UP PHILIPPINE GENOME CENTER PRIVACY POLICY[1] 

To advance its commitment to protect and uphold the privacy of personal information, the University of the Philippines Philippine Genome Center (“PGC”) hereby establishes a framework for processing personal information through this PGC Privacy Policy.

This Policy is complementary with the PGC Data Subject Rights and Responsibilities.

PART I. DEFINITION OF TERMS

  • “Personal Data” refers to all types of personal information, sensitive personal information and privileged information under the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
  • “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • “Sensitive Personal Information” refers to personal information:
  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.
  • “Privileged information” refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
  • “Processing” in any of its verb tense refers to the collecting, recording, organizing, storing, retaining, using, analyzing, copying, transmitting, porting, sharing, exhibiting, deleting, or destroying of Personal Data regarding Data Subjects.
  • “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place
  • “Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
    • An availability breach resulting from loss, accidental or unlawful destruction of personal data;
    • Integrity breach resulting from alteration of personal data; and/or
    • A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
  • “Purposes” are the purposes of PGC in processing Personal Data of Data Subjects outlined in this Policy’s Section II on “What Personal Data are processed?”
  • “PGC” refers to the University of the Philippines Philippine Genome Center, a research and service unit under the Office of the Vice President for Academic Affairs of the University of the Philippines System.
  • “Data Subjects” refers to all types of students, parents, faculty, visiting faculty, staff, Research, Extension and Professional Staff (REPS), UP contractual personnel, non-UP contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, UP alumni, donors, donees, contract counterparties, partners, subcontractors, outsourcees, licensors, licensees and other persons whose personal data are directly or indirectly processed by PGC.

Any new or revised definition of any of the above terms under relevant laws shall accordingly supersede the definitions herein.

PART II. WHO ARE COVERED BY THIS POLICY?

This Policy governs all Data Subjects whose Personal Data are processed by PGC.

PART III. WHY ARE PERSONAL DATA PROCESSED?

PGC processes Personal Data to:

(1) Perform its obligations, exercise its rights, and conduct its associated functions as an instrumentality of the government and a research and service institution;
(2) Pursue its purposes and mandates as a unit of the University of the Philippines, whose purposes and mandates in turn are indicated in relevant provisions under Act No. 1870[2] as “a university for the Philippine Islands” and under Republic Act 9500[3] as “the national university”;
(3) For each particular unit of PGC, conduct all acts reasonably foreseeable from and customarily performed by similar bodies;
(4) Decide and act to respond to certain needs and concerns of Data Subjects; and
(5) Manage and administer its internal and external affairs as a research and service institution, as an instrumentality of the government, and as a juridical entity with its own rights and interests.

PART IV. WHAT PERSONAL DATA ARE PROCESSED

PGC processes Personal Data including but not limited to:

  • Personal details such as name, birth, gender, civil status and affiliations;
  • Contact information such as address, email, mobile and telephone numbers;
  • Academic information such as grades, course and academic standing;
  • Employment information such as government-issued numbers, position and functions;
  • Applicant information such as academic background and previous employments;
  • Medical information such as physical and clinical information.

PGC processes other Personal Data necessary for the following Purposes:

(1) Purposes applicable to all classes of Data Subjects

  1. Purposes necessary for PGC to perform its obligations, exercise its rights, and conduct its associated functions as an instrumentality of the government and as a research and service institution;
  2. Purposes to pursue PGC’s mandates under existing laws and regulations;
  3. Purposes to perform acts and decisions necessary for PGC to manage and administer its internal and external affairs as a juridical entity with its own rights and interests;
  4. Compliance with legal, regulatory, administrative or judicial requirements including audit, reporting and transparency requirements;
  5. Records and account purposes such as:
    (a) Creation and update of record entries and accounts;
    (b) Creation and maintenance of student, faculty or staff records and accounts, electronic or otherwise;
    (6) Security and community affairs purposes such as:
    (a) Maintenance of safety, security, peace and order in and around PGC premises as well as venues which PGC has presence or activities;
    (b) Prevention of crimes and damages to persons or property within or outside the premises of PGC.

(2) Students, parents and guardians

  1. Academic purposes such as:
    (a) Processing of raw or final grades, including evaluation and use of grades to make and act on decisions about students;
    (b) Formulation, study of, and implementation of PGC’s policies, guidelines, procedures, processes, rules and regulations;
  2. Extra-curricular purposes such as:
    (a) Regulation of student organizations and bodies;
    (b) Collaborations with public and private agencies and institutions;
  3. Medical purposes particularly in rendering of medical aid, whether in emergency situations or otherwise;
  4. Student assistance purposes particularly in the provision of tutorial, mentorship, or internship assistance;
  5. Student disciplinary purposes such as:
    (a) Conducting investigations or evaluating matters related to PGC policies, guidelines and rules;
    (b) Implementation of laws or orders of government authorities.

(3) Faculty, including visiting faculty

  1. Administration, management and supervision of faculty as PGC employees (see Purposes for Staff);
  2. Administration, management and supervision of faculty in academic and non- academic functions such as:
    (a) Evaluation of performance and promotion or transfer;
    (b) Research, ethics and intellectual property matters.

(4) Staff, including Research, Extension and Professional Staff (REPS), PGC contractual, Non-PGC contractual personnel, and retirees

  1. Administration of human resources such as:
    (a) Processing and provision of employee rights;
    (b) Provision of compensation and benefits;
  2. Management and supervision of employees and work conduct such as:
    (a) Employee administration, assignment, work supervision, evaluation, promotion, discipline, and transfer;
    (b) Preservation of labor relations and industrial peace.

(5) Applicant students, faculty, and staff

  1. Application purposes such as:
    (a) Processing of application and application requirements;
    (b) Evaluation of eligibility to enroll, teach or work in the University of the Philippines and/or PGC;
  2. Verification purposes such as:
    (a) Determination of veracity of claims;
    (b) Background investigation relevant to the position applied for.

(6) Researchers and research subjects

The Data Privacy Act is not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose.

As such, this Policy’s Section VII on “What are the rights of Data Subjects?” will not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject. However, this inapplicability shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The Data Privacy Act and its Implementing Rules and Regulations shall not apply to specified information, only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or activity concerned when personal information will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards adopted by PGC.

(7) Patients, clients and customers

  1. Processing of medical, physical, psychiatric and psychological information of patients is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured;
  2. Processing of Personal Data of clients and customers compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy wherein there is transparency in obtaining consent and proportionality in processing data.

(8) Alumni, donors and donees

Personal Data collected and processed from alumni, donors, and/or donees is mainly for donation processing. This includes:

(a) Legal requirements such as filing of tax returns and anti-money laundering requirements;
(b) Recording sources and uses of donations for transparency in the Center’s funds.

(9) Contract counterparties, partners, subcontractors, outsourcees, licensors, licensees, lessors, lessees, vendors, purchasers and customers

  1. Timely realization of PGC’s legitimate rights, interests, obligations and responsibilities in law, contract, equity or public policy;
  2. Compliance with the spirit and intent of PGC in engaging the counterparty involved.

(10) Other persons with a juridical link with PGC

  1. Any of the purposes above as applicable to the circumstances;
  2. For each particular PGC unit, the purposes used by analogous bodies performing similar functions.

PART V. HOW DOES PGC PROCESS PERSONAL DATA AND HOW LONG ARE PERSONAL DATA RETAINED?

PGC processes and retains Personal Data as necessary for the Purposes in accordance with:

(1) The Data Privacy Act of 2012, its Implementing Rules, and relevant issuances of the National Privacy Commission;
(2) The National Archives of the Philippines Act of 2007 its Implementing Rules, and relevant issuances of the National Archives of the Philippines;
(3) Policies, guidelines, and rules of the UP System and PGC;
(4) Research guidelines and ethical codes of conduct adopted by the University of the Philippines System; and
(5) Executive Order No. 2, series of 2016 on Freedom of Information and subsequent related executive orders.

In the absence of an applicable rule of retention, Personal Data shall be retained by a PGC unit in accordance with the practices of government bodies with analogous functions.

PART VI. WHERE ARE PERSONAL DATA STORED AND HOW ARE THESE TRANSMITTED?

Personal Data are stored in physical and electronic “Data Processing Systems” of PGC as defined under National Privacy Commission Circular No. 17-01. Personal Data are transmitted in accordance with Chapter III of the Data Privacy Act of 2012 and Rule V of its Implementing Rules and Regulations.

PART VII. WHAT ARE THE RIGHTS OF DATA SUBJECTS?

Under the PGC Data Subject Rights and Responsibilities, Data Subjects have the following rights:

(1)  Right to be informed;
(2) Right to object subject to PGC’s possible consequent failure to conduct academic, administrative and other functions or services;
(3)  Right to access;
(4)  Right to rectification;
(5)  Right to erasure or blocking of Personal Data which are not part of PGC’s public records as an instrumentality of the government and of the national university; and
(6)  Right to damages which is subordinate to the non-liability of PGC arising from the incidental damages due to PGC’s pursuance of its mandates or compliance with its legal obligations.

PART VIII. WHAT ARE THE RESPONSIBILITIES OF DATA SUBJECTS?

Under the PGC Data Subject Rights and Responsibilities, Data Subjects have the following responsibilities:

(1) Respect the data privacy rights of others;
(2) Report any suspected Security Incident or Personal Data Breach to PGC through the contact information in Section X “The PGC Data Protection Officer”;
(3) Provide PGC true and accurate Personal Data and other information. Before submitting Personal Data of other people to PGC, obtain the consent of such people;
(4) Not disclose to any unauthorized party any non-public confidential, sensitive or personal information obtained or learned in confidence from PGC; and
(5) Abide by the policies, guidelines and rules of the PGC System and PGC on data privacy, information security, records management, research and ethical conduct. From time-to-time check for and comply with updates on these policies, guidelines and rules. PGC’s policies on data privacy are at https://pgc.up.edu.ph/privacy.

PART IX. EFFECTIVITY OF THIS POLICY

The PGC Data Protection Officer may promulgate policies, guidelines and rules which are not inconsistent with this Policy.

If any law or regulation cited in this Policy is amended or superseded, then it shall be considered that this Policy is referring to such amending or superseding law or regulation, without prejudice to a person’s right against retroactive effect of laws.

If any part of this Policy is declared null and void, then the other unaffected parts shall remain in full force and effect.

PART X. THE PGC DATA PROTECTION OFFICER

The PGC Data Protection Officer, reporting to the PGC Executive Director, is tasked to protect the privacy of personal information to, in, and from PGC with the following functions:

  • Comply with data privacy laws and regulations including implementing data protection measures, submitting regulatory requirements, and managing privacy incidents.
  • Provide PGC units support services including formulating policies, training people, and conducting audits with remediation solutions.
  • Prevent legal, financial, and operational risks by improving current and future forms, contracts, processes, and I.C.T. systems to secure against leakage of information.
  • Develop in the Center a culture of respect for privacy by formulating policies and establishing practices at par with domestic and international standards.

The PGC Data Privacy Portal is at https://pgc.up.edu.ph/privacy

For data protection concerns or to report privacy incidents, please contact the PGC Data Protection Officer through any of the following channels:

Address:

PGC Data Protection Officer
Room 202, 2/F, PGC Bldg.
A. Ma. Regidor St., UP Diliman, Quezon City 1101

Landline: 8981-8500 local 4706
Email: [email protected]


[1] The policy is heavily based and is almost a copy of the UP Diliman Data Privacy Policy (https://privacy.upd.edu.ph/privacy-policies/) with certain allusions to UP Diliman and other related references updated to refer to that of the UP Philippine Genome Center instead.

[2] AN ACT FOR THE PURPOSE OF FOUNDING A UNIVERSITY FOR THE PHILIPPINE ISLANDS, GIVING IT CORPORATE EXISTENCE, PROVIDING FOR A BOARD OF REGENTS, DEFINING THE BOARD’S RESPONSIBILITIES AND DUTIES, PROVIDING HIGHER AND PROFESSIONAL INSTRUCTION, AND FOR OTHER PURPOSES, Enacted 18 June 1908

[3] AN ACT TO STRENGTHEN THE UNIVERSITY OF THE PHILIPPINES AS THE NATIONAL UNIVERSITY, Enacted 29 April 2008