Data Privacy


Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector. The DPA created the National Privacy Commission (NPC) which is tasked to monitor its implementation. It covers the processing of personal information and sensitive personal information and sets, as its basic premise, the grant of direct consent by a data subject before data processing of personal information be allowed.

The law requires all government and private entities or organizations processing personal data establish policies, and implement measures and procedures to ensure and guarantee the safety and security of personal data under their control or custody, thereby upholding an individual's data privacy rights. In addition, they are required to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel and data subjects of such measures, all agencies are expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfilment and realization of the rights of the data subjects.


The Bulacan State University (BulSU), in its commitment to uphold, respect and value data privacy rights hereby adopts this Data Privacy Manual in compliance with the DPA, its Implementing Rules and Regulations, and other relevant policies, including issuances of the NPC.

The university ensures that through this Manual all personal data collected from all its officials, personnel, higher education institutions, students and other data subject shall be processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. To guide the university and its data subjects in exercising their rights under the DPA, the Manual shall include data protection and security measures.


For purposes of this Manual the following terms are defined as follows:
  1. Consent of Data Subject - refers to any freely given, specific, informed indication of will, whereby the data subject agrees to collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by a written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so or by the parent/s or legal guardian of a minor or children below 18 years of age.

  2. Data Subject - refers to an individual whose personal, sensitive personal or privileged information is processed by BulSU. It may refer to University officials and employees as well as faculty, staff and students of Bulacan State University.

  3. Higher Education Institutions (HEIS) - means an educational institution, private or public, undertaking operations of higher education program/s with an organized group of students pursuing defined studies in higher education, receiving instructions from teachers, usually located in building or group of buildings in a particular site specifically intended for educational purposes.

  4. Information and Communication Systems refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission, storage of electronic data, electronic message or electronic document.

  5. Personal Information refers to any information such as but not limited to name, address, email address and mobile numbers whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

  6. Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing, of personal data, or instructs another to process personal data on his behalf.

  7. Personal Information Processor refers to any natural of juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

  8. "Processing" refers to any operation or any set of operations performed upon personal information including, but not limited to collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

  9. Sensitive personal information refers to personal information:
    1. About an individual's race, ethnic origin , marital status, age, color, and religious, philosophical or political affiliations;
    2. About an individual's health education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceeding, or the sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    4. Specifically established by an executive order or an act of Congress to be kept classified.


This Privacy Manual applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines. This Manual does not apply the following:

  1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of individual, including:
    1. The fact that the individual is or was an officer or employee of the government institution;
    2. The title, business address and office telephone number of the individual;
    3. The classification, salary range and responsibilities of the position held by the individual; and
    4. The name of the individual on a document prepared by the individual in the course if employment with government;
  2. Information about an individual who is or wad performing service under contract for a government institution that relates to the service performed, including the terms of the contract, and the name of the individual given in the course of the performance of those service;

  3. Information relating to any discretionary benefit of a financial nature such as the granting of license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

  4. Personal information processed for journalistic, artistic, and literary or research purposes;

  5. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposit Act; and Republic Act No. 6426, otherwise known as the foreign Currency Deposit Act; and Republic Act no, 9510, otherwise known as the Credit Information System Act (CISA);

  6. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended other known as the AntiĀ­ Money Laundering Act and other applicable laws; and

  7. Personal information originally collected from residents of foreign jurisdiction in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.


This Manual applies to an act done in and outside of the Philippines by an entity if:
  1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;

  2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
    1. A contract is entered in the Philippines:
    2. juridical entity unincorporated in the Philippines But has central management and control in the country: and
    3. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
  3. The entity has other links in the Philippines such as, but not limited to:
    1. The entity carries on business in the Philippines: and
    2. The personal information was collected or held by an entity in the Philippines.


  1. General Data Privacy Principles. - The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

    Personal information must, be:
    1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specific and legitimate purposes and lawfully;
    2. Processed fairly and lawfully
    3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing if personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
    4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
    5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
    6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

    The personal information controller must ensure implementation of personal information processing principles set out herein.

  2. Criteria for Lawful Processing of Personal Information. - The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

    1. The data subject has given his or her consent;
    2. The processing of personal information is necessary and is related to the fulfillment of a contract with data subject or in order to take steps at the request if the data subject prior to entering into a contract;
    3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
    4. The processing is necessary to protect vitally important interests of the data subject, including life and health;
    5. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessary includes the processing of personal data for the fulfillment of its mandate; or
    6. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

  3. Sensitive Personal Information and Privileged Information. - The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

    1. he data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
    2. The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subject are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
    3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
    4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided finally, That consent of the data subject was obtained prior to processing;
    5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
    6. The processing concerns such personal information as is necessary for the protection of lawful rights and interest of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government of public authority.

  4. Collection

    The collection of both personal information and sensitive personal information is done by lawful means and for a lawful purpose and is directly related and necessary in the achievement of the university's vision and mission.

    Personal information of data subject are obtained openly and straightforwardly without any hidden motive through the data subjects filling up of official forms. These forms are essential in the provision of service to clients such as scholarship and research grants, request for certification, authentication and verification, among others.

    Similarly, personal data of the university officials and employees (including project and/or agency-based employees), applicants to vacant positions and Accredited Technical Panel Members, consultants and others are obtained through the requisite Personal Data Sheet (PDS) and by accomplishing forms essential in training and other developmental interventions.

  5. Use

    Personal data collected shall be used by the university solely for the purpose that it was gathered and for reportage and documentation purposes. In all this, the individual that is not deemed identified as data shall be presented in statistics form. The Board shall ensure no manipulation of personal data and that the same shall not be used against any individual.

  6. Storage, Retention and Destruction

    BulSU shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, altercation and disclosure as well as against any other unlawful processing. It shall implement appropriate security measures in storing collected personal information, depending on the nature of the information. The retention period of personal information gathered shall be as follows:

    BulSU Officials and employees - ten (10) years
    Former BulSU Official and employees - subject to CSC Memorandum no. 8, series of 2007
    Technical Panel Members and Consultants - Ten (10) years
    Applicant to vacancies - 1 year
    Data subjects (scholarship and research grantees, applicants for Sos, CAVs) - ten (10) years

    After said period, all hard and soft copies of personal information shall be disposed and destroyed, through secured means.

  7. Access

    Access to personal data of officials and employees of CHED and applicants to vacancies shall be limited to the DPO or COP, Director of the Administrative Financial and Mangement Division, Chief of Human Resource and Development Division, its regional counterpart and other authorized employees. At no time should anyone be given access to the personal files of other employees. For personal information of data subjects, only the data subjects, the DPO and the authorized representative of the university shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.

  8. Disclosure and Sharing

    All employees and personnel of the university shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the university shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.

  9. Subcontract of Personal Information A personal information controller may subcontract the processing of personal information: Provided, that the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposed, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with requirements of this Act and other applicable laws.

VII. RIGHTS OF DATA SUBJECT - This data subject shall be entitled to the rights provided for under Section 16, 17 and 18 of RA 10173


The university shall implement reasonable and appropriate physical, technical, and organizational measures for the protection of personal data. These security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

  1. Organization Security Measures
    1. Data Protection Officer
      he Director of the OPKRM shall be the designated Data Protection Officer (DPO)
      The Director of the Regional Offices shall appoint the Chief Administrative Officer as Compliance Officer for Privacy (COP)
    2. Function of the DPO/COP
      1. Monitor the Personal Information Controller's (PIC) or Personal Information Processor's (PIP) compliance with the DPA, its IRR, Issuance by NPC, and other applicable laws and policies. As such he/she may:
        • Collect information to identify the processing operations, activities, measures, project, programs, or system of the PIC or PIP, and maintain a record therof;
        • Analyze and check the compliance of processing activities, including the issuance of security clearance to and compliance by third-party service providers;
        • Inform, advice and issue recommendation to the PIC or PIP;
        • Ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
        • Advice the PIP or PIC as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
        • Add provision as to personal information accountability
      2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
      3. Advice the PIC or PIP regarding complaints and/or the exercise by the data subjects of their rights (e.g., request for information, clarifications, rectification or deletion of personal data);
      4. Ensure proper data breach and security incident management by the NPC of reports and other documents concerning security incidents or data breaches within the prescribed period;
      5. Inform and cultivate awareness on privacy and data protection within your organization, including all relevant laws, rules and regulation and issuances of the NPC;
      6. Advocate for the development, review and/or revision of policies, guidelines, project and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
      7. Serve as the contract person of the PIC or PIP vis-a-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
      8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
      9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
      Expect for items (1) to (3), a COP shall perform all other functions of a DPO. Where appropriate, he or she shall also assist the supervising DPO in the performance of the latter's function.
    3. Conduct of Trainings and Recording and Documentation of Activities Carried out by the DPO or by the Commission. The university shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, their attendance and participation in relevant trainings and orientations shall be ensured as often as necessary.
    4. Conduct of Privacy Impact Assessment (PIA)
      The university shall conduct a Privacy Impact Assessment (PIA) relative to all activities, project and systems involving the processing of personal data.
    5. Duty of Confidentiality
      ll employees shall be asked to sign a Non-Disclosure Agreement. All employees with access to personal data under strict confidentiality if the same is not intended for public disclosure.
    6. Review of Privacy Manual
      This Manual shall be reviewed and evaluated annualy. Privacy and security policies and practices within the university shall be updated to remain consistent wiith data privacy best practices.

  2. Physical Security Measures
    1. Format of Data
      Personal data in the custody of the university may be in digital/electronic format and paper-based/physical format.
    2. Storage Type and Location
      All personal data of the BulSU Officials and staff including those of its project and agency-based employees in paper based documents shall be stored in a locked filing cabinet located at the Records Office on the 2" floor of the Flores Hall Building.
      Papers or documents bearing personal information of clients shall be kept in locked filing cabinets at the Stock Room at the Records Office.
      Digital /electronic files shall be stored in computers protected by passwords and can be accessed only by authorized personnel.
    3. Access Procedure of Agency Personnel
      Only the DPO or COP, Director of the Administrative Financial and Management Division, Chief of the Human Resource and Development Division, its regional counterpart and other authorized employees shall have access to the stored personal information of current and former BulSU officials and staff and applicants to vacant positions. For this purpose, they shall each be given a duplicate of the keys to the filing cabinet and the Personnel Records Room.
      An official/employee who wishes to see documents on his/her personal file (201 File) shall fill up a request form to be approved by the DPO or by the COP. The Chief of the Human Resource and Development Division in the Central Office and the Chief Administrative Officer (for Regional Offices) shall secure the requested document/s, have the same photocopied, and hand this/these over to the official/employee concerned.
      To protect against inappropriate disclosure of confidential information, certain records including those containing confidential information about more than one individual and medical records shall not be allowed to be accessed.
      Directors and Division chiefs, other than those expressly mentioned in the preceding paragraphs, may have access to personal file information on a need-to-know basis.
      Unclaimed 201 Files of former BulSU employees as well as their Service Records, duplicate copies of Clearance from Property and Money Accountabilities and forwarding addresses and telephone numbers retained at the office in accordance with CSC Memorandum Circular No. 8, s. 2007 shall be treated in the same way as the 201 Files of current employees.
      As for the stored personal data subjects/clients, only the Director of the ______ and the Heads of _shall have access to the same.
      At no time should authorized official/personnel bring gadgets or storage device of any form when accessing personal files of BulSU personnel, applicants and clients.
    4. Monitoring and Limitation of Access
      All authorized personnel who accessed the stored personal data must fill out and register access details in a logbook. They shall indicate the date, time, duration and purposes of each access.
    5. Design of Office Space/Work Station
      Computers are located at the work stations of employees such that no computers are placed side by side with other computers. This is to ensure the protection of processing of personal data.
    6. Maintenance of Confidentiality
      Persons involved in processing shall always maintain confidentiality and integrity of personal data.
    7. Modes of Transfer of Personal Data within the BulSU or to Other Parties.
      Transfer of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data.
    8. Retention and Disposal Procedure
      The BulSU shall retain personal data in its custody following the schedule identified in the item Storage, Retention and Destruction under the Processing of Data in this Manual. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.

  3. Technical Security Measures
    1. Monitoring for Security Breaches
      The BulSU shall procure and install anti-virus software, on an annual basis, to devices that regularly access the internet (desktop, laptop, apple and android devices).
      The IT Administrator shall regularly read the firewall logs to monitor security breaches and alert the BulSU officials of any unauthorized attempt to access the BulSU network.
    2. Security Features of the Software/s and application/s Used

      The Office of Planning, Research and Knowledge Management (OPKRM) shall first review and evaluate software applications before the deployment thereof in computers and devices of the BulSU Officials to ensure compatibility of security features with the data privacy policies.

      On existing software applications, which involves processing of personal data of BulSU employees, the following shall be observed:

      • The end user, with the technical assistance of the OPKRM, shall evaluate and assess the security protocols of the system with regards to saving, backup and data recovery. If such protocol runs counter with the data privacy principles stated in the Data Privacy Act of 2012, remedial steps should made to correct such flaws.

      • The OPKRM, during its IT semestral maintenance activities, shall check software applications installed in all IT hardware and devices for compliance with the Board's data privacy policy. If a software/application is found to be a security risk that it may disturb or interrupt the normal operations of the BulSU network, the IT technical personnel shall notify the end user of the risk and the software/application shall immediately be uninstalled. The IT personnel shall thereafter prepare an incident report.

    3. Process for Regularly Testing, Assessment and Evaluation of Effectiveness of Security Measures

      The Unit of the OPKRM shall make regular penetration testing of the firewall appliance from outside the BulSU premises and from within to conduct vulnerability assessment of the same.


  1. Creation of a Data Breach Response Team

    A Data Breach Response Team comprising of the DPO, the OPKRM Director, the Chief Administrative Officer and MIS personnel of the OPKRM, under the direct supervision of the Executive Director is responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

  2. Measures to Prevent and Minimize Occurrence of Breach and Security Incidents

    The Data Breach Response Team shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data shall attend trainings and seminars for capacity building. A periodic review of policies and procedures being implemented in the BulSU shall be undertaken.

  3. Procedure for Recovery and Restoration of Personal Data

    The BulSU shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  4. Notification Protocol

    The Head of the Data Breach Response Team shall inform the Executive Director of the need to notify the National Privacy Commission (NPC) and the data subjects affected by the incident or breach within 72 hours from knowledge thereof.

  5. Documentation and Reporting Procedure of Security Incidents or Personal Data Breach

    The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the Executive Director and the NPC within the prescribed period. The report shall contain the following:

    1. Description of the nature of the breach;
    2. Personal data possibly involved;
    3. Measures undertaken by the team to address the breach and reduce the harm or its negative consequences; and
    4. Names of the personal information controller, including contact details, from whom the data subject can obtain additional information about the breach and any assistance to be provided to the affected data subjects
  6. Data sharing

    The BulSU may share or transfer personal data under its control or custody to a third party through a data sharing agreement: Provided, that nothing in this Manual shall be construed as prohibiting or limiting the sharing or transfer of any personal data that is already authorized or required by law. This shall apply only to personal data under the control or custody of the BulSU that is being shared with or transferred to a third party, for the purposes of performing a public function, or providing of a public service:

    Provided, that it shall also cover personal data under the control or custody of a private entity or of another agency that is being shared with or transferred to the BulSU; Provided further, that where the personal data is in the custody of a personal information processor, the sharing or transfer of personal data shall only be allowed if it is pursuant to the instructions of the personal information controller concerned. Data sharing agreements shall be in accordance with the Implementing Rules and Regulations of the Data Privacy Act of 2012, or other issuances of the National Privacy Commission.


Every data subject has the right to:
  1. Be notified and furnished with his or her information before entry into the processing system within 48 hours when such data shall be used for direct marketing, profiling, or historical or scientific purpose. Notification shall be made through an Office Memoranda and/or email.

  2. View and recommend corrections to his or her data being processed. The data subject may also write or email BulSU at ph with a brief discussion of the inquiry and/or correction/s together with his/her contact details for reference.

  3. Complain and be indemnified for any damages sustained when the data subject's recommendations for corrections to his or her data was not acted upon which resulted in damages due to inaccurate, incomplete, outdated and false information, unlawfully obtained or unauthorized use of personal data. Complaints shall be filed in three printed copies, or sent to ___________. The department or division concerned shall confirm with the complainant its receipt of the complaint.

Violation of any provisions of this CMO shall be subject to appropriate actions pursuant Section 8 of RA 7722


This Manual takes effect fifteen (15) days after its publication in the Official Gazette or in a newspaper of general circulation.