Approved by the University President on August 20, 2018.
Section 1: Description
The Data Privacy Act of 2012 is protecting individual personal information in information and communications systems in the government and the private sector. This act protects the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth. It ensures that personal information is secured and protected.
Central Mindanao University needs to collect, process, store, disclose and dispose of personal, sensitive and privileged information about its employees, students, and other individuals to manage the academic career and monitor the progress of employees and students, and complying with legal or lawful obligations. Information in any form (electronic/manual/paper-based) that reveals the identity of an individual is considered “personal information” under the Data Privacy Act of 2012.
The University has formally adopted this policy to ensure compliance with the Data Privacy Act of 2012. This policy will be subject for review as required
To comply with the Act, the University operates in accordance with the Data Privacy Principles as set out in the Act.
The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
B. Legitimate purpose.
The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Section 2: Scope of the Policy
This policy covers all personal information processed and used in the administration of the University and all of its offices/units. This policy includes print, electronic, audio-visual, backup and archived data. Any failure to follow this policy can, therefore, result in disciplinary proceedings under RA10173.
Section 3: Purpose of the Policy
This Policy is developed in order to:
a. define the roles and responsibilities for different data usage and establish clear lines of accountability;
b. develop best practices for effective data management and protection measures;
c. protect the University from data breaches of privacy and confidentiality;
d. ensure that the University complies with applicable laws, regulations, and standards set by Data Privacy Act of 2012; and
e. ensure that all data is effectively documented within the processes associated with accessing, retrieving, reporting, managing and storing of data.
Section 4: Statement of Policy
The University is committed to the principles underlying the Data Privacy Act of 2012 and protects the rights of the employees, students and another individual with respect to the processing of their personal data. The University uses personal data for management and administration, however, the processing of the personal data must conform with this Policy and other related privacy policies.
THE PROCESSING, COLLECTION, AND USE OF PERSONAL INFORMATION
Section 5: Processing of Personal Information
The University processes personal information in adherence with the principles of transparency, legitimate purpose, and proportionality. Moreover, the University permits the access of personal information with the conditions presented in Chapter III, Section 12 of the Data Privacy Act of 2012.
The University ensures strict confidentiality in processing Sensitive Personal Information and Privileged Information and prohibits the disclosure of information to unauthorized persons and with the cases presented in Chapter III, Section 13 of the Data Privacy Act of 2012.
Section 6: Collection of Personal Data
The University collects personal information to administer application, enrolment, and financial information and to manage its core functions in Instruction, Administration, Research and Extension, and Production.
Section 7: Use of Personal Data
The University uses information relating to individuals who have a connection with the University according to the consent given by the individual.
THE COMPLIANCE OFFICER
Section 8: The Personal Information Controller (PIC)
The Personal Information Controller (PIC) is a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
The Personal Information Controller (PIC) of the University personnel is the University President, who has the full control of the collection, holding, processing or use of information in the University.
Section 9: The Data Protection Officer (DPO)
The Data Protection Officer is accountable for ensuring compliance by the PIC or PIP with the Data Privacy Act, its IRR, related issuance of the National Privacy Commission, and other applicable laws and regulations relating to data privacy and security.
The Data Protection Officer of the University carries out these functions. As the DPO, he should:
A. monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. This includes the following:
collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
analyze and check the compliance of processing activities, including the issuance of security clearances too and compliance by third-party service providers;
inform, advise, and issue recommendations to the PIC or PIP;
ascertain renewal of accreditation or certification necessary to maintain the required standards in personal data processing; and
advice the PIP or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
B. ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
C. advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
D. ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
E. inform and cultivate awareness on privacy and data protection within your organization, including all relevant laws, rules and regulations, and issuances of the NPC;
F. advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting privacy by design approach;
G. serves as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
H. cooperate, coordinate and seek the advice of the NPC regarding matters concerning data privacy and security; and
I. perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
Section 10: Security of Data
The Data Handlers of the University are responsible for ensuring that any personal, sensitive and privileged information which they hold are kept securely (either by physical storage means i.e. locked cabinets/drawers or by using appropriate IT equipment/security measures), and personal, sensitive and privileged information are not disclosed either orally or in writing, accidentally or otherwise, to any unauthorized third party.
Section 11: Disposal of Data
The University must only retain personal data for the length of time the data is required and for the specific purpose for which it was collected.
Some personal data will be retained permanently by the University to ensure a permanent record of attendance at the University exists. However, the vast majority of personal data that the University holds will only be required for a restricted period of time and thereafter should be disposed of appropriately.
The destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed/deleted.
Section 12: Disclosure of Data
The University prohibits the disclosure of personal, sensitive and privileged information without the consent from the Data Subjects. Disclosure of information shall be allowed if permitted by existing laws.
DATA PRIVACY RIGHTS
Section 13: Rights of the Data Subjects
The University respects the rights of all its data subjects and commits to comply with Republic Act 10173. As being defined in the act, Data subjects are the people whose personal information is collected, stored, and processed.
A. The right to be informed.
Personal data is treated almost literally in the same way as personal property. Thus, it should never be collected, processed and stored without explicit consent, unless otherwise provided by law. The data subject has the right to be informed that personal data will be, are being, or were, collected and processed. The right to be informed is the most basic right as it empowers the data subject to consider other actions to protect his data privacy and assert other privacy rights.
B. The right to access
This is the right to find out whether an organization holds any personal data about the data subject and if so again “reasonable access” to them. Through this right, the data subject may ask to provide a written description of the kind of information they have about the data subject as well as the purpose/s for holding them.
Under the Data Privacy Act of 2012, the data subject has a right to obtain from an organization a copy of any information that they have on their computer database and/or manual system. It should be provided in an easy-to-access format, accompanied by a full explanation executed in plain language.
The data subject may demand to access the following:
a. The contents of personal data were processed.
b. The sources from which they were obtained.
c. Names and addresses of the recipients of the data
d. The manner by which they were processed
e. Reasons for disclosure to recipients, if there were any
f. Information on automated systems where the data is or may be available, and how it may affect the data subject
g. Date when the data was last accessed and modified
h. The identity and address of the personal information controller.
C. The right to object
The consent of the data subject is necessary before any organization can lawfully collect and process personal data. If without the consent, any such collection and processing of personal information by any organization can be contested as unlawful or illegal, and would, therefore, be answerable to the Data Privacy Act of 2012.
In case the data subject already gave the consent by agreeing to an organization’s privacy notice, he/she can withdraw consent if the personal information processor decided to amend said notice. In fact, the personal information processor has the obligation to notify the data subject of changes to their privacy notice and must explicitly solicit once again.
D. The right to erasure or blocking
The data subject has the right to suspend, withdraw or order the blocking, removal or destruction his personal. He can exercise the right upon the discovery and substantial proof of the following:
a. Personal data is incomplete, outdated, false, or unlawfully obtained.
b. It is being used for purposes he did not authorize.
c. The data is no longer necessary for the purpose for which they were collected.
d. The data subject decided to withdraw consent or object to its processing.
e. The data concerns information prejudicial to the data subject-unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by a court of law).
E. The right to damages
The data subject may claim compensation if he suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of the rights and freedoms as data subjects.
F. The right to file a complaint with the National Privacy Commission
If the data subject feels that his/her personal information has been misused, maliciously disclosed, or improperly disposed, or that any of his/her data privacy rights have been violated, the data subject have a right to file a complaint with the National Privacy Commission.
G. The right to rectify
The data subject has the right to rectify and has corrected any inaccuracy or error in the data that the University holds about the data subject.
Section 14. The right to data portability
This right assures that the data subject remains in full control of his data. Data portability allows the data subject to obtain and electronically move, copy or transfer his the data in a secure manner, for further use. It enables the free flow of personal information across the internet and organizations, according to the data subject’s preference. This is important especially now that several organizations and services can reuse the same data. Data portability allows the data subject to manage personal data in a private device and to transmit data from one personal information controller to another. (Chapter IV, Sec. 17, DPA of 2012).
Section 15. Transmissibility of Data Subject Rights
The data subject can assign his rights as a data subject to the legal assignee or lawful heir. Similarly, the data subject may assert another person’s rights as a data subject, provided he or she authorized as a “legal assignee”.The data subject may also invoke another person’s data privacy rights after his or her death if the data subject is his or her legal heir. This same principle applies to parents of minors, or their legal guardian, who is responsible for asserting their rights on their behalf.
This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical research. (Chapter IV, Sec. 18, DPA of 2012).
Section 16. Limitations on Rights (RA 10173)
The University follows the provisions of RA 10173 regarding transmissibility of rights and the right to data portability will not apply if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the data subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only for the declared purpose.
Likewise, the immediately preceding sections are not applicable to the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. (Chapter IV, Sec. 19, DPA of 2012).
TYPES OF DATA BREACHES
Section 17: Breaches of the Data Privacy Act
A data breach happens when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Data breaches are classified into:
1. Availability breach. – The loss of accidental or unlawful destruction of personal data;
2. Integrity breach. – The unauthorized alteration of personal data; and
3. Confidentiality breach. – The unauthorized disclosure of or access to personal data.
If a breach of the Act occurs in the University, any possible actions to mitigate the breach should be taken by the relevant area immediately upon discovery of the breach. The Data Privacy Office should be informed of the breach at the earliest possible opportunity.
The breach shall be investigated by the University Data Protection Officer (DPO) in line with current guidance from the National Privacy Commission. The Data Protection Officer shall follow internal University procedures to progress the investigation.
OTHER RELATED PRIVACY POLICIES
Section 18: Data wiping for electronic devices.
Electronic devices which contain licensed software programs and/or institutional data must be erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from individual to another.
All electronic storage media should be properly sanitized when it is no longer necessary for business use before its disposal.
Section 19: Use of photographs and video
This guidance covers photos or video (images) of people taken for University purposes.
Personal Information includes images that can be used to identify an individual and tell something about them. The data subjects have the right to be informed upon using their photos and videos. Consent forms must explain clearly and fully on how the image will be used and how long it will be retained. Moreover, image publication on the web is a form of disclosure to the world at large. Particular care must be taken therefore to obtain appropriate consent where the image constitutes personal data.
Section 20: CCTV Images
The University uses Closed Circuit Television (CCTV) images to provide a safe and secure environment for students, employees and other individuals in the University premises, and to protect the University’s property.Access to, and disclosure of, images recorded on CCTV is restricted. This ensures that the rights of individuals are retained. Images can only be disclosed in accordance with the purposes for which they were originally collected.
Data Privacy Act of 2012: Implementing Rules and Regulations. (2012).