La Consolacion College Bacolod
Data Privacy Office
La Consolacion College Bacolod (“us”, “we”, or “our”) operates the https://www.lcc.edu.ph website (the “Service”) By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from https://www.lcc.edu.ph. In general, our website only provides information necessary for public use. If you are an employee or student of LCCB, you may be accessing third party links posted on our website which are also part of our services but are being maintained by third-party vendors such as School Automate or Google Workspace for Education.
Information We Collect
We collect several different types of information for various purposes to provide and improve our Service to you. When you visit our website, we collect the following information automatically through website plugins and server we use:
- Internet Protocol Address
- Type of Operating System used
- Type of Browser and version used
- Device platform
- Time zone setting of your device
- Location
- The pages of our Service that you visit
- Time and date of your visit
- Unique device identifiers and diagnostic data
Use of Cookies
Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
- Security Cookies. We use Security Cookies for security purposes.
Purpose of Collection
We use the collected data for various purpose(s):
- To provide and maintain the Service
- To notify you about changes to our Service
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide analysis or valuable information so that we can improve the Service
- To monitor the usage of the Service
- To detect, prevent and address technical issues
Transfer of Data
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
If you are located outside Philippines and choose to provide information to us, please note that we transfer the data, including Personal Data, to Philippines and process it there.
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
LCCB will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Your Rights as the Data Subject
La Consolacion College Bacolod valued your privacy highly in pursuant to our legitimate purpose of being an academic institution. You may change or ask us to remove your data to be modified or completely deleted from our Service.
La Consolacion College Bacolod (LCCB) respects the right to privacy and confidentiality of all her stakeholders. Thus LCCB Data Privacy Office (LCCB-DPO) was formalized in compliance with the REPUBLIC ACT NO. 10173 otherwise known as the Data Privacy Act, its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission (NPC). LCCB-DPO will be an institutional office responsible for keeping the privacy and confidentiality of personal information of the students, personnel, alumni and all other stakeholders. It also ensures that any processes performed upon personal information are in compliance with the data privacy laws and regulation and to prevent legal, financial and operational risks. The office also provides support through formulating, training, implementing and evaluating policies to safeguard personal information.
This Section shall inform you of the LCCB’s data protection and security measures, and may serve as your guide in exercising your rights under the DPA.
Contact Us
Ms. Razel S. Valdez – Data Privacy Officer
Data Privacy Office
dataprivacy@lccbonline.edu.ph
(034) 434-9661 to 64 local 223
2/F Mother Rita Building
Corner Galo-Gatuslao Streets,
Bacolod City, Philippines 6100
Under RA10173, people whose personal information is collected, stored, and processed are called data subjects. Organizations who deal with personal details, whereabouts, and preferences are dutybound to observe and respect data privacy rights.
In instance that personal data has been misused, maliciously disclosed, or improperly disposed, or if any of the rights discussed here have been violated, the data subject has a right to file a complaint.
THE RIGHT TO BE INFORMED
Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law. Information controllers usually solicit your consent through a consent form. Aside from protecting you against unfair means of personal data collection, this right also requires personal information controllers (PICs) to notify you if your data have been compromised, in a timely manner.
As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.
The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.
Take note of this:
To protect your privacy, the Philippine data privacy law explicitly requires organizations to notify and furnish you the following information before they enter your personal data into any processing system (or at the next practical opportunity at least):
- Description of the personal data to be entered into the system
- Exact Purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)
- Basis for processing, especially when it is not based on your consent
- Scope and method of the personal data processing
- Recipients, to whom your data may be disclosed
- Methods used for automated access by the recipient, and its expected consequences for you as a data subject
- Identity and contact details of the personal information controller
- The duration for which your data will be kept
- You also have to be informed of the existence of your rights as a data subject.
THE RIGHT TO ACCESS
This is your right to find out whether an organization holds any personal data about you and if so, gain ―reasonable access‖ to them. Through this right, you may also ask them to provide you with a written description of the kind of information they have about you as well as their purpose/s for holding them.
Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.
- You may demand to access the following:
- The contents of your personal data that were processed.
- The sources from which they were obtained.
- Names and addresses of the recipients of your data.
- Manner by which they were processed.
- Reasons for disclosure to recipients, if there were any.
- Information on automated systems where your data is or may be available, and how it may affect you.
- Date when your data was last accessed and modified
- The identity and address of the personal information controller.
How to Exercise your Right to Access
You must execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written request. Be prepared to provide evidence of your identity, which the DPO should require of you to make sure that personal information is not given to the wrong person.
If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC. Before doing so, however, we recommend that you inform the organization and it’s DPO of your intention to formally complain to the NPC. They might be able to the opportunity to apologize, better explain their position, or reconsider your request.
Additional Notes
Some exceptions may disallow the exercise of an individual’s right to access. This is to balance the right to privacy of an individual versus the needs of civil society. Here are some examples; (1) A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation. (2) You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such communication is subject to legal privilege in court. (3) Your right to access your own medical and psychological data may be denied you in the rare instance where is is deemed that your health and well-being might be negatively affected.
THE RIGHT TO OBJECT
You can exercise your right to object if the personal data processing involved is based on consent or on legitimate interest. When you object or withhold your consent, the PIC should no longer process the personal data, unless the processing is pursuant to a subpoena, for obvious purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.
In case there is any change or amendment to the information previously given to you, you should be notified and given an opportunity to withhold consent.
THE RIGHT TO ERASURE OR BLOCKING
Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of the following:
- Your personal data is incomplete, outdated, false, or unlawfully obtained.
- It is being used for purposes you did not authorize.
- The data is no longer necessary for the purposes for which they were collected.
- You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
- The data concerns information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by court of law)
- The processing is unlawful.
- The personal information controller, or the personal information processor, violated your rights as data subject.
How to Exercise your Right to Erasure or Blocking
Execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to erasure under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.
THE RIGHT TO DAMAGES
You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.
How to Exercise your Right to Damages
Write or speak to the organization which mishandled your personal information to see if you can reach an agreement and claim compensation. If you feel that your concern has not been satisfactorily addressed, you should write to the organization and inform them of your intent to take the matter to the court, before you start court proceedings. Talk to a legal adviser if you want to make a claim in court.
The NPC has no role in dealing with compensation claims. But you may request us to assess if the organization mishandled your personal data and broke the DPA. You can give a copy of the NPC’s letter to the court along with the evidence to prove your claim. This, however, does not guarantee that the judge will fully agree with NPC’s view. You may also require someone from the NPC to give expert evidence which will only be allowed if the judge orders it. The party calling the witness will have to shoulder the corresponding cost.
THE RIGHT TO FILE A COMPLAINT WITH THE NPC
If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.
Who may complain?
Under Section 3, the following can file a complaint:
1) The National Privacy Commission (NPC), on its own initiative;
2) Those who have suffered a data privacy violation or personal data breach; and
3) Persons who are personally affected by a violation of the Data Privacy Act of 2012 (Republic Act No. 10173).
Persons who are the subject of the data privacy violation or personal data breach may appoint a duly authorized representative to prosecute the complaint on their behalf.
Those who are not personally affected by a data privacy violation or personal data breach may: (a) request for an advisory opinion on data protection matters; or (b) inform the NPC of a data protection concern.
The NPC may monitor the subject organization or take such further action as may be necessary.
Those who wish to file a complaint must comply with the rule of exhaustion of remedies. This rule means that in filing the complaint, a complainant must be able to show that there was an opportunity offered in good faith to have the respondent comply with any legal obligations involving data protection and privacy.
How to file a complaint?
Formal complaints are made by filing a complaint-affidavit, together with copies of any evidence and affidavits of any witnesses at any NPC office.
Complaints can also be made by electronic filing, by: (a) attaching these documents in a specific e-mail sent to complaints@privacy.gov.ph; or (b) submitting a portable electronic data storage device to any NPC office.
Electronic documents must digitally signed in and in .PDF format (if practicable), on page sizes compliant with the Efficient Use of Paper Rule. If submitted in this digital format, the NPC may charge fees for printing.
If submitting through a portable electronic data storage device, similar portable data storage devices containing the same files must also be given to any opposing party so named. One portable data storage device is equivalent to one copy.
If the portable data storage device is infected with malware, the documents will not be considered as having been filed.
How does the NPC deal with complaints?
Once a complaint has been filed, an investigating officer will conduct the proceedings. The investigating officer shall evaluate the complaint to determine whether its allegations involve a violation of the Data Privacy Act or related issuances and if based on its allegations, there is reason to believe that there is a privacy violation or personal data breach.
The investigating officer shall then recommend to the Commission whether the complaint shall be:
(a) dismissed outright for want of palpable merit;
(b) referred to the respondent for comment and/or subject to discovery proceedings;
(c) subject to further monitoring or investigation;
(d) treated as a request for an advisory opinion; or
(e) endorsed to the proper government agency with jurisdiction over the complaint.
The Commission may dismiss outright any complaint on the following grounds:
1) The complainant did not give the respondent an opportunity to address the complaint, unless failure to do so is justified;
2) The complaint is not a violation of the Data Privacy Act or does not involve a privacy violation or personal data breach;
3) The complaint is filed beyond the period for filing; or
4) There is insufficient information to substantiate the allegations in the complaint or the parties cannot be identified or traced.
How long does it take the NPC to act on a complaint?
If the subject of the complaint is a data breach that the private information controller must report to the NPC, the NPC may already be acting on the matter before you even file the complaint.
From the time complaints are received, the Complaints and Investigation Division, through its Investigating Officers, shall conduct initial evaluations on complaints so received within a reasonable time. Feedback may be expected within a few working days.
From here, the entire process, up to final adjudication, should take four to six months.
If there is a request to have the NPC issue a temporary stop processing order so as to enjoin the processing of any data, the NPC may issue an Order, after due hearing and the payment of the proper bond. This process can happen from one to two weeks after the filing of this request.
What happens when my complaint is upheld?
If your complaint is upheld, the case records will be brought to the Enforcement Division of the Legal and Enforcement Office, NPC for the enforcement of civil damages, fines, and other administrative sanctions, when appropriate.
If the NPC decides that the filing of criminal charges is warranted against certain individuals following the filing and processing of a complaint, the NPC will forward the case record to the Department of Justice and recommend their prosecution.
What happens when my complaint is dismissed?
If your complaint is dismissed, and it involves a violation of any other cybercrime law, the NPC will forward your complaint to the appropriate law enforcement agency.
If the complaint is not upheld for lack of jurisdiction, and jurisdiction properly belongs to the dispute settlement mechanism of another government agency, the NPC will indorse your complaint to that agency for the conduct of further proceedings.
If the complaint is dismissed for lack of merit, you may file a Motion for Reconsideration. Please state the grounds for the mistakes of fact or law that may be present in the NPC’s decision.
In any event, any Decision made on a complaint may be appealed by any aggrieved party by way of appeal to the Court of Appeals, within the proper period.
THE RIGHT THE RIGHT TO RECTIFY
You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) hold about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should ensure that your access and receipt of both new and retracted information. PICs should also furnish third parties with said information, should you request it.
How to Exercise your Right to Rectify
If the organization does not yet have rectification, you must execute a written a system or form for data request to the organization addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to object under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.
Some organizations already have their system or form for data rectification. For instance, the Social Security System (SSS) only requires their members to accomplish SSS Form E-4 or the Member Data Change Request Form and submit with it the supporting documents. The needed supporting documents vary depending on the personal data that you want corrected (i.e. for correction of name and birthdate – PSA/NSO-authenticated birth certificate or valid passport, for correction of name due to naturalization – Certificate of Naturalization issued by the Philippine Department of Foreign Affairs, identification certificate issued by the Philippine Bureau of Immigration, and any foreign government- issued ID cards and/or documents showing the new name).
THE RIGHT TO DATA PORTABILITY
This right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and organizations, according to your preference. This is important especially now that several organizations and services can reuse the same data.
Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.
How to Exercise your Right to Data Portability
Various online platforms have been making data portability an available and instant option for its users. For instance, Facebook enabled its users to readily download all their personal content and information, including wall posts, status updates, photos, videos, and conversation threads. Currently, users will just have to click at the top right of any Facebook page and select ―Settings, then click ―Download a copy of your Facebook data at the bottom of ―General Account Settings‖, and click ―Start My Archive. Google has a similar feature that readily allows its users to create an archive to keep for their personal record or for use in another service.
In case the personal information controller concerned does not yet have an online data portability feature, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to data portability under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.
TRANSMISSIBILITY OF DATA SUBJECT RIGHTS
Just like any physical property, such as real estate, you can assign your rights as a data subject to your legal assignee or lawful heir. Similarly, you may assert another person’s rights as a data subject, provided he or she authorized you as a ―legal assignee‖.
You may also invoke another person’s data privacy rights after his or her death if you are his or her legal heir. This same principle applies to parents of minors, or their legal guardian, who are responsible for asserting their rights on their behalf.
This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical research.
The Practical Need For Transmissibility
An individual’s personal data lives on even after his death. As such, they could still be subject to privacy violations whether intentional or otherwise. The Data Privacy Act of 2012 included this provision to protect their privacy rights through a living person willing to assume the responsibility on their behalf. The transmissibility of data privacy rights has been extended to living adults who are unable to protect their own rights and wish to assign the responsibility to someone else.
How to Execute
Data subjects who are alive but incapacitated, for some reason unable to to assert their own personal privacy rights and wish to authorize a ―legal assignee‖ to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney.
In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care.
LIMITATIONS ON RIGHTS
The provisions of the law regarding transmissibility of rights and the right to data portability will not apply if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the data subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only for the declared purpose.
They will not also apply to the processing of personal data gathered for investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject should only be to the minimum extent necessary to achieve the purpose of said research or investigation.
LCCB Data Privacy Office
COLLECTION OF DATA
The term personal data or personal information‖ includes the concepts of personal information, sensitive personal information, and privileged information.
PERSONAL INFORMATION
is any information which can be linked to your identity, thus making you readily identifiable like name, contact number, house address, email address, birthdate, age.
SENSITIVE PERSONAL INFORMATION
are those:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education such as grades, year level, section and course, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
PRIVILEGED INFORMATION
refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
DATA COLLECTION PROCESS
Personal Data are collected mainly directly from the applicant; from the ones they have indicated on the application form, the documents/records submitted upon admission, other additional information are collected or generated after enrolment and during the course of stay in LCCB. Indirectly collected data are the ones sent to or received by LCCB even without prior request. In such cases, LCCB will determine if there is a need to legitimately keep such information. If it is not related to any of the institutions’ legitimate interests, LCCB will immediately dispose the information in a way that will safeguard privacy through permanent deletion for electronic data and shredding for paper formats. Otherwise, it will be treated in the same manner as information provide to LCCB. In the event that personal data of other individuals were provided like person to contact in the event of an emergency, a certification will be required to certify that consent of such individuals were obtained before providing us with their personal data.
USE OF DATA
Personal data will be used but not limited to recording, generating, evaluating, maintaining, storing and recognizing academic, co-curricular, and extra-curricular performance to the extent permitted or required by law. Moreover, your personal data will be used to pursue LCCB’s legitimate interests as an educational institution, including a variety of academic, administrative, research, historical, statistical, marketing and advertising purposes.
STORAGE, ACCESS, RETENTION & DESTRUCTION OF DATA
Personal data is stored and transmitted securely in a variety of paper and electronic formats, including databases that are shared between the school’s different units or offices. Access to personal data is limited to school personnel who have a legitimate interest in them for the purpose of carrying out their contractual duties. Rest assured that the use of personal data will not be excessive.
Unless otherwise provided by law or by appropriate school policies, we will retain relevant personal data indefinitely for historical and statistical purposes. Where a retention period is provided by law and/or a school policy, all affected records will be securely disposed of after such period.
DISCLOSURE & SHARING OF DATA
All employees and personnel of La Consolacion College Bacolod shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after graduation, transfer, resignation, termination of contract, or other contractual relations. Personal data under the custody of the LCCB shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
Researchers, Third Party Organizations such as scholarship organizations, school’s authorized insurance companies and alike are to process and submit a data sharing agreement (see Forms at Downloadable Forms Section) duly signed and notarized by both parties.
LCCB Data Privacy Office
La Consolacion College Bacolod implements reasonable and appropriate physical, technical and organizational measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
ORGANIZATION SECURITY MEASURES
Every personal information controller and personal information processor must also consider the human aspect of data protection. The provisions under this section shall include the following:
1. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
LCCB’s designated Data Protection Officer is Razel S. Valdez, who is concurrently serving as the Mulltimedia Artist of the institution. Each office and department have assigned a Compliance Officer for Privacy
2. Functions of the DPO, COP and/or any other responsible personnel with similar functions
The Data Protection Officer shall oversee the compliance of the institution with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure by holding quarterly meetings or when the need arises.
3. Conduct of trainings or seminars to keep personnel, especially the Compliance Officer for Privacy (COP) updated vis-à-vis developments in data privacy and security.
LCCB shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, LCCB Human Resource Office shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary
4. Conduct of Privacy Impact Assessment (PIA)
The Compliance Officer for Privacy (COP) shall conduct an in-office Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data in a monthly basis or when the need arises. Reports of the assessments are to be submitted to the DPO. The Data Privacy Office may choose to outsource the conduct a PIA to a third party.
5. Recording and documentation of activities carried out by the DPO, COP or the institution itself, to ensure compliance with the DPA, its IRR and other relevant policies.
La Consolacion College Bacolod shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
6. Duty of Confidentiality
All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
7. Review of Privacy Manual
This Manual shall be reviewed and evaluated annually or when the need arises. Privacy and security policies and practices within the institution shall be updated to remain consistent with current data privacy best practices.
PHYSICAL SECURITY MEASURES
This portion features the procedures intended to monitor and limit access to the facility containing the personal data, including the activities therein. It shall provide for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and means of retention and disposal of data, among others. To ensure that mechanical destruction, tampering and alteration of personal data under the custody of the organization are protected from man-made disasters, power disturbances, external access, and other similar threats.
1. Format of data to be collected
Personal data in the custody of the institution may be in digital/electronic format and paper-based or physical format.
2. Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room)
All personal data being processed by the institution are stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by LCCB.
3. Access procedure of school personnel
Only authorized personnel shall be allowed inside the data room. For this purpose, keys are kept in the cloiseter and only the COPs has a duplicate to the room. Non-DPO staff or COPs may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof. A logbook is provided to record all actions/transactions.
4. Monitoring and limitation of access to room or facility
All personnel authorized to enter and access the data room or facility must fill out and register in a logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access.
5. Design of office space/work station
The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
6. Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data.
7. Data sharing within the institution, or to third parties
Data sharing requires memorandum of agreement (MOA) between parties to ensure security. Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data. Other data transferring process must be described in detail in the MOA.
8. Retention and disposal procedure
LCCB shall retain relevant personal data indefinitely for historical and statistical purposes. Where a retention period of 5-year period for those stakeholders that are no longer directly connected to the institution. All affected records will be securely disposed of after such period.
TECHNICAL SECURITY MEASURES
Each personal information controller and personal information processor must implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the health/medical records, the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
1. Monitoring for security breaches
LCCB uses Sophos Cybersecurity an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system. COPs of each office are to conduct impact assessment using the tool provided for privacy impact assessment.
2. Security features of the actions used
LCCB Management Information System Head shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
3. Process for regularly testing, assessment and evaluation of effectiveness of security measures
LCCB data privacy officer and COPs shall review security policies, conduct vulnerability assessments and perform penetration testing within the institution on regular schedule to be prescribed by the appropriate department or unit.
4. Other technical security measures that control and limit access to personal data
Each personnel with access to personal data were provided with unique access permissions using a secure encrypted link and multi-level authentication depending on their work functions.
LCCB Data Privacy Office
Every LCCB personal information controller or personal information processor must develop and implement policies and procedures for the management of a personal data breach, including security incidents. This section adequately describes such policies and procedures.
1. Creation of a Data Breach Response Team
LCCB’s Data Breach Response Team comprising of six (6) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach. Team members shall be the Data Privacy Officer, Coordinator for Student Affairs, Head of Management Information System, Vice President for Personnel and Ancillary Services, Vice President for Finance and School President.
2. Measures to prevent and minimize occurrence of breach and security incidents
LCCB shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
3. Procedure for recovery and restoration of personal data
LCCB shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4. Notification protocol
The COP shall investigate the incident by (1) calling the attention of the persons involved, separately. And notifying the DPO of the incident. (2) A written explanation is required from both parties to be supplied within 8 hours. (3) holding a conference with the persons involved. (4) Escalate the concern to the Data Privacy Officer and/or Data Breach Response Team.
The Head of the Data Breach Response Team shall inform the administration of the need to notify the NPC and the data subjects affected by the incident or breach within 48 hour period prescribed by law. Administration may decide to delegate the actual notification to the head of the Data Breach Response Team.
5. Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to administration and the NPC, within the prescribed period.
LCCB Data Privacy Office
Every data subject has the right to reasonable access to his or her personal data being processed by the personal information controller or personal information processor. Other available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. Accordingly, there must be a procedure for inquiries and complaints that will specify the means through which concerns, documents, or forms submitted to the organization shall be received and acted upon. Complaints shall be filed in three (3) printed copies, or sent to dataprivacy@lccbonline.edu.ph. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
Who May Complain
The following can file a complaint:
- The LCCB Data Privacy Commission (LCCB-DPC), on its own initiative;
- Those who have suffered a data privacy violation or personal data breach; and Persons who are personally affected by a violation of the Data Privacy Act of 2012 (Republic Act No. 10173).
- Persons who are the subject of the data privacy violation or personal data breach may appoint a duly authorized representative to prosecute the complaint on their behalf
Those who are not personally affected by a data privacy violation or personal data breach may: (a) request for an advisory opinion on data protection matters; or (b) inform the LCCB-DPC of a data protection concern.
The LCCB-DPC may monitor the subject organization or take such further action as may be necessary.
Those who wish to file a complaint must comply with the rule of exhaustion of remedies. This rule means that in filing the complaint, a complainant must be able to show that there was an opportunity offered in good faith to have the respondent comply with any legal obligations involving data protection and privacy.
How To File A Complaint
Formal complaints are made by filing a complaint-affidavit, together with copies of any evidence and affidavits of any witnesses at the Data Privacy office.
How To Deal With Complaints
Once a complaint has been filed, an investigating officer will conduct the proceedings. The investigating officer shall evaluate the complaint to determine whether its allegations involve a violation of the Data Privacy Act or related issuances and if based on its allegations, there is reason to believe that there is a privacy violation or personal data breach.
The investigating officer shall then recommend to the LCCB-DPC whether the complaint shall be:
(a) dismissed outright for want of palpable merit;
(b) referred to the respondent for comment and/or subject to discovery proceedings;
(c) subject to further monitoring or investigation;
(d) treated as a request for an advisory opinion; or
(e) indorsed to the proper government agency with jurisdiction over the complaint.
The LCCB-DPC may dismiss outright any complaint on the following grounds:
The complainant did not give the respondent an opportunity to address the complaint, unless failure to do so is justified;
The complaint is not a violation of the Data Privacy Act or does not involve a privacy violation or personal data breach;
The complaint is filed beyond the period for filing; or There is insufficient information to substantiate the allegations in the complaint or the parties cannot be identified or traced.
How long does it take the LCCB-DPC to act on a complaint?
Depending on the category of complaint, processing may take a minimum of an hour to one (1) month.
If the subject of the complaint is a data breach that the private information controller must report to the LCCB-DPC, the LCCB-DPC may already be acting on the matter before you even file the complaint.
From the time complaints are received, the Complaints and Investigation Division, through its Investigating Officers, shall conduct initial evaluations on complaints so received within a reasonable time. Feedback may be expected within a few working days.
From here, the entire process, up to final adjudication, should take four to six months.
If there is a request to have the LCCB-DPC issue a temporary stop processing order so as to enjoin the processing of any data, the LCCB-DPC may issue an Order, after due hearing and the payment of the proper bond. This process can happen from one to two weeks after the filing of this request.
What happens when complaint is upheld?
If complaint is upheld, the case records will be brought to the Enforcement Division of the Legal and Enforcement Office, NPC for the enforcement of civil damages, fines, and other administrative sanctions, when appropriate.
If the NPC decides that the filing of criminal charges is warranted against certain individuals following the filing and processing of a complaint, the NPC will forward the case record to the Department of Justice and recommend their prosecution.
What happens when complaint is dismissed?
If complaint is dismissed, and it involves a violation of any other cybercrime law, the NPC will forward your complaint to the appropriate law enforcement agency.
If the complaint is not upheld for lack of jurisdiction, and jurisdiction properly belongs to the dispute settlement mechanism of another agency, the NPC will indorse your complaint to that agency for the conduct of further proceedings.
If the complaint is dismissed for lack of merit, you may file a Motion for Reconsideration. Please state the grounds for the mistakes of fact or law that may be present in the NPC’s decision.
In any event, any Decision made on a complaint may be appealed by any aggrieved party by way of appeal to the Court of Appeals, within the proper period.
LCCB Data Privacy Office
DOWNLOADABLE FORMS
Personal Information Rectification Form
Photo Video Promotional Release Form
Contact Us
Ms. Razel S. Valdez – Data Privacy Officer
Data Privacy Office
dataprivacy@lccbonline.edu.ph
(034) 434-9661 to 64 local 223
2/F Mother Rita Building
Corner Galo-Gatuslao Streets,
Bacolod City, Philippines 6100