Privacy is a fundamental human right. Recognizing this, the Camarines Sur Polytechnic Colleges strives to protect the data privacy of its stakeholders by conforming to data privacy principles and using industry-standard security measures when collecting, processing, disclosing, and retaining personal data.
The privacy policy of CSPC outlines the privacy practices that apply to all of the organization’s Personal Information processing activities. Furthermore, all relevant Philippine laws and rules, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations, and issuances of the National Telecommunications Commission (NTC), should be construed and applied in accordance with the CSPC’s privacy policy and guidelines.
This Privacy Notice explains how the Camarines Sur Polytechnic Colleges (CSPC) collects and utilizes Data Subjects’ personally identifiable information (hereafter referred to as “Personal Information”). Personal Information may be gathered manually through forms or documents or electronically through http://www.cspc.edu.ph and the related Uniform Resource Locators (URLs) available to Data Subjects.
Who are covered by this Policy?
This policy applies to students, parents, guardians, faculty, visiting faculty, staff, teaching and non-teaching contract of service personnel, retirees, applicant students, industry partners, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, and subcontractors.
What are the Privacy Principles espoused by the College?
The processing of personal information shall be allowed, subject to compliance with the requirements of this Manual and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality:
What are the principles for collection, processing and retention of Personal Information?
The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data:
Example: “All information shall be used by the College for legitimate purposes specifically for__________ and shall be processed by authorized personnel in accordance with the Data Privacy Policies of the College.”
Example: “I hereby allow/authorize CSPC to use, collect and process the information provided by me for legitimate purposes specifically for ________________, and also allow authorized personnel to process said information.”In case, there is no form or written document containing the privacy statement, the authorized personnel tasked to collect the information should verbally notify them of the purpose and ask the Data Subject to allow the College personnel to collect and process the information and shall record the processing of information with consent in writing.
What are the rights of the Data Subject?
The data subject is entitled to the following rights:
What Personal Information the College may be collected and processed?
Only the type and amount of data required to conduct the CSPC’s core and auxiliary operations are collected and processed. CSPC may collect a range of personal information in a number of circumstances and for various specific purposes as an organization which is made up of diverse entities.
Personal data can only be collected and processed when the College acquires the Data Subject’s consent, after the latter has been notified of the nature and scope of data collection and processing, either explicitly or implicitly.
When a Data Subject has given his or her consent to the processing of his or her personal data, CSPC may collect Personal Information about him or her. The Data Subject’s Personal Information will only be used in conjunction with his or her access to the use of electronic services, applications for school enrollment or employment and web-based applications, or any other transaction with CSPC. CSPC may keep all Personal Information acquired until it is no longer needed for the above-mentioned purposes and in line with applicable laws and school policy.
Moreover, authorized College personnel shall collect personal information which is reasonably necessary or directly related to the College’s primary or secondary functions or activities. Personal Information shall not be collected in anticipation that it may be useful in the future (“just in case” it is needed). The physical records or those which are not digital stored and secured in the CSPC data base are stored in the particular offices of the each Office. For student records from previous years which are required to perpetually stored and maintained by the College, a stockroom in a secured location is maintained by a third party tasked to physically store and secure the records. Access is restricted where such records may only be retrieved upon specific instructions of the College Registrar and only for legitimate purposes or upon request of the student or alumni for copies of their individual school record or pursuant to the College Registrar’s procedures and policies on request for records.
Personal information shall be collected by lawful and fair means, which is allowed under the College’s policies and the provisions of other existing regulations.
The Data Subject has the right to refuse, withdraw consent, or object to the use of his or her Personal Information, which CSPC upholds. The Data Subject’s application for admission or employment, request, access and use of school services, and other transactions may be denied by CSPC.
What are the uses of the Personal Information collected?
CSPC may collect Personal Information for the stated and legitimate purposes stated and consented to by the Data Subject when such information is obtained. CSPC may also use such Personal Information to contact the Data Subject about its services and goods, as well as for official publication or posting reasons, with the Data Subject’s explicit consent. CSPC may also utilize Personal Information for research and survey purposes to better understand and predict customer demands to improve its services and products.
How does Personal Information be disclosed?
With the Data Subject’s approval as to the purpose of the disclosure and the identity of the third parties, CSPC may release Personal Information to third parties. CSPC will ensure that these third parties’ privacy policies provide a comparable degree of protection to CSPC and are in compliance with all applicable Philippine laws and guidelines, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR).
In connection with any alleged violations by the Data Subject of the terms and conditions of his or her contract or agreement with CSPC, violations of law, subpoena, or inquiry by a governmental authority, CSPC may disclose Personal Information to law enforcement authorities, regulators, or other public authorities. CSPC maintains the right to report any action to law enforcement authorities that its workers believe unlawful in good faith.
Authorized College personnel are allowed to access, use and process said information for legitimate primary or secondary purposes of the College and/or that which is stated in the privacy statement contained in the forms or documents signed by the students or employees.
How will Personal Information be stored and secured?
Manually-obtained Personal Information is physically maintained and safeguarded. Electronically-obtained Personal Information is saved and secured in a CSPC data center database and in a cloud-based storage provider. The CSPC’s authorized service provider protects the electronic database.
CSPC takes reasonable steps to protect electronically obtained Personal Information, such as using an industry-standard firewall system and a Secure Socket Layer (SSL) certificate (SSL). SSL is a cryptographic protocol that ensures the security and integrity of data transmitted over networks like the internet. This information is only accessible to approved CSPC workers and contractors who have agreed to keep it private and confidential. Their access to Personal Information is restricted to the stated and specified legitimate purpose alone.
On demand, the Data Subject has reasonable access to his or her Personal Information. Unless the request is vexatious or otherwise unjustified, the Data Subject has the right to challenge any inaccuracy or error in his or her Personal Information and have CSPC fix said inaccuracy or error.
These are covered by the National Privacy Commission’s Data Privacy Act of 2012, its Implementing Rules, and relevant issuances; the National Archives of the Philippines Act of 2007, its Implementing Rules, and relevant issuances; and Executive Order No. 2, series of 2016 on Freedom of Information and subsequent related executive orders.
How long does the College retain Personal Information and disposed of?
Personal Information is only kept for as long as it is required to fulfill its stated purpose or meet regulatory and legal requirements. The retention time could range from days to years, depending on the nature of the data and the purpose for which it is used (e.g., student academic information). When retention is no longer necessary, the College will adequately dispose of personal data securely and discreetly.
Liability and Exclusion
CSPC shall not be liable for any loss, expense, or damage arising out of or in connection with the wrongful use or reliance by the Data Subject or other third party upon the information in this privacy notice.
Effectivity of this Policy
The CSPC Data Privacy Officer has the authority to issue policies, guidelines, and rules that are not in opposition with this Policy. Suppose any legislation or regulation listed in this Policy is altered or superseded. In that case, it will be assumed that this Policy refers to the amended or superseding law or regulation, without prejudice to a person’s right to be free of laws that apply retroactively. If any part of this Policy is deemed null and void, the remaining portions will continue to be in full force and effect.
Definition of Terms
The following terms shall have the following definitions for this Privacy Notice:
“Data Subject” refers to an individual whose Personal Information is processed;
“Personal Information” refers to any information from which a person in possession of said information can reasonably and directly ascertain the identity of a Data Subject, and includes, but is not limited to, the name, date of birth, email and physical addresses, demographic information, and contact information; and
“Processing” refers to any activity conducted on the Personal Information including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, and erasure or destruction.
The CSPC Data Protection Officer
The CSPC Data Protection Officer is tasked to protect the privacy of personal information to, in, and from CSPC with the following functions:
For data protection concerns and inquiries relating to the CSPC’s Privacy Notice or to report privacy incidents, please contact the CSPC Data Protection Officer through any of the following channels:
Address: Administration Building, 2nd floor, Records and Freedom of Information Office
Phone: (065) 288-4421 to 23 loc. 113 or 09190770432
Email: dpo@cspc.edu.ph
The CSPC Privacy resources are on the CSPC Privacy Portal at https://cspc.edu.ph/privacy.
A copy of this Policy is at https://cspc.edu.ph/privacy/privacy-policy/
Also, the approved Data Privacy Manual of the College can be viewed here: https://cspc.edu.ph/privacy/data-privacy-manual/