- Objective
To implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data in its custody. These security measures are intended to maintain the confidentiality, integrity, and availability of personal data, and protect the same against natural dangers such as accidental loss or destruction, as well as human dangers such as unauthorized access or disclosure, fraudulent misuse, unlawful alteration or destruction, and other unlawful processing.
- Scope
These guidelines shall apply to all University units.
- Responsibility
The Process Owner or Head of Office shall be responsible for the implementation of these guidelines.
- Guidelines
- Organizational Security Measures
The University’s processing of personal data shall adhere to the following guidelines for organizational security:
• The University shall designate accountable personnel for ensuring its compliance with the provisions of the DPA and other applicable laws and regulations for the protection of data privacy and security and shall communicate the details of such designations to all concerned University stakeholders.
• The University shall implement data protection policies that take into consideration the nature, scope, context, and purposes of the processing of personal data, as well as the risks posed by such processing to the rights and freedoms of its data subjects. The policies shall incorporate the general data privacy principles both at the time of the determination of the means for processing and at the time of the processing itself. These policies shall include, among others:
- procedures for the collection of personal data, including those for obtaining the consent of data subjects, when applicable.
- procedures that limit the processing of personal data to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose, including determination of the amount and nature of personal data collected, the nature and extent of the processing involved, the accessibility and/or means of access to the personal data, the nature and period of the data storage and retention, and the conditions and manner of erasure or disposal of the personal data.
- procedures for data subjects to exercise their rights; and,
- procedures and protocols to follow in case of the occurrence of security incidents or personal data breaches. The data protection policies shall provide for the documentation, regular review, evaluation, and timely revisions of such policies, as well as the dissemination of the same to all concerned University stakeholders.
• The University shall maintain records that sufficiently describe its data processing systems and identify the duties and responsibilities of the University personnel who will have access to personal data. These records shall include the following:
- information about the purposes of the processing of personal data, including any intended future processing or data sharing;
- descriptions of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
- general information about the data flow within the University, from the time of collection, processing, and retention, including the time limits for the disposal or erasure of personal data;
- general descriptions of the organizational, physical, and technical security measures in place; and,
- names and contact details of the University personnel accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
• The University shall be responsible for the selection and supervision of its personnel who will have access to, or be involved in the processing of, personal data, and shall ensure that these personnel shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure, even upon the transfer of such personnel to other positions or the termination of their employment or contractual relations with SLU. The University shall provide capacity building, orientation, or training programs for such personnel regarding privacy or security policies and best practices.
• The University, through appropriate contractual agreements, shall ensure that its personal information processors, where applicable, shall also implement the provisions of this Manual, and shall only engage personal information processors that provide sufficient guarantees to implement appropriate security measures that ensure the protection of the data privacy rights of data subjects.
- Physical Security Measures
The University’s processing of personal data shall adhere to following guidelines for physical security:
• Policies and procedures shall be implemented to monitor and limit the activities in, and access to, the University’s data processing facilities.
- The design and layout of office spaces and workstations, including the physical arrangement of furniture and data processing equipment, shall provide reasonable privacy to personnel who are processing personal data.
- The duties, responsibilities, and schedules of personnel involved in the processing of personal data shall be clearly defined to ensure that only authorized personnel performing official duties are in the data processing facilities and have access to personal data at any given time. Each unit shall maintain a log of who obtains access to personal data and data processing facilities, and the record keeper shall ensure that only those with legitimate purpose shall be allowed to gain access, with the purpose also indicated in the log being maintained.
• Policies and procedures shall be implemented regarding the appropriate handling, storage, transfer, removal, disposal, and reuse of removable and electronic media that contain personal data. Hard copies of documents containing personal data shall be stored in secure storage facilities which can be accessed only by authorized personnel, and these storage areas shall be subject to constant monitoring by security personnel.
• Policies and procedures that prevent the mechanical destruction of data files and data processing equipment shall be established. The University’s data processing facilities shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats. Concerns for the appropriate implementation of physical security measures may be coordinated by the various University units with the Campus Planning, Maintenance, and Security Department, in consultation with the DPC.
- Technical Security Measures
The University’s processing of personal data shall adhere to the following guidelines for technical security:
• The University shall implement a security policy with respect to the electronic processing of personal data, which shall provide for the following requirements, among others:
- safeguards to protect the University’s computer network and data processing systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access; o ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the University’s data processing systems and services;
- regular monitoring for security breaches, and a process for identifying and assessing reasonably foreseeable vulnerabilities in the University’s computer network and data processing systems, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a personal data breach;
- ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; o process for regularly testing, assessing, and evaluating the effectiveness of security measures; and,
- encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto. The Technology Management and Development Department, in consultation with the DPC, shall continuously develop and evaluate the University’s security policy in connection with the processing of personal data.