Data Security

Responsibilities of Data Handlers

All data handlers who can access or update student data as part of their job (i.e. faculty who encode grades and staff who can access grades) should at all times ensure that:

    • data are only used for the purpose(s) for which they are collected;

    • data confidentiality is maintained at all times;

    • data accuracy is maintained;

    • data are held securely; and

    • confidential data retained for the legitimate interests of the University, whether held in paper format or electronically, are securely destroyed when no longer required.

All data handlers should be aware of a student's right to privacy (Rights of the Data Subject, RA 10173) in relation to his/her health and welfare. Specifically, data handlers should inform the student of the nature, purpose, and disclosure of his/her personal information. Moreover, there shall be no processing of personal information of students without proper authorization.

Security of data

All data handlers should ensure that personal data of students are:

    • kept in a locked filing cabinet, drawer or room, whether in paper or electronic form, when not being worked on or when the office is left unattended (even for a short time);

    • not visible, either on desks or on computer screens, to anyone not authorized to see it — ensure screen savers and computer screen locks are used;

    • sent in a sealed envelope, if transmitted either internally or externally (i.e. when transporting grade sheets, class records, grade slips and other academic records of students);

    • not sent via e-mail if it is sensitive information;

    • not disclosed orally or in writing without the permission of the data subject unless it is part of a legitimate University process (i.e. when releasing a grade slip to the student, the identity of the student must be ascertained with his/her valid ID and the release must be properly documented);

    • not left on shared printers/photocopiers; and

    • disposed of securely in line with the University Personal Data Disposal Policy.