Complainant,: National Privacy Commission


Republic of the Philippines

NATIONAL PRIVACY COMMISSION

KRL,
Complainant,

-versus- CID Case No. 17-K-003


For: Violation of the Data
Privacy Act of 2012

TRINITY UNIVERSITY OF
ASIA, AA, MC, NCB, RG, GV,
GCT, RR, MR, PB
Respondents.
x-----------------------------------------x

DECISION
AGUIRRE, D.P.C.

For consideration before this Commission is a complaint filed by
KRL against Trinity University of Asia, AA, MC, NCB, RG, GV, GCT,
RR, MR, and PB, for an indeterminate violation of the Data Privacy
Act (DPA).1

These Proceedings

On 19 April 2018, this Commission, through the Complaints and
Investigation Division, conducted a Discovery Conference. At the
Conference, the respondents were directed to submit a responsive
Comment within ten (10) days from receipt of the Order dated 26 April
2018.2

On 30 April 2018, the respondent university, through counsel,
filed a Notice of Entry of Appearance with Motion for Clarification of
Procedure. The respondent university raised an issue regarding the
propriety of the Commission’s act of taking immediate action on the
complaint without having the complainant exhaust all the

1 An Act Protecting Individual Personal Information in Information and Communications
Systems in the Government and the Private Sector, Creating for this Purpose a National
Privacy Commission, and for Other Purposes [DATA PRIVACY ACT].
2 Records, p. 46; see NPC Circular No. 16-04, Rule III, Section 15.

5th Floor West Banquet Hall (A. Imao Hall), Delegation Building, PICC Complex, Pasay City
URL: http://privacy.gov.ph Email Address: [email protected]
Decision
CID Case No. 17-K-003
Page 6 of 8

administrative remedies available to him. The respondent university
also argued that the complaint should have been referred to a
Mediation Officer to explore the possibility of first reaching an
amicable settlement.

On 18 May 2018, the respondent university filed a Motion to
Admit Comment with Partial Compliance, citing the “amount of
documentary evidence being required from the respondent
University.”3 The individual respondents, AA, MC, NCB, RG, GV,
GCT, RR, MR, and PB have not submitted their individual comments.
The Comment of the respondent university contained a narration of
the incidents and arguments against the complainant’s allegation, and
attached as annexes a Privacy Impact Assessment (PIA), DTR and
Payroll processes, attendance records of the complainant, as well as
affidavits from the Human Resources and Development Unit (HRDU)
Director, the Clerk of the College of Business Management and
Accountancy (CBMA), the Secretary of the CBMA, a part-time faculty
member of the CBMA, the Department Head of the Real Estate
Management (REM) of CBMA, and the Finance Director.

Facts

On the basis of these, the following facts were established:

The complainant was a part-time faculty member in the Trinity
University of Asia. He was named in a letter-complaint written by the
respondents, who are all faculty members of the Trinity University of
Asia, informing WUT, president of the university, about alleged
unreasonable and oppressive practices of the newly-appointed dean of
the College of Business Management and Accountancy (CBMA), CS.
Dean CS was the one who informed the complainant about the letter-
complaint on 10 November 2017.

Copies of the letter-complaint were also furnished to the
Chairman of the Board, the Commission on Higher Education
(CHED), and the Regional Director of the Department of Labor and
Employment (DOLE).

The pertinent portion of the letter-complaint stated as follows:

Gross ignorance of labor management

3 Id., p. 76.

She called HR office and asked if [respondent university] follows the
principle “no work, no pay.” She received an affirmative answer. She did not
further inquire as to other details. She has no knowledge that holidays and those
declared no classes for reason of fortuitous events and force majeure shall be paid
to the employees as provided for by Labor Code provisions. She deducted all the
hours/period for the holiday and no classes to the prejudice of the faculty
members, and erased the total number of days we reported. But for one of her
recruited faculty, by the name of KRL, this dean, favorably endorsed the former’s
DTR. The dates (August 21 and 28) included are the same dates for the other
faculty members who were deducted from them but no deduction for Mr. Legaspi.
Is she at liberty to make a mockery of the provisions of the Labor Code? To apply
the law negatively to those employees, she doesn’t like and to apply the same
provisions positively to those employees, she likes? Are we changing now the core
values of [respondent university]?4

Based on those statements, complainant concludes that the
respondents were able to access his DTR and pay slip because they are
specific about the deductions and have a strong conviction that he was
paid for the dated holidays.5 The letter-complaint did not, however,
attach copies of the complainant’s daily time record (DTR) or pay slips.

The respondents do not deny having accessed the complainant’s
DTR. In fact, one of the respondents, RR, a Department Head of Real
Estate Management and faculty member, admits that he chanced upon
it when he was scanning the bundled DTRs of the entire CBMA for the
month of August 2017.6 According to him, as a Department Head, he
is sometimes asked to turn over accomplished DTRs of the faculty to
the College Clerk or “attendance-in-charge” from the College
Secretary when the latter is not present to personally receive it.7 He
was looking for his DTR in a pile that was alphabetically-arranged
when he caught sight of the complainant’s DTR.8

Complainant wrote a letter-complaint to the NPC to hold the
respondents liable for the damages caused to him personally and
professionally.9 He stated that he intentionally did not file the
complaint with Trinity University of Asia as he already lost trust and
confidence in the institution.10

4 Id., at p. 6-7. Emphasis in the original.
5 Id. at p. 1.
6 Id. at p. 117.
7 Id. at p.118.
8 Ibid.
9 Id., at p.2.
10 Id., at p. 2.

Arguments of the Parties

The complainant now comes to the Commission saying that he
feels his right to privacy has been violated.11 According to him, the
respondents’ act of copy furnishing CHED with their letter-complaint
caused his personal information to be exposed to a more severe extent
which caused him dismay.12 He asserts that as a human resource
management professor and someone who has been working in the
industry for quite some time, he is fully aware that such information
should be confidential.13 He states that he has experienced sleepless
nights from the time he knew about the incident and feels threatened
that all the personal information he submitted to the institution is at
risk of exposure.14

The respondent university, in their Notice of Entry of
Appearance with Motion for Clarification of Procedure, argues that the
complainant failed to allege that he has exhausted all remedies
available to him.15 Citing the Commission’s Rules on the Alternative
Modes of Dispute Resolution,16 it likewise raises that the complaint
should have been referred to a Mediation Officer for assistance in
reaching an amicable settlement17 since the complaint is devoid of any
serious allegations that would warrant immediate conduct of
investigation by the Commission.18

In its Comment, the respondent university alleges that it has
substantially complied with the requirements of Republic Act
No. 10173 or the Data Privacy Act of 2012 (“DPA”), having completed
phases 1 and 2 of the registration process of the Commission. While it
has already completed privacy impact assessments for most of its
processes, the DTR system is not one of them. The respondent
university conducted a privacy impact assessment on the DTR system
after the Discovery Conference.19

11 Id., at p.1.
12 Ibid.
13 Id., at p.1.
14 Id., at p.2.
15 Id., at p.52.
16 NPC Circular 16-04, Sections 25-27.
17 Records, p. 55.
18 Id., at p.55-56.
19 Id., at p. 92-103.

The respondent university asserts that consent of data subjects is
not required for the processing of the DTRs, because it is an
administrative matter inherent in the operation and legitimate
purpose of the university.20 It vehemently denies that there was
unauthorized processing of complainant’s personal data, as DTRs
contain no personal or sensitive personal information, nor are the
DTRs considered confidential by the University and its faculty
members.

According to them, the DTRs are processed in the following
manner:

1. The full time faculty members with overload, and part-time
faculty members fill up the DTRs regularly and turn them
over to the designated Attendance-in-Charge (usually, the
Secretary/Clerk of the College).

2. On every cut-off date (the 15th and 20th of the month), the
designated Attendance-in-Charge will check the DTRs for
completeness and accuracy. They will forward the same to the
office of the Dean for checking, signature, and endorsement
to the HRDU.

3. The HRDU staff will check the data in the DTRs and will
determine whether the DTR data match the data gathered
from the biometrics. Once confirmed, the HRDU staff
concerned forwards the attendance records to the HRDU
Director for approval.

4. The HRDU forwards the DTR to Finance Unit for payroll
processing.21

There are instances when the College Clerk or “attendance-in-
charge” in the Office of the College Secretary is not around to
personally receive the DTRs, particularly for the part-time faculty
members who have limited time in the University and who rarely
chance upon the College Clerk.22 For purposes of meeting the cut-off
date for submission of the DTRs, as a matter of practice, faculty
members transmit the DTRs to the College Secretary through the

20 Id., at p. 85.
21 Id., at p.107.
22 Id., at p.109.

following methods: (a) by posting it in the corkboard inside the Dean’s
Office; (b) by asking a co-faculty to submit it to the College Clerk; (c)
by asking their respective personal staff to submit the DTR to the
College Clerk; (d) by submitting it through the Department Head, and
the latter will transmit the DTR to the College Clerk; (e) by asking the
class beadle/president to submit the DTR of the faculty concerned to
the College Clerk; or (f) by coursing it through the Student Apprentice
available.23

The respondent university denies that the professors illegally
accessed complainant’s pay slip. According to them, the payroll
system of the University is web-based and can only be accessed
through the internet by the employee concerned. The pay slips are
downloaded by the Payroll Master for viewing and printing by the
concerned employee using his/her unique Employee ID code and
password.24

Issues

The issues to be resolved in this case are:

1. Whether the Commission erred in taking immediate
cognizance of the complaint;
2. Whether the Commission erred in not requiring the parties to
submit the complaint to alternative dispute resolution;
3. Whether the complainant’s DTR contains personal
information; and
4. Whether the respondents committed a violation in relation to
the complainant’s DTR, warranting a recommendation for
prosecution under the Data Privacy Act of 2012.
5. Whether the respondents committed a violation in relation to
the complainant’s pay slip, warranting a recommendation for
prosecution under the Data Privacy Act of 2012.

Discussion

The NPC committed no error in taking
immediate cognizance of the
complaint.

23 Id., at p.109.
24 Id., at p.124.

Section 4 of NPC Circular No. 16-04 provides that no complaint
shall be entertained unless it has been shown that the complainant has
informed, in writing, the concerned entity of the privacy violation or
personal data breach and if there was no response within 15 days or
timely and appropriate action on the claimed privacy violation or
personal data breach.

In his complaint filed on 28 November 2017, the complainant
admitted the following:

I intentionally did not file the complaint to [respondent university] as I
already lost my trust and confidence to the institution knowing that such
information was given and exposed to and by the faculty members.25

Nevertheless, the following exchange during the discovery
conference shows that there was an attempt to comply with the
requirement of exhaustion of administrative remedies:

KRL: Your honor just to answer that, I approach NPC on
November 28, 2017 and they advised me to write a letter
first to Trinity University of Asia, so I was advised correctly
of what the process is all about and then they ask me to wait
for 15 days if there will be no action, that’s the time that we
will pursue it and I informed them that “after 15 days there
was no response from the Human Resource Department
regarding my complaint, they weren’t able to reach out to
me: so that’s the time I pursued it.26

The respondent university indeed received a copy of the
complaint on the same day it was received by the Commission. The
complainant stated for the record that when he submitted his
complaint with the Commission, he had been advised to wait at least
15 days to afford the respondent university the opportunity to take
appropriate action. However, no action was taken on his complaint.

At any rate, the same Section in Circular 16-04 provides that the
Commission may waive any or all of the requirements for exhaustion
of remedies, at its discretion, upon good cause shown, or if the
complaint involves a serious violation or breach of the Data Privacy
Act, taking into account the risk of harm to the affected data subject.
Considering the allegations on the face of the complaint that the
complainant’s DTR and pay slips may have been illegally accessed and

25 Id., at p.2.
26 Id., at p.32.

disclosed by the respondents, it is well within the authority of the
Commission to take action on this serious allegation of a violation of
the DPA.

The decision to submit a case for
alternative dispute resolution lies
with the parties.

The Alternative Dispute Resolution Act of 2004 (the ADR Act of
2004) embodies the policy of the state to actively promote party
autonomy in the resolution of disputes, or the freedom of the parties
to make their own arrangements to resolve their disputes.27 Mediation,
in particular, is an alternative dispute resolution mechanism
characterized by the principles of voluntariness, integrity of
determination, and the policy that the decision-making authority in
the mediation process rests with the parties.28

At the onset of the Discovery Conference, the complainant was
asked if he was willing to compromise and settle amicably.29 To this,
the complainant answered in the negative.30 To insist on the conduct
of a mediation at this point would have been a violation of not only the
ADR Act of 2004 but of the Commission’s own alternative dispute
mechanisms at that time as well.

The DTR contains personal information.

In their Comment with Partial Compliance, the respondent
university attached a Privacy Impact Assessment (PIA) report on the
DTR System of Trinity University of Asia.31 In the submitted PIA, the
threshold analysis contained several questions, including: “(a) Will the
project or system involve the collection of new information about
individuals?”32 To this, the respondent answered “no.”33

A perusal of the complainant’s DTRs, however, would show that
the DTR document contains the complainant’s handwritten name, the
college or unit where he teaches, and the month covered.34 The

27 R.A. 9285, Section 2.
28 Ibid., at Section 8.
29 Records, p. 27-28.
30 Id., at p.28.
31 Records, p. 92.
32 Records, p. 93.
33 Ibid.
34 Records, p. 125-129.

majority of the document is a table of dates with filled-out “time in”
and “time out” fields. At the bottom of the document, there is a
“prepared by” field with the complainant’s handwritten name and
signature.35

The DPA provides that personal information is any information,
whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.36

In this case, the complainant’s name, college/unit, and signature
are information from which his identity can be directly ascertained.
The DTRs of the complainant, then, are considered to contain personal
information.

The failure of the respondent university to treat the information
collected in the monthly DTRs as personal information resulted in the
lack of clearly documented and implemented policies regarding its
processing. In conducting a PIA, the personal information controller –
the respondent Trinity University of Asia, in this case - must refer to
the law to determine what it should consider as personal information.
If such collected information meets the definition or enumeration
provided by the DPA for personal or sensitive personal information,
then the obligations provided by law should be complied with: its
processing must be based on any of the lawful criteria under the law,
and it must be accorded the adequate organizational, technical, and
physical security measures, to name a few. Hence, even if the personal
information controller views certain information as “public
knowledge,” it should still be properly classified based on
the definition provided by the law in the PIA and treated and
protected accordingly.

It should be stressed that a PIA, however, is not an end in itself.
In conducting a PIA, a personal information controller is tasked to
evaluate and manage impacts on privacy of a particular program,
project, process, measure, system or technology product of a personal
information controller.37 When no PIA has been conducted yet, it
should be done on a per-process basis across all the processes of

35 Ibid.
36 R.A. 10173, Section 3(g).
37 NPC Advisory 2017-03.

the organization in order to assess the current situation, the existing
controls in place, the compliance gaps that have been overlooked, the
privacy risks associated with them, and identify the measures needed
to address them.

In order to specifically assess these risks, the personal
information controllers should carry out their organization’s data
inventory and data map since both will help in classifying different
categories and uses of personal data, and how they flow across the
organization.

A PIA should be conducted prior to the deployment of a project,
product, or service that involves the collection of personal information.
When there are new or revised industry standards, organization
policy, law or regulation, or when there are changes to methods in
which personal information is handled, a personal information
controller should conduct a PIA again on the pertinent process.

To emphasize, it should not only identify the existing controls
and risks a project, product, or service may have upon personal data
privacy, but it should lead to the identification of remedial actions or
mitigation measures necessary to avoid or reduce those risks. These
remedial actions and mitigation measures may be incorporated in the
organization’s Privacy Management Program (PMP).

In this case, the submitted PIA by the respondent university
stated the existence of organizational, physical, and technical
measures in place for the DTR system. After this, however, the
respondent university did not provide details on these or how it
intended to address what the Comment referred to as “long-standing
practices” of the faculty regarding their submission of DTRs.38 The
affidavits of the College Clerk,39 the Secretary of CBMA,40 one of the
part-time faculty,41 and a Department Head from the CBMA,42
admitted as well that there are several long-standing practices where
the DTRs are transmitted through different routes43 that deviate from
the official process in handling the employees’ DTR.44

38 Records, p. 86.
39 Id., at p. 109.
40 Id., at p.112.
41 Id., at p.114.
42 Id., at p. 116.
43 Supra note 24.
44 Supra note 22.

Nowhere in the respondent university’s submitted PIA were
these practices even mentioned, despite the fact that these should have been
considered as compliance gaps resulting in privacy risks that needed
to be mitigated by reasonable and appropriate organizational,
physical, and technical measures. By simply treating it as a checklist,
the respondent university treated the PIA as the ultimate result, when
it should have considered it as a tool to improve its processes and
systems for the protection of its stakeholder’s privacy.

It is incumbent upon the respondent university to revise its PIA
in general and on the DTR system in particular to reflect and address
the gaps brought about by actual, current practices and as identified in
the letter-complaint.

Respondents did not commit a
violation in relation to the complainant’s
DTR to warrant a recommendation for
prosecution.

In analyzing whether there are possible violations by the
respondent faculty members of the DPA that warrant a
recommendation for prosecution, we primarily look into the different
stages of processing that the personal information undergoes, and
determine whether each one is supported by one or more lawful basis
for processing enumerated in the DPA.

The lack of either a uniform policy or process that covers the
actual practices in the handling of the employees’ DTR, including the
ones identified by the aforementioned affiants, cannot by itself give
rise to a cause of action for unauthorized or illegal access to personal
information as provided by the DPA.45 It was admitted by respondent
RR that as a Department Head, he is sometimes asked to turn over
accomplished DTRs of the faculty to the attendance-in-charge from the
College Secretary when the latter is not present to personally receive

45 SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to
Negligence. – (a) Accessing personal information due to negligence shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access
to personal information without being authorized under this Act or any existing law.

it.46 This color of authority to access the DTRs, with the acquiescence
of the faculty members over time, cannot be overlooked.

Indeed, the interests and fundamental rights of the data subject
could in particular override the interest of the data controller where
personal data are processed in circumstances where data subjects do
not reasonably expect further processing.47 That cannot be said to be
the case here, as the complainant and other faculty members could
have reasonably expected the further access of their DTRs by different
persons in the college upon submission thereof based on the existing
practice of the school.

This Commission has previously decided that this concept of
“reasonable expectation” is considered in determining the legitimacy
of the additional processing by examining whether such further
processing is compatible with the original business purpose
communicated to the data subject and not beyond what the data
subject may reasonably expect as to the purpose, scope, manner, and
extent of the processing of their personal data.48

Having discussed respondent professors’ initial access, the next
stage of processing in this case was the use of the information in the
DTR to support their claim of “gross ignorance of labor management”
in their letter-complaint about Dean CS.

The individual respondents used the complainant’s name to give
a specific case of “gross ignorance of labor management,” which was
one of the allegations against Dean CS. The letter-complaint
questioned the Dean’s alleged unequal treatment regarding holidays
and suspended class days due to fortuitous events in the DTRs of
faculty members, in relation to the provisions of the Labor Code on
holiday pay. To the respondent professors’ personal knowledge, the
complainant was the only faculty member who did not receive
deductions on the holidays of August 21 and 28 of 2017. The use of the
complainant’s name, therefore, was necessary for the protection of the
respondents’ lawful rights and interests as contemplated by Section
13(f) of the DPA. The fact that the respondents copy-furnished both
the CHED and DOLE does not veer away from that lawful criteria,

46 Supra note 8.
47 NPC Advisory Opinion 2018-20.
48 See, Villegas v. Revilles, NPC Case 17-047, citing EU General Data Protection Regulation,
Recital 47.

considering the allegations of the letter-complaint may possibly be the
concern of these agencies as well.

Although Section 13(f) applies to sensitive personal information
while the information involved in this case is just personal
information, the protection of lawful rights and interests under Section
13(f) by the respondent faculty members in this case is considered as
legitimate interest pursuant to Section 12(f) of the DPA. This section
provides that it is lawful to process personal information if it is
necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom
the data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which require
protection under the Philippine Constitution.49

The DPA is not intended to cover every possible infraction in the
workplace or even society. While the complainant may feel aggrieved
with the mention of his name in the letter-complaint, it cannot be said,
however, that the complainant incurred actual damage, considering
the objective of that letter-complaint was to inform the President of
Trinity University of their concerns about the Dean and not the
complainant. In the event that the circumstances stated in the letter-
complaint about the complainant are untrue, there are other remedies
available to him under existing laws, although not the DPA. The merits
of the letter-complaint and the truth of their claims are irrelevant to
our determination whether there was a violation of the DPA in the
processing of complainant’s DTR.

The respondents did not commit a
violation in relation to the
complainant’s pay slip to warrant a
recommendation for prosecution under
the Data Privacy Act of 2012.

In the complaint, the complainant alleges that “based on [the
statements in the respondents’ letter], they were able to access [his] pay
slip.”50

In cases filed before administrative or quasi-judicial bodies such
as the Commission, a fact may be deemed established if it is supported

49 R.A. 10173, Section 12(f).
50 Records, p. 1.

by substantial evidence, or that amount of relevant evidence which a
reasonable mind might accept as adequate to justify a conclusion.51

The complainant’s allegation in relation to his pay slip remains
unsubstantiated. This is all the more true considering the affidavit of
the Finance Director that stated “any figures or computation in
determining one’s payroll is done within the department’s office and
the finance personnel are the only ones who are authorized to view
and do the computation” and that “no other department computes the
figure, the HRD only provides the supplementary documents in order
to arrive with the figure.”52 There is nothing in the allegations of the
complainant that explain how the respondent faculty members could
have circumvented the university process on the processing of pay slip
to access the same aside from his mere speculation. Notice must also
be made that there was no mention of the complainant’s salary in the
subject letter-complaint to WUT.

WHEREFORE, premises considered, the Commission finds no
violation of the Data Privacy Act on the part of the respondents Trinity
University of Asia, AA, MC, NCB, RG, GV, GCT, RR, MR, PB, to
warrant a recommendation for prosecution. The complaint filed by
complainant KRL is hereby DISMISSED.

SO ORDERED.

Pasay City, 19 November 2019.

(Sgd.)
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Concurring:

(Sgd.)
IVY D. PATDU
Deputy Privacy Commissioner

(Sgd.)
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

51 Rules of Court, Rule 133, Section 5.
52 Records, p. 177

COPY FURNISHED

KRL
Complainant
Quezon City

ABAD ABAD & ASSOCIATES
Counsel for Respondent
Makati City

COMPLIANCE AND MONITORING DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission
