Chapter IV

THE COMPLIANCE OFFICER

Section 8: The Personal Information Controller (PIC)

The Personal Information Controller (PIC) is a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

The Personal Information Controller (PIC) of the University personnel is the University President, who has full control of the collection, holding, processing or use of information in the University.

Section 9: The Data Protection Officer (DPO)

The Data Protection Officer is accountable for ensuring compliance by the PIC or PIP with the Data Privacy Act, its IRR, related issuances of the National Privacy Commission, and other applicable laws and regulations relating to data privacy and security.

The Data Protection Officer of the University carries out these functions. As the DPO, he should:

A. monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. This includes the following:

    1. collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
    2. analyze and check the compliance of processing activities, including the issuance of security clearances to, and compliance by, third-party service providers;
    3. inform, advise, and issue recommendations to the PIC or PIP;
    4. ascertain renewal of accreditation or certification necessary to maintain the required standards in personal data processing; and
    5. advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;

B. ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;

C. advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);

D. ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

E. inform and cultivate awareness on privacy and data protection within the organization, including all relevant laws, rules and regulations, and issuances of the NPC;

F. advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy-by-design approach;

G. serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;

H. cooperate, coordinate and seek the advice of the NPC regarding matters concerning data privacy and security; and

I. perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.