'Protecting data is protecting people’

In August 2017, the Office of the President announced the creation of the University Data Protection Office (UDPO) to ensure the University’s compliance with the Data Privacy Act of 2012 (RA 10173), its implementing rules and regulations, and related laws. Atty. Jamael A. Jacob stepped into the role as its director. 
 

In a Q & A session with the University Marketing and Communications Office, Atty. Jacob shares his vision about data protection and how the new law is affecting the way we view data.
 

Why is data protection important?
 

There are a number of reasons. There’s the fact that it is an effective safeguard against crimes like identity theft and other types of fraud. There are also indirect benefits like how privacy allows and nurtures intimacy. After all, no one can afford an intimate relationship if we all lived in glasshouses—a world without boundaries or private spaces. Privacy, in particular, allows us to develop better as individuals by giving us more freedom to explore the world, and by allowing us to define our own identity. Studies show that people are more creative and more likely to innovate during their private moments. Privacy also facilitates both social and professional relationships which are right there at the core of democratic societies. Can you imagine how difficult it would be to live with others knowing anything and everything the next person is thinking? Finally, true to their form, privacy and data protection—as fundamental civil liberties—are also great enablers of other human rights like freedom of expression and even the right to information. They relate to one another so much that privacy intrusions are often seen as precursors to graver human rights violations.
 

How did the University’s compliance with the RA 10173 affect the way we do things?
 

The University’s effort to comply with the Data Protection Act (DPA) has changed the way we do things. And it will continue to do so as data protection plants its roots further into our daily lives. There are a few things we can no longer do, like collect people’s information with no particular reason in mind. Neither can we simply do anything we want with them, because that wouldn’t be considered fair under the law. People can get into serious trouble if they continue to do it. In most cases, though—and I cannot stress this enough—complying with the DPA simply asks us to do things differently now. For instance, people often have this misconception that just because we now have a data protection law, sharing of information is already prohibited. That is definitely not true. Most of the data sharing practices we’ve been doing are still allowed. The only difference this time is we may have to take a couple of extra steps before we get to the sharing part. We’ll need to set conditions, and clarify the terms of the sharing. That’s it!
 

When data protection as a concept was developed, it was not to put a hard stop to the free flow of information. On the contrary, it came to be because people recognized how essential and inevitable the movement of information is to our future. They knew then something had to be done to keep it secure and to prevent it from being used to cause harm. They realized that data has to be protected—because in protecting (personal) data, we are in fact protecting people.
 

UDPO was created in 2017. What initiatives and policies regarding data protection have been put in place?
 

There’s been a lot of them already; some are more apparent than others. There are privacy notices that inform people how the University typically processes their personal data. Consent forms and non-disclosure agreements have also been put to use. When dealing with external parties, we have also developed templates for contracts that feature data protection clauses. These are required under the implementing rules of our data protection law. We have also released a number of advisories to help people better appreciate how data protection plays out in concrete situations like when using emails and mailing lists, or when sharing information with other offices of the University. We have also developed a system for addressing data breaches or security incidents. What has us preoccupied the most, though, would be the inquiries and requests for document review we receive almost on a daily basis. With us now providing this service, there is a more effective and more efficient consultative process when it comes to data protection issues—unlike before when the school had to rely on the services of external firms who sometimes provided different and inconsistent advice.

 

Moving forward, people can expert more tools meant to help them embed data protection in their regular activities and practices. Hopefully, these lead to fewer questions, as more people become familiar with the fundamentals of data protection.
 

What do you hope to see from your colleagues across the University? What role do they play in the matter of data protection and privacy? How do you want them to engage with the issue of data protection and privacy?
 

Everyone has a role to play if we want privacy and data protection to be upheld in any community. It only takes one person who’s indifferent to the collective effort to protect privacy and information to stall things indefinitely.

This is why I look forward to members of the Ateneo community being more open to changes when dealing with data protection and privacy. The toughest part of our job at the UDPO—more than the novelty of the field itself—has been the battle against long-standing practices that are inconsistent with the basic tenets of data protection. Some people find it inconvenient and unnecessary. Others, I guess, just don’t like being told there are things they can no longer do, or that there are things they need to change to avoid getting into trouble.
 

When we at the UDPO encounter these types of situations, we have to remind ourselves that it’s a difficult but necessary part of the process. Anytime you aspire to build a new culture (of privacy, this case), you will have to tear down the existing one first. There will always be those who won’t like that, but eventually they do come around once they see how it benefits everyone, themselves included.
 

What are your next steps? And where do you hope to see data protection and privacy in the academic setting be 5-10 years from now?
 

The goal right now is to complete the foundation of the University’s Privacy Program. We’re about 60-70% done. There are just a few critical policies we need to put in place before we can claim to have a “complete”—albeit basic—framework. After that, it’s going to be about enhancements and filling the gaps. That means coming up with more specific regulations and improving those we’ve already established. We’ll need to come up with more tools, too, in order to make things easier for everyone. Then, we will be gradually shifting more of our time towards awareness-raising and training initiatives. It’s no use to have all these new policies and procedures if no one is aware of them. Let’s just say then that the University community will hear more from us from here on out.

(photos from UDPO)

 

To learn more about the University’s Privacy Notices, visit https://ateneo.edu/udpo/ADMU-Privacy-Policies