REVISED PRIVACY POLICY FOR PATIENTS, CLIENTS AND CUSTOMERS

UNIVERSITY OF THE PHILIPPINES DILIMAN

PART I.

PRELIMINARY PROVISIONS

A. Scope

The University of the Philippines – Diliman (“University”), in the performance of its mandate not only as the country’s national university, [1] but also as a government agency and a juridical entity having a separate and distinct set of rights and interests, processes the personal information of its patients, clients, and customers.

Thus, there is a need to ensure that in the fulfillment of its mandate, the personal information of its patients, clients, and customers is protected.

This Derivative Policy aims to outline and discuss how the University handles the processing of its patients, clients, and customers’ personal information in accordance with the Data Privacy Act of 2012.

B. Definition of Terms 

For the purposes of this Policy, the following definitions shall apply:

  1. Data Privacy Act (DPA) refers to Republic Act No. 10173 or the Data Privacy Act of 2012;
  2. Data Processing System refers to either a computerized system or physical records that store, process or transmit personal information or sensitive personal information owned or managed by your UP Diliman unit or office;
  3. Data Subject refers to an individual whose personal information is processed.[2] For the purposes of this Policy, the term Data Subject shall refer to the University’s patients, clients, and customers;
  4. Health care refers to services provided to an individual to promote, maintain, monitor, or restore health.[3] These services refer to both in-patient and out-patient services;
  5. IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
  6. NPC refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012;
  7. Patient refers to a person receiving health care;[4]
  8. Personal Data refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
  9. Privacy Risk refers to the potential loss of control over personal information when a threat exploits a vulnerability;
  10. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data; and
  11. Units and Offices refers to UP Diliman academic units and administrative offices.

PART II.

CARDINAL PRINCIPLES OF DATA PRIVACY IN RELATION TO THE PROCESSING OF THE PERSONAL DATA OF ITS PATIENTS, CLIENTS, AND CUSTOMERS

A. Transparency

The University shall process the personal information of its patients, clients, and customers only after ensuring that the latter are apprised of the identity of the office or unit collecting their personal data, and of the nature, purpose, and extent of its processing.

B. Legitimate Purpose

The University shall process its data subjects’ personal information in accordance with its declared and specified purpose only. Furthermore, its processing must not be contrary to law, morals, public policy, and pertinent issuances of this University. 

The University processes personal data on the following grounds, to wit: 

  1. In the performance of its obligations, the exercise of its rights, and the conduct of its associated functions as a:
    1. Government instrumentality;
    2. Higher education institution;
  2. In pursuance of its purpose and mandate under Act No. 1870[5] and Republic Act No. 9500[6];
  3. In the conduct of all acts reasonably foreseeable from and customarily performed by similar bodies;
  4. Deciding and acting for the holistic welfare of its students, their parents and guardians, faculty, staff, researchers, alumni, and the rest of the UP Diliman Community; and
  5. Managing and administering its internal and external affairs as an academic and research institution, government instrumentality, and juridical entity having its own rights and interests;[7]
  6. Processing of medical, physical, psychiatric and psychological information of patients that is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured;
  7. Processing of the data subjects’ personal data that is compatible with the declared and specified purpose, which must not be contrary to law, morals, or public policy, wherein there is transparency in obtaining consent and proportionality in processing data;
  8. Application and verification purposes;
  9. Records and account creation, update and maintenance purposes;
  10. Security and community affairs purposes;
  11. Customer, client, patient, or community service purposes;
  12. Contractual and financial purposes; and
  13. Corporate governance and housekeeping, regulatory and audit purposes.

Corollary thereto, the University processes the collected personal data in accordance with the following laws, viz.:

  1. The Data Privacy Act of 2012;
  2. The National Archives of the Philippines Act of 2007, including its Implementing Rules and Regulations, and other issuances;
  3. The UP Diliman Privacy Manual;
  4. The UP Diliman Records Management Policy;[8]
  5. Policies, guidelines, and rules of the University of the Philippines System and UP Diliman;
  6. Executive Order No. 2, series of 2016, or the Freedom of Information Order, and its related issuances; and
  7. Other laws or regulations in relation to, or which amend or repeal, the foregoing.

C. Proportionality

The University shall constantly abide by the principle of data minimization wherein it shall only process personal data that are accurate, relevant, and necessary for the declared purpose(s).[9]

Furthermore, it will not process personal data if the purposes of the processing could be reasonably fulfilled by other means.

PART III.

PROCESSING OF PERSONAL DATA OF PATIENTS, CLIENTS, AND CUSTOMERS

A. Collection of Personal Data

Collection of patients’, clients’, and customers’ personal data may be done through various data-gathering forms, whether in electronic or online format or in printed format (e.g., in-patient record forms, health assessment forms, information request forms), and through photographic and video images.

Collected personal data may include any of the following:

  1. Personal details (e.g., name, date of birth, sex, civil status);
  2. Contact Information (e.g., mobile number, email address, home address);
  3. Academic Information (e.g., educational background, scholastic records);
  4. Employment Information (e.g., Tax Identification Number (TIN), PhilHealth ID Number, GSIS Membership, employee number);
  5. Medical Information (e.g., physical examination, psychiatric evaluation, and drug test results); and
  6. Photographs or Videos (e.g., for the official documentation of University activities or events, CCTV footage).

B. Use of Personal Data

The University’s use of its patients, clients, and customers’ personal data shall, at all times, be in line with its mandate.[10] More particularly, the use of personal data may be any of the following:

  1. Management of human resources and supervision of work conduct; [11]
  2. Employee application processing and identity verification purposes;
  3. Documentation and record keeping purposes; [12]
  4. Customer, client, patient, or community service purposes; [13]
  5. Regulatory and audit purposes;[14]
  6. Supervision of academic and research endeavors; [15]
  7. Documentation of the University’s official activities and events;
  8. Community and security affairs purposes; and
  9. Other similar purposes.

In any case, the University shall only use the collected personal data in line with its declared purpose and in accordance with its mandate.

C. Storage, Retention, Disposal, and Destruction of Personal Data 

The University shall ensure that all the personal data it collects and uses are stored in secured storage facilities in order to avoid any unauthorized access to or use of the same. Moreover, it shall employ the necessary physical, organizational, and technical security measures to ensure that the stored personal data remain confidential, available, and unaltered.

It shall retain its patients, clients, and customers’ personal data only for as long as necessary and required by the pertinent laws, rules, and regulations such as the National Archives’ Circulars and the UP Diliman Records Management Policy.

Personal data shall be disposed of and destroyed in such a way that no part of the data will be exposed and its reconstitution rendered impossible.

D. Access

The University shall ensure that only the authorized personnel shall have access to the personal data of its patients, clients, and customers. Moreover, their access to the same shall be strictly limited to the fulfillment of their respective duties in relation to the personal data involved. The access to personal data shall likewise be in line with the UP Diliman Data Classification Policy.[16]

E. Disclosure 

Only authorized University personnel may disclose or transfer personal data within the University as well as to external entities; provided, however, that such disclosure or transfer remains in line with the cardinal principles of data privacy.

PART IV.

CONSENT

Generally, a data subject’s consent is a prerequisite to the lawful processing of their personal data. However, this requirement is not absolute: under the following conditions, the University may process a patient’s, client’s, or customer’s personal data without the latter’s consent:[17]

  1. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
  2. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
  3. The processing is necessary to protect vitally important interests of the data subject, including life and health;
  4. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
  5. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

PART V.

SECURITY MEASURES

A. Organizational Security Measures 

The University shall continuously develop and apply the appropriate organizational security measures such as, but not limited to the following, in order to ensure the confidentiality, integrity, and availability of its faculty’s personal data:

  1. UP Diliman Privacy Manual;
  2. UP Diliman Data Classification Policy;[18]
  3. Remote Work Privacy Guidelines;[19]
  4. Data Protection in the Work Processes;[20]
  5. UP Diliman Message and Communications Policy;[21]
  6. UP Diliman Email Policy;[22]
  7. Magna Carta of Patients Rights and Obligations Act of 2017; and
  8. Other pertinent University issuances.

B. Physical Security Measures 

The University shall ensure that the physical storage of its patients’, clients’, and customers’ personal data is always secured. Moreover, access to these storage facilities shall be limited to authorized personnel only.

Furthermore, the University shall ensure that in the course of processing its patients, clients, and customers’ personal data, the physical security measures prescribed by the UP Diliman Privacy Manual are observed.[23]

C. Technical Security Measures 

The University shall apply the appropriate technical security measures to ensure that its patients, clients, and customers’ personal data remain confidential, available, and unaltered at all times. It shall adopt the necessary provisions on the Technical Security Measures[24] in the UP Diliman Data Privacy Manual and the National Privacy Commission’s Circular on the Security of Personal Data in Government Agencies.[25]

PART VI.

RIGHTS OF THE DATA SUBJECT

A. Right to be Informed

Every patient, client, or customer has the right to be informed of the purpose of the collection, use, disclosure, and other operations involving the processing of their personal data. This includes how the data will be processed, and the offices or units that will process or handle the same.

B. Right to Access

Every patient, client, or customer has the right, subject to pertinent laws and University rules and regulations, to the reasonable access to their personal data processed by the University.

C. Right to Object, and Right to Correct or Rectify

Every patient, client, or customer has the right to dispute the accuracy of their personal data and to have the same rectified or corrected.

D. Right to Erasure or Blocking 

These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. It may be exercised if there is a substantial proof that the processing of Personal Data is unlawful.[26]

E. Right to Data Portability 

Every patient, client, or customer has the right, subject to pertinent laws and University rules and regulations, to request a copy of their personal data in a format that is commonly used and allows further use.

F. Right to File a Complaint and Right to Damages

Every patient, client, or customer has the right to file a complaint in the event that their personal information has been misused, maliciously or improperly disclosed, or any of the aforementioned rights have been violated. Moreover, they have the right to be indemnified for any damage they have suffered by reason of the said violation(s).

[1] Section 2, Republic Act No. 9500 provides:

SEC. 2. Declaration of Policy. – The University of the Philippines is hereby declared as the national university.

[2] Sec. 3(b), Republic Act No. 10173

[3] Definitions of Key Concepts from the World Health Organization Patient Safety Curriculum, https://www.who.int/patientsafety/education/curriculum/course1a_handout.pdf

[4] Ibid.

[5] AN ACT FOR THE PURPOSE OF FOUNDING A UNIVERSITY FOR THE PHILIPPINE ISLANDS, GIVING IT CORPORATE EXISTENCE, PROVIDING FOR A BOARD OF REGENTS, DEFINING THE BOARD’S RESPONSIBILITIES AND DUTIES, PROVIDING HIGHER AND PROFESSIONAL INSTRUCTION, AND FOR OTHER PURPOSES, 18 June 1908

[6] AN ACT TO STRENGTHEN THE UNIVERSITY OF THE PHILIPPINES AS THE NATIONAL UNIVERSITY, 29 April 2008

[7] University of the Philippines Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019

[8] Data Protection Office Memorandum No. EBM 20-07, 26 May 2020

[9] Art. 5(1)(c), General Data Protection Regulation (GDPR)

[10] See Note 7.

[11] Ibid.

[12] Ibid.

[13] Ibid.

[14] Ibid.

[15] Ibid.

[16] Data Protection Office Memorandum No. EBM 20-06, 11 May 2020

[17] Sec. 12, R.A. No. 10173

[18] See Note 16.

[19] Data Protection Office Memorandum No. 20-04, 20 March 2020

[20] Office of the Chancellor Memorandum No. MLT 19-112, 25 March 2019

[21] Office of the Chancellor Memorandum No. MLT 18-135

[22] Data Protection Office Memorandum No. 20-05, 05 May 2020

[23] See Note 7.

[24] Ibid.

[25] National Privacy Commission Circular No. 16-01, 10 October 2016

[26] UP Diliman Data Subject Rights and Responsibilities, Part I (E).