- Objective
To provide that each unit in the University shall have its own MOPG for Data Processing, which shall contain the unit’s Privacy Policy.
- Scope
These guidelines shall apply to all University units.
- Responsibility
The Process Owner or Head of Office shall be responsible for the implementation of these guidelines.
- Guidelines
The MOPG for Data Processing and the Privacy Policy shall be guided by the following:
- What information is collected, stored and retained
• All units should ensure that they collect and process only the information that absolutely needs to be known; hence, over-collection of information should be avoided.
• Personal Information shall not be collected in anticipation that it may be useful in the future.
• There must be a statement that authorized university personnel shall collect personal information which is reasonably necessary or directly related to the University’s functions or activities or legitimate interests.
- What is the purpose of the collection and how is the information used
• The purposes should be specific, and they may be numerous.
• While there may be a statement that information shall be used as may be permitted or required by law to pursue SLU’s interests as an educational institution which include a variety of academic, administrative, historical and statistical purposes, still, the specific legitimate purposes should be identified.
- Who has access to and who processes the information
• Only authorized personnel are allowed to access and process the personal information collected from data subjects, and these authorized personnel shall be identified (state the functions and not the names of the current holders of the positions).
• Each unit shall develop and implement policies and procedures for the University to monitor and limit access to, and activities in, the units where personal data is processed.
• For electronic media, the Technology Management and Development Department shall come up with mechanisms concerning its proper use and access.
- To whom is the information shared
• “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of the University or its units. This includes sharing of data with the public through the posting of notices or publications, or the sharing of information with others (parents, guardians, relatives, other academic institutions, researchers, government offices, and many others).
• As a general rule, no University personnel is allowed to disclose personal data unless it is for institutional purposes in line with University policy. The policy shall prevent disclosure to a third party (including a concerned parent) unless written consent has been obtained from the data subject.
• The University shall never share any personal information for commercial purposes.
- How long is the information retained and the manner by which the data is disposed
• Subject to applicable requirements of the DPA and other relevant laws and regulations, personal data shall not be retained by the University for a period longer than necessary or disproportionate to the purposes for which such data was collected.
• Do note, however, that under the provisions of the MORPHE and existing Labor Laws, the University is required to permanently keep the student and employee records including the information contained therein. Thus, no personal information may be destroyed unless allowed by such laws, and such destruction, if allowed or authorized by law and the University, must be documented in writing by the University. Unauthorized destruction should be immediately reported to the DPO.
- A statement of the rights of the data subject and how they could enforce such rights, and the mechanism of how data breach is handled by the University
• As this mechanism is already provided in detail in this Manual, the Privacy Policy may simply incorporate the provisions of this Manual by way of reference.
- A mechanism of obtaining the consent of the data subject
• When required by the DPA or other applicable laws or regulations, the consent of the data subjects should be properly obtained and must be evidenced by written, electronic, or recorded means.
• This may be done by indicating in the various data collection and processing forms a statement that the data subject is allowing SLU to collect, use and process his or her personal data where a legitimate educational or institutional interest exists in SLU’s determination, as enumerated in its Privacy Policies.
- A statement of the existence of this Manual and that the data subjects may refer to this document to know more about the details concerning their right to privacy vis-à-vis SLU’s legitimate interests.
Common data privacy issues shall be the subject of a uniform Privacy Policy.
• For student-related University-wide data privacy concerns, there shall be a Student Privacy Policy applicable to the applicants for admission, existing students, as well as the alumni. The formulation, review, and revision of the said policy shall be the collective responsibility of the Office of Student Affairs, the Registrar’s Office, the Guidance Center, and the various Schools. For administrative purposes, the Office of Student Affairs shall take the lead with respect to all matters involving the Student Privacy Policy.
• For employee-related University-wide privacy concerns, there shall be an Employee Privacy Policy. The formulation, review, and revision of the said policy shall be the collective responsibility of the Human Resources Department, in coordination with all Schools and offices. For administrative purposes, the Human Resources Department shall take the lead with respect to all matters involving the Employee Privacy Policy.
• For other common privacy matters, the unit that is directly and regularly interacting with the data subject shall take the lead in coming up with the Privacy Policy. Smaller units with similar privacy concerns like the University Clinics and Residence Halls may likewise come up with a common Privacy Policy.
Within ninety (90) days from the effectivity of this Manual, all units within the University should come up with their respective MOPG for Data Processing. The MOPG shall be submitted to the DPC for review and appropriate action.