Data Privacy Act Compliance-related Documents (OP Memo 10 Oct 2018)

It was early last year when the Ateneo de Manila University embarked on a difficult but necessary compliance journey vis-à-vis Republic Act No 10173, also known as the Data Privacy Act of 2012 (DPA).

Initially assembling a task force to jumpstart its efforts, the Ateneo now has its University Data Protection Office (UDPO) whose mandate is to ensure compliance of the University with the DPA and other applicable data protection laws.

The UDPO aims to fulfill its mandate by establishing an effective and comprehensive Privacy Management Program (PMP) for the University. One that is made up of distinct but interconnected parts working seamlessly to achieve the ultimate goal of protecting individual privacy while allowing the free flow of information within the Ateneo, whenever possible. Foremost of these parts are those that clearly establish the legal bases of an organization’s data processing activities and maintain the confidentiality of personal data.

In view of these, the University has developed three sets of compliance-related documents:

• Privacy Policies. The University now has four (4) institution-wide privacy policies. As a transparency tool, they describe its main data processing activities, including the kinds of information it collects, what it uses them for, and the entities it may share them with from time to time. The DPA requires every person or organization engaged in data processing to inform people about its activities. This is best done via a privacy policy. You may view the University’s policies at: http://www.ateneo.edu/udpo/ADMU-Privacy-Policies
• Terms of Agreement. The University has also developed at least nine (9) Terms of Agreement (ToA) documents. Eight pertain to students, while one is meant for personnel. Through these documents, the University obtains an individual’s consent so that it may process his or her personal data in specific instances or for specific purposes. This, too, is required under the DPA, if it hopes to continue performing some of its regular functions, especially if they involve sensitive personal information.
• Non-Disclosure Agreement. Finally, there is the Non-Disclosure Agreement (NDA), which is a staple in most work environments. Under the DPA, the University is specifically required to make sure that its employees, agents, or representatives who are involved in data processing operate and hold personal data under strict confidentiality unless it is meant for public disclosure.

These three make up the first of many DPA compliance-related initiatives of the University. Privacy policies and ToAs provide the legal foundation that underpin its data processing systems and activities, while the NDA is a prescribed security measure meant to curb unauthorized disclosure of confidential information.

In the next few weeks, the UDPO, in coordination with other concerned units and offices, will be distributing these forms for us to accomplish. A primer will also be given out to address questions frequently asked by various parties.

As one community, let us all work together to ensure the successful implementation of these measures, as well as the establishment of our institution’s privacy management program. Such an accomplishment would do more than demonstrate Ateneo’s willingness to comply with the law. Indeed, it would also inspire greater trust in the school and its systems, and promote accountability among its different units and personnel.

Should there be questions or clarifications regarding these initiatives or any other aspect of the University’s DPA compliance efforts, you may direct them to the UDPO who are ready to accommodate your concerns.

Thank you for your support and cooperation.

amdg,

Jose Ramon T Villarin SJ
President