A look into the University’s data privacy
Upon opening the DLSU-D student portal, students may encounter a Data Privacy Statement and wonder what it entails. It’s easy to skip reading and just agree, as we do with terms and agreements that we don’t read. However, what does data privacy on campus really mean? How is DLSU-D accountable for your personal information?
With that, The HERALDO FILIPINO delved into the data privacy policies in the University.
Enforcing the Data Privacy Act
Earlier this academic year, Sancho Castro, CPA, was designated as DLSU-D’s Data Protection Officer (DPO) to fulfill the role and responsibilities of upholding data security, managing information and data, and enforcing data protection in compliance with the Data Privacy Act of 2012.
The act, which was put into law in 2012, only became effective in 2016 after its implementing rules and regulations (IRR) were formulated by the National Privacy Commission (NPC), which was established solely for the purpose of overseeing the country’s data privacy management and assessing how different institutions, whether academic, corporate, or government, manage their organizational information and data.
Appointing a DPO is just the first step required by the Data Privacy Act and its IRR, which also require institutions to formulate privacy impact assessments and a privacy management program, and to implement privacy and data protection measures, along with breach reporting procedures.
The IRR of the Data Privacy Act of 2012 states that “Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.”
As emphasized by NPC Deputy Commissioner Ivy Patdu in an article released in 2017, the designation of a DPO highlights “accountability,” focusing on monitoring members’ compliance with data privacy in an institution and ensuring that policies are met as asked by the republic.
The occurrence of “breaches” resulted in the formulation of the act. “This act (Data Privacy Act) basically tries to protect the data privacy of every individual because right now if you may have been aware of certain fraudulent acts being committed which involve personal information,” Castro said, referring to identity theft and scamming, among others.
Castro stated, however, that there have not been any cases of information breaches in the University. Nevertheless, since academic institutions by nature collect data from their students, faculty, and staff, information may easily be accessed and manipulated for misuse.
He mentioned that disclosing personal information wasn’t previously acknowledged as unacceptable, citing examples of how information is gathered and may be wrongly used, like disclosing someone else’s academic grades, which he referred to as a “breach.” Addressing how people are unaware that disclosing information is a breach, he said, “Now, the law is giving you the right to protect your data, in effect, you can mount a suit against a person who is disclosing information. Back then, we called that chismis (gossip) … breaches, of course, of information.”
More on accountability
Discussing the importance of appointing a DPO, Castro said, “It is (DPO) required by law so it’s significantly important.” He added that if an institution is found not to have appointed one, it may be penalized. “They (NPC) can have the head of the organization jailed for instance, or fined, if they did not comply.”
As stated in the IRR of the Data Privacy Act, other acts involving personal and sensitive personal information that may be penalized include unauthorized processing, improper disposal, unauthorized access or intentional breach, and unauthorized disclosure, among others.
Using improper disposal as an example, Castro said, “Let’s say the clinic has records, medical records of students, [which] they were not able to shred after let’s say five years after the student graduated. They did not shred the records [and] what they did is throw that to the waste basket.” He added that once these records are accessed due to negligence, the head of the University may face six months to three years of jail time, or a penalty of P100,000 to P1,000,000.
He noted that it is the head of DLSU-D, Br. Augustin “Gus” Boquer, who will get penalized; however, if they are able to pinpoint who in the University has direct responsibility for or was negligent in the breach, he or she will be penalized instead. Castro clarified that the penalty will not be immediate, as it will be evaluated through trial in court.
Specifying its coverage
“It (data protection in the University) covers all of your information, not just of employees, but also of students,” Castro said, referring to the coverage of data privacy in the University, which he categorized as personal information, sensitive personal information, and privileged information, or information as decided in the court.
Using identification (ID) cards as an example of personal information, he said, “Here in your ID, you have some information, your name, your program, your student number.” He also briefly gave examples of sensitive personal information: religion, sexual preferences, medical records, and legal cases, for example, “a lawsuit filed against you.”
Addressing how the University gathers sensitive personal information, he said, “Have you given the University any of these? When you applied, what did you put in your application? Did you put there what religion you have? Did you put there where you graduated high school?” He added, “The school has a lot of sensitive personal information but the thing is that the school needs all your personal information to be able to use these to trying to give the education that you want in effect.”
Knowing your rights
The DPO explained why the government requires institutions to provide security measures for every individual: “Each and every one of us has rights that need to be protected.” He added that everyone, as data subjects, should “know their rights,” which are classified as: right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, right to damages, and right to portability and accessibility.
“Anybody giving information to the organization must explicitly indicate that a consent is given,” Castro said, explaining why everyone, students through the student portal along with faculty and staff through the staff portal, is asked for consent in a Data Privacy Statement.
At the same time, each individual has a right to be informed why the organization is getting the data, what it will be used for, how it is being processed, and most importantly, how long the data will be kept.
Everyone also has a choice to object. “There can be cases you say I don’t want to give my data especially if you know for instance the purpose does not merit or does not require for you to give that data,” Castro said, referring to requests for information that lack an acceptable basis for acquiring the data. Despite this, Castro noted that if information is not provided to the organization, there are services that it may not be able to deliver.
Moreover, using Office of the University Registrar (OUR) transactions as an example, everyone has access to their own data, like the Certificate of Registration (COR), and the right to correct erroneous information.
After five years from graduation, students have a right to erase their records. This, however, is limited to certain offices. “Not all, the registrar will have to keep the records. Can you imagine if UST (University of Santo Tomas) deleted their records for students who enrolled there way back, they wouldn’t have records of Jose Rizal.”
He added that each office in DLSU-D should have policies on how long students’ records are kept: “They (departments) should have a policy that after a certain time, they must erase it (records).”
Among others, the right to damages enables data subjects to file complaints and claim damages when there are problems with their data, while the right to portability requires the University to provide access (digital or print) as asked.
In the fulfillment of the data protection policies of the University, DPO Castro appealed to the members of the academic community to know the importance of data security and their data rights. “Everybody must be aware of this because it can lead, because we have seen a lot of problems arising due to lack of awareness on data security and hopefully, nobody in this school is a victim of such.”
Along with this, the DPO has provided orientations to faculty, staff, and student organizations on the importance of the Data Privacy Act, sharing how risks can be avoided by knowing their rights as data subjects.