STATEMENT OF POLICY

Data Privacy Notice for Membership Information System – MeMIS

The National Research Council of the Philippines (NRCP), an attached agency of the Department of Science and Technology (DOST), is a collegial body of researchers, engineers, scientists, and artists. As a collegial body, the NRCP is committed to protecting the privacy and security of the personal data of the clients we serve, particularly our NRCP members.
We strictly adhere to the principles of the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR). This Data Privacy Notice outlines our procedures for collecting, processing, and protecting your personal data in accordance with the applicable provisions of the Data Privacy Act of 2012.
NRCP implements appropriate measures in accordance with its internal data governance structure, which includes the Personal Information Controller (PIC), Personal Information Processors (PIP), and the Compliance Officer for Privacy (COP) who oversee the responsible handling of personal data.

1. TYPES OF INFORMATION WE COLLECT
We collect various types of personal data based on your engagement with the NRCP and the services you wish to avail of, following your explicit expression of consent. This may include:
Identity Data: Your full name, birthdate, sex, nationality, and civil status.
Contact Data: Your home and office addresses, email address, and contact numbers.
Professional Data: Your profession, research and creative works, educational attainment, employment history, and affiliations.
Biometric Data: Your photograph and e-signature.
Online and Communication Data: Information collected from your interactions with our website and official social media accounts, including comments, messages, and any data you voluntarily provide.
Technical Data: Information about your device and connection when you access our websites and online services, including your IP address, browser type and version, and operating system and version.

2. MODE OF COLLECTION
We collect your personal data through various official online platforms and communication channels of the NRCP, including:
Directly from you: When you apply for membership, register for events, submit research proposals, fill out forms, or communicate with us in person, via email, or through our official communication channels.
From our official agency website: Through online forms, registration portals, and data provided in online inquiries.
From our social media accounts: When you send us direct messages, comment on our posts, or participate in our online activities.
Through publicly available sources: We may collect data that you have voluntarily made public on platforms such as academic or professional social networks.
Through internal and external coordination: We may obtain your data from other divisions or sections within the NRCP or DOST and other institutions when necessary to fulfill a legitimate purpose.

3. PURPOSE OF COLLECTION
We collect your data for specific, legitimate, and declared purposes based on the explicit consent, including:
To process your applications for membership, grants, and other NRCP services.
To manage and coordinate our research and development programs.
To communicate with you regarding our activities, events, and important announcements.
To comply with our legal and regulatory obligations as a government agency.
To maintain internal records and databases of NRCP members, grantees, and partners.
To respond to your inquiries, requests, and concerns.
To generate statistical data and reports for analytics, planning, and policy formulation.
To promote our programs and the achievements of our members and researchers.
To share your name and basic contact information (e.g., email and affiliation) with third parties (i.e. institutions outside DOST and NRCP) requiring your services or expertise.
To maintain, secure and operate our systems and services; detect, prevent and investigate fraud abuse, and cybersecurity incidents.
Social Media and Website Use

The NRCP uses social media platforms to disseminate information, engage with stakeholders, and promote its mission.
Use of Names and Information

We may use the names, professional affiliations, and research contributions of our members, grantees, and awardees in our social media posts and on our website to recognize their achievements and promote their work. This is done in line with NRCP’s public mandate and with the understanding that such information is necessary for public recognition and based on the explicit consent provided during membership or grant application.

  1. PROTECTION OF YOUR DATA

We implement appropriate organizational, technical, and physical security measures to protect your data against unauthorized access, use, disclosure, alteration, or destruction. Our security measures include:

  • Organizational Measures: Restricting access to personal data to authorized personnel and officials of NRCP, including the NRCP Governing Board, in the delivery of services under a Non-Disclosure Agreement (NDA).
  • Technical Measures: Utilizing firewalls, encryption, and password-protected systems to secure electronic data.
  • Physical Measures: Storing physical records in locked filing cabinets and secure facilities with restricted access.
  • Account Retention upon Non-Action

Personal data of active members shall be retained for the duration of their membership. Data will be retained only for as long as necessary to fulfill historical, statistical or legal obligations, in accordance with the National Archives of the Philippines (NAP) guidelines.

Data from unsuccessful membership applications shall be retained for up to six (6) months only, in cases where there has been no update or activity after submission to the NRCP, and the application has been evaluated as incomplete or found not to meet the membership criteria and requirements.

The disposition shall be conducted once every semester and shall be witnessed by designated representatives from the National Archives of the Philippines (NAP), the Commission on Audit (COA), and the NRCP Membership Secretariat.

The deletion of unsuccessful applications scheduled for disposition shall be carried out by authorized or designated staff from the NRCP Research Information and Dissemination Division-Management Information Section (RIDD-MIS).

Archived personal data will remain subject to the same security controls, safeguards, and access restrictions as active data until the end of the authorized retention period and its secure destruction.

  1. DATA BREACH MANAGEMENT

In the event of a data breach involving personal information, the NRCP shall follow an internal Data Breach Management Protocol to ensure timely response, mitigation, and proper handling of incidents. Our process includes:

    • Identification and Containment: Any suspected or confirmed data breach is promptly assessed and contained to prevent further unauthorized access, disclosure, or loss.

    • Risk Evaluation: We evaluate the nature and scope of the breach, including the type of personal data affected and the possible risks to individuals.

    • Notification (Internal): Relevant NRCP units, officials, and designated personnel will be informed to coordinate appropriate actions and determine if external communication is necessary.

    • Remediation: We implement corrective measures to address vulnerabilities, recover data when possible, and prevent similar incidents in the future.

    • Documentation: All data breach incidents are documented, reviewed, and analyzed to strengthen our organizational, technical, and physical security measures.
  • The NRCP shall notify the DOST DPO/CERT within twelve (12) hours upon knowledge of, or reasonable belief that, a personal data breach or security incident requiring notification has occurred.
  1. YOUR RIGHTS UNDER THE DATA PRIVACY ACT

Under the Data Privacy Act of 2012, you have the following rights as a data subject:

  • Right to be Informed: To be informed that your personal data will be, are being, or have been processed.
  • Right to Object: To object to the processing of your personal data, including for direct marketing, automated processing, or profiling.
  • Right to Access: To request access to your personal data that we hold, as well as a description of how your data is being processed.
  • Right to Rectification: To dispute inaccuracies or errors in your personal data and request their immediate correction.
  • Right to Erasure or Blocking: To suspend, withdraw, or order the blocking, removal, or destruction of your personal data from our filing system under certain circumstances.
  • Right to Data Portability: To obtain a copy of your personal data in an electronic or structured format when such data is processed electronically.
  • Right to Damages: To be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
  • Right to File a Complaint: To lodge a complaint before the National Privacy Commission if you believe your privacy rights have been violated. 
  • Transmissibility of Rights: Your lawful heirs and assigns may invoke your rights if you passed away or become incapacitated.

7. HOW TO CONTACT US

If you have any questions, concerns, or requests regarding this Data Privacy Notice or the processing of your personal data, you may contact the following:

  1. NRCP Data Protection Officer (DPO)
    Mr. Joselito A. Carteciano
    Chief Science Research Specialist, Research Information and Management Division (RIDD)
    National Research Council of the Philippines (NRCP)
    Department of Science and Technology (DOST)
    General Santos Avenue, Bicutan, Taguig City, 1631 Philippines
    Email: nrcpinfo@nrcp.dost.gov.ph
    Telephone: (02) 8837-6142 / (02) 8837-6143
  2. DOST Central Office Data Protection Officer (DPO)
    Dr. Cezar R. Pedraza
    Director IV, Planning and Evaluation Service and Chief Information Officer (CIO)
    Department of Science and Technology (DOST)
    General Santos Avenue, Bicutan, Taguig City, 1631 Philippines
    DOST Trunk Line : (02) 8837 2071 to 82 Local 2010

Email address: crpedraza@dost.gov.ph

Telephone No.: (02) 8837 2932

Fax No.: (02) 8837 2932

This notice may be updated from time to time to reflect changes in our practices or in the relevant legal framework. Any updates will be posted on our official website.

Data Privacy Notice for DOST-NRCP Mobile Game APP

The Department of Science and Technology-National Research Council of the Philippines (DOST-NRCP) guarantees the privacy of personal information and is committed to protecting personal data in accordance with R.A. 1073, also known as Data Privacy Act of 2012.

DOST-NRCP produced mobile games under the project “Leveraging Basic Research Information Translation for Empowerment in the Regions” program (BRITER).

DOST- NRCP is committed to protecting the personal information it may collect about its players. DOST-NRCP respects players’ rights to privacy under the Data Privacy Act and it complies with the requirements for the collection and management of personal information. To guarantee compliance with Data Privacy Act, DOST-NRCP has issued this Privacy Policy.

In this privacy policy, the terms, “personal data” and “information” are used interchangeably. The term “personal data” includes the concepts of personal information, sensitive personal information, and privileged information. The first two are typically used to distinctively identify players.

For purposes of this Data Privacy Policy and as defined by Data Privacy Act of 2012, please refer to the definitions below:

Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive personal information refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
  2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but is not limited to social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept

Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

PROCESSING OF PERSONAL DATA

A. Collection

DOST-NRCP collects personal information that is reasonably necessary for, or directly related to, its functions and activities. The agency will only use and disclose personal information for the purposes it was collected, or otherwise in accordance with the Privacy Act.

DOST-NRCP mobile games do not collect any personal information.

B. Use

DOST-NRCP does not use any personal information as the mobile games it produced do not have the means to collect personal information.

DATA PROTECTION

  1. Storage, Retention, and Destruction

The Records Section of DOST-NRCP manages documented information in accordance with ISO 9001:2015 rules on documented procedures on control of documents and records and with the National Archives of the Philippines (NAP) Act of 2007 and it’s Implementing Rules and Regulations, from creation, protection, use, storage, and disposition of government records.

DOST-NRCP may store other personal information in documentary or electronic form. It will exercise physical security on those documents and electronic versions of the data contained therein. It will also take reasonable steps to permanently dispose of any personal information no longer needed for the purpose for which it was collected or for meeting legal requirements. Documents will be stored and protected in locked filing cabinets or in locked offices, while electronic versions of personal information will be secured through encryption and password-protected computer files.

2. Data Access

The purpose of this policy is to maintain an adequate level of security to protect the data and information systems of DOST-NRCP from unauthorized access.

Players may request access to their personal information at any time, subject to any relevant legal requirements and exemptions, including identity verification procedures. As a prerequisite, DOST-NRCP will ask for proof of identity and other relevant information as a security precaution prior to locating and allowing data access.

In case certain personal information possessed by DOST-NRCP is deemed incorrect, incomplete, or inaccurate, the player may request amendment/correction of information by sending an email to nrcpinfo@nrcp.dost.gov.ph. Data updates or corrections to personal information will be free of charge.

DISCLOSURE AND SHARING

DOST-NRCP does not share any information collected from the game with other government agencies, companies, organizations, and individuals outside of DOST-NRCP.

SECURITY MEASURES

To prevent unauthorized access and disclosure and to ensure the appropriate use of personal information, DOST-NRCP implements organizational, technical, and physical security measures to safeguard the information it collects and processes.

Organizational Security Measures

  • Appointment of a Data Protection Officer who oversees the compliance of DOST-NRCP with the Data Privacy Act, its IRR, and other related policies;
  • Conduct Privacy Impact Assessment, implementation of security measures, security incident, data breach protocol, and customer feedback/complaints procedure;
  • Periodic review of documented procedures on control of documents and control of records, for adequacy and effectiveness

Physical Measures

  • Secured storage of data and Digital/electronic files are password-protected.
  • Restricted access to storage/data room for authorized personnel

Technical Security Measures

  • Installation of a firewall in all its servers to prevent unauthorized access to the data
  • Review and evaluation of software applications before its installation in computers and devices to ensure compatibility of security features with the overall

RIGHTS OF THE DATA SUBJECT

Under the Data Privacy Act of 2012, people whose personal information is collected and processed are called data subjects. DOST-NRCP is duty-bound to observe and respect their privacy rights. Subject to the requirements, conditions, and exemptions under the Data Privacy Laws, they are entitled to the following rights:

  • To be informed. DOST-NRCP shall inform data subjects when their personal data shall be, are being, or have been processed. This includes the purpose for which data is being processed and the method of
  • To object. Incidental to consent, data subjects have the right to object to the processing of personal data to withdraw their consent. However, such refusal may disqualify them from availing of the services of the agency, where the processing of the data is necessary.
  • To require the correction of erroneous data. Upon submission of legitimate documents proving errors, Player may request for the correction of their information with the
  • To data portability. Player may obtain a copy of their personal data in an electronic or structured format for further
  • To suspend, withdraw, or order the blocking, removal, or destruction of personal data. Consequently, DOST-NRCP may terminate any services which necessarily involve the processing of personal data.
  • To file a complaint with the National Privacy Commission

Contact Details of the DOST-SEI Data Privacy Officer (DPO)

DR. CEZAR R. PEDRAZA
Data Protection Officer
Director IV, Planning and Evaluation Service and Chief Information Officer (CIO)
Department of Science and Technology