UNIVERSITY OF THE PHILIPPINES DILIMAN
Roles and Responsibilities of the Data Protection Officer
The UP Diliman Data Protection Officer (DPO) shall protect the privacy of personal information to, in, and from University of the Philippines Diliman in the following roles:
1. Complying with data privacy laws and regulations. This includes implementing data protection measures, submitting regulatory requirements, and managing privacy incidents.
2. Providing units of UP Diliman support services. This includes formulating policies, training people, and conducting audits with remediation solutions.
3. Preventing legal, financial, and operational risks. This includes improving current and future forms, contracts, processes, and I.T. systems to secure against leakage of information.
4. Developing in UP Diliman a culture of respect for privacy. This includes formulating policies and establishing practices at par with domestic and international standards.
The UP Diliman DPO shall have jurisdiction and authority on all matters related to data privacy and protection concerning UP Diliman and has the following responsibilities:
I. Regulatory Compliance
a. Discharge legal obligations
i. Observe the requirements of privacy laws, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations
ii. Comply with orders and issuances of the National Privacy Commission (NPC) and other relevant regulatory agencies
b. Submit reportorial requirements to the NPC
i. Breach Notification (within 72 hours of a data breach)
ii. Annual Incident Report (for each calendar year)
iii. Register data processing systems (used or controlled by UP Diliman)
iv. Register Compliance Officers for Privacy (including personnel movement)
v. Report completion of Data Breach Drill (periodically conducted)
c. Investigate security incidents and data breaches
i. Identify transgressions and people involved
ii. Remedy threats and breaches
d. Ensure formal and substantial compliance with regulatory requirements of current and future documents of UP Diliman
i. Revise forms to properly obtain the consent of data subjects
ii. Amend contracts to obligate counterparties to observe confidentiality
iii. Rework process manuals to include (or remove) steps to protect privacy
e. Assess current and future processes performed by administrative and academic units to identify violations of laws and regulations
i. Prohibit collection of excessive or unnecessary information
ii. Identify and address vulnerabilities to security attacks and data leakages
iii. Minimize UP Diliman's legal, financial, and reputational risks in processing and transmitting personal information
II. Support Services
a. Guide and assist units to maintain privacy in their functions and projects
b. Supervise and exercise jurisdiction, authority and oversight over all acts, initiatives, processes and projects relating to the data privacy, data protection and information security of UP Diliman and its units
c. Liaise with government regulators and external parties
d. Audit flow of information to, within, and out of UP Diliman
i. Inspect physical and electronic data storage and information processing systems to ensure adherence to NPC standards
ii. Carry out requested studies on privacy risks and vulnerability assessments
iii. Maintain inventory of types of data collected and stored by each unit of UP Diliman
e. Educate stakeholders and community
i. Train key officials and compliance officers
ii. Develop online and printed training modules in handling personal information for use of faculty and staff
iii. Partner with administrative and academic units in drafting their respective policies and manuals
iv. Launch privacy awareness campaigns
v. Update the community on the latest security threats and countermeasures
III. Enforcement of Rules and Institution of Best Practices
a. Promulgate policies, rules, and guidelines related to data privacy, information security, data governance, and related frameworks
b. Institute privacy safeguards and best practices
c. Render opinions upon request and issue advisories
d. Notify erring parties of deficiencies and report them to concerned university officials
e. Adjudicate cases of unauthorized disclosure of or access to personal information
IV. Infrastructure Development
a. Assist in developing secure I.T. systems, networks, and flow of information
b. Work with units to remediate security gaps and inadequacies
c. Make recommendations to the Office of the Chancellor on infrastructure projects and partnerships
V. Autonomy and Independence
The UP Diliman DPO reports directly and exclusively to the UP Diliman Chancellor. In the fulfillment of its roles and responsibilities, the UP Diliman DPO may collaborate with or seek assistance from UP Diliman units and offices. As an autonomous constituent university, UP Diliman and its DPO shall exercise the autonomy and independence mandated by NPC Advisory No. 2017-01. The UP Diliman DPO may coordinate with data protection officers of other Constituent Universities (CU) for inter-CU endeavors.