REVISED UNIVERSITY OF THE PHILIPPINES SYSTEM (UP) PRIVACY NOTICE FOR ALUMNI

The University of the Philippines (UP) is required by Republic Act 9500 or the UP Charter to uphold the principle of democratic governance by, among others, providing that the alumni be represented in the Board of Regents by the President of the University of the Philippines Alumni Association (UPAA) and organizing public fora to enable the alumni to discuss non-academic issues affecting Philippine society. See https://osu.up.edu.ph/wp-content/uploads/2014/05/RA-9500-UP-CHARTER_1.pdf.

In order to comply with its Charter, the University must therefore necessarily process the personal and sensitive personal information (personal data) of its alumni.

The University is committed to comply with the Philippine Data Privacy Act of 2012 (DPA) in the course of processing such personal data. http://www.officialgazette.gov.ph/2012/08/15/republic-act-no-10173/.

This privacy notice explains:

(1) the nature, purpose/(s) and extent of the processing of your personal data;

(2) the legal basis/(es) for such processing;

(3) the risks associated with such processing and the measures that UP has put in place to protect your data privacy; and

(4) your data privacy rights and how you may exercise the same.

The terms UP/University/us refer to the University of the Philippines System and its Constituent Universities and autonomous units, any of its offices, or any of its officials or authorized personnel.

The terms you/your refer to alumni who obtained a degree from, or were awarded a certificate by, the University of the Philippines as well as the regular members of the University of the Philippines Alumni Association (UPAA) which include those who are former regular students of the University having earned at least sixty (60) academic units and who were not dismissed for misconduct or scholastic deficiency (Art. IV a, Amended By Laws of the UPAA).

PERSONAL DATA COLLECTED FROM ALUMNI, THE PURPOSE/(S) AND LEGAL BASIS/ES FOR PROCESSING PERSONAL DATA

As stated in the revised UP privacy notice for students, student records are securely kept by the proper Office of the University Registrar (OUR), among others, in order to verify the identity of former students, graduates and holders of certificates and provide the proper transcripts, certifications, and other documents that such persons and their legal representatives or heirs may request pursuant to applicable laws and UP policies, rules and regulations.

In the case of alumni who earned a degree or certificate from the University, you provided personal data in the course of your enrollment and when you subsequently applied for graduation.

The OUR provides relevant personal data (see below) to the UP System Office of Alumni Relations (OAR) in order for the latter to create your alumni record which is used in order to verify your status as a bona fide graduate of the University when you avail for instance of services such as your UP alumni email (@alum.up.edu.ph).

When you apply to be a member of the UPAA, the UPAA, with your consent, requests the OAR; or, when your record has yet to be created or updated, the relevant OUR to confirm whether you obtained a degree or certificate from UP.

For an alumnus or alumna who may qualify as a UPAA regular member by virtue of his/her previous enrollment, the relevant OUR provides information to the UP OAR as well as the UPAA when the UPAA requests confirmation, with your consent, that you were a former regular student of the University who earned at least sixty (60) academic units and were not dismissed for misconduct or scholastic deficiency.

Your name, contact details, information about your U.P. education including your student number, date and place of birth, sex assigned at birth and other relevant information are used to verify your identity and prevent identity fraud, create or update your UP OAR alumni record and provide services e.g. UP alumni email (note that this service is available only for those who obtained a U.P. degree or certificate). Once you have been issued a UP alumni email, we use the same and your access credentials for verifying your identity for the Alumni Profile Updating (APU) System which you may use in order to provide us with your updated information.

Information about your UP education e.g. all degrees or certificates obtained and from which campus/es, semester/s and year/s when degree/s or certificate/s were conferred, honors received if any, or in the case of those who are not degree or certificate holders, number of units earned, scholastic standing and disciplinary record, if any, are used to determine whether you are qualified to be a regular member of the UPAA entitled as a matter of right to vote and/or be voted upon during the UPAA elections.

Aside from your educational credentials, information about your professional achievements, public service and your citizenship may also be used to determine whether you are qualified to receive awards from the University and/or UPAA.

Your address(es) email and telephone or cellular phone numbers, as well as any information that you have provided in order for us to address you properly e.g. titles are used in order to contact you in the manner that you have indicated when you applied for graduation or in your application for UP alumni email or when you update your alumni record for the purpose of enabling UP to effectively communicate with you. UP may send you greetings, congratulatory and other messages, inform you of news about UP, UP events, University alumni and/or UPAA events, transmit UP and/or UPAA publications and messages, opportunities for making donations to UP in cash or through services/volunteer work, request your consent to participate in research (when applicable) especially for the quality assurance or assessment of UPs degree programs and other similar communications.

At your option, and with your consent, you may provide us information about your current employment or disclose the firm or organization with which you are connected, your current position and other similar information that UP will process for research for the assessment or quality assurance of UPs degree programs as well as UPs other research activities mentioned below in the section on storage and further processing of your data.

The abovementioned personal data may also be used by UP for providing you with other University services such as access to the University library Visitor Information – The University Library, University of the Philippines Diliman, University Health Service units, for the issuance of vehicle stickers for certain UP campuses (e.g. for UP Diliman vehicle sticker concerns, please send an email to [email protected], visit the UP Los Banos site for vehicle sticker applications Login – UVISS, etc.) and other similar services as well as for such other purposes that would enable UP through the System and Campus alumni relations offices to carry out their respective mandates pursuant to the provisions of the UP Charter.

UP, may, in the exercise of its sound discretion process your personal data that you or third parties may have made publicly available in order to exercise its right and responsibility of academic freedom, comply with legal obligations, pursue its legitimate interests or the interests of a third party, pursue or defend legal claims in a proportional manner as allowed by the PDPA and other applicable laws, rules and regulations e.g. the issuances of the National Privacy Commission (NPC) as well as jurisprudence.

CCTVs and other security measures e.g. security personnel’s request that you provide an identification card before being granted entry into UP buildings and procedures for logging in and out when you enter and leave such buildings or premises etc. which may involve the processing of your personal data are intended to protect your vitally important interests, for public order and safety, and are processed pursuant to the University’s and the public’s legitimate interests. UP processes personal data in order to comply with its duty to exercise due diligence to prevent harm or injury to you or others.

Your image may be captured by UP when you attend events that UP documents, records, broadcasts (live streams) and/or when UP publishes news or feature articles about such events. Kindly note that the DPA does not apply, among others, to the processing of personal information for journalistic, artistic, literary or research purposes (Sec. 4d).

DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES ONLY WITH YOUR CONSENT OR WHEN REQUIRED OR WHEN PERMITTED BY LAW

The University will disclose or share your personal data to third parties only with your consent or when so required or allowed by law.

Please note that National Privacy Commission (NPC), the body tasked with implementing the DPA, issued Advisory Opinion 2022-14 https://privacy.gov.ph/wp-content/uploads/2022/08/Advisory-Opinion-No.-2022-014_Redacted.pdf which states:

Processing of personal data within the educational framework in relation to academic freedom.

At this juncture, the NPC would like to clarify that educational institutions may process personal data to achieve the purposes within its educational framework without the need for consent of the data subject. The data subject in an educational setting includes students, faculty and staff. It is then of utmost importance that the school delineates all processing operations, carefully identifying those that are core to the educational framework and those outside of it (e.g. marketing or public relations purposes).

STORAGE AND FURTHER PROCESSING OF YOUR PERSONAL DATA

We also securely store and further process your personal data in order to exercise academic freedom pursuant to the provisions of the 1987 Constitution, the UP Charter (RA 9500) and other applicable laws; comply with legal obligations; establish or defend legal claims; and to carry out other activities allowed or required by the DPA as well as other applicable laws and issuances.

UP stores your personal data pursuant to Sec. 11 (f) of the DPA which states Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

UP conducts research on stored, previously processed, de-identified data in order to comply with its legal obligations including its right and responsibility to exercise academic freedom under the 1987 Constitution and the UP Charter. UP as a research university must conduct scientific research in order to produce general demographic information and statistics regarding UP alumni across various time periods. Such research enables the University to assess whether its policies, programs, as well as procedures and revisions to the same in different years, enable the University, among others, to enhance the access of disadvantaged students to UPs programs and services (Sec. 9 of RA 9500 or the UP Charter), comply with the spirit of other applicable laws such as RA 10687 or the Unified Student Financial Assistance System for Tertiary Education (UniFAST) Act, and RA 10931 or the Universal Access to Quality Tertiary Education Act and to allow us to provide advice and technical assistance to public authorities such as Congress, the Commission on Higher Education, the UniFAST Board, etc. in accordance with Sec. 7 of the UP Charter.

Before any research is conducted by UP, so that we will be able to comply with our ethical obligations and uphold your right to privacy, duly authorized UP personnel will remove identifiers from the applicable dataset such that UP’s researcher or research teams who will perform operations on such dataset will not be able to associate your data with you. The research results will only include aggregate or statistical data and general demographic information that does not identify you and any other data subjects.

Kindly note that Sec. 16.C.2 of Memorandum Circular 2023-4 issued by the National Privacy Commission provides that:

The conduct of research where the end results will be anonymized and will only disclose the general demographic of the research subjects does not require the consent of the data subject.

On the other hand, if research will make use of identifiable personal data, when so required by applicable laws, rules and or ethical guidelines such as the guidelines issued by the Philippine Health Research Ethics Board pursuant to the Philippine National Health Research System Act, we will first obtain the proper ethics clearance as well as your informed consent prior to the conduct of such research.

DATA PRIVACY RISKS AND HOW UP PROTECTS YOUR PERSONAL DATA

The processing by UP of your personal data in order to carry out its obligations to you and to exercise its academic freedom carries risks that may involve the confidentiality, integrity, and availability of personal data or the risk that processing will violate the privacy principles and rights of data subjects. UP has put in place reasonable physical (e.g. access control measures such as locks, security personnel, etc.) organizational (e.g. only authorised personnel who have signed the required non-disclosure undertaking and need such personal data to perform their functions are allowed to process such personal data, periodic privacy impact assessments etc.) and technical measures (e.g. use of CDN, encryption, multi factor authentication for UP mail, UP alumni email and portals, the conduct of vulnerability and penetration testing and other similar measures) to prevent or mitigate such risks. Kindly note that these measures do not guarantee absolute protection against such risks as when systems are subject to targeted cyberattacks, malware, ransomware, computer viruses, etc. However, UP has also adopted measures in order to deal with security incidents or personal data breaches in compliance with the DPA and National Privacy Commission (NPC) issuances.

Please refer to the Board of Regents approved UP Data Privacy Manual CERTIFIED TRUE COPY_DATA PRIVACY MANUAL 2023 EDITION.pdf (up.edu.ph) which includes security incident and breach response procedures (Part 7, pages 35 – 45) and the following forms:

Form 1 UNIVERSITY OF THE PHILIPPINES SYSTEM ADMINISTRATION INCIDENT OR BREACH REPORT FORM.docx (up.edu.ph)
Form 2 PRELIMINARY ASSESSMENT FORM FOR SECURITY INCIDENTS OR PERSONAL DATA BREACHES (up.edu.ph)
Form 3 Mandatory Notification to NPC.pdf (up.edu.ph)
Form 4 Mandatory Personal Data Breach Notification for Data Subjects.docx (up.edu.ph)
Form 5 SECURITY INCIDENT OR PERSONAL DATA BREACH REPORT (up.edu.ph)

We remind UP offices, officials and personnel in our various portals, privacy notices and security advisories transmitted by our IT offices to keep the processing of personal data secure by double checking that the UP mail account used for UPs portals and systems has not been compromised by using Have I Been Pwned, using a strong password for such account 2023 12 04 REMINDER – Use Strong Passwords for UP Mail Accounts and 2025_06_20_REMINDER_Strong_Passwords_UPMail keeping all UP account credentials confidential, using when possible more stringent means for multi factor authentication (MFA) for UP mail accounts such as through the use of passkeys or hardware based MFA and not using public, unsecured networks for processing personal data or at least using VPN if use of such unsecured networks is unavoidable and periodically provide other similar advisories as well as trainings.

ACCESS TO AND CORRECTION OF YOUR PERSONAL DATA AND YOUR RIGHTS UNDER THE DPA

You have the right to access personal data being processed by UP about you. You may access your personal data, for instance, by requesting documents from relevant offices (e.g. the OAR in the case of your alumni records or the OUR for your student records, etc.). You may wish to refer to this page for the links to UP alumni online services e.g. applications for transcripts etc. Alumni Online Services – UP Alumni Website

In order for UP to see to it that your personal data are disclosed only to you, these offices will require the presentation of your UP ID or valid government-issued ID (GIID) or other documents that will enable UP to verify your identity. In case you process or request documents through a representative, in order to protect your privacy, UP requires you to provide a letter of authorization specifying the purpose for the request of documents or the processing of information, and your UP ID or other valid government-issued ID (GIID), as well as the valid GIID of your representative.

As mentioned above, UP requires you to provide correct information. In the event that your information needs to be updated please follow the instructions found in the relevant portal— the Alumni Profile Updating (APU) System.

Aside from the right to access and correct your personal data, you have the following rights subject to the conditions and limitations provided under the DPA and other applicable laws and regulations:

1. The right to be informed about the processing of your personal data through this and other applicable privacy notices.

2. The right to object to the processing of your personal data, to suspend, withdraw or order the blocking, removal or destruction thereof from our filing system. Kindly note, however, that as mentioned above, there are various instances when the processing of personal data you have provided is necessary for us to comply with UP’s mandate, statutory and regulatory requirements, or is processed using a lawful basis other than consent.

3. The right to receive, pursuant to a valid decision, damages due to the inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of your rights and freedoms as a data subject and

4. The right to lodge a complaint before the National Privacy Commission provided that you first exhaust administrative remedies by filing a request with the proper offices or a complaint with the proper DPO regarding the processing of your information, or the handling of your requests for access, correction, blocking of the processing of your personal data and the like.

HOW WE OBTAIN YOUR CONSENT AND HOW YOU CAN WITHDRAW CONSENT

When consent is UPs lawful basis for processing your personal data, UP will obtain your consent by asking you to execute the proper online or paper based form. If you wish to withdraw consent, kindly write or send an email to the proper UP office and identify the processing activity for which you are withdrawing consent. Please attach a copy of your UP ID or GIID so that the proper UP office will be able to verify your identity. Note that consent may be withdrawn only for a processing activity/ies for which consent is the only applicable lawful ground for such processing. Kindly await such UP office’s action regarding your request. Rest assured that once such office confirms that you have validly withdrawn consent for a processing activity/ies the same shall be effective.

REVISIONS TO THE PRIVACY NOTICE AND QUERIES REGARDING DATA PRIVACY

This privacy notice was revised as of Academic Year 2024-2025 in order to comply with the privacy notice requirements contained in NPC Memo Circular 2023-4.

We encourage you to visit this site UP PRIVACY POLICIES – HOMEPAGE from time to time to see any further updates regarding this and other privacy notices that may apply to you. Changes to UP privacy notices can be seen through this site.

If you have any data privacy queries or concerns as it relates to your student records, you may contact your CU’s UP Data Protection Officer (contact details are found in the revised privacy notice for students) UNIVERSITY OF THE PHILIPPINES (UP) PRIVACY NOTICE FOR STUDENTS (REVISED AS OF THE 1ST SEMESTER 2024-2025

For queries, comments or suggestions regarding this System-wide privacy notice, please contact the University of the Philippines System Data Protection Officer through the following:

a. Via post
c/o the Office of the President
2F North Wing Quezon Hall
(Admin Building) University Avenue,
UP Diliman, Quezon City 1101
Philippines

b. Through the following landlines
Phone | (632) 89280110; (632) 89818500 loc. 2521

c. Through email
[email protected]