1. Objective

To provide guidelines for the collection, processing, retention, and disposal of data.

2. Scope

These guidelines shall apply to all University units.

3. Responsibility

The Process Owner or Head of Office shall be responsible for the implementation of these guidelines.

4. Guidelines

  • Collection

Collection must be for a declared, specified, and legitimate purpose.

  1. Consent is required prior to the collection and processing of personal data.
    1. The data subject is provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for data sharing.
    1. Purpose should be determined and declared before, or as soon as reasonably practicable after, collection.
    1. Only personal data that is necessary and compatible with the declared, specified, and legitimate purpose shall be collected.
  • Processing
    • Personal data shall be processed fairly and lawfully.
      • Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent and allow the data subject sufficient information to know the nature and extent of processing.
      • Information provided to a data subject must always be in clear and plain language so that it is easy to understand and access.
      • Processing must be in a manner compatible with the declared, specified, and legitimate purpose.
      • Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
      • Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.
    • Processing should ensure data quality.
      • Personal data should be accurate and, where necessary for the declared, specified, and legitimate purpose, kept up to date.
      • Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.
  • Retention
    • Personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The following are the purposes:
      • For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated.
      • For the establishment, exercise, or defense of legal claims.
      • For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
      • In any case provided by law.
    • Responsibilities when retaining personal data:
      • To be clear about how long personal data will be retained and the reason/s for retaining it.
      • To ensure the quality of the data being retained.
      • To ensure the security of the archived personal data.
      • To ensure restricted access to personal data.
      • To give access to the data subjects and inform them about their data being retained.
  • Disposal
    • Personal data, whether stored on paper, film, optical, or magnetic media, shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice to the interests of the data subject. Disposal can be any of the following:
      • Shredding, either cross-cut or micro-cut, for non-digital (paper) records.
      • Secure erase for digital data.
      • Physical destruction such as disk shredding.
    • Data shall be disposed of properly, such that it is unreadable (for paper) or irretrievable (for digital records).