Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims
to protect personal data in information and communications systems both in the
government and the private sector.

It ensures that entities or organizations processing personal data establish
policies, and implement measures and procedures, that guarantee the safety and
security of personal data under their control or custody, thereby upholding an
individual's data privacy rights. A personal information controller or personal
information processor is instructed to implement reasonable and appropriate
measures to protect personal data against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller
or personal information processor is expected to produce a Privacy Manual. The
Manual serves as a guide or handbook for ensuring the compliance of an organization
or entity with the Data Privacy Act (DPA), its Implementing Rules and Regulations
(IRR), and other relevant issuances of the National Privacy Commission (NPC). It also
encapsulates the privacy and data protection protocols that need to be observed and
carried out within the organization for specific circumstances (e.g., from collection to
destruction), directed toward the fulfilment and realization of the rights of data
subjects.

I. Introduction

a. This Data Privacy Policy Manual is hereby adopted by __ in compliance with
Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing
Rules and Regulations, and other relevant policies, including issuances of the
National Privacy Commission. ________ ensures that data and personal
information will be stored properly and securely, regardless of whether it is kept
in a paper file or an electronic file, in accordance with the general principles and
legislation.

b. This Policy applies to students, parents, guardians, faculty, visiting
faculty, staff, applicant students, applicant faculty, applicant staff, clients,
customers, alumni, donors, donees, contract counterparties, partners, and
other persons with a juridical link with _________ whose personal information,
sensitive personal information or privileged information ("Personal Data") is
processed by _______________.

II. Definition of Terms

Data: means information in a form which can be processed. It includes automated data
(information on computer or information recorded with the intention of putting it on
computer) and manual data (information that is kept as part of a relevant filing system,
or with the intention that it should form part of a relevant filing system).

Personal Data: refers to all types of personal information, sensitive personal
information and privileged information under the Data Privacy Act of 2012 and its
Implementing Rules and Regulations.
Personal Information: refers to any information whether recorded in a material form or
not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual.
Sensitive Personal Information: refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes,
but is not limited to, social security numbers, previous or current health records,
licenses or their denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be
kept classified.
Privileged information: refers to any and all forms of data which under the Rules of
Court and other pertinent laws constitute privileged communication.
Processing: in any of its verb tenses, refers to the collecting, recording, organizing,
storing, retaining, using, analyzing, copying, transmitting, porting, sharing,
exhibiting, deleting, or destroying of Personal Data.
Security incident: is an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity, and confidentiality of
personal data. It shall include incidents that would result in a personal data breach,
if not for safeguards that have been put in place.
Personal Data Breach: refers to a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise processed. A personal data breach
may be in the nature of:
(1) An availability breach resulting from loss, accidental or unlawful destruction
of personal data;
(2) Integrity breach resulting from alteration of personal data; and/or
(3) A confidentiality breach resulting from the unauthorized disclosure of or
access to personal data.

III. Scope and Limitations

All personnel of this organization, regardless of the type of employment or contractual
arrangement, must comply with the terms set out in this Privacy Manual.

1. To what will the policy apply? The policy applies to the keeping and
processing of personal data, both in manual form and on computer, including
personal data held on all students.
2. To whom will the policy apply? The policy applies to all students, insofar as
the measures under the policy relate to them.

IV. Processing of Personal Data

1. Students

1.1 Collection

The personal data records held by the school may include:

1.1.1. Information which may be sought and recorded at enrolment and may
be collated and compiled during the course of the student’s time in the
school. These records may include:
1.1.1.1. name, address and contact details
1.1.1.2. date and place of birth
1.1.1.3. names and addresses of parents/guardians and their contact
details (including any special arrangements with regard to
guardianship, custody or access)
1.1.1.4. religious belief
1.1.1.5. racial or ethnic origin
1.1.1.6. whether English is the student’s first language and/or whether the
student requires English language support
1.1.1.7. any relevant special conditions (e.g. special educational needs,
health issues etc.) which may apply
1.1.2. Information on previous academic record (including reports,
references, assessments and other records from any previous school(s)
attended by the student)
1.1.3. Psychological, psychiatric and/or medical assessments
1.1.4. Attendance records
1.1.5. Academic record – subjects studied, class assignments, examination
results as recorded on official School reports
1.1.6. Records of significant achievements
1.1.7. Records of disciplinary issues/investigations and/or sanctions imposed
1.1.8. Other records e.g. records of any serious injuries/accidents etc. (Note:
it is advisable to inform parents that a particular incident is being
recorded).

1.2 Use and Purpose

Students' records are kept for the purposes of:

1.2.1. to enable each student to develop their full potential
1.2.2. to ensure that eligible students can benefit from the relevant additional
teaching or financial supports
1.2.3. to support the provision of religious instruction
1.2.4. to enable parents/guardians to be contacted in case of emergency or in
case of school closure, or to inform parents of their child’s educational
progress or to inform parents of school events etc.
1.2.5. to meet the educational, social, physical and emotional requirements of
the student
1.2.6. to ensure that the student meets the school’s admission criteria
1.2.7. to enable the school to comply with requirements set down by the
Department of Education, Commission on Higher Education, Philippines
Association of Colleges and Universities Commission on Accreditation
and any other governmental, statutory and/or regulatory departments
and/or agencies.

A. Storage, Retention and Destruction

______ will ensure that any personal information, records and data under its
custody will be in a secure, locked filing cabinet for paper files and secure
computer for e-files. _______will implement appropriate security measures in
storing collected personal information, depending on the nature of the
information.
____ processes and retains Personal Data as necessary for the Purposes in
accordance with:
(1) The Data Privacy Act of 2012, its Implementing Rules, and relevant issuances
of the National Privacy Commission;
(2) The National Archives of the Philippines Act of 2007, its Implementing Rules,
and relevant issuances of the National Archives of the Philippines;
(3) Documented Information Policies and Procedures of __;
(4) Policies, guidelines, and rules of the ____;
(5) Research guidelines and ethical codes of conduct adopted by the _____; and
(6) Executive Order No. 2, series of 2016 on Freedom of Information and
subsequent related executive orders. In the absence of an applicable rule
of retention, Personal Data shall be retained by a ____ unit in accordance
with the practices of government bodies with analogous functions.

_____ will implement appropriate security measures in storing collected personal
information, depending on the nature of the information. All information gathered
shall not be retained for a period longer than five (5) years. After five (5) years, all
hard and soft copies of personal information shall be disposed of and destroyed
through secure means.

B. Access

Due to the sensitive and confidential nature of personal information, records and data,
only the ____ employee and the authorized representative of _____ shall be allowed
to access such personal information, records and data, for any purpose, except for
those contrary to law, public policy, order and morals. Employees are required to
maintain the confidentiality of any data to which they have access.

C. Disclosure and Sharing

All ____ employees, personnel, student assistants, and students shall maintain the
confidentiality of all personal information, records or data that come to their
knowledge and possession, even after resignation, termination of contract, or any
other form of separation from the university.

V. Security Measures

1. Organization Security Measures

A. ____ shall conduct a Privacy Impact Assessment (PIA) relative to all activities,
projects and systems involving the processing of personal data.
B. ___ designated ___, who is concurrently serving as the ____ of the university as
Data Protection Officer, reporting to the ____, is tasked to protect the privacy of
personal information to, in, and from Panpacific University with the following
functions:
(1) Comply with data privacy laws and regulations including implementing
data protection measures, submitting regulatory requirements, and
managing privacy incidents.
(2) Conduct a Privacy Impact Assessment.
(3) Provide units of the University support services including formulating
policies, training people, and conducting audits with remediation
solutions.
(4) Prevent legal, financial, and operational risks by improving current and
future forms, contracts, processes, and I.T. systems to secure against
leakage of information.
(5) Develop in the University a culture of respect for privacy by formulating
policies and establishing practices at par with domestic and
international standards.
C. ___ shall sponsor a mandatory training on data privacy and security at least
once a year. For personnel directly involved in the processing of personal data,
management shall ensure their attendance and participation in relevant
trainings and orientations, as often as necessary.
D. All students will be asked to sign a Non-Disclosure Agreement. All employees
with access to personal data shall operate and hold personal data under strict
confidentiality if the same is not intended for public disclosure.
E. This Manual shall be reviewed and evaluated annually. Privacy and security
policies and practices within the organization shall be updated to remain
consistent with current data privacy best practices.

Annexes
A. Consent Form
B. Access Request Form

Sources:
https://www.privacy.gov.ph/creating-a-privacy-manual/
https://upd.edu.ph/wp-content/uploads/2019/02/UP-Diliman-Privacy-Policy.pdf
https://resources.workable.com/data-protection-company-policy
Template for Data Protection Policy