What is a data breach?
It is a security incident that leads to the accidental or unlawful destruction, loss, alteration, inaccuracy, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
All data breaches are security incidents, but not all security incidents will qualify as a data breach.

 

What do I do if I become aware of a data breach or a security incident?
If you come across what you think is a data breach or a security incident that involves personal data under the control or custody of the University, you should immediately contact the UDPO, by submitting its prescribed Contact Form. If you are a University Personnel and the personal data involved is under the control or custody of your particular office, you may can expedite the process by submitting an Incident Report, instead.

If the data breach or security incident involves personal data that is under the control or custody of another person, group, or organization, you may refer the matter to that person, group, or organization, for its appropriate action.

If you are not sure or are unaware who has control or custody of the data, you may report the matter directly to the National Privacy Commission.

 

What happens after I submit a Contact Form?
The UDPO will make an initial assessment whether or not the reported incident is a security incident or a data breach. If they have reason to believe that such is the case, they will request the primary office or unit that manages or controls the personal data involved to accomplish and submit an Incident Report.

 

What happens after I submit an Incident Report?
The UDPO will constitute a security incident response team that shall carry out an assessment of the incident based on the Incident Report and other available evidence or information. The team may inquire further into the matter, if necessary, in order to ascertain the true nature and/or the full extent of the incident.

The team shall prepare an Assessment Report and submit the same to the Office of the President. The Vice President in charge of the unit involved shall also be given a copy of the report, as will the unit or office that prepared the Incident Report.

 

What does the Security Incident Response Team do?
The Security Incident Response Team is responsible for investigating reports of a data breach or security incident. For each incident, they shall review the Incident Report submitted by the concerned University unit or office. Although they can rely on that Report for their investigation, they also have the option of carrying out a parallel or independent investigation, by conducting interviews, consultations, or reviewing relevant files or documents. When they conclude their investigation, they will submit their findings to the University President for appropriate action. The unit or office that prepared the Incident Report will also be given a copy of the Team’s findings.

 

Will the incident be reported to the NPC?
Only a data breach that meets all of the following conditions need to be reported to the NPC:

1. It involves sensitive personal information, or any other information that may be used to enable identity fraud;
2. There is reason to believe that the information may have been acquired by an unauthorized person;
3. The University or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Security incidents and all other types of data breaches must still be investigated and addressed by the University, but they need not be reported to the NPC.

 

When should the University notify the NPC?
After it determines that a data breach meeting the criteria set by the NPC has occurred, the University has seventy-two (72) hours to report the matter to the Commission.

 

What happens if the University does not report a data breach to the NPC?
The NPC may exercise its regulatory powers against the University, including the conduct of compliance checks or the issuance of cease and desist orders, compliance orders, and temporary or permanent bans on the processing of personal data.

If the data breach involves sensitive personal information, the person/s directly responsible for the University’s failure to comply with the notification requirement under the law may be charged with the crime of “concealment of security breaches involving sensitive personal information”.

 

Will the person who reported the incident be notified of the action taken by the University?
A person who informs or reports to the UDPO of a potential security incident or data breach may be notified of the action taken by the University if:

1. His or her personal data is affected by or involved in the security incident or data breach; or
2. He or she is a University personnel and his or her unit or office controls or manages the data processing system or the personal data affected or involved in the security incident or data breach.