Rights of the Data Subject
Right to be Informed
The Data Subject has the right to be informed before data collection and Processing. Before the entry of his or her Personal Data to the Information Communications System/s or Filling System/s, a consent form shall be given to the Data Subject. The consent form shall have the following:
- description of data to be entered into the Information and Communications System/s or Filling System/s;
- purpose/s for which the Personal Data is being or will be processed;
- basis of Processing, when Processing is not based on the Consent of the Data Subject;
- scope and method of Personal Data Processing;
- the recipient/s or type/s or class/es or recipient/s to whom the Personal Data be shared or disclosed;
- the identity and contact details of the Data Protection Officer;
- the period of which the Personal Data will be stored; and
- the existence of their rights as Data Subject, including the right to complain before the Commission.
Right to Object
The Data Subject has the right to object to the Processing of his or her Personal Data. The Data Subject shall also be notified or allowed to withhold the Processing of his or her Personal Data. When the Data Subject performs such, the Institution is prohibited to process the Data Subject’s Personal Data except:
- the Personal Data is needed pursuant to a subpoena and/or disciplinary action which is ongoing investigation;
- the collection and Processing are for the benefits of the Data Subject such as, but not limited to, scholarship contracts, Educational Service Contracting (ESC), and submissions to government educational agency such as the Department of Education (DepEd) and Commission on Higher Education (CHED).
- the collection and Processing are for obvious purposes, including, when it is necessary for the performance of, or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the Institution and the Data Subject. This includes, but not limited to, the applicant’s assessment during application and personnel’s promotion or transfer; or
- the information is being collected and processed as a result of legal obligation. This includes the mandatory contribution of the personnel’s Social Security System, Pag-IBIG Home Development Mutual Fund, PhilHealth account. Thus, the Institution is required to collect their SSS, Pag-IBIG, and PhilHealth account numbers.
Right to Access
The Data Subject has the right to reasonable access to, upon demand, the following:
- content of his or her Personal Data that were processed;
- sources from which Personal Data were obtained;
- name and address of recipients of the Personal Data;
- how the Personal Data was processed;
- reasons for the disclosure of the Personal Data to the recipients, if any;
- information on the automated processes where the Personal Data will, or is likely to, be made as to the sole basis for any decision that significantly affects or will affect the Data Subject;
- date when Personal Data concerning the Data Subject was last accessed and modified; and
- the designation, name or identity, and address of the PIC.
Right to Rectification
The Data Subject has the right to dispute the inaccuracy of hir or her Personal Data, and have the PIC correct it immediately or accordingly unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, the PIC shall ensure the accessibility of both the new and the retracted Personal Data, and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. Provided that the recipient or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.
Right to Erasure or Blocking
The Data Subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from the PIC’s Information and Communications System/s and/or Filing System/s if the Data Subject discover/s with substantial proof of any of the following:
- the Personal Data is incomplete, outdated, false, or unlawfully obtained;
- the Personal Data is being used for a purpose not authorized by the Data Subject;
- the Personal Data is no longer necessary for the purposes for which they are collected;
- The Data Subject withdraws consent or objects to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing;
- The Personal Data concerns private information that is prejudicial to the Data Subject unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
- The Processing is unlawful;
- The right/s of the Data Subject is violated.
Right to Data Portability
The Data Subject has the right to obtain from the Institution his or her Personal Information in an electronic or digital format that is commonly used and allows for further usage by the Data Subject.
Right to Complain before the Commission
If the PIC violated the Data Privacy of the Data Subject, if any, the Data Subject has the right to file his or her complaint before the National Privacy Commission.
Security of Rights
In cases where the Data Subject is incapacitated or incapable of exercising his or her rights, the Data Subject can invoke his or her rights to a lawful heir he or she may assign. This should be executed via Special Power of Attorney. However, in case of death of the Data Subject, the Institution is required to completely delete all his or her Personal Data in any Information and Communications System/s or Filling System/s.
Processing of Personal Data
Collection
The Institution is only allowed to collect and process the Data Subject’s Personal Data if the following condition/s are satisfied:
- the Institution shall inform the Data Subject on the following:
- the specific purpose for the collection of the Personal Data;
- the extent of Processing of Personal Data;
- the retention period of the data; and
- his or her rights as the Data Subject.
- the Institution shall have obtained the Consent of the Data Subject, whose the owner of the Personal Data which is to be collected. The Consent Form can either be in a form of electronic, written, or recorded following the format in Annex “D”, hereof. However, in cases of CCTV Footages recording, Consent from the Data Subject is no longer required provided that the Institution shall display a notice that it has CCTV cameras installed and recording 24 hours a day, 7 days a week, placed in a selected strategic place within the Institution.
- the Data Subject shall be informed through the Data Protection Officer, about the purpose/s of the collection and Processing, the extent of Processing, and the rights of the Data Subject, using the Privacy Notice shown in Annex “B”, thereof.
For other government or private agencies requires the Institution to submit documents which contains Personal Information of the Data Subject, the governments or private agency should sign an agreement laid down in Annex “G”.
Only the PIC or PIP is required to collect the Personal Data of the Data Subject. Moreover, the Data Subject can assign a lawful heir to give Consent to the PIC or PIP on his behalf if the Data Subject is incapacitated or incapable of giving such Consent. This should be executed via Special Power of Attorney.
Use
The Institution can only use the Personal Data of the Data Subject based on the specified purpose/s and with consent from the Data Subject.
If the Data Subject is a student, the Institution may collect, use, or process his or her Personal Data to:
- assess application for admission to the Institution;
- assess the scholastic standing of the student by recording his or her works such as assignments, quizzes, recitations, and examination results;
- record the attendances in the classroom, participation in curricular, and extra-curricular activities by means of electronic or manual recording;
- record the attendances upon entering in the library in all departments;
- record the attendances in all activities attended;
- record the Promissory history for consolidation and monitoring of the Treasury Office;
- exchange the scholastic records of the Data Subject among the teachers and any lawful AdHoc committees which will be created by the Institution for academic deliberations and sectioning;
- assess and deliberate for honors and awards;
- process scholarship applications, grants, and other forms of assistance;
- process any disciplinary action or reports for misbehavior;
- record student’s health status for clinic’s records and other assessment need to be performed by the Guidance Office;
- compile for alumni records;
- generate statistical reports for reporting to the School President and Board of Trustees. This includes the statistical reports generated by the Office of Student Affairs, Prefect of Discipline, Library, Guidance Office, Record’s Offices, and Business Office;
- report to the parents with regards to their scholastic performances;
- inform their parents through a text message upon entering and leaving the school premise; or
- support the Institution’s legal obligation and duty.
If the Data Subject is an applicant, the Institution may collect, use, or process his or her Personal Data to:
- assess the applicant’s qualification based on the position he or she is applying;
- verify the supplied or submitted information;
- check applicant’s background information; and
- evaluate the applicant’s academic qualification.
If the Data Subject is personnel, the Institution may collect, use, or process his or her Personal Data to:
- assess the personnel’s qualification for a transfer of office or promotion;
- assess for loan approval or disapproval;
- process his or her payroll, refunds processing, tax processing, and retirement benefits, if applicable.
- monitor and evaluate his or her performance in the Institution and career growth;
- provide assistance in case of emergency; and
- support the Human Resource and Development Office’s obligation and duty.
If the Data Subject is a visitor, the Institution may collect, use, or process his or her Personal Data to:
- ensure the visitor and Institution’s safety.
For government regulatory compliance like Social Security System, PAGIBIG claims, and PhilHealth remittances, and any lawful order of any court or tribunal, the Institution may collect, process, or use the Personal Data of the Data Subject.
The processed Personal Data of the Data Subject by the Institution shall be accurate, correct, and up-to-date. Inaccurate, wrong, and outdated Personal Data shall be updated, corrected, or supplemented by the PIC or PIP provided that the Data Subject who is the rightful owner of the Personal Data had filled-out the Data Subject’s Data Privacy Right Form substantially in the form provided in Annex “F” hereof. However, such updating, correcting, and deleting of Personal Data shall not vexatious and/or unreasonable. If deemed necessary, or upon the death of the Data Subject, the PIC or PIP shall completely delete or remove the Personal Data of the Data Subject from the Information and Communications System/s and/or Filling System/s.
Retention
The Institution shall store the Data Subject’s Personal Data depending on the type of the Personal Data collected:
- ELECTRONIC. Depending on the PIC or PIP which collects the Personal Data, the PIC or PIP may store the Data Subject’s Personal Data based on how it is used. Usage shall always abide this Manual and shall not compromise the Data Privacy of the Data Subject. The length of retention shall be specified in Annex “A”.
- MANUAL. Depending on the PIC or PIP which collects the Personal Data, the PIC or PIP may store the Data Subject’s Personal Data based in how it is used. Usage shall always abide this Manual and shall not compromise the Data Privacy of the Data Subject. The length of retention shall be specified in Annex “A”.
- CCTV FOOTAGES. As prescribed by law, CCTV footages can be stored for a period of two (2) months. However, the Institution has the right to extend its retention if the recording is currently being used for investigation to solve a case or upon the instruction of any court of law in the Philippines. This extension shall be properly documented specified in Data Privacy Tracker.
Disclosure and Sharing
The Institution, at any cost, shall retain the confidentiality of the Personal Data of its Data Subject. This shall start upon the collection until its removal or deletion into any Information and Communications System/s and/or Filling System/s the Institution may use.
Only the Authorized Personnel of the Institution, its PIC or PIP are the only personnel allowed to access, use, and process the Personal Data of the Data Subject. Further, the Authorized Personnel, and the PIC or PIP, including the personnel who requested and granted access and Processing of the Personal Data shall abide all the provisions laid down by this Manual.
Any personnel who wishes to gain access to the Personal Data of the Data Subject shall fill-out the Access Request Form found in Annex “G” hereof, and seek approval from the Head of the Department duly noted by the Authorized Personnel of the Institution who has custody of the Personal Data such as, but not limited to the following:
- College Registrar – for the college students’ records;
- Basic Education Records In-charge – for the Basic Education students’ records;
- Human Resource and Development Officer – for the personnel records;
- Director for Student Affairs – for College students’ disciplinary records;
- Head of Guidance Services – for other students’ Personal Data which the Registrar and the Records In-charge not allowed to collect;
- School Nurse – for students’ medical records;
- Basic Education Prefect of Discipline – for Basic Education students’ disciplinary records; and
- Head of the Security Services – for the review of CCTV footages.
Verbal access for the request shall not be allowed. The Head of the Department has all the right to approve or reject the request depending on the merits of the reasons provided for the access. In no case shall be approved if no meritorious reason is provided in the Access Request Form. If approved, the Access Request Form shall be transmitted to the Data Protection Officer, or upon his or her absence, the School President, for final approval of the request. Once approved, the Access Request Form shall be transmitted back to the Authorized Personnel, where the form was filled, for implementation or execution. The Head of the Department concerned shall supervise or monitor the implementation of this Manual during the execution.
In case of doubt on the appropriateness of the exercise of rights and/or access request, as the case may be, the Authorized Personnel, if any, or the Head of the Department concerned shall consult and/or seek clearance from the Data Protection Officer or the Legal Counsel of the Institution.
For CCTV Footages, disclosure to the recorded footages shall only be granted for the following reasons:
- to aid criminal proceedings;
- to solve cases within the Institution, provided that the case was already raised to its AdHoc committee duly authorized by the Institution to process the case;
- to save the students and/or personnel from any harm or criminal acts;
- upon the request of the Department Head concerned to aid his or her own lawful investigation to a certain case, provided that the Access Request Form was approved; and
- upon the request of the parents of the student, who is the Data Subject, provided that the Access Request Form was approved.
If the requested Personal Data is considered as Confidential Personal Data, a Consent Form, substantially in a form prescribed in Annex “D”, shall be acquired from the Data Subject before the disclosure or sharing of his or her Personal Data. Consent Form shall be accompanied with the following information:
- identity of the PIC and/or PIP which will be given access to the Personal Data;
- purpose/s of the Data Sharing;
- duration of which the Personal Data will be kept; and
- existence of the Rights of the Data Subject.
Important Clause:
Any personnel, authorized or not by the Institution, obtain access to the Personal Data of the Data Subject in the course of their functions of the Institution shall observe the Security Measures set by this Manual. Anyone with access to Personal Data of the Data Subject shall only process the same in accordance with the purpose of the Processing. Sharing, disclosure, and distribution to this Personal Data is strictly forbidden unless instructed by the Institution, and with the consent of the Data Subject, who’s the owner of the Personal Data processed.
Personal Data coming from the Office of Student Affairs, Prefect of Discipline, Guidance Office, and Clinic are considered Sensitive Personal Data. Disclosure and sharing of Sensitive Personal Data shall follow the following conditions only:
- to aid any court proceedings;
- to aid further investigation of an existing case of the Data Subject already raised to a lawful AdHoc committee which the Institution created specifically to the mentioned case;
- if disclosure and sharing to the Personal Data means saving the life of the Data Subject;
- if disclosure and sharing to the Personal Data means saving the life of others; and
- if the disclosure and sharing can benefit both the Data Subject and the Institution.
Disposal
Specified in the Data Processing System is the duration or the Retention Period of which the Personal Data will be kept by its respective PIC or PIP. If the Retention Period was reached, the Institution shall destroy or delete all physical or electronic copies of the Personal Data using secure means that would render the Personal Data unreadable and irretrievable and prevent the occurrence of any Personal Data Breach and other Security Incidents. The procedure of disposal shall follow the disposal procedure in Data Processing System in each respective PIC or PIP.