DLSBI Data Privacy Policy
Effective: December 13, 2024
This policy sets out how De La Salle Brothers, Inc. (DLSBI) manages responsibilities and which De La Salle Brothers of the Philippines (Brothers), employees/personnel, donors, Beneficiaries/Scholars, volunteers, parents/guardians, alumni/alumnae, website visitors, event guests and visitors, and other third-party contractors/processors processing personal information should follow to ensure compliance with the Data Privacy Act and other related legislation and regulations.
1. Introduction
De La Salle Brothers Inc. (DLSBI) collects, uses, stores and processes personal information relating to potential, current and former De La Salle Brothers of the Philippines, employees/personnel, donors, Beneficiaries/Scholars, volunteers, parents/guardians, alumni/alumnae, website visitors, event guests and visitors, and other relevant third parties, referred to in this policy as data subjects. As Data Privacy has become a relevant and important issue in the education sector and with the implementation of the Data Privacy Act of 2012 (DPA), it is incumbent upon DLSBI to adopt reasonable measures to safeguard the personal information it processes.
DLSBI respects and values data privacy rights and is committed to protect the confidentiality of personal information it collects. This policy sets out how DLSBI manages those responsibilities and which trustees, administrators, officers, employees/personnel, De La Salle Brothers of the Philippines, donors, Beneficiaries/Scholars, parents / guardians, alumni/alumnae and other third party contractors/processors processing personal information should follow to ensure compliance with the DPA and other related legislations and regulations.
2. Purpose
This Policy describes a baseline set of common principles governing the handling of De La Salle Brothers of the Philippines’, Donors’, Beneficiaries/Scholars’, Parents’, Guardians’, Alumni’s/Alumnae’s, Human Resources’ and other third parties’ personal information within the Organization. These guidelines assure not only the Organization’s compliance to the Data Privacy Act of 2021, its implementing rules and regulation and other related laws, but will be communicated to its Employees/Personnel to ensure their compliance as well.
DLSBI values its Donors, Beneficiaries/Scholars, Parents/Guardians, Alumni/Alumnae, Donors, Employee/Personnel, De La Salle Brothers, and treats their personal information as confidential. In this policy we outline the Organization’s standards for data subject’s personal information privacy practices. DLSBI requires, as part of their job responsibility, all its trustees, administrators, officers, employees/personnel and staff entrusted with personal information of data subjects, to treat such (information) as confidential and thus, be in conformity with this policy. DLSBI likewise, requires the same responsibility and confidentiality to any third -party service providers that administer and process its personal information.
3. Objectives
3.1. To ensure clarity and consistency about how personal data must be processed and the expectations of DLSBI from all those who process personal data on its behalf
3.2 To ensure compliance with the Data Privacy Act and other relevant legislations and regulations.
3.3 To protect DLSBI’s reputation by ensuring the personal data entrusted to it is processed in accordance with data subject rights.
3.4 To protect DLSBI from risks of personal data incidents or breaches and other breaches of data protection law.
3.5 To embed a culture of privacy that enables compliance.
3.6 To promote a culture of trust and respect that enables community building.
3.7 To establish effective privacy practices, procedures and systems.
3.8 To evaluate DLSBI’s privacy practices, procedures and systems to ensure continued effectiveness.
3.9 To enhance response to privacy issues
3.10 To ensure that information assets receive an appropriate level of protection and clear identification of assets.
3.11 To ensure that all employees, permanent or temporary, understand their information security roles and responsibility.
3.12 To act as a deterrent to prevent violations, as well as information dissemination to encourage voluntary compliance to organizational Data Privacy and information security policies and procedures.
3.13 To reduce the risks of human error, theft, fraud or misuse of Organization equipment and facilities.
3.14 To protect DLSBI information and organizational assets from security incidents and minimize possible Data Privacy Security risks.
3.15 To ensure correct and fair treatment of employees/personnel who are suspected of committing Data Privacy or information security breach
3.16 To manifest that DLSBI is serious in enforcing its Data Privacy or information security policies.
4. Definition of Terms
4.1 Data Subject -refers to an individual whose personal data is processed by DLSBI;
4.2 De La Salle Brothers of the Philippines – a professed member of the Institute of the Brothers of the Christian Schools
4.3 Donor/s - an individual or Organization who give money, goods or something of value to DLSBI;
4.4 Beneficiary/scholar– An individual who receives a grant, aid, or payment to support their education. They are processed by a De La Salle Philippines school by endorsement by the Advancement Unit (AdVu), Lasallian Missions Services (LMS), and the Social Actions Unit (SAU). In certain cases, individuals may approach DLSBI to apply for air/beneficiary/scholarships, providing their personal information;
4.5 Volunteers- an individual who performs or offers to perform voluntary service for DLSBI and its projects;
4.6 Parent – a father or a mother of a student or a beneficiary/scholar or volunteer;
4.7 Guardian - an individual appointed or designated to be legally responsible for a student or beneficiary/scholar in behalf of his/her parent/s
4.8 Employees – all employees of DLSBI (regardless of type of employment), includes Administrators, Project-based agents, Contractual employees, Agency Hired and Consultants;
4.9 Former employees – employees who are retired, resigned, terminated or whose contract has ended;
4.10 Alumni/Alumnae – a graduate of a DLSBI / DLSP school
4.11 Email Users– an individual assigned with an official or subdomain email (@delasalle.ph or @”subdomain”.delasalle.ph) with De La Salle Philippines.
4.12 Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data;
4.13 Website Visitors - individuals who access and interact with our website, whether or not they make a purchase or submit personal information. This includes users who browse, view, or use any features or services available on the site
4.14 Event Guests and Visitors - individuals who attend or participate in an event hosted or organized by us, either in-person or virtually. This may include attendees who register or do not register, RSVP, or interact with event-related content.
4.15 Processor – individual/department/unit which processes personal data in behalf of DLSBI;
4.16 Personal Information Controller (PIC) – refers to DLSBI, who controls the collection, holding, processing or use of personal data, including a person or organization who instructs another person or organization to collect, hold process, transfer or disclose personal information on his or her behalf;
4.17 Personal Information Processor (PIP) – refers to any natural or juridical person qualified to whom a personal information controller may outsource the processing of personal data pertaining to a data subject;
4.18 Personal Data – used when personal information, sensitive personal information and privileged information are referred to collectively;
4.19 Personal Information – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
4.20 Sensitive Personal Information – refers to personal information:
4.20.1 About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
4.20.2 About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for an offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
4.20.3 Issued by the government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
4.20.4 Specifically established by an executive order or an act of Congress to be kept classified.
4.21 Privileged Information – refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute as privileged communication or includes but not limited to information given by a client to a lawyer, by a patient to a doctor or by a counselee to a counselor;
4.22 Consent – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given in behalf of the data subject by an agent specifically authorized by the data subject to do so;
4.23 Privacy as a default setting – systems, processes or practices in DLSBI is designed to protect personal data automatically;
4.24 Privacy by Design – framework that dictates that privacy and data protection are embedded throughout the entire life cycle of processes, projects, systems and technologies in DLSBI, from the early design stage through deployment, use and ultimate disposal or disposition;
4.25 Privacy Management Plan – document that identifies specific, measurable goals and targets that identify how DLSBI will implement data privacy management for a period of time;
4.26 Data Protection Officer (DPO) – refers to the officer designated by DLSBI to monitor and ensure DLSBI’s compliance to the Data Privacy Act and other related laws and regulations and data privacy policies of DLSBI. The DPO is also the head of the Data Breach Response Team;
4.27 Data Breach Response Team – refers to a group of persons designated by DLSBI who are responsible for the following: evaluation of the security incident and deciding on action to be taken including but not limited to restoration of integrity of the information and communication system, mitigation and remediation of any result damage, and compliance with the reporting requirements; coordination with the different departments/units of DLSBI for the development of the overall incident response; implementation of the Data Privacy Security Incident Management Policy; reporting actions taken on instances of personal data breaches to the DLSBI Board of Trustees;
4.28 Personal Data Breach – refers to a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
4.29 Security Incident – refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for the safeguard that have been put in place;
4.30 Privacy Notice – is a notification in a format specified in the appendix of this policy, provided to individuals informing them of the use and purpose for collecting or
processing the personal data, and/or allows such individual to consent to such processing of data;
4.31 Direct Marketing – refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals. This does not mean it is addressed to a particular person by and but by using other types of personal data (e.g. email address, home address, mobile phone number, etc.)
4.32 Third Party Contractors – Any individual, organization, or entity that receives personal data from DLSBI pursuant to contract and other written agreement for purposes of providing services including but limited to data management or storage services.
5. Scope and Coverage
5.1 This policy applies to all departments and units of DLSBI, employees/personnel (regardless of classification), and third party contractors/processors who process personal information collected by DLSBI or on behalf of DLSBI. The personal data referred to in this policy is limited to those collected and processed by DLSBI. This policy applies to all personal data that DLSBI processes regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject.
5.2 This Policy applies to all personal information of Beneficiaries/Scholars, Parents/ Guardians, Alumni/Alumnae and Employee/Personnel that is collected, maintained or used by trustees, administrators, officers, employee/personnel, staff and third parties and contractors of DLSBI.
5.3 Personal information that are collected and processed from Beneficiaries/Scholars and applicants for aid/admission include but are not limited to the following:
5.3.1 Name
5.3.2. Date and place of birth
5.3.3. Name of parents/guardian
5.3.4. Address
5.3.5. Email address
5.3.6. Telephone/mobile number
5.3.7. Dates of attendance
5.3.8. Grade level
5.3.9. Previous educational Organization attended
5.3.10. Date of Graduation
5.3.11. Degrees/Awards/Honors/Beneficiaries/Scholarships/Grants received
5.3.12. Height and weight information of athletes
5.3.13. Performance records and participation in competitive events and officially recognized activities, sports, and organizations
5.3.14. Media: Photographs/Videos/Images of the individual or in groups
5.3.15. Recordings from closed-circuit television
5.4 Sensitive Personal Information that is collected from Beneficiaries/Scholars and applicants include the following:
5.4.1. Gender
5.4.2. Ethnicity
5.4.3. Religion
5.4.4. Disability/Special Education Needs Conditions
5.4.5. Grades
5.4.6. Disciplinary records
5.4.7. Guidance records
5.4.8. Health records
5.4.9. Financial records
5.4.10. Alien Certificate/Visa/ Passport information
5.4.11. Nationality
*Beneficiaries/Scholars who are 18 years old and below must gain his/her parent or guardian consent by signing a Minor’s Consent to Release Personal Information. In the case that sensitive personal information is collected, expressed written consent is required from the beneficiary/scholar(if the beneficiary/scholaris 18 years old and below).
5.5 Beneficiary/scholar personal information will be used for the following purposes:
5.5.1 Processing of Beneficiary/scholar application and enrolment
5.5.2 Maintaining Beneficiary/scholar records
5.5.3 Managing and evaluating beneficiary/scholar’s academic, deportment and behavioral progress
5.5.4 Providing personal advice and support
5.5.5 Managing accommodation services such as but not limited to participating in Physical Education classes and Beneficiary/scholar Intervention Programs
5.5.6 Maintaining safety and security
5.5.7 Issuance of Organization identification cards, certifications, transcript of records and the like
5.5.8 Providing access to the campus, library and other facilities/services including online access to the Organization’s Learning Management System
5.5.9 Providing ancillary services such as uniform, Identification Cards, Learning Management System access and account management, Video conferencing platforms, etc.
5.5.10 Providing medical/health services
5.5.11 Marketing and publicity of the Organization
5.5.12 Communicating official Organization announcements
5.5.13 Posting and/or publishing of academic, co-curricular and extra-curricular achievements in the Organization’s announcement boards, website, social media sites and publications
5.5.14 Providing venues in harnessing and featuring beneficiary/scholar talents and skills
5.5.15 Conducting research for the improvement of programs, services and facilities
5.5.16 Analyzing historical and statistical data
5.5.17 Maintaining directories and alumni/alumnae records
5.5.18 Application/Renewal of Beneficiaries/Scholarships/ Grants
5.5.19 Graduation/Commencement Exercises
5.5.20 Joining of Organization recognized competitions and athletic leagues
5.5.21 Processing of beneficiary/scholar application/ travel requirements for local and international outbound beneficiary/scholar programs and activities
5.5.22 Providing placement services for required on-the-job training/internship for Beneficiaries/Scholars
5.5.23 Responding to verifications whether an individual is a bona fide beneficiary/scholar or a graduate of the Organization and background checks
5.5.24 Complying with mandatory reportorial and other lawful requirements of government agencies (such as the Department of Education, Bureau of Immigration, Local Government Units, accrediting associations, etc.)
5.5.25 For membership and accreditation to associations and groups such as but not limited to Philippine Council for NGO Certification (PCNC), Philippine Accrediting Association of Schools, Colleges, and Universities (PAASCU), Private Education Assistance Committee( PEAC) and Catholic Educational Association of the Philippines (CEAP).
5.5.26 Processing of DLSBI Beneficiaries/Scholarship applications
5.6 Personal information of parents, guardians and/or alumni/alumnae that are collected by filling out DLSBI forms and processed include, but are not limited to, the following:
5.6.1 Name
5.9.2 Civil Status
5.9.3 Addresses
5.6.4 Email address
5.6.5 Telephone/mobile number
5.6.6 Financial information (beneficiary/scholar accounts status, for Beneficiaries/Scholarship grants application, etc)
5.7 Personal information collected from parents, guardians are for the following purposes:
5.7.1 Processing of beneficiary/scholar for school/benefits/aid/beneficiary/scholarship application
5.7.2 Communicating official Organizational announcements/activities
5.7.3 Monitoring beneficiary/scholar accounts
5.7.4 Processing parental consent forms for official beneficiary/scholar Organization activities (local and international)
5.7.5 Reporting of beneficiary/scholar’s educational progress (if beneficiary/scholar is below 18 years old or if beneficiary/scholar is above 18 but has been given consent to parent)
5.7.7 Inviting alumni to participate in beneficiary/scholar formation activities and development programs
5.7.8 Media: Photographs/Videos/Images of the individual or in groups
5.8 Personal information that are collected and processed from De La Salle Brothers of the Philippines, volunteers, employees/personnel and applicants for employment which includes, but are not limited to, the following:[1]
5.8.1 Name
5.8.2 Date and place of birth
5.8.3 Address
5.8.4 Email address
5.8.5 Telephone/mobile number
5.8.6 Degrees/School/Course/Dates of attendance
5.8.7 Awards/Honors/Beneficiaries/Scholarships/Grants received
5.8.8 Previous School/Position/Dates of employment
5.8.9 License type/Date passed/License number/current status of license
5.8.10 Professional membership organization/Date of membership
5.8.11 Seminars attended/Inclusive dates
5.8.12 Published works
5.8.13 Dependents’ name/date of birth
5.8.14 Photographs/Videos/Images of individual or in groups
5.8.15 Recordings from closed-circuit television
5.9 Sensitive Personal Information that is collected from De La Salle Brothers of the Philippines, volunteers, employees/personnel and applicants include the following:
5.9.1 Gender
5.9.2 Ethnicity
5.9.3 Religion
5.9.4 Marital Status
5.9.5 Disability/Special Needs Conditions
5.9.6 Disciplinary records
5. 9.7 Evaluation records
5.9.8 Health records
5.9.9 Financial records
5.9.10 Alien Certificate/Visa/ Passport information
5.19.11 Nationality
In case sensitive personal information is collected, expressed written consent is required from the personnel.
5.10 Personal information collected from employees/personnel and applicants is for the following purposes:
5.10.1 Processing of employment application
5.10.2 Job matching
5.10.3 Maintaining personnel records
5.10.4 Compliance with statutory requirements
5.10.5 Providing assistance to foreign workers
5.10.6 Providing access to campus and other facilities
5.10.7 Providing access to online and SMS services
5.10.8 Monitoring of personnel movements
5.10.9 Processing job ranking and promotion
5.10.10 Providing personal growth and development opportunities
5.10.11 Payroll management
5.10.12 Benefits management
5.10.13 Grants management
5.10.14 HMO management
5.10.15 Issuance of Organization Identification Cards and Certificate of Employment and the like
5.10.16 Ranking/Levelling
5.10.17 Performance evaluation
5.10.18 Awards and Recognition
5.10.19 Maintaining safety and security
5.10.20 Communicating official Organization announcements
5.10.21 Marketing and publicity of the Organization
5.10.22 Data analytics for strategic planning
5.10.23 Compliance to authorizing and accrediting bodies
5.10.24 Research for improvement of programs, services and facilities
5.10.25 Joining of Organization activities
5.10.26 Posting and/or publishing of personal achievements and/or involvement in Organization achievements in Organization’s announcement boards, website, social media sites and publications
5.10.27 Providing personal advice and support
5.10.28 Maintaining directories of employee records, responding to employment verifications
5.10.29 Mandatory or voluntary retirement
5.11 Personnel personal information is shared internally within the Organization when appropriate to meet legitimate purposes. Data will only be shared between employees who have the official need to have access to it. All Employees/Personnel of the Organization shall maintain confidentiality of all personal data that come to their knowledge and possession, even after resignation/retirement, termination of contract, or other contractual relations. Personal data under the custody of the Organization shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
5.12 Personnel personal information is also shared externally on a need-to-know basis with the following:
5.12.1 Government agencies (Department of Education (DepEd), DOLE, BIR, SSS, PhilHealth, Pag-Ibig, NPC, DSWD etc.) for purposes of regulation and compliance to the law.
5.12.2 Accrediting agencies such as Philippine Accrediting Association of Schools, Colleges and Universities (PAASCU) for purposes of accreditation
5.12.3 Catholic Educational Association of the Philippines (CEAP) for purpose of retirement contributions
5.12.4 Health Maintenance Organization (HMO) for health/medical insurance
5.13 Personal information that are collected and processed from donors include but are not limited to:
5.13.1 Name
5.13.2 Email Address
5.13.3 Mobile Number
5.14 Sensitive personal information that are collected and processed from donors include but are not limited to:
5.14.1 Gender
5.14.2 Date of Birth
5.14.3. Address
5.15 Donors personal information will be used for the following purposes
5.15.1 Mailing
5.15.2 Fundraising opportunities
5.15.3 Birthday greetings
5.15.4 Anonymized Analysis and Fundraising Strategies
5.15.5 Statistical Study and Report
5.16 Personal information collected and processed from Website Visitors are, but not limited to:
5.16.1 Name
5.16.2 Email Address
5.16.3 Phone number
5.16.4 Mailing Address
5.16.5 Via Cookies:
5.16.5.1 IP Address
5.16.5.2 Browser Type
5.16.5.3 Device Type
5.16.5.4 Operating System
5.16.5.5 Geographic Location
5.16.5.6 Information about how visitors interact with our website, including pages viewed, links clicked, and time spent on the site.
5.16.6.Communication Data:
5.16.6.1 Any information shared when visitors reach out through contact forms, customer service inquiries, or feedback.
5.16.6.2 Additional information provided in the course of communication thread.
5.17 Personal information collected and processed from Events Guests and Visitors are, but not limited to:
5.17.1 Name
5.17.2 Email Address
5.17.3 Phone Number
5.17.4 Dietary Restrictions
5.17.5 Accessibility Needs
5.17.6 Vehicle Model and Plate (for parking purposes)
5.17.7 Media Recordings During Event
5.17.7.1 Photographs
5.17.7.2 Video Recordings
5.17.7.3 Audio Recordings
5.18 Sensitive Personal information collected and processed from Events Guests and Visitors are, but not limited to:
5.18.1 Government Issued IDs (for access of guest room accommodation)
5.18.2 Passport (for assistance in booking flights if applicable)
5.18.3 Flight Details (for assistance in land transportation accommodation if applicable)
6. Guideline Statements
6.1 Data Privacy Security Roles and Responsibilities of Employees/Personnel and Volunteers
6.1.1 All past, present and prospective employees/personnel, probationary and regular/permanent employees/personnel, volunteers, contractors, consultants and trainees shall implement their duties and act in accordance with the DLSBI Data Privacy Policy, Information Security policies and related policies.
6.1.2 All shall protect information security assets from unauthorized access, disclosure, modification, loss, destruction or interference.
6.2 Guidelines for Employees/Personnel
6.2.1 Pre-Employment Screening
6.2.1.1 The Organization collects necessary personal information from applicants for employment by filling out application forms with photographs and submitting them together with other documents (resume or curriculum vitae) to the Human Resource Development Services (HRDS).
6.2.1.2 Background verification checks on permanent and temporary employee/personnel and contractors must be carried at the time of processing job applications, especially if a role involves handling information or is in a position of considerable authority. If necessary HRDS shall acquire a consent from the applicant to do background verification.
6.2.1.3 Background verification checks shall be in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, and the perceived risks.
6.2.1.4 All final candidates for employment shall be required to undergo and successfully complete pre-employment screening prior to being employed.
6.2.1.5 Prior to onboarding, additional documents containing personal information (original PSA birth certificate, original PSA marriage certificate, original or certified true copy of transcript of records, certified true copy of diploma, original NBI Clearance, original barangay clearance, photocopy of SSS, Philhealth, Pag-ibig IDs, BIR form 2316, medical exam results, photocopy of PRC license, certificate of employment from previous employer, and all applicable supporting document to engage in contract), is collected by the HRDS.
6.2.2 Terms and Conditions of Employment Contract
6.2.2.1 Successful applicants will be asked to sign a contract as well as the Confidentiality and Non-Disclosure Agreement, the DLSBI Personnel Data Privacy Consent Form, and Media Release Form. Once hired, HRDS encodes the personal information into their database which may be shared with authorized offices on a need-to-know basis.
6.2.2.2 All Employees/Personnel and third-party contractors are required to sign Confidentiality and Non-Disclosure Agreement, the DLSBI Personnel Data Privacy Consent Form, and Media Release Form of work undertaken during their terms of employment/contract respectively.
6.2.2.3 Employees/Personnel are responsible for notifying the HRDS for any change in their personal information like change of status and contact information on a timely basis. HRDS may require additional documents to support the updates such as marriage certificate for those newly married, birth certificate for new dependents, certified true copy of diploma for the new graduates, or copy of PRC license for those newly licensed, etc.
6.2.2.4 Employees/Personnel shall submit additional documents for ranking, awards and promotion purposes. This may include journals/books published, research papers, proof of seminars conducted/facilitated/attended, and the like.
6.2.2.5 Foreign Employees will be asked to submit personal documents such as passport and visa so that the Organization can assist them in acquiring proper work permits.
6.2.3 Health Maintenance Organization and Annual Physical Examination
6.2.3.1 Full-time Employees/Personnel are automatically enrolled in the Organization’s chosen Health Maintenance Organization (HMO). Consultants have an option to enroll. Employees/Personnel who enroll their dependents will be required to fill out an enrollment form and provide personal information of the dependent. All employees and their dependents who avail of the HMO are required to sign an HMO Consent and Waiver Form.
6.2.3.2 All regular employees are required to participate in an Annual Physical Exam. The diagnostics laboratory will send and share the medical results with the HRDS. The results may include, but are not limited to, physical exam, complete blood count, chest xray, drug test, electrocardiogram, and pap smear.
6.2.4 Leave Benefits
Employees/Personnel are required to provide essential information and medical documents when necessary for filing of leave benefits (Emergency leave, Sick Leave, Vacation/Service Leave, Solo Parent Leave, Special Leave Without Pay, Sabbatical Leave, Birthday Leave).
6.2.5 Community Support
The employees/personnel may voluntarily provide additional necessary information such as medical condition, bank account information and mobile wallet application account which will be shared to the community should they prefer to solicit community support.
6.2.6 Local and International Travel
Employees/personnel and Volunteers may be asked to provide personal documents such as passport, visa, medical clearance and the like when they join an Organizational activity or get an endorsement from the Organization to participate in an activity that involves travelling.
6.2.7 Study Grant and Study Leave
Employees/personnel who would like to apply for benefits (study grant, study leave, training, etc.) will be asked to fill out a form that may include pertinent personal information needed for performance school verification and approval.
6.2.8 Performance Evaluation
Employees/Personnel are regularly evaluated by their supervisors, peers and their clients and the results are kept on file.
6.2.9 Organizational Services and Activities
While working for the Organization, the employee/personnel may be asked for some of his or her personal information to access services in the Organization (for example: Accounting Services Unit, De La Salle Brothers’ events, etc.) The employee/personnel may also be asked for some personal information to be involved in certain activities of the Organization (for example: retreats, seminars, workshops, social action, formation sessions, etc.)
6.2.10 Grievance and Disciplinary Cases
HRDS keeps track of grievances and on-going disciplinary cases against faculty and personnel. Incident Reports and case decisions are kept on file and shall only be shared with authorized persons/offices on a need-to-know basis.
6.2.11 Retirement or Separation
Upon resignation or retirement (mandatory or voluntary), employee/personnel will either submit a resignation letter or file and sign a retirement application including exit interview form, Waiver and Quitclaim and Release
6.3 Transparency, Legitimate Purpose, and Proportionality
6.3.1 Personal data collected shall be processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
6.3.1.1 Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal information, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal information should be easy to access and understand, using clear and plain language. The processor is required to provide detailed, specific information to data subjects whether the information was collected directly from data subjects or indirectly from other sources. The data subject must be informed through an appropriate privacy notice.
6.3.1.2 The processing of information shall be compatible with a declared and specified purpose. It must not be contrary to law, morals, or public policy. Personal data must not be further processed in any manner incompatible with the original purpose/s. If the personal information will be used for a new, different or incompatible purpose, the data subject needs to give his/her consent.
6.3.1.3 Proportionality. The processing of personal data shall be adequate, relevant, suitable and necessary in relation to the purposes for which it is processed. It should not be excessive. Large volumes of personal data not relevant to purposes for which they were intended to be processed should not be collected.
6.3.2 All processors or users of personal data within DLSBI shall only process the information fairly, lawfully and for specified purposes. These restrictions are not intended to prevent processing, but to ensure that DLSBI processes personal information for legitimate purposes without prejudicing data subject rights.
6.4 Lawful Processing
6.4.1 Lawful processing of personal information can be any of the following:
6.4.1.1 Data subject has given his or her consent prior to the collection, or as soon as practicable and reasonable; if data subject is below 18 years old, his parent or legal guardian as provided in his Organization records shall be his representative;
6.4.1.2 The processing is required due to a contract;
6.4.1.3 It is necessary due to a legal obligation;
6.4.1.4 The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;
6.4.1.5 The processing is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law; and
6.4.1.6 The processing is necessary to pursue the legitimate interests of DLSBI, or by a third party to whom the personal information is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject under the Philippine Constitution.
6.4.2 Lawful processing of sensitive personal information or privileged information can be any of the following:
6.4.2.1 Data subject has given his or her consent prior to the processing; if data subject is below 18 years old, his parent or legal guardian as provided in his Organization records shall be his representative;
6.4.2.2 The processing is provided for by existing laws and regulation, provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;
6.4.2.3 The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
6.4.2.4 The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations provided that:
6.4.2.5 Processing is confined and related to the bona fide members of these organizations or their associations;
6.4.2.6 The information is not transferred to third parties; and
6.4.2.7 Consent of the data subject was obtained prior to processing.
6.4.2.8 The processing is necessary for the purpose of medical treatment: Provided that it is carried out by a medical practitioner or a medical treatment Organization, and an adequate level of protection of personal data is ensured.
6.4.2.9 The processing of the information is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.
6.5 Data Privacy Security Awareness, Education and Training
All De La Salle Brothers of the Philippines, Donors, Beneficiaries/Scholars, Parents, Guardian, Volunteers, Alumni/Alumnae and Employees/Personnel shall be adequately trained in Data Privacy security procedures and the correct use of Information Technology facilities.
6.5.1 Security Measures for Protection of Personal Information
6.5.1.1 Organizational Measure
6.5.1.1.1 The Organization shall conduct a regular Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
6.5.1.1.2 DLSBI shall appoint a Data Protection Officer and such appointment shall be registered with the National Privacy Commission
6.5.1.1.3 DLSBI shall adopt the Privacy by Design (PbD) Framework in processing personal data.
6.5.1.1.4 DLSBI shall develop a Privacy Management Plan.
6.5.1.1.5 Each office, department and unit shall accomplish a Data Processing System Inventory (DPS), Privacy Impact Assessment and Privacy Risk Map for each of their process, project, system or technology that processes personal data (new or existing).
6.5.1.1.6 All heads of departments are responsible for ensuring that all employees/personnel within their area of responsibility, comply with this policy and should develop their own data privacy guidelines to implement appropriate practices, processes and controls and training to ensure compliance within their offices/units/ departments.
6.5.1.1.7 DLSBI shall be responsible for selecting and supervising its employees, agents, or representatives, particularly those who will have access to personal data.
6.5.1.1.8 All employees will be asked to sign a Confidentiality and Non-Disclosure Agreement.
6.5.1.1.9 All employees with access to personal information shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
6.5.1.1.10 Data privacy protection shall be part of an employee’s term and conditions of employment, breach of data privacy policy due to unauthorized access misuse or loss may result in disciplinary action up to and including dismissal. This obligation shall continue even after transferring to another position, or upon terminating their employment or contractual relations.
6.5.1.1.11 DLSBI through the Data Protection Office and management shall provide capacity building, orientation or training programs personnel regarding privacy or security policies. There shall be mandatory training on data privacy and security at least once a year for personnel directly involved in the processing of personal data. Their heads of departments/units shall ensure their attendance and participation in relevant training and orientations regularly.
6.5.1.1.12 The Data Protection Officer will do periodic audits to ensure compliance with this policy and the DPA.
6.5.1.1.13 DLSBI through appropriate contractual agreements, shall ensure that its Personal Information Processors (PIP), where applicable, shall also implement the security measures required by the DPA and its implementing rules and regulations (IRR). It shall only engage those personal information processors that provide sufficient guarantees to implement appropriate security measures specified by the DPA and its IRR, and ensure the protection of the rights of the data subject.
6.5.1.1.14 Usage of Organization issued devices shall be restricted to official business purposes. Personnel must be aware and accept the terms and conditions of use, which must include the adoption of adequate and appropriate information security measures.
6.5.1.1.15 Off-site computer usage, whether at home or at other locations, may only be used with the authorization from the office/department Head and monitoring of software and web based permissions for cybersecurity.
6.5.1.1.16 Personnel who are issued with portable computers and who intend to travel for work purposes must be made aware of the information security issues relating to portable computing facilities and implement the appropriate safeguards to minimize the risks.
6.5.1.1.17 Due to the nature of the device being mobile and that at times it is outside the protected premises of the Central House Administration (CHA / Head Office), the custodian must take care of all information on the device as well as prevent unauthorized personnel from accessing the information on the device.
6.5.1.1.18 Personnel are prohibited from tampering or making any modification or changes to the device’s technical specifications. Should there be a need for upgrade, the personnel should coordinate with the Communications and Resources Services (CoRe) for assessment and approval.
6.5.1.1.19 Personnel are prohibited to install any unauthorized, unlicensed or pirated software/applications in the device. Unauthorized software refers to software not allowed by the Organization regardless of its license status.
6.5.1.1.20 To ensure the availability of software upon release of the device, HRDS will coordinate with the immediate heads and/or directors regarding the required software of specific personnel items. Should there be a need to install a particular software or application needed for classroom instruction and/or work-related tasks, the personnel should raise a request, only upon endorsement of the immediate supervisor, through Communications and Resources Services (CoRe) for assessment and approval.
6.5.1.1.21 Devices are not to be used to make sound recordings without the consent of all persons being recorded. Recordings must be disposed of based on DLSBI data retention and disposal guidelines.
6.5.1.1.22 It is the sole responsibility of the custodian to back-up their own data. Back-up methods include storage in cloud–based services. Backups on external storage shall be allowed on Organizationally issued storage devices.
6.5.1.1.23 CoRe shall ensure that issued devices are updated with softwares such as anti-virus, anti-malware and the like, and maintain cybersecurity controls.
6.5.1.1.24 The Organization shall have the right to monitor the use of issued devices using a variety of methods to ensure compliance with Organizational policies. Deletion and tampering of system logs is prohibited.
6.5.1.1.25 Issued devices remain to be a Organization property and are considered a fixed asset. The personnel assigned these devices shall be considered as the custodian of the device.
6.5.1.1.26 If the device is returned by the custodian, CoRe shall manage/clean the device before it becomes part of the pool for distribution to other eligible personnel in the program.
6.5.1.2 Physical Security Measures
6.5.1.2.1 Personal data in the custody of the Organization may be in digital/electronic format and paper-based/physical format.
6.5.1.2.2 All personal data processed by the Organization shall be stored in the office/department who owns the data. Paper based documents shall be kept in a locked filing cabinet while the digital/electronic files stored in computers/servers provided and installed by the Organization shall be secured by password/s and digital devices should be turned off, locked and stored carefully when not in use.
6.5.1.2.3 Only authorized personnel shall be allowed to have access to personal data stored in offices/departments. Other personnel may be granted access upon filing of an access request form with the Office/Department Head and the latter’s approval thereof.
6.5.1.2.4 All employees/personnel shall not be allowed to take out physical files from the office except for a legitimate purpose and with written permission from the Office/department Head.
6.5.1.2.5 All employees/personnel authorized to access the data must register with the online registration platform or access logbook. They shall indicate the date, time, duration, and purpose of the access.
6.5.1.2.6 Computers shall be positioned with considerable spaces between them to maintain and protect the processing of personal data. If in a work from home set-up, the personnel shall create workspaces in private areas and make sure that unauthorized or accidental viewing by others is avoided.
6.5.1.2.7 The Organization’s work areas chosen to locate computers and to store data shall be suitably protected from physical intrusion, theft, fire, flood and other hazards.
6.5.1.2.8 The Organization’s premises shall be safeguarded against unlawful and unauthorized physical intrusion.
6.5.1.2.9 When moving and deploying computers and other hardware, suitable precautions shall be taken to guard against the environmental threats of fire, flood and excessive ambient temperature / humidity.
6.5.1.2.10 All the Organization’s premises shall be protected from unauthorized access using ID cards and security cameras to monitor movements.
6.5.1.2.11 Secure areas are set up and designed in a way suitable to protect the sensitive and critical information and/or assets being safeguarded.
6.5.1.2.12 Access to delivery and loading areas and other similar areas shall be restricted to identified and authorized personnel.
6.5.1.3 Technical Measures
6.5.1.3.1 The Organization shall implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access.
6.5.1.3.2 Where appropriate DLSBI shall adopt the following measures:
6.5.1.3.3 Info Security, IT Security and Information Systems Policy with respect to the processing of personal data;
6.5.1.3.4 Design and implement safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
6.5.1.3.5 The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
6.5.1.3.6 Regular monitoring for security incidents/breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
6.5.1.3.7 The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
6.5.1.3.8 A process for regularly penetration testing, assessing, and evaluating the effectiveness of security measures;
6.5.1.3.9 Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.
6.5.1.4 Organization issued devices are protected by security settings and features adopted by the Organization. At the minimum, personnel should not disclose Organization credentials and passwords to unauthorized individuals.
6.5.1.4.1 Information and data stored on laptops or portable computers must be backed up regularly in a secure device. It is the responsibility of the user to ensure that this takes place on a regular basis.
6.5.2 Email Use
6.5.2.1 De La Salle Email Account
6.5.2.1.1 The official De La Salle email account should be used for official Organization affairs and official transactions only.
6.5.2.1.2 The email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair, color, disabilities, age, sexual orientation, pornography, religious beliefs and practices, political beliefs, or national origin. Email Users who receive any emails with this content from any member of the DLSBI community should report the matter to the Communications and Resources Service (CoRe)
6.5.2.1.3 Using a reasonable amount of resources for personal emails by the Email User is acceptable, but non-Organizational related email shall be saved in a separate folder from the Organization related email. Sending chain letters, joke emails and the like is prohibited.
6.5.2.1.4 Virus or other malware warnings and mass mailings shall be reported by CoRe before sending. These restrictions apply to the forwarding of mail received by a Email Users.
6.5.2.1.5 Email Users shall have no expectation of privacy in anything they store, send or receive on the Organization’s email system. CoRe may monitor data without prior notice. However, CoRe is not obliged to monitor email messages and data.
6.5.2.1.6 Email Users must exercise utmost caution when sending any email from inside to an outside network.
6.5.2.1.7 Upon resignation, the employee’s email account shall be deactivated, unless superseded by a request from management.
6.5.2.1.8 Email communication by Email Users should contain a DLSBI email disclaimer.
6.5.2.2 Data Protection Officer (DPO)
6.5.2.2.1 The Organization shall designate a Data Protection Officer.
6.5.2.2.2 Functions of the DPO or any other responsible personnel with similar functions.
6.5.2.2.3 The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol and the inquiry and complaints procedure.
6.5.2.3 Review of Data Privacy
6.5.2.3.1 This Policy shall be reviewed and evaluated once every two (2) years. Privacy and security policies and practices within the Organization shall be updated to remain consistent with the current data privacy best practices.
6.5.2.3.2 Recording and documentation of activities carried out by the DPO, or the Organization itself to ensure compliance with the DPA, IRR and other relevant policies.
6.5.2.3.3 There shall be a detailed and accurate documentation of all activities, projects and processing systems of the Organization, to be carried out by the Data Protection Officer.
6.5.2.4 Incident Management
6.5.2.4.1 The Data Protection Officer shall oversee the compliance of the Organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol and the inquiry and complaints procedure.
6.5.2.4.2 All security incidents shall be reported through the Data Protection Officer and Data Breach Response Team immediately upon the discovery of the incident. This shall be followed by a written incident report.
6.5.2.4.3 All access logs containing the username, time of access, duration of use for all users who access the network shall be kept and shall be provided to management or authorized governmental authorities in case of any official investigations.
6.5.2.4.4 Incident Response Process applies to any unlawful, unauthorized or any unacceptable action that involves a computer system or computer network within the Organization. Examples of such security incidents, includes but is not limited to the following:
6.5.2.4.4.1 Computer virus or worm outbreak;
6.5.2.4.4.2 Theft of trade secrets;
6.5.2.4.4.3 Unauthorized disclosure or access to confidential information/personal data;
6.5.2.4.4.4 Email spam or harassment;
6.5.2.4.4.5 Unauthorized or unlawful intrusion into computing systems;
6.5.2.4.4.6 Embezzlement;
6.5.2.4.4.7 Denial of service (DOS) attacks;
6.5.2.4.4.8 Extortion; and
6.5.2.4.4.9 Any unlawful action where the evidence of such action may be stored on computer media such as fraud, threats, and traditional crimes.
6.5.2.5 Monitoring for Security Breaches
The Organization shall use an intrusion cybersecurity detection system to monitor security breaches and alert the Organization of any attempt to interrupt or disturb the system.
6.5.2.6 Security Features of the Software/s and Application/s Used
6.5.2.6.1 The Organization shall first review and evaluate software application before the installation thereof in computers and devices of the Organization to ensure the compatibility of security features with overall operations.
6.5.2.6.2 The Organization shall do regular testing, assessment and evaluation of effectiveness of security measures
6.5.2.6.3 The Organization shall review security facilities, conduct vulnerability assessments and perform penetration testing within the Organization on a regular schedule to be prescribed by Communications and Resources Services (CoRe).
6.5.2.6.4 The Organization shall apply encryption, authentication process, and other technical security measures that control and limit access to personal data
6.5.2.6.5 Each personnel with access to personal data shall verify his or her identity using an encrypted link and multi-level authentication.
6.5.2.7 Breach and Security Incidents
The Organization shall develop and implement policies and procedures for the management of a personal data breach, including security incidents.
6.5.2.8 Creation of Data Breach Response Team
6.5.2.8.1 A Data Breach Response Team of at least five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effect of the breach.
6.5.2.8.2 The Data Breach Response Team is composed of the following:
6.5.2.8.2.1 Executive Director of Central House Administration – to ensure management’s commitment to breach response planning and execution
6.5.2.8.2.2 Director of Communications and Resources (Communications and I.T) – to ensure an accurate account of any issues is communicated to stakeholders and the press, to work directly with the affected network to research the time, location, and details of a breach. To ensure that digital and technological related data and activities are investigated
6.5.2.8.2.3 Data Protection Officer – to ensure that any evidence collected maintains its value in the event that the company chooses to take legal action and also provide advice regarding liability issues when an incident affects data subjects and/or the general public
6.5.2.8.2.4 Head Administrator of the Source of Breach – to ensure that there is cooperation in the investigation and securing evidence in his office, department or unit.
6.5.2.8.2.5 Director of Administrative Services – to conduct investigation in cases of physical break-in.
6.5.2.8.2.6 I.T. Officer – to ensure that digital and technological related data and activities are investigated
6.5.2.9 Measures to Prevent and Minimize Occurrence of Breach and Security Incidents
The Organization shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend training and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the Organization.
6.5.2.10 Disciplinary Process for Breach of Security
Any violation of Organization Data Privacy and information security policies shall be appropriately dealt with through a formal disciplinary process as provided in the Organizational Operations Manual (IOM) or Beneficiary/scholar / Volunteer Formation Handbook, and in this policy.
Severity Level
Description of Breach
Examples
Potential Penalties
Corrective Actions
Minor Breach
A breach with minimal impact on data security or individuals' privacy.
- Unauthorized access to non-sensitive data.
- Accidental sharing of data without malicious intent.
- Temporary loss of access to data with no significant harm.
- Verbal warning
- Mandatory retraining on data privacy policies.
- Written reprimand in the employee's record.
- Review and reinforce data protection training.
- Update internal procedures to prevent recurrence.
Major Breach
A breach with significant impact on data security, the organization, or data subjects.
- Exposure of sensitive (SPI) or personally identifiable information (PII) to unauthorized parties.
- Deliberate or negligent actions leading to a serious breach of privacy.
- Failure to follow established data security protocols leading to substantial harm.
- Suspension (temporary) without pay.
- Formal written warning.
- Demotion or reassignment (depending on severity).
- Potential financial penalty (if applicable).
- Comprehensive internal investigation.
- Immediate corrective actions to secure systems.
- Ongoing monitoring for compliance.
- Legal consultation if required.
Severe Breach
A breach with critical consequences, potentially resulting in legal or regulatory action.
- Intentional misconduct or negligence leading to widespread damage or data theft.
- Breach affecting a large number of individuals or involving sensitive financial, medical, or personal data.
- Violation of data privacy laws or regulatory requirements (e.g., Data Privacy Act 2012, GDPR).
- Immediate termination of employment.
- Legal action, including potential fines and lawsuits.
- Report to regulatory authorities (if required).
- Full internal audit of data handling practices.
- Possible external legal investigation.
- Strengthened security measures and policies.
- Mandatory re-evaluation of the company's data privacy policies and procedures.
Disciplinary Process for Breach of Security Matrix A
6.5.2.11 Privacy Notices
DLSBI and all departments and units processing personal data must provide data subjects with a privacy notice to inform them how and for what purpose their personal data is processed. These notices may be in the form of general privacy statements applicable to specific groups of individuals or may be stand alone, one-time privacy statements covering processing related to a specific purpose. A template and guidance for privacy notices are found in the Annex “A” of this policy.
6.5.2.12 Data Retention and Disposal Procedure
6.5.2.12.1 The Organization shall retain personal data in accordance with its data retention policy. Upon expiration of the set periods, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.
6.5.2.12.2 Personal information must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all personal information, whether held on core systems, local PCs, laptops or mobile devices or held on paper.
6.5.2.12.3 If the data is no longer required, it must be securely disposed by shredding or by deletion.
6.5.2.12.4 The office, department or unit must set its own retention schedules based on legal and business requirements or based on industry practice.
6.5.2.13 Privacy by Design Framework (PbD)
6.5.2.13.1 By applying PbD framework DLSBI shall:
6.5.2.13.2 Take a proactive rather than a reactive measure. It anticipates the risks and prevents privacy incidents before they occur.
6.5.2.13.3 Seek to deliver the maximum degree of privacy by ensuring personal information is automatically protected as a practice. No action on the part of the individual is needed in order to protect their privacy.
6.5.2.13.4 Embed PbD into the design and architecture of the IT system and business practices of DLSBI. Privacy shall be integrated into the system without diminishing DLSBI’s functions.
6.5.2.13.5 Seek to accommodate all legitimate objectives in a positive-sum “win-win” manner
6.5.2.13.6 Embed PbD into the system prior to the first element of information being collected and extends securely throughout the entire lifecycle of the data involved.
6.52.13.7 Seek to assure all stakeholders that whatever the business practice and technology involved is operating in accordance to the objectives of this policy
6.5.2.13.8 Require architects and operators to keep the interests of the individual primary by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
6.5.2.13.9 Require each department or unit to implement Privacy by Design measures when processing personal information, by implementing appropriate technical and organizational measures in an effective manner, to ensure compliance with data-protection principles. To further reduce the risks associated with handling personal information, whenever possible anonymization should be applied, if not possible, pseudonymization.
6.5.2.13.10 Ensure that data-handling practices default to privacy, in order to minimize unwarranted intrusions in privacy (e.g. by disseminating personal information to those who need to receive it to discharge their duties). Personal information should not be available to an indefinite number of persons.
6.5.2.14 Data Processing System (can be found here as Annex “B”)[MOU2]
6.5.2.14.1 Each department or unit shall regularly accomplish/update the Data Processing System (DPS). This is needed to be able to adopt a meaningful privacy management program to comply with the law. The PDI includes the following:
6.5.2.14.1.1 Personal data collected and processed
6.6.2.14.1.2 Purpose of the collection/processing of the personal data;
6.13.17.1.3. Owner of the personal data;
6.13.17.1.4. Legal basis of the collection/processing;
6.13.17.1.5. Storage location of data including third party systems and where their servers are located;
6.13.17.1.6. Mapping where the data goes from point of collection internally and externally;
6.13.17.1.7. Access control to data (read only or can edit)
6.13.17.1.8. Existing policies if there are any on use, disclosure, protection, back-up and disposal policies Period of retention of data and format of data
6.6.2.15 Privacy Impact Assessment
6.6.2.15.1 When considering new processing activities or setting up new procedures or systems that involve personal information, the office, department or unit must always consider privacy issues at the earliest stage and Privacy Impact Assessment (PIA) must be conducted. The PIA is a mechanism to identify and examine the impact of new initiatives and put in place measures to minimize or reduce risks during the design stages of a process and throughout the life cycle of the initiative. This includes implementing appropriate technical and organizational measures to minimize the potential negative processing can have on the data subjects’ privacy. This will ensure that privacy and data protection control requirements are not an afterthought. A template and guidance for PIA can be found here as Annex “C”.
6.6.2.15.2 A PIA should be conducted in the following cases:
6.6.2.15.2.1 the use of new technologies or changing technologies (programs, systems or processes);
6.6.2.15.2.2 automated processing including profiling;
6.6.2.15.2.3 large scale processing of sensitive data;
6.6.2.15.2.4 large scale and systematic monitoring of publicly accessible areas(e.g. CCTV)
6.6.2.15.3 A PIA must include:
6.6.2.15.3.1 Description of the program, project, process, measure, system or technology and including expected benefits which requires the collection of personal information;
6.6.2.15.3.2 Description of the information lifecycle including personal information data process flow;
6.6.2.15.3.3 Description of legal grounds for processing personal information including copies of forms used (e.g. consent forms); and
6.6.2.15.3.4 Identification of the privacy risks and type of risks.
6.6.2.16 Risk Map
6.6.2.16.1 A Risk Map is an assessment of the severity and likelihood of identified risks.
6.6.2.16.2 It includes a list of proposed controls with type (organizational, physical, or technical), estimated cost, and estimated implementation timeframe
6.6.2.17 Hiring Third Party Processors or Personal Information Processors (PIP)
6.6.2.17.1 Where external processors are hired to process personal information on behalf of DLSBI:
6.6.2.17.2 Personal Information Processor (PIP) must be chosen by DLSBI which provide sufficient guarantees about security measures to protect the processing of personal data;
6.6.2.17.3 DLSBI must take reasonable steps that security measures are in place; and
6.6.2.17.4 There should be a written contract (a data processing agreement) establishing what personal information will be processed and for what purpose, signed by DLSBI and the PIP.
6.6.2.18 Processing of Personal Information/Data for Research
6.6.2.18.1 Before researchers can process, collect and/or use any personal data as part of a research project, an appropriate legal basis for the processing of the data must be identified. It can be one of the following:
6.6.2.18.2 Informed and freely given consent, public interest, legitimate or contract
6.6.2.18.3 Research subject’s/participants’ data privacy shall be protected. This includes but are not limited to the following:
6.6.2.18.3.1 The research subjects must be aware how their data will be used and may object if they wish;
6.6.2.18.3.2 Personal data should be kept confidential and can only be shared with research subject’s permission;
6.6.2.18.3.3 There should be no substantial damage or distress to research subjects;
6.6.2.18.3.4 There should be data minimization. The processing of personal data should just be sufficient to fulfill the research purpose and should be relevant and limited to what is necessary;
6.6.2.18.3.5 There should be anonymizing or pseudonymization of data whenever possible;
6.6.2.18.3.6 Ensure the personal information is kept secured and only accessed by those authorized to do so.
7. Data Subject Rights
7. The DPA contains eight (8) data subject rights to which DLSBI must comply with:
7.1 Right to be informed
7.1.1 This applies whether personal information pertaining to the data subject shall be, are being, or have been processed. It includes any form of automated processing of personal information consisting of use of personal data.
7.1.1 Data subject is notified and furnished of the following before the entry of data subject’s personal information into the processing system of DLSBI as personal information controller, or at the next practical opportunity:
7.1.1.1 Description of the personal data to be entered into the system;
7.1.1.2 Purposes for which information are being processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
7.1.1.3 Basis of processing, when processing is not based on the consent of the data subject;
7.1.1.4 Scope and method of the personal information processing;
7.1.1.5 The recipients of the personal information or to whom it may be disclosed;
7.1.1.6 Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
7.1.1.7 The identity and contact details of the personal information controller or its Data Protection Officer (DPO);
7.1.1.8 The period for which the information will be stored; and
7.1.1.9 The existence of their rights as data subjects
7.2 Right to Object
7.2 .1 The data subject shall have the right to object to the processing of his or her personal information, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.
7.2.2 When a data subject objects or withholds consent, the processor shall no longer process the personal data, unless:
7.2.2.1 The personal data is needed pursuant to a subpoena;
7.2.2.2 The collection and processing are for obvious, legitimate purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
7.2.2.3 The information is being collected and processed as a result of legal obligation.
7.3 Right to Access.
7.3.1 The data subject has the right to reasonable access to, upon demand, the following:
7.3.1.1 Contents of personal information of the data subject that were processed;
7.3.1.2 Sources from which personal data were obtained;
7.3.1.3 Names and addresses of recipients of the personal information;
7.3.1.4 Manner by which such data were processed
7.3.1.5 Reasons for the disclosure of the personal information to recipients, if any;
7.3.1.6 Information on automated processes where the information will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
7.3.1.7 Date when his or her personal data concerning the data subject were last accessed and modified;
7.3.1.8 Until how long will his or her personal data be retained and the manner it will be disposed of
7.3.1.9 The designation, name or identity, and address of the personal information controller.
7.4 Right to Rectification/Correction
7.4.1 The data subject has the right to dispute the inaccuracy or error in the personal information and have DLSBI correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
7.4.2 If the personal information has been corrected, DLSBI shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. The recipients or third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.
7.5 Right to Erasure or Blocking
7.5.1 The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from DLSBI’s filing system. This right may be exercised upon discovery and substantial proof of any of the following:
7.5.1.1 The personal information is incomplete, outdated, false, or unlawfully obtained;
7.5.1.2 The personal information is being used for purpose not authorized by the data subject;
7.5.1.3 The personal information is no longer necessary for the purposes for which they were collected;
7.5.1.4 The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
7.5.1.5 The personal information concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
7.5.1.6 The processing is unlawful;
7.5.1.7 The processor violated the rights of the data subject;
7.5.1.8 In some circumstances, data subjects may not wish to have their personal information erased but rather have any further processing restricted. In limited situations, data subjects may object to further processing of their personal information.
7.5.1.9 In some circumstances, if personal data are incomplete, the data subject can also require DLSBI to complete the data or to record a supplementary statement.
7.6 Right to Data Portability
Where the personal information is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from DLSBI a copy of such information in an electronic or structured format that is commonly used and allows for further use by the data subject.
7.7 Right to Damages
The data subject may be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information, taking into account any violation of his or her rights and freedom as data subject.
7.8 Right to File a Complaint
7.8.1 Data subjects have the right to file a complaint. DLSBI through the DPO must respond to these requests within thirty (30) days. It is an offense to delete relevant personal information after the data subject’s access request has been received.
7.8.2 The lawful heirs and assigns of the data subject (e.g. parent of beneficiary/scholar) may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising his or her data subject rights.
7.8.3 Where the legal basis of processing is consent the data subject may withdraw such consent. However, the data subject needs to demonstrate valid and reasonable grounds for withdrawal relating to their particular situation.
7.8.4 Data subjects have the right to object to specific types of processing such as processing for direct marketing, research or statistical purposes. The data subject needs to present valid and reasonable grounds for objecting to the processing relating to their particular situation except in direct marketing where it is an absolute right. Individuals receiving these kinds of requests should not act to respond but instead contact the Data Protection Officer immediately.
7.9 Rights in Relation to Automated Decision Making and Profiling
In case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or not to be subjected to this type of decision making at all. These requests must be forwarded to the Data Protection Officer Immediately.
8. Record Keeping and Access
8.1 DLSBI shall keep full and accurate records of all its data processing activities. Offices, departments or units must keep and maintain accurate records reflecting DLSBI’s processing, including records of data subjects’ consents and procedures for obtaining consents, where consent is the legal basis of processing
8.2 These records should include, at a minimum, the name and contact details of DLSBI as Personal Information Controller (PIC) and of the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place
8.3 Records of personal data breaches must also be kept, setting out:
8.3.1 Facts surrounding the breach
8.3.2 Effects of the data breach; and
8.3.3 Remedial action taken
8.4 Access
8.4.1 Due to the confidential and at times sensitive nature of the personal data under the custody of DLSBI, only Organization officials who have a legitimate educational interest/legitimate interest have access to these records
8.4.2 An Organization official is:
8.4.2.1 A person employed by DLSBI in an administrative, supervisory, academic or research, security services, or support staff position, including health or medical staff and also clerical staff who have access to the beneficiary/scholar/personnel record;
8.4.2.2 A contractor, consultant, volunteer or other service provider with whom DLSBI has contracted as its agent to provide a service that would otherwise be performed by a DLSBI employee, such as (but not limited to) an attorney, auditor, healthcare provider and security agency;
8.4.2.3 An individual serving on an official committee, such as a disciplinary or grievance committee, or who is assisting another Organization official in performing his/her tasks; and
8.4.2.4 An individual serving in the Board of Trustees.
8.4.3 A Organization official has a legitimate educational interest/legitimate interest if the official is:
8.4.3.1 Performing a task that is specified in his/her position description or contract agreement;
8.4.3.2 Performing a task related to the discipline of a beneficiary/scholar/employee;
8.4.3.3 Providing a service or benefit relating to the beneficiary/scholar or beneficiary/scholar’s family or employee or employee’s family, such as health care, counselling, job placement, or financial aid discipline cases and;
8.4.3.4 Maintaining the safety and security of the campus.
8.5 Data Sharing
8.5.1 Beneficiary/Scholar/Employee personal information is shared internally within DLSBI when appropriate to meet legitimate purposes. Data will only be shared between employees who have the official need to have access to it. All employees of DLSBI shall maintain confidentiality of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations.
8.5.2 When personal information is transferred internally, the recipient must only process the information in a manner consistent with the original purpose for which the data is collected.
8.5.3 If personal information is shared internally for a new and different purpose, a new privacy notice should be provided to the data subject and if necessary acquire data subject’s consent.
8.5.4 When personal information is transferred externally, a legal basis must be determined and data sharing agreement/service legal agreement between DLSBI and the third party must be signed, unless disclosure is required by law, such as DepEd, Bureau of Internal Revenue, and Department of Labor and Employment.
8.5.5 If transferring personal information outside the Philippines, personnel involved in transferring personal information must inform the DPO first to ensure that appropriate safeguards are in place before agreeing to any such transfer. Personal information can be transferred in the following cases:
8.5.5.1 Data subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
8.5.5.2 The transfer is necessary for one of the other reasons set out in the EU General Data Protection Regulation (GDPR) including:
8.5.5.2.1 The performance of a contract between DLSBI and the data subject (e.g. volunteer program);
8.5.5.2.2 Reasons of public interest;
8.5.5.2.3 To establish, exercise or defend legal claims; or
8.5.5.2.4 To protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent.
8.5.6 DLSBI has a full range of standard transfer agreements and clauses and the data subject should seek guidance from the DPO at dpo@delasalle.ph before any transfer of personal data takes place.
8.6. Disclosure
8.6.1 Personal data under the custody of DLSBI shall be disclosed only pursuant to a lawful purpose, and to authorize recipients of such data. Personal information shall always be held securely and shall not be disclosed to any unauthorized third party either accidentally, negligently or intentionally
8.6.2 In the absence of consent, a legal obligation or other legal basis of processing, personal information should not generally be disclosed to third parties unrelated to DLSBI (e.g. Beneficiaries/Scholars’ parents, members of the public, private property owners). If a beneficiary/scholar is 18 years old and above, the Beneficiaries/Scholars’ parent/s and/or guardians do not have an automatic right to gain access to their child’s data unless their child has signed the consent form allowing them access to his/ her records.
8.6.3 Some government agencies have a statutory power to obtain information. Employees or Beneficiaries/Scholars should seek confirmation of any such power before disclosing personal data in response to a request. If the data subject needs guidance, he/ she should contact the DPO.
8.6.4 Without a search warrant subpoena, the law enforcement officers have no automatic right of access to records of personal information, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. In such cases, the law enforcement officers may contact the DPO for guidance.
8.7. Direct Marketing
8.7.1 Direct Marketing does not only cover the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For DLSBI, this will include notification about events, fundraising, selling of goods or services. Marketing covers all, such as contact by mail, telephone and electronic messages (emails and text messaging). The DLSBI must ensure that it complies with relevant legislations when it undertakes direct marketing and must cease all direct marketing activities if an individual requests it to stop.
9. Responsibilities of DLSBI
9. Responsibilities of DPO, DLSBI, Beneficiaries/Scholars, Volunteers and Employees
9.1. Responsibilities of the Data Protection Officer
9.1.1 The DPO shall in the performance of his/her tasks, have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing
9.1.2 The DPO is responsible for:
9.1.2.1 Advise DLSBI and the community (personnel and Beneficiaries/Scholars) of its obligation under the DPA;
9.1.2.2 Monitor compliance with the DPA, IRR, other relevant legislations and regulations, DLSBI’s policies on data protection and monitoring and training and audit activities related to data privacy;
9.1.2.3 Provide advice where requested on data privacy concerns; and
9.1.2.4 Cooperate with and act as the point of contact for the NPC.
9.1.3 As the Personal Information Controller (PIC), DLSBI is responsible for establishing policies and procedures in order to comply with the DPA and other relevant legislations and regulations.
9.2 Responsibilities of Employees/Personnel Processing Personal Information
9.2.1 Employees/Personnel processing personal information shall ensure that:
9.2.1.1 All personal information is kept securely;
9.2.1.2 No personal information is disclosed either verbally, in writing or electronically, accidentally or otherwise, to any unauthorized third party;
9.2.1.3 Personal information is kept in accordance with DLSBI’s retention schedule;
9.2.1.4 Any queries regarding data protection, including data subject’s access requests and complaints, are promptly directed to the Data Protection Officer;
9.2.1.5 Any data protection incidents are swiftly brought to the attention of the Data Protection Officer and support in resolving breaches;
9.2.1.6 Where there is doubt or uncertainty around a data protection concern, advice should be sought from the Data Protection Officer;
9.2.1.7 Where personnel are responsible for supervising Beneficiaries/Scholars and volunteers doing work which involves the processing of personal information (for example in research projects), they must ensure that those Beneficiaries/Scholars and volunteers are aware of the data protection principles.
9.2.1.8 Personnel who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Officer.
9.2.1.9 Heads of office, departments or units who employ contractors, short term or voluntary staff shall:
9.2.1.9.1 Ensure contractors, short term or voluntary staff sign a Confidentiality and Non-Disclosure Agreement;
9.2.1.9.2 Take all practical and reasonable steps to ensure that contractors, short term or voluntary staff do not have access to any personal information beyond what is essential for the work to be carried out properly;
9.2.1.9.3 Appropriately appraise Contractors, Short Term or Voluntary Staff for the data they will be processing;
9.2.1.9.4 Ensure that Contractors, Short Term or Voluntary Staff comply with the following:
9.2.1.9.4.1 Keep secure and confidential any personal data collected or processed in the course of work undertaken for DLSBI;
9.2.1.9.4.2 Return to DLSBI all personal data upon completion of the work, including any copies that may have been made;
9.2.1.9.4.3 Notify DLSBI of any disclosure of personal information to any other organization or any person who is not a direct employee of the contractor; and
9.2.1.9.4.4 Not to store nor process any personal data made available by DLSBI, or collected in the course of work outside the Philippines, unless a written consent to do so has been received by DLSBI.
9.3 Responsibilities of Volunteers and Employees/Personnel
9.3.1 Volunteers and Employees are responsible for:
9.3.1.1 Familiarizing themselves with the Privacy Notice provided when they register with DLSBI:
9.3.1.2 Ensuring that the personal information they provided to DLSBI are accurate and up to date;
9.3.1.3 Reporting Breach and/or Security Incidents.
9.3.1.4 Abiding with DLSBI policies and procedures for the management of a personal data breach, including incidents
9.4 Creation of Data Breach Response Team
9.4.1 A Data Breach Response Team of at least five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effect of the breach.
9.4.2 The Data Breach Response Team is composed of the following:
9.4.2.1 Executive Director of Central House Administration – to ensure management’s commitment to breach response planning and execution
9.4.2.2 Director of Communications and Resources (Communications and I.T) – to ensure an accurate account of any issues is communicated to stakeholders and the press, to work directly with the affected network to research the time, location, and details of a breach. To ensure that digital and technological related data and activities are investigated
9.4.2.3 Data Protection Officer – to ensure that any evidence collected maintains its value in the event that the company chooses to take legal action and also provide advice regarding liability issues when an incident affects data subjects and/or the general public
9.4.2.4 Head Administrator of the Source of Breach – to ensure that there is cooperation in the investigation and securing evidence in his office, department or unit.
9.4.2.5 Director of Administrative Services – to conduct investigation in cases of physical break-in.
9.4.2.6 I.T. Officer – to ensure that digital and technological related data and activities are investigated
9.4.2.6.1 DLSBI makes every effort to avoid data privacy security incidents, however, it is possible that such incidents will occur on occasions. Data privacy security incidents might occur through:
9.4.2.6.1.1 Accidental or unauthorized access to beneficiary/scholar, employee/personnel or third party personal information;
9.4.2.6.1.2 Unauthorized access of personal information from DLSBI’s server or through malicious attack;
9.4.2.6.1.3 Negligence (e.g. leaving a password list in a publicly accessible location;)
9.4.2.6.1.4 Policy or system’s failure;
9.4.2.6.1.5 Loss through negligence, theft or robbery of USB, personal computer, Organization- issued devices, any removable media containing one or more personal data;
9.4.2.6.1.6 Inadvertent exposure of personal data in the DLSBI website, social media or public document;
9.4.2.6.1.7 Accidental or unauthorized disclosure of personal data (e.g. via misaddressed correspondence or incorrect system permissions/filter failure);
9.4.2.6.1.8 Corruption or unauthorized modification of vital records (e.g. alteration of master records);
9.4.2.6.1.9 Computer system or equipment compromise (ex. virus, malware, denial of service attack);
9.4.2.6.1.10 Compromised IT user account (e.g. spoofing, hacking, shared password;
9.4.2.6.1.11 Break in at a location holding personal Information or containing critical information processing equipment such as servers.
9.5 Notification Protocol
9.5.1 Immediately upon knowledge and discovery of the Security Incident/Personal Data Breach, the employee/personnel, beneficiary/scholar or parent shall file a Data Breach Reporting Form within 24 hours from knowledge or discovery of personal data breach or he/she should immediately contact the DPO at dpo@delasalle.ph and follow the instructions in the personal data breach procedure as provided in the Data Privacy Incident and Breach Management Policy. All evidence relating to personal data breaches in particular must be retained to enable DLSBI to maintain a record of such breaches.
9.5.2 Based on the Data Breach Reporting Form, the Data Protection Officer (DPO) shall assess the reported incident and if verified that a breach has occurred, the DPO shall convene the Data Breach Response Team in case of data breach
9.5.3 The DPO shall report a data breach to the National Privacy Commission (NPC) if the personal information believed to have been compromised involves:
9.5.3.1 Information that would likely affect national security, public safety, public order, or public health;
9.5.3.2 At least one hundred (100) individuals;
9.5.3.3 Information required by applicable laws or rules to be confidential; and
9.5.3.4 Personal information of vulnerable groups.
9.5.4 The DPO shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report to be submitted to the DLSBI President and the National Privacy Commission, within the prescribed period.
9.5.5 The DPO and/or Head of the Data Breach Response Team shall inform the President’s Council of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law.
9.5.6 DLSBI shall implement measures to prevent and minimize future occurrence of breaches and security incidents
9.5.7 DLSBI shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitoring for security breaches and vulnerability scanning of computer networks.
9.5.8 Employee/Personnel directly involved in the processing of personal data must attend training and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in DLSBI.
9.5.9 Procedure for Recovery and Restoration of Personal Data DLSBI shall always maintain a back-up file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the back-up with the affected file to determine the presence of any inconsistencies or alteration resulting from the incident or breach.
9.6 Inquiries and Complaints
9.6.1 Every data subject has the right to reasonable access to his or her personal data being processed by the Organization.
9.6.2 Other Available Rights Include:
9.6.2.1 right to dispute the inaccuracy or error of the personal data;
9.6.2.2 right to request suspension, withdrawal, blocking, removal or destruction of personal data; and
9.6.2.3 right to complain and be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. Accordingly, there must be a procedure for inquiries and complaints that will specify the means through which concerns, documents, or forms submitted to the Organization shall be received and acted upon.
9.6.3 Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the Organization, including data privacy and security policies implemented to ensure the protection of their personal data. They may write to the Organization at dpo@delasalle.ph and briefly discuss the inquiry, together with details for reference.
6.24.4. Complaints shall be filed in three (3) printed copies, or sent to dpo@delasalle.ph. The concerned department shall confirm with the complainant its receipt of the complaint.
10. Sanctions and Penalties
10. 1 All employees processing personal data on behalf of DLSBI must read these guidelines and failure to comply with these guidelines may result in disciplinary and/or legal action. Disciplinary sanctions shall be in accordance with DLSBI’s Organizational Office Manual for employees/personnel and DLSBI’s Beneficiary/scholar Formation Handbook for Beneficiaries/Scholars.
Severity Level
Description of Breach
Examples
Potential Penalties
Corrective Actions
Minor Breach
A breach with minimal impact on data security or individuals' privacy.
- Unauthorized access to non-sensitive data.
- Accidental sharing of data without malicious intent.
- Temporary loss of access to data with no significant harm.
- Verbal warning
- Mandatory retraining on data privacy policies.
- Written reprimand in the employee's record.
- Review and reinforce data protection training.
- Update internal procedures to prevent recurrence.
Major Breach
A breach with significant impact on data security, the organization, or data subjects.
- Exposure of sensitive (SPI) or personally identifiable information (PII) to unauthorized parties.
- Deliberate or negligent actions leading to a serious breach of privacy.
- Failure to follow established data security protocols leading to substantial harm.
- Suspension (temporary) without pay.
- Formal written warning.
- Demotion or reassignment (depending on severity).
- Potential financial penalty (if applicable).
- Comprehensive internal investigation.
- Immediate corrective actions to secure systems.
- Ongoing monitoring for compliance.
- Legal consultation if required.
Severe Breach
A breach with critical consequences, potentially resulting in legal or regulatory action.
- Intentional misconduct or negligence leading to widespread damage or data theft.
- Breach affecting a large number of individuals or involving sensitive financial, medical, or personal data.
- Violation of data privacy laws or regulatory requirements (e.g., Data Privacy Act 2012, GDPR).
- Immediate termination of employment.
- Legal action, including potential fines and lawsuits.
- Report to regulatory authorities (if required).
- Full internal audit of data handling practices.
- Possible external legal investigation.
- Strengthened security measures and policies.
- Mandatory re-evaluation of the company's data privacy policies and procedures.
Disciplinary Process for Breach of Security Matrix A
10.1.1 Severity Assessment: Breaches should be assessed on a case-by-case basis by the company's data protection or compliance officer, considering the specific impact on data security, data subjects, and the organization.
10.1.2 Documentation: All breaches, regardless of severity, should be documented and reported according to company policy.
10.1.3 Transparency: Employees should be informed of the breach and the company’s response, including any disciplinary actions that may be taken.
Annexes
Annex A
Data Privacy Notice (Template)
Privacy Notice
De La Salle Brothers Inc. (DLSBI) respects your right to privacy and is committed to protect the confidentiality of your personal information thus has adopted necessary measures to secure it. DLSBI is bound to comply with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations and relevant issuances of the National Privacy Commission.
Information Processed
We collect your personal data that include those you provide us during your application for admission and information we acquire or generate upon enrolment and during the course of your stay with DLSBI.
The following personal information are processed:
What information do we collect/process?
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Collection:
How do we collect the data?
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Use:
What is the purpose/use of the collection/processing?
The information you provide is used for:
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
We also use the information gathered from you for systems administration purposes and abuse prevention.
Your personal information is accessed and used by:
Who will have access to the data?
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Who do we share the data with?
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
DLSBI use and share your information as permitted or required by law to pursue the Organization’s legitimate interests as an educational Organization, including a variety of academic, aid, advancement, administrative, historical, and statistical purposes.
Information Protection
DLSBI shall store the data collected in the respective repository as declared in their Data Processing Systems.
DLSBI shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data which we collected.
DLSBI has reasonable organizational, physical and technical security measures in place to help protect against the loss, misuse, and alteration of the information under our control. However, no method of transmission over the Internet or method of electronic storage is 100% secure.
Retention Period
DLSBI shall only retain the said personal information until it serves the purpose. It is collected and processed, after which it shall be securely disposed of.
You may request access to your personal information, and/or have it corrected, erased or blocked on reasonable grounds. DLSBI will consider the request and reserves the right to deal with the matter in accordance with law.
Amendment/Modification of Data Privacy Policies
DLSBI reserves the right to modify/amend this notice at any time in its sole discretion. The modification shall take effect immediately upon publishing.
Queries and complaints can be directed to the Data Protection Officer via email at dpo@delasalle.ph
Annex B
Data Processing System
Click the link to view the Google Sheet: https://docs.google.com/spreadsheets/d/1L9ySHSTEkTDPWc4pFq8eHKB7gL0bf91RrZb7W1DmIy8/edit?gid=0#gid=0
Annex C
DLSBI Privacy Impact Assessment
Click the link to view the Google Sheet: https://docs.google.com/spreadsheets/d/1BGZTdGil2LvcZKkMUERaq4VClM0wbHiG13nB0ZnCWgo/edit?gid=0#gid=0
Annex D
DATA PRIVACY SECURITY INCIDENT REPORTING FORM
This document ensures that in the event of a data privacy security incident. All needed information is gathered to understand the impact of the incident and what must be done to reduce any risk to data subject and/or the Organization’s data and information.
The checklist can be accomplished by an individual with knowledge of the incident. It will also require the review by the Organization’s Data Protection Officer who will determine the implications of the Data Privacy Act of 2012, its Implementing Rules and Regulations and/or relevant order and other guidelines issued by the National Privacy Commission and address changes required to the existing processes.
DATA PRIVACY NOTICE
DLSBI respects one’s rights to data privacy. Any personal data that is provided will only be used in line with the investigation of this incident and other legitimate purposes. This includes contact information should there be a need for clarifications or additional information. All collected data will be kept secure and confidential, unless otherwise authorized by law. They will be disposed of as soon as it has served its purpose. Aggregated or anonymized data may be retained for statistical or research purposes.
If there are questions or clarifications relating to privacy and data protection, you may contact the Organization’s data protection officer at dpo@delasalle.ph
Reported by:
________________________________
Name and Signature
Noted by:
________________________________
Name and Signature of Department Head
Department/Unit:
________________________________
Date:
________________________________
Summary of the Incident
Date and Time of the Incident
Date Reported
How many individuals or records are involved?
Department/Center/Office
Nature of the breach:
Confidentiality/Integrity/Availability
This should be as detailed as possible (e.g.
unauthorized access/processing)
Description of how the breach happened
<brief description of the incident>
Timeline
Provide a comprehensive account of the incident.
List down the relevant events in a chronological order, starting from the time the issue was discovered until it was mitigated or resolved, if so.
Date
Time
Particulars
Personal Data Involved
Personal Information
Sensitive Personal Information
Reporting
Were there any controls in place?
(e.g. encryption, etc.)
Who detected the breach?
When was the breach isolated?
Initial Assessment
Does it involve sensitive personal information or any
other data that may be used to commit identity
fraud?
☐ Yes
☐ No
☐
Uncertain
Is there reason to believe that the data has been
acquired by an unauthorized person?
☐ Yes
☐ No
☐
Uncertain
Is there a real risk of serious harm to the affected
individual/s?
☐ Yes
☐ No
☐
Uncertain
What are the immediate consequences of the incident on the affected individual/s? (if known)
Were there security measures in place to
help avoid the incident or mitigate its negative impact? If yes, please describe.
Remedial Measures Taken
Measure
Application
Date (of implementation)
What have you done to secure, recover, remove, or delete the personal data (if applicable)?
What have you done to help mitigate the harm, damage, distress or negative consequences caused by the incident on the affected individuals?
What have you done to inform the affected individuals? Indicate the reason if there was delay, or no notification.
What have you done to provide assistance to affected individuals?
What have you done to prevent or avoid similar incidents in the future?
Impact
What are the potential adverse consequences for Beneficiaries/Scholars, personnels, third parties, or DLSBI?
What processes/systems are affected and how? (e.g. website taken off line, access to data base restricted, etc.)
Have you received a formal complaint from any individual affected by this incident/breach? If so, provide details.
Management
What further action has been taken to minimize the possibility of a repeat of such an incident?
Assessment (to be accomplished by Data Protection Officer)
Recommendation:
REFERENCES
LAWS:
Republic Act 10173, Data Privacy Act of 2012
Implementing Rules and Regulations of the Data Privacy Act of 2012
NPC Circular 16-03 – Personal Data Breach Management
URL GENERAL WEBSITE ARTICLE WITHOUT AUTHOR)
https://www.lsgh.edu.ph/data-privacy-policy/
https://www.ed.ac.uk/records-management/policy/data-protection
https://www.nottingham.ac.uk/governance/records-and-information-management/dataprotection/data-protection-policy.aspx
https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design
