Data Privacy Statement

The right to privacy is a fundamental human right. Acknowledging this, the Office of the University Registrar, hereafter referred to as “OUR”, endeavors to safeguard its stakeholders’ data privacy by adhering to data privacy principles and employing standard safety measures in the collection, processing, disclosure, and retention of personal data in accordance with the Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations (IRR) and to issuances of the National Privacy Commission.

This OUR Data Privacy Statement (the “ODPS”) contains an outline of the general practices of the OUR in the context of data collection and processing. All other data privacy statements released or to be released by the University specific to a particular office, function or procedure shall be in congruence with the OUR. Designed for general knowledge, the OUR may not include specific information pertaining to the data collection and processing mechanism of a specific office, function, or procedure. Thus, whenever applicable, a more specific data privacy statement or notice should be consulted.

What personal data the OUR may collect and process?

The OUR collects and processes only the type and amount of data necessary to perform its core and auxiliary functions. As an institution composed of heterogeneous entities, the OUR may collect a variety of personal information in different contexts and for different specific purposes.

In general, among the common personal data the University may collect include:

All personal data collection and processing can only be done when the OUR acquires the consent of the data subject, either explicitly or implicitly, after the latter has been informed of the nature and extent of data collection and processing.

Why does the OUR collect and process personal data?

The purpose of personal data collection and processing may vary from one OUR procedure (e.g. student admission, requesting of documents, releasing of documents, visitor entry, human resource management, etc.) to another. However, the general principle governing the OUR ’s data collection process is legitimacy of purpose.

The OUR shall only collect and process data for legitimate purposes in consonance with its inherent functions and in compliance with legal requirements. These legitimate purposes may include, but may not be limited to, the following:

How does the University share or disclose personal data?

Utmost care and due diligence are practiced by the OUR in handling personal data. The OUR shall never share or disclose data to third-parties without prior consent from the data subjects. Whenever disclosure of data is necessary and permitted, the OUR conscientiously reviews the privacy and security policies of the authorized third-party service providers or external partners. The OUR may also be required to disclose data in compliance with legal or regulatory obligations.

Internal disclosure of personal data from one OUR entity to another shall be subjected to an institutionalized standard data request procedure. This ensures that data is transmitted through official channels and shared for legitimate purposes.

Regardless of the context of data disclosure, the OUR shall always practice the principle of data minimization which means that only the minimum amount of data needed to serve a particular purpose is shared to the requesting entity.

How does the OUR protect personal data?

The OUR shall employ necessary or reasonable safeguards in the form of physical, technological, logical and administrative controls. Internal access to stored personal data will be kept to a minimum number of authorized individuals and bounded by confidentiality agreements. These individuals are subjected to regular training for proper handling of information in accordance with the OUR’s data privacy policies and other related laws, regulations or issues.

How long does the University retain personal data?

Personal data are retained only for as long as necessary to serve its declared purpose or comply with regulatory and legal requirements. Depending on the nature of data and purpose it serves, the retention period could range from days (e.g. CCTV recording) to years (e.g. student academic information). Whenever retention becomes unnecessary, the University shall dispose of the personal data properly through a secure and confidential means.

For concerns and inquiries relating to OUR Data Privacy, please don't hesitate to contact us through this email: registrar@usep.edu.ph.