Embedding Privacy in Practice: UP holds privacy and records management workshop
31 March 2026 | Written by: Veronica Marie B. Consolacion
DILIMAN, QUEZON CITY — 23-24 February 2026. The University of the Philippines Office of the Vice President for Digital Transformation – Data Governance Program (OVPDx DG), in partnership with the UP Diliman Data Protection Office, held a two-day workshop on Enhancing Data Governance: A Data Privacy and Records Management Workshop on 23-24 February 2026 at the UP School of Labor and Industrial Relations, UP Diliman.
The workshop brought together over 35 participants — data protection officers, university registrars, records evaluators, and their support teams — from across the UP System, with the goal of moving beyond compliance checklists and into embedding a culture of privacy in daily operations and institutional practice.
Assistant Vice President for Data Governance, Elvira B. Lapuz, opened the workshop, underscoring participant accountability in managing the University’s data assets. According to AVP Lapuz, sound data governance is foundational to evidence-based, data-driven decision-making across the University.
“Napakayaman sa data ng University of the Philippines, at ito ay kinakailangan upang magkaroon ng sound decision-making. Tulong natin ito sa’ting mga opisyales, at tulong din natin ito sa’ting mga kasamahan. Hindi lang para protektahan kundi para magamit ito nang maayos,” said AVP Lapuz.
[The University of the Philippines is very rich in data, and this is necessary for sound decision-making. This helps our officials, and it also helps our colleagues. It is not only for protection, but also so data can be used properly]
Data Privacy Compliance and Risk Assessment
The first day of the workshop commenced with a grounding in the National Privacy Commission’s Five Pillars of Compliance and the Data Privacy Act of 2012 (R.A. No. 10173). Out of the five pillars, the opening session focused on Pillar 1: Appointing a Data Protection Officer (DPO), particularly the Compliance Officer for Privacy (COP).
In the UPD Data Protection Office, the Privacy Focal Persons (PFPs) are the COPs who act as first responders to data incidents and champion privacy safeguards in daily operations. Together, DPOs and PFPs are stewards of an institution-wide culture of data privacy. This session was led by Atty. Regine Estillore-Gonda, the UPD DPO.
The succeeding sessions were facilitated by Mr. Michael E. Laxina, CPA, UPD DPO’s Privacy Auditor, discussing the conduct of Privacy Impact Assessments (PIAs) and Privacy Check-ups. Mr. Laxina conducted a walkthrough of the PIA process from the questionnaire to implementation. Participants also evaluated their current data collection and storage systems in place to surface risks and vulnerabilities. These assessments were later turned into 90-day actionable plans that they can readily implement after the workshop.
Day 1 concluded with an open dialogue wherein participants shared both significant progress and persistent challenges across the units present. While some constituent universities have established structured governance processes, others flagged the absence of institutionalized privacy policies, misconceptions about the scope of the Data Privacy Act, and limited inter-unit coordination as concerns requiring immediate attention.
Records Management and Disposition
The second day bridged data protection with records management, grounded in the recognition that privacy risks persist not only through unlawful collection, but through retention that outlasts legitimate purpose. Atty. Estillore-Gonda opened with a session on the lawful bases for processing personal data — consent, public order and functions of public authority, and legitimate interest — and the conditions governing each. Institutional scenarios such as CCTV policies and case-by-case disclosure of footage were discussed alongside processing under constitutional or statutory mandates. The session closed on the principles of transparency and proportionality: data collected must be adequate, relevant, and not excessive relative to its declared purpose.
Asst. Prof. Jonathan D. Isip of the UP School of Library and Information Science then took up records retention and disposition, connecting archival principles with the National Archives of the Philippines (NAP) and Data Privacy Act’s data minimization requirements. They emphasized that not all documents qualify as records, not all records become archives, and disposition is an accountable process — not mere deletion. Guided by NAP General Circulars 4 and 5, retention must be as purpose-bound as collection, and once a record’s value has been exhausted, secure disposition becomes a privacy obligation in itself, subject to formal NAP approval.
Participants concluded the two-day workshop with an Alignment Mapping exercise, translating learnings into concrete, time-bound unit-level action plans. Building on a similar exercise from the May 2025 “Technical De-identification and Open Data Publishing Workshop,” participants produced consolidated Alignment Maps identifying responsible parties, actionable solutions, and cross-unit concerns requiring systemic responses — a living institutional resource for coordinated data privacy and records management action across the UP System.
The discussions, assessments, and action plans from the two-day workshop feed into a broader effort to strengthen data governance across the University. Through sustained collaboration among its campuses and units, UP builds a culture of privacy by ensuring that the systems behind academic excellence and public service are built on data that is collected with purpose, managed with integrity, and disposed of with accountability.
“We’ve been putting up dashboards and data analytics for decision-support because we want our leaders, our managers, our bosses, to make decisions on the basis and driven by data — evidence-based decision-making,” said Vice President for Digital Transformation Peter A. Sy in his closing remarks.
To better equip UP units driving these efforts, the OVPDx Data Governance Program is set to roll out a series of capacity-building initiatives centered on privacy-preserving digital records management across the UP System. This move underscores the commitment to building strong, resilient, and privacy-consciousness as the foundation for data-driven governance.
About the Organizers
OVPDx Data Governance Program works toward developing and implementing data governance frameworks across UP. In collaboration with data protection officers and units across its campuses, the Program supports efforts to embed data privacy, promote responsible data use, and build a culture of data literacy throughout the University.
Stay in the loop for UP’s data governance efforts: https://www.facebook.com/upovpdxdatagov
The UP Diliman Data Protection Office is responsible for implementing and overseeing data privacy policies and compliance in accordance with the Data Privacy Act of 2012 within the UP Diliman constituent university, including the designation and support of Privacy Focal Persons across its colleges and administrative units.
Visit their website to learn more: https://privacy.upd.edu.ph/