The handling of all student records, considered Sensitive Personal Information under the DPA, must adhere to the following principles:
Transparency: Data subjects (students) must be informed about the nature, purpose, and extent of the processing of their personal data.
Legitimate Purpose: Processing must be for a declared, specified, and legitimate purpose, and must not be incompatible with such purpose.
Proportionality: Personal data collected and processed must be adequate, relevant, and limited to what is necessary for the declared purpose.
These policies define the roles, responsibilities, and management framework for data protection.
Data Protection Officer (DPO): The University shall designate a DPO accountable for ensuring DPA compliance across all departments.
Data Handler Accountability: All designated data handlers—including the Registrar, Student Affairs Staff, Infirmary Staff, Admission Staff, AIMS Staff, Guidance Staff, Alumni Staff, Academic Affairs, College Secretaries, College Deans, Faculty, and HRD Staff—must undergo mandatory and regular DPA compliance training.
Confidentiality Agreement: All staff with access to student records must sign a Non-Disclosure/Confidentiality Agreement enforceable throughout and beyond their employment/service period.
Role-Based Access: Access to student records (both physical and digital) shall be strictly role-based and limited to personnel who have a "need-to-know" for a legitimate educational or administrative purpose.
Example: Infirmary Staff can access medical records but not financial records; Faculty can access class lists and grades for their enrolled students but not the student's complete guidance or alumni history.
Segregation of Duties: Access to critical functions (e.g., record amendment, data deletion, system administration) shall be segregated to prevent a single person from processing or altering a record without verification.
Audit Trails: All access, modification, and disclosure activities for both physical and digital records must be logged and regularly reviewed by the DPO or a designated security officer to detect unauthorized access or tampering.
Data Minimization: Only collect necessary personal and sensitive personal information.
Secure Disposal: Procedures for the secure disposal of physical records (e.g., shredding, burning) and digital records (e.g., secure wiping) must be implemented once the retention period has lapsed, as mandated by the DPA and L-NU's retention policy.
These safeguards protect records in non-digital formats and the physical location of digital assets.
Secured Storage (Steel Cabinets): Physical records (e.g., permanent record cards, folders, admission documents) must be stored in locked, fire-resistant steel cabinets within restricted-access offices (e.g., Registrar’s Vault).
Key Management: A strict key-management protocol shall be in place, limiting access to cabinet keys to authorized personnel only, with a secure log of key issuance and return.
Facility Security: Offices containing student records must be secured with locked doors and window bars, and monitored by CCTV. Access logs or sign-in sheets for visitors and non-department personnel are mandatory.
Clear Desk/Screen Policy: Employees must ensure that sensitive physical documents are stored securely (e.g., locked away) and digital systems are logged off or locked when they leave their workstations.
These procedures ensure the security of electronic records against unauthorized access and tampering.
Data-at-Rest Encryption: All student record files and databases, especially those containing Sensitive Personal Information (e.g., academic, health, financial data), must be protected using the Advanced Encryption Standard (AES) 256-bit encryption.
Data-in-Transit Encryption: All transmission of sensitive student data (e.g., over the network, via email, to external partners) must use secure protocols like SSL/TLS (Secure Sockets Layer/Transport Layer Security) with strong encryption standards.
Strong Authentication: Multi-Factor Authentication (MFA) shall be mandatory for all staff accessing the student information system. Passwords must be strong, complex, and changed regularly.
Anti-Tampering Measures: The student information system must have data integrity checks and use digital signatures/hashes for critical records to verify that a file has not been altered since its last authorized modification.
Secure Workstations: University-owned devices used to access student records must be secured with updated anti-malware software, firewalls, and regular security patching.
Network Security: Student record servers must be isolated from the public network and protected by robust network security measures, including intrusion detection systems and access control lists.
Data Backups: Secure, encrypted backups of digital student records must be performed regularly and stored offsite (or in a separate, secure location). A robust, tested recovery procedure must be in place to ensure data availability and integrity in case of system failure or malicious activity.
Breach Protocol: A clear protocol for handling a security incident or data breach must be established (use the breach reporting form on this website), including:
Containment and mitigation of the breach.
Assessment of the scope and impact.
Mandatory reporting of all notifiable breaches to the National Privacy Commission (NPC) within 72 hours of discovery, as required by the DPA.
Notification of the affected data subjects (students).
Post-incident review and system hardening.
Policy: Lyceum-Northwestern University recognizes social media as a powerful communication tool for engagement, learning, and promotion. This policy governs the use of social media platforms by all members of the L-NU community (students, faculty, administrators, and staff) to ensure professional conduct, protect institutional integrity, and strictly comply with the Data Privacy Act of 2012 (DPA) and other relevant laws and regulations.
Objectives:
To establish clear rules for official and personal social media use.
To safeguard the Personal Information and Sensitive Personal Information of all data subjects within the L-NU community.
To promote a responsible, ethical, and professional online presence.
To prevent online harassment, libel, and other legal violations, including those under the Safe Spaces Act (RA 11313).
II. Compliance with Data Privacy Act of 2012 (RA 10173)
The following principles from the DPA are paramount for all social media activities:
Lawful Basis and Consent:
No Personal Information (e.g., names, student ID numbers, contact details) or Sensitive Personal Information (e.g., race, health, religious affiliations, academic performance) of any individual shall be posted or shared on official or personal social media accounts without the explicit, written, or recorded consent of the data subject (or their parent/guardian, if a minor).
Consent must be freely given, specific, and informed, clearly stating the purpose and extent of the processing (e.g., posting a photo on the official Facebook page for an event).
Purpose Limitation: Personal data collected (e.g., photos or testimonials for university marketing) must only be used for the specific purpose for which the data subject consented.
Transparency and Security:
Individuals must be informed about what data is collected, why it is collected, and how it will be used before it is posted.
All L-NU controlled social media accounts must utilize strong passwords and two-factor authentication to prevent unauthorized access and data breaches.
Data Subject Rights: All members of the L-NU community have the right to access, object to, correct, and request the deletion of their personal data shared on L-NU's social media accounts, subject to legal limitations.
III. General Guidelines for Social Media and Public Postings
A. Official L-NU Accounts (Managed by designated personnel)
Authorization: Only the University Communications Officer and personnel specifically designated by the University President are authorized to create, manage, and post on official university accounts.
Content Standards: All posts must be factual, professional, and align with L-NU's vision and mission. All employees, faculty, and students of Lyceum-Northwestern University are entrusted with upholding the dignity, reputation, and core values of the institution. While exercising the right to freedom of expression on personal social media platforms, you must act with professionalism, respect, and discretion at all times.
Therefore, the following is mandated:
Protecting Institutional Integrity: All public postings, comments, or online activities must not, either directly or indirectly, undermine, malign, or unjustly damage the reputation and credibility of Lyceum-Northwestern University, its personnel, or its stakeholders.
Professional Conduct: Content that may be reasonably perceived as libelous, defamatory, discriminatory, or disruptive to the learning and working environment is strictly prohibited. Conduct that violates the Code of Ethics for Professional Teachers (for faculty) or the established Student/Employee Code of Conduct is a violation of this policy.
Consequence Awareness: Remember that your online actions, even on personal accounts, can be widely disseminated and reflect upon the University. Any posting that negatively impacts the public's trust in L-NU’s ability to function as a professional academic institution will be subject to disciplinary action.
Consent: Consent is secured prior to the posting of photos and other data.
Data Protection Vetting: Before posting any content that includes identifiable individuals (photos, videos, names, etc.), the designated social media personnel must verify that appropriate consent has been secured and documented.
Moderation: Official accounts must be actively monitored. Hateful, libelous, harassing, or privacy-violating comments must be hidden or deleted immediately.
B. Personal Accounts (Used by Students, Faculty, and Staff)
Professionalism and Reputation: While exercising freedom of expression, all L-NU personnel and students must remember that their actions online can reflect on the University. Avoid posting or sharing content that is obscene, defamatory, harassing, or threatens the safety and welfare of any member of the community.
Confidentiality: Do not share or disclose:
Confidential or proprietary L-NU information (e.g., non-public institutional documents, unreleased financial data, internal memos).
Non-public information about students, personnel, or research protected by the DPA, especially academic or medical records.
Use of Affiliation: When posting about L-NU on a personal account, a clear disclaimer should be used, such as: "The views expressed here are my own and do not necessarily represent the views of Lyceum-Northwestern University."
Interactions with Students/Minors (Faculty and Staff):
Limit social media contact with students to official, school-related purposes.
Maintain professional boundaries at all times. Personal and unnecessary private messaging is strictly prohibited.
Personnel in basic education (under DepEd jurisdiction) must adhere strictly to DepEd guidelines regarding student interaction and privacy, which often require parental/guardian consent for minor data use.
C. Prohibited Content and Conduct
Harassment and Bullying: Posting or sharing content that constitutes cyberbullying, gender-based online sexual harassment (RA 11313), discrimination, or hate speech against any person is strictly prohibited and subject to disciplinary action.
Misrepresentation: Impersonating other individuals, including L-NU officials, or creating unauthorized L-NU accounts is prohibited.
Intellectual Property and Copyright: Do not use copyrighted materials (text, images, music) on official accounts without proper authorization or citation.
IV. Violation and Disciplinary Action
Any violation of this Social Media Policy will be subject to disciplinary action in accordance with the established L-NU student policy manual, faculty manual, and employee handbook, as well as applicable laws (e.g., Data Privacy Act of 2012, Safe Spaces Act, Revised Penal Code). Sanctions may range from reprimand to suspension, or even termination of employment or expulsion, depending on the severity of the offense.
V. Work Instructions for Official Social Media Posting
These instructions are for the University Public Relations Office (PRO) or designated unit managing official L-NU social media platforms.