Policy: Lyceum-Northwestern University recognizes social media as a powerful communication tool for engagement, learning, and promotion. This policy governs the use of social media platforms by all members of the L-NU community (students, faculty, administrators, and staff) to ensure professional conduct, protect institutional integrity, and strictly comply with the Data Privacy Act of 2012 (DPA) and other relevant laws and regulations.
Objectives:
To establish clear rules for official and personal social media use.
To safeguard the Personal Information and Sensitive Personal Information of all data subjects within the L-NU community.
To promote a responsible, ethical, and professional online presence.
To prevent online harassment, libel, and other legal violations, including those under the Safe Spaces Act (RA 11313).
The following principles from the DPA are paramount for all social media activities:
Lawful Basis and Consent:
No Personal Information (e.g., names, student ID numbers, contact details) or Sensitive Personal Information (e.g., race, health, religious affiliations, academic performance) of any individual shall be posted or shared on official or personal social media accounts without the explicit, written, or recorded consent of the data subject (or their parent/guardian, if a minor).
Consent must be freely given, specific, and informed, clearly stating the purpose and extent of the processing (e.g., posting a photo on the official Facebook page for an event).
Purpose Limitation: Personal data collected (e.g., photos or testimonials for university marketing) must only be used for the specific purpose for which the data subject consented.
Transparency and Security:
Individuals must be informed about what data is collected, why it is collected, and how it will be used before it is posted.
All L-NU controlled social media accounts must utilize strong passwords and two-factor authentication to prevent unauthorized access and data breaches.
Data Subject Rights: All members of the L-NU community have the right to access, object to the processing of, correct, and request the deletion of their personal data shared on L-NU's social media accounts, subject to legal limitations.
A. Official L-NU Accounts (Managed by designated personnel)
Authorization: Only the University Communications Officer and personnel specifically designated by the Administration are authorized to create, manage, and post on official university accounts.
Content Standards: All posts must be factual, professional, and align with L-NU's vision and mission. Content must be clear, respectful, and free from misleading information.
Data Protection Vetting: Before posting any content that includes identifiable individuals (photos, videos, names, etc.), the designated social media personnel must verify that appropriate consent has been secured and documented.
Moderation: Official accounts must be actively monitored. Hateful, libelous, harassing, or privacy-violating comments must be hidden or deleted immediately.
B. Personal Accounts (Used by Students, Faculty, and Staff)
Professionalism and Reputation: While exercising freedom of expression, all L-NU personnel and students must remember that their actions online can reflect on the University. Avoid posting or sharing content that is obscene, defamatory, harassing, or threatens the safety and welfare of any member of the community.
Confidentiality: Do not share or disclose:
Confidential or proprietary L-NU information (e.g., non-public institutional documents, unreleased financial data, internal memos).
Non-public information about students, personnel, or research protected by the DPA, especially academic or medical records.
Use of Affiliation: When posting about L-NU on a personal account, a clear disclaimer should be used, such as: "The views expressed here are my own and do not necessarily represent the views of Lyceum-Northwestern University."
Interactions with Students/Minors (Faculty and Staff):
Limit social media contact with students to official, school-related purposes.
Maintain professional boundaries at all times. Personal and unnecessary private messaging is strictly prohibited.
Personnel in basic education (under DepEd jurisdiction) must adhere strictly to DepEd guidelines regarding student interaction and privacy, which often require parental/guardian consent for minor data use.
C. Prohibited Content and Conduct
Harassment and Bullying: Posting or sharing content that constitutes cyberbullying, gender-based online sexual harassment (RA 11313), discrimination, or hate speech against any person is strictly prohibited and subject to disciplinary action.
Misrepresentation: Impersonating other individuals, including L-NU officials, or creating unauthorized L-NU accounts is prohibited.
Intellectual Property and Copyright: Do not use copyrighted materials (text, images, music) on official accounts without proper authorization or citation.
Any violation of this Social Media Policy will be subject to disciplinary action in accordance with the established L-NU student policy manual, faculty manual, and employee handbook, as well as applicable laws (e.g., Data Privacy Act of 2012, Safe Spaces Act, Revised Penal Code). Sanctions may range from reprimand to suspension, or even termination of employment or expulsion, depending on the severity of the offense.
Item 8: Mandatory Registration and Audit Requirements for Official Digital Communications Platforms
A. Registration Mandate: All Colleges, Departments, Offices, and recognized University officials utilizing social media accounts, group chat applications, or any third-party digital communication platforms for the conduct of official University business (hereinafter referred to as "Official Digital Assets") shall be required to formally report and register these assets with the designated Data Protection Officer (DPO).
C. Compliance and Audit Protocol: To ensure continuous adherence to institutional policies and relevant statutory mandates, all registered Official Digital Assets shall be subject to routine and/or random monitoring and surveillance.
Mandatory Access: The administering party of every registered Official Digital Asset is hereby required to add the authorized representative of the DPO Monitoring and Surveillance Unit as an administrative member, auditor, or equivalent observer, ensuring unimpeded access.
Scope of Review: The DPO Monitoring and Surveillance Unit shall exercise its right to conduct periodic or random checking for potential non-compliance, specifically targeting violations pertaining to:
Data Privacy: Non-adherence to the University's Data Privacy Policy and national data protection laws.
Cyber-Harassment: Infringement of the University’s Anti-Cyberbullying Policy.
Legal Compliance: Breach of relevant national legislation, including the Safe Spaces Act (RA 11313) and policies concerning Child Protection (e.g., RA 7610 and related University codes).
University Policies: Violation of any standing University rules, regulations, and codes of conduct.
C. Sanctions: Failure to register Official Digital Assets as mandated, or refusal to grant the DPO Monitoring and Surveillance Unit the requisite access, shall constitute a breach of this Policy and shall subject the responsible College, Department, Office, or official to appropriate administrative disciplinary action.
C. Required Information: The mandatory registration report submitted to the DPO shall include, but not be limited to, the following particulars:
Category: Specific Requirement
I. Program/Subject: The specific academic program, course subject, administrative function, or official purpose the account is intended to serve.
II. Platform Identifier: The type of digital application or social media platform utilized (e.g., Facebook Group, Telegram Channel, WhatsApp Group).
III. Purpose of Deployment: Classification of the account's primary function (e.g., General Information Dissemination/Public Postings; Direct/Interactive Communication and Stakeholder Engagement).
IV. Member Scope/Jurisdiction: The defined constituency of users granted access (e.g., Students Only, Faculty Only, Students and Faculty, Specific College/Department Personnel, Parents and Students, External Stakeholders).
For the policy to be legal, the University (as the Personal Information Controller or PIC) must establish a lawful basis for processing (collecting, storing, and monitoring) the personal data found in these communication channels. The most applicable lawful bases are:
Contractual Necessity (Employment Contract): The policy can be justified as necessary for the performance of the University's contract with its faculty and staff. Using specific, designated communication platforms for official school-related duties is a reasonable and expected part of the employment obligation.
Legitimate Interests of the PIC: This is the strongest basis. The University has a legitimate interest in monitoring official communication channels to:
Protect Students (especially minors): Monitoring for anti-cyberbullying, Safe Spaces Act violations, or child protection issues is a paramount, non-commercial, and legitimate interest.
Prevent Data Privacy Breaches: Early detection of unauthorized disclosure of Sensitive Personal Information (SPI) (like grades, health records, or education records) protects the entire school community and helps the University comply with its legal obligation to secure data.
Protect Institutional Integrity: Ensuring all official communication is professional, compliant, and reflective of University standards.
B. Key Safeguard: Scope of Monitoring
The policy is legal only if the monitoring is limited to the platforms declared and used for official school-related communication.
Legal Scope: Monitoring the content of a Facebook Group named "College of Engineering - Grade 11 Class 2024", of which the DPO is a member for compliance purposes, is a legitimate audit function.
Illegal Scope (Violation): Requiring the DPO to have access to a faculty member's personal Facebook Messenger account or private Viber chats not designated for official use would be a likely violation of the individual's constitutional right to the privacy of communication and correspondence.
The policy must strictly adhere to the following principles:
Principle: Application of Policy
Transparency: Crucial. The University must clearly and explicitly inform faculty and staff, in writing, that all communication on these declared official channels will be subject to random monitoring by the DPO Unit for the stated purposes.
Legitimate Purpose: The purpose must be declared, specified, and not contrary to law. Your stated purpose—early detection of data privacy breaches, anti-cyberbullying, and Safe Spaces Act violations—is a highly legitimate and defensible purpose.
Proportionality: The most critical point. The monitoring must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose. The policy must clearly state that only communication related to school/official business on the registered platforms will be monitored. Personal, private accounts or communications used for purely non-official purposes must not be included.
D. Additional Items for Action:
Mandate the Use of Official Channels:
The University shall issue a directive that all school-related communication containing student or parent personal data must be conducted using only the DPO-registered Official Digital Assets (or the official Learning Management System/LMS). This reduces the risk of such data being exchanged over personal, unmonitored channels.
Explicit Consent/Notice (Workplace Expectation):
While Legitimate Interest can suffice, the University shall include a clause in the employment contract or a separate Data Privacy Consent/Notice Form for employees, explicitly detailing the requirement to register official channels and the DPO's right to monitor them. This establishes an informed expectation of privacy (or lack thereof) for the official channels.
DPO Protocol:
Monitoring shall be conducted as random, non-continuous auditing by the DPO Unit, limited only to verifying compliance. The DPO representative shall have a defined, limited role (e.g., "auditor" or "observer") that does not interfere with the official function of the group.
Data Minimization:
The DPO shall ensure that the policy mandates that any personal data of faculty or staff intercepted during monitoring that is irrelevant to the compliance check (i.e., purely private communication mistakenly sent to the official channel) is immediately disregarded and deleted or redacted from any audit report that is generated.