These guidelines shall apply to all University units.
The Process Owner or Head of Office shall be responsible for the implementation of these guidelines.
- What information is collected, stored and retained
• All units should ensure that they collect and process only the information that is absolutely needed to be known; hence, over-collection of information should be avoided.
• Personal Information shall not be collected in anticipation that it may be useful in the future.
• There must be a statement that authorized university personnel shall collect personal information which is reasonably necessary or directly related to the University’s functions or activities or legitimate interests.
- What is the purpose of the collection and how is the information used
• The purposes should be specific, and they may be numerous.
• While there may be a statement that information shall be used as may be permitted or required by law to pursue SLU’s interests as an educational institution which include a variety of academic, administrative, historical and statistical purposes, still, the specific legitimate purposes should be identified.
- Who has access to and who processes the information
• Only authorized personnel are allowed to access and process the personal information collected from data subjects, and these authorized personnel shall be identified (state the functions, not the names of the current holders of the positions).
• Each unit shall develop and implement policies and procedures for the University to monitor and limit access to, and activities in, the units where personal data is processed.
• For electronic media, the Technology Management and Development Department shall come up with mechanisms concerning their proper use and access.
- To whom is the information shared
• “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of the University or its units. This includes sharing of data to the public through the posting of notices or publications, or the sharing of information to others (parents, guardians, relatives, other academic institutions, researchers, government offices, and many others).
• As a general rule, no University personnel is allowed to disclose personal data unless it is for institutional purposes in line with University policy. The policy shall prevent disclosure to a third party (including a concerned parent) unless written consent has been obtained from the data subject.
• The University shall never share any personal information for commercial purposes.
- How long is the information retained and the manner by which the data is disposed
• Subject to applicable requirements of the DPA and other relevant laws and regulations, personal data shall not be retained by the University for a period longer than necessary or disproportionate to the purposes for which such data was collected.
• Do note, however, that under the provisions of the MORPHE and existing Labor Laws, the University is required to permanently keep the student and employee records including the information contained therein. Thus, no personal information may be destroyed unless allowed by such laws, and such destruction, if allowed or authorized by law and the University, must be documented in writing by the University. Unauthorized destruction should be immediately reported to the DPO.
- A statement of the rights of the data subject and how they could enforce such rights, and the mechanism of how a data breach is handled by the University
- A mechanism for obtaining the consent of the data subject
• When required by the DPA or other applicable laws or regulations, the consent of the data subjects should be properly obtained and must be evidenced by written, electronic, or recorded means.
• This may be done by indicating in the various data collection and processing forms a statement that the data subject is allowing SLU to collect, use and process his or her personal data where a legitimate educational or institutional interest exists in SLU’s determination, as enumerated in its Privacy Policies.
- A statement of the existence of this Manual and that the data subjects may refer to this document to know more about the details concerning their right to privacy vis-à-vis SLU’s legitimate interests.
Within ninety (90) days from the effectivity of this Manual, all units within the University should come up with their respective MOPG for Data Processing. The MOPG shall be submitted to the DPC for review and appropriate action.