A. Scope

The Staff perform a vital role in the fulfillment of the University’s mandate as the country’s national university.[1] In the course of the latter’s discharge of its mandate, it must protect the personal information of its Staff.

This Derivative Policy aims to outline and discuss how the University handles the processing of the Staff’s personal information in accordance with the Data Privacy Act of 2012.

B. Definition of Terms

For the purposes of this Policy, the following definitions shall apply: 

  1. Data Privacy Act (DPA) refers to Republic Act No. 10173 or the Data Privacy Act of 2012;
  2. Data Processing System refers to either computerized system or physical records which stores, processes or transmits personal information or sensitive personal information owned or managed by your UP Diliman unit or office;
  3. Data Subject refers to an individual whose personal information is processed.[2] For the purposes of this Policy, the term Data Subject shall refer to the Staff, REPS, and Contractuals;
  4. IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
  5. NPC refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012;
  6. Personal Data refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
  7. Privacy Risk refers to the potential loss of control over personal information when a threat exploits vulnerability;
  8. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data;
  9. Staff refers to the University’s Staff, including Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, and retired REPS and Administrative Staff; and
  10. Units and Offices refers to UP Diliman academic units and administrative offices.




A. Transparency

The University shall process the personal information of its staff only after ensuring that the latter are apprised of the identification of the office or unit collecting their personal data; and the nature, purpose, and extent of its processing.

B. Legitimate Purpose

The University shall process its data subjects’ personal information in accordance with its declared and specified purpose only. Furthermore, its processing must not be contrary to law, morals, public policy, and pertinent issuances of this University.

The University processes personal data on the following grounds, to wit:

  1. In the performance of its obligations, exercise its rights, and conduct its associated functions as a:
    1. Government instrumentality; and
    2. Higher education institution and the national university;
  2. For all purposes beneficial to the Staff as determined by the University;
  3. For purposes of assessing whether or not to provide or add assistance, housing, medical or other benefits for his person or family;
  4. For purposes of assessment for his/her promotion, transfer, granting of benefits, increase of emoluments, steps or rank;
  5. For each particular unit of UP Diliman, for the conduct of all acts reasonably foreseeable from and they customarily perform;
  6. Managing and administering its internal and external affairs as an academic and research institution, government instrumentality, and juridical entity having its own rights and interest.[3]

Corollary thereto, the University processes the collected personal data in accordance with the following laws, viz:

  1. The Data Privacy Act of 2012;
  2. The National Archives of the Philippines Act of 2007, including its Implementing Rules and Regulations, and other issuances;
  3. Republic Act 6713 Code of Conduct and Ethical Standards for Public Officials and Employees where employees in the government mustat all times be accountable to the people, serve them with utmost responsibility, integrity, loyalty and efficiency;
  4. The UP Diliman Privacy Manual;
  5. The UP Diliman Records Management Policy;[4]
  6. Policies, guidelines, and rules of the University of the Philippines System and UP Diliman;
  7. Executive Order No. 2, series of 2016 or the Freedom of Information and its related issuances; and
  8. Other laws or regulations in relation to, or which amend or repeal the foregoing.

C. Proportionality

The University shall constantly abide by the principle of data minimization wherein it shall only process personal data that are accurate, relevant, and necessary for the declared purpose(s).[5]

Furthermore, it will not process personal data if the purposes of the processing could be reasonably fulfilled by other means.





The processing should be done only with the staff’s knowledge and consent. However, the University should only collect personal information necessary for its stated purpose and collect it by fair and lawful means.

A. Collection of Personal Data

Collection of staff’s personal data may be done through various data-gathering forms such as but not limited to, written records (e.g., Personal Data Sheet), and photographic and video images.

Collected personal data may include any of the following:

  1. Personal details (e.g., name, date of birth, sex, civil status);
  2. Contact information (e.g., mobile number, email address, home address);
  3. Academic information (e.g., educational background, scholastic records);
  4. Employment information (e.g., Tax Identification Number (TIN), Philhealth ID Number, GSIS Membership, employee number);
  5. Applicant information (e.g., former employment history, affiliations);
  6. Medical information (e.g., physical examination, psychiatric evaluation, and drug test results); and
  7. Photographs or Videos (e.g., for the official documentation of University activities or events).

B. Use of Personal Data

The use of the staff’s personal data shall, at all times, be in line with the University’s mandate.[6] More particularly, the use of personal data may be any of the following:

  1. Academic, research, extra-curricular, student welfare and disciplinary purposes; [7]
  2. Administrative disciplinary purposes;
  3. Supervision of academic and research endeavors; [8]
  4. Management of human resources and supervision of work conduct; [9]
  5. Employee application processing and identity verification purposes;
  6. Documentation and record keeping purposes; [10]
  7. Customer, client, patent, or community service purposes; [11]
  8. Contractual and financial purposes; [12]
  9. Corporate governance and housekeeping; [13]
  10. Regulatory and audit purposes[14]
  11. Performance evaluation;
  12. Documentation of the Universities’ official activities and events;
  13. Recognition and awards;
  14. Identification of the necessity and legality of the purposes before or at the time the personal information is collected, used and disclosed; and
  15. Other similar purposes.

C. Storage, Retention, Disposal, and Destruction of Personal Data 

The University shall ensure that all the personal data it collects and uses are stored in secured storage facilities in order to avoid any unauthorized access or use to the same. Moreover, it shall employ the necessary physical, organizational, and technical security measures to ensure that the stored personal data shall remain confidential, available, and unaltered.

It shall retain the staff’s personal data only for as long as necessary and required by the pertinent laws, rules, and regulations such as the National Archives’ Circulars and the UP Diliman Records Management Policy.

Personal data shall be disposed of and destroyed in such a way that no part of the data will be exposed and its reconstitution rendered impossible.

D. Access

The University shall ensure that only the authorized personnel shall have access to the personal data of its staff. Moreover, their access to the same shall be strictly limited to the fulfillment of their respective duties in relation to the personal data involved. The access to personal data shall likewise be in line with the UP Diliman Data Classification Policy.[15]

E. Disclosure 

The University may send text messages or email the staff for work, operations, health, emergency, and community matters. A resort to online meetings may also be used to relay and discuss work-related concerns. These may apply to situations of work-from-home-arrangement.

The arrangement presupposes that the staff and personnel consented UPD to gather their contact information for purposes of contacting them as a continuing requirement to complete work assignments. Adherence to the University’s data privacy, security, and confidentiality policies are necessary in using the text messaging platform which also applies to emails.

Only the authorized University personnel may disclose or transfer personal data within the University as well as to external entities. Provided, however, that the same remains to be in line with the cardinal principles of data privacy.





Generally, a data subject’s consent is a prerequisite to the lawful processing of their personal data. However, the same is not absolute, as under the following conditions, the University may process a staff’s personal data without the latter’s consent:[16] 

  1. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
  2. The processing is necessary for compliance with a legal obligation to which the personal information controller (in this case, University of the Philippines Diliman) is subject;
  3. The processing is necessary to protect vitally important interests of the data subject, including life and health;
  4. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
  5. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.





A. Organizational Security Measures

The University shall continuously develop and apply the appropriate organizational security measures such as, but not limited to the following, in order to ensure the confidentiality, integrity, and availability of its staff’s personal data: 

  1. UP Diliman Privacy Manual;
  2. UP Diliman Data Classification Policy;[17]
  3. Remote Work Privacy Guidelines;[18]
  4. Data Protection in the Work Processes;[19]
  5. UP Diliman Message and Communications Policy;[20]
  6. UP Diliman Email Policy;[21]
  7. Other pertinent University issuances

B. Physical Security Measures 

The University shall ensure that the physical storage of its staff’s personal data is always secured. Moreover, access to these storage facilities shall be limited only to authorized personnel.

Furthermore, the University shall ensure that in the course of processing staff’s personal data, the physical security measures prescribed by the UP Diliman Privacy Manual are observed.[22]

C. Technical Security Measures 

The University shall apply the appropriate technical security measures to ensure that its staff’s personal data remain confidential, available, and unaltered at all times. It shall adopt the necessary provisions on the Technical Security Measures[23] in the UP Diliman Data Privacy Manual and the National Privacy Commission’s Circular on the Security of Personal Data in Government Agencies.[24]




A. Right to be Informed

Every staff has the right to be informed of the purpose of the collection, use, disclosure, and other operations involving the processing of their personal data. This includes how the data will be processed, and the offices or units that will process or handle the same.

B. Right to Access 

Every staff has the right, subject to pertinent laws and University rules and regulations, to the reasonable access to their personal data processed by the University.

C. Right to Object, and Right to Correct or Rectify 

Every staff has the right to dispute the accuracy in their personal data and have the same rectified or corrected.

D. Right to Erasure or Blocking

These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. It may be exercised if there is a substantial proof that the processing of Personal Data is unlawful.[25]

E. Right to Data Portability 

Every staff has the right, subject to pertinent laws and University rules and regulations to request for a copy of their personal data in a format that is commonly used and allows further use.

F. Right to File a Complaint and Right to Damages

Every staff has the right to file a complaint in the event that their personal information has been misused, maliciously or improperly disclosed, or any of the aforementioned rights have been violated. Moreover, they have the right to be indemnified for any damage they have suffered by reason of the said violation(s).


[1] Section 2, Republic Act No. 9500 provides:

SEC. 2. Declaration of Policy. – The University of the Philippines is hereby declared as the national university.

[2] Sec. 3(b), Republic Act No. 10173

[3] University of the Philippines Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019

[4] Data Protection Office Memorandum No. EBM 20-07, 26 May 2020

[5] Art. 5(1)(c), General Data Protection Regulation (GDPR)

[6] UP Diliman Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019

[7] Ibid

[8] Ibid

[9] Ibid

[10] Ibid

[11] Ibid

[12] Ibid

[13] Ibid

[14] Ibid

[15] Data Protection Office Memorandum No. EBM 20-06, 11 May 2020

[16] Sec. 12, R.A. No. 10173

[17] Data Protection Office Memorandum No. EBM 20-06, 11 May 2020

[18] Data Protection Office Memorandum No. EBM 20-04, 20 March 2020

[19] Office of the Chancellor Memorandum No. MLT 19-112, 25 March 2019

[20] Office of the Chancellor Memorandum No. MLT 18-135

[21] Data Protection Office Memorandum No. 20-05, 05 May 2020

[22] UP Diliman Privacy Manual, Data Protection Team Memorandum No. EBM 19-02, 11 November 2019

[23] Ibid

[24] National Privacy Commission Circular No. 16-01, 10 October 2016

[25] UP Diliman Data Subject Rights and Responsibilities, Part I (E).

error: Content is protected !!