DPPM Blog Entry No. 2

On Saturday, February 14, 2026, the facilitator discussed various topics related to research and data privacy. The Department of Science and Technology in the Philippines (DOST) 6P's framework aims to quantify all outputs, which are compared to the total budget of the project; the outputs may be quantitative or qualitative but must be measurable during an assistance agreement funding period. Expected outputs from the projects to be funded may include any of the following: Publication, defined as the contribution to the general body of knowledge through scientific publications; Patent, a tangible measure of innovation; Product, the commercial value of outputs; People Services, an increase in the scientific workforce; Places and Partnerships, facilities and networks that enable increased 6P's outputs; and Policies, adopted science-based guidelines. This is how the institution measures and checks the impact and success of funded projects that produce tangible results benefiting people and society.

Think, reflect and write was the next topic the facilitator mentioned. Under Think, you have to ask questions no one has asked before; to reflect on them, you have to do the necessary work to find the answer; and finally you have to communicate the knowledge you have obtained by writing.

Research must be controlled, systematic, valid, verifiable, rigorous, empirical and critical for it to be of quality. I have learned from the research process in my Research subject that, when deciding which research questions to answer, you have to identify what you intend to research. The problem statement should be clear and concise. The problem must be evaluated in light of the resources at your disposal: finances, time available, expertise and knowledge. For data collection, we can use an existing tool to extract the primary data, and we need a mechanism to extract the required data that addresses the issues of validity and reliability. When selecting a sample, the accuracy of estimates largely depends upon the way you select the sample.

The objective is to minimize the gap between what you obtain from your data and what is prevalent in the population. The characteristics of the sample need to match the population as closely as possible, and how closely is extremely dependent on resource availability. With this information in hand, it is time to write the research proposal, which tells the reader about your research problem and how you plan to investigate it.

The facilitator also discussed the difference between data and information. Data basically comprises raw, unprocessed facts, while information is data that has been processed, organized and interpreted to add value and meaning. Republic Act 10173, Section 1 paragraph (c), defines the data subject as an individual whose personal information is processed; the name, age and so on are the information.

The class talked about physical security. This describes the security measures designed to deny unauthorized access to facilities, equipment and resources, and to protect people and property from damage. In every data center, we impose physical security to protect the servers, networks, telephony equipment and other IT devices that process data. It is very strict and guarded by security guards. No one can enter the data center without approval from the leadership. Most of the time, the backbone IT professionals working in the fields of network, telecom and servers hold approvals to enter for a specific period, giving them 30 days of access that can be renewed when expiration is near. Vendors by default are not allowed to enter; approval from IT leaders is a must before entry. Physical security adds a security layer that prevents exploitation of data, and it is indeed required by our law: Republic Act 10173, Chapter V Section 20 paragraph (a), states that "The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing." Non-compliance faces the penalties stated in Chapter VIII of the Act.
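As an added illustration (not code from the post or from any data center the author describes), the access rules just described, 30-day renewable grants for approved IT staff and deny-by-default for vendors, can be expressed as a small policy check; the five-day renewal window and the sample grants are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

ACCESS_DAYS = 30          # standard grant length described in the post
RENEWAL_WINDOW_DAYS = 5   # assumption: renewal opens this close to expiry

@dataclass
class AccessGrant:
    person: str
    role: str                    # "staff" (network/telecom/servers) or "vendor"
    approved_by: Optional[str]   # IT leader who approved; None = no approval
    start: date
    days: int = ACCESS_DAYS

    @property
    def expires(self) -> date:
        return self.start + timedelta(days=self.days)

def may_enter(grant: AccessGrant, today: date) -> Tuple[bool, str]:
    """Deny by default: every path except an approved, current grant is refused."""
    if grant.approved_by is None:
        return False, f"denied: {grant.role} {grant.person} has no IT leadership approval"
    if today < grant.start:
        return False, "denied: access window has not started"
    if today >= grant.expires:
        return False, "denied: access expired, a new approval is required"
    return True, f"allowed: approved by {grant.approved_by}, expires {grant.expires}"

def renewal_due(grant: AccessGrant, today: date) -> bool:
    """True only while the grant is approved, still valid and near expiry."""
    if grant.approved_by is None:
        return False
    remaining = (grant.expires - today).days
    return 0 < remaining <= RENEWAL_WINDOW_DAYS

def renew(grant: AccessGrant, approver: str, today: date) -> AccessGrant:
    """Extend for another 30 days from current expiry; lapsed grants need a fresh approval."""
    if not renewal_due(grant, today):
        raise ValueError("renewal is only allowed near expiry of a valid grant")
    return AccessGrant(grant.person, grant.role, approver, start=grant.expires)

# Constructed sample grants (fictional people, not from the post).
STAFF = AccessGrant("A. Santos", "staff", "IT Director", date(2026, 2, 1))
VENDOR = AccessGrant("Vendor Tech", "vendor", None, date(2026, 2, 14))
```

Calling `may_enter(VENDOR, date(2026, 2, 14))` refuses the vendor until an `approved_by` value is set, while the staff grant is accepted until it expires on 3 March 2026 and can be renewed from 26 February.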

The Data Privacy Manual was discussed next. To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR) and other relevant issuances of the National Privacy Commission (NPC) (The Data Privacy Law, 2021 edition, Dr./Atty. Jose C. Montemayour, Jr.). Republic Act 10173, Chapter III Section 11, provides guidelines on how we should process personal information subject to compliance with the requirements of the Act; Section 12 provides that processing of personal information shall be permitted only if the requirements in paragraphs (a) to (f) are met; and Section 13 covers the processing of Sensitive Personal Information (SPI) and Privileged Information (PI), with paragraphs (a) to (f) serving as the guidelines. Also, Chapter V Section 20 paragraph (c)(2) states that a security policy with respect to the processing of personal information must be implemented. With these sections, it is reasonable to have a Privacy Manual in which all the rules and regulations on processing data according to the law are laid out and followed.

The facilitator then talked about how privacy and security should be maintained. I did not actually get this initially and was able to grasp it by reading the provisions under Chapter IV, The Rights of the Data Subject, where Section 16 lists the rights of the data subject: to be informed (a) and furnished (b) with the indicated information before the entry of his or her personal information into the processing system of the personal information controller. It also provides for reasonable access, upon demand, to the information listed in sub-paragraphs 1 to 8. The rights to dispute an inaccuracy or error in the personal information, and to suspend or withdraw, are also rights of the data subject. The Act protects us under Chapter V, Security of Personal Information, which in paragraph (a) requires that the personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

A scenario was given to the class: your privacy is compromised but your security is maintained. Your data can be obtained through social engineering or phishing attacks, to name a few. Educating people not to click suspicious emails, and making them understand the impact, is a standard people need to adhere to. Even if your organization has advanced systems and networks to prevent and detect threats, if the users inside the organization do not know the attacks that malicious actors use, data compromise is inevitable. For example, you have a Christmas party and you need to collect home addresses so the courier can deliver Christmas packages, and suddenly the sheet gets shared without restrictions. Malicious people can obtain those addresses and misuse them. So it is important to invest also in educating people about cybersecurity.

A second scenario was given to the class: your privacy is compromised and your security is compromised, meaning the data got compromised and the system got compromised. The security of an organization is like an onion; each layer you add contributes to mitigating a security breach. If you have no budget for security appliances, your antivirus is not updated, you only use firewalls with no threat detection and your organization does not use a proxy for added protection, the likelihood of your data being compromised is very high. I remember during my early days as an IT professional, the desktops were infected by a worm at lightning speed; all desktops in the organization got infected, and the only thing we did to fix it was to disconnect the desktops to prevent the worm from spreading across the organization, and the only fix we did was to reformat the desktops because the antivirus installed on each desktop was not able to fix the issue. Having a security perimeter like a firewall with an Intrusion Prevention System (IPS) is a must for each organization. The firewall allows and denies traffic across the organization, and the IPS can detect threats because each threat has a signature and the IPS has a database in which all the threat signatures are listed; if the traffic matches one, the IPS automatically blocks the traffic. It is also important to have very good antivirus protection that can protect the computers from malware; Symantec is one of the good providers for securing the endpoints of the organization. Network device software shall be kept updated, because hackers can exploit the vulnerabilities of those devices. Each vendor has its release notes about the security patches. The upgrade does not only solve the issue of vulnerabilities; it can also solve performance issues and add features to the devices. Having a proxy for your web traffic is advisable as well. It can be an internal proxy or an external proxy; every time you access applications on the internet, a proxy is a must to add to the security. If the organization is hosting applications, it is good to have a reverse proxy as well; Cloudflare is one good provider for this application hosting. Lastly, you can introduce the concept of Zero Trust Network Access to the organization, following the principle that no user has access, and none is trusted, until their identity has been validated.

The facilitator discussed sharing only the specific information requested with the person who requested it. I agree with this because Chapter III, Processing of Personal Information, Section 11 paragraph (d) requires that personal information be adequate and not excessive in relation to the purposes for which it is collected and processed. The provision is also clear under paragraph (a) that personal information must be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after, collection.
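To make the "adequate and not excessive" principle concrete, here is an added example (not the facilitator's or the author's code) in which a request is answered with only the fields the declared purpose needs; the purpose-to-field mapping and the sample record are constructed assumptions, and the courier case mirrors the Christmas package scenario above.

```python
from typing import Dict, List, Set, Tuple

# Assumption: the fields each declared purpose may receive. This mapping is
# constructed for the example; RA 10173 states the principle, not this table.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "courier_delivery": {"name", "home_address", "mobile"},
    "payroll": {"name", "employee_id", "bank_account"},
    "newsletter": {"name", "email"},
}

def disclose(record: Dict[str, str], purpose: str,
             requested: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (shared, refused): a field is shared only if it was requested AND
    is allowed for the declared purpose; everything else is refused as excessive."""
    if purpose not in PURPOSE_FIELDS:
        # Undeclared purpose: refuse the whole request, share nothing.
        raise ValueError(f"purpose '{purpose}' was not declared; nothing is shared")
    allowed = PURPOSE_FIELDS[purpose]
    refused = sorted(set(requested) - allowed)
    shared = {f: record[f] for f in requested if f in allowed and f in record}
    return shared, refused

def audit_line(requester: str, purpose: str,
               shared: Dict[str, str], refused: List[str]) -> str:
    """Privacy-log entry: records field names only, never the values themselves."""
    return (f"requester={requester} purpose={purpose} "
            f"shared={sorted(shared)} refused={refused}")

# Constructed sample record for one fictional data subject.
RECORD: Dict[str, str] = {
    "name": "J. Dela Cruz",
    "home_address": "12 Sampaguita St., Davao City",
    "mobile": "0917-000-0000",
    "email": "j.delacruz@example.com",
    "birth_date": "1990-05-01",
    "bank_account": "000-111-222",
}
```

A courier request that asks for name, address, birth date and bank account comes back with only the name and address, and the two excessive fields are listed in the audit line so the refusal is visible to whoever reviews the log.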

An NDA, or non-disclosure agreement, was mentioned during the class. It is a contract with a collection agency that legally binds it to maintain confidentiality and restricts it from disclosing sensitive information. The law states under Chapter III, Processing of Personal Information, Section 12 paragraph (b) that processing of personal information is permitted when it is necessary and related to the fulfillment of a contract.

The facilitator discussed the idea that data is the new oil. According to the research study "Is Data Really the New Oil?" (Malatyinszki Szilard et al., December 2025), data only becomes a valuable resource when it is properly collected, processed, analysed and embedded into decision-making processes. Organisations and national economies that invest in digital capabilities, analytical expertise and data culture gain a sustainable competitive advantage in the digital age.

If you lose money, you lose only money, but if you lose data, you lose both money and data. I really believed this was true. If you lose money, you can easily bring the losses back by improving marketing and sales. However, if you lose your customers' data, trust will fall; people will not trust your organization, so they will not purchase services or products, resulting in low revenue. Furthermore, you will face legal responsibilities that result in penalties and fines. If data is lost, we presume it may be a security breach or improper disposal of personal information and sensitive personal information. Under Chapter VIII, Penalties, Section 27, improper disposal of personal information and sensitive personal information shall be penalized by imprisonment ranging from six months to two years and a fine of not less than one hundred thousand pesos but not more than five hundred thousand pesos, imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public. Data loss can also fall under Section 29, unauthorized access or intentional breach, where a penalty of imprisonment ranging from one year to three years and a fine of not less than five hundred thousand but not more than two million pesos shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, break in any way into any system where personal and sensitive personal information is stored.

The USEP's official Documents Archiving System (UDAS) was mentioned by the facilitator; its landing page is https://udas.usep.edu.ph/landing-page. I tried accessing this page and it shows information on each department, but it is grayed out and I was unable to open any of them. Perhaps access is only given to those people who need and require access to it.

Republic Act No. 10173, an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes, also known under Section 1 of the provision as the "Data Privacy Act of 2012", is a good resource for my journey of studying this field. There is a lot of it and I will learn more.
