Baliuag University Data Privacy Statement
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
This Data Privacy Manual serves as a guide or handbook for ensuring the University’s full compliance with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also enumerates and summarizes all the privacy and data protection protocols it observes and carries out directed toward the fulfillment and realization of the rights of data subjects.
This Baliuag University Data Privacy Manual is hereby adopted in compliance with Republic Act No. 10173, its Implementing Rules and Regulations, and other relevant policies and issuances of the National Privacy Commission.
The University respects and values the data privacy rights of its employees, students, visitors, and guests, and makes sure that all personal data collected, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
This Manual shall inform all data subjects of the University’s data protection and security measures, and serves as a guide in exercising rights granted under the DPA.
Baliuag University (hereinafter referred to as “BU” or the “University”) is committed to full protection of the privacy rights of individuals on personal information pursuant to the provisions of Republic Act No. 10173, its Implementing Rules as well as Republic Act No. 9155 or the Governance of Basic Education Act of 2001.
All employees, students, and administration officials are enjoined to comply in good faith with and to share in the responsibility to secure and protect all personal information collected and processed by the University in pursuit of any and all legitimate purposes.
As used in this Data Privacy Manual, the following terms shall have the respective meanings set forth:
(a) Commission shall refer to the National Privacy Commission created by virtue of Republic Act No.10173.
(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
(c) Data subject refers to an individual whose personal, sensitive or privileged information is processed.
(d) Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
(e) Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
(f) Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.
(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Manual to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
(k) Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
(l) Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
(m) School records refer to any and all information relating to a student’s acts, events, accomplishments, results or research and all documents depicting the various activities undertaken by the student. These records include, but are not limited to the following:
(1) Personal and academic;
(2) Birth and baptismal certificates;
(3) Academic reports;
(4) Health, medical and guidance records;
(5) Disciplinary records;
(6) Alien Certificate for foreign students; and
(7) Individual financial records.
All University personnel, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Data Privacy Manual.
The collection and processing of personal data by the University shall be allowed, subject to compliance with the provisions of the DPA. All personal data processed must adhere to the principles of Transparency, Legitimate Purpose, and Proportionality.
(a) Transparency – The data subject must be aware of the nature, purpose and extent of the processing of his personal data including the risks and safeguards involved as well as his rights as the data subject. Any personal data that is processed must be easy to access utilizing plain and clear language.
(b) Legitimate Purpose – The processing of information shall be compatible with a declared or specific purpose which must not be contrary to laws, morals, and public policy.
(c) Proportionality – The processing of information shall be adequate, relevant, suitable, necessary and not excessive in relation to the declared or specified purpose.
The University through various departments and offices collects basic information from its employees, students, job applicants and prospective students including their full name, address, email address, contact numbers, names of parents, educational background, etc.
Upon collection of a data subject’s personal data, the University shall inform him/her of the description of the data collected, the purposes for which it will be processed, the scope and method of data processing, the recipients of the data, the period for which the data will be retained and his/her rights as data subjects. As much as possible and practicable, written consent of the data subject will be secured before collecting and processing the data.
The University conducted Privacy Impact Assessments of the following colleges, departments, and offices on various dates in order to fully understand their collection of personal data:
- Admissions and Marketing Services Office
- CMAPS Enterprise
- Management Information Systems
- Center for Instructional Technology and Services
- Center for Research and Publications
- Basic Education Department
- Printing and Bookstore
- Health Services
- National Service Training Program
- Office of Student Affairs
- Office of Alumni Affairs
- Facilities Management Services
- Center for Academic Development and Assessment
- College for Information Technology Education
- College of Arts and Sciences
- Center for Career and Counselling
- College of Business Administration and Accountancy
- College of Education
- College of Environmental Design and Engineering
- Quality Assurance Department
- College of Nursing
- Office of the University Registrar
- College of Hospitality Management and Tourism
- School of Graduate Studies and Continuing Education
- Accounting Office
- Finance Office
- Human Resources Department
- Physical Education Department
- Senior High School Department
Noteworthy of these departments are the following departments and offices that do most of the personal data collection, storage and utilization:
(a) The Admissions and Marketing Services Office (AMSO)
The AMSO collects personal data from prospective students to determine eligibility for admission into the University. In case of current and returning students the personal data is used for enrollment purposes and to update student records.
(b) The University Registrar
The Registrar collects personal data from students as well as grades and other student records, activities, and results that form part of the student’s permanent record.
(c) The Accounting and Finance Offices
The Accounting and Finance Offices collect personal data from students related to financial transactions with the University.
(d) The Center for Career and Counseling
The Center for Career and Counseling collects personal data from students like scores on intelligence tests, personality assessments, and other similar evaluations for various purposes. In addition, the Center provides career placement and counseling services to students. The Center likewise collects personal data from job applicants for possible employment with the University through pre-employment examinations.
(e) The Human Resources Department
The Human Resources Department collects personal information from prospective employees for purposes of determining eligibility for employment as well as personal information from current employees for record keeping and the availment of government mandated (example, Social Security and Philhealth enrollment) and company-initiated benefits (example, Private Education Retirement Annuity Association [PERAA] or Health Maintenance Organization [HMO] enrollment).
(f) The Health Services Section
The Health Services Section collects personal and medical information from students and employees relative to their enrollment and employment respectively. The information may include the results of laboratory and diagnostic examinations as well as health information needed for proper diagnosis and treatment.
(g) The Office of Alumni Affairs
The Office of Alumni Affairs collects personal data from alumni of the school for documentation and monitoring purposes.
(h) Other Colleges, Departments or Units
All other colleges, departments, and offices that collect, process or store personal information of prospective students, current students, job applicants or employees, are subject to the policies provided in this Manual. Department heads are responsible for ensuring full compliance with the provisions of this Manual within their respective Departments.
All of the above colleges, departments, and offices may store the personal data in physical format or hard copy or they may be stored electronically provided all the security measures included in this Manual are strictly observed. Access to and sharing of the personal data should also follow the provisions of this Manual.
Personal data shall be used by the University for any lawful purpose related to its Vision and Mission. The personal data may also be used for any purpose to which the data subject has consented. In particular, the University may use the personal data in the following ways:
(a) To identify the data subject;
(b) To comply with University requirements to develop and update employee and student documentation;
(c) For the tracking and documentation of student progress employee performance;
(d) To ensure compliance with applicable laws, policies, rules, and regulations, and investigate possible breaches thereof; and
(e) To facilitate business transactions of the University.
A data subject has the right to object to the processing of his/her personal data, and to withhold consent in case of any amendment to the use of the information.
A data subject has the right to dispute the inaccuracy or error in his/her personal data and have it immediately corrected. He/she may also have his/her personal data suspended, withdrawn, blocked, removed or destroyed upon discovery and substantial proof that:
(a) The personal data is incomplete, outdated, false or unlawfully obtained;
(b) The personal data is being used for a purpose not authorized by the data subject;
(c) The personal data is no longer necessary for the purposes for which collected;
(d) The data subject withdraws consent or objects to the processing of his/her information, and there is legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to the data subject unless justified by constitutional right or otherwise authorized;
(f) The processing is unlawful; or
(g) The University violated the rights of the data subject.
Storage, Retention and Destruction of Personal Data
The University ensures that personal data under its custody are stored and protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The University will implement appropriate security measures in storing collected personal information, depending on the nature of the information.
The storage of personal data may be done through conventional or hard copies or electronically which may be placed at servers within the campus or “in the cloud” which means that the personal data resides in servers which are situated off-site either in the Philippines or abroad.
As a general rule all personal data in the possession and custody of the University shall be stored and retained indefinitely or on a permanent basis for historical and statistical purposes. However, a general cleanup and disposal of personal data may be allowed when recommended by the University DPO and expressly approved in writing by the University President. Said approved general cleanup and disposal activity will clearly enumerate the documents that will be destroyed, the secure manner of disposal and the names and designation of the persons primarily responsible therefor. A Document Destruction Report signed by the persons assigned as well as witnesses to the activity shall be submitted to the DPO as evidence of the disposal.
Due to the sensitive and confidential nature of the personal data under the custody of the University, only authorized employees or representatives of the University shall be allowed to access such personal data.
All employees and authorized representatives of the University shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after their resignation or the termination of any contractual relations they may have with the University. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of said personal data.
The University may reveal and share personal data, subject to compliance with applicable laws and regulations, on a need to know basis, and in all cases only for the purposes stated below:
(a) To third-party service providers, vendors, suppliers, customers or clients, directors, officers, other employees, shareholders, agents, consultants, advisers, banks and other financial entities, contracting parties or such other business-related third parties in relation to the business transactions of the University;
(b) To the government, both national and local, law enforcement agencies, and other government agencies or regulatory bodies;
(c) To comply with lawful orders of the courts, government agencies, regulatory bodies, stock exchanges, and all applicable laws and regulations;
(d) To protect the rights and properties of the University and ensure the safety of all its employees and third parties;
(e) To conduct investigations of breaches of policies, laws and regulations, enforce appropriate sanctions and pursue legal actions if necessary;
(f) During emergency situations or where necessary to protect the safety of a person or a group of persons; and
(g) In such other instances as may be reasonably determined by the University in order to accomplish the above-mentioned purposes and in relation to the above uses of personal data.
Where personal data is processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain from the University a copy of such data in electronic or structured format that is commonly used and allows further use.
Data subjects have the right to file a complaint with the NPC if their personal information has been misused, disclosed, or improperly disposed, or if any of their privacy rights have been violated.
A data subject has the right to get indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, or unlawfully obtained information, or to any misuse, disclosure, or improper disposal of his/her information, or if any of his/her privacy rights have been violated.
The University implements reasonable and appropriate organizational, physical and technical measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination. This section gives a general description of those measures.
This section outlines the organizational security measures adopted by the University in order to reasonably protect the personal data in its possession, including the appointment of a Data Privacy Officer as well as the functions of the position. This section also includes a description of the activities and steps to be undertaken to ensure continued compliance with the DPA.
(1) Appointment of the University Data Protection Officer (DPO)
The University has appointed a Data Protection Officer (DPO). It may also appoint one or more Compliance Officers (COP) to perform some of the functions of the DPO.
The DPO shall have overall supervision of the University’s compliance with the DPA, its Implementing Rules and Regulations and other related polices, pronouncements and regulations. These duties include the conduct of an organization wide Privacy Impact Assessment, implementation of security measures (organizational, physical and technical), the preparation of a security incident and data breach protocol, as well as the corollary complaints procedure.
(2) Conduct of Trainings and Seminars
The University shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
(3) Conduct of Privacy Impact Assessments
Between September 3, 2018, and October 8, 2018, the University met with relevant stakeholders for the conduct of an initial Privacy Impact Assessment of their various activities.
The University shall conduct periodic Privacy Impact Assessments relative to all activities, projects and systems involving the processing of personal data, not less than once every two (2) years. It may choose to outsource the conduct of the PIA to a third party.
(4) Duty of Confidentiality and Non-Disclosure
All employees will be asked to sign a Confidentiality and Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
(5) Duty to Immediately Report any Possible Data Breach
All employees should immediately report to their immediate superior in case they have personal knowledge or a well-founded belief that any personal data kept by the University has been breached or compromised. The immediate superior will then notify the Data Breach Response Team in Article XVI (A) below.
(6) Review of the Data Privacy Manual
This Data Privacy Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the University shall be updated to remain consistent with current data privacy best practices.
This section outlines the physical security measures to be implemented to ensure the security and confidentiality of personal data in the possession of the University. The objectives of these physical security measures are: (i) to prevent unauthorized access, use, copying or disclosure of information; (ii) to protect the information during the process of collection, storage, transfer and disposal; and (iii) to protect the integrity of the information by preventing unauthorized modification or disposal.
All University personnel with access to personal data must comply with the following rules and procedures:
(1) All documents with personal data contained in hard copy, paper based or physical format must be kept in a drawer or filing cabinet with a lock and key. Keys must be distributed to accountable personnel only.
(2) All documents with personal data contained in digital or electronic format must be kept in a secure flash drive or computer hard drive as provided by the University. All these files must be password protected. Such passwords must be chosen with care and changed periodically.
(3) In configuring an office or facility layout, care must be taken that computer screens where personal data may be viewed are not visible to a visitor or casual observer in the office.
(4) Computers in an office or facility must be positioned with appropriate spaces between them to maintain privacy and protect the confidentiality of the personal data being processed.
(5) At the end of every working day or when an employee will be away from his work station for an extended period of time all documents must be returned to the drawer or filing cabinet and locked. Documents should not be left on top of desks or in a place or manner where a guest, visitor or any unauthorized third party may access the same.
(6) At the end of the working day or when an employee will be away from his work station for an extended period of time the room or office must be locked.
(7) Entry and access to a room or facility where personnel data is stored should be limited and signs indicating “AUTHORIZED PERSONNEL ONLY” may be placed.
(8) All personnel authorized to enter and access a room or facility where personal data is stored must ensure that unauthorized persons are not granted entry or access without the express permission of the University’s DPO, COP or the Head of the Office or Department.
(9) All personnel involved in the processing of personal data must always maintain the confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering their workplace or facility.
(10) When the DPO has authorized the release of sensitive personal information to another party, care must be exercised that the transfer of said information is through a secure physical manner.
(11) When the DPO has authorized the release of sensitive personal information to another party electronically, the sender must use a secure email facility with proper encryption of the data, including any or all attachments.
(12) The University recognizes the inherent risks associated with the transmission of information over the internet. In sending sensitive personal information to another party electronically, employees CAN NOT and SHOULD NOT use their personal email accounts like Yahoo Mail, Gmail or Hotmail. Only the official email facility of the University should be used. The personal information to be transmitted must be contained in a password-protected attachment and said password is relayed to the email recipient through other means (examples, telephone call, text messages). All emails sent using the email facility of the University shall contain a security or privacy notice at the bottom portion thereof.
(13) It is prohibited to display or disclose personal information on online bulletin boards, online platforms or any social media platform;
(14) It is prohibited to send sensitive personal information through facsimile technology (fax).
(15) The campuses of the University are protected by security guards 24 hours a day, 7 days a week. They assist in keeping all personal data secure. All personnel are enjoined to follow all security rules and guidelines particularly as they relate to the protection of sensitive personal data.
The University will implement technical security measures to ensure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access.
In particular, the following steps and measures must be undertaken and followed:
(1) The Management Information Systems (MIS) Department shall regularly and rigorously monitor possible security breaches of its service provider, and immediately alert the University Data Breach Response Team of any attempt to disturb, interrupt or hack the system
(2) The University shall review and evaluate all software applications before the installation thereof in computers and devices to ensure the compatibility of security features with overall operations.
(3) The University will not install, utilize or allow the installation or utilization of any “pirated” or illegal software application in computers and devices.
(4) Each University personnel with access to personal data shall verify his or her identity using a security feature with a minimum requirement of password encryption. Said passwords must be chosen with care and changed periodically.
The University shall develop and implement policies and procedures for the management of possible personal data breach, including security incidents. This section describes and outlines these policies and procedures.
A Data Breach Response Team is hereby constituted and appointed composed of the following:
(i) the University DPOI acting as Team Leader;
(ii) the University Officer in charge of Risk Management;
(iii) the University Management Information Systems (MIS) Officer;
(iv) the Department Head Concerned;
(v) the Head of the Security Department in case of physical breaches (like office break-ins and unlawful access); and
(vi) such other University officer(s) as determined by the DPO.
The Data Breach Response Team shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
A security incident is any event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
A data breach is a kind of security incident. A data breach happens when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
There are three kinds of data breaches:
(1) Availability breach – from the loss accidental or unlawful destruction of personal data;
(2) Integrity breach – from the unauthorized alteration of personal data; and
(3) Confidentiality breach – from the unauthorized disclosure of or access to personal data.
Within two (2) hours after discovery of any security incident or data breach, said incident or breach must be relayed to the University’s DPO.
The University shall conduct a Privacy Impact Assessment on a regular basis but no less than once every two years to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. The University shall also provide relevant training to all personnel directly involved in the processing of personal data.
The University shall at all times maintain a backup file for all personal data under its custody. Currently this backup file is located at servers outside the University. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the security incident or data breach.
The University DPO shall inform the University Administration of the need to notify the NPC and the data subjects affected by the security incident or data breach within the period prescribed by law. The University hereby delegates and assigns the duty to notify the NPC and the data subjects affected by the security incident or data breach to the University DPO.
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
The University acknowledges the need to provide data subjects with reasonable access to the personal data it processes as well as opportunity to file a request for correction or erasure thereof or to file any complaint in relation thereto. Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the University or any of its officers or staff, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the University DPO by email at email@example.com or by postal mail at Baliuag University, 1069 Gil Carlos Street, Baliwag, Bulacan 2006 Philippines.
Complaints shall be filed in writing in three (3) printed copies with the Office of the Corporate Secretary, Baliuag University at its address at 1069Gil Carlos Street, Baliwag, Bulacan, 3006 Philippines or sent by email to firstname.lastname@example.org. The University will reply to the complainant within a reasonable time acknowledging receipt of the complaint.
The provisions of this Manual are effective this 1st day of May, 2019, until revoked or amended by the University through a Resolution approved by the University Board of Trustees.
NAME AND CONTACT DETAILS OF THE PERSON DESIGNATED TO PROVIDE ADDITIONAL INFORMATION:
Name: ATTY. SUSAN B. JACINTO
Contact No.: +6344 766 2045
Email Address: email@example.com