San Juan de Dios Educational Foundation, Inc. – College
San Juan de Dios Educational Foundation, Inc. – College (SJDEFI) recognizes the importance of protecting the personal information of all individuals connected with the institution. In the course of its operations, the College collects and processes different kinds of personal data from students, employees, parents, alumni, applicants, visitors, and partner institutions. This information are necessary for the delivery of educational services, employment administration, student support, financial transactions, research activities, and institutional operations.
With the advancement of technology and the increased use of digital systems, the risk of unauthorized access, misuse, theft, or disclosure of personal information has also increased. Because of this, SJDEFI commits itself to implementing effective privacy and security measures to ensure that all personal data are properly protected.
This Data Privacy Guide serves as the institution's framework for responsible data handling and compliance with the provisions of the Data Privacy Act of 2012 (Republic Act No. 10173) and the regulations of the National Privacy Commission (NPC). The guide establishes policies, responsibilities, and procedures that govern the collection, processing, storage, sharing, retention, and disposal of personal data within the institution.
The guide also promotes awareness among all members of the SJDEFI community regarding their duties and responsibilities in maintaining confidentiality and protecting privacy rights. Through this policy, the College aims to establish trust, accountability, transparency, and security in all information-processing activities.
One of the primary objectives of this guide is to ensure that SJDEFI complies with the requirements of Republic Act No. 10173 or the Data Privacy Act of 2012. Compliance means following the legal standards and regulations set by the National Privacy Commission regarding the proper handling of personal information.
The institution acknowledges that non-compliance may lead to legal liabilities, penalties, reputational damage, and loss of trust among stakeholders. Therefore, all offices, departments, employees, and personnel are required to adhere to the policies and procedures stated in this guide.
Compliance also means regularly reviewing institutional practices and updating procedures whenever new laws, technologies, or privacy risks emerge.
The College is responsible for protecting all personal information under its custody. Personal data such as student records, employee files, medical information, and financial details are considered valuable and sensitive. If these information fall into the wrong hands, individuals may suffer identity theft, discrimination, financial loss, emotional distress, or reputational harm.
This guide establishes security measures to ensure that personal data are:
Protecting personal information is not only a legal responsibility but also an ethical obligation of the institution.
Another objective of this guide is to provide standardized procedures in handling personal information throughout its entire life cycle. This includes:
By establishing clear procedures, the institution minimizes confusion, errors, and inconsistent practices among departments and personnel.
The guide also helps employees understand what actions are permitted and prohibited when handling personal data.
SJDEFI promotes a culture of accountability where every employee and office handling personal information is responsible for protecting the confidentiality and integrity of the data entrusted to them.
Transparency is also emphasized by ensuring that data subjects are informed about:
Transparent practices strengthen trust between the institution and its stakeholders.
The institution aims to reduce the risk of privacy incidents and personal data breaches by implementing preventive security measures and response protocols.
A data breach may occur due to:
This guide establishes preventive controls and incident response procedures to minimize risks and ensure immediate action whenever an incident occurs.
The scope of this Data Privacy Guide defines who and what are covered by the policy.
This guide applies to all individuals and offices within SJDEFI that collect, process, store, or manage personal information. It includes:
The guide also covers all forms of data processing, whether manual or automated. This includes:
The policy applies regardless of where the information is stored or processed.
By defining the scope clearly, the institution ensures that all stakeholders understand that data privacy responsibilities apply across all offices and activities.
The Data Privacy Act establishes important principles that guide institutions in processing personal data responsibly.
SJDEFI adopts these principles as the foundation of its privacy practices.
Transparency means that the institution must be honest and open with individuals regarding how their personal information is collected, processed, and used.
Before collecting any information, SJDEFI must inform the data subject about:
For example, during student enrollment, applicants must be informed that their information will be used for academic records, billing, student services, and government reporting requirements.
Transparency helps individuals make informed decisions regarding their personal information and promotes trust between the institution and the data subject.
Failure to provide proper notice may be considered a violation of data privacy rights.
Personal data must only be collected for lawful, specific, and legitimate purposes.
SJDEFI may only collect information that is necessary for institutional operations and educational services.
Examples of legitimate purposes include:
The institution must not use personal data for unrelated or unauthorized activities without obtaining proper consent.
For example, student contact information collected for enrollment cannot automatically be used for commercial marketing activities unless permission is granted.
This principle prevents misuse and abuse of personal information.
Proportionality means that the institution should collect only the minimum amount of information necessary to accomplish a legitimate purpose.
Excessive or unnecessary collection of information is discouraged because it increases privacy risks.
For example:
A seminar registration form may only require the participant’s name, department, and contact number.
It would be unnecessary to request highly sensitive personal information unrelated to the activity.
This principle ensures balance between institutional needs and the individual’s right to privacy.
Collecting unnecessary data may expose individuals to greater risks in case of unauthorized disclosure or data breach.
Personal information refers to any data that can identify an individual directly or indirectly.
Examples include:
These information are commonly used in school operations and administrative processes.
Although considered basic information, personal information must still be protected because unauthorized disclosure may lead to misuse or identity theft.
Sensitive personal information refers to highly confidential data that require stricter protection because disclosure may seriously affect the individual.
Examples include:
Because of the confidential nature of these information, access must be limited only to authorized personnel with legitimate reasons.
Improper disclosure may result in discrimination, embarrassment, financial harm, or legal consequences.
Privileged information refers to confidential communications protected by law or ethical standards.
Examples include:
This information are protected because disclosure may violate legal rights, professional ethics, or institutional confidentiality obligations.
Only authorized individuals may access privileged information.
Data classification is an important component of the Data Privacy Guide because it helps the institution determine the level of protection, security, and access control required for different kinds of information. Not all information has the same degree of sensitivity. Some information may be shared publicly, while others require strict confidentiality and limited access.
Proper classification ensures that employees understand how information should be handled, stored, transmitted, and disposed of.
SJDEFI classifies personal data into three major categories:
Public information refers to data that may be disclosed to the public without causing harm or violating privacy rights. These information are generally intended for public awareness, institutional promotion, or official communication.
Examples of public information include:
Although public information may be shared openly, SJDEFI still ensures that the information released is accurate, appropriate, and officially authorized.
Employees must avoid releasing confidential or sensitive details disguised as public information. Even publicly available information must still be handled responsibly to prevent misuse or misrepresentation.
Confidential information refers to personal data that are restricted and may only be accessed by authorized individuals for legitimate institutional purposes.
These information require protection because unauthorized disclosure may:
Examples of confidential information include:
Confidential information must only be processed by authorized personnel such as:
Access to confidential information must be controlled through:
Employees handling confidential information are expected to observe professionalism, confidentiality, and discretion at all times.
Unauthorized disclosure, sharing, or discussion of confidential information is strictly prohibited and may result in disciplinary action or legal liability.
Classified information refers to highly sensitive data that require the highest level of protection because unauthorized disclosure may result in severe harm, identity theft, financial loss, security threats, or institutional compromise.
Examples of classified information include:
Because of the extreme sensitivity of classified information, access is strictly limited to specifically authorized personnel only.
SJDEFI implements stronger safeguards for classified information such as:
Employees are prohibited from:
The institution recognizes that the compromise of classified information may lead to serious legal, operational, and financial consequences. Therefore, strict security protocols must always be followed.
| Classification | Description | Examples |
|---|---|---|
| Public | Accessible to the public | Directory, announcements |
| Confidential | Restricted access | Student records, employee files |
| Classified | Highly sensitive | Passwords, bank details |
Data collection is one of the most important stages in data processing because it is the point where personal information is obtained from individuals.
SJDEFI ensures that all personal information collected are:
The institution follows the principle that individuals have the right to know why their information is being collected and how it will be used.
SJDEFI collects personal information for legitimate educational, administrative, and operational purposes such as:
The institution only collects information necessary to fulfill these purposes.
Excessive, irrelevant, or unnecessary collection of information is avoided to reduce privacy risks.
Consent refers to the voluntary agreement of the individual to allow the institution to collect and process personal information.
Consent must be:
Before obtaining consent, SJDEFI must explain:
For example:During online enrollment, students may be asked to agree to a privacy notice before submitting their personal information.
Consent is important because it respects the individual’s right to control personal information.
However, there are situations where processing may still be allowed even without consent, such as:
A privacy notice is a statement provided to individuals explaining how their personal data will be handled.
SJDEFI ensures that privacy notices are:
Privacy notices are included in:
The purpose of the privacy notice is to maintain transparency and allow individuals to make informed decisions regarding their information.
Data processing refers to any operation performed on personal information.
This includes:
SJDEFI ensures that all processing activities are lawful, fair, secure, and aligned with institutional purposes.
The institution processes personal information only when permitted by law or supported by legitimate institutional purposes.
Processing activities must always comply with:
Unlawful processing, unauthorized access, or misuse of information is prohibited.
Access to personal information is limited only to authorized individuals who require the information to perform official duties.
Examples:
Employees are not allowed to access records outside their responsibilities.
SJDEFI implements access controls such as:
This minimizes unauthorized access and protects confidentiality.
The institution ensures that personal information is accurate, complete, and updated whenever necessary.
Inaccurate information may:
Data subjects may request corrections if they discover incorrect information in institutional records.
Personal information must be stored securely to prevent unauthorized access, loss, theft, or damage.
SJDEFI protects data through:
Physical records are kept in locked cabinets or restricted offices, while electronic records are protected through technical safeguards.
Employees must exercise caution when handling records both inside and outside the institution.
Data sharing refers to the transfer or disclosure of personal information to another person, office, organization, or third party.
SJDEFI recognizes that personal information should not be shared freely without proper authorization or legal basis.
Personal information may only be shared when:
Examples include:
Before sharing information, the institution ensures that the receiving party has adequate safeguards to protect the data.
SJDEFI may engage third-party service providers for services such as:
Third parties processing personal information on behalf of SJDEFI are required to:
Formal agreements are established to define responsibilities and obligations.
Unauthorized disclosure occurs when personal information is shared without permission or legal authority.
Examples include:
Unauthorized disclosure is considered a serious violation and may result in disciplinary action, administrative sanctions, or legal penalties.
Data retention and disposal are essential parts of data privacy management because personal information should not be kept indefinitely without valid purpose. SJDEFI recognizes that retaining unnecessary records increases the risk of unauthorized access, misuse, accidental disclosure, and security breaches.
The institution therefore establishes proper retention schedules and secure disposal procedures to ensure that personal information is managed responsibly throughout its entire life cycle.
Data retention refers to the period during which personal information is stored and maintained by the institution.
SJDEFI retains personal information only for as long as necessary to:
The retention period may vary depending on the type of record involved.
Examples include:
The institution ensures that retained records are:
Records that are no longer necessary must not be retained unnecessarily because prolonged storage increases privacy and security risks.
While records are retained, SJDEFI ensures that they are protected from:
The institution applies both physical and technical safeguards.
Examples of physical safeguards include:
Examples of technical safeguards include:
Only authorized personnel with legitimate institutional functions may access retained information.
Employees are reminded that confidentiality obligations continue even after records are archived or inactive.
Data disposal refers to the proper destruction or deletion of personal information that is no longer necessary.
SJDEFI ensures that disposal procedures prevent unauthorized recovery or reconstruction of information.
Improper disposal may expose individuals to identity theft, fraud, reputational damage, or privacy violations.
Examples of secure disposal methods include:
For Physical Records:
For Electronic Records:
Simply deleting files from a computer is not sufficient because data may still be recoverable.
The institution ensures that disposal activities are supervised and documented when necessary.
All employees handling records are responsible for:
Offices and departments must coordinate with the Data Protection Officer (DPO) when disposing of sensitive or classified records.
Failure to dispose of records properly may expose the institution to legal and security risks.
SJDEFI recognizes and respects the rights of individuals regarding their personal information. These rights are guaranteed under the Data Privacy Act of 2012 and are essential in protecting privacy and human dignity.
Data subjects include:
The institution ensures that individuals are able to exercise these rights fairly and reasonably.
Data subjects have the right to know:
SJDEFI fulfills this right through:
Transparency allows individuals to make informed decisions regarding their personal information.
Individuals have the right to request access to their personal information held by the institution.
This includes the right to know:
For example:
SJDEFI establishes procedures for verifying identity before granting access to prevent unauthorized disclosure.
Data subjects may request correction of inaccurate, incomplete, outdated, or misleading information.
Accurate information is important because errors may negatively affect:
Examples include correcting:
SJDEFI evaluates correction requests and updates records when justified.
Individuals have the right to object to the processing of their personal information under certain circumstances.
For example, a person may object if:
The institution evaluates objections carefully while balancing legal and institutional obligations.
However, some processing activities may continue if required by law or necessary for institutional functions.
Also known as the “right to be forgotten,” this allows individuals to request deletion or blocking of personal information when:
SJDEFI evaluates requests while considering:
Some records, such as academic records, may need to be retained despite requests for deletion due to legal or regulatory requirements.
Data subjects may file complaints if they believe their privacy rights have been violated.
Complaints may involve:
Complaints may be submitted to:
SJDEFI ensures that complaints are handled fairly, promptly, and confidentially.
Protecting personal information is a shared responsibility within SJDEFI. Every employee, office, and stakeholder has a role in ensuring compliance with data privacy laws and institutional policies.
Clearly defining responsibilities helps promote accountability and effective implementation of privacy practices.
The Data Protection Officer is responsible for overseeing the institution’s compliance with data privacy laws and policies.
The DPO serves as the primary authority on privacy-related matters within the institution.
Responsibilities of the DPO include:
The DPO also advises the institution on privacy risks and recommended safeguards.
To perform these functions effectively, the DPO must be given sufficient authority, independence, and institutional support.
All employees are responsible for protecting the confidentiality and integrity of personal information they handle.
Employees are expected to:
Employees must exercise professionalism and caution when handling personal data inside and outside the workplace.
Negligence, carelessness, or intentional misuse of information may result in disciplinary or legal consequences.
Each office handling personal information is responsible for implementing privacy and security measures appropriate to its functions.
Examples include:
Departments must coordinate with the DPO regarding compliance concerns and privacy risk.
Security measures are essential in protecting personal information from unauthorized access, misuse, disclosure, alteration, destruction, or loss. SJDEFI recognizes that both physical and digital records are vulnerable to different forms of threats such as theft, hacking, negligence, natural disasters, and human error.
To ensure the confidentiality, integrity, and availability of personal information, the institution implements a combination of physical, technical, and organizational security measures.
These safeguards are designed to minimize risks and strengthen the institution’s ability to protect personal data.
Physical security measures are safeguards implemented to protect paper records, storage facilities, equipment, and offices from unauthorized access or physical damage.
SJDEFI ensures that confidential records are stored in secure environments accessible only to authorized personnel.
Examples of physical security measures include:
Sensitive records such as student files, employee records, medical documents, and financial information must not be left unattended or exposed in public areas.
Employees are expected to observe clean desk policies and proper document handling procedures to reduce the risk of accidental exposure or unauthorized access.
The institution also prepares contingency measures for emergencies such as:
Backup storage and disaster recovery plans help ensure continuity and protection of important institutional records.
Technical security measures refer to the digital safeguards implemented to protect electronic data and information systems.
Because SJDEFI uses computers, databases, online learning systems, and digital communication platforms, strong cybersecurity measures are necessary to prevent unauthorized access and cyber threats.
Examples of technical security measures include:
Employees and authorized users are required to use strong and confidential passwords for accessing institutional systems.
Passwords should:
Weak or shared passwords increase the risk of unauthorized access.
SJDEFI installs antivirus and anti-malware software on institutional devices to detect and prevent malicious attacks such as:
Regular updates and system scans are conducted to maintain system security.
Firewalls are used to protect institutional networks from unauthorized external access and cyberattacks.
Network monitoring helps detect suspicious activities and security vulnerabilities.
Only authorized devices and users may access certain systems or databases.
Encryption converts information into coded formats to prevent unauthorized reading or interception.
SJDEFI may use encryption when transmitting or storing sensitive information such as:
Encryption helps ensure that even if information is intercepted, it cannot easily be understood or misused.
The institution maintains backup systems to protect important records from loss caused by:
Regular backups allow restoration of data when necessary and help maintain continuity of operations.
Backup files must also be secured and protected from unauthorized access.
SJDEFI limits system access according to job responsibilities and authorization levels.
Examples:
Not all employees should have access to all systems or records.
This principle of limited access minimizes unnecessary exposure of personal information.
Organizational security measures involve policies, procedures, training, and governance practices that promote responsible handling of personal information.
SJDEFI recognizes that technology alone cannot guarantee data protection. Employees and stakeholders must also understand and follow privacy responsibilities.
Examples of organizational measures include:
The institution also establishes accountability mechanisms to ensure that employees comply with institutional privacy standards.
Organizational culture plays an important role in promoting respect for confidentiality and responsible information handling.
Employees are considered one of the most important components of data security because many privacy incidents result from human error or negligence.
Employees are expected to:
Examples of improper practices that must be avoided include:
Failure to observe security protocols may expose the institution and affected individuals to significant risks.
Despite preventive measures, privacy incidents and security breaches may still occur. SJDEFI therefore establishes procedures for responding quickly and effectively whenever such incidents happen.
Proper incident management helps minimize harm, contain risks, and restore security.
A privacy incident refers to any event involving personal information that may compromise privacy or data security.
Examples include:
Not all privacy incidents automatically become data breaches, but all incidents must be evaluated carefully.
A personal data breach occurs when there is:
Examples include:
Data breaches may cause serious harm to individuals and the institution.
Possible consequences include:
SJDEFI encourages immediate reporting of suspected or confirmed incidents.
Employees must report incidents to:
Reports should include:
Prompt reporting helps contain the situation and prevent further damage.
Failure to report incidents may worsen risks and delay corrective action.
SJDEFI follows organized procedures when responding to incidents.
a. Detection and Identification
The institution first determines:
This stage helps assess the seriousness of the incident.
b. Containment
Immediate actions are taken to stop or limit the incident.
Examples include:
Containment helps prevent further loss or exposure.
c. Assessment and Investigation
The institution evaluates:
Investigations also identify weaknesses in systems or procedures.
d. Notification
When required by law, SJDEFI notifies:
Notifications may include:
Transparency during incidents helps maintain trust and accountability.
e. Recovery and Prevention
After the incident, the institution takes corrective actions to:
Lessons learned from incidents help improve future security practices.
Data privacy protection requires continuous education and awareness among employees, students, and stakeholders.
SJDEFI conducts training programs to ensure that individuals understand:
Awareness programs may include:
Regular training helps reduce human errors and strengthens institutional compliance.
Monitoring and compliance are essential to ensure that SJDEFI consistently follows the requirements of the Data Privacy Act of 2012 and the policies established in this Data Privacy Guide. Data privacy protection is not a one-time activity but a continuous institutional responsibility that requires regular evaluation, supervision, and improvement.
SJDEFI recognizes that privacy risks, technologies, and operational processes constantly evolve. Therefore, the institution regularly reviews and monitors its systems, procedures, and practices to ensure that personal information remains protected.
Monitoring activities also help identify weaknesses, vulnerabilities, and non-compliance issues before they result in serious incidents or legal violations.
SJDEFI conducts regular privacy audits and assessments to evaluate whether departments and offices comply with institutional privacy policies and legal requirements.
Privacy audits may include:
The purpose of privacy audits is to:
Departments are expected to cooperate fully during privacy reviews and provide necessary documentation when requested.
The institution monitors how personal information is collected, used, stored, shared, and disposed of within different offices and systems.
This monitoring ensures that:
Monitoring may involve:
Improper or suspicious activities may be investigated immediately to prevent privacy violations.
SJDEFI regularly reviews and updates its privacy policies to ensure that they remain relevant, effective, and aligned with:
Policy reviews help the institution adapt to changing environments and improve its privacy management systems.
Employees are informed whenever significant policy updates are implemented.
All employees, faculty members, and staff are expected to comply with institutional data privacy policies and procedures.
Compliance includes:
College Administrators are responsible for ensuring that personnel under their supervision understand and follow privacy requirements.
Employees who violate privacy policies may face:
The institution emphasizes that accountability is necessary to maintain a strong culture of privacy protection.
SJDEFI maintains proper documentation of privacy-related activities to demonstrate accountability and compliance.
Examples of records maintained include:
Proper documentation helps:
Records must also be stored securely and accessed only by authorized individuals.
The Contact Information section provides the official channels through which students, employees, parents, and stakeholders may communicate privacy-related concerns, requests, or complaints.
SJDEFI ensures that individuals have accessible means of contacting the institution regarding:
The institution designates a Data Protection Officer (DPO) to oversee privacy-related matters and serve as the official contact person for data privacy concerns.
DR. ROSANA C. TALA
Data Protection Officer (DPO)
Vice President for Education
San Juan de Dios Educational Foundation, Inc. – College
Email: vpeoffice@sjdefi.edu.ph
Contact: 09303193021
This section also confirms the institution's commitment to continuously improving privacy protection measures.
This Data Privacy Guide becomes effective upon approval by the authorized officials of SJDEFI.
Once implemented:
Orientation and dissemination activities may be conducted to ensure awareness and understanding among stakeholders.
SJDEFI recognizes that privacy laws, technologies, and institutional practices evolve over time.
Therefore, this guide may be:
Periodic reviews ensure that the institution remains responsive to:
Updates may be issued whenever necessary to strengthen privacy protection and institutional compliance.
SJDEFI remains committed to promoting a culture of privacy, accountability, and responsible information management.
The institution recognizes that protecting personal information is essential to:
All members of the SJDEFI community are encouraged to actively participate in maintaining a secure and privacy-conscious environment.
The Data Privacy Guide of San Juan de Dios Educational Foundation, Inc. – College serves as a comprehensive framework for the responsible collection, processing, storage, sharing, retention, and protection of personal information within the institution.
As an educational institution entrusted with large amounts of personal and sensitive information, SJDEFI acknowledges its duty to safeguard the privacy rights of students, employees, parents, alumni, and stakeholders.
The guide emphasizes that data privacy protection is not solely the responsibility of the Data Protection Officer or administrators. Rather, it is a shared responsibility of every member of the institution. All employees, faculty members, students, and stakeholders must work together to ensure that personal information is handled lawfully, ethically, securely, and responsibly.
Through the implementation of appropriate physical, technical, and organizational safeguards, SJDEFI aims to:
The institution also recognizes that privacy protection is a continuous process requiring regular monitoring, education, improvement, and adaptation to evolving technologies and threats.
By upholding the principles of transparency, legitimate purpose, and proportionality, SJDEFI demonstrates its commitment to respecting human dignity, protecting individual rights, and fostering a culture of confidentiality and responsible information management within the academic community.
Ultimately, this Data Privacy Guide serves not only as a legal compliance document but also as a manifestation of the institution’s dedication to ethical governance, institutional integrity, and the protection of the people it serves.