Rights of the Data Subject
The University respects the rights of all its data subjects and commits to comply with Republic Act 10173. As being defined in the act, Data subjects are the people whose personal information is collected, stored, and processed.
A. The right to be informed.
Personal data is treated almost literally in the same way as personal property. Thus, it should never be collected, processed and stored without explicit consent, unless otherwise provided by law. The data subject has the right to be informed that personal data will be, are being, or were, collected and processed. The right to be informed is the most basic right as it empowers the data subject to consider other actions to protect his data privacy and assert other privacy rights.
B. The right to access
This is the right to find out whether an organization holds any personal data about the data subject and if so again “reasonable access” to them. Through this right, the data subject may ask to provide a written description of the kind of information they have about the data subject as well as the purpose/s for holding them.
Under the Data Privacy Act of 2012, the data subject has a right to obtain from an organization a copy of any information that they have on their computer database and/or manual system. It should be provided in an easy-to-access format, accompanied by a full explanation executed in plain language.
The data subject may demand to access the following:
a. The contents of personal data were processed.
b. The sources from which they were obtained.
c. Names and addresses of the recipients of the data
d. The manner by which they were processed
e. Reasons for disclosure to recipients, if there were any
f. Information on automated systems where the data is or may be available, and how it may affect the data subject
g. Date when the data was last accessed and modified
h. The identity and address of the personal information controller.
C. The right to object
The consent of the data subject is necessary before any organization can lawfully collect and process personal data. If without the consent, any such collection and processing of personal information by any organization can be contested as unlawful or illegal, and would, therefore, be answerable to the Data Privacy Act of 2012.
In case the data subject already gave the consent by agreeing to an organization’s privacy notice, he/she can withdraw consent if the personal information processor decided to amend said notice. In fact, the personal information processor has the obligation to notify the data subject of changes to their privacy notice and must explicitly solicit once again.
D. The right to erasure or blocking
The data subject has the right to suspend, withdraw or order the blocking, removal or destruction his personal. He can exercise the right upon the discovery and substantial proof of the following:
a. Personal data is incomplete, outdated, false, or unlawfully obtained.
b. It is being used for purposes he did not authorize.
c. The data is no longer necessary for the purpose for which they were collected.
d. The data subject decided to withdraw consent or object to its processing.
e. The data concerns information prejudicial to the data subject-unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by a court of law).
E. The right to damages
The data subject may claim compensation if he suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of the rights and freedoms as data subjects.
F. The right to file a complaint with the National Privacy Commission
If the data subject feels that his/her personal information has been misused, maliciously disclosed, or improperly disposed, or that any of his/her data privacy rights have been violated, the data subject have a right to file a complaint with the National Privacy Commission.
G. The right to rectify
The data subject has the right to rectify and has corrected any inaccuracy or error in the data that the University holds about the data subject.
Section 14. The right to data portability
This right assures that the data subject remains in full control of his data. Data portability allows the data subject to obtain and electronically move, copy or transfer his the data in a secure manner, for further use. It enables the free flow of personal information across the internet and organizations, according to the data subject’s preference. This is important especially now that several organizations and services can reuse the same data. Data portability allows the data subject to manage personal data in a private device and to transmit data from one personal information controller to another. (Chapter IV, Sec. 17, DPA of 2012).
Section 15. Transmissibility of Data Subject Rights
The data subject can assign his rights as a data subject to the legal assignee or lawful heir. Similarly, the data subject may assert another person’s rights as a data subject, provided he or she authorized as a “legal assignee”.The data subject may also invoke another person’s data privacy rights after his or her death if the data subject is his or her legal heir. This same principle applies to parents of minors, or their legal guardian, who is responsible for asserting their rights on their behalf.
This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical research. (Chapter IV, Sec. 18, DPA of 2012).
Section 16. Limitations on Rights (RA 10173)
The University follows the provisions of RA 10173 regarding transmissibility of rights and the right to data portability will not apply if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the data subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only for the declared purpose.
Likewise, the immediately preceding sections are not applicable to the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. (Chapter IV, Sec. 19, DPA of 2012).