Privacy is a fundamental human right. Recognizing this, the Camarines Sur Polytechnic Colleges strives to protect the data privacy of its stakeholders by conforming to data privacy principles and using industry-standard security measures when collecting, processing, disclosing, and retaining personal data.
This Privacy Notice explains how the Camarines Sur Polytechnic Colleges (CSPC) collects and utilizes Data Subjects’ personally identifiable information (hereafter referred to as “Personal Information”). Personal Information may be gathered manually through forms or documents or electronically through http://www.cspc.edu.ph and the related Uniform Resource Locators (URLs) available to Data Subjects.
Who is covered by this Policy?
This policy applies to students, parents, guardians, faculty, visiting faculty, staff, teaching and non-teaching contract of service personnel, retirees, applicant students, industry partners, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, and subcontractors.
What are the Privacy Principles espoused by the College?
The processing of personal information shall be allowed, subject to compliance with the requirements of this Manual and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality:
- Transparency – The data subject must be aware of the nature, purpose, and extent of the processing of his/her personal data, including the risks and safeguards involved, the identity of PIC, his/her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. Example: In the enrolment process, upperclassmen are required to fill out the Student Data Sheet. The purpose of such collection of information is stated in the form and the consent of the student is obtained through the form which is filled out and signed by the student.
- Legitimate Purpose – The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. Example: Personal information such as the student’s name, parents’ names and addresses, and contact numbers, etc., shall be used only for purposes such as enrolment, academic activities and availment of student services which is allowed under existing regulations.
- Proportionality – The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by any other means. Example: In the application for admission as a college student in CSPC, only information such as name, address, contact numbers, previous schools, parent’s or guardian’s name, which are necessary for the evaluation for eligibility for admission to the College is collected.
What are the principles for collection, processing and retention of Personal Information?
The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data:
- Collection must be for a declared, specified, and legitimate purpose:
- Consent is required prior to the collection and processing of personal data, subject to exemptions provided by this Manual and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn. Forms for collection of personal information include a provision or a variation of these privacy statements.
Example: “All information shall be used by the College for legitimate purposes specifically for __________ and shall be processed by authorized personnel in accordance with the Data Privacy Policies of the College.”
Example: “I hereby allow/authorize CSPC to use, collect and process the information provided by me for legitimate purposes specifically for ________________, and also allow authorized personnel to process said information.” In case there is no form or written document containing the privacy statement, the authorized personnel tasked to collect the information should verbally notify the Data Subject of the purpose and ask the Data Subject to allow the College personnel to collect and process the information, and shall record the processing of information with consent in writing.
- The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his/her personal data for profiling or data sharing. Only authorized personnel are allowed to access and process the personal information collected from the students, their parents or guardians in accordance with Data Privacy policies of the College and the other existing regulations which require that student records as well as the information contained therein are to be kept confidential. Example: Only the registrar or her duly authorized representative or personnel is allowed complete access to the student profile which includes the names, student numbers, parents’ names, addresses, contact numbers, grades, etc.
- Purpose should be determined and declared before, or as soon as reasonably practicable, after collection.
- Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.
- Personal data shall be processed fairly and lawfully:
- Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
- Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
- Processing must be in a manner compatible with declared, specified, and legitimate purpose.
- Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards. Authorized College personnel shall collect personal information which is reasonably necessary or directly related to the College’s primary or secondary functions or activities. Personal Information shall not be collected in anticipation that it may be useful in the future (“just in case” it is needed). The physical records, or those which are not digitally stored and secured in the CSPC database, are stored in a particular office. For student records from previous years which are required to be perpetually stored and maintained by the College, a stockroom in a secured location is maintained by a third party tasked to physically store and secure the records. Access is restricted where such records may only be retrieved upon specific instructions of the College Registrar and only for legitimate purposes or upon request of the student or alumni for copies of their individual school records or pursuant to the College Registrar’s procedures and policies on request for records. Personal information shall be collected by lawful and fair means, which is allowed under the College’s policies and the provisions of other existing regulations. Example: For foreign students, nationality, ACR numbers, passport numbers and the contact numbers of the parents or guardians are necessary in case of emergencies and other situations where the student’s parents or embassy are required to be notified.
- Processing should ensure data quality:
- Personal data should be accurate and where necessary for declared, specified and legitimate purpose, kept up to date.
- Inaccurate or incomplete data must be rectified, supplemented, destroyed or restricted for further processing.
- Personal data shall not be retained longer than necessary:
- Retention of personal data shall only be done for as long as necessary:
- for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
- for the establishment, exercise or defense of legal claims; or
- for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by National Archives;
- Retention of personal data shall be allowed in cases provided by law.
- Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
- Any authorized further processing shall have adequate safeguards:
- Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the DPA in order to safeguard the rights and freedoms of the data subject.
- Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
- Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
What are the rights of the Data Subject?
The data subject is entitled to the following rights:
- Right to be Informed
- The data subject has a right to be informed whether personal data pertaining to him/her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
- The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:
- Description of the personal data to be entered into the system;
- Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
- Basis of processing, when processing is not based on the consent of the data subject;
- Scope and method of the personal data processing;
- The recipients or classes of recipients to whom the personal data are or may be disclosed;
- Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- The identity and contact details of the personal data controller or its representative;
- The period for which the information will be stored; and
- The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the NPC.
- Right to Object. The data subject shall have the right to object to the processing of his/her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph. When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:
- The personal data is needed pursuant to a subpoena;
- The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
- The information is being collected and processed as a result of a legal obligation.
- Right to Access. The data subject has the right to reasonable access to, upon demand, the following:
- Contents of his/her personal data that were processed;
- Sources from which personal data were obtained;
- Names and addresses of recipients of the personal data;
- Manner by which such data were processed;
- Reasons for the disclosure of the personal data to recipients, if any;
- Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
- Date when his or her personal data concerning the data subject were last accessed and modified; and
- The designation, name or identity, and address of the personal information controller.
- Access by authorized personnel
As a general rule, only authorized personnel shall have access to student or employee personal information. Students or parents or guardians (in case of minors) who wish to have access to their own personal information may submit a written request directly to the Registrar’s Office and may be allowed access to their specific individual information or given copies, pursuant to the policies and guidelines on requesting for access or copies of student records. Request for information through telephone is not allowed. In case of email inquiry, proof of actual parent or student identity shall be submitted along with the email request.
- Viewing personal information
Employees who wish to view the personal information in their individual personnel file may file a written request or directly go to the HRM Office, and request for viewing of such information in the presence of an authorized personnel of the office.
- Access to personal information
As a general rule, only authorized personnel may be allowed to have access to the personal information subject to the procedure established in this section. In such cases where any individual or entity [other than the student, parent or guardian in case of minors, or employee] wishes to have access pursuant to the instances or exceptions provided under the Data Privacy Act or Item VI of this Manual, a written request shall be submitted to the Office Head who may either endorse or reject the same. If approved, the endorsed request shall be submitted to the DPO or her duly authorized representative for approval. If the request involves digital or digitized data, then the approval of the Database Administrator is required prior to endorsement of the Office Head to the DPO. Only written requests properly endorsed by the Office Head shall be considered for approval.
- Form of written request
The written request shall state the name of the requestor, the purpose, the type of access requested (i.e. copying or viewing only), and the time frame or time limit within which access shall be given with a guarantee that the information shall be used solely for purposes allowed by law and a statement that such shall be treated with utmost confidentiality.
- Request by government agencies
In cases where the request comes from government agencies empowered under the law to request personal information (i.e., BIR, DOH), college personnel must ensure that the request is in writing, citing the authority upon which the request is made. In cases where the request is a result of a valid order or decision of a tribunal or court, a copy of such order shall be attached to the written request.
- Approved by DPO
Once approved by the DPO, it shall be transmitted to the Office Head or appropriate Department for implementation.
- Endorsement by office head
The Office Head who endorsed the same shall be responsible for monitoring compliance of the requestor with the terms of the approved request (i.e., time limit and confidentiality).
In case there is doubt on the propriety of any request for access, college personnel should consult or seek clearance from the DPO.
- Right to Rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the PIC shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.
- Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his/her personal data from the PIC’s filing system.
- This right may be exercised upon discovery and substantial proof of any of the following:
- The personal data is incomplete, outdated, false, or unlawfully obtained;
- The personal data is being used for purpose not authorized by the data subject;
- The personal data is no longer necessary for the purposes for which they were collected;
- The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
- The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
- The processing is unlawful;
- The PIC or PIP violated the rights of the data subject.
- The PIC may notify third parties who have previously received such processed personal information.
- Right to Damages. The data subject shall be indemnified for any damage sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his/her rights and freedoms as data subject.
What Personal Information may be collected and processed by the College?
Only the type and amount of data required to conduct the CSPC’s core and auxiliary operations are collected and processed. CSPC may collect a range of personal information in a number of circumstances and for various specific purposes as an organization which is made up of diverse entities.
Personal data can only be collected and processed when the College acquires the Data Subject’s consent, after the latter has been notified of the nature and scope of data collection and processing, either explicitly or implicitly.
When a Data Subject has given his or her consent to the processing of his or her personal data, CSPC may collect Personal Information about him or her. The Data Subject’s Personal Information will only be used in conjunction with his or her access to the use of electronic services, applications for school enrollment or employment and web-based applications, or any other transaction with CSPC. CSPC may keep all Personal Information acquired until it is no longer needed for the above-mentioned purposes and in line with applicable laws and school policy.
Moreover, authorized College personnel shall collect personal information which is reasonably necessary or directly related to the College’s primary or secondary functions or activities. Personal Information shall not be collected in anticipation that it may be useful in the future (“just in case” it is needed). The physical records, or those which are not digitally stored and secured in the CSPC database, are stored in the particular offices of each Office. For student records from previous years which are required to be perpetually stored and maintained by the College, a stockroom in a secured location is maintained by a third party tasked to physically store and secure the records. Access is restricted where such records may only be retrieved upon specific instructions of the College Registrar and only for legitimate purposes or upon request of the student or alumni for copies of their individual school record or pursuant to the College Registrar’s procedures and policies on request for records.
Personal information shall be collected by lawful and fair means, which is allowed under the College’s policies and the provisions of other existing regulations.
The Data Subject has the right to refuse, withdraw consent, or object to the use of his or her Personal Information, which CSPC upholds. The Data Subject’s application for admission or employment, request, access and use of school services, and other transactions may be denied by CSPC.
What are the uses of the Personal Information collected?
CSPC may collect Personal Information for the legitimate purposes stated to and consented to by the Data Subject when such information is obtained. CSPC may also use such Personal Information to contact the Data Subject about its services and goods, as well as for official publication or posting reasons, with the Data Subject’s explicit consent. CSPC may also utilize Personal Information for research and survey purposes to better understand and predict customer demands to improve its services and products.
How is Personal Information disclosed?
With the Data Subject’s approval as to the purpose of the disclosure and the identity of the third parties, CSPC may release Personal Information to third parties. CSPC will ensure that these third parties’ privacy policies provide a comparable degree of protection to CSPC and are in compliance with all applicable Philippine laws and guidelines, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR).
In connection with any alleged violations by the Data Subject of the terms and conditions of his or her contract or agreement with CSPC, violations of law, subpoena, or inquiry by a governmental authority, CSPC may disclose Personal Information to law enforcement authorities, regulators, or other public authorities. CSPC maintains the right to report to law enforcement authorities any action that its workers believe in good faith to be unlawful.
Authorized College personnel are allowed to access, use and process said information for legitimate primary or secondary purposes of the College and/or that which is stated in the privacy statement contained in the forms or documents signed by the students or employees.
- Primary purpose
As an educational institution, personal information is collected primarily for the educational purposes of the students and employment purposes. This includes monitoring academic activities as well as extracurricular activities of students and monitoring potential and current employees in accordance with CSC rules and regulations. This also includes information collected for purposes set out in the privacy statements contained in the documents signed by students or employees. Such information is allowed to be processed and used by authorized personnel for such purposes.
- Secondary purposes
Secondary purposes are those which are collateral to the primary purposes and which are necessary to process the information. This includes monitoring the current administrative or disciplinary standing (for student and employee discipline), financial condition (for scholarship purposes) or the health and psychological wellness of students and employees (health purposes). Authorized college personnel are allowed to use personal information collected and/or processed for such purposes provided the following circumstances are present:
- The student or employee has consented to the use or disclosure for the secondary purpose; or
- The student or employee would reasonably expect the College through its authorized personnel to use, or process personal information for secondary purpose and that the secondary purposes are directly related to the primary purposes.
- Sensitive personal information
Sensitive personal information may not be disclosed or processed, except in any of the following cases:
- Consent is given by data subject, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose of the College;
- The processing of the sensitive personal information is provided for by existing laws and regulations, such as medical history to be disclosed by the student as part of the monitoring of the health of the student, provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data.
- The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing.
- The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations provided that the processing is confined and related to the bona fide members of these organizations or their associations; the sensitive personal information are not transferred to third parties; and consent of the data subject was obtained prior to processing.
- The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured.
- The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.
- Government-related use and disclosures
Personal information is allowed to be used and disclosed to government agencies to satisfy reportorial requirements in line with their constitutionally or legislatively mandated functions pursuant to existing education or civil service law and rules, or when the use is pursuant to a lawful order of a court or tribunal.
How will Personal Information be stored and secured?
Manually-obtained Personal Information is physically maintained and safeguarded. Electronically-obtained Personal Information is saved and secured in a CSPC data center database and in a cloud-based storage provider. The CSPC’s authorized service provider protects the electronic database.
CSPC takes reasonable steps to protect electronically obtained Personal Information, such as using an industry-standard firewall system and a Secure Sockets Layer (SSL) certificate. SSL is a cryptographic protocol that ensures the security and integrity of data transmitted over networks like the internet. This information is only accessible to approved CSPC workers and contractors who have agreed to keep it private and confidential. Their access to Personal Information is restricted to the stated and specified legitimate purpose alone.
On demand, the Data Subject has reasonable access to his or her Personal Information. Unless the request is vexatious or otherwise unjustified, the Data Subject has the right to challenge any inaccuracy or error in his or her Personal Information and have CSPC fix said inaccuracy or error.
These are covered by the National Privacy Commission’s Data Privacy Act of 2012, its Implementing Rules, and relevant issuances; the National Archives of the Philippines Act of 2007, its Implementing Rules, and relevant issuances; and Executive Order No. 2, series of 2016 on Freedom of Information and subsequent related executive orders.
How long does the College retain Personal Information, and how is it disposed of?
Personal Information is only kept for as long as it is required to fulfill its stated purpose or meet regulatory and legal requirements. The retention time could range from days to years, depending on the nature of the data and the purpose for which it is used (e.g., student academic information). When retention is no longer necessary, the College will adequately dispose of personal data securely and discreetly.
Liability and Exclusion
CSPC shall not be liable for any loss, expense, or damage arising out of or in connection with the wrongful use or reliance by the Data Subject or other third party upon the information in this privacy notice.
Effectivity of this Policy
The CSPC Data Privacy Officer has the authority to issue policies, guidelines, and rules that are not in opposition with this Policy. If any legislation or regulation listed in this Policy is altered or superseded, it will be assumed that this Policy refers to the amended or superseding law or regulation, without prejudice to a person’s right to be free of laws that apply retroactively. If any part of this Policy is deemed null and void, the remaining portions will continue to be in full force and effect.
Definition of Terms
The following terms shall have the following definitions for this Privacy Notice:
“Data Subject” refers to an individual whose Personal Information is processed;
“Personal Information” refers to any information from which a person in possession of said information can reasonably and directly ascertain the identity of a Data Subject, and includes, but is not limited to, the name, date of birth, email and physical addresses, demographic information, and contact information; and
“Processing” refers to any activity conducted on the Personal Information including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, and erasure or destruction.
The CSPC Data Protection Officer
The CSPC Data Protection Officer is tasked to protect the privacy of personal information to, in, and from CSPC with the following functions:
- Comply with data privacy laws and regulations including implementing data protection measures, submitting regulatory requirements, and managing privacy incidents.
- Provide units of the College support services including formulating policies, training people, and conducting audits with remediation solutions.
- Prevent legal, financial, and operational risks by improving current and future forms, contracts, processes, and I.T. systems to secure against information leakage.
- Develop in the College a culture of respect for privacy by formulating policies and establishing practices at par with domestic and international standards.
For data protection concerns and inquiries relating to the CSPC’s Privacy Notice or to report privacy incidents, please contact the CSPC Data Protection Officer through any of the following channels:
Address: Administration Building, 2nd floor, Records and Freedom of Information Office
Phone: (065) 288-4421 to 23 loc. 113 or 09190770432
The CSPC Privacy resources are on the CSPC Privacy Portal at https://cspc.edu.ph/privacy.