THE DATA PRIVACY OFFICE (DPO)
SPU Manila respects and values the privacy rights of data subjects (students, employees, clients, stakeholders, and customers), and all personal data collected from these subjects are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
In collecting personal information, the University maintains these seven guidelines, i.e., that the information will be:
- processed fairly and lawfully while meeting certain conditions;
- utilized for specific and lawful purposes;
- made sufficient, relevant, and not excessive;
- kept accurate and updated;
- maintained not longer than necessary;
- processed in accordance with an individual's rights; and
- provided with adequate safeguards.
The DPO allows the further processing of personal data prior to, or in certain instances subsequent to, the consent of the data subject. Thus, the recording, storage, updating, modification, retrieval, use, consolidation, and destruction of personal information may be carried out with or without the consent of the data subject. In all cases, however, the processing of personal data shall be done in such a manner as to ensure adequate safeguards for the rights of the data subjects.
SCOPE and LIMITATION of the DPO
In emergency and/or grave circumstances specific to the processing of Privileged Data, the University President and/or the DPO is authorized to access the pertinent information of the data subject in order to immediately address the need of the moment, guided by the general principles of transparency, legitimate purpose, and proportionality.
GENERAL POLICIES of the DPO
- Shredding is the acceptable method of disposal of documents within the University.
- Employees’ curriculum vitae and portfolios can be shredded with the Unit Head’s approval.
- Anything posted in the University website is for public use, e.g., Organizational Chart.
- Students' financial accounts, when verification is sought by outside institutions for work purposes, are held in confidence by the Finance Office; such institutions must deal with the student personally.
- For employee verification (e.g., for a bank loan, car or mobile financing, employment, or similar purposes), the employee must inform Human Resource Services of the matter.
- Declaring SPU Manila as delivery address is permitted as long as the employee pays for the item upon delivery.
- Documents (sensitive and privileged) forwarded to another unit/office must be sealed to maintain confidentiality.
DATA BEING PROTECTED IN ST. PAUL UNIVERSITY MANILA
- Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Privileged Data – refers to information that constitutes privileged communication under the Rules of Court and other pertinent laws (e.g. marital privilege, attorney-client privilege, clergy-penitent privilege, doctor-patient privilege).
- Public Data – refers to any information generated and intended to be made accessible to a general audience, posing little to no risk to the University and its affiliates (e.g. press releases, course information, and research publications). These data are handled with the least amount of control, accounting only for the prevention of unauthorized modification or destruction.
- Sensitive Data – refers to information different from ordinary personal data, such as but not limited to an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; about an individual’s health, education, genetic or sexual life; pertaining to any proceeding or any offense committed or alleged to have been committed; issued by government agencies “peculiar” (unique) to an individual, such as social security number, licenses, tax returns. These require much stricter conditions of processing.
PROCESSING OF PERSONAL DATA
Given the nature of the institution’s enterprise, SPU Manila processes personal data through its various offices in accordance with each unit’s mandated duties and obligations. Each office collects data and processes it for the institution’s records; that data may then be obtained only by the same office, in the performance of its mandate, or by the data subject, with prior consent.
Accordingly, three types of personal data processing are identified:
- Employee Information refers to the data gathered from the employees, generated within their work or as pertinent employment information.
- Student Information refers to data as students pass through the cycle of admission, enrollment, retention, assessment, and exit procedures.
- Client Information refers to the data of external clients who have transactional activities with the University.
The aforementioned data are presumed to be locally collected and requested information. In the event that information from SPU Manila is requested by an external source, locally or internationally, the following protocol shall be implemented:
- The data subject consents to the transfer;
- The University reasonably believes that the recipient is subject to laws, or bound by a contract, substantially similar to the DPA of 2012;
- The transfer is necessary for the performance of a contract between the individual and the university;
- The transfer is necessary as part of a contract in the interest of the individual between the university and a third party; and
- The transfer is for the benefit of the individual.
All collection, processing, and retention of personal data shall be done with informed consent of the data subject by signing the DATA PRIVACY CONSENT (on-site application and registration forms) or by uploading the DATA PRIVACY CONSENT AND CONFIDENTIALITY NOTICE (online application and registration forms).
Under the DPA, the processing of personal data comes with the duty of implementing proper safeguards to uphold the right to information privacy at all times. Given the urgent need to implement these safeguards, three vital areas are hereby cited as necessary security measures in the organization to maintain the confidentiality, integrity, and availability of personal data being processed, namely: Organizational Security, Physical Security, and Technical Security. Each of these measures is categorized into two levels: Personnel, i.e., the persons overseeing the implementation and monitoring of security, and Process, i.e., the activities that directly support maintenance of security.
SPU MANILA DATA PRIVACY PROTECTION AND SOCIAL MEDIA POLICY
In SPU Manila, social media is, by analogy, a deck prism, i.e., a prism inserted into a small deck opening of a ship to provide light to the rooms below. Thus, this DPP-SMP is grounded on three affirmations regarding the use of social media:
- Social media is a “tool for learning”—a potent means for growth in life.
In SPU Manila, an academic institution, learning is like a journey, symbolized by the “ship” by which the St. Paul of Chartres Congregation has spread from France since 1710, the year of the death of its founder, Fr. Louis Chauvet.
- Social media is a “resource for right choices,” particularly when in rough and dark moments—an encounter in the new evangelization.
As a Catholic school, SPU Manila upholds that Jesus—the Truth—is the solid source of learning, who illuminates the journey of life, which oftentimes “seems rough and the way is dark.” (Paulinian Mission Song).
- Social media is a “venue for engagement”—a provision of opportunities amidst hazardous threats.
As a tertiary academic institution, SPU Manila contributes to the formation of a Disciple of Jesus Christ, Model of Excellence, Servant Leader, Community Builder, and Compassionate Steward.
Situating this policy within the implementation of RA 10173, the Data Privacy Act of 2012, the above affirmations respectively promote the general principles of transparency, legitimate purpose, and proportionality in the control and processing of personal information.
A Data Breach Response (DBR) Team, composed of five members designated by the DPP Team representative of the Division, shall be responsible for ensuring immediate action in the event of a personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain its nature and extent. It shall also execute measures to mitigate the adverse effects of the incident or breach.
A report including full and accurate details of the incident shall be submitted immediately to the DPO. The DPO convenes the DPP and recommends actions for the University President’s approval and endorsement to the National Privacy Commission. An appeal against such an approved recommendation or decision may be made by any of the affected parties within 15 days from receipt of the approved decision.
INQUIRIES and COMPLAINTS
Every data subject has the right to reasonable access to his or her personal data being processed by the University. Other available rights include:
- right to dispute error in the personal data;
- right to request the suspension, withdrawal, blocking, removal, or destruction of personal data; and
- right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
For inquiries, data subjects may request information from the DPP Team through firstname.lastname@example.org regarding any matter relating to the processing of their personal data under the custody of the University. The inquiry must be put in writing together with the inquirer's contact details for reference. The DPP Manual is to be made available in all office units for reference purposes.
For complaints, data subjects shall file three printed copies addressed to the DPO, specifying the complaint within the concerned unit. Upon receipt by the DPO, one copy is returned to the complainant, a second copy is given to the concerned Unit Manager, and the third is kept for DPO reference. The concerned Unit Manager is given 48 hours to respond to the complaint in writing and submit the response to the DPO, who will in turn inform the complainant of the response and set the resolution of the complaint within the next 48 hours. All proceedings will be annotated and attached to the DPO's copy of the complaint, with the signatures of the parties concerned recorded.
REPUBLIC ACT NO. 10173
The promulgation of Republic Act No. 10173, referred to as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems in both the government and the private sectors.
The law ensures that institutions or organizations processing personal data enact policies and implement procedures that guarantee the security of personal data under their control, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is directed to implement adequate measures to protect personal data against natural dangers, such as loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, and malicious destruction or alteration.
RIGHTS AND DUTIES OF A DATA SUBJECT IN RA 10173
Data Privacy Act of 2012
| Rights of a Data Subject | Duties of a Data Subject |
|---|---|
| Reasonable access to one’s personal data. | Protect one’s access to personal data. |
| Dispute error in one’s personal data. | Report immediately any inaccuracy or error in one’s personal data to the personal information controller/processor (PIC/PIP). |
| Request the suspension, withdrawal, blocking, removal or destruction of one’s personal data. | Submit, in writing, any request to suspend, withdraw, block, remove or destroy one’s personal data. |
| Complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of one’s personal data. | Adhere to principles of honesty and justice in filing a complaint with the PIC/PIP regarding a breach of one’s personal data. |