Atty. Marcia Ruth Gabriela Fernandez, UP System Data Protection Officer (DPO), and the DPOs of the constituent universities have a complicated job: helping UP, an institution mandated under its Charter to teach, do research and generate and disseminate knowledge and provide public service, to navigate Republic Act No. 10173 or the Data Privacy Act (DPA) of 2012.
Fernandez notes that a common misconception of the DPA is that consent of the data subject is needed to process information all the time. The law lists several conditions or cases, aside from consent, where personal information can be processed. Personal information may be processed (i.e., collected, used, stored, etc.) when needed to comply with a legal obligation, to protect the vital interests of the data subject to life and health, to respond to national emergency, and to fulfill the functions of public authority. Sensitive personal information (i.e., confidential education records, age, civil status, health information) may be processed, for example, when allowed by law. Regulatory enactments provide for the following: to protect such information, and the consent of the data subject is not required for such processing; to protect the life and health of the data subject or another person when the data subject cannot physically or legally express consent, and when needed for medical treatment subject to conditions; and, to protect lawful rights and interests of natural and legal persons in the exercise or defense of legal claims and where these are provided to public authority.
“It is possible for UP to invoke, in applicable cases, our mandate under the Constitution and the UP Charter to exercise the right and responsibility of academic freedom as our lawful basis for processing personal and sensitive personal information,” Fernandez said. The DPA itself also provides for exemptions from the applicability of the DPA such as when the processing of information is necessary in order to carry out the functions of public authority and personal information processed for journalistic, artistic, literary or research purposes. Still, the law itself is complex, and the UP community needs to know how to traverse it.
UP researchers and the DPA
With the penalty of imprisonment as well as hefty fines for the punishment of various acts or omissions involved, the DPA can feel like a sword hanging over the heads of UP researchers, especially for those in the social sciences, who often use approaches that may or may not involve written, electronic or recorded consent. Fernandez herself, before her appointment as DPO, pointed out in position papers she submitted to the National Privacy Commission (NPC) in her personal capacity the dysfunctional unintended consequences of a too narrow interpretation of the DPA that requires written, electronic or recorded consent in all instances from research participants for the processing of sensitive personal information. This could be used by groups or agencies with ulterior motives to force researchers to divulge their research participants’ personal data under threat of jail time and/or other penalties.
“That’s why I said, such an interpretation of the DPA could have a chilling effect,” Fernandez said. “We have to go back to the spirit, the purpose behind the law. The law recognizes that while the State has the duty to protect the right to privacy of individuals, the State must also promote the free flow of information by upholding other Constitutional rights and freedoms.”
There are laws and issuances that UP researchers can invoke to lawfully process sensitive personal information under Section 13b of the DPA. These include the Philippine Statistical Act, the Philippine National Health Research System (PNHRS) Act, and the National Ethical Guidelines on Health and Health Related Research (NEGHHR). The NEGHHR, which was issued pursuant to the PNHRS Act, provides for instances when research ethics committees (RECs) or research ethics boards (REBs) may waive the requirement of informed consent, as in the case of archival research or naturalistic observation, or alter some of the requirements of informed consent, such as waiving the requirement of a signed consent form.
Noting that the Philippine Health Research Ethics Board, which was established pursuant to the PNHRS Act, allows for several REBs or RECs in one academic unit, Fernandez recommended that constituent universities that have yet to establish REBs or RECs consider the creation of RECs at the college level, considering the diverse range of disciplines throughout the UP System. “It is really our duty, as the national university and as a research institution, to uphold research ethics, which requires among others the protection of the privacy of research participants and the establishment of research ethics committees or boards.”
UP students and the DPA
The UP System has a privacy notice (https://www.up.edu.ph/index.php/university-of-the-philippines-up-privacy-notice-foi/) informing UP students on what personal and sensitive personal information will be collected from them, for what purpose, the legal basis for processing such information, as well as measures adopted by UP to safeguard the same. Students are asked to indicate on their Form-5s that they have read the notice, recognize the authority of UP to process such information, and give their consent.
The notice also informs students that UP will disclose their personal and sensitive personal information when required or allowed by applicable laws or with their consent. For example, the notice states that UP may disclose a student’s personal and sensitive personal information to their family or next of kin to promote the student’s best interests as required by law; when necessary to respond to an emergency, to uphold the student’s vitally important interests including her/his life and health or to prevent harm to her/him and/or others; or with the student’s consent. UP recognizes that there are cases where the student may be struggling with a serious condition or has become suicidal or his or her life is in jeopardy.
UP employees and the DPA
For UP employees, personal information not covered by the DPA under Section 4 include names, salary grades, and official job functions. UP processes employee information in order to make decisions regarding their respective appointments, promotions and other personnel actions, as well as to process their applications for grants, leaves, benefits and the like, pursuant to the UP Charter. UP is also duty-bound to process information of University personnel in order to comply with the requirements of other existing laws and regulations. For example, UP must process information pursuant to R.A. 6713, which requires the submission of Statements of Assets Liabilities and Net Worth (SALN), and comply with the GSIS, Philhealth, Pag-ibig, tax and other applicable laws and issuances.
UP alumni and the DPA
The UP System also has a privacy notice for UP alumni (https://alum.up.edu.ph/index.php/university-of-the-philippines-system-up-privacy-notice-for-alumni/), informing them that various UP offices and the UP Office of Alumni Relations (OAR) will be collecting their information and for what purpose. The UP Registrar’s Offices archive all student records in accordance with the National Archives of the Philippines Act of 2007, and provide relevant information to the OAR in order to enable UP to comply with its duty under the UP Charter to promote the participation of alumni. UP alumni may voluntarily update their records with the OAR through an alumni update form.
Fernandez also helped the UPAA draft their own consent form. The UPAA chapters and the UP alumni foundations can get in touch with the UPAA to get a copy of this consent form.
UP Webmail and the DPA
Fernandez urges all members of the UP community to use the Mail service (@up.edu.ph). “UP Mail is our official mail, and uses a two-step verification process to reduce the probability of accounts being hacked.” The goal is to have UP Mail serve as the sign-on system for the various online processing systems of UP to help prevent security incidents and personal data breaches.
“Aside from safeguarding their email communications, faculty, staff and students can get Microsoft Office 365 when they use their UP Webmail account,” she added with a smile (https://itdc.up.edu.ph/uis/microsoft-office-365-for-up).
The University’s duty to process personal and sensitive personal information in order to carry out its functions entails the responsibility of securing and protecting such information.
UP’s DPOs need the help and cooperation of all members of the UP community in order to uphold the right to data privacy.
Get your FREE copy of the UP Forum magazine now. Please send an email to [email protected] or visit the UP Media and Public Relations Office at Room 6B, Fonacier Hall, Magsaysay Avenue, UP Diliman, Quezon City.
You may access the digital copy here.