A. The Privacy Notice
This Notice recognizes the obligation of St. Paul University Quezon City (SPUQC) to collect and process personal information and sensitive personal information (personal data) based on the applicable laws and regulations on data privacy, including the Philippine Data Privacy Act of 2012 (DPA) with its implementing rules and regulations (IRR). We seek to abide by the general privacy principles of transparency, legitimacy, and proportionality and other relevant principles in the collection, processing, and retention of personal data as mandated by the law.
B. Data Subjects
According to the DPA-IRR, the data subject refers to an individual whose personal, sensitive personal or privileged information is processed. SPUQC recognizes the stakeholders of the University as its data subjects: students, parents, employees, suppliers, outsourced personnel and other interested parties.
C. Collection and Processing of Personal Data
We obtain personal data such as names or email addresses whether directly or through another person or entity in the following forms or means:
- Application forms, request letters, notifications and some other documents;
- Agreements with us, whether or not written, including an employment contract or other contract pertaining to academic concerns, photo and printing arrangements, or supplier or service contracts;
- Inquiries before and after employment, if necessary; and
- Accesses, visits, or uses of our websites, platforms, social media presence and other online presence.
D. Purposes of Collecting and Processing of Personal Data
We collect and process personal data for the following purposes:
1. As allowed by applicable law;
2. Use of personal data to:
2.1 Exercise our rights and comply with specific contracts and agreements, and the law, as may be required by our school operations and objectives;
2.2 Execute and improve our services;
2.3 Conduct surveys, research, and other data gathering activities;
2.4 Market and promote the University by means of its accomplishments related to the school, personnel and students;
2.5 Apply for permit/recognition, certification audits, program accreditation, compliance monitoring and other review by third parties;
2.6 Collect and process personal data from current and potential employees in order to initiate, complete the process or terminate employment.
Documented information and records (written or electronic), computer systems, devices and facilities are the property of SPUQC. These files and records may be examined and reviewed by the University at any time, whether or not an officer, employee or other staff has personal data, property or other information stored therein.
E. Scope and method of collection and processing
SPUQC makes use of manual and computerized systems and methods to collect, store and process personal information. Collection and processing of personal data will be undertaken based on this Notice and in accordance with the DPA.
Storage and retention activities of personal information will be considered for a specific period as may be required by the school to efficiently achieve the intended purposes.
F. Privacy Consent
In providing your personal data, you agree and consent to our collecting, processing, disclosing, and sharing of the personal information within the purposes of the University.
G. Security Measures
SPUQC shall take appropriate security measures (or technical, physical and administrative safeguards) to protect your personal data against unauthorized access or unauthorized disclosure, modification or damage. Measures include internal assessment of our data collection, retention and storage, processing practices, including physical security measures to protect your personal data against unauthorized access. The designated officers and assigned personnel of the University shall ensure all information is protected, and shall only use this information to perform their functions. All employees shall sign an affidavit of non-disclosure to ensure personal information is secured within the University.
Compliance with the provisions of the rules, regulations and circulars of the DPA on the management of personal data security breaches, including notification to the users or to the National Privacy Commission (NPC), shall be strictly observed by the University officials and its personnel.
H. Data Protection Officer (DPO)
The Data Protection Officer is mainly responsible for ensuring SPUQC’s compliance with the laws and regulations for the protection of data privacy. All requests and notices that a data subject may send to SPUQC under this Notice must be in writing, addressed to the Data Protection Officer. Contact details are as follows:
DATA PROTECTION OFFICER
Office of the President
St. Paul University Quezon City
G/f St. Paul Building, Gilmore Avenue corner Aurora Blvd.,
New Manila, Quezon City, Philippines
Telephone: (632) 7267986 to 88 local 112
I. Definition of Terms (under DPA-IRR):
Whenever used in this Notice, the following terms shall have the respective meanings under the Data Privacy Act of 2012:
“DPA” means the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.
a. “Act” refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012;
b. “Commission” refers to the National Privacy Commission;
c. “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
d. “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;
e. “Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing;
f. “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor;
g. “Direct marketing” refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals;
h. “Filing system” refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
i. “Information and communications system” refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document;
j. “Personal data” refers to all types of personal information;
k. “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
l. “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
m. “Personal information controller” refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes: A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or a natural person who processes personal data in connection with his or her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing;
n. “Personal information processor” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
o. “Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
p. “Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
q. “Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;
r. “Public authority” refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions;
s. “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;
t. “Sensitive personal information” refers to personal information: About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
SPUQC keeps clients’ information confidential, whether or not constituting personal data. We carefully observe this professional obligation.