Privacy Policy

The right to privacy is a fundamental human right. Acknowledging this, the Sultan Kudarat State University, endeavors to safeguard its stakeholders’ data privacy by adhering to data privacy principles and employing standard safety measures in the collection, processing, disclosure and retention of personal data in accordance with the Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations (IRR) and to issuances of the National Privacy Commission.

Who are covered by this Policy?

This Policy safeguards the privacy of all students, parents, guardians, faculty, visiting faculty, staff, contractual personnel, non-contractual personnel, retirees, applicant students, applicant faculty, applicant staff, researchers, research subjects, patients, clients, customers, alumni, donors, donees, contract counterparties, partners, subcontractors, outsources, licensors, licensees and other persons with a juridical link with the University whose personal information, sensitive personal information or privileged information (“Personal Data”) are processed by this University.

What personal data the University may collect and process?

The University collects and processes only the type and amount of data necessary to perform its core and auxiliary functions. As an institution composed of heterogeneous entities, the University may collect a variety of personal information in different contexts and for different specific purposes.

In general, among the common personal data the University may collect include:

  • Personal details such as name, birth, gender, civil status, nationality and affiliations;
  • Contact information such as home address, email address, mobile and telephone numbers;
  • Academic information such as grades, course and academic standing;
  • Employment information such as government or non-government identification number/card, position and functions;
  • Applicant information such as academic background and previous employments;
  • Medical information
  • Financial information
  • Images via CCTV and other similar recording devices
  • Internet Protocol (IP) addresses
  • Session Cookie data

The collecting, processing, saving and keeping of these data may be through written records, photographic and video images, digital materials, and even biometric records. Photographic and video images include official documentation of school activities, as well as security recordings taken within school premises/campus.

All personal data collection and processing can only be done when the University acquires the consent of the data subject, either explicitly or implicitly, after the latter has been informed of the nature and extent of data collection and processing.

In case we receive personal information more than what we need or requested, such data will be assessed if it can be legitimately kept. If it is related to any of our legitimate educational or corporate interests, we will treat these in the same manner as all personal information provided to us. If not, we will immediately dispose of the information in a way that will safeguard privacy or the privacy of the owner of the data, should the information belong to a third party.

Why does the University collect and process personal data?

The purpose of personal data collection and processing may vary from one University procedure (e.g., student admission, visitor entry, human resource management, etc.) to another. However, the general principle governing the University’s data collection process is legitimacy of purpose.

The University shall only collect and process data for legitimate purposes in consonance with its inherent functions and in compliance with legal requirements. These legitimate purposes may include, but may not be limited to, the following:

  • To verify students’ and employees’ identity;
  • To generate statistics and analytics useful for administrative decisions;
  • To strengthen security measures and facilitate investigations of reported violations;
  • To easily generate statutory reports;
  • For employee and human resources management purposes (as may be required by applicable laws);
  • For research purposes or endeavors contributing to the body of knowledge;
  • To comply with legal or regulatory obligations;
  • To establish, exercise or defend legal claims.

How does the University share or disclose personal data?

Utmost care and due diligence are practiced by the University in handling personal data.

The University shall never share or disclose data to third-parties without prior consent from the data subjects. Whenever disclosure of data is necessary and permitted, the University conscientiously reviews the privacy and security policies of the authorized third-party service providers or external partners. The University may also be required to disclose data in compliance with legal or regulatory obligations.

The University may share, disclose, or transfer personal data to other persons or organizations to fulfill contractual obligations to stakeholders, fulfill legal obligations, and pursue legitimate interests, as an educational institution. These include:

  1. Posting of e-mail addresses and other contact information in the online class lists;
  2. Sharing of academic progress, and co-curricular and extra-curricular activities, if any to parents/guardians;
  3. Sharing of information to government agencies, such as for Students -CHED, TESDA, and DepEd, and for employees – GSIS, BIR, LGUs as required by law;
  4. Sharing of information to service providers such as HMO and security agencies, as required by the corresponding service agreements;
  5. Sharing of academic progress, and co-curricular and extra-curricular activities to scholarship sponsors;
  6. Posting and publishing of significant researches/achievements/accomplishments;
  7. Sharing of activities and events to promote the school and its accomplishments.

Internal disclosure of personal data from one University entity to another shall be subjected to an institutionalized standard data request procedure. This ensures that data is transmitted through official channels and shared for legitimate purposes.

Regardless of the context of data disclosure, the University shall always practice the principle of data minimization which means that only the minimum amount of data needed to serve a particular purpose is shared to the requesting entity.

How does the University protect personal data?

The University shall employ necessary or reasonable safeguards in the form of physical, technological, logical and administrative controls. Internal access to stored personal data will be kept to a minimum number of authorized individuals and bounded by confidentiality agreements. These individuals are subjected to regular training for proper handling of information in accordance to the University’s data privacy policies and other related laws, regulations or issuances.

How long does the University retain personal data?

Personal data are retained only for as long as necessary to serve its declared purpose or comply with regulatory and legal requirements. Depending on the nature of data and purpose it serves, the retention period could range from days (e.g., CCTV recording) to years (e.g., student academic information). Specifically, scholastic and employment records shall be retained indefinitely for historical purposes. Other records shall only be retained for a period not more than five (5) years, unless otherwise provided by law or by institutional policies. Whenever retention becomes unnecessary, the University shall dispose of personal data in a secure and confidential means. Data in paper form shall be dispose of through paper shredding and any other similar means. While electronic data shall be permanently deleted in the University’s memory drives.

How the University Protects the Rights with Respect to Personal Data The University recognizes rights with respect to personal data. Data Privacy Rights are the following:

  • Right to be informed;
  • Right to object;
  • Right to access;
  • Right to rectify or correct erroneous data;
  • Right to erase or block;
  • Right to secure data portability;
  • Right to be indemnified for damages; and
  • Right to file a complaint.

The University shall provide access, consider requests for correction or erasure, and address objection to process data as it appears in the University’s official records, subject to applicable internal policies, relevant laws and regulation.

About Cookie Notice

This University Website uses cookies to render its services as efficient and user-friendly as possible. When visiting the website, a small amount of information is installed on the user’s device, in small files called “cookies” saved in the directory of the Web Browser used on the device. There are different types of cookies, but the main purpose of a cookie is to ensure the site operates more efficiently and to enable certain functions. These cookies help us make the website function properly, make the website more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.

Cookies are used to improve global navigation for users. In particular:

  • They make browsing from one page to another on the website much smoother.
  • They save the username and the indicated preferences.
  • They prevent the need for users to enter their personal data (such as user name and password) several times while on the website.
  • They measure the use of the services by users to optimise their browsing experience and the services themselves.
  • They present targeted advertising information based on the interests and behaviour of users whilst browsing the website.

The University Data Protection Officer

The SKSU Data Protection Officer, reporting to the University President, is tasked to protect the privacy of personal information to, in, and from University with the following functions:

  1. Comply with data privacy laws and regulations including implementing data protection measures, submitting regulatory requirements, and managing privacy incidents.
  2. Provide units of the University support services including formulating policies, training people, and conducting audits with remediation solutions.
  3. Prevent legal, financial, and operational risks by improving current and future forms, contracts, processes, and I.T. systems to secure against leakage of information.
  4. Develop in the University a culture of respect for privacy by formulating policies and establishing practices at par with domestic and international standards

For concerns and inquiries relating to the University Data Privacy Statement, please don’t hesitate to contact the University Data Privacy Officer (UDPO) through this email: dpo@sksu.edu.ph.