Frequently Asked Questions
- What is a security incident?
- What is a data breach?
- What do I do if I become aware of a data breach or a security incident?
- What happens after I submit a Contact Form?
- What happens after I submit an Incident Report?
- What does the Security Incident Response Team do?
- Will the incident be reported to the NPC?
- When should the University notify the NPC?
- What happens if the University does not report a data breach to the NPC?
- Will the person who reported the incident be notified of the action taken by the University?
- What happens to the unit or office involved in the security incident or data breach?
What is a security incident?
It is an event or occurrence that affects or tends to affect data privacy or data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
What is a data breach?
It is a security incident that leads to the accidental or unlawful destruction, loss, alteration, inaccuracy, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
All data breaches are security incidents, but not all security incidents will qualify as a data breach.
What do I do if I become aware of a data breach or a security incident?
If you come across what you think is a data breach or a security incident that involves personal data under the control or custody of the University, you should immediately contact the UDPO by submitting its prescribed Contact Form. If you are University Personnel and the personal data involved is under the control or custody of your particular office, you can expedite the process by submitting an Incident Report instead.
If the data breach or security incident involves personal data that is under the control or custody of another person, group, or organization, you may refer the matter to that person, group, or organization, for its appropriate action.
If you are not sure or are unaware who has control or custody of the data, you may report the matter directly to the National Privacy Commission.
What happens after I submit a Contact Form?
The UDPO will make an initial assessment of whether the reported incident is a security incident or a data breach. If they have reason to believe that such is the case, they will request the primary office or unit that manages or controls the personal data involved to accomplish and submit an Incident Report.
What happens after I submit an Incident Report?
The UDPO will constitute a security incident response team that shall carry out an assessment of the incident based on the Incident Report and other available evidence or information. The team may inquire further into the matter, if necessary, in order to ascertain the true nature and/or the full extent of the incident.
The team shall prepare an Assessment Report and submit the same to the Office of the President. The Vice President in charge of the unit involved shall also be given a copy of the report, as will the unit or office that prepared the Incident Report.
What does the Security Incident Response Team do?
The Security Incident Response Team is responsible for investigating reports of a data breach or security incident. For each incident, they shall review the Incident Report submitted by the concerned University unit or office. Although they can rely on that Report for their investigation, they also have the option of carrying out a parallel or independent investigation, by conducting interviews, consultations, or reviewing relevant files or documents. When they conclude their investigation, they will submit their findings to the University President for appropriate action. The unit or office that prepared the Incident Report will also be given a copy of the Team’s findings.
Will the incident be reported to the NPC?
Only a data breach that meets all of the following conditions needs to be reported to the NPC:
- It involves sensitive personal information, or any other information that may be used to enable identity fraud;
- There is reason to believe that the information may have been acquired by an unauthorized person;
- The University or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Security incidents and all other types of data breaches must still be investigated and addressed by the University, but they need not be reported to the NPC.
When should the University notify the NPC?
After it determines that a data breach meeting the criteria set by the NPC has occurred, the University has seventy-two (72) hours to report the matter to the Commission.
What happens if the University does not report a data breach to the NPC?
The NPC may exercise its regulatory powers against the University, including the conduct of compliance checks or the issuance of cease and desist orders, compliance orders, and temporary or permanent bans on the processing of personal data.
If the data breach involves sensitive personal information, the person/s directly responsible for the University’s failure to comply with the notification requirement under the law may be charged with the crime of “concealment of security breaches involving sensitive personal information”.
Will the person who reported the incident be notified of the action taken by the University?
A person who reports a potential security incident or data breach to the UDPO may be notified of the action taken by the University if:
- His or her personal data is affected by or involved in the security incident or data breach; or
- He or she is a member of University personnel and his or her unit or office controls or manages the data processing system or the personal data affected or involved in the security incident or data breach.
What happens to the unit or office involved in the security incident or data breach?
Human error is the cause of many, if not most, security incidents or data breaches. In such instances, the assessment team may recommend changes in the office or unit policies, protocols, or procedures, and/or issue reminders in order to prevent a similar incident from occurring in the future.
However, if so warranted, the assessment team may also recommend that sanctions or penalties be meted out by University management on the person/s responsible for the incident or breach, particularly if it resulted in significant damage or injury on the affected data subjects and the University.
University management may or may not adopt the recommendation of the assessment team.
University Data Protection Office
Room 200, Manila Observatory,
Ateneo de Manila University Loyola Heights campus,
Katipunan Avenue, Loyola Heights,
Quezon City 1108
+63 2 426-6001 local 4801