Home  »  Policies   »   UNIVERSITY OF THE PHILIPPINES (UP) PRIVACY NOTICE FOR FILIPINO CITIZENS REQUESTING ACCESS TO INFORMATION ON MATTERS OF PUBLIC CONCERN PURSUANT TO EO 2 SERIES OF 2016 REVISED PURSUANT TO FOI MC 21-03, 21-04, 21-05 AND NPC MC 2023-4

UNIVERSITY OF THE PHILIPPINES (UP) PRIVACY NOTICE FOR FILIPINO CITIZENS REQUESTING ACCESS TO INFORMATION ON MATTERS OF PUBLIC CONCERN PURSUANT TO EO 2 SERIES OF 2016 REVISED PURSUANT TO FOI MC 21-03, 21-04, 21-05 AND NPC MC 2023-4

| Written by UP System Media and Communication Office

The University of the Philippines is committed to uphold the right of Filipino citizens to information on matters of public concern under Article III Section 7 of the 1987 Constitution.

E.O. No. 2 Series of 2016 which applies to the Executive Branch was issued in order to implement such provision.

UP has adopted a Freedom of Information manual as required by the said E.O. Such manual was revised pursuant to the provisions of FOI MC 21-05 and MC 89 Series of 2021. In order to process FOI requests made pursuant to the above E.O., the University must necessarily process the personal and sensitive personal information (personal data) of a requesting party, that is, information that identifies a requesting party as an individual.

The University is likewise committed to uphold the Philippine Data Privacy Act (PDPA) that implements the Constitutional right to informational privacy of data subjects.

This privacy notice explains:

  1. the nature, purpose/(s) and extent of the processing of your personal data;
  2. the legal basis/(es) for such processing;
  3. the risks associated with such processing and the measures that UP has put in place to protect your data privacy; and
  4. your data privacy rights and how you may exercise the same.

The term you/your refers to Filipino citizens who make FOI requests pursuant to the provisions of E.O. No. 2 series of 2016 (“requesting parties”) that are lodged with or referred to the University of the Philippines System Administration.

Please note that there are separate FOI officials and personnel for the UP System Administration as well as the Constituent Universities and Autonomous Units. Whenever appropriate, UPSA will refer your FOI request to the proper CU or AU. Please refer to the Revised UP FOI Manual.

 

PERSONAL DATA PROCESSED, THE PURPOSE/(S) AND LEGAL BASIS/ES FOR PROCESSING THE SAME

 

 

FOI requests may be made through a paper-based application process filed with UP’s FOI Receiving Officer(s). We highly encourage requesting parties who have the means to do so to lodge requests using the eFOI portal of the Presidential Communications Operations Office at https://www.foi.gov.ph/ as UP is required to make use of such portal.

Our FOI Receiving Officers may request you to lodge your requests to the eFOI portal in order to enable the University to more efficiently process, monitor and track FOI requests.

In case you do not have the means to lodge requests via the eFOI portal and you file a paper-based application with a UP office, your image may be captured by UP’s CCTVs and your personal data may be processed in connection with other security procedures e.g. you shall be required to present a valid government issued ID and sign the relevant logbook etc. upon your entry and exit from University offices.

Your name, citizenship and a copy of your government-issued ID indicating your Filipino citizenship or in the absence thereof, a document evidencing your Filipino citizenship, the specific purpose(s) for your request are processed by UP in order to verify your identity and to ascertain that your request involves a matter of public concern and that you are qualified to make such request pursuant to the 1987 Constitution.

Please be informed of the following provisions of MC 21-04 regarding how your GIIDs are processed through the eFOI portal and the reminder that in order to protect your privacy, you should not publicly post your GIID and other personal data in the individual request page:

  • Section 2. Access to valid proof of identification (IDs). – FROs, FDMs, and FOI-PMO are allowed access to the IDs uploaded by the requesting parties during the process of signing up in the eFOI portal (Annex A). They shall advise the requesting parties to refrain from uploading or posting any ID, personal information, or sensitive personal information in the individual request page (Annex B), a portion in the eFOI portal which is accessible to the general public that contains the request for information, the agency to which the request is made, and the status of the request.

Kindly note that, in the event your request is granted, and UP provides you with the information requested, the same must be used only for the purpose(s) indicated in your request pursuant to the provisions of the FOI EO, RA 6713 and its IRR, the PDPA and related issuances as well as other applicable laws, regulations and issuances. You shall likewise hold UP free and harmless from all liabilities arising from the processing of the information received for purposes other than those stated in your application as well as those purposes allowed by applicable laws and regulations.

Your address and contact information (landline, mobile number, email) are processed in order for UP to verify your identity and contact you regarding your request.

The abovementioned personal data shall also be processed by UP in order to prevent fraud.

UP may also process personal data of requesting parties in order to do research on how to improve FOI implementation and to comply with reportorial requirements subject to the provisions of the PDPA and applicable research ethics guidelines.

CCTVs and other security measures which may involve the processing of your personal data are intended to protect your vitally important interests, for public order and safety and pursuant to the University and the public’s legitimate interests.

UP will keep your request application form, identification information as well as other documents submitted in support of your request and the records regarding your request in order to protect itself from liabilities for the unauthorized processing of information.

UP will dispose of your personal data pursuant to the provisions of FOI MC 21-03

For the paper based mode, the 2-year retention period shall be counted after the transaction has been closed, whether successful or denied. For the eFOI portal, the 2-year retention period shall be counted from the last login of the requesting party.


NON DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES EXCEPT UPON YOUR CONSENT OR AS REQUIRED OR PERMITTED BY LAW

 

 

As a general rule, UP will only disclose your personal data to third parties with your consent. The University will disclose or share such information only when required or allowed by applicable laws. Note that as stated above, FOI Receiving Officers may request you to upload your request, including your personal data in the eFOI portal in order to more efficiently process, track and monitor your request. UP is required under issuances to be enrolled in the eFOI portal and to use the same to process FOI requests. The PCOO by operating and maintaining the eFOI portal also therefore processes your personal data and discloses the same to the public through such portal.

Pursuant to the no wrong door policy stated in FOI MC 21-05 UP may refer your request containing your personal data to the proper government office or agency.

STORAGE AND FURTHER PROCESSING OF YOUR PERSONAL DATA

 

We also securely store and further process your personal data in order to exercise academic freedom pursuant to the provisions of the 1987 Constitution, the UP Charter (RA 9500) and other applicable laws; comply with legal obligations; establish or defend legal claims; and to carry out other activities allowed or required by the PDPA as well as other applicable laws and issuances.

UP stores your personal data pursuant to Sec. 11 (f) of the PDPA which states Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

UP conducts research on stored, previously processed, de-identified data in order to comply with its legal obligations including its right and responsibility to exercise academic freedom under the 1987 Constitution and the UP Charter. UP as a research university must conduct scientific research in order to produce general demographic information and statistics regarding UP alumni across various time periods. Such research enables the University to assess whether its policies, programs, as well as procedures and revisions to the same in different years, enable the University, among others, to enhance the access of disadvantaged students to UPs programs and services (Sec. 9 of RA 9500 or the UP Charter), comply with the spirit of other applicable laws such as RA 10687 or the Unified Student Financial Assistance System for Tertiary Education (UniFAST) Act, and RA 10931 or the Universal Access to Quality Tertiary Education Act and to allow us to provide advice and technical assistance to public authorities such as Congress, the Commission on Higher Education, the UniFAST Board, etc. in accordance with Sec. 7 of the UP Charter.

Before any research is conducted by UP, so that we will be able to comply with our ethical obligations and uphold your right to privacy, duly authorized UP personnel will remove identifiers from the applicable dataset such that UP’s researcher or research teams who will perform operations on such dataset will not be able to associate your data with you. The research results will only include aggregate or statistical data and general demographic information that does not identify you and any other data subjects.

Kindly note that Sec. 16.C.2 of Memorandum Circular 2023-4 issued by the National Privacy Commission provides that:

  • The conduct of research where the end results will be anonymized and will only disclose the general demographic of the research subjects does not require the consent of the data subject.

On the other hand, if research will make use of identifiable personal data, when so required by applicable laws, rules and or ethical guidelines such as the guidelines issued by the Philippine Health Research Ethics Board pursuant to the Philippine National Health Research System Act, we will first obtain the proper ethics clearance as well as your informed consent prior to the conduct of such research.

DATA PRIVACY RISKS AND HOW UP PROTECTS YOUR PERSONAL DATA

 

 

The processing by UP of your personal data in order to carry out its obligations to you and to exercise its academic freedom carries risks that may involve the confidentiality, integrity, and availability of personal data or the risk that processing will violate the privacy principles and rights of data subjects.

UP has put in place reasonable physical (e.g. access control measures such as locks, security personnel, etc.) organizational (e.g. only authorised personnel who have signed the required non-disclosure undertaking and need such personal data to perform their functions are allowed to process such personal data, periodic privacy impact assessments etc.) and technical measures (e.g. use of CDN, encryption, multi factor authentication for UP mail, UP alumni email and portals, the conduct of vulnerability and penetration testing and other similar measures) to prevent or mitigate such risks.

Kindly note that these measures do not guarantee absolute protection against such risks as when systems are subject to targeted cyberattacks, malware, ransomware, computer viruses, etc. However, UP has also adopted measures in order to deal with security incidents or personal data breaches in compliance with the PDPA and National Privacy Commission (NPC) issuances.

Please refer to the Board of Regents approved UP Data Privacy Manual which includes security incident and breach response procedures (Part 7, pages 35 – 45) and the following forms:

  1. Form 1 UNIVERSITY OF THE PHILIPPINES SYSTEM ADMINISTRATION INCIDENT OR BREACH REPORT FORM
  2. Form 2 PRELIMINARY ASSESSMENT FORM FOR SECURITY INCIDENTS OR PERSONAL DATA BREACHES
  3. Form 3 Mandatory Notification to NPC
  4. Form 4 Mandatory Personal Data Breach Notification for Data Subjects
  5. Form 5 SECURITY INCIDENT OR PERSONAL DATA BREACH REPORT

We remind UP offices, officials and personnel in our various portals, privacy notices and security advisories transmitted by our IT offices to keep the processing of personal data secure by double checking that the UP mail account used for UPs portals and systems has not been compromised by using Have I Been Pwned, using a strong password for such account [2023 Reminder] [2025 Reminder] keeping all UP account credentials confidential, using when possible more stringent means for multi factor authentication (MFA) for UP mail accounts such as through the use of passkeys or hardware based MFA and not using public, unsecured networks for processing personal data or at least using VPN if use of such unsecured networks is unavoidable and periodically provide other similar advisories as well as trainings.

Please note that the security measures for the eFOI portal are determined by the Office of the President of the Republic of the Philippines through the Presidential Communications Operations Office. Kindly refer to the Privacy Statement for the eFOI portal at Privacy Statement.

 

 

ACCESS TO AND CORRECTION OF YOUR PERSONAL DATA AND YOUR RIGHTS UNDER THE PDPA

 

 

In case you request for access to, or the correction of your personal data made in relation to your FOI request which was submitted using a mode other than through the eFOI portal, UP will require you to provide a GIID to ascertain your identity and prevent fraud. In case the request is made through your representative, you must submit a letter of authorization stating the name of your authorized representative, your GIID as well as the valid GIID of your authorized representative. UP shall request a copy of the GIID that you and your representative presented.

Kindly note that since UP is under a legal obligation to use the eFOI portal to process requests there are certain requests that you may make in relation to your personal information in the portal that must be addressed to PCOO as the operator of the eFOI portal e.g. if you register via the eFOI site then the correction of your registration information must be made via the eFOI portal as UP has no means of correcting the personal information that you entered when you registered in the eFOI portal.

Aside from the right to access and correct your personal data, you have the following rights subject to the conditions and limitations provided under the PDPA and other applicable laws and regulations:

  1. The right to be informed about the processing of your personal data through this and other applicable privacy notices;
  2. The right to object to the processing of your personal data, to suspend, withdraw or order the blocking, removal or destruction thereof from our filing system. Kindly note however that, as mentioned above, there are various instances when the processing of personal data you have provided is necessary for us to comply with UP’s mandate, statutory and regulatory requirements, or is processed using a lawful basis other than consent;
  3. The right to receive, pursuant to a valid decision, damages due to the inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of your rights and freedoms as a data subject and;
  4. The right to lodge a complaint before the National Privacy Commission provided that you first exhaust administrative remedies by filing a request with the proper offices or a complaint with the proper DPO through the email address indicated below regarding the processing of your information, or the handling of your requests for access, correction, blocking of the processing of your personal data and the like.

 

REVISIONS TO THIS PRIVACY NOTICE AND QUERIES REGARDING DATA PRIVACY

 

This privacy notice was revised as of Academic Year 2024-2025 in order to comply with the privacy notice requirements contained in NPC Memo Circular 2023-4.

We encourage you to visit this site UP PRIVACY POLICIES – HOMEPAGE from time to time to see any further updates regarding this and other privacy notices that may apply to you. Changes to UP privacy notices can be seen through this site.

If you have any data privacy queries or concerns as it relates to your FOI requests that are lodged with or pending before a CU or AU of the University, you may contact the CU’s UP Data Protection Officer (contact details are found in the revised privacy notice for students) UNIVERSITY OF THE PHILIPPINES (UP) PRIVACY NOTICE FOR STUDENTS (REVISED AS OF THE 1ST SEMESTER 2024-2025.

For queries, comments or suggestions regarding this System-wide privacy notice, please contact the University of the Philippines System Data Protection Officer through the following:

a. Via post

c/o the Office of the President
2F North Wing Quezon Hall
(Admin Building) University Avenue,
UP Diliman, Quezon City 1101
Philippines

b. Through the following landlines

Phone | (632) 89280110; (632) 89818500 loc. 2521

c. Through email

dpo@up.edu.ph