The increasing reliance on technology over the past two decades has fully thrusted society into the digital age, wherein information is easily accessed at any person’s fingertips. As developments in this realm continue, concerns are also starting to arise with regard to the exploitation of the wealth of data being shared and made available. There is no international standard that regulates data privacy, as each country has differing laws that vary in the scope and degree to which information is protected.

In the Philippines, for instance, Republic Act No. 10173 or the Data Privacy Act was passed in 2012 in response to the increasing need for safeguarding data. The law “seeks to protect all forms of information, be it private, personal, or sensitive” with the National Privacy Commission (NPC) responsible for overseeing it.

However, the recent controversy regarding the possible breach of passport information involving the Department of Foreign Affairs (DFA) puts into question the security of our personal information even in light of protective measures and legislation. With Ateneo’s push towards digitization, assurances have to be made that our data is being handled properly by the people in charge.

Information storage

The issue of data privacy covers several aspects: the collection and storage of information, accessibility and usage, and disclosure to other parties. Given the multi-faceted nature of this issue, the responsibility of data privacy is shared among several offices in the Ateneo.

The storage of data depends on whether the information is recorded physically or digitally. Physical documents are handled by the respective departments and offices that collect them. For the Loyola Schools (LS), any information that is collected digitally and sent to the Ateneo’s databases are handled by the Office for Management Information Systems (OMIS). The Information Technology Resource Management Office (ITRMO) assists the OMIS by providing the necessary resources to store the collected data.

ITRMO Director Sandra Lovenia explains that there are three main areas of data storage and protection: physical, organizational, and information technology (IT). While keeping physical documents gets around the technical shortcomings of the digital means, it also has its fair share of issues. For one, protection of the physical locations of documents and how they are handled can become causes for concern, Lovenia states.

The protection and maintenance of physical documents also taps into the organizational area, which involves the actual people in charge of safekeeping.

Lovenia stresses that there are steep penalties in place for employees who do not follow protocols and end up mishandling data, which speaks of the thoroughness and diligence required of the job.

The final area of IT falls under the responsibility of the ITRMO. The office controls the operations of the servers and continuously develops programs that protect the stored information. “The objective is for us to deliver [and maintain] those systems [that house data],” Lovenia says.

Data protection

In 2018, the University Data Protection Office (UDPO) was established to ensure that the University’s activities comply with the Data Privacy Act of 2012. Currently led by Atty. Jam Jacob, former Director of the Privacy Policy Office for the NPC, the UDPO oversees the protection of data in the University throughout all its four campuses in Metro Manila, namely the Loyola Heights, Rockwell, Salcedo, and Medical City campuses.

An essential task of the UDPO is to supervise the formulation of privacy policies and notices given out by the LS offices, such that they abide by data protection laws. These legal documents are crucial components of data privacy, as no form of data processing can be carried out if there is no clear and well-documented agreement of disclosure between the parties involved.

Jacob also stresses that although the UDPO is tasked to consult and advise offices on writing these documents, the types of information collected and managed are ultimately decided by the LS offices. Certain kinds of information may warrant different treatments, such as stricter terms and conditions.

With the fairly recent implementation of the UDPO, the office has spurred the administration to take a more cautious approach to handling personal information. One example Jacob cites is the process for student organizations in acquiring student data. “Previously, it was really easy to request data about a specific student from the Registrar for recruitment purposes,” Jacob mentions. He states that a student organization now has to undergo a more meticulous procedure to obtain such data.

Policy-making

Although the OMIS and ITRMO mainly oversee digital safekeeping, both offices work closely with UDPO in the overall process of data privacy. “For example if there are systems that we have to build… we involve [UPDO] even at the early stages [when] we’re drafting the contract,” Lovenia mentions. The ITRMO ensures that the systems they are instructed to build fall in line with the guidelines set by UDPO.

With regard to specific policies set in the different campuses, the OMIS is consulted by UDPO on a case-to-case basis. OMIS Director James Gregorio cites password sharing as one of the prominent concerns regarding data privacy. “There’s a possibility of a data breach” when students share their username and password to their proxied during manual registration, Gregorio says. “It’s the same case for the different departments,” he adds. Newly hired employees don’t immediately have their username and password and would end up using older employees’ data to access the system.

The three offices also helps in setting guidelines for data privacy for the Office of the Registrar, which is responsible for handling an extensive amount of LS students’ personal and technical information. One of the first policies created by the offices was having a terms & conditions agreement for incoming freshmen and subsequent agreements for upperclassmen during online enlistment.

Aside from this, another policy that was created was to have students update their information in AISIS before they enlist in classes. Gregorio mentions there was initial resistance to this, and a compromise was reached wherein students could update their information as early as a week before enlistment. “That wasn’t just a decision by OMIS, it was a request by the Office for Student Services because of emergency cases,” he explains. There are students who change contact information over the course of the year and having this requirement ensures that parents and guardians will be informed in case of accidents.

Policies are made not just to comply with the data privacy regulations, but to take into account the safety of the students as well.

System tweaks

After all this however, Jacob admits that there is still a long way to go for data protection to be “fully up and running.” He claims that “people do not entirely understand the implications of data privacy.” “Most institutions just outsource law firms for their data protection manuals, which isn’t effective since law firms aren’t quite familiar with these institutions,” Jacob states.

In relation to this, the UDPO is currently working towards creating an all-encompassing data protection manual that would help the offices continue doing their work whilst abiding by the data privacy laws.

According to Jacob, this manual may prove to be the most comprehensive data protection manual in the Philippines once it’s done. He explains that since members of the UPDO staff came from the National Privacy Commission, they have past experience and familiarity in handling the topic of data protection. Aside from this, since it will not be outsourced to an external institution, the manual can be more specific and exhaustive as it will be grounded to the University’s context.

For the ITRMO, their current objective is to initiate a university-wide strategic IT plan that will allow for more consistent and efficient functionality across all campuses. Lovenia mentions the need to incorporate data privacy-related requirements in the strategies. “The challenge is really enforcement. For example, what are the policies in keeping data in your computer? We have to make it operational [once the manual is finished].”

On another note, the OMIS aims to continue auditing the systems used by the different LS departments. Gregorio recounts an incident in which the College Athletics Office had unrestricted access to students’ data.  “[They have] an access to intra-AISIS because they need to check the grades and the personal information of our athletes. We made some changes to make sure they can only access athletes’ information,” Gregorio explains.

A work in progress

With the Data Privacy Act having only been passed in 2012, the issue of data protection is still a fairly new one in the country. Most of the plans regarding improving the security of information in Ateneo are still in its infancy, and much patience is needed in realizing these objectives.

Despite this, the University has made great strides in setting a precedent for data privacy. In previous years, data protection was only relegated to a small task force composed of staff from various offices. With the recent establishment of the UDPO however, Ateneo now provides all the campuses with an office whose sole purpose is ensuring the compliance of the University with data protection laws.

In addition to this, the ITRMO has expanded to being the central hub for all IT-related responsibilities regarding data protection. Before the implementation of the Data Privacy Act, each campus would have separate office handling IT duties. Consolidating all of the resources to ITRMO has allowed them to administer university-wide changes, such as paying for SSLs or encrypted connections for all Ateneo websites.