BACKGROUND

Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 is a law that protects all forms of information both in the government and private sectors.

It ensures that entities or organizations processing personal data guarantee the safety and security of personal data under their control, thereby upholding an individual’s data privacy rights.

A personal information controller or personal information processor is directed to implement reasonable and appropriate measures to protect data under their custody against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC).

It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances directed toward the fulfillment and realization of the rights of data subjects.

INTRODUCTION

LORENZO RUIZ DE MANILA SCHOOL (LRMS) recognizes the inviolability of the right to privacy and commits itself to safeguard and preserve such right.

This Privacy Manual therefore explains how we handle the personal and sensitive data of our students, employees and visitors as defined by the DPA and its implementing rules and regulations, while upholding our legitimate interests and effectively carrying out our responsibilities as a private educational institution.

DEFINITION OF TERMS

The following terms were defined based on the DPA and for further understanding of LRMS privacy manual:

In this Manual, “data” and “information” are used interchangeably. When we speak of “personal data”, the term includes the concepts of personal information, sensitive personal information, and privileged information.

Personal information – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive personal information – refers to personal information:

  • About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  • About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  • Specifically established by an executive order or an act of Congress to be kept classified.

Privileged information refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

Data Protection Officer (DPO) is an individual appointed by LRMS as the person who takes charge of designing and implementing data privacy compliance programs and the main person in contact with NPC.

Data processing systems refer to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing;

 Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor;

Personal information processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;

Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;

Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

Public authority refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions;

Security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place.

School records refer to the records of students of all acts, events, accomplishments, results or research and all documents depicting the various activities of the students. These include but are not limited to the following:

  1. personal and academic records of the students
  2. baptismal and birth certificates
  3. academic reports
  4. medical and guidance records
  5. disciplinary records
  6. individual financial records

SCOPE AND LIMITATIONS

This Data Privacy Manual applies to the collection and processing of data in many forms. They may consist of written records, photographic and video images, digital material, and even biometric records. This manual shall be followed by all students, departments, personnel concerned in the collection and processing of information from the data subjects.

The offices that will be subjected for monitoring under this manual are the following: Office of the Human Resource Management and Development Department,  Records and Admissions Office, Office of the Finance Department , Student Development Center, Office of the Principal, Information, Communications and Technology Office (ICT), Academic Office, Christian Living Center and Office of the General Services Department  This manual also applies to administrators, faculty members, music and varsity coaches and records and admissions staff who are collecting personal information from the students. All personnel of this organization, regardless of the type of enrollment or contractual arrangement, must comply with the terms set out in this Privacy Manual.

PROCESSING OF PERSONAL DATA

Collection

The school collects the basic information of its students, employees and other clients including their full name, age, birthday, address, email address and contact number. The collection of data is done by the office or the person involved in the collection under the legal means and essential in the attainment of the office objectives to facilitate the data subject’s concerns and purpose to the institution. It is obtained through filling out of the official forms of the school and recording of the collected information to the school’s Portal. During the collection process, the following must be observed:

  • Transparency

Data Subject’s consent should be obtained before collecting the information and the latter should be informed of the purpose for which the information is to be collected.

During enrollment process, parents are required to fill out the online registration form thru our Parent Portal. The purpose of such collection of information is to comply with the requirements of Department of Education, and for the school to have the record of the students and their parents in case of emergency.

  • Proportionality

Personal information collected must be reasonably necessary or directly related to the School functions.

During enrollment process, only important information such as name, address, contact numbers, previous school, parent’s and guardian’s name,, contact number, office address are collected, which is necessary for evaluation for eligibility of the application.

  • For Legitimate Purpose

In collecting personal information, the School shall use the information only for legitimate purposes.

Personal information such as student’s name, parents name and addresses and contact numbers etc., shall be used only for purposes such as enrollment, academic activities and availment of student services which are allowed under the provisions of the MORPE for Secondary Education.

  • Provisions for Specific Departments
    • Records and Admissions Office and Guidance Center

Parents and/or Guardians are asked to encode parents/guardians and students data into the Student (profile) Database online form to assure that all necessary information are correct.

The Records and Admissions Office collects and processes personal information for the purpose of evaluating the eligibility of the applicant for admission or in case of current students, for enrollment and scholarships provided by the School and third parties.

Access is restricted pursuant to the provisions of the MORPE for Basic Education which specifically provides that all student records should be kept confidential.

    • Human Resources Department

The Human Resource Department collects the information from applicants for the purpose of evaluating their eligibility. Employees’ data will be used for the availment of their benefits such as retirement, educational, medical and the like. At times, data is studied and used for human resource services improvement.

The collected information is kept in the individual 201 files of the employees which is required under the provisions of the Labor Code.

Pursuant to existing labor laws and human resources policies of the School, the 201 files or employees’ individual employment records are confidential and access is restricted to authorized personnel only.

    • Other Departments

All other departments that collect process or store students’ or employees’ personal information, if any, are subject to the policies provided under this Manual. Department heads are responsible for ensuring compliance of the provisions of this Manual within their departments.

  • Privacy Policies

To ensure that the rights of the data subjects are protected, the above-mentioned departments are subject to the following policies:

  1. Data Subjects are notified and their consent secured

Collection of information is done with the consent of Data Subjects (students and their guardians) included in the forms filled-out during application for admission, enrolment or availment of student services such as scholarships and others.

Forms for collection of personal information include a provision or a variation of these privacy statements:

“All information shall be used by the School for legitimate purposes specifically for and shall be processed by authorized personnel in accordance with the Data Privacy Policies of the School.”

Use

The information collected from the students will be used for the following purposes: for admission to school; recording and maintaining student records; maintaining students’ data systems; statistical and research; deliberations and evaluation of student performance; processing of scholarship applications, grants and other forms of financial aids and evaluating academic qualifications.

USE OF STUDENTS’ DATA

  1. Processing of admission to the school;
  2. Recording, generating and maintaining of students’ records of academic, co- curricular and extra- curricular activities;
  3. Maintaining of student data systems;
  4. Compiling and generating reports for statistical and research purposes;
  5. Providing information to offices with legitimate official need for academic purposes such as advisers’ record, deliberations and evaluation of students’ performance;
  6. Processing of scholarship applications, grants and other forms of financial aids;
  7. Sharing of academic grades or honors and co-curricular or extra-curricular achievements with schools where students wish to enroll or transfer;
  8. Posting of class lists and sections in the school bulletin boards;
  9. Sharing of academic progress, and co-curricular and extra-curricular activities with the parents/guardians;
  10. Encoding of  personal and scholastic grades in the Learners Information System (LIS) of the Department of Education (DepEd);
  11. Providing the Principals & Academic Director of the loyalty awardees in preparation for and during commencement exercises;
  12. Complying with the court orders, subpoenas and/or other legal obligations;
  13. Providing information to internal research or surveys for institutional development;
  14. Marketing or advertising the school, and its activities and events;
  15. Identifying first communicants through the baptismal certificate submitted;
  16. Providing insurance provider required information of enrolled students for insurance coverage to facilitate damages claim in case of accidents. Injuries or accidents covered in insurance collect personal information to facilitate insurance claim;
  17. Providing the embassy, the consulate and the Bureau of Immigration of information details for visa application, monitoring of the academic status and length of stay in the country;
  18. Sharing with school academic partners and institutional linkages students’ information necessary for training or seminars.

USE OF EMPLOYEE’S DATA

            The information collected from school personnel will be used for the following purposes: for personnel health and medical support; employment administration; compliance with the statutory obligation and benefits; for statistical survey and research; processing scholarship and grants; and employment discipline.

  1. Processing of employment to the school;
  2. Recording, generating and maintaining employees’ data base of information;
  3. Maintaining of employees’  data systems;
  4. Compiling and generating reports for statistical and research purposes;
  5. Providing information such as contact details, deliberations and evaluation of employees’ performance, medical records;
  6. Processing of scholarship applications, grants and other forms of financial assistance;
  7. Conducting investigations on legitimate cases/incidents;
  8. Documentation of all school-related activities in the form of photo and video;
  9. Verifying the authenticity of the records submitted by the employees for application;
  10. Submission of relevant information to the insurance company to facilitate damage claims in case of accidents.

Confidential information can be disclosed only in exceptional circumstances such as when the employee inflict harm to himself/ herself, another individual and when life is in danger or his/ her health and safety is threatened.

OTHER STAKEHOLDERS

The information collected from parents shall be used for admission of their child and to communicate with them in relation to their child’s performance and scholastic records. The information is collected directly from them when they communicate with the administrators and admissions staff, when they register by mail or online; when they participate in any of the  school surveys; when they send inquiry to the school; when they transact with the school; and when they provide feedback (i.e. via our websites or in hard copy).

The information collected from visitors will be used for safety and security purposes. It is also used for generating statistics for planning and service improvement.

The information collected from our service providers are used for:

  1. Processing proposals through evaluation of different concerned departments which include sharing business profile and proposals;
  2. Maintaining stakeholders’ files;
  3. Documentation of succeeding meetings and agreements.

The data collected from parties other than the data subject for the purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for research purposes.

Storage, Retention and Destruction

The school ensures that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. As a general rule, we will only disclose personal and sensitive information to third parties with the individuals’ consent. We also disclose or share such information only when required or allowed by law or when authorized under the DPA.      

The school implements appropriate security measures in storing collected personal information, depending on the nature of information. Under the Data Privacy Act of 2012, personal information shall not be kept for longer than is necessary for the purposes for which it was obtained; therefore, all information gathered shall not be retained for a period indicated in the offices’ Records Control Matrix. The department Records Control Matrix contains the data storage, retention, and disposal of the collected personal information, sensitive information and other information of the data subjects. The concerned office is also responsible that the stored data is only accessible to the authorized people.

After the indicated storage period, all hard and soft copies of personal information shall be disposed through secured means. All employees and personnel of LRMS shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation or termination of contract.

Access

Due to the sensitive and confidential nature of the personal data under the custody of the school, only authorized personnel of the institution shall be allowed to access such personal data, for any purpose, except for those contrary to the law, public policy, public order or morals.

Disclosure and Sharing

As a general rule, the school will only disclose the personal and sensitive information to third parties with their consent. It will also disclose or share such information only when required or allowed by law or when authorized under the DPA.

Guidelines in Disclosing Confidential Records of Students

(NACSRA, 1987)

  1. The students are entitled to a transcript of records, but they are not entitled to know other records in their file which are confidential in nature e.g. recommendation letter from other schools and references.
  2. The students have the right to see their academic record, for which a copy was made, and is entitled to any explanation of any information recorded on it.
  3. The students’ file or folder cannot be taken out of the office unless specially authorized by the Registrar, depending on the purpose for which is needed.
  4. School officials and faculty members of the school may be permitted to look at students’ academic records if they are needed in the evaluation of their academic standing.
  5. Requests for the production of students’ records from the court are usually on a duly issued subpoena duces tecum (a writ ordering a person to attend a court and bring relevant documents), but they must be notified of the said subpoena if they are available or if they can be reached through any media of communication.
  6. The records of students’ grades may be released to their parents or guardians without their prior approval if they are still a minor or have not yet been emancipated from parental authority.
  7. The students’ transcript of academic records should only contain information about their academic status. Other matters such as disciplinary may be recorded to determine readmission.
  8. All requests regarding disclosure of students’ academic records should be made in writing and be filed in their academic folders.

 

Maintaining Accurate Personal Information

The school is required to maintain the accuracy and completeness of the student’s personal information. Parents/guardians must notify the concerned office of any changes in personal information.