THE DATA PRIVACY OFFICE (DPO)

Our Lady of Peace School – Antipolo protects, respects, and values data privacy rights and makes sure that all personal data collected from students, employees, parents, guardians, and other third parties is processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

SCOPE and LIMITATION of the DPO

The Data Privacy Office adheres to the limitations of the Data Privacy Act, which applies to the processing of all types of personal information and to any natural or juridical person, in the country and even abroad, subject to certain qualifications. The Data Privacy Act applies to all departments of the School, employees regardless of the type, students, officers and third parties whose information (applicants for admission or employment and former students or alumni whose school records are required to be kept and secured by the School). The data covered by this Act is limited to personal information as defined under Section III of the Data Privacy Manual, collected and processed by the School.

GENERAL PRIVACY POLICY

  1. OLPS adheres to the general principles of transparency, legitimate purpose and proportionality in the collection, processing, securing, retention, and disposal of personal information.
  2. The students, parents, guardians, employees, or third parties whose personal information is being collected shall be considered as data subjects for the purposes of these policies.
  3. Data subjects shall be informed of the reason or purpose of the collection and processing of personal data.
  4. The data subjects shall have the right to correct the information especially in cases of erroneous or outdated data, and to object to collection of personal information within the bounds allowed by privacy and education laws.
  5. The data subject has the right to file a complaint in case of breach or unauthorized access of his/her personal information.
  6. OLPS shall secure the personal information of students, parents, guardians, employees, and third parties from whom personal information is collected and shall take adequate measures to secure both physical and digital copies of the information.
  7. OLPS shall ensure that personal information is collected and processed only by authorized personnel for legitimate purposes of the School.
  8. Any information that is declared obsolete based on the internal privacy and retention procedures of the School shall be disposed of in a secure and legal manner.
  9. Any suspected or actual breach of the OLPS Data Privacy Policy must be reported to any member of the Data Privacy Office.
  10. Data subjects may inquire or request information from the Data Privacy Officer regarding any matter relating to the processing of their personal data under the custody of OLPS, including the data privacy and security policies implemented to ensure the protection of their personal data.

PROCESSING OF PERSONAL DATA

Any natural or juridical person or other body involved in the processing of personal data shall develop, implement, and review:

  • A procedure for the collection of personal data, including procedures for obtaining consent, when applicable;
  • Procedures that limit the processing of data, to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose;
  • Policies for access management, system monitoring, and protocols to follow during security incidents or technical problems;
  • Policies and procedures for data subjects to exercise their rights under the Act;
  • Data retention schedule, including timeline or conditions for erasure or disposal of records.

SECURITY MEASURES

Personal Information Controllers (PICs) and Personal Information Processors (PIPs) shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. (IRR, R.A. 10173, Sec. 25)

They shall aim to maintain:

  • Availability,
  • Integrity, and
  • Confidentiality of personal data

These measures are intended to protect personal data against any of the following:

  • Accidental or Unlawful Destruction, Alteration and Disclosure;
  • Unlawful Processing;
  • Natural Dangers (e.g. flood, earthquake, and other natural calamities); and
  • Human Dangers (e.g. unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination).

The determination of the appropriate level of security must consider the following:

  1. Nature of the personal data to be protected;
  2. Risks represented by the processing;
  3. Size of the organization and complexity of its operations;
  4. Current data privacy best practices; and
  5. Cost of security implementation

BREACH AND SECURITY INCIDENTS

Only authorized personnel have access to your personal data, the exchange of which (mainly within campus) is facilitated through internal shared servers, email, and paper files.

SECURITY INCIDENT is:

  • An event or occurrence that affects or tends to affect data protection; or
  • An incident that compromises the availability, integrity, or confidentiality of personal data.

DATA BREACH is a security incident that:

  • Leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, or unauthorized processing of personal data.
  • Compromises the availability, integrity, or confidentiality of personal data.

INQUIRIES AND COMPLAINTS

Notification of a data breach is mandatory when all three of the following elements are present:

  1. The personal data involves:
    • Sensitive personal information or
    • Any other information that may be used to enable identity fraud
  2. There is a reason to believe that the information may have been acquired by an unauthorized person; and
  3. The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

REPUBLIC ACT NO. 10173

Republic Act No. 10173, referred to as the Data Privacy Act, is an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.