UNIVERSITY OF THE PHILIPPINES DILIMAN
This policy guides the UP Diliman Students, Parents and Guardians whose personal information, sensitive personal information and privileged information are processed by the University.
As mandated by Republic Act No. 9500 otherwise known as The University of the Philippines Charter of 2008, UP Diliman shall uphold the purpose of performing its unique and distinctive leadership in higher education and development.
This policy aims to give information to the Students, Parents and Guardians of UP Diliman on how the University collects and processes Personal Data.
The UP Diliman shall continue to promote the culture of privacy within the regulations and measures set by the Data Privacy Act of 2012 and issuances by the UP Diliman Data Protection Office.
B. Definition of Terms
For the purpose of this Policy, the following definitions shall apply:
- Data Privacy Act (DPA) refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
- Data Processing System refers to either a computerized system or physical records that store, process or transmit personal information or sensitive personal information owned or managed by your UP Diliman unit or office;
- Data Subject refers to an individual whose personal information is processed. For the purposes of this Policy, the term Data Subject shall refer to Students, Parents and Guardians;
- IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
- Parents or Guardians refers to the head of the institution or foster home which has the custody of the student;
- Personal Data refers to all types of personal information, sensitive personal information and privileged information under the Data Privacy Act of 2012 and its Implementing Rules and Regulations;
- Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- Privacy Risk refers to the potential loss of control over personal information when a threat exploits a vulnerability;
- Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data;
- Security incident refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result in a personal data breach, if not for safeguards that have been put in place;
- Student refers to those enrolled in, engaged in formal study at, and regularly attending the University; and
- Units and Offices refers to UP Diliman academic units and administrative offices.
DATA COLLECTION AND PROTECTION OF PERSONAL DATA OF STUDENTS, PARENTS, AND GUARDIANS
A. Data Life Cycle
Personal Data collected undergoes a cycle which the University must keep track of and protect at every stage. The Students, Parents and Guardians must be mindful of the stages and cycle.
- Collection of Personal Data
The University collects Personal Data upon application for admission, registration for enrolment and during the course of Student, Parent and Guardian’s engagement in the University.
UP Diliman collects Personal Data of Students, Parents and Guardians including but not limited to:
- Personal details such as name, birth, gender, civil status and affiliations;
- Contact information such as address, email, mobile and telephone numbers;
- Academic information such as grades, course and academic standing;
- Medical information such as physical, psychiatric and psychological information.
The UP Diliman generally collects personal information that is necessary only for the purposes identified in this Policy and in line with the functions of the University, through various forms and documents depending on the procedures set by the academic units and administrative offices.
The UP Diliman collects personal information in accordance with the provisions of the UP Charter of 2008 and Data Privacy Act of 2012.
- Storage and Transmission of data
The created and collected personal data are stored in physical and electronic “Data Processing Systems”, i.e., secure locations and databases assigned by each academic unit and administrative office of UP Diliman; such systems are defined under National Privacy Commission Circular No. 17-01.
These personal data are transmitted in accordance with the procedures set by UP Diliman and its units and offices. There are safety measures that should be implemented to prevent unauthorized access, disclosure or use and data loss.
The UP Diliman shall maintain applicable security measures found in the Information Security Policy and Physical and Organization Security Policy issued by UP Diliman Data Protection Office.
- Use of Personal Data
Authorized UP Staff and Faculty shall have access to use the personal data collected from Students, Parents and Guardians under the guidance and agreement of the University for the purposes given by the UP Charter of 2008 and the following:
a. Academic purposes such as:
- Admissions and compliance with CHED Orders and Memoranda;
- Scholastic, Recognition and Award Programs;
- Processing of raw or final grades, including evaluation and use of grades to make and act on decisions about students;
- Formulation, study of, and implementation of UP Diliman’s policies, guidelines, procedures, processes, rules and regulations;
b. Extra-curricular purposes such as:
- Regulation of student organizations and bodies;
- Collaborations with public and private agencies and institutions;
- School activities, socialization programs, scouting, training programs, Guidance and similar programs;
c. Medical purposes such as:
- Rendering of medical, dental, psychiatric and psychological aid, whether in emergency situations or otherwise;
- Keeping of health records and medical histories to understand patient context and tendencies;
d. Student assistance purposes such as:
- Provision of legal, scholarship, financial, athletic, dormitory assistance;
- Provision of tutorial, mentorship or internship assistance;
- Provision of necessary assistance to the family in cases of emergencies, calamities and pandemics;
e. Student disciplinary purposes such as:
- Conducting investigations and disciplinary measures for violation of the University’s rules and regulations, hearing of cases or evaluating matters related to UP Diliman policies, guidelines and rules;
- Determining sanctions;
- Implementation of laws or orders of government authorities;
f. Records and account purposes;
g. Security and community affairs purposes;
h. Purposes necessary for UP Diliman to perform its obligations, exercise its rights, and conduct its associated functions as a higher education institution, an instrumentality of the government, and as a juridical entity with its own rights, interests and internal and external affairs; and
i. Identification of the necessity and legality of the purposes before or at the time the personal information is collected, stored, used, disclosed and disposed.
- Retention of data
The retention of files or documents containing Personal Data, whether in physical or electronic format, shall be classified in accordance with the guidelines set by:
- The Data Privacy Act of 2012, National Archives of the Philippines Act of 2007 and their Implementing Rules and Regulations;
- Policies, guidelines, and rules of the UP System and UP Diliman on data privacy, record keeping, record monitoring and management, such as UP Diliman Data Classification Policy and UP Diliman Records Management Policy, research and ethical codes of conduct; and
- Executive and regulatory issuances such as those on Freedom of Information.
- Disposal and destruction of data
When the disposal or permanent deletion of records (including personal data) is deemed necessary, this may be done through shredding, burning, pulping or any other means that ensures it is impossible to reconstruct the information contained therein.
B. Data Privacy Principles
Each stage of the data life cycle shall observe the data privacy principles of transparency, legitimate purpose and proportionality.
- Transparency
The Data Subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller (i.e., UP Diliman and its academic units and administrative offices), his or her rights as Data Subject, and how those rights can be exercised. Any information and communication relating to the processing of personal data should be easily accessible and understandable, in clear and simple language.
- Legitimate Purpose
The University of the Philippines, declared the country’s national university by the UP Charter of 2008, is mandated to perform its purpose: as “a public and secular institution of higher learning, and a community of scholars dedicated to the search for truth and knowledge as well as the development of future leaders, the University of the Philippines shall perform its unique and distinctive leadership in higher education and development.”
The processing of Students, Parents and Guardians’ personal data is necessary to perform the purpose and function of the University.
Corollary thereto, the University processes the collected personal data in accordance with the following laws, namely:
- The Data Privacy Act of 2012;
- The National Archives of the Philippines Act of 2007, including its Implementing Rules and Regulations, and other issuances;
- The UP Diliman Privacy Manual;
- The UP Diliman Records Management Policy;
- Policies, guidelines, and rules of the University of the Philippines System and UP Diliman;
- Executive Order No. 2, series of 2016, on Freedom of Information, and its related issuances;
- Other laws or regulations in relation to, or which amend or repeal the foregoing.
- Proportionality
The processing of personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to the legitimate purpose or its objective.
In observing the privacy principles, it must be noted that at all stages of the data life cycle, UP Diliman’s units and offices shall implement the essential measures to protect the personal data of the Students, Parents and Guardians.
C. Security Measures
UP Diliman is responsible for maintaining and protecting the personal information under its control. The University assigns individuals who are in charge of the collection and safekeeping of personal data and of compliance with UP Diliman’s data privacy policies.
The security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human danger such as unauthorized access, fraudulent misuse, unlawful destruction, alteration and contamination.
- Organizational Security Measures
a. UP Diliman Staff and Faculty attend the regular training provided by the UP Diliman Data Protection Office.
b. Each of the academic units and administrative offices is represented by a Privacy Focal Person (PFP) to support the UP Diliman Data Protection Office and implement privacy and security initiatives for the unit or office concerned.
c. The PFPs shall identify privacy risks by conducting privacy impact assessments and propose measures intended to address the risks.
- Physical Security Measures
a. The personal data collected are in either physical or electronic format. All records shall be kept in a secured location and in locked filing cabinets.
b. Only authorized UP Diliman Staff and Faculty shall be allowed to enter or access storage locations, facilities and devices containing personal data. Other personnel may be granted access upon approval of the Data Protection Officer upon request of the head and the PFP of the concerned UP Diliman unit or office.
c. UP Diliman Staff and Faculty should always protect all printed and electronic personal data. Laptop and desktop computers shall be locked upon leaving the workstation. Passwords/Passphrases shall not be written down or exposed to others.
- Technical Security Measures
Technical security measures provide the techniques used for authentication and for protection against theft of sensitive data and information. They authenticate users’ logins and data so that only verified users and applications can read and access data and applications. The following technical security measures will guide UP Diliman Staff and Faculty in avoiding risks and security breaches.
a. UP students, faculty and staff shall communicate using UP Mail (@up.edu.ph) or UP Webmail (@upd.edu.ph), for standard encryption, professionalism and institutional identity.
b. Passphrases, such as a sentence or a combination of words, shall be used as passwords instead of a single word.
c. Data containing personal information shall be backed up regularly. The more important the data, and the more often they change, the more frequent the backup should be.
d. Within two (2) hours from discovery of a Security Incident or Personal Data Breach, any person, whether or not connected with UP Diliman, should report the incident by email to email@example.com and/or by phone call to both the UP Diliman Data Protection Officer and the Privacy Focal Person having jurisdiction over the unit involved, following the Security Incident Management Policy.
The UP Diliman Data Protection Office has provided a guide to protecting UP Diliman’s information and information systems, to ensure their confidentiality, integrity and availability, in the Information Security Policy.
ACCESS TO PERSONAL DATA
Only authorized UP Diliman Staff and Faculty are allowed to access personal information. Authorized personnel may differ in every unit in UP Diliman.
Contractors, Consultants and Service Providers can access the personal information but shall be governed by strict procedures contained in formal contracts, whose provisions must comply with the Data Privacy Act of 2012, its IRR, and all applicable issuances by the NPC and UP Diliman. The terms of the contract and undertakings given should be subject to review and audit to ensure compliance.
UP Diliman may disclose data subject’s personal information to others in connection with the purpose for which it was collected, or as consented to by the data subjects, or as required or permitted by law.
Authorized users of personal information shall abide with the UP System Policy on Acceptable Use of information assets found in https://upd.edu.ph/aup/.
Authorized users who access personal information online shall have their identity authenticated via a secure encrypted link and shall use the security measures prescribed in this policy and other relevant security policies of the University.
Personal data can be shared with other organizations or institutions.
To pursue the University’s legitimate purpose, UP Diliman may share or disclose personal information to other organizations or government institutions.
Personal data can also be shared through anonymization. Information is considered anonymized if there is no possible means to identify the data subject, that is, UP Diliman’s offices and units and/or any other person are incapable of singling out an individual in a data set, of linking two records within a data set (or between two separate data sets), and of identifying the individual from any information in such a data set.
It should be noted that shared anonymized data can never be used directly or indirectly to identify a person.
Personal data can be accessed by the Students, Parents and Guardians.
The personal information of Students, Parents and Guardians shall be available to them upon a request and in accordance with Data Privacy Act of 2012 and UP Diliman Data Protection Office issuances.
UP Diliman’s academic units and administrative offices shall set guidelines for Students, Parents and Guardians in accessing and requesting updates to their personal information. The said guidelines shall include:
- An access request form shall be given to the Data Subject upon request;
- UP Diliman units/offices shall assess and evaluate the validity of the request;
- Provide access to the Data Subject in accordance with UP Diliman’s policies and rules.
Accurate and up-to-date personal data
UP Diliman shall make sure that personal data are, based on the DPA, “accurate, relevant, and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date”, because any inaccurate or incomplete data may result in incorrect decisions and interpretations of the data collected.
The DPA further states that “inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.”
We also note that when updating contact information, careful attention is needed to avoid risks of sending personal information and/or sensitive personal information to unintended recipient/s.
Generally, a data subject’s consent is a prerequisite to the lawful processing of their personal data. However, the same is not absolute, as under the following conditions, the University may process a faculty’s personal data without the latter’s consent:
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
- The processing is necessary to protect vitally important interests of the data subject, including life and health;
- The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
RIGHTS OF THE DATA SUBJECT
Access to personal data is one of the rights of the Data Subject. Other than the right to access, the Students, Parents and Guardians have the following rights that must be observed by UP Diliman:
A. Right to be Informed
This right answers questions such as “Why do you collect my personal data, and what will you do with it?”, “How will you process my personal data?”, “Who can I contact for questions?”, “How will you protect my personal data?”, and “How can I exercise my rights?”
UP Diliman and its academic units and administrative offices have the obligation to inform Data Subjects of how their personal information is being processed. The units or offices may use various forms (e.g., privacy notice, consent form, bulletin) to let Data Subjects be aware of and understand the type of processing that UP Diliman is undertaking.
B. Right to Access
Data Subjects have the right to demand reasonable access to their personal information. It should be given in a clear and understandable format.
C. Right to Object, and Right to Correct or Rectify
Every Student, Parent and Guardian has the right to dispute the accuracy of their personal data and have the same rectified or corrected.
D. Right to Erasure or Blocking
These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. They may be exercised if there is substantial proof that the processing of Personal Data is unlawful.
E. Right to Data Portability
Where his or her Personal Data is processed by electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain from UP Diliman a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject.
F. Right to File a Complaint
The Data Subject has the right to complain when he or she sees that there is a violation of his or her rights as Data Subject, and for any injury suffered as a result of the processing of his or her Personal Data.
The Data Subject must write to the Director of the Office or Dean of the College and an internal investigation will proceed. Should the complaint remain unresolved, the complaint may be forwarded to the UP Diliman Data Protection Office addressed to the Data Protection Officer for further investigation and resolution. The result thereof may be forwarded to the Office of the Chancellor for information and reference.
G. Right to Damages
The Data Subject shall be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of his or her rights and freedoms as Data Subject.
The exercise of these rights shall be available to the Data Subject at any time they deem it necessary.
NOTES
- Republic Act No. 9500, otherwise known as The University of the Philippines Charter of 2008, Section 3.
- Republic Act No. 10173, Section 3(b).
- Batas Pambansa 232, otherwise known as the Education Act of 1982, Section 6.
- UP Diliman Information Security Policy, Memorandum Reference No. EBM 20-09, issued 9 June 2020.
- Revised UP Diliman Data Classification Policy, Memorandum Reference No. EBM 20-06, issued 11 May 2020.
- UP Diliman Records Management Policy, Memorandum Reference No. EBM 20-07, issued 26 May 2020.
- Ibid., Section 12.
- Implementing Rules and Regulations of the Data Privacy Act of 2012, Section 26(c)(3).
- Republic Act No. 9500.
- Ibid., Section 3, Purpose of the University.
- Data Protection Office Memorandum No. EBM 20-07, 26 May 2020.
- UP Diliman Privacy Manual, Chapter IV(A)(1), Memorandum Reference No. EBM 19-02, issued 11 November 2019.
- NPC Advisory Opinion No. 2017-03.
- UP Diliman Privacy Manual, Chapter IV(B)(3), Memorandum Reference No. EBM 19-02, issued 11 November 2019.
- UP Diliman Information Security Policy, Chapter VI, Memorandum Reference No. EBM 20-09, issued 9 June 2020.
- Data Privacy Security Incident Management Policy, Part IV, Section A, issued 25 March 2019.
- NPC Circular 16-01, Security of Personal Data in Government Agencies, Section 16.
- NPC Advisory Opinion No. 2018-068, Processing of Anonymized Personal Data by Electronic Medical Records Provider.
- Data Privacy Act of 2012, Section 11(c).
- Republic Act No. 10173, Section 12.
- UP Diliman Data Subject Rights and Responsibilities, Part I(E).
- Ibid., Part III(B).
- Implementing Rules and Regulations of the Data Privacy Act of 2012, Section 34(f).