Privacy Policy

1. What is a privacy policy?
2. How many privacy policies does the University have?
3. Where can I find the University's privacy policies?
4. What is the legal basis for having a privacy policy?
5. Is it mandatory for the University to have a privacy policy?
6. Is the Ateneo de Manila University the only school with a privacy policy?
7. Do I need to give my consent to a privacy policy before it becomes effective?
8. Can I inquire about or clarify the contents of the Privacy Policy? If so, how?
9. Can I challenge the Privacy Policy or some parts of it? If so, how?
10. What can I do if I think the University is violating its own Privacy Policies?

What is a privacy policy?

A Privacy Policy (also known as a Privacy Notice or Privacy Statement) informs a person about the way his or her personal data will be collected and used by an organization, group, or another individual engaged in the processing of personal data. It promotes transparency and accountability on the part of the disclosing party.

How many privacy policies does the University have?

The Ateneo de Manila University currently has four (4) institution-wide privacy policies directed at its primary constituents, namely: (a) students, including applicants and alumni; (b) personnel; (c) campus guests and visitors; and (d) website visitors.

There is no prescribed number of privacy policies that an organization should have. Within the University, a specific unit or office may even develop its own, provided it is consistent with those of the University’s. A separate policy may also be drafted for particular data processing systems.

Where can I find the University’s privacy policies?

You can find all the  policies at the University website, specifically at: https://www.ateneo.edu/privacy.

All units and offices are also encouraged to put copies of the policies in conspicuous places where they may easily be accessed and read. For example, the Privacy Notice for Campus Visitors are posted in practically every entry and exit point of the University.

What is the legal basis for having a privacy policy?

According to Sections 16(a) and (b) of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), a person has the right to be informed about the way his or her personal data will be collected and used by an organization, group, or another individual engaged in the processing of personal data, save for a few recognized exceptions. To uphold this right, the entity engaged in data processing usually develops a privacy policy. This is consistent with the principle of transparency, and also reflects such data privacy principles as fairness, purpose specification, openness, and accountability.

All data protection laws provide for these legal bases (i.e., right and principles).

Is it mandatory for the University to have a privacy policy?

In a manner of speaking, YES, because: (a) the DPA recognizes the right of a person to be informed about the processing of his or her personal data; and (b) upholding this right is most effectively done via the use of a privacy policy.

It is important to remember, though, that the law does not specifically say that it has to be written down, printed, or published. It may be relayed in any format deemed most appropriate given the prevailing circumstances.

Is the Ateneo de Manila University the only school with a privacy policy?

NO. Other schools already complying with the DPA and other applicable data protection laws and policies also have one.

Do I need to give my consent to a privacy policy before it becomes effective?

NO. A privacy policy is only meant to inform. As in the case of other policies of the University or other organizations, your permission is not necessary before a privacy policy is developed and published.

A few months ago, you will recall receiving e-mails informing you about changes in the privacy policies of various internet or online platforms you are using. You may have noticed that the companies did not ask for your permission or consent before they made changes to their privacy policies. By continuing to use their platforms, you are deemed to have agreed to their policies.

Who determines what will be included in the Privacy Policy?

While the DPA determines the types of information that should be relayed in a privacy policy, it is ultimately the entity engaged in data processing that determines what information will actually be collected and processed.  For example, while the law says that the different uses personal data will be subjected to should be in its policy, it is actually Ateneo that determines how it uses the personal data it collects or generates.

To learn more about the information that ought to be included in a privacy policy, you may refer to Section 16 (a) and (b) of the DPA.

Can I inquire about or clarify the contents of the Privacy Policy? If so, how?

YES. You may send your inquiries and clarifications to UDPO. In some cases, you may be referred to another unit or office of the University which may be better positioned to answer your question.
 

Can I challenge the Privacy Policy or some parts of it? If so, how?

YES. You may raise your concern to the UDPO through their contact information.
 

What can I do if I think the University is violating its own Privacy Policies?

You may report your concern to the UDPO for appropriate action. If not acted upon, or you are not satisfied with the response of the University, you may bring the matter to the NPC.