The right to privacy is a fundamental human right. Acknowledging this, the University of Southeastern Philippines, hereafter referred to as “University”, endeavors to safeguard its stakeholders’ data privacy by adhering to data privacy principles and employing standard safety measures in the collection, processing, disclosure and retention of personal data in accordance with the Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations (IRR) and to issuances of the National Privacy Commission.
This University Data Privacy Statement (the “UDPS”) contains an outline of the general practices of the University in the context of data collection and processing. All other data privacy statements released or to be released by the University specific to a particular office, function or procedure shall be in congruence with the UDPS. Designed for general knowledge, the UDPS may not include specific information pertaining to the data collection and processing mechanism of a specific office, function or procedure. Thus, whenever applicable, a more specific data privacy statement or notice should be consulted.
For a comprehensive and detailed view of the University’s data privacy policies, please refer to the *University’s Data Privacy Manual.
(*) The University Data Privacy Manual is still to be confirmed by the Board.
What personal data the University may collect and process?
The University collects and processes only the type and amount of data necessary to perform its core and auxiliary functions. As an institution composed of heterogeneous entities, the University may collect a variety of personal information in different contexts and for different specific purposes.
In general, among the common personal data the University may collect include:
- Specimen signatures
- Home address
- Email address
- Biographical information
- Academic information
- Phone number
- Government or Non-government Identification Number / Card
- Financial information
- Employment details
- Images via CCTV and other similar recording devices
- Internet Protocol (IP) addresses
- Session Cookie data
As a premiere research institution, the University may also collect sensitive personal information in the conduct of relevant researches and studies. For instance, a University-affiliated researcher may collect data pertaining to an individual’s ethnic origin, political opinions or criminal history to achieve the objectives of a particular study.
All personal data collection and processing can only be done when the University acquires the consent of the data subject, either explicitly or implicitly, after the latter has been informed of the nature and extent of data collection and processing.
Why does the University collect and process personal data?
The purpose of personal data collection and processing may vary from one University procedure (e.g. student admission, visitor entry, human resource management, etc.) to another. However, the general principle governing the University’s data collection process is legitimacy of purpose.
The University shall only collect and process data for legitimate purposes in consonance with its inherent functions and in compliance with legal requirements. These legitimate purposes may include, but may not be limited to, the following:
- To verify students’ and employees’ identity;
- To generate statistics and analytics useful for administrative decisions;
- To strengthen security measures and facilitate investigations of reported violations;
- To easily generate statutory reports;
- For employee and human resources management purposes (as may be required by applicable laws);
- For research purposes or endeavors contributing to the body of knowledge;
- To comply with legal or regulatory obligations;
- To establish, exercise or defend legal claims
How does the University share or disclose personal data?
Utmost care and due diligence are practiced by the University in handling personal data. The University shall never share or disclose data to third-parties without prior consent from the data subjects. Whenever disclosure of data is necessary and permitted, the University conscientiously reviews the privacy and security policies of the authorized third-party service providers or external partners. The University may also be required to disclose data in compliance with legal or regulatory obligations.
Internal disclosure of personal data from one University entity to another shall be subjected to an institutionalized standard data request procedure. This ensures that data is transmitted through official channels and shared for legitimate purposes.
Regardless of the context of data disclosure, the University shall always practice the principle of data minimization which means that only the minimum amount of data needed to serve a particular purpose is shared to the requesting entity.
How does the University protect personal data?
The University shall employ necessary or reasonable safeguards in the form of physical, technological, logical and administrative controls. Internal access to stored personal data will be kept to a minimum number of authorized individuals and bounded by confidentiality agreements. These individuals are subjected to regular training for proper handling of information in accordance to the University’s data privacy policies and other related laws, regulations or issuances.
How long does the University retain personal data?
Personal data are retained only for as long as necessary to serve its declared purpose or comply with regulatory and legal requirements. Depending on the nature of data and purpose it serves, the retention period could range from days (e.g. CCTV recording) to years (e.g. student academic information). Whenever retention becomes unnecessary, the University shall dispose the personal data properly through a secure and confidential means.