Who are covered by this Policy?
This Policy refers to students, parents, guardians, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons with a juridical link with UP Diliman (“UP People”) whose personal information, sensitive personal information or privileged information (“Personal Data”) are processed by UP Diliman.
Why are Personal Data processed?
UP Diliman processes Personal Data to –
- Perform its obligations, exercise its rights, and conduct its associated functions as:
- an instrumentality of the government;
- a higher education institution.
- Pursue its purposes and mandates:
- under Act No. 1870 as “a university for the Philippine Islands”;
- under Republic Act 9500 as “the national university”.
- For each particular unit of UP Diliman, conduct all acts reasonably foreseeable from and customarily performed by similar bodies;
- Decide and act for the holistic welfare of its students, their parents and guardians, faculty, staff, researchers, alumni, and UP Diliman community; and
- Manage and administer its internal and external affairs as an academic institution, as an instrumentality of the government, and as a juridical entity with its own rights and interests.
What Personal Data are processed?
UP Diliman processes Personal Data including but not limited to:
- Personal details such as name, birth, gender, civil status and affiliations;
- Contact information such as address, email, mobile and telephone numbers;
- Academic information such as grades, course and academic standing;
- Employment information such as government-issued numbers, position and
- Applicant information such as academic background and previous employments;
- Medical information such as physical, psychiatric and psychological information.
UP Diliman processes other Personal Data necessary for the following purposes (the “Purposes”):
- Purposes applicable to all classes of UP People
- Purposes necessary for UP Diliman to perform its obligations, exercise its rights, and conduct its associated functions as an instrumentality of the government and as a higher education institution;
- Purposes to pursue UP Diliman’s mandates under existing laws and regulations;
- Purposes to perform acts and decisions necessary for UP Diliman to manage and administer its internal and external affairs as a juridical entity with its own rights and interests;
- Compliance with legal, regulatory, administrative or judicial requirements including audit, reporting and transparency requirements;
- Records and account purposes such as:
- Creation and update of record entries and accounts;
- Creation and maintenance of student, faculty or staff records and accounts, electronic or otherwise;
- Security and community affairs purposes
- Maintenance of safety, security, peace and order in and around UP Diliman campuses as well as venues in which UP Diliman has a presence or activities;
- Prevention of crimes and damages to persons or property within or outside the premises of UP Diliman.
- Students, parents and guardians
- Academic purposes such as:
- Processing of raw or final grades, including evaluation and use of grades to make and act on decisions about students;
- Formulation, study of, and implementation of UP Diliman’s policies, guidelines, procedures, processes, rules and regulations;
- Extra-curricular purposes such as:
- Regulation of student organizations and bodies;
- Collaborations with public and private agencies and institutions;
- Medical purposes such as:
- Rendering of medical, dental, psychiatric and psychological aid, whether in emergency situations or otherwise;
- Keeping of health records and medical histories to understand patient context and tendencies;
- Student assistance purposes such as:
- Provision of legal, scholarship, financial, athletic and dormitory assistance;
- Provision of tutorial, mentorship or internship assistance;
- Student disciplinary purposes such as:
- Conducting investigations, hearing of cases or evaluating matters related to UP Diliman policies, guidelines and rules;
- Implementation of laws or orders of government authorities.
- Faculty, including visiting faculty
- Administration, management and supervision of faculty as UP Diliman employees (see Purposes for Staff);
- Administration, management and supervision of faculty in academic and nonacademic functions such as:
- Assignment of teaching load and functions, evaluation of performance, and promotion or transfer;
- Research, ethics and intellectual property matters.
- Staff, including Research, Extension and Professional Staff (REPS), UP contractual, Non-UP contractual personnel and retirees
- Administration of human resources such as:
- Processing and provision of employee rights;
- Provision of compensation and benefits;
- Management and supervision of employees and work conduct such as:
- Employee administration, assignment, work supervision, evaluation, promotion, discipline, and transfer;
- Preservation of labor relations and industrial peace.
- Applicant students, faculty and staff
- Application purposes such as:
- Processing of application and application requirements;
- Evaluation of eligibility to enroll, teach or work in the University of the Philippines;
- Verification purposes such as:
- Determination of veracity of claims;
- Background investigation relevant to the position applied for.
- Researchers and research subjects
- The Data Privacy Act is not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose.
- As such, this Policy’s Section VI on “What are the rights of UP People?” is not applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject. However, this inapplicability shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.
- The Data Privacy Act and its Implementing Rules and Regulations shall not apply to specified information, only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or activity concerned when personal information will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards adopted by UP Diliman.
- Patients, clients and customers
- Processing of medical, physical, psychiatric and psychological information of patients is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured;
- Processing of Personal Data of clients and customers compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy wherein there is transparency in obtaining consent and proportionality in processing data.
- Alumni, donors and donees
- Alumni linkage purposes such as:
- Upkeep of alumni database for alumni linkage and job placement;
- Knowing career paths and performance of alumni.
- Donation processing such as:
- Legal requirements such as filing of tax returns and anti-money laundering requirements;
- Recording sources and uses of donations for transparency in the University’s funds.
- Contract counterparties, partners, subcontractors, outsourcees, licensors, licensees, lessors, lessees, vendors, purchasers and customers
- Timely realization of UP Diliman’s legitimate rights, interests, obligations and responsibilities in law, contract, equity or public policy;
- Compliance with the spirit and intent of UP Diliman in engaging the counterparty involved.
- Other persons with a juridical link with UP Diliman
- Any of the purposes above as applicable to the circumstances;
- For each particular UP Diliman unit, the purposes used by analogous bodies performing similar functions.
How does UP Diliman process Personal Data and how long are Personal Data retained?
- UP Diliman processes and retains Personal Data as necessary for the Purposes in accordance with:
- The Data Privacy Act of 2012, its Implementing Rules, and relevant issuances of the National Privacy Commission;
- The National Archives of the Philippines Act of 2007, its Implementing Rules, and relevant issuances of the National Archives of the Philippines;
- Policies, guidelines, and rules of the UP System and UP Diliman;
- Research guidelines and ethical codes of conduct adopted by the University of the Philippines Diliman; and
- Executive Order No. 2, series of 2016 on Freedom of Information and subsequent related executive orders.
- In the absence of an applicable rule of retention, Personal Data shall be retained by a UP Diliman unit in accordance with the practices of government bodies with analogous functions.
Where are Personal Data stored and how are these transmitted?
Personal Data are stored in physical and electronic “Data Processing Systems” of UP Diliman as defined under National Privacy Commission Circular No. 17-01. Personal Data are transmitted in accordance with Chapter III of the Data Privacy Act of 2012 and Rule V of its Implementing Rules and Regulations.
What are the rights of UP People?
Under the UP Diliman Data Subject Rights and Responsibilities, UP People have the following rights:
- Right to be informed;
- Right to object subject to UP Diliman’s possible consequent failure to conduct academic, administrative and other functions or services;
- Right to access;
- Right to rectification;
- Right to erasure or blocking of Personal Data which are not part of UP Diliman’s public records as an instrumentality of the government or as the national university; and
- Right to damages which is subordinate to the non-liability of UP Diliman arising from the incidental damages due to UP Diliman’s pursuance of its mandates or compliance with its legal obligations.
What are the responsibilities of UP People?
Under the UP Diliman Data Subject Rights and Responsibilities, UP People have the following responsibilities:
- Respect the data privacy rights of others;
- Report any suspected Security Incident or Personal Data Breach to UP Diliman through the contact information in this Policy’s Section on “The UP Diliman Data Protection Officer”;
- Provide the University of the Philippines (“UP”) true and accurate Personal Data and other information. Before submitting Personal Data of other people to UP, obtain the consent of such people;
- Not disclose to any unauthorized party any non-public confidential, sensitive or personal information obtained or learned in confidence from UP; and
- Abide by the policies, guidelines and rules of the UP System and UP Diliman on data privacy, information security, records management, research and ethical conduct. From time to time, check for and comply with updates on these policies, guidelines and rules. UP Diliman’s policies on data privacy are at https://upd.edu.ph/privacy/. For students, the UP System’s UP Privacy Notice for Students is at https://upd.edu.ph/privacy/studentnotice/
Effectivity of this Policy
The UP Diliman Data Protection Officer may promulgate policies, guidelines and rules which are not inconsistent with this Policy.
If any law or regulation cited in this Policy is amended or superseded, then it shall be considered that this Policy is referring to such amending or superseding law or regulation, without prejudice to a person’s right against retroactive effect of laws.
If any part of this Policy is declared null and void, then the other unaffected parts shall remain in full force and effect.
Definition of terms
“Personal Data” refers to all types of personal information, sensitive personal information and privileged information under the Data Privacy Act of 2012 and its Implementing Rules
“Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
“Sensitive Personal Information” refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
“Privileged information” refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
“Processing” in any of its verb tense refers to the collecting, recording, organizing, storing, retaining, using, analyzing, copying, transmitting, porting, sharing, exhibiting, deleting, or destroying of Personal Data regarding UP People.
“Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.
“Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
- An availability breach resulting from loss, accidental or unlawful destruction of personal data;
- An integrity breach resulting from alteration of personal data; and/or
- A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
“Purposes” are the purposes of UP Diliman in processing Personal Data of UP People outlined in this Policy’s Section II on “What Personal Data are processed?”
“UP People” refers to students, parents, guardians, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, Non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons with a juridical link with UP Diliman.
“University of the Philippines Diliman” means the Diliman Constituent University of the University of the Philippines (“UP”), a university system entity established by Act No. 1870 and strengthened by Republic Act No. 9500. As UP is a single juridical entity and instrumentality of the government, all transmission and flow of information within the UP System, its constituent universities, and their respective units are neither sharing nor disclosure of information to third parties.
Any new or revised definition of any of the above terms under relevant laws shall accordingly supersede the definitions herein.
The UP Diliman Data Protection Officer
The UP Diliman Data Protection Officer, reporting to the UP Diliman Chancellor, is tasked to protect the privacy of personal information to, in, and from UP Diliman with the following functions:
- Comply with data privacy laws and regulations including implementing data protection measures, submitting regulatory requirements, and managing privacy incidents.
- Provide units of the University support services including formulating policies, training people, and conducting audits with remediation solutions.
- Prevent legal, financial, and operational risks by improving current and future forms, contracts, processes, and I.T. systems to secure against leakage of information.
- Develop in the University a culture of respect for privacy by formulating policies and establishing practices at par with domestic and international standards.
The UP Diliman Data Privacy Portal is at https://upd.edu.ph/privacy/
For data protection concerns or to report privacy incidents, please contact the UP Diliman Data Protection Officer through any of the following channels:
UP Diliman Data Protection Team
L/GF, Phivolcs Bldg.
C.P. Garcia Avenue
Diliman, Quezon City 1101
981-8500 local 2621
A copy of this Policy is at https://upd.edu.ph/privacy/policies/dilimanprivacy
Copies of other data privacy policies of UP Diliman are at https://upd.edu.ph/privacy/policies/