Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector. The DPA created the National Privacy Commission (NPC) which is tasked to monitor its implementation. It covers the processing of personal information and sensitive personal information and sets, as its basic premise, the grant of direct consent by a data subject before data processing of personal information be allowed.
The law requires all government and private entities or organizations processing personal data establish policies, and implement measures and procedures to ensure and guarantee the safety and security of personal data under their control or custody, thereby upholding an individual's data privacy rights. In addition, they are required to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel and data subjects of such measures, all agencies are expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfilment and realization of the rights of the data subjects.
The Bulacan State University (BulSU), in its commitment to uphold, respect and value data privacy rights hereby adopts this Data Privacy Manual in compliance with the DPA, its Implementing Rules and Regulations, and other relevant policies, including issuances of the NPC.
The university ensures that through this Manual all personal data collected from all its officials, personnel, higher education institutions, students and other data subject shall be processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. To guide the university and its data subjects in exercising their rights under the DPA, the Manual shall include data protection and security measures.
Consent of Data Subject - refers to any freely given, specific, informed indication of will, whereby the data subject agrees to collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by a written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so or by the parent/s or legal guardian of a minor or children below 18 years of age.
Data Subject - refers to an individual whose personal, sensitive personal or privileged information is processed by BulSU. It may refer to University officials and employees as well as faculty, staff and students of Bulacan State University.
Higher Education Institutions (HEIS) - means an educational institution, private or public, undertaking operations of higher education program/s with an organized group of students pursuing defined studies in higher education, receiving instructions from teachers, usually located in building or group of buildings in a particular site specifically intended for educational purposes.
Information and Communication Systems refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission, storage of electronic data, electronic message or electronic document.
Personal Information refers to any information such as but not limited to name, address, email address and mobile numbers whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing, of personal data, or instructs another to process personal data on his behalf.
Personal Information Processor refers to any natural of juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
"Processing" refers to any operation or any set of operations performed upon personal information including, but not limited to collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
This Privacy Manual applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines. This Manual does not apply the following:
Information about an individual who is or wad performing service under contract for a government institution that relates to the service performed, including the terms of the contract, and the name of the individual given in the course of the performance of those service;
Information relating to any discretionary benefit of a financial nature such as the granting of license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
Personal information processed for journalistic, artistic, and literary or research purposes;
Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposit Act; and Republic Act No. 6426, otherwise known as the foreign Currency Deposit Act; and Republic Act no, 9510, otherwise known as the Credit Information System Act (CISA);
Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended other known as the AntiĀ Money Laundering Act and other applicable laws; and
Personal information originally collected from residents of foreign jurisdiction in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
The act, practice or processing relates to personal information about a Philippine citizen or a resident;
General Data Privacy Principles. - The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must, be:The personal information controller must ensure implementation of personal information processing principles set out herein.
Criteria for Lawful Processing of Personal Information. - The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Sensitive Personal Information and Privileged Information. - The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
The processing concerns such personal information as is necessary for the protection of lawful rights and interest of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government of public authority.
Collection
The collection of both personal information and sensitive personal information is done by lawful means and for a lawful purpose and is directly related and necessary in the achievement of the university's vision and mission.
Personal information of data subject are obtained openly and straightforwardly without any hidden motive through the data subjects filling up of official forms. These forms are essential in the provision of service to clients such as scholarship and research grants, request for certification, authentication and verification, among others.
Similarly, personal data of the university officials and employees (including project and/or agency-based employees), applicants to vacant positions and Accredited Technical Panel Members, consultants and others are obtained through the requisite Personal Data Sheet (PDS) and by accomplishing forms essential in training and other developmental interventions.
Use
Personal data collected shall be used by the university solely for the purpose that it was gathered and for reportage and documentation purposes. In all this, the individual that is not deemed identified as data shall be presented in statistics form. The Board shall ensure no manipulation of personal data and that the same shall not be used against any individual.
Storage, Retention and Destruction
BulSU shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, altercation and disclosure as well as against any other unlawful processing. It shall implement appropriate security measures in storing collected personal information, depending on the nature of the information. The retention period of personal information gathered shall be as follows:
BulSU Officials and employees - ten (10) yearsAfter said period, all hard and soft copies of personal information shall be disposed and destroyed, through secured means.
Access
Access to personal data of officials and employees of CHED and applicants to vacancies shall be limited to the DPO or COP, Director of the Administrative Financial and Mangement Division, Chief of Human Resource and Development Division, its regional counterpart and other authorized employees. At no time should anyone be given access to the personal files of other employees. For personal information of data subjects, only the data subjects, the DPO and the authorized representative of the university shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
Disclosure and Sharing
All employees and personnel of the university shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the university shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
Subcontract of Personal Information A personal information controller may subcontract the processing of personal information: Provided, that the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposed, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with requirements of this Act and other applicable laws.
The university shall implement reasonable and appropriate physical, technical, and organizational measures for the protection of personal data. These security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
The Office of Planning, Research and Knowledge Management (OPKRM) shall first review and evaluate software applications before the deployment thereof in computers and devices of the BulSU Officials to ensure compatibility of security features with the data privacy policies.
On existing software applications, which involves processing of personal data of BulSU employees, the following shall be observed:
The end user, with the technical assistance of the OPKRM, shall evaluate and assess the security protocols of the system with regards to saving, backup and data recovery. If such protocol runs counter with the data privacy principles stated in the Data Privacy Act of 2012, remedial steps should made to correct such flaws.
The OPKRM, during its IT semestral maintenance activities, shall check software applications installed in all IT hardware and devices for compliance with the Board's data privacy policy. If a software/application is found to be a security risk that it may disturb or interrupt the normal operations of the BulSU network, the IT technical personnel shall notify the end user of the risk and the software/application shall immediately be uninstalled. The IT personnel shall thereafter prepare an incident report.
The Unit of the OPKRM shall make regular penetration testing of the firewall appliance from outside the BulSU premises and from within to conduct vulnerability assessment of the same.
Creation of a Data Breach Response Team
A Data Breach Response Team comprising of the DPO, the OPKRM Director, the Chief Administrative Officer and MIS personnel of the OPKRM, under the direct supervision of the Executive Director is responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
Measures to Prevent and Minimize Occurrence of Breach and Security Incidents
The Data Breach Response Team shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data shall attend trainings and seminars for capacity building. A periodic review of policies and procedures being implemented in the BulSU shall be undertaken.
Procedure for Recovery and Restoration of Personal Data
The BulSU shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
Notification Protocol
The Head of the Data Breach Response Team shall inform the Executive Director of the need to notify the National Privacy Commission (NPC) and the data subjects affected by the incident or breach within 72 hours from knowledge thereof.
Documentation and Reporting Procedure of Security Incidents or Personal Data Breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the Executive Director and the NPC within the prescribed period. The report shall contain the following:
Data sharing
The BulSU may share or transfer personal data under its control or custody to a third party through a data sharing agreement: Provided, that nothing in this Manual shall be construed as prohibiting or limiting the sharing or transfer of any personal data that is already authorized or required by law. This shall apply only to personal data under the control or custody of the BulSU that is being shared with or transferred to a third party, for the purposes of performing a public function, or providing of a public service:
Provided, that it shall also cover personal data under the control or custody of a private entity or of another agency that is being shared with or transferred to the BulSU; Provided further, that where the personal data is in the custody of a personal information processor, the sharing or transfer of personal data shall only be allowed if it is pursuant to the instructions of the personal information controller concerned. Data sharing agreements shall be in accordance with the Implementing Rules and Regulations of the Data Privacy Act of 2012, or other issuances of the National Privacy Commission.
Be notified and furnished with his or her information before entry into the processing system within 48 hours when such data shall be used for direct marketing, profiling, or historical or scientific purpose. Notification shall be made through an Office Memoranda and/or email.
View and recommend corrections to his or her data being processed. The data subject may also write or email BulSU at bulsu.edu ph with a brief discussion of the inquiry and/or correction/s together with his/her contact details for reference.
Complain and be indemnified for any damages sustained when the data subject's recommendations for corrections to his or her data was not acted upon which resulted in damages due to inaccurate, incomplete, outdated and false information, unlawfully obtained or unauthorized use of personal data. Complaints shall be filed in three printed copies, or sent to ___________. The department or division concerned shall confirm with the complainant its receipt of the complaint.
Violation of any provisions of this CMO shall be subject to appropriate actions pursuant Section 8 of RA 7722
This Manual takes effect fifteen (15) days after its publication in the Official Gazette or in a newspaper of general circulation.