Frequently Asked Questions

For University Personnel as Data Subjects


 

A. PRIVACY POLICY FOR UNIVERSITY PERSONNEL
  1. What is a privacy policy?
  2. Is the Privacy Policy for University Personnel the only one that applies to me?
  3. Looking at the Privacy Policy for University Personnel, it seems the University is doing a lot with my personal data. Are all of them legal?
  4. Does the Privacy Policy for University Personnel contain everything I need to know about the way Ateneo collects and uses my personal data?
 
B. CONSENT FORM FOR UNIVERSITY PERSONNEL
  1. What is a Consent Form or the Terms of Agreement?
  2. Doesn’t the DPA now require the University to ask for my consent each time it wants to collect and/or use my personal data?
  3. How is the ToA different from my employment or engagement contract with the University?
  4. Is the Ateneo de Manila University the only organization requiring its personnel to sign a ToA?
  5. Why am I being required to sign the ToA just now?
  6. Why is signing the ToA mandatory for all University Personnel?
  7. Why won’t the University just ask for my consent each time it wants to process my personal data?
  8. How long will the ToA be effective?
  9. Can I challenge the ToA or some parts of it? If so, how?
  10. Can I later revoke my signature or withdraw my consent?
  11. What happens if I violate the terms of the ToA?
  12. If another University Personnel violates the ToA:
  13. If the University transfers, discloses, or shares my personal data with a third party and something happens to such data, causing me injury or damage:
  14. Can I inquire about or clarify the contents of the ToA? If so, how?
 
C. NON-DISCLOSURE AGREEMENT (NDA) FOR UNIVERSITY PERSONNEL
  1. What is a Non-Disclosure Agreement (NDA)?
  2. What is the legal basis for the NDA?
  3. Why is signing an NDA mandatory for all University Personnel?
  4. I’ve been working for the University for years, why am I only being required to sign an NDA now?
  5. If there is already a confidentiality clause in my contract with the University, why is that not sufficient?
  6. Do I need to sign an NDA every time I need information from the University or any of its units/offices?
  7. Can I just agree with one or some portions of the NDA?
  8. Is signing the NDA mandatory?
  9. What happens if I violate the terms of the NDA?
  10. How long will the NDA last? Will it still apply even after I’ve left the University?
  11. If another University Personnel violates the terms of the NDA and I am negatively affected by it:
 
D. OTHERS
  1. Because of the University’s Privacy Policies and/or because I signed the ToA, will the University now just give my personal data to anyone?
  2. If a fellow University personnel collects and/or uses my personal data without my consent, can I invoke any of these policies or documents in filing a complaint against him or her?
  3. If a student collects and/or uses my personal data without my consent, can I invoke any of these policies or documents in filing a complaint?


 

A. PRIVACY POLICY FOR UNIVERSITY PERSONNEL

  1. Is the Privacy Policy for University Personnel the only one that applies to me?

    NO. Depending on the circumstances, other privacy policies—current and future—may also apply to you. For instance, you may also be pursuing graduate studies in the University, or you are an alumnus of the University; in which case, the Privacy Policy for Students, including Applicants and Alumni, would also apply to you. [back to top]
     
  2. Looking at the Privacy Policy for University Personnel, it seems the University is doing a lot with my personal data. Are all of them legal?

    In the regular course of its operations, the University does a lot of things with your personal data, and it is mostly out of necessity. From choosing among job applicants, to providing basic services, to processing an employee’s resignation or retirement, the University needs to process personal data to get things done. It does so in a manner that it considers to be fair and lawful.

    If any personnel believes otherwise, he or she can raise this concern with the University Data Protection Office (UDPO), and eventually, the National Privacy Commission (NPC) or the courts. [back to top]
     
  3. Does the Privacy Policy for University Personnel contain everything I need to know about the way Ateneo collects and uses my personal data?

    NO. The DPA provides a list of information that needs to be included in a privacy policy. There may be other information not on this list that a person may be interested in. According to Section 16(c) of the DPA, an individual may inquire further about the following details regarding the processing of his or her personal data:
      a. contents of personal data that were processed
      b. sources from which the data were obtained
      c. names and addresses of the recipients of the data, if applicable
      d. manner by which the data were processed
      e. reasons for the disclosure of the data, if applicable
      f. information on automated decision-making processes, if any
      g. date when the personal data were last accessed and modified
      h. designation, name, or identity and address of the entity collecting and using the data

    The University can also choose to include in the policy other information it deems necessary, even if this is not explicitly required. [back to top]

B. CONSENT FORM FOR UNIVERSITY PERSONNEL
  1. Doesn’t the DPA now require the University to ask for my consent each time it wants to collect and/or use my personal data?

    NO, it does not. While consent is a basis for collecting and using a person’s personal data, it is just one of several lawful grounds. For instance, if a law requires the University to collect your data and then share it with a particular government agency, then the University has to comply with such a directive, even without your consent.

    To learn more about these other grounds, you may refer to Sections 12 and 13 of the DPA. [back to top]
  2. How is the ToA different from my employment or engagement contract with the University?

    Both represent an agreement between you and the University. The difference is that a ToA pertains specifically to the processing of your personal data. Eventually, the two will be consolidated into one document. For now, though, since your contract is already in force, the ToA and your main contract will be two separate but complementary documents. [back to top]
  3. Is the Ateneo de Manila University the only organization requiring its personnel to sign a ToA?

    NO. As in the case of privacy policies, organizations that are already complying with the DPA and other applicable data protection laws and policies should have required their personnel to sign one by now, or should at least be in the process of doing so. [back to top]
  4. Why am I being required to sign the ToA just now?

    The ToA and its provisions should ideally be part of your contract with the University. However, since compliance with the DPA is a fairly new requirement for all organizations in the country, it is only now that specific steps are being taken to meet the same (including the use of consent forms). Developing the document and other related data protection measures also took time and involved a rigorous approval process. [back to top]
  5. Why is signing the ToA mandatory for all University Personnel?

    The data processing activities featured in the ToA generally apply to all University personnel. They include the disclosure of information to authorized third parties like the University’s health insurance providers or accrediting organizations (e.g., PAASCU). Accordingly, the document should also be necessary for everyone. Also, since it will form part of your main contract with the University, it becomes mandatory in the same way that your main contract is a prerequisite to your employment/engagement. [back to top]
  6. Why won’t the University just ask for my consent each time it wants to process my personal data?

    The ToA primarily concerns the personal data you provide, or which the University collects or generates, at the start of your work or engagement.

    Through it, you do not provide your blanket, all-encompassing consent. This means the University will still ask for your consent on separate and future occasions if it will carry out any processing activity involving your personal data that is not specified in the ToA. [back to top]
  7. How long will the ToA be effective?

    The ToA will remain effective for the duration of your work in or engagement with the University, or until you revoke or withdraw your consent, whichever is sooner. [back to top]
  8. Can I challenge the ToA or some parts of it? If so, how?

    YES. You may also raise such matters with OHRMOD and/or the UDPO through their contact information. [back to top]
  9. Can I later revoke my signature or withdraw my consent?

    As a general rule in data protection, you may withdraw your consent at any time. However, since the ToA will form part of your main contract with the University (which is not severable), revoking the same will also amount to your rescinding your contract with the University. [back to top]
     
  10. What happens if I violate the terms of the ToA?

    The University will take appropriate action against you. [back to top]
  11. If another University Personnel violates the ToA:
     
    a. What will the University do?
    The University will also take appropriate action against such person. [back to top]

    b. Can I take action against such person? If so, will the University provide me assistance? If so, what type of assistance?
    It is generally the University that stands to incur damage if a person violates the ToA. However, if you feel that you also suffered an injury or incurred damage as a direct result of that person’s action or inaction, you may take action against him or her, following the Disciplinary Action Process facilitated by OHRMOD. Remember, though, that OHRMOD can only handle internal administrative complaints. [back to top]

    c. Can I take action against the University?
    If you feel that you suffered an injury or damage as a result of the University’s failure to safeguard your personal data, you may take action against the University as you deem fit. [back to top]

    d. Can I take action against both?
    If you believe the attendant circumstances support both actions, you are free to pursue them. [back to top]
     
  12. If the University transfers, discloses, or shares my personal data with a third party and something happens to such data, causing me injury or damage:

    a. What will the University do?
    The University will take appropriate action against such third party for violating the terms of its agreement or contract with the University. [back to top]

    b. Can I take action against such third party? If yes, will the University provide me assistance? If so, what type of assistance?
    YES, you may file a complaint with the NPC or the courts. However, the University can only take appropriate action against such third party for violating the terms of its agreement or contract with the University. [back to top]

    c. Can I take action against the University?
    If you believe that any injury or damage that you suffered or incurred is a result of the University’s failure to safeguard your personal data, you may also take action against the University. [back to top]

    d. Can I take action against both?
    If you believe the attendant circumstances support both actions, you are free to pursue them. [back to top]
     
  13. Can I inquire about or clarify the contents of the ToA? If so, how?

    YES. You may inquire and clarify matters with OHRMOD and/or the UDPO via their contact information. [back to top]
 
 
C. NON-DISCLOSURE AGREEMENT (NDA) FOR UNIVERSITY PERSONNEL
  1. What is a Non-Disclosure Agreement (NDA)?

    An NDA is a contract entered into by two or more parties for the purpose of preventing the unauthorized disclosure of confidential information. In this case, it is between you and the University vis-à-vis any confidential information that you may access or come across while working for or engaged by the University. 

    Like the ToA, it will also form part of your contract with the University. [back to top]
  2. What is the legal basis for the NDA?

    As far as personal data is concerned, Section 20(e) of the DPA requires the University to make sure that all its employees, agents, or representatives hold personal data under strict confidentiality, unless they are intended for public disclosure. The obligation continues even after such persons leave the University. [back to top]
  3. Why is signing an NDA mandatory for all University Personnel?

    The University is required to comply with Section 20(e) of the DPA. On top of that, the NDA is basically a security measure of the University against the unauthorized disclosure of its confidential information, including personal data under its control or custody, and matters covered by its intellectual property rights, among others. [back to top]
  4. I’ve been working for the University for years, why am I only being required to sign an NDA now?

    Most personnel are already bound by a confidentiality obligation relative to the University, courtesy of a confidentiality clause found in their existing contracts with the school. As such, this NDA only means to clarify the terms of that clause to avoid confusion or issues in the future.

    As far as data privacy is concerned, it is a recent development. This explains why it is only now that the NDA is being required in relation to the DPA. [back to top]
  5. If there is already a confidentiality clause in my contract with the University, why is that not sufficient?

    For enforcement purposes, the confidentiality clause in your contract may suffice. However, as has been pointed out, it is necessary to clarify matters in order to avoid confusion or issues in the future. For example, the existing confidentiality clause does not define what would be considered as confidential information. Neither does it provide for the effectivity period of the obligation. The NDA does both these things and more. [back to top]
  6. Do I need to sign an NDA every time I need information from the University or any of its units/offices?

    NO. The NDA covers all processing of confidential information during the course of your work for or engagement with the University. However, it does not guarantee that you are free to access or acquire any information under the control or custody of the University. The University will still exercise discretion in determining whether your access to certain types of information is justified or necessary. [back to top]
  7. Can I just agree with one or some portions of the NDA?

    NO. The provisions of the NDA are not severable. [back to top]
  8. Is signing the NDA mandatory?

    YES. The University needs to ensure that all its personnel keep confidential any or all confidential information they access or come across while with the University, including personal data, in order to be able to fully comply with Section 20(e) of the DPA.

    It is important to emphasize that it is also meant to benefit you as part of the University. First, it limits the barriers to your access to information. The NDA will also provide the University with additional legal basis for taking action against an individual who misuses or processes your personal data (under the custody of the University) without proper authorization. [back to top]
  9. What happens if I violate the terms of the NDA?

    The University will take appropriate action against you. [back to top]
  10. How long will the NDA last? Will it still apply even after I’ve left the University?

    The NDA, particularly the obligation to maintain the confidentiality of information, will remain in force even after you leave the University, unless otherwise agreed upon in writing by you and the University. This is also mandated by Section 20(e) of the DPA. [back to top]
  11. If another University Personnel violates the terms of the NDA and I am negatively affected by it:

    a. What will the University do?
    The University will take appropriate action against such person for violating the terms of his or her contract with the University. [back to top]


    b. Can I take action against such person? If so, will the University provide me assistance? If so, what type of assistance?
    If you feel that you suffered an injury or incurred damage as a direct result of that person’s actions, you may take action against him or her, following the Disciplinary Action Process facilitated by OHRMOD. You are also free to pursue other legal remedies outside of the University. [back to top]

    c. Can I take action against the University?
    If you believe that any injury or damage that you suffered is a result of the University’s failure to safeguard your personal data, you may also take action against the University. [back to top]

    d. Can I take action against both?
    If you believe the attendant circumstances support both actions, you are free to pursue them. [back to top]


 
D. OTHERS
  1. Because of the University’s Privacy Policies and/or because I signed the ToA, will the University now just give my personal data to anyone?

    NO. The University does not automatically disclose, transfer, or share your personal data to any person, office, or entity, even if such disclosure is indicated in the Privacy Policy or is allowed by the ToA or any other consent form that you may have signed. The University will still assess and evaluate every request or demand for your information in order to ensure that you and your personal data are protected. [back to top]
  2. If a fellow University personnel collects and/or uses my personal data without my consent, can I invoke any of these policies or documents in filing a complaint against him or her?

    NO. A University personnel’s collection or use of your personal data for personal reasons does not fall under the privacy management program of the University, because it involves neither a data processing system of the school, nor a data processing activity it has authorized, nor personal data under its control or custody.

    This does not mean, though, that that person is without any liability. He or she may still be held accountable for violating other applicable University policies, such as the Code of Discipline for University Personnel. [back to top]
  3. If a student collects and/or uses my personal data without my consent, can I invoke any of these policies or documents in filing a complaint?

    NO. As in the case of University personnel, a student’s collection or use of your personal data for personal reasons does not fall under the privacy management program of the University.

    But again, this does not mean you are without recourse to any legal remedy. That student may be guilty of violating other University policies such as the Code of Conduct for Students. He or she may be held accountable under that policy. [back to top]





 
Got more questions? Let us know. [back to top]

 


University Data Protection Office

Address
Room 200, Manila Observatory,
Ateneo de Manila University Loyola Heights campus,
Katipunan Avenue, Loyola Heights,
Quezon City 1108
Philippines

Telephone
+63 2 426-6001 local 4801

Email
info.udpo@ateneo.edu (Inquiries)
alert.udpo@ateneo.edu (Complaints)

Contact Form [doc] [pdf]
Use this form to submit or file inquiries, concerns, complaints, or to report a security incident or data breach.

Incident Report Form [doc] [pdf]
For University Personnel, use this form to report a security incident or data breach.