Retention and Disposal
Personal Information of students in the University shall not retain in a longer period. Specifically, retention of personal data shall only for as long as necessary:
(a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by an appropriate government agency.
Moreover, the retention of personal data shall be allowed in cases provided by law.
(See National Archives of the Philippines Act of 2007 (Republic Act 9470) and the Guidelines of Data Retention).
Disposal of personal information to a third party must follow the disposal procedure stated in Section 5 (Disposal Procedure on Electronic Storage Devices) to Section 8 (Disposal Procedure of Paper-based Documents with Digitized File Copy) of this policy. Otherwise, the specific disposal procedure must be stated in the Data Sharing Agreement.
When an agreement has been terminated, that data held on third party systems must be securely disposed of. It is recommended to contact the third party and verify that disposal has been carried out and including all the details of disposal. This verification should be documented for data management purposes.
Devices with Electronic Storage Media
An agreement of sharing or passing of information through any electronic storage within the University must be executed and proper procedure in removal/deleting of the information must be followed. (See Section 5 Disposal Procedure on Electronic Storage Devices)
Disposal of Electronic Storage Devices
5.1 All electronic media should be cleaned/ factory settings prior to being transferred from its current owner to another user or custodian.
The following methods are recommended:
5.1.1. Overwritten Method
Overwriting is a method for cleaning of hard disk storage media, replacing the old data stored with meaningless information.
5.1.2. Destruction of Electronic Media
Destruction of electronic media is to physically destroy the material that is not usable by any device which is capable to read the stored information
5.1.3. Clearing the Data
Removing the data from the storage device can be done by formatting or deleting the information which makes the information unreadable unless special software is used to recover the cleared data. This method is not acceptable for disposal outside the University.
5.2. Disposal of Hard Drives and other Electronic Storage
5.2.1. Disposal of Hard Drives to Other Departments or outside the University
An overwritten method is recommended when transferring usable Hard Drives and other Electronic storage outside the University. The current owner must accomplish a written report indicating the model, serial number, and the date when the procedure was performed.
5.2.2. Transfer of Hard Drives within the University
Transfer of usable Hard Drives and other Electronic Storage from its current owner to another owner or custodian, the hard drive must be formatted prior to transfer
5.2.3. Disposal of Electronic Media Outside the University
Disposal of all electronic media other than Hard Drives must be rendered unusable before leaving the University.
Disposal Procedure of Personal Information of the Data Subjects stored in database/computer
Personal Information of the data subjects shall be deleted from the database/computer if no longer needed or has served its purpose. Moreover, the approved and secured deleting utility for any specific process or system shall be used.
It is recommended to use either File Shredder or Freeraser v184.108.40.206. File Shredder has been developed as a fast, safe, and reliable tool to shred company files. The author of this program released it free under the GNU license and use it without any restrictions. File Shredder is a simple but powerful program that surpasses commercial file shredders out there. It is believed that such a utility should be available to anyone for free and that permanent and safe removal of confidential documents is a matter of basic right to privacy.
Furthermore, Freeraser is a simple Recycle Bin-like file shredder program that sits on the desktop. It can drag and drop things directly into it to instantly start the irreversible deletion process, which is much easier than how it works with other similar software. Freeraser removes every file and folder from a whole hard drive at once, and not just specific files, it also has a place on our list of free data destruction software.
Disposal Procedure of Paper-based Documents containing Personal Information
The following are the recommended to use during the disposal of documents especially when it contains personal and sensitive information:
7.1. Disposal of documents with personal information and sensitive information through shredding.
Shredding is the most commonly used method as it is considered a fast, safe, and cost-effective. It is also considered sufficiently secure for a wide range of documents
7.2. Disposal of documents with personal information and sensitive information through Pulping.
Paper is mixed with water and chemicals to break down the paper fibers before it is processed into recycled paper.
Disposal Procedure of Paper-based Documents containing Personal Information with Digitized File Copy
All paper-based documents with digitized file copy shall be disposed of all together. Disposal of paper-based documents shall be based on Section 7 (Disposal Procedure of Paper-based Documents containing Personal Information) and the disposal of electronic documents shall be based on Section 6 (Disposal procedure of Personal Information of the Data Subjects stored in database/computer).
The standard file deletion routines shall govern the network-based files. Any extreme sensitivity required highly technical information that is deleted shall be consulted with the IT personnel to appropriately handle the digital files.