Trunkline Number:    8-551-2763

Students
Faculty

San Juan De Dios Educational Foundation, Inc. Where faith and reason are expressed in Charity

San Juan de Dios Educational Foundation, Inc.
Data Privacy

Privacy Notice

01Introduction

San Juan de Dios Educational Foundation, Inc. – College (SJDEFI) recognizes the importance of protecting the personal information of all individuals connected with the institution.

In the course of its operations, the College collects and processes different kinds of personal data from students, employees, parents, alumni, applicants, visitors, and partner institutions. This information are necessary for the delivery of educational services, employment administration, student support, financial transactions, research activities, and institutional operations.

With the advancement of technology and the increased use of digital systems, the risk of unauthorized access, misuse, theft, or disclosure of personal information has also increased. Because of this, SJDEFI commits itself to implementing effective privacy and security measures to ensure that all personal data are properly protected.

This Data Privacy Guide serves as the institution's framework for responsible data handling and compliance with the provisions of the Data Privacy Act of 2012 (Republic Act No. 10173) and the regulations of the National Privacy Commission (NPC). The guide establishes policies, responsibilities, and procedures that govern the collection, processing, storage, sharing, retention, and disposal of personal data within the institution.

The guide also promotes awareness among all members of the SJDEFI community regarding their duties and responsibilities in maintaining confidentiality and protecting privacy rights. Through this policy, the College aims to establish trust, accountability, transparency, and security in all information-processing activities.

02Objectives

2.1To Ensure Compliance with the Data Privacy Act of 2012

One of the primary objectives of this guide is to ensure that SJDEFI complies with the requirements of Republic Act No. 10173 or the Data Privacy Act of 2012. Compliance means following the legal standards and regulations set by the National Privacy Commission regarding the proper handling of personal information.

The institution acknowledges that non-compliance may lead to legal liabilities, penalties, reputational damage, and loss of trust among stakeholders. Therefore, all offices, departments, employees, and personnel are required to adhere to the policies and procedures stated in this guide.

Compliance also means regularly reviewing institutional practices and updating procedures whenever new laws, technologies, or privacy risks emerge.

2.2To Protect Personal Information from Unauthorized Access and Disclosure

The College is responsible for protecting all personal information under its custody. Personal data such as student records, employee files, medical information, and financial details are considered valuable and sensitive. If these information fall into the wrong hands, individuals may suffer identity theft, discrimination, financial loss, emotional distress, or reputational harm.

This guide establishes security measures to ensure that personal data are:

  • Kept confidential
  • Accessible only to authorized persons
  • Protected against unauthorized access, alteration, disclosure, or destruction

Protecting personal information is not only a legal responsibility but also an ethical obligation of the institution.

2.3To Establish Clear Policies and Procedures for Data Processing

Another objective of this guide is to provide standardized procedures in handling personal information throughout its entire life cycle. This includes:

  • Collection
  • Recording
  • Organization
  • Storage
  • Retrieval
  • Sharing
  • Retention
  • Disposal

By establishing clear procedures, the institution minimizes confusion, errors, and inconsistent practices among departments and personnel.

The guide also helps employees understand what actions are permitted and prohibited when handling personal data.

2.4To Promote Accountability and Transparency

SJDEFI promotes a culture of accountability where every employee and office handling personal information is responsible for protecting the confidentiality and integrity of the data entrusted to them.

Transparency is also emphasized by ensuring that data subjects are informed about:

  • Why their information is being collected
  • How their information will be used
  • Who will have access to it
  • How long it will be retained

Transparent practices strengthen trust between the institution and its stakeholders.

2.5To Prevent Data Breaches and Security Incidents

The institution aims to reduce the risk of privacy incidents and personal data breaches by implementing preventive security measures and response protocols.

A data breach may occur due to:

  • Human error
  • Cyberattacks
  • Weak passwords
  • Unauthorized disclosure
  • Improper disposal of records

This guide establishes preventive controls and incident response procedures to minimize risks and ensure immediate action whenever an incident occurs.

03Scope

The scope of this Data Privacy Guide defines who and what are covered by the policy.

This guide applies to all individuals and offices within SJDEFI that collect, process, store, or manage personal information. It includes:

  • Students
  • Faculty members
  • Non-teaching personnel
  • School administrators
  • Contractual employees
  • Alumni
  • Parents and guardians
  • Third-party service providers
  • Visitors and applicants

The guide also covers all forms of data processing, whether manual or automated. This includes:

  • Paper documents
  • Filing cabinets
  • Computers and databases
  • Emails
  • Cloud storage systems
  • Learning management systems
  • CCTV recordings

The policy applies regardless of where the information is stored or processed.

By defining the scope clearly, the institution ensures that all stakeholders understand that data privacy responsibilities apply across all offices and activities.

04Key Principles Of Data Privacy

The Data Privacy Act establishes important principles that guide institutions in processing personal data responsibly.

SJDEFI adopts these principles as the foundation of its privacy practices.

4.1Transparency

Transparency means that the institution must be honest and open with individuals regarding how their personal information is collected, processed, and used.

Before collecting any information, SJDEFI must inform the data subject about:

  • The purpose of collection
  • The type of information needed
  • How the information will be processed
  • Who may access the data
  • How long the data will be stored

For example, during student enrollment, applicants must be informed that their information will be used for academic records, billing, student services, and government reporting requirements.

Transparency helps individuals make informed decisions regarding their personal information and promotes trust between the institution and the data subject.

Failure to provide proper notice may be considered a violation of data privacy rights.

4.2Legitimate Purpose

Personal data must only be collected for lawful, specific, and legitimate purposes.

SJDEFI may only collect information that is necessary for institutional operations and educational services.

Examples of legitimate purposes include:

  • Enrollment processing
  • Employment administration
  • Scholarship evaluation
  • Student guidance services
  • Financial transactions
  • Compliance with government regulations

The institution must not use personal data for unrelated or unauthorized activities without obtaining proper consent.

For example, student contact information collected for enrollment cannot automatically be used for commercial marketing activities unless permission is granted.

This principle prevents misuse and abuse of personal information.

4.3Proportionality

Proportionality means that the institution should collect only the minimum amount of information necessary to accomplish a legitimate purpose.

Excessive or unnecessary collection of information is discouraged because it increases privacy risks.

For example:

A seminar registration form may only require the participant's name, department, and contact number.

It would be unnecessary to request highly sensitive personal information unrelated to the activity.

This principle ensures balance between institutional needs and the individual's right to privacy.

Collecting unnecessary data may expose individuals to greater risks in case of unauthorized disclosure or data breach.

05Types Of Data Collected

5.1Personal Information

Personal information refers to any data that can identify an individual directly or indirectly.

Examples include:

  • Full name
  • Address
  • Date of birth
  • Contact number
  • Email address
  • Student number
  • Employment information

These information are commonly used in school operations and administrative processes.

Although considered basic information, personal information must still be protected because unauthorized disclosure may lead to misuse or identity theft.

5.2Sensitive Personal Information

Sensitive personal information refers to highly confidential data that require stricter protection because disclosure may seriously affect the individual.

Examples include:

  • Medical records
  • Health conditions
  • Religious affiliation
  • Marital status
  • Financial information
  • Government-issued IDs
  • Academic performance records

Because of the confidential nature of these information, access must be limited only to authorized personnel with legitimate reasons.

Improper disclosure may result in discrimination, embarrassment, financial harm, or legal consequences.

5.3Privileged Information

Privileged information refers to confidential communications protected by law or ethical standards.

Examples include:

  • Counseling records
  • Legal advice
  • Investigation reports
  • Confidential disciplinary proceedings

This information are protected because disclosure may violate legal rights, professional ethics, or institutional confidentiality obligations.

Only authorized individuals may access privileged information.

06Data Classification

Data classification is an important component of the Data Privacy Guide because it helps the institution determine the level of protection, security, and access control required for different kinds of information. Not all information has the same degree of sensitivity. Some information may be shared publicly, while others require strict confidentiality and limited access.

Proper classification ensures that employees understand how information should be handled, stored, transmitted, and disposed of.

SJDEFI classifies personal data into three major categories:

6.1Public Information

Public information refers to data that may be disclosed to the public without causing harm or violating privacy rights. These information are generally intended for public awareness, institutional promotion, or official communication.

Examples of public information include:

  • School announcements
  • Course offerings
  • Academic calendars
  • Organizational charts
  • Names of administrators and faculty members
  • Published research outputs
  • Public directories
  • Institutional events and activities

Although public information may be shared openly, SJDEFI still ensures that the information released is accurate, appropriate, and officially authorized.

Employees must avoid releasing confidential or sensitive details disguised as public information. Even publicly available information must still be handled responsibly to prevent misuse or misrepresentation.

6.2Confidential Information

Confidential information refers to personal data that are restricted and may only be accessed by authorized individuals for legitimate institutional purposes.

These information require protection because unauthorized disclosure may:

  • Harm the individual concerned
  • Damage the reputation of the institution
  • Violate privacy laws and regulations

Examples of confidential information include:

  • Student academic records
  • Employee 201 files
  • Contact details of students and employees
  • Medical and health records
  • Guidance counseling records
  • Financial information
  • Tuition payment records
  • Disciplinary records

Confidential information must only be processed by authorized personnel such as:

  • Registrar staff
  • Human Resource personnel
  • Finance Office staff
  • Guidance Office personnel
  • Clinic staff

Access to confidential information must be controlled through:

  • Password-protected systems
  • Locked cabinets
  • Restricted office access
  • Secure filing procedures

Employees handling confidential information are expected to observe professionalism, confidentiality, and discretion at all times.

Unauthorized disclosure, sharing, or discussion of confidential information is strictly prohibited and may result in disciplinary action or legal liability.

6.3Classified Information

Classified information refers to highly sensitive data that require the highest level of protection because unauthorized disclosure may result in severe harm, identity theft, financial loss, security threats, or institutional compromise.

Examples of classified information include:

  • Passwords and login credentials
  • ATM PIN numbers
  • Bank account details
  • Security system access codes
  • Database administrator credentials
  • Encryption keys
  • Highly sensitive investigation reports

Because of the extreme sensitivity of classified information, access is strictly limited to specifically authorized personnel only.

SJDEFI implements stronger safeguards for classified information such as:

  • Multi-factor authentication
  • Data encryption
  • Limited administrator access
  • Monitoring and logging of system access
  • Strict confidentiality agreements

Employees are prohibited from:

  • Sharing passwords
  • Writing passwords in visible places
  • Using unauthorized storage devices
  • Sending classified information through unsecured channels

The institution recognizes that the compromise of classified information may lead to serious legal, operational, and financial consequences. Therefore, strict security protocols must always be followed.

ClassificationDescriptionExamples
Public Accessible to the public Directory, announcements
Confidential Restricted access Student records, employee files
Classified Highly sensitive Passwords, bank details

07Data Collection And Consent

Data collection is one of the most important stages in data processing because it is the point where personal information is obtained from individuals.

SJDEFI ensures that all personal information collected are:

  • Obtained lawfully
  • Collected fairly
  • Necessary for legitimate institutional purposes
  • Supported by proper consent whenever required

The institution follows the principle that individuals have the right to know why their information is being collected and how it will be used.

7.1Purpose Of Data Collection

SJDEFI collects personal information for legitimate educational, administrative, and operational purposes such as:

  • Student enrollment
  • Employee hiring and administration
  • Scholarship processing
  • Academic evaluation
  • Student support services
  • Research and extension programs
  • Financial transactions
  • Compliance with government reporting requirements

The institution only collects information necessary to fulfill these purposes.

Excessive, irrelevant, or unnecessary collection of information is avoided to reduce privacy risks.

7.2Consent Of The Data Subject

Consent refers to the voluntary agreement of the individual to allow the institution to collect and process personal information.

Consent must be:

  • Freely given
  • Specific
  • Informed
  • Evidenced by written, electronic, or recorded means

Before obtaining consent, SJDEFI must explain:

  • What information will be collected
  • Why the information is needed
  • How the information will be used
  • Who may access the information
  • How long the information will be stored

For example: During online enrollment, students may be asked to agree to a privacy notice before submitting their personal information.

Consent is important because it respects the individual's right to control personal information.

However, there are situations where processing may still be allowed even without consent, such as:

  • Compliance with legal obligations
  • Protection of life and health
  • Fulfillment of contractual obligations
  • Legitimate institutional interests allowed by law

7.3Privacy Notice

A privacy notice is a statement provided to individuals explaining how their personal data will be handled.

SJDEFI ensures that privacy notices are:

  • Clear
  • Understandable
  • Accessible
  • Written in simple language

Privacy notices are included in:

  • Enrollment forms
  • Employment applications
  • Online systems
  • Institutional websites
  • Consent forms

The purpose of the privacy notice is to maintain transparency and allow individuals to make informed decisions regarding their information.

08Data Processing And Use

Data processing refers to any operation performed on personal information.

This includes:

  • Collection
  • Recording
  • Organization
  • Storage
  • Updating
  • Retrieval
  • Consultation
  • Use
  • Sharing
  • Erasure
  • Disposal

SJDEFI ensures that all processing activities are lawful, fair, secure, and aligned with institutional purposes.

8.1Lawful Processing

The institution processes personal information only when permitted by law or supported by legitimate institutional purposes.

Processing activities must always comply with:

  • Data Privacy Act of 2012
  • NPC regulations
  • Institutional policies

Unlawful processing, unauthorized access, or misuse of information is prohibited.

8.2Access Control

Access to personal information is limited only to authorized individuals who require the information to perform official duties.

Examples:

  • The Registrar may access academic records
  • HR personnel may access employee records
  • Clinic staff may access medical information

Employees are not allowed to access records outside their responsibilities.

SJDEFI implements access controls such as:

  • User accounts and passwords
  • Role-based access systems
  • Restricted office access
  • Monitoring of user activities

This minimizes unauthorized access and protects confidentiality.

8.3Data Accuracy

The institution ensures that personal information is accurate, complete, and updated whenever necessary.

Inaccurate information may:

  • Cause administrative errors
  • Affect decision-making
  • Harm the individual concerned

Data subjects may request corrections if they discover incorrect information in institutional records.

8.4Storage And Security

Personal information must be stored securely to prevent unauthorized access, loss, theft, or damage.

SJDEFI protects data through:

  • Secure filing systems
  • Password protection
  • Antivirus software
  • Firewalls
  • Backup systems
  • Encryption technologies

Physical records are kept in locked cabinets or restricted offices, while electronic records are protected through technical safeguards.

Employees must exercise caution when handling records both inside and outside the institution.

09Data Sharing And Disclosure

Data sharing refers to the transfer or disclosure of personal information to another person, office, organization, or third party.

SJDEFI recognizes that personal information should not be shared freely without proper authorization or legal basis.

9.1Authorized Data Sharing

Personal information may only be shared when:

  • The data subject has given consent
  • Sharing is required by law
  • Necessary for official institutional functions
  • Supported by formal agreements

Examples include:

  • Submission of student records to government agencies
  • Coordination with scholarship providers
  • Reporting required by regulatory bodies

Before sharing information, the institution ensures that the receiving party has adequate safeguards to protect the data.

9.2Third-Party Service Providers

SJDEFI may engage third-party service providers for services such as:

  • Information technology support
  • Cloud storage
  • Payroll systems
  • Security services

Third parties processing personal information on behalf of SJDEFI are required to:

  • Follow data privacy laws
  • Maintain confidentiality
  • Implement security measures
  • Use data only for authorized purposes

Formal agreements are established to define responsibilities and obligations.

9.3Unauthorized Disclosure

Unauthorized disclosure occurs when personal information is shared without permission or legal authority.

Examples include:

  • Discussing student grades publicly
  • Sharing employee records without approval
  • Sending confidential files to unauthorized persons
Unauthorized disclosure is considered a serious violation and may result in disciplinary action, administrative sanctions, or legal penalties.

10Data Retention And Disposal

Data retention and disposal are essential parts of data privacy management because personal information should not be kept indefinitely without valid purpose. SJDEFI recognizes that retaining unnecessary records increases the risk of unauthorized access, misuse, accidental disclosure, and security breaches.

The institution therefore establishes proper retention schedules and secure disposal procedures to ensure that personal information is managed responsibly throughout its entire life cycle.

10.1Data Retention

Data retention refers to the period during which personal information is stored and maintained by the institution.

SJDEFI retains personal information only for as long as necessary to:

  • Fulfill legitimate institutional purposes
  • Comply with legal and regulatory requirements
  • Resolve disputes or administrative concerns
  • Maintain academic and employment records
  • Support research and institutional documentation

The retention period may vary depending on the type of record involved.

Examples include:

  • Student academic records retained for transcript and verification purposes
  • Employee records maintained for employment and legal requirements
  • Financial records kept for auditing and taxation compliance

The institution ensures that retained records are:

  • Accurate
  • Updated
  • Securely stored
  • Accessible only to authorized personnel

Records that are no longer necessary must not be retained unnecessarily because prolonged storage increases privacy and security risks.

10.2Secure Storage During Retention

While records are retained, SJDEFI ensures that they are protected from:

  • Unauthorized access
  • Theft
  • Loss
  • Physical damage
  • Cyberattacks
  • Alteration or tampering

The institution applies both physical and technical safeguards.

Examples of physical safeguards include:

  • Locked filing cabinets
  • Restricted office access
  • Controlled document handling procedures
  • Visitor monitoring systems

Examples of technical safeguards include:

  • Password-protected databases
  • Antivirus software
  • Firewalls
  • Backup systems
  • Encryption technologies

Only authorized personnel with legitimate institutional functions may access retained information.

Employees are reminded that confidentiality obligations continue even after records are archived or inactive.

10.3Data Disposal

Data disposal refers to the proper destruction or deletion of personal information that is no longer necessary.

SJDEFI ensures that disposal procedures prevent unauthorized recovery or reconstruction of information.

Improper disposal may expose individuals to identity theft, fraud, reputational damage, or privacy violations.

Examples of secure disposal methods include:

For Physical Records:

  • Shredding documents
  • Burning where permitted
  • Secure disposal bins

For Electronic Records:

  • Permanent deletion
  • Data wiping software
  • Destruction of storage devices when necessary

Simply deleting files from a computer is not sufficient because data may still be recoverable.

The institution ensures that disposal activities are supervised and documented when necessary.

10.4Responsibilities In Data Retention And Disposal

All employees handling records are responsible for:

  • Following retention schedules
  • Protecting stored records
  • Reporting unauthorized access
  • Ensuring proper disposal procedures

Offices and departments must coordinate with the Data Protection Officer (DPO) when disposing of sensitive or classified records.

Failure to dispose of records properly may expose the institution to legal and security risks.

11Rights Of Data Subjects

SJDEFI recognizes and respects the rights of individuals regarding their personal information. These rights are guaranteed under the Data Privacy Act of 2012 and are essential in protecting privacy and human dignity.

Data subjects include:

  • Students
  • Employees
  • Parents
  • Alumni
  • Applicants
  • Other individuals whose information is processed by the institution

The institution ensures that individuals are able to exercise these rights fairly and reasonably.

11.1Right To Be Informed

Data subjects have the right to know:

  • What information is being collected
  • Why it is being collected
  • How it will be processed
  • Who will access the information
  • How long the information will be retained

SJDEFI fulfills this right through:

  • Privacy notices
  • Consent forms
  • Institutional policies
  • Official communications

Transparency allows individuals to make informed decisions regarding their personal information.

11.2Right To Access

Individuals have the right to request access to their personal information held by the institution.

This includes the right to know:

  • What information is stored
  • The source of the information
  • The purposes of processing
  • Recipients of the data

For example:

  • Students may request copies of academic records
  • Employees may review employment records

SJDEFI establishes procedures for verifying identity before granting access to prevent unauthorized disclosure.

11.3Right To Correction

Data subjects may request correction of inaccurate, incomplete, outdated, or misleading information.

Accurate information is important because errors may negatively affect:

  • Academic standing
  • Employment records
  • Financial transactions
  • Institutional decisions

Examples include correcting:

  • Misspelled names
  • Incorrect addresses
  • Wrong birthdates
  • Outdated contact details

SJDEFI evaluates correction requests and updates records when justified.

11.4Right To Object

Individuals have the right to object to the processing of their personal information under certain circumstances.

For example, a person may object if:

  • Processing is unnecessary
  • Information is used for unauthorized purposes
  • Processing may cause harm or distress

The institution evaluates objections carefully while balancing legal and institutional obligations.

However, some processing activities may continue if required by law or necessary for institutional functions.

11.5Right To Erasure Or Blocking

Also known as the "right to be forgotten," this allows individuals to request deletion or blocking of personal information when:

  • The information is no longer necessary
  • Consent has been withdrawn
  • Processing is unlawful
  • The data subject's rights are violated

SJDEFI evaluates requests while considering:

  • Legal retention requirements
  • Institutional obligations
  • Public interest considerations

Some records, such as academic records, may need to be retained despite requests for deletion due to legal or regulatory requirements.

11.6Right To File A Complaint

Data subjects may file complaints if they believe their privacy rights have been violated.

Complaints may involve:

  • Unauthorized disclosure
  • Data breaches
  • Improper processing
  • Denial of access rights

Complaints may be submitted to:

  • The Data Protection Officer (DPO)
  • The National Privacy Commission (NPC)

SJDEFI ensures that complaints are handled fairly, promptly, and confidentially.

12Roles And Responsibilities

Protecting personal information is a shared responsibility within SJDEFI. Every employee, office, and stakeholder has a role in ensuring compliance with data privacy laws and institutional policies.

Clearly defining responsibilities helps promote accountability and effective implementation of privacy practices.

12.1Data Protection Officer (DPO)

The Data Protection Officer is responsible for overseeing the institution's compliance with data privacy laws and policies.

The DPO serves as the primary authority on privacy-related matters within the institution.

Responsibilities of the DPO include:

  • Monitoring compliance with the Data Privacy Act
  • Developing and updating privacy policies
  • Conducting privacy training and awareness programs
  • Responding to complaints and inquiries
  • Managing privacy incidents and data breaches
  • Coordinating with the National Privacy Commission
  • Conducting privacy impact assessments

The DPO also advises the institution on privacy risks and recommended safeguards.

To perform these functions effectively, the DPO must be given sufficient authority, independence, and institutional support.

12.2Employees And Personnel

All employees are responsible for protecting the confidentiality and integrity of personal information they handle.

Employees are expected to:

  • Follow institutional privacy policies
  • Access information only when authorized
  • Maintain confidentiality
  • Report privacy incidents immediately
  • Secure records and devices
  • Avoid unauthorized sharing of information

Employees must exercise professionalism and caution when handling personal data inside and outside the workplace.

Negligence, carelessness, or intentional misuse of information may result in disciplinary or legal consequences.

12.3Departments And Offices

Each office handling personal information is responsible for implementing privacy and security measures appropriate to its functions.

Examples include:

  • Registrar protecting academic records
  • HR safeguarding employee files
  • Finance Office securing payment records
  • Guidance Office maintaining counseling confidentiality

Departments must coordinate with the DPO regarding compliance concerns and privacy risk.

13Security Measures

Security measures are essential in protecting personal information from unauthorized access, misuse, disclosure, alteration, destruction, or loss. SJDEFI recognizes that both physical and digital records are vulnerable to different forms of threats such as theft, hacking, negligence, natural disasters, and human error.

To ensure the confidentiality, integrity, and availability of personal information, the institution implements a combination of physical, technical, and organizational security measures.

These safeguards are designed to minimize risks and strengthen the institution's ability to protect personal data.

13.1Physical Security Measures

Physical security measures are safeguards implemented to protect paper records, storage facilities, equipment, and offices from unauthorized access or physical damage.

SJDEFI ensures that confidential records are stored in secure environments accessible only to authorized personnel.

Examples of physical security measures include:

  • Locked filing cabinets
  • Restricted office access
  • Identification cards and visitor logs
  • Security guards and CCTV monitoring
  • Controlled entry to records rooms
  • Proper lighting and building security systems

Sensitive records such as student files, employee records, medical documents, and financial information must not be left unattended or exposed in public areas.

Employees are expected to observe clean desk policies and proper document handling procedures to reduce the risk of accidental exposure or unauthorized access.

The institution also prepares contingency measures for emergencies such as:

  • Fire incidents
  • Floods
  • Earthquakes
  • Theft or vandalism

Backup storage and disaster recovery plans help ensure continuity and protection of important institutional records.

13.2Technical Security Measures

Technical security measures refer to the digital safeguards implemented to protect electronic data and information systems.

Because SJDEFI uses computers, databases, online learning systems, and digital communication platforms, strong cybersecurity measures are necessary to prevent unauthorized access and cyber threats.

Examples of technical security measures include:

a. Password Protection

Employees and authorized users are required to use strong and confidential passwords for accessing institutional systems.

Passwords should:

  • Be difficult to guess
  • Contain combinations of letters, numbers, and symbols
  • Be changed regularly
  • Never be shared with others

Weak or shared passwords increase the risk of unauthorized access.

b. Antivirus and Anti-Malware Protection

SJDEFI installs antivirus and anti-malware software on institutional devices to detect and prevent malicious attacks such as:

  • Viruses
  • Spyware
  • Ransomware
  • Trojans

Regular updates and system scans are conducted to maintain system security.

c. Firewalls and Network Security

Firewalls are used to protect institutional networks from unauthorized external access and cyberattacks.

Network monitoring helps detect suspicious activities and security vulnerabilities.

Only authorized devices and users may access certain systems or databases.

d. Data Encryption

Encryption converts information into coded formats to prevent unauthorized reading or interception.

SJDEFI may use encryption when transmitting or storing sensitive information such as:

  • Financial data
  • Medical records
  • Passwords
  • Online transactions

Encryption helps ensure that even if information is intercepted, it cannot easily be understood or misused.

e. Backup and Recovery Systems

The institution maintains backup systems to protect important records from loss caused by:

  • Hardware failure
  • Cyberattacks
  • Human error
  • Natural disasters

Regular backups allow restoration of data when necessary and help maintain continuity of operations.

Backup files must also be secured and protected from unauthorized access.

f. Access Controls and User Permissions

SJDEFI limits system access according to job responsibilities and authorization levels.

Examples:

  • Registrar staff may access student records
  • HR personnel may access employee records
  • Finance personnel may access billing information

Not all employees should have access to all systems or records.

This principle of limited access minimizes unnecessary exposure of personal information.

13.3Organizational Security Measures

Organizational security measures involve policies, procedures, training, and governance practices that promote responsible handling of personal information.

SJDEFI recognizes that technology alone cannot guarantee data protection. Employees and stakeholders must also understand and follow privacy responsibilities.

Examples of organizational measures include:

  • Data privacy policies and manuals
  • Confidentiality agreements
  • Employee orientations and seminars
  • Regular privacy awareness programs
  • Monitoring and compliance audits
  • Incident response procedures

The institution also establishes accountability mechanisms to ensure that employees comply with institutional privacy standards.

Organizational culture plays an important role in promoting respect for confidentiality and responsible information handling.

13.4Responsibility Of Employees In Security

Employees are considered one of the most important components of data security because many privacy incidents result from human error or negligence.

Employees are expected to:

  • Handle information responsibly
  • Keep passwords confidential
  • Log out from systems after use
  • Avoid using unauthorized devices or software
  • Protect physical and electronic records
  • Report suspicious activities immediately

Examples of improper practices that must be avoided include:

  • Leaving confidential documents unattended
  • Sharing login credentials
  • Sending sensitive files through unsecured platforms
  • Discussing confidential information in public places

Failure to observe security protocols may expose the institution and affected individuals to significant risks.

14Data Breach And Incident Management

Despite preventive measures, privacy incidents and security breaches may still occur. SJDEFI therefore establishes procedures for responding quickly and effectively whenever such incidents happen.

Proper incident management helps minimize harm, contain risks, and restore security.

14.1Privacy Incidents

A privacy incident refers to any event involving personal information that may compromise privacy or data security.

Examples include:

  • Unauthorized access to records
  • Lost or stolen devices containing personal data
  • Accidental disclosure of confidential information
  • Sending information to the wrong recipient
  • Improper disposal of documents
  • System hacking or malware infection

Not all privacy incidents automatically become data breaches, but all incidents must be evaluated carefully.

14.2Personal Data Breach

A personal data breach occurs when there is:

  • Unauthorized disclosure
  • Unauthorized access
  • Loss
  • Destruction
  • Alteration
  • Theft of personal information

Examples include:

  • Hacked databases
  • Stolen laptops containing records
  • Public posting of confidential information
  • Leakage of passwords or financial data

Data breaches may cause serious harm to individuals and the institution.

Possible consequences include:

  • Identity theft
  • Financial fraud
  • Emotional distress
  • Reputational damage
  • Legal liabilities

14.3Incident Reporting

SJDEFI encourages immediate reporting of suspected or confirmed incidents.

Employees must report incidents to:

  • Immediate supervisors
  • The Data Protection Officer (DPO)
  • The Data Privacy Response Team

Reports should include:

  • Description of the incident
  • Date and time
  • Type of information involved
  • Persons affected
  • Immediate actions taken

Prompt reporting helps contain the situation and prevent further damage.

Failure to report incidents may worsen risks and delay corrective action.

14.4Incident Response Procedures

SJDEFI follows organized procedures when responding to incidents.

a. Detection and Identification

The institution first determines:

  • What happened
  • What information was affected
  • Who may be involved
  • Whether a breach occurred

This stage helps assess the seriousness of the incident.

b. Containment

Immediate actions are taken to stop or limit the incident.

Examples include:

  • Disconnecting compromised systems
  • Changing passwords
  • Recovering exposed documents
  • Restricting unauthorized access

Containment helps prevent further loss or exposure.

c. Assessment and Investigation

The institution evaluates:

  • The extent of the breach
  • The risks involved
  • The possible harm to affected individuals
  • The cause of the incident

Investigations also identify weaknesses in systems or procedures.

d. Notification

When required by law, SJDEFI notifies:

  • Affected individuals
  • The National Privacy Commission

Notifications may include:

  • Nature of the breach
  • Information affected
  • Risks involved
  • Actions taken
  • Recommendations for affected individuals

Transparency during incidents helps maintain trust and accountability.

e. Recovery and Prevention

After the incident, the institution takes corrective actions to:

  • Restore systems
  • Improve safeguards
  • Prevent recurrence
  • Strengthen policies and procedures

Lessons learned from incidents help improve future security practices.

15Training And Awareness

Data privacy protection requires continuous education and awareness among employees, students, and stakeholders.

SJDEFI conducts training programs to ensure that individuals understand:

  • Privacy rights and obligations
  • Institutional policies
  • Proper handling of personal information
  • Security practices
  • Incident reporting procedures

Awareness programs may include:

  • Employee orientations
  • Student seminars
  • Posters and advisories
  • Cybersecurity campaigns
  • Workshops and webinars

Regular training helps reduce human errors and strengthens institutional compliance.

16Monitoring And Compliance

Monitoring and compliance are essential to ensure that SJDEFI consistently follows the requirements of the Data Privacy Act of 2012 and the policies established in this Data Privacy Guide. Data privacy protection is not a one-time activity but a continuous institutional responsibility that requires regular evaluation, supervision, and improvement.

SJDEFI recognizes that privacy risks, technologies, and operational processes constantly evolve. Therefore, the institution regularly reviews and monitors its systems, procedures, and practices to ensure that personal information remains protected.

Monitoring activities also help identify weaknesses, vulnerabilities, and non-compliance issues before they result in serious incidents or legal violations.

16.1Regular Privacy Audits

SJDEFI conducts regular privacy audits and assessments to evaluate whether departments and offices comply with institutional privacy policies and legal requirements.

Privacy audits may include:

  • Review of records management practices
  • Inspection of storage systems
  • Evaluation of security measures
  • Assessment of data sharing activities
  • Verification of employee compliance
  • Examination of incident reports and responses

The purpose of privacy audits is to:

  • Identify risks and vulnerabilities
  • Improve institutional practices
  • Ensure proper implementation of safeguards
  • Prevent future incidents

Departments are expected to cooperate fully during privacy reviews and provide necessary documentation when requested.

16.2Monitoring Of Data Processing Activities

The institution monitors how personal information is collected, used, stored, shared, and disposed of within different offices and systems.

This monitoring ensures that:

  • Processing activities remain lawful and authorized
  • Employees follow approved procedures
  • Access to records is properly controlled
  • Security measures remain effective

Monitoring may involve:

  • Reviewing system logs
  • Checking access records
  • Evaluating database usage
  • Observing document handling practices

Improper or suspicious activities may be investigated immediately to prevent privacy violations.

16.3Review Of Policies And Procedures

SJDEFI regularly reviews and updates its privacy policies to ensure that they remain relevant, effective, and aligned with:

  • New laws and regulations
  • National Privacy Commission guidelines
  • Technological developments
  • Emerging cybersecurity threats
  • Institutional operational changes

Policy reviews help the institution adapt to changing environments and improve its privacy management systems.

Employees are informed whenever significant policy updates are implemented.

16.4Compliance Of Employees And Personnel

All employees, faculty members, and staff are expected to comply with institutional data privacy policies and procedures.

Compliance includes:

  • Observing confidentiality
  • Following access restrictions
  • Protecting records and devices
  • Reporting incidents promptly
  • Participating in privacy training

College Administrators are responsible for ensuring that personnel under their supervision understand and follow privacy requirements.

Employees who violate privacy policies may face:

  • Administrative sanctions
  • Disciplinary actions
  • Suspension or termination
  • Legal liabilities where applicable

The institution emphasizes that accountability is necessary to maintain a strong culture of privacy protection.

16.5Documentation And Record Keeping

SJDEFI maintains proper documentation of privacy-related activities to demonstrate accountability and compliance.

Examples of records maintained include:

  • Consent forms
  • Privacy notices
  • Incident reports
  • Training attendance records
  • Privacy impact assessments
  • Data sharing agreements
  • Audit reports

Proper documentation helps:

  • Support institutional transparency
  • Facilitate investigations
  • Demonstrate compliance during audits or inspections
  • Improve institutional governance

Records must also be stored securely and accessed only by authorized individuals.

17Contact Information

The Contact Information section provides the official channels through which students, employees, parents, and stakeholders may communicate privacy-related concerns, requests, or complaints.

SJDEFI ensures that individuals have accessible means of contacting the institution regarding:

  • Privacy inquiries
  • Requests for access or correction
  • Complaints
  • Incident reporting
  • Clarifications regarding privacy policies

The institution designates a Data Protection Officer (DPO) to oversee privacy-related matters and serve as the official contact person for data privacy concerns.

DR. ROSANA C. TALA

Data Protection Officer (DPO)
Vice President for Education
San Juan de Dios Educational Foundation, Inc. – College

Email: vpeoffice@sjdefi.edu.ph
Contact: 09303193021

Effectivity: The Effectivity section explains when the Data Privacy Guide becomes officially implemented and recognized within the institution.

This section also confirms the institution's commitment to continuously improving privacy protection measures.

18Implementation Of The Policy

This Data Privacy Guide becomes effective upon approval by the authorized officials of SJDEFI.

Once implemented:

  • All departments and offices are required to comply
  • Employees must familiarize themselves with the guide
  • Institutional practices must align with privacy requirements

Orientation and dissemination activities may be conducted to ensure awareness and understanding among stakeholders.

19Periodic Review And Revision

SJDEFI recognizes that privacy laws, technologies, and institutional practices evolve over time.

Therefore, this guide may be:

  • Reviewed periodically
  • Revised when necessary
  • Updated to reflect legal or operational changes

Periodic reviews ensure that the institution remains responsive to:

  • Emerging cybersecurity threats
  • Technological advancements
  • New NPC regulations
  • Institutional operational developments

Updates may be issued whenever necessary to strengthen privacy protection and institutional compliance.

20Continuing Commitment To Privacy Protection

SJDEFI remains committed to promoting a culture of privacy, accountability, and responsible information management.

The institution recognizes that protecting personal information is essential to:

  • Preserving trust
  • Maintaining institutional integrity
  • Protecting individual rights
  • Supporting ethical educational practices

All members of the SJDEFI community are encouraged to actively participate in maintaining a secure and privacy-conscious environment.

The Data Privacy Guide of San Juan de Dios Educational Foundation, Inc. – College serves as a comprehensive framework for the responsible collection, processing, storage, sharing, retention, and protection of personal information within the institution.

As an educational institution entrusted with large amounts of personal and sensitive information, SJDEFI acknowledges its duty to safeguard the privacy rights of students, employees, parents, alumni, and stakeholders.

The guide emphasizes that data privacy protection is not solely the responsibility of the Data Protection Officer or administrators. Rather, it is a shared responsibility of every member of the institution. All employees, faculty members, students, and stakeholders must work together to ensure that personal information is handled lawfully, ethically, securely, and responsibly.

Through the implementation of appropriate physical, technical, and organizational safeguards, SJDEFI aims to:

  • Prevent unauthorized access and disclosure
  • Reduce risks of data breaches
  • Promote accountability and transparency
  • Strengthen institutional trust and credibility
  • Ensure compliance with the Data Privacy Act of 2012

The institution also recognizes that privacy protection is a continuous process requiring regular monitoring, education, improvement, and adaptation to evolving technologies and threats.

By upholding the principles of transparency, legitimate purpose, and proportionality, SJDEFI demonstrates its commitment to respecting human dignity, protecting individual rights, and fostering a culture of confidentiality and responsible information management within the academic community.

Ultimately, this Data Privacy Guide serves not only as a legal compliance document but also as a manifestation of the institution's dedication to ethical governance, institutional integrity, and the protection of the people it serves.