Source: pexels.com.
The UP Forum
April-June 2019
CONTENTS
Privacy Matters
Protect and Leverage UP’s Research Outputs
Be Cautious, Not Careless
UP and the Ins-and-Outs of the Data Privacy Act: Interview with DPO Atty. Gaby Fernandez
More Information on the Data Privacy Act
UP Forum Roundtable Discussion
Let’s Get Ethical
Safeguarding Our Institutional Heritage
Coming Soon from UPOU: DPO Certification Course
What is UP Mail?
Editor in Chief: Elena E. Pernia
Art Director: Frances Fatima M. Cabana
Managing Editor: Celeste Ann L. Castillo
Copy Editor: Flora B. Cabangis
Writers/Researchers: Celeste Ann L. Castillo, Frederick E. Dabu, Andre dP. Encarnacion, Jo Florendo B. Lontoc, Arlyn VCD Palisoc Romualdo, J. Mikhail G. Solitario
Layout Artist: Peter Paul D. Vallejos
Photographers: Abraham Q. Arboleda, Misael A. Bacani, Jonathan M. Madrid
Databank Manager: Nena R. Barcebal
Forum Online Website Administrator: J. Mikhail G. Solitario
Administrative Staff: Alicia B. Abear, Michael R. Basco, Roberto G. Eugenio, Tomas M. Maglaya, Cristy M. Salvador
UP Media and Public Relations Office, University of the Philippines System, UP Diliman, Quezon City. Trunkline (632) 981-8500 local 2550, 2552, 2549. E-mail: upforum@up.edu.ph. Website: up.edu.ph
Cover design by Timi Cabana and Peter Vallejos, UP MPRO. Back cover photo by Peter Vallejos, UP MPRO.
Privacy Matters
J. Mikhail G. Solitario
While the right to privacy and invasion of privacy have been the topics of national conversations involving data leaks from celebrities or politicians, the idea of privacy itself remains abstract among many. In fact, words like “private”
or “privatization” have loose Filipino translations, and there seems to be no exact term for “privacy” in our native language. Instead, we have vague impressions of privacy or its absence as we deal with the loss of personal space in cramped jeepneys, with gossiping neighbors or when oversharing in social media.
NPC Deputy Commissioner Dino Aguirre delivers the closing remarks at the Privacy Awareness Week 2019. Photo by Lauro Montellano, Jr. of the National Privacy Commission.
The Act and its Commission
In fact, when asked whether privacy has attained the status of being a household term, Deputy Commissioner Dino Aguirre of the National Privacy Commission says that appreciation of the concept of privacy is still largely limited to the academe, or those of a particular educational background or exposure. From his experience in interfacing with various stakeholders, Aguirre observes that the level of public awareness still needs a lot of work, which can be attributed mainly to culture. Even jurisprudence (e.g., Vivares v. St. Theresa’s College, GR No. 202666) has constantly confused types of privacy, often switching decisional privacy (i.e., the right to keep behavior on sensitive issues private, such as sexual preference, political activities, and religious practices) with locational or situational privacy (i.e., the right to move in spaces without being identified, tracked, or monitored) and informational privacy.
The work of the National Privacy Commission as the country’s privacy watchdog deals primarily with informational privacy, i.e., the right to secure personal data and information from individuals or organizations that are not authorized to access, handle, or distribute such information. The Commission’s central mandate is to implement and ensure compliance with the Data Privacy Act of 2012 (Republic Act 10173). This important legislation aims to protect individuals by regulating the handling of data, and guarantees that the Philippines meets international standards on data protection.
Since the Data Privacy Act (DPA) was enacted into law with its corresponding implementing rules and regulations (IRR), the common notion of privacy being traditionally tied to location (private or public spaces) has evolved to become one of the fundamental human rights of the individual. Privacy now revolves around the individual’s level of control over his or her personal data or information.
However, one of the more common misconceptions of the coverage of the DPA needs to be dispelled: it does not only apply to digital or online data, as it applies to data on paper as well. Compliance does not merely depend on investing in the latest technology for data security. Compliance actually takes into account the installation of proper policies, procedures, and processes in handling data. In relation to the coverage of the law, Aguirre emphasized, “It would help tremendously if we would be able to properly characterize the scope of the DPA to be limited to personal information.” Personal information pertains to any data that could directly or indirectly identify a person.
This year, the Commission saw a significant increase in the complaints that it received compared to last year, with complaints for the first half of 2019 surpassing the 2018 aggregate total. A huge number of complaints were classified as informal and were never followed up. To address this issue, the Commission employed an institutional approach by coming up with resource materials that make compliance easier for private companies, government agencies, and organizations so that they understand what the law requires. Sectoral associations were also tapped to gather issues that are unique to each sector. Before 2018 ended, a campaign focusing on data subjects was launched to emphasize the rights of individuals.
Data privacy in the academe
In an academic setting, there was an initial perception that data privacy and the freedom of information (FOI) would give rise to potential conflicts. “I don’t see them as two opposing concepts. People have to understand the policy behind them, which is open government,” says Aguirre. However, he also recognizes that an inaccurate understanding of the DPA could hamper efforts in implementing the FOI policy of the government, which is enshrined in Executive Order No. 2 of 2016. The DPA lists personal information classified as sensitive and lays down obvious exceptions, such as information on salaries and positions of government officials, which are vital to public interest. One key feature of the DPA is that it focuses only on personal information, which means that documents that do not bear such information, such as government contracts, are not protected by the DPA. The Commission is constantly working with the Presidential Communications Operations Office, which is tasked with implementing the FOI policy of the administration, to clarify issues arising from the implementation of these two principles.
One of the more typical requests that the University receives involves the validation of educational records of its alumni by third parties for various reasons, ranging from employment to public office. The DPA lists educational records as sensitive personal information, along with race, ethnic origin, marital status, age, religious or political affiliation, as well as health records, genetic or sexual life, and social security numbers.
This means that as a general rule, the University cannot disclose information to persons other than the data subject, unless he or she gives consent, or if the disclosure meets journalistic, artistic, literary, or research exceptions. Under the DPA, there are other criteria for lawful processing of sensitive personal information, which include fulfilment of a contract, legal obligation, vitally important interests such as life and health, public order and safety, and other legitimate interests that do not go against fundamental rights and freedoms guaranteed by the Philippine Constitution.
Another issue that touches on data privacy is the release of personal information, such as names, degree programs, and respective campuses of successful qualifiers in the UP College Admissions Test (UPCAT). When the Office of Admissions posted the full list of thousands of successful qualifiers, some camps raised concerns about a possible breach of data privacy. Aguirre does not agree that releasing the results en masse is a privacy violation per se, and posits that to a certain extent, a legitimate public interest to inform the successful qualifiers and their families overrides individual apprehension. “UP is a public institution supported by public funds, and a certain level of transparency is expected of the University,” he says. Prospective students can expect that their submitted UPCAT applications may be further processed, including being published, as they are made aware of the manner by which the University has published the results. However, UP must re-examine this method in light of student organizations using the list of passers to create groups in social media platforms to promote their organization and recruit new members.
For the University and other academic institutions, Aguirre stresses the importance of paying special attention to concerns of particular members of its community, such as minors in the UP Integrated School, the UP Rural High School, the UP High Schools in Cebu and Iloilo, and other similar segments of the University System where students availing of scholarship agreements may become vulnerable to potential data privacy issues. Protocols must also be put in place for sensitive situations; for example, confidential disclosures made by students to their guidance counselors may expose them to possible health and safety risks.
“UP has to understand what sets it apart from all other firms and organizations. The prescriptions in the law apply to all data controllers and processors. UP must come up with this distinction to truly appreciate the uniqueness of the situation of academic institutions,” Aguirre concludes. He believes that these nuances will necessitate various approaches for UP to comply with the DPA.
The Commission’s website (privacy.gov.ph) characterizes a “digital evolution” where the “need for data is inevitable.” It also underlines the import of safeguarding the rights of data subjects while “ensuring the free flow of information, growth, and national development,” a context and environment where UP plays a critical role as the national and premier state university.
Participants listen to a lecture during Privacy Awareness Week 2019. Source: https://paw2019.privacy.gov.ph/#paw2018Section.
Protect and Leverage UP’s Research Outputs
Frederick E. Dabu
The University of the Philippines (UP) faculty, researchers, students, staff, and visiting professors who are engaged in research and/or creative works using University resources are expected to protect and leverage their outputs for the benefit of the Filipino people. This sums up the role of Intellectual Property (IP) creators, the Technology Transfer and Business Development Office (TTBDO), and related offices and committees of the University. Securing IP was among the key topics discussed at the 21st anniversary conference of the National Institutes of Health (NIH)-University of the Philippines Manila (UP Manila) on February 28 at the Bayanihan Center, UNILAB Inc. Complex, Pasig City.
In the panel discussion on securing IP, resource speakers Patricia San Jose, a technology transfer officer of TTBDO UP Manila, and Jerry G. Ligaya, director of the Technology Licensing Office of the Technological University of the Philippines (TUP), advised the researchers to always protect their IP rights first before disseminating information about their outputs. This is in consideration of the researchers’ aim of contributing useful information and innovative outputs through publications and presentations in forums here and abroad.
San Jose and Ligaya encouraged members of the academe who are involved in the process of creating new knowledge, technologies, products, or IP, to apply international protocols (e.g., copyright, patent, and trademark), national policies (e.g., Republic Act No. 10055 or the Philippine Technology Transfer Act of 2009) and University policies in order to secure their IP to make them more useful to the public.
An overview
According to San Jose, “creations of the mind must be expressed” in tangible form before any type of IP protection or a right could be associated with it, either through a patent, trademark, copyright, industrial design, or other types of protection for IP. “It is part of the TTBDO service to identify what form of IP protection is suited to your research data sets,” she said. San Jose provided an overview of the process. “We search for IP in our university. We do an IP audit. Most of the time, the researchers just go to our office” to disclose a new invention or a research output, she said.
“After we discover what the IP is, we recommend that we protect your IP.... We also have to determine what mode of technology transfer is best suited for your technologies. Technology transfer is a way to further develop a technology, and to commercialize, if it’s the track that you want to pursue,” explained San Jose. “IP protection will enable us to do more things. IP is not the only thing we have to discuss when we are talking about translating health research or other forms of research data sets into actionable policies and transferable technologies. I highly encourage everyone to approach the TTBDO,” concluded San Jose.
The TTBDO offers services such as: Intellectual Property Consultation, Patent Search/Prior Art Search, Patent Drafting, Market Study, Technology Assessment, Intellectual Property Registration, Commercial Linkages/Industry Partnerships, and Innovation Deployment (see https://www.upm.edu.ph/node/2230).
Practical tips
Ligaya further shared practical IP protection tips. “First, do not be a gossiper,” he said. This advice stems from the eagerness of various researchers to present their outputs in international conferences or to submit them to selected publications. “Most of them are destroying the novelty of their research,” lamented Ligaya. “You really have to prioritize what to do with your research. Your research should be subjected to patent searching or application, if it is really patentable. If you publish it first, then you have to rush on to file for patent,” he added. “Do not disclose your research, or the methodologies of your research. Do not uncloak it yet.”
Ligaya emphasized that if the research is not sufficiently protected by the University, “don’t publish yet.” He lamented that long ago, his university had this particular research, an invention made by electrical engineering students that led to the production of the present-day prepaid electricity meter. Unfortunately, the said invention is now owned by a big corporation instead of the University due to its public disclosure and absence of IP protection. “We should protect our researches, our R&D,” he said.
“If one has an invention but doesn’t know what to do with it, he or she should seek the assistance of the technology transfer officer for the protection and commercialization of his or her invention for the use of the public,” Ligaya said. “Consult with the technology transfer officer. License. Commercialize. Enter into an agreement and profit from it. You have to protect first before you profit.” While “commercialization” means generating income, “as a state university, we should not be focusing on how the university will earn from the commercialization. The researches should be utilized by the poor communities of the country,” concluded Ligaya.
For more information, visit the UP TTBDO website: ttbdo.up.edu.ph
Participants from UP Manila showcase their “Virtual Reality for Health” devices during SYNERGY 2017, an event hosted by the USAID Science, Technology, Research, and Innovation for Development (STRIDE) Program, RTI International, and the Intellectual Property Office of the Philippines (IPOPHIL) at the Manila Hotel on September 19 to 21, 2017. Photo from UP Manila Technology Transfer and Business Development Office.
Be Cautious, Not Careless
Arlyn VCD Palisoc Romualdo
There’s no denying that we live in a digital world. Some of us check our emails or social media accounts upon getting up in the morning. We upload pictures and videos of where we are, what we are doing, or who we are with. The truth is, however, when it comes to personal information, sharing is not always such a good thing.
The National Privacy Commission has some useful tips in protecting our data online, but there are still things we do off the internet that can potentially compromise our information. Here are some of the other ways you can protect your personal data, offline and online:
1. A chance to get freebies or discounts is something most of us cannot resist. See those little fishbowls or trays in restaurants asking for your business card so you can get treats? Think twice before dropping in your card. Remember, if it was not hard for you to put your business card in there, then it would be just as easy for someone else to get it.
2. It seems the need for photocopying services will not be going away just yet. Do not leave your documents on the scanner, and do not forget to retrieve them if you had someone copy the documents for you. Make sure you destroy any spoiled copies where your information is visible. Some photocopying service providers may not allow you to do that, so block those pieces of information with a pen or marker instead. It may seem like such a hassle, but it is for your own security.
3. Sometimes you are asked for a copy of your debit or credit card. Do not copy the back of your card because the security code is printed there. Online payment gateways require this security code so if anyone gets hold of yours without your knowledge, you may end up paying for things you never bought. If you are being asked for a copy of both the front and back of your card, tell the requesting party that you will need to cover the security code.
4. Great service? Awful product? If your hand is itching to write on that feedback form, do not be so liberal with your personal information. You do not need to fill out all the fields, just what is necessary to get your message across. They do not need to know your home address nor your home number.
5. More and more shops are offering rewards programs for their customers and if they are your go-to stores, chances are you will be asked to fill out application forms ASAP. Just make sure you only put in the information required. Read the fine print. Do you want them to send you emails or text alerts? Do you want to be automatically enrolled in some third party services? Make sure you understand what you are signing up for.
6. Not everyone has a printer at home. Others need to avail of printing services. Do not allow the service provider to download your files. Do not agree to email the file to them for printing. If you are using a flash drive to have documents printed, scan it on a secure computer after it was plugged into a public terminal to ensure no malicious software infected the drive. Check your computer settings to see that it is not set to autoplay any drive plugged into it.
7. If you need to use a public computer, in the library or in a computer rental shop, for example, and you need to either save, send via email, or print your document, always check the location it was saved in. Delete the file if it was stored in the public computer and empty the recycle bin after deletion. Additionally, erase your browsing data, making sure to include passwords and autofill forms among the options to delete. It is important to note that you should never save passwords on any computer.
8. In the same manner, do not write down passwords, PIN codes, or anything that will allow access to your personal data, accounts, records, and communication. If you feel you might forget your access codes and want to write them down, keep them in a secure location, under lock and key, and away from prying eyes. If you really need to share these codes with someone else because you are unable to access your accounts (e.g., when you’re sick), change your codes the first chance you get.
9. Read privacy notices and policies of establishments and offices that you are giving your personal information to. Know what they are and are not allowed to do with your data. This way, it will be easier for you to lodge a complaint if you find your information was misused and handled improperly.
10. Ask your friends and relatives not to give away your personal information without your consent. With the Data Privacy Act of 2012, offices that hold your information usually have protocols in place when someone other than yourself is requesting your personal data. But things are a bit more relaxed when it comes to friends and family, so do tell them that you are not comfortable having any of your personal information being passed on to others without your permission.
The bottom line is, be careful. Know how to secure your data. Before you can expect anyone else, even the law, to protect you and your information, you need to secure it yourself. Neglecting to do so may be construed as consent.
Scan to read 30 Ways to Love Yourself Online: A Beginner’s Guide to Personal Data Privacy.
UP and the Ins-and-Outs of the Data Privacy Act
Interview with DPO Atty. Gaby Fernandez
Celeste Ann Castillo
Atty. Marcia Ruth Gabriela Fernandez, UP System Data Protection Officer (DPO), and the DPOs of the constituent universities have a complicated job: helping UP, an institution mandated under its Charter to teach, do research and generate and disseminate knowledge and provide public service, to navigate Republic Act No. 10173 or the Data Privacy Act (DPA) of 2012.
UP researchers and the DPA
Fernandez notes that a common misconception of the DPA is that consent of the data subject is needed to process information all the time. The law lists several conditions or cases, aside from consent, where personal information can be processed. Personal information may be processed (i.e., collected, used, stored, etc.) when needed to comply with a legal obligation, to protect the vital interests of the data subject to life and health, to respond to national emergency, and to fulfill the functions of public authority. Sensitive personal information (i.e., confidential education records, age, civil status, health information) may be processed, for example, when allowed by law. Regulatory enactments provide for the following: to protect such information, and the consent of the data subject is not required for such processing; to protect the life and health of the data subject or another person when the data subject cannot physically or legally express consent, and when needed for medical treatment subject to conditions; and, to protect lawful rights and interests of natural and legal persons in the exercise or defense of legal claims and where these are provided to public authority.
With the penalty of imprisonment as well as hefty fines for the punishment of various acts or omissions involved, the DPA can feel like a sword hanging over the heads of UP researchers, especially for those in the social sciences, who often use approaches that may or may not involve written, electronic or recorded consent. Fernandez herself, before her appointment as DPO, pointed out in position papers she submitted to the National Privacy Commission (NPC) in her personal capacity the dysfunctional unintended consequences of a too narrow interpretation of the DPA that requires written, electronic or recorded consent in all instances from research participants for the processing of sensitive personal information. This could be used by groups or agencies with ulterior motives to force researchers to divulge their research participants’ personal data under threat of jail time and/or other penalties.
“It is possible for UP to invoke, in applicable cases, our mandate under the Constitution and the UP Charter to exercise the right and responsibility of academic freedom as our lawful basis for processing personal and sensitive personal information,” Fernandez said. The DPA itself also provides for exemptions from the applicability of the DPA such as when the processing of information is necessary in order to carry out the functions of public authority and personal information processed for journalistic, artistic, literary or research purposes. Still, the law itself is complex, and the UP community needs to know how to traverse it.
“That’s why I said, such an interpretation of the DPA could have a chilling effect,” Fernandez said. “We have to go back to the spirit, the purpose behind the law. The law recognizes that while the State has the duty to protect the right to privacy of individuals, the State must also promote the free flow of information by upholding other Constitutional rights and freedoms.”
There are laws and issuances that UP researchers can invoke to lawfully process sensitive personal information under Section 13b of the DPA. These include the Philippine Statistical Act, the Philippine National Health Research System (PNHRS) Act, and the National Ethical Guidelines on Health and Health Related Research (NEGHHR). The NEGHHR, which was issued pursuant to the PNHRS Act, provides for instances when research ethics committees (RECs) or research ethics boards (REBs) may waive the requirement of informed consent, as in the case of archival research or naturalistic observation, or alter some of the requirements of informed consent, such as waiving the requirement of a signed consent form.
Noting that the Philippine Health Research Ethics Board, which was established pursuant to the PNHRS Act, allows for several REBs or RECs in one academic unit, Fernandez recommended that constituent universities that have yet to establish REBs or RECs consider the creation of RECs at the college level, considering the diverse range of disciplines throughout the UP System. “It is really our duty, as the national university and as a research institution, to uphold research ethics, which requires among others the protection of the privacy of research participants and the establishment of research ethics committees or boards.”
Photo by Jonathan M. Madrid, UP MPRO.
More Information on the Data Privacy Act
Highlights: Atty. JJ Disini’s Talk on “Data Privacy Act Compliance: Legal Issues”
Celeste Ann Castillo
In mid-2017, UP College of Law Associate Professor Jose Jesus “JJ” M. Disini, Jr., one of the country’s leading experts in information technology and intellectual property, cybercrime and privacy, gave a talk on “Data Privacy Act Compliance: Legal Issues” at the UP Open University. Some highlights of Disini’s talk were the following:
Scan to watch Data Privacy Act Compliance: Legal Issues.
The Philippine Constitution looks at privacy in three ways:
1. Data or Informational Privacy for information called personal information or personally identifiable information: information about ourselves or data that we have rights over. These data belong to us, and we control how they may be collected and used.
2. Decisional Privacy, or the recognition that there are certain decisions that are intimate to us, and that the State has no right to intervene.
3. Privacy in Physical Spaces, or the right against unreasonable searches and seizure.
We engage in many activities involving information, such as compiling lists of customers or suppliers, signing guest books during events, filling up raffle coupons in supermarkets, applying for credit cards, etc. Data subjects are individuals, not institutions. Republic Act 10173 or the Data Privacy Act of 2012 is one of the three areas of information that UP has to deal with. The others are the Freedom of Information program and the Open Data policy for research.
There is a class of personal information called sensitive personal information, which includes information about an individual: race; ethnic origin; marital status; age; color; religious, philosophical or political affiliations; health; education; genetic or sexual life; any proceeding for any offense committed or alleged to have been committed; and, information issued by government agencies, such as social security numbers, licenses and tax returns. Such information is considered sensitive because there is greater harm in collecting these data (e.g., exposing a data subject to potential discrimination based on the information), and is therefore protected to a higher degree.
The entities the law regulates are personal data controllers, personal information controllers, or personal information processors:
A data controller is somebody who makes decisions about the personal information, such as what and when to collect and how it will be used.
A data processor is somebody who follows instructions of the data controller and does not make any decisions about the information.
This distinction is important because the Data Privacy Act has penal provisions: imprisonment ranging from one to three years and a fine of not less than Php500,000.00.
Your rights as a data subject in relation to data controllers are:
You have the right to be informed when your data are being collected, how those data will be used, and with whom they will be shared, before you give your consent for your data to be collected and processed.
You have the right to correct your data if they are wrong, and to withdraw your data from the database. You also have the right to sue for damages.
You have the right to access your personal information.
Aside from consent, there is another exception under the law: when personal information is necessary for the performance of a public function. Grades, for example, are necessary for the performance of an educational institution’s functions.
For institutions, the steps in the compliance process are:
1. Do a gap analysis. Study existing processes to find out what data you are collecting, if you are getting the necessary consent from your data subjects, and how you are processing, storing, transferring and destroying data. Spot the areas where you are not compliant with the law.
2. Draw a roadmap. Using the information from the gap analysis, plan out the steps you need to undertake to close the gaps and implement these steps. Work with your institution’s IT department to put information security policies and procedures in place, including, for government institutions, the certain levels of encryption required for data.
3. Implement the solutions in the roadmap. Draft your institution’s explicit data privacy policy informing individuals how they can exercise their rights. Formulate data management policies, including policies on what to do in case of a data breach. Appoint a data privacy officer. The authority of the data privacy officer can be further delegated to a compliance officer for privacy specific to an office.
4. Audit your processes, policies and procedures. If everything has been found to be compliant, practice maintenance.
UP Forum Roundtable Discussion
What do you understand about the Data Privacy Act of 2012? What do you do to protect your data?
The Medical Records Division of the Philippine General Hospital is aware of Republic Act 10173, also known as the Data Privacy Act of 2012, and is strictly complying with it. As Personal Information Controller relating to health care records, our office implements the security measures required by the provision under Chapter V – Security of Personal Information, Section 20, particularly letter (e), which states that employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality. We make sure every information collected from data subject is well-kept, stored and secured, specifically researches and chart reviews.
Michael P. Lagaya Chief Administrative Officer Human Resources Development Office and Data Protection Officer UP Open University
We also have guidelines on the release of sensitive information and information with clinical value, particularly: “The release of any information of a patient shall be done only with the written consent/waiver from the patients. This consent should be explicitly expressed in their general consent both in the in-patient admissions and out-patient consults.”
When it comes to accountability for transfer particularly in research, we designate an individual/s who is/are accountable for the organization’s compliance with Chapter VI under Acceptability for Transfer of Personal Information. It is stated in Sec. 21, Principles of Accountability, letter b: The identity of the individual/s so designated shall be made known to any data subject upon request. We are also using a Non-Disclosure Agreement Form for various purposes such as research, mortality review and conferences. With regard to records disposition, particularly on records retention and disposal, we follow the legal records disposition schedule as prescribed by the National Archives of the Philippines.
Gensela L. Lacambacal Records Officer V Chief, Medical Records Division Philippine General Hospital UP Manila
The Data Privacy Act of 2012 is about protecting the employees’ personal information and sensitive personal information as enumerated in the RA. It also enumerates the rights of the data subjects and the corresponding penalties if we will be violating the law. To protect my data, I do not give my personal information to anyone or even write down my personal information unless it is really required.
The Data Privacy Act of 2012 is the government’s way of ensuring that personal and private data from various stakeholders are protected through law. It outlines the provisions, penalties, government responsibilities, rights and responsibilities of those who handle and own data and its implementation through the National Privacy Commission. It is an important law that every citizen must be familiar with, as our lives are now more intertwined with the Internet, and along with this comes more opportunities for criminals to take advantage of our data in the commission of crimes.
A P R I L J U N E
To protect my data, I ensure that my online accounts are enrolled in more secure protocols such as the two-step verification. I take note of security advisories against phishing schemes and avoid writing down usernames and passwords. We should also make others aware—especially the student body—as our collective security is key in mitigating the risks of living in a more online world.
2 0 1 9
In our office, we provide the personal information of an employee only to him/her. If an employee will give us consent, that is only the time that we can disclose any information about him or her to a third party. We also secure our area by seeing to it that no other employee can access our physical and digital files. Our computers are all password-protected.
Frederick P. Omalza 4th Year, BS Biology Chairperson, University Student Council University of the Philippines Mindanao
UP and the Ins-and-Outs of the Data Privacy Act
UP students and the DPA
The UP System has a privacy notice (https://www.up.edu.ph/index.php/university-of-the-philippines-up-privacy-notice-foi/) informing UP students of what personal and sensitive personal information will be collected from them, for what purpose, the legal basis for processing such information, as well as measures adopted by UP to safeguard the same. Students are asked to indicate on their Form-5s that they have read the notice, recognize the authority of UP to process such information, and give their consent.

The notice also informs students that UP will disclose their personal and sensitive personal information when required or allowed by applicable laws or with their consent. For example, the notice states that UP may disclose a student’s personal and sensitive personal information to their family or next of kin to promote the student’s best interests as required by law; when necessary to respond to an emergency, to uphold the student’s vitally important interests including her/his life and health or to prevent harm to her/him and/or others; or with the student’s consent. UP recognizes that there are cases where the student may be struggling with a serious condition or has become suicidal or his or her life is in jeopardy.

UP employees and the DPA
For UP employees, personal information not covered by the DPA under Section 4 includes names, salary grades, and official job functions. UP processes employee information in order to make decisions regarding their respective appointments, promotions and other personnel actions, as well as to process their applications for grants, leaves, benefits and the like, pursuant to the UP Charter. UP is also duty-bound to process information of University personnel in order to comply with the requirements of other existing laws and regulations. For example, UP must process information pursuant to R.A. 6713, which requires the submission of Statements of Assets, Liabilities and Net Worth (SALN), and comply with the GSIS, Philhealth, Pag-ibig, tax and other applicable laws and issuances.

UP alumni and the DPA
The UP System also has a privacy notice for UP alumni (https://alum.up.edu.ph/index.php/university-of-the-philippines-system-up-privacy-notice-for-alumni/), informing them that various UP offices and the UP Office of Alumni Relations (OAR) will be collecting their information and for what purpose. The UP Registrar’s Offices archive all student records in accordance with the National Archives of the Philippines Act of 2007, and provide relevant information to the OAR in order to enable UP to comply with its duty under the UP Charter to promote the participation of alumni. UP alumni may voluntarily update their records with the OAR through an alumni update form. Fernandez also helped the UPAA draft their own consent form. The UPAA chapters and the UP alumni foundations can get in touch with the UPAA to get a copy of this consent form.

UP Webmail and the DPA
Fernandez urges all members of the UP community to use the Mail service (@up.edu.ph). “UP Mail is our official mail, and uses a two-step verification process to reduce the probability of accounts being hacked.” The goal is to have UP Mail serve as the sign-on system for the various online processing systems of UP to help prevent security incidents and personal data breaches.

“Aside from safeguarding their email communications, faculty, staff and students can get Microsoft Office 365 when they use their UP Webmail account,” she added with a smile (https://itdc.up.edu.ph/uis/microsoft-office-365-for-up).

The University’s duty to process personal and sensitive personal information in order to carry out its functions entails the responsibility of securing and protecting such information. UP’s DPOs need the help and cooperation of all members of the UP community in order to uphold the right to data privacy.

Photo by Abraham Q. Arboleda, UP MPRO.
Source: pexels.com.
Let’s Get Ethical
Jo Florendo B. Lontoc
In a research university, not all vetting requires ethical certifications and clearances, but all work must pass standards of excellence, which cannot exclude research ethics. Incumbent upon the university is the institutionalization of ethical review. Research ethics has many components. One is data privacy. In all aspects, UP Manila has something to offer the rest of the UP System.
Research proposals in UP Manila by regular faculty members, students, clinical faculty members, residents and fellows of the UP Manila-Philippine General Hospital and other UP Manila researchers are reviewed by a centralized ethics board prior to implementation. “No research project happens without the prior review and approval of the board,” Dr. Cecilia Jimeno of the UP Manila College of Medicine, chair of the UP Manila Ethics Board (UPM-REB) Panel 1, reiterates. This ensures that every research work protocol complies with ethical criteria, which include the data privacy of research participants.
“We preceded the Data Privacy Act,” states Dr. Jacinto Blas Mantaring, overall chairman of the UPM-REB, which currently has six reviewing panels. The Data Privacy Act, or Republic Act No. 10173, was passed in 2012.
Two years prior, UPM-REB was established to integrate ethics committees that had already been operating in UP Manila as far back as 1979. The National Institutes of Health, UP Manila’s resource center for health research, the UP Manila-Philippine General Hospital, which conducts hospital research, and the UP Manila College of Medicine had their own respective ethics review boards. They were three of only four internationally accredited research ethics boards in the Philippines in the 1990s, according to Dr. Mantaring.

In streamlining the structure of continuing research ethics review, UP Manila harmonized these research protocols, forerunning the UP System directive. According to the UPM-REB Rationale: “This strategic move will provide a strongly supportive and enabling environment for research. In addition, it will maximize the utilization of its human and institutional resources, and ensure that all types of protocols are reviewed in accordance with international and national requirements.”

According to Dr. Mantaring, UP Manila is a fitting pioneer in promoting research ethics. UP Manila is a campus where international research is conducted. As with journal publications, it requires approval of accredited ethics review committees. But foremost, UP Manila as a health sciences center deals with the health of human beings, whose rights are no less a priority when they become subjects of research. “We have to make sure that our patients and participants of research are protected.” Consequently, UP Manila has become a go-to campus for the rest of the University for research works that directly involve human subjects and those that would require formal ethical review.
Science in UP: Thriving despite Constraints
Photo by Misael Bacani, UP MPRO.
Approval from UPM-REB assumes compliance with international and national guidelines to protect human participants in research and to ensure the integrity of the scientific data. These include those of the World Medical Association Declaration of Helsinki (WMADoH); the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use: ICH Harmonised Tripartite Guidelines for Good Clinical Practice E6(R1); the Council for International Organizations of Medical Sciences International Ethical Guidelines for Biomedical Research Involving Human Subjects (CIOMS-Biomedical); and, the Council for International Organizations of Medical Sciences International Ethical Guidelines for Epidemiological Studies (CIOMS-Epidemiology).

Nationally, UPM-REB complies with the following: the National Ethical Guidelines for Health Research, Department of Science and Technology (DOST) Administrative Order 001 Series of 2007, which requires ethics review of all health research involving human participants; the Department of Science and Technology (DOST) Administrative Order 001 Series 2008, which requires all Ethics Review Committees (ERB)/Institutional Review Committees (IRB) to register with the Philippine Health Research Ethics Board (PHREB); and, the Commission on Higher Education (CHEd) Memorandum Order 34 Series 2007 in support of the DOST memorandum, which requires all academic institutions engaged in human research to establish ethics review boards/committees.

These guidelines on data privacy precede the Data Privacy Act of 2012. They are in compliance with the Act that the UP System issued earlier for the establishment of research ethics committees or boards in each CU throughout the UP System and their accreditation with the Philippine Health Research Ethics Board (PHREB).
While other constituent universities may not focus on health research, “the Philippine National Health Research System (PNHRS) Act and the National Ethical Guidelines on Health and Health-Related Research 2017 (NEGHHR) define health broadly, such that social research and other research will fall under the definition of ‘health research’ and ‘health-related research’ under the PNHRS law.” This is according to the memorandum from the Office of the UP President on Organizational and Technological Security Measures for Data Privacy Act Compliance dated February 13, 2019.
“The CUs do a lot of health-related research where they have special expertise,” Dr. Mantaring expounds. “If UP Los Baños researchers submitted to us protocols on food and nutrition, that would not be our expertise. We would need to get a reviewer for that who would most likely come from the CU itself.” It is better that a CU form its own research ethics board.
Dr. Jimeno is glad for the affirmation brought about by the Data Privacy Act and its implementation by the UP System. “It’s easier for us to just tell [researchers] to be compliant in the way the protocols are run, the way they obtain informed consent [in the privacy and confidentiality section], even the process of securing informed consent, down to the site where the consenting will take place.” The UPM-REB, the pioneer, currently composed of 150 regular members and independent consultants, can be tapped to share these experiences with the other CUs to help the UP System implement its directive institutionalizing data privacy and, by extension, research ethics.
Safeguarding Our Institutional Heritage
Andre DP. Encarnacion
A time capsule, a bridge between past and present. Visit any UP campus and such a description might come close to embodying UP’s place in Philippine history. Everything, from the structures to the discourses taking place within them, was shaped by some of the most profound ideas ever thought of. In the case of UP Diliman, there is probably no other place that embodies this role of being a memory keeper as the University Archives. Located in a nondescript place on the third floor of the Main Library, the Archives contains some of the most timeless pieces bearing the University’s cultural heritage.
“We are, to coin a term, the memory keeper of our University,” said Archives Head Librarian Eimee Rhea Lagrama. “What we have here are materials—paper-based for now—with cultural heritage, research, informational and historical value.”
As one might imagine of a place that contains everything, from a National Artist’s handwritten notes to the theses and dissertations of UP students, the protection of sensitive information is a pressing and constant priority.

Sadly, even for a University that prides itself on its history, not many know about the contents of the Archives and, consequently, what to make of the information found therein. So what kind of information does the Archives section contain, and what are the right steps to protect them?

Four sections
What might appear as a unitary section is actually divided into four. According to Lagrama they are: (a) the bindery/preservation section; (b) the UPiana (containing all UP publications) section; (c) University records; and, (d) the personal papers section. Inclusion in any of these is determined by the permanent value a document gains through the course of the University’s transactions, in addition to its specification under Republic Act No. 9470 or the National Archives Act.

Many visitors associate the Archives with either University records or the personal papers section. What distinguishes the two? According to Lagrama, University records are defined strictly as comprising documents that are part of regular transactions (e.g., leave forms). Personal papers, on the other hand, are explicit products of UP-associated persons, be they faculty, administrators or notable alumni.

“I’ll give the example of Guillermo Tolentino,” Lagrama said. “He has personal papers with us. What exactly? Biographical information, legal documents. I think the death certificate is there, school records. Some of his drafts are also there.”
University Archives Head Librarian Eimee Rhea Lagrama. Photo by Misael Bacani, UP MPRO.
Photo by Jonathan M. Madrid, UP MPRO.
Sensitive and confidential
While Tolentino has long since passed, his case makes it easy to imagine how sensitive or confidential information might be included in the Archives relating to living people. Lagrama admits that there are some personal papers and University records that contain information that cannot be accessed by just anyone.

One basis they have for allowing access to personal papers is the actual donor’s request. “We have donors who do not want specific parts of their collections opened while they are alive. I also remember that we have a collection where even the owner’s passport was with us. Although he is long gone, we decided that for passports and other personal documents, we need to look if they are covered by data privacy and err on the side of caution.”

For University records, Lagrama and her staff are careful, especially when legal documents are included for cases still being disputed. “Usually they are related to the law or, for example, to cases filed against students and faculty. These are documents that we can’t just grant access to and we are very strict about that.”

Specific measures
Lagrama said that it might be a good idea to review their current collection to meet the University’s data privacy needs since, while the concept of data privacy is fairly new, their office has been collecting UP’s documents since it was founded in 1974. Personal collections as well as scholarly products might contain information that could prove risky to either their owners or research participants.

Luckily, at least for theses and dissertations, there exists Memorandum No. FRN 15-XXX issued in 2015 by UP Diliman Vice Chancellor for Research and Development (OVCRD) Fidel Nemenzo. The Memorandum provides guidelines to mark their titles as containing:
I: a patentable/registrable innovation;
P: content that the author intends to publish personally; or,
C: confidential information from a third party.

For studies marked as above, Lagrama said that the Archives gives the authors an embargo period of one year, which is renewable, to either publish, patent or delete the information in question before their work is made publicly available.

Thankfully, Lagrama noted that in many of the colleges, students do avail of, and even extend, the embargo period if necessary. She also added that there are current plans to extend the initial embargo to three or five years. For now, students can easily request an extension when the time is up.

Institutional memory
Lagrama said the primary importance of a University Archives is, recalling George Santayana, to protect the history that helps people in the here-and-now to avoid repeating its mistakes. As the UP Main Library currently undergoes renovation, however, she and her colleagues hope to start a project focused explicitly on the future.

Lagrama believes that before the data privacy policy can be effectively exercised, offices in government should be well-versed in effective records management practices. It makes sense that before we protect the information we have, we should have a records retention and disposition schedule that helps everyone know what documents they should be keeping, who can access them, and how long they should be kept. Armed with an instrument that she helped design with one of her graduate students, Lagrama hopes to use the time available to her and her colleagues to strengthen record-keeping practices across UP.

Guiding others towards a better future is, of course, part of what makes the University Archives a beloved reflection of what UP stands for. Lagrama says, “Having this institutional memory instills in you a sense of identity. It gives you a better sense of who you are as a UP student and Filipino citizen, and at the same time of why we are here and where we are going.”
Photo by Misael Bacani, UP MPRO.
Coming Soon from UPOU: DPO Certification Course
Arlyn VCD Palisoc Romualdo
It has been three years since the implementing rules and regulations of Republic Act 10173, or the Data Privacy Act of 2012, were promulgated by the National Privacy Commission. Full compliance remains a goal to be accomplished by many organizations in the country.
One of the key players in the implementation of the law is the data protection officer (DPO), also called the compliance officer or data privacy officer, of organizations that control and process personal information. The appointment of a DPO by personal information controllers and personal information processors is a legal requirement. The DPO has the overwhelming task of ensuring compliance, mainly by: making sure data privacy policies and processes are in place; monitoring and assessing their efficiency and effectiveness; and, proposing necessary changes to improve implementation, among others.
This is why the UP Open University is set to offer a program that will train and certify DPOs. Currently being finalized, the 32-hour course will be conducted over a period of four days, with the participants taking a certification exam at the end.

The program will begin with a diagnostic exam to assess the extent of the participants’ knowledge on data privacy, followed by two modules on general privacy concepts and the fundamentals of the Data Privacy Act of 2012. The next group of modules will be on the rights and obligations of data subjects and the offices that will process and control these subjects’ personal information; and, on the enforcement of the law, including penalties for violations. Establishing a privacy management program and managing data breach incidents are the next set of modules to be discussed. In the latter, participants will be given different data breach scenarios to handle. The last two modules will be on information security for government, which DPOs from private organizations may opt out of, and on information security management system.

The UPOU DPO certification course is part of its 2019 initiatives launched during its 24th anniversary celebration on March 1 in its headquarters in Los Baños, Laguna. Visit the UPOU website for updates and inquiries on this program. Links to the official social media accounts of UPOU are in the homepage.

upou.edu.ph
What is UP Mail?
The UP Mail (@up.edu.ph) is an email service available to all currently enrolled UP students and employed faculty and staff (whether regular, contractual or ICS [Individual Contract of Service]), and offices in partnership with Google.

Is the @UP Mail different from the @upd, @upm, @uplb, etc.?
Each constituent university has its own webmail service for employees and students. This email service is maintained by each CU’s respective Computer Center or IT office and it is free to maintain such service depending on its mandate. UP Mail is different from these emails in such a way that it is used as the official access to the Core Information Systems, with simplified domain name (@up.edu.ph) and standard to all CUs.

Perks of Using UP Mail
Greater file storage and file sharing capability – Unlimited file storage for Google Drive
Professionalism and Institutional Identity – UP Mail is recommended for submission of papers to local and international conferences and sending invitation for UP events
Collaboration Tools
No Advertisement – stricter spam filter
Mobility – UP Mail account can be used across all UP campuses

Get your UP Mail account now. Visit itdc.up.edu.ph/uis/the-up-mail

Photo by Jonathan M. Madrid, UP MPRO.
University of the Philippines
Shaping Minds that Shape the Nation