’s consent is a prerequisite to the lawful processing of their personal data. However, the same is not absolute, as under the following conditions, the University may process a faculty’s personal data without the latter’s consent:
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
- The processing is necessary to protect vitally important interests of the data subject, including life and health;
- The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
A. Organizational Security Measures
The University shall continuously develop and apply the appropriate organizational security measures such as, but not limited to, the following, in order to ensure the confidentiality, integrity, and availability of its faculty’s personal data:
- UP Diliman Privacy Manual;
- UP Diliman Data Classification Policy;
- Remote Work Privacy Guidelines;
- Data Protection in the Work Processes;
- UP Diliman Message and Communications Policy;
- UP Diliman Email Policy;
- Other pertinent University issuances.
B. Physical Security Measures
The University shall ensure that the physical storage of its faculty’s personal data is always secured. Moreover, access to these storage facilities shall be limited only to authorized personnel.
Furthermore, the University shall ensure that in the course of processing faculty’s personal data, the physical security measures prescribed by the UP Diliman Privacy Manual are observed.
C. Technical Security Measures
The University shall apply the appropriate technical security measures to ensure that its faculty’s personal data remain confidential, available, and unaltered at all times. It shall adopt the necessary provisions on the Technical Security Measures in the UP Diliman Data Privacy Manual and the National Privacy Commission’s Circular on the Security of Personal Data in Government Agencies.
RIGHTS OF THE DATA SUBJECT
A. Right to be Informed
Every faculty member has the right to be informed of the purpose of the collection, use, disclosure, and other operations involving the processing of their personal data. This includes how the data will be processed, and the offices or units that will process or handle the same.
B. Right to Access
Every faculty member has the right, subject to pertinent laws and University rules and regulations, to reasonable access to their personal data processed by the University.
C. Right to Object, and Right to Correct or Rectify
Every faculty member has the right to dispute the accuracy of their personal data and have the same rectified or corrected.
D. Right to Erasure or Blocking
These rights of erasure and blocking do not apply to Personal Data, documents, records, and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. They may be exercised if there is substantial proof that the processing of Personal Data is unlawful.
E. Right to Data Portability
Every faculty member has the right, subject to pertinent laws and University rules and regulations, to request a copy of their personal data in a format that is commonly used and allows further use.
F. Right to File a Complaint and Right to Damages
Every faculty member has the right to file a complaint in the event that their personal information has been misused, maliciously or improperly disclosed, or any of the aforementioned rights have been violated. Moreover, they have the right to be indemnified for any damage they have suffered by reason of the said violation(s).
 Section 2, Republic Act No. 9500 provides:
SEC. 2. Declaration of Policy. – The University of the Philippines is hereby declared as the national university.
 Sec. 3(b), Republic Act No. 10173
 University of the Philippines Diliman Faculty Manual (2003)
 The University of the Philippines Diliman Faculty Manual provides that the following are deemed as regular members of the teaching staff, to wit:
- Professors, Associate Professors, Assistant Professors, Instructors; and
- Research/Extension Faculty are researchers/extension specialists who are given teaching assignments
On the other hand, the following are considered as non-regular members of the teaching staff:
- Affiliate Faculty;
- Visiting Professor;
- Adjunct Professor;
- Exchange Professor; and
- Teaching Associate/Fellow
 AN ACT FOR THE PURPOSE OF FOUNDING A UNIVERSITY FOR THE PHILIPPINE ISLANDS, GIVING IT CORPORATE EXISTENCE, PROVIDING FOR A BOARD OF REGENTS, DEFINING THE BOARD’S RESPONSIBILITIES AND DUTIES, PROVIDING HIGHER AND PROFESSIONAL INSTRUCTION, AND FOR OTHER PURPOSES, 18 June 1908
 AN ACT TO STRENGTHEN THE UNIVERSITY OF THE PHILIPPINES AS THE NATIONAL UNIVERSITY, 29 April 2008
 University of the Philippines Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019
 Data Protection Office Memorandum No. EBM 20-07, 26 May 2020
 Art. 5(1)(c), General Data Protection Regulation (GDPR)
 See Note 7
 Data Protection Office Memorandum No. EBM 20-06, 11 May 2020
 Sec. 12, R.A. No. 10173
 See Note 19
 Data Protection Office Memorandum No. 20-04, 20 March 2020
 Office of the Chancellor Memorandum No. MLT 19-112, 25 March 2019
 Office of the Chancellor Memorandum No. MLT 18-135
 Data Protection Office Memorandum No. 20-05, 05 May 2020
 See Note 7
 National Privacy Commission Circular No. 16-01, 10 October 2016
 UP Diliman Data Subject Rights and Responsibilities, Part I (E).