Data Privacy Policies

Republic Act No. 10173, commonly referred to as the Data Privacy Act of 2012 (DPA), is designed to safeguard personal data within information and communication systems in both governmental and private sectors. The Act led to the creation of the National Privacy Commission (NPC), which is responsible for its enforcement. It governs the processing of personal and sensitive personal information, stipulating that data subjects must give direct consent before their information can be processed. Under the DPA, all government and private entities that handle personal data are required to develop policies and implement measures to ensure the protection and security of personal data under their jurisdiction, thereby protecting individual data privacy rights. Additionally, these entities must take appropriate steps to shield personal data from natural hazards like accidental loss or destruction, as well as from human threats such as unauthorized access, fraudulent misuse, unlawful destruction, alteration, and contamination.

To educate their staff and inform data subjects about these protective measures, all organizations must create a Privacy Manual. This document acts as a comprehensive guide to ensure adherence to the DPA, its Implementing Rules and Regulations (IRR), and other directives issued by the NPC. It also details the privacy and data protection practices to be followed within the organization, from data collection to destruction, aiming to uphold and fulfill the data privacy rights of individuals.

I. Introduction

The Dominican College of Tarlac is committed to protecting the privacy and personal data of its students, parents, staff, and other stakeholders in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173). Our institution upholds the highest standards of data protection to foster an environment of trust and safety. This policy outlines our practices and principles regarding data collection, use, storage, and protection. At Dominican College of Tarlac, our commitment to data privacy is aligned with our core objectives of Wisdom, Social Responsibility, and Christian Witness. We aim to equip our students with the knowledge and skills necessary for effective social communication, while also fostering a sensitive awareness of their roles in social building and encouraging positive engagement in relevant social issues.

II. Definition of Terms

A. Authorized Personnel

B. Breach

C. Consent

D. Data Privacy Act (DPA) refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.

E. Data Protection Officer (DPO)

F. Data Subject

G. Institution refers to the Dominican College of Tarlac.

H. Personal Data is any type of personal information collected and processed by the Institution from the data subjects that can be used to directly or indirectly identify an individual.

i. The following are the personal data collected from the students:

1. Full Name
2. Birthday
3. Gender
4. Civil Status
5. Religion
6. Nationality
7. Name of parents and guardians
8. Address
9. Contact Information
10. Educational Background
11. Medical Records
12. PSA Birth Certificate

ii. The following are the personal data collected from the Employees and Administrative officers:

1. Full Name
2. Birthday
3. Gender
4. Civil Status
5. Religion
6. Nationality
7. Name of parents
8. Address
9. Contact Information
10. SSS Number
11. Pag-ibig Number
12. PhilHealth Number
13. TIN Number
14. PSA Birth Certificate
15. Educational Background
16. Resume
17. Medical Certificate

I. Personal Data Classification refers to the types of Personal Information collected and processed by the Institution.

i. Public – Information readily accessible and available to all interested individuals and institutions.
⚫ Examples:
a. Information in the Institution’s website (https://dct.edu.ph/)
b. Course catalogs and brochures
c. Program offerings
d. Names of officers, Deans and faculty
e. Published research containing the names of faculty members and students
ii. Confidential/Private – Those which are declared confidential by law or policy of DCT, and which may only be processed or shared with only a few people, for a designated purpose, and if disclosed may cause material harm to the Institution or the individuals in the Institution. Mainly the personal information of the data subjects.
⚫ Examples:
a. Employee and student names, addresses, contact numbers, SSS, PhilHealth and Passport numbers, students' and employees' health information, student counselling and medical records;
b. Financial information of parents and students and employees, and student records, Employee files and the information contained therein.
iii. Classified/Restricted – These are sensitive personal information to which access is restricted by law or regulation to particular classes of people, and if disclosed may cause severe or serious harm to the employee, student or third party.
⚫ Examples:
a. Employee and student account or computer passwords, bank account numbers, PIN numbers of employee and student ATMs.

J. Personal Information

K. Processing

L. Privileged Information

M. Security Incident

N. Sensitive Personal Information

III. Scope and Limitations

This Privacy Manual applies to all departments of the Institution, to employees regardless of type, students and officers, and to third parties whose information is processed by the Institution (applicants for admission or employment, and former students or alumni whose school records are required to be kept and secured by the Institution). The data covered by this Manual is limited to personal information as defined under Section III (I), collected and processed by the Institution.

IV. Information We Collect

Personal Identification Information – Name, Address, Email, Phone Number, Date of Birth, Guardian Information: Personal Information and Average Financial Income.

Academic Information – Grades, Attendance, Course Enrollment, Academic Progress.

Health Information – Medical Records, Vaccination Status, Health Surveys.

Financial Information – Tuition Fees, Vouchers, Payment Details, Certificate of Registration.

Technical Information – IP Address, Browser Type, Device Information.

Communication Records – Emails and messages exchanged through Google Mail accounts between students and staff.

V. How We Use Your Information

At Dominican College of Tarlac, we use your information for various essential purposes to enhance your educational experience and ensure smooth operation of our institution, in compliance with the legal bases outlined in the Data Privacy Act of 2012 (Republic Act No. 10173). Primarily, we use personal data to provide educational services and support, which is necessary for the performance of our contractual obligations with students and parents. This includes maintaining accurate academic records and tracking student progress to help each student achieve their academic goals.

We are committed to complying with legal and regulatory requirements. This involves processing and sharing data as necessary with regulatory bodies and government agencies to meet our legal obligations. By using your information in these ways, we strive to create a supportive, efficient, and legally compliant educational environment.

VI. Our Use of Cookies

We use cookies to improve your browsing experience, remember your preferences, and analyze site traffic. By storing information such as language settings and login details, cookies allow us to personalize your experience and make your visits more convenient and efficient.

The types of cookies we use include session cookies, which are temporary and are deleted after you close your browser; persistent cookies, which remain on your device for future visits; and third-party cookies. Third-party cookies help us gather analytics data to understand user behavior and improve our website’s performance and content.

VII. Use of Third-Party Services

Cloudflare and SiteGround

To ensure the security, performance, and reliability of our website, Dominican College of Tarlac utilizes third-party services, including Cloudflare for security and SiteGround for hosting.

Cloudflare provides web optimization and security services, such as distributed denial-of-service (DDoS) protection, content delivery network (CDN) services, and web application firewalls. These services help ensure that our website remains secure and operates efficiently. Cloudflare may collect certain information about your interaction with our website, such as IP addresses, system configuration information, and other data regarding traffic to and from our site. This data is collected and processed by Cloudflare in accordance with their privacy policy to enhance security and optimize performance.

SiteGround serves as our hosting provider, storing the data necessary for the operation of our website. SiteGround ensures the reliability and accessibility of our website by providing server infrastructure and hosting services. Your data stored on SiteGround servers is subject to their privacy policy, and SiteGround is committed to maintaining the confidentiality and security of your data.

We ensure that both services comply with applicable data protection laws and maintain appropriate safeguards to protect your personal data. For more information on how Cloudflare and SiteGround handle your data, you can review their respective privacy policies.

By using our website, you consent to the processing of data by Cloudflare and SiteGround as described in their respective privacy policies.

VIII. Children’s Privacy

Safeguards for Protecting the Personal Data of Minors

At Dominican College of Tarlac, we prioritize the protection of minors’ personal data. We implement strict safeguards, including restricted access to data, data minimization, encryption, and regular security audits, to ensure the highest level of security and confidentiality.

Requirements for Parental or Guardian Consent for Data Collection and Use

In compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), specifically Section 13 (a), we require explicit consent from parents or legal guardians before collecting or using a minor’s personal data. We provide clear information about data use, require signed consent forms, and allow consent to be withdrawn at any time, ensuring transparency and control over children’s data.

IX. Processing of Personal Data

A. Collection

i. Registrar
ii. Human Resources Management
iii. Accounting Office
iv. Clinic
v. Guidance Office
vi. MIS

B. Use

C. Storage, Retention and Destruction

D. Access

E. Disclosure and Sharing

X. Security Measures

The Institution shall implement reasonable and appropriate physical, technical, and organizational measures for the protection of personal data. These security measures aim to maintain the availability, integrity, and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

A. Organizational Security Measures

i. Data Protection Officer

A Data Protection Officer (DPO) shall be appointed by the institution. The DPO ensures the Institution’s compliance with applicable laws and regulations for the protection of data privacy and security.

ii. Functions of the DPO
The DPO’s functions and responsibilities shall particularly include the following:

⚫ Monitoring the Institution’s Personal Data Processing activities in order to guarantee compliance with relevant Personal Data privacy laws and regulations, including the conduct of periodic internal audits and reviews to ensure that all data privacy policies are adequately implemented by its employees and authorized persons;

⚫ Developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other pertinent laws and regulations on Personal Data privacy;

⚫ Acting as the primary point of contact with whom Data Subjects may coordinate and consult for all concerns relating to their Personal Data;

⚫ Conducting orientations and trainings for employees regarding Personal Data privacy and security policies;

⚫ Preparing and filing the annual report of the summary of documented security incidents and Personal Data breaches, if any, as required under the Data Privacy Act, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.

iii. Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security

The Institution shall sponsor a mandatory training on data privacy and security at least annually. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

iv. Conduct of Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is a process which assists Institutions in identifying and minimizing the privacy risks of new projects or policies. The Institution shall conduct a PIA relative to all activities, projects and systems involving the processing of personal data.

v. Duty of Confidentiality

All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.

vi. Review of Privacy Manual

This Manual shall be reviewed and assessed annually. Privacy and security policies and practices within the Institution shall be updated to stay consistent with current data privacy best practices.

B. Physical Security Measures

The DPO, with the assistance of specific departments collecting or processing the information, shall develop and implement policies and procedures for the Institution to monitor and limit access to, and activities in the departments and/or workstations in the Institution where Personal Data is processed, including guidelines that specify the proper use of, and access to, electronic media.

i. Format of data to be collected

Personal data in the custody of the Institution may be in digital/electronic format and paper-based/physical format.

ii. Storage type and location

Aside from access restriction, the storage facilities for the printed copies of records containing personal information are also secured in cabinets or storage facilities. Only authorized personnel can open or have access to keys to the storage facilities. The storage units or facilities are set in zones which are not normally open to people in general, safe from physical hazards such as rain, wind and dust, and located in areas which are usually manned by the authorized personnel.

iii. Access procedure of agency personnel

Personal Data of students and employees collected and processed by the Institution are, in general, accessible only by authorized personnel. As provided under the DPA, data subjects also have the right to access their Personal Data. Requestors (students, parents or guardians, or employees) who wish to access their own personal information shall submit a duly accomplished request form to be approved by the department head involved and the DPO. The requestor may be allowed access to their specific individual information or given copies pursuant to the policies and guidelines on requesting access to or copies of records. The department involved shall secure the requested document/s, have the same photocopied, and hand this/these over to the official/employee concerned.

In cases where any individual or entity [other than the student, parent or guardian in case of minors, or employee] wishes to have access pursuant to the instances or exceptions provided under the Data Privacy Act, they need to submit a duly accomplished request form to the Department Head, who may either endorse or reject the same. If approved, the endorsed request shall be submitted to the DPO for approval. If the request involves digital or digitized data, the approval of the MIS head is required prior to endorsement by the Department Head to the DPO. Only written requests properly endorsed by the Department Head shall be considered for approval. The request form states the name of the requestor, the purpose, the type of access requested (i.e. copying or viewing only), and the time frame or time limit within which access shall be given, together with a guarantee that the information shall be used solely for purposes allowed by law and a statement that such shall be treated with utmost confidentiality.

In cases where government agencies empowered under the law to request personal information (i.e. BIR, DOH) request access, the Institution’s personnel must ensure that the request is in writing, citing the authority upon which the request is made. In cases where the request is the result of a valid order or decision of a tribunal or court, a copy of such order shall be attached to the request form. Once approved by the DPO, it shall be transmitted to the Department Head or appropriate Department for implementation. The Department Head who endorsed the same shall be responsible for monitoring the requestor’s compliance with the terms of the approved request (i.e. time limit and confidentiality). In case there is doubt on the propriety of any request for access, the Institution’s personnel should consult or seek clearance from the Legal Affairs Department or the DPO.

iv. Monitoring and Limitation of Access to room or facility

Only authorized personnel shall access and enter departments involved in collecting and processing of data. All offices where Personal Data is processed are protected with CCTV cameras to monitor the security of data.

v. Design of Office Space/Work Station

The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data. The design and layout of the office spaces and work stations, including the physical arrangement of furniture and equipment, shall be periodically evaluated and readjusted in order to provide privacy to anyone Processing Personal Data, taking into consideration the environment and accessibility to unauthorized persons.

vi. Maintenance of Confidentiality

Persons involved in processing shall always maintain confidentiality and integrity of personal data.

vii. Modes of Transfer of Personal Data within the Institution, or to Other Parties

viii. Retention and Disposal Procedure

The Institution shall retain personal data in its custody following the schedule identified in the item Storage, Retention, and Destruction under the Processing of Data in this Manual. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.

C. Technical Security Measures

The DPO, with the cooperation and assistance of MIS, shall continuously develop and evaluate the Institution’s security policy with respect to the Processing of Personal Data.

i. Monitoring for security breaches

The IT Administrator shall regularly read the firewall logs to monitor security breaches and alert the DPO of any unauthorized attempt to access the Institution’s network.

ii. Security features of the software/s and application/s used

The DPO, with the MIS officers, shall first review and evaluate software applications before their deployment on the computers and devices of employees, to ensure that their security features are compatible with the data privacy policies. For existing software applications which involve processing of personal data of the Institution’s employees, the following shall be observed:

The end user, with the technical assistance of the IT Unit of the MIS, shall evaluate and assess the security protocols of the system with regard to saving, backup, and data recovery. If such a protocol runs counter to the data privacy principles stated in the Data Privacy Act of 2012, remedial steps shall be taken to correct such flaws.

The DPO, during its annual IT maintenance activities, shall check software applications installed on all IT hardware and devices for compliance with the Institution’s data privacy policy. If a software/application is found to be a security risk, in that it may disturb or interrupt the normal operations of the Institution’s network, the DPO shall notify the end user of the risk and the software/application shall immediately be uninstalled. The DPO shall thereafter prepare an incident report.

iii. Process for regular testing, assessment and evaluation of the effectiveness of security measures

The DPO, together with the IT Administrator, shall conduct regular penetration testing of the firewall appliance, both from outside the Institution’s premises and from within, as part of a vulnerability assessment of the same.

iv. Encryption, authentication process, and other technical security measures that control and limit access to personal data

Computers used in Data Processing are secured with passwords. Software is kept up to date.

XI. Breach and Security Incidents

A. Measures to prevent and minimize occurrence of breach and security incidents

All employees and agents of the Institution involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data breach or Security Incident.

B. Procedure for recovery and restoration of personal data

The Institution shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

C. Notification protocol

In the event that such signs are discovered, the employee or agent shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from his or her discovery, for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred, as well as for the determination of the relevant circumstances surrounding the reported breach and/or Security Incident. The DPO shall notify the National Privacy Commission and the affected Data Subjects within 72 hours from knowledge thereof, pursuant to the requirements and procedures prescribed by the DPA.

D. Documentation and Reporting Procedure of Security Incidents or a Personal Data Breach

All Security Incidents and Personal Data breaches shall be documented through written reports. The report to the National Privacy Commission and the affected Data Subjects shall at least describe the following:

1. Nature of the breach;
2. The Personal Data possibly involved;
3. The measures taken by the Institution to address the breach. The report shall also include measures taken to reduce the harm or negative consequences of the breach;
4. The name and contact details of the DPO.

The form and procedure for report shall conform to the regulations and circulars issued by the National Privacy Commission, as may be updated from time to time.

In the case of Personal Data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the Institution. In other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the National Privacy Commission. A general summary of the reports shall be submitted by the DPO to the National Privacy Commission annually.

XII. Inquiries and Complaints

A. Inquiry on Data Privacy issues

Data subjects may inquire or request for information to the concerned department, regarding any matter relating to the processing of their personal data under the custody of the Institution, including the data privacy and security policies implemented to ensure the protection of their personal data.

B. Procedure for Complaints

Any suspected or actual breach of the Institution’s Data Privacy Policy, violation of data privacy rights, or any breach, loss, or unauthorized access or disclosure of personal information in the possession or under the custody of the Institution must be reported immediately to any member of the Data Privacy Response Team.

In case of a complaint for violation of the Institution’s Data Privacy Policies as contained in the provisions of this Manual, or of any serious breach, loss, or unauthorized access, disclosure or destruction of personal information in the possession or under the custody of the Institution, the DPO shall, within a reasonable time, conduct a verification of the allegations in the complaint and, if warranted, an official investigation in cases of serious security breach as provided under Republic Act No. 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations. The DPO shall report the same to the National Privacy Commission within seventy-two (72) hours from knowledge thereof and, if possible, after conducting the investigation on the matter pursuant to the provisions of said laws.

XIII. Changes to This Policy

We might occasionally update this Policy to reflect changes in our practices or for other reasons. When permissible, we will inform you of these updates through various communication methods, such as email or notifications on our website. However, please note that any changes will become effective immediately once they are posted on this website. This Policy is effective as of June 06, 2024.