New Era University (‘NEU’) is the data controller and processor for all information collected as part of your use of this website, data processing systems and services of NEU (the ‘Service’). This page informs you (the ‘user’) of our policies regarding the collection, use, and disclosure of personal data when you use our Service. We use your data to provide and improve the Service. By using the website and other data processing systems of NEU, you voluntarily consent to and agree with the collection and use of your information in accordance with this policy along with the Data Privacy Policies of the University.
1.1. We collect several different types of information for various purposes to prove and improve our Service to you.
1.2. Personal Information. While using our website and other data processing system of NEU, you may be disclosing to NEU certain personally identifiable information that can be used to contact or identify you. (‘Personal data’). Personally identifiable information may include, but is not limited to:
Through Inquiry, application, or registration through the school provided portals, on-site or at the University’s premises and participation to the NEU’s activities:
1.2.1. Information about the applicant or student’s parents and guardians, their names, addresses, and contact details, to confirm the legal identity of the applicant or student and for communicating the latter’s academic progress, send information of school activities and services, and send important announcements.
1.2.2. Applicant or student’s name, address, date of birth, gender, picture, contact details, grades, attendance, punctuality records, and educational background for basic administration and instructional purposes, and to access the data processing systems of the University.
1.2.3. Health history and legal and disciplinary records of the applicant or student to address behavioral or performance difficulties of applicant/student and to comply with health and safety obligations of the University.
1.2.4. Billing and financial information for processing and evaluation of application to the University.
1.2.5. Other information to comply with the legal and statutory obligations of the University.
1.2.6. Videos and pictures may also be collected: (i) through the applicant/student’s participation in the University’s activities and services which may be displayed on the University’s website or on social media platforms or in the print media as part of the University’s services and for marketing purposes and/or (ii) for security purposes e.g. closed-circuit television (CCTV) camera installed within the University’s premises. Through the Website:
1.2.7. Cookies and Usage Data
1.2.8. We may also collect information on how the Service is accessed and used (‘Usage Data’). This Usage Data may include information such as your computer’s Internet Protocol address, (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
1.2.9. We use the collected data through the website to provide and maintain the service for the following reasons:
1.2.9.1. To notify you about changes to our service;
1.2.9.2. To allow you to participate in interactive features of our service when you choose to do so;
1.2.9.3. To provide customer care and support;
1.2.9.4. To provide analysis or valuable information so that we can improve the Service;
1.2.9.5. To monitor the usage of the Service;
1.2.9.6. To detect, prevent and address technical issues.
1.2.9.7. We also use third-party cookies to help us monitor traffic on our Sites (e.g. Google Analytics), to identify fraudulent or non-human traffic, to assist with market research, to improve site functionality, to monitor compliance with our terms and conditions and copyright policy.
1.2.9.8. We also use third party submission of ‘cookies-like’ and robotic crawl data to optimize search results in Google, Bing, and other search engines companies.
1.3. Collection of Personal Information. NEU collects your personal information in various ways:
1.3.1. When you provide us with this information upon application, enrollment, admission to the University, inquiry with the University Programs, and when signing up in our mailing list; or
1.3.2. Through a variety of built-in technologies, such as tracking and cookies data, application program interfaces, or use of a third-party application on our website;
1.3.3. We will only hold your personal information while it is necessary for the provision of our services to you, or that we have a valid reason to keep it. Valid reasons may include that we must keep it to avoid breaking the law.
2.1. We may share your data with other organizations that provide services on our behalf to operate the website and data processing systems of the University.
Examples of when we may share your data with service providers includes:
2.1.1. Internet and cloud hosting services providers, such as Amazon Web Services (AWS), Cloudfare, Bunny CDN, and other content-delivery networks, to help accommodate the traffic on the website without compromising the bandwidth;
2.1.2. Third-party webpage components and assets, such as Google Fonts, in order to style and design the website;
2.1.3. YouTube, given that we use their unbranded embedded player to provide video content on our websites and apps. The embedded player relies on the YouTube API. Which is a type of software that allows data to be communicated between our website and apps and the YouTube player;
2.1.4. Social Media Platforms, such as Facebook, Twitter, and Instagram, to make it easier to view and share the contents of the website; and
2.1.5. Third-party analytic services, such as Google Analytics, which send your session statistics, IP address, geolocation, and browser and device information, to optimize your experience of the website.
2.2. We may also share your data to others for some specific situations:
2.2.1. Publishing academic achievements which may include names and ratings achieved by student in the school bulletin boards, campus websites, and social media platforms;
2.2.2. Providing academic institutions, companies, government agencies, private or public corporations, or the like, upon request, with scholastic ranking information or certification of good moral character for purposes of transfer, admission and/or acceptance;
2.2.3. Sharing of personal information among the school’s officials in order to decide on disciplinary cases involving acts done within the University’s premises, acts affecting the University and other students;
2.2.4. Reporting and/or disclosing information to the National Privacy Commission, government bodies or agencies e.g. Commission on Higher Education, Department of Education, and other enforcement agencies;
2.2.5. Marketing or advertisement to promote the University, including its activities and events, through photos, videos, brochures, website, newspaper, and social media posting, and physical and electronic bulletin boards, and other media;
2.2.6. Live streaming of the University’s events and activities; and
2.2.7. Complying with court orders, subpoena and other legal obligations.
3.1. Definition of ‘Cookies.’ Cookies are small text files which a website may place on your computer or device when you visit a site. The cookie will help the website to recognize your device the next time you visit. Web beacons, pixels or other similar files can also do the same thing. We use the term ‘cookies’ in this policy to refer to all files that collect information in this way.
3.1.1. Internet and cloud hosting services providers, such as Amazon Web Services (AWS), Cloudfare, Bunny CDN, and other content-delivery networks, to help accommodate the traffic on the website without compromising the bandwidth;
3.1.2. Third-party webpage components and assets, such as Google Fonts, in order to style and design the website;
3.2. Examples of Cookies we use. We use, without limitation, the following types of cookies:
3.2.1. Session Cookies. We use Session Cookies to operate our Service.
3.2.2. Preference Cookies. We use Preference Cookies to remember your preferences and various settings. For example, we use the technology on our Sites, which records user movements, including page scrolling, clicks and text entered. This helps us to identify usability issues and improve the assistance we can provide to users and is also used for aggregated and statistical reporting purposes.
3.2.3. Security Cookies. We use Security Cookies for security purposes.
3.2.4. Third party cookies. These are cookies created by domains other than this website. For example, social media plugins that enable you to log in and share website materials on Facebook, Twitter, Instagram and the like will place cookies on your device.
4.1. We only process personal information where we have lawful basis for doing so. This includes, but is not limited to, the following:
4.1.1. User consent. This is where you have given us explicit permission to process personal information for a given purpose. For example, if you sign a consent form during enrollment and admission to the University, if you sign up to our mailing list e.g. giving us your contact details to send you the programs and services offered by the University or to send you materials in our website.
4.1.2. Legitimate organizational purposes. This is where we have a legitimate interest as an organization to process personal information. For example, where we are aware of copyright infringement on our Site, it is our legitimate interests to identify those responsible. We take due care to balance our interests against your right to privacy.
4.1.3. Legal obligation. This is where we have to process personal information in order to comply with the law. For example, we process and retain student’s access information to our data processing system to comply with data privacy regulations.
5.1. Legal requirements. We may disclose your Personal Data in good faith belief that such action is necessary to:
5.1.1. To comply with a legal obligation;
5.1.2. To protect and defend our rights or property;
5.1.3. To prevent or investigate possible wrongdoing in connection with our Service;
5.1.4. To protect the personal safety of users of the Service or the public; and
5.1.5. To protect against legal liability.
5.2. Security of Data Disclosed. The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
5.3. Service Providers. We may also employ third party companies and individuals to facilitate our Service (‘Service Providers’), to provide the Service on our behalf, to perform website and education-related services or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
6.1. Our Website may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.
6.2. NEU has no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
7.1. When visiting the website and filling out forms, you warrant and assure NEU that you are over the age of consent. If you are under the age of consent, you warrant and assure NEU that any personal information you provide has been provided under the consent and supervision of a parent or guardian.
7.2. We do not knowingly collect personally identifiable information from anyone under the age of consent without parental supervision. If you are a parent or guardian and you are aware that your children has provided us with Personal Data without your consent, please contact us.
8.1. Under data protection laws, you have rights as an individual in relation to the personal data we hold about you. These rights include:
8.1.1. Right to be informed;
8.1.2. Right to object;
8.1.3. Right to access;
8.1.4. Right to correct;
8.1.5. Right for erasure or blocking;
8.1.6. Right to file a complaint;
8.1.7. Right to damages;
8.1.8. Right to data portability
Further explanation about your rights, you can refer to the Data Privacy Act of 2012 available at https://privacy.gov.ph/data-privacy-act/.
8.2. You can exercise these rights by contacting us through the inquiries page on our website or through the contact details provided below.
9.1. All personal data collected as part of your use of our website, data processing system, and services are controlled and processed by NEU in its offices in the Philippines, located at:
Main Campus:
New Era University,
No. 9, Central Avenue, New Era, Quezon City
Branches:
New Era University Lipa City, Batangas
1795 P. Olam St. Marawoy, Lipa City, Batangas
New Era University City of San Fernando, Pampanga
Mc Arthur Highway, Brgy. Dela Paz Norte, San Fernando, Pampanga
New Era University General Santos City, South Cotabato
Aparente Ave., Purok Malakas, Brgy. San Isidro, General Santos City
New Era University Pinugay, Baras Rizal
E.G. Manalo St. Pinugay, Baras, Rizal
9.2. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer, acknowledging the presence of risks given the absence of any Standard Contractual Clauses, adequacy decisions, and similar privacy provisions.
9.3. NEU will take all steps it considers reasonable to ensure that your data is treated securely and in accordance with this Privacy Policy.
9.4. For the purposes of the Data Privacy Act of 2012 and concerns regarding your privacy rights, you may contact our Data Protection Officer through the following details:
The Data Protection Officer
Address: No. 9 Central Avenue, New Era, Quezon City, 1107, Metro Manila
Email Address: dpo@neu.edu.ph
This policy provides guidance, procedures, and actions to be taken in case of security or personal breach involving any data processing system of the University and/or personal data under its control and custody.
This policy is promulgated to:
● Provide a set of rules and regulations to govern the use of the technology resources, networks, and data processing systems of the New Era University.
● Secure and protect the personal information and sensitive personal information of the employees, students, and applicants.
● Secure the confidentiality, integrity, and availability of the information under the control and custody of the University.
● Guarantee compliance with the Data Privacy Act of 2012.
This policy governs all New Era University’s branches, academic units and administrative offices, personnel, and students.
For the purpose of this policy, the following terms are defined, as follows:
3.1. “Personal Data” refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
3.2. “Sensitive Personal Information” refers to personal information:
a. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, and
d. Specifically established by an executive order or an act of Congress to be kept classified.
3.3. “Data Processing System” refers to the structure and procedure by which personal data is collected and processed in an information and communications system, or any other relevant filing system. It includes the purpose and intended output of the processing (National Privacy Commission, op.cit.).
3.4. “Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
a. An availability breach resulting from loss, accidental or unlawful destruction of personal data;
b. Integrity breach resulting from alteration of personal data; and/or
c. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
3.5. “Data Processor” refers to the NEU personnel who process Personal Data pertaining to a Data Subject;
3.6. “University” refers to New Era University and all its branches.
3.7. “Data Subject” refers to an individual whose personal data is processed.
3.8. “Personnel” refers to all members of the faculty, also called as the academic personnel, both to the teaching and non-teaching personnel, working in the New Era University Main Campus in New Era, Quezon City and in its branches in Lipa City, Batangas; City of San Fernando, Pampanga; General Santos City, South Cotabato; and Pinugay, Baras, Rizal.
3.9. “Security Incident Response Team (SIRT)” refers to the personnel that would be the first responders to any and all data breach incidents. The team is also tasked to provide regular updates to the affected University personnel as to the ongoing measures to address the security incident.
3.10. “Compliance Officer for Privacy (COP)” refers to the personnel assigned to each department of the University to oversee compliance of data privacy within the department.
3.11. “Security Incident” refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place. The term “Security Incident” includes “Personal Data Breach.”
A Security Incident includes, but is not restricted to, the following:
● The loss or theft of data or information.
● The transfer of data or information to those who are not entitled to receive that information.
● Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.
● Changes to information or data or system hardware, firmware, or software characteristics without the NEU's knowledge, instruction, or consent.
● Unwanted disruption or denial of service to a system.
● The unauthorised use of a system for the processing or storage of data by any person.
3.12. “Incident Report” refers to a document that provides a detailed account of a suspected security incident which could be a basis for initial assessment of the incident.
3.13. “Risk” refers to the potential of an incident to result in harm or danger to a Data Subject or organization.
3.14. “Vulnerability” refers to a weakness of a data processing system that makes it susceptible to threats and other attacks.
3.15. “Threat” refers to a potential cause of an unwanted incident, which may result in harm or danger to a Data Subject, system, or organization.
3.16. “DPA refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012.
3.17. “IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012.
3.18. “NPC” refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012.
In order to implement the proper security measures for the data processing systems of the University, a corresponding inventory and data classification shall be done by each department to be led by the assigned COP per department. A corresponding Records of Processing System Form shall be distributed and filled out by each department and submitted to the Data Protection Officer (DPO) and the Security Incident Response Team (SIRT) to assess the necessity of suitable data privacy policies and procedures.
The DPO and SIRT then will recommend the proper security measures to be implemented to secure personal and sensitive personal information collected or processed.
In line with our effort to ensure the integrity of our computer facilities, please be reminded of the following guidelines for proper use of computers and internet connections:
● Only approved work-related or education-related software will be installed in the University’s computer units (ex. Word, Excel, and Students Record System (SRS) application and the like); non-work-related or non-education-related software will be uninstalled. Should there be a need to install additional software in the computer units, the same shall be done with clearance and assistance from the Computer Services Department (CSD).
● It is prohibited to make unauthorized system changes, plugging unknown devices, and disabling security features of the computer units or the University’s data processing systems.
● Those with internet access should only use the same for legitimate and/or official purposes. The following are prohibited:
● Downloading, watching, or streaming videos, music videos, and similar materials unless authorized by the instructor or part of the study.
● Downloading and/or playing video games (online/offline)
● Engaging in online games or gambling, online marketing, cryptocurrency mining or trading.
● Visiting malicious sites like pornographic and gambling sites.
● Use of VPN and/or unauthorized (wifi) routers or switches and other network devices.
● Use of the University’s facilities and services for other illegitimate purposes.
● The playing of computer games is strictly prohibited.
● Use of computer units shall only be during the scheduled class except those in the library and other services that require access anytime provided there is approval of the Head of the Department concerned.
● Always keep your computer clean and orderly.
● Eating and drinking near the computer units is not allowed (even candies, juices, and the like). Food crumbs and liquid spills might cause damage to the computer units.
● Do not let small objects such as staple wires, hair pins, paper clips, and the like, fall into the printer or keyboard.
● Avoid using bond paper with staple wire in the printer for this will damage the print head or the printer itself.
● Report to the CSD office any case of system trouble. Do not attempt to troubleshoot or fix the computer.
● Before leaving the office or room, check if the computer unit is properly shut down.
● The concerned employee or department shall be responsible for the assigned computer equipment and peripherals and shall be liable for any damage sustained by the equipment because of misuse.
● Employees shall lock their assigned computers when not in use or when leaving computers unattended for any length of time. This shall be done despite the configuration of the computer to automatically lock after a specified minutes of idle time.
In using the University’s Laboratory Rooms and equipment, the Teachers/Instructors are required to implement the following:
● Implement the Computer Laboratory Rules and Regulations in their classes.
● Prepare a seating plan and assign each student to a particular workstation for the entire term.
● The laboratory class is a faculty-supervised activity. Do not leave the class to avoid any untoward incident such as damage to or loss of property and unauthorized activities by students.
● Use the projector wisely. Turn off the projector when not in use.
● Do not leave personal belongings or class materials in the computer laboratory.
● Do not stay in the laboratory if you have no laboratory session. If necessary, you may use the computers in the CSD Office.
● Upon leaving the laboratory, turn off the lights and air-conditioning unit. Lock the doors unless the instructor of the next class is already present.
● Be the last one to leave the laboratory. Before leaving the laboratory, ensure that all computer units are logged off/shut down properly, the projector is turned off, whiteboards are clean, chairs are arranged properly, and trash is put in the trash can.
For the students, guidelines for the use of the computer laboratory are as follows:
● Only students who are officially enrolled in the class shall be allowed inside the laboratory.
● Do not enter the computer laboratory room when the instructor is not yet around.
● Wear the prescribed uniform including ID while inside the laboratory.
● Bags and other things must be placed in the bag cabinet before proceeding to the assigned computer unit.
● Keep the facilities clean and orderly.
● Do not bring food or drinks in the laboratory as they may damage the equipment.
● Observe silence inside the laboratory.
● Do not use your mobile phone while inside the laboratory. Switch it off or put it in silent mode.
● Use only the computer unit assigned to you by the instructor.
● Use computers for assigned activities only. Do NOT play computer games or chat online.
● Do not use someone else’s username and password or allow others to use yours.
● Do not alter the configuration of the operating system or desktop.
● Save your projects and activities on the file server. Files saved onto the local hard disk may be deleted.
● Secure permission from the instructor if you are going to use the printer.
● Report to the instructor and/or laboratory technician any computer trouble. Do not attempt to fix the computer.
● Once proven, any damage done by the student on the facility in any manner will be charged to him accordingly.
● Optical drives and USB ports are disabled for security reasons. Ask the assistance of the instructor/laboratory technician if you need to use them.
● Log off and shut down the computer at the end of the laboratory session.
● Arrange the chairs before leaving the computer room and put the trash in the trash can.
The following shall be observed in accessing personal information and sensitive personal information by employee or department personnel:
● A department employee shall only be granted access to personal information necessary to his/her official functions or based on the need to know policy.
● Access of employees or personnel from other departments shall be granted access to personal and sensitive personal information only upon execution of a Non-Disclosure Agreement and approval of a security clearance from the assigned approving authority. A security clearance form is available in each department for this purpose.
● The purpose of access, mode of access, and the period of validity or duration of access shall be indicated in the security clearance form.
● All documents whether electronic or physical copy for transfer shall be subject to the access and disclosure policies and procedures of the University. A letter or transmittal form shall be prepared indicating the specific documents for transmittal.
● Employees shall only use the institutional email accounts in the transfer of information. As such, the CSD shall submit inventory of user access and access level control of the employees of the University.
● All mail for transit through postal office, liaison officer or forwarding services are properly sealed in an envelope and, if necessary, placed in an enclosed mail bag. The liaison officer shall also sign a Non-Disclosure Agreement and shall be informed of the Data Privacy policies, procedures and penalties for security breaches.
● Transfer of personal information and sensitive personal information to external parties shall be governed by a Data Sharing Agreement. As such, any project that involves processing of personal and sensitive information shall be informed to the SIRT and DPO to make the necessary assessment and recommendation if there is a need to execute a Data Sharing Agreement.
● Any form, whether physical or electronic, where there is a processing of personal and sensitive information involved shall be checked and cleared by the SIRT and DPO to ensure compliance with the data protection policies of the University.
● Transmittal of documents through facsimile technology is discouraged. For official communications, especially consisting of personal and sensitive personal information, the usage of institutional email is recommended.
● Access, reproduction, printing of documents or files, sharing of information, reuse of documents, deletion or shredding of documents shall follow the information security policy of each department. Reuse of documents with personal or sensitive personal information shall be prohibited. Deletion and shredding of documents shall be monitored and approved by the Head of the Department.
● Bringing homework-related documents that contain personal and sensitive personal information is prohibited unless authorized by the University.
● Encoding of grades shall be done only by the assigned employee, e.g. teachers or professors, unless with permission and approval by the department head.
● All types of maintenance works applicable to the department by third parties or employees not belonging to the department concerned shall be done through proper supervision or monitoring of the COP and/or Department Head. If necessary, proof of job order or authority to conduct said maintenance shall be required.
● Taking pictures of documents with personal and sensitive information shall be considered as processing or accessing of information. As such it is prohibited to capture copies of documents unless there is prior approval by the University.
● All inquiries involving personal and sensitive information shall be endorsed and/or with prior approval of the proper authority or processor of said information before the release of such information. Viewing and verbal giving of personal and sensitive information shall also be done by the authorized employee and with the necessary approval according to the data privacy policies of the University.
Employees shall clear their desks of all papers when they step away from their workspace e.g. taking a break, before going home at the end of the day. This is to protect personal information and sensitive personal information against inappropriate access, disclosure, damage, or loss.
All personal information and sensitive personal information being processed by the Department shall be stored in secured, locked, and cleaned designated data rooms, filing cabinets, or labelled filing boxes inside a storage area.
Each department shall implement an effective filing system, make an inventory of files, technology resources, facilities or equipment used, and access control management. Strict compliance on limitations of access to personal and sensitive personal information shall be enforced. Persons with access to keys of filing cabinets, storage areas, remote or online access to database, or access to I.T. facilities or equipment must be identified and controlled.
Each department shall be responsible for checking that all physical and electronic records are secured, tracked, and/or monitored e.g. locked, protected by passwords, encrypted and maintained accordingly, and access to files documented. Absent such security, the Compliance Officer for Privacy (COP) shall recommend to: (i) the Head of the Department for approval, implementation, recommendation, or acquisition request; or (ii) the CSD and/or SIRT for implementation of technical security measures.
A signage “Authorized Personnel Only” and “Restricted Area” shall be placed visibly in designated personal information secured storage areas or rooms.
Retention policies involving documents with personal and sensitive personal information shall be according to the department’s recommendation and/or justification and approval by the SIRT, DPO, and University President.
Storage of personal data from NEUVLE and other Data Processing Systems of the University
All personal data collected during the conduct of an online course should be stored in the NEUVLE or Google Drive of the institutional email unless otherwise allowed by the University. This is to stay within the official work environment of the concerned institution. Storing of personal data collected as part of the conduct of a class in a personal account or device should be avoided or at least kept to a minimum in order to minimize the risk of unauthorized use or access. Unless some other lawful basis for their continued retention exists, personal data should be disposed of securely when the declared purpose for its collection and processing is no longer valid.
The University has several data processing systems or databases to provide services to the faculty and students.
● NEUVLE: https:neuvle.neu.edu.ph
● NEU Automate: https://automate.neu.edu.ph
● NEU Website: https://neu.edu.ph, and
● Google Suite (Institutional email): ____@neu.edu.ph
The following shall be observed in using said services:
● The systems of the University can only be used by the employees, faculty, and students at the University.
● A corresponding consent form shall be signed by the employees, faculty, and students for the collection and processing of their personal information necessary to provide the services of the University.
● Instructions as to how to register and access said systems can be done through the CSD. Other concerns can be sent to:
Computer Services Department (CSD)
Email Address: _______________
Telephone No./Mobile No.: ________________
Helpdesk online: _________________________
Schedule of Helpdesk Online: ________________
● All academic and administrative departments shall establish their own virtual offices via neuvle.neu.edu.ph to cater to stakeholders where there will be staff on hand to answer various queries. The CSD is assigned to oversee the creation of such virtual offices. A corresponding Telegram Group Chats/Channels will also be created, through the Ministrong Tagasubaybay, which can be used to attend to the student or stakeholder grievances.
The school-student relationship is contractual in nature and the contract between the school and the student is imbued with public interest. The NPC refers to this contract between the school and the student as the “educational framework,” which encompasses all activities and operations the school may perform in line with the students’s education. Any processing of personal information to fulfill the obligations of parties within the educational framework is permissible.
Thus, the recording of online classes, and any use, storage, or any kind of processing related thereto is permissible processing within the educational framework. However, the employees, especially the teachers or professors, shall adhere to the following guidelines:
● An announcement or posting that involves personal data (e.g. grades, results of assignments, etc.) should be made in a manner that only makes it viewable by its intended recipient/s.
● Downloading of personal data stored in the NEUVLE should be kept to a minimum and/or limited to that which is necessary for online learning. Any downloaded data shall be retained only until there is a legitimate need for such offline copy.
● Submissions of school-related activities, e.g. assignments, projects, etc., shall be made within the NEUVLE, institutional email accounts, and other platforms authorized or permitted by the University, e.g. permitted chat groups. Submissions via social media platforms are discouraged since these platforms were never designed for such a purpose.
● Exercise caution when integrating applications, tools, and other services into the NEUVLE. They may introduce vulnerabilities to an otherwise secure system. A Privacy Impact Assessment may be undertaken by a multidisciplinary team before formalizing any planned integration. The team shall review key areas such as security, data protection, compatibility, and administration.
Publication of information or files via other means or platforms
Personal Data, including the files or records that contain them, stored or uploaded in the NEUVLE and other Data Processing Systems of the University is covered by legal (e.g. data privacy policies, intellectual property policies, etc.) and technical requirements of the University. As such, it is prohibited to publicly disseminate, repost, or reshare personal data and any of the contents in the NEUVLE and other data processing systems of the University without prior approval from the University.
Optical drives and USB ports of the University’s Computer Units are disabled for security reasons. Computers with optical drives and USB ports as well as authorized employees or students to use the same are with prior approval of the University and included in the inventory and monitoring of the CSD. Such inventory shall also be submitted to the office of SIRT
As part of the security of official communications of the University’s employees, the following privacy and confidentiality notice shall be indicated at the bottom of the mail or email:
All information contained in this communication, including any and all attachments, manually or electronically transmitted is strictly confidential and used for privileged purposes including, but not limited to, official-academic purposes or work-product privilege. Unauthorized disclosure may result in prosecution, including, but not limited to, criminal and civil actions against the offender. If you are not the intended recipient of this letter or email, do not read, copy, use, forward, or disclose any of its contents to others. If you have received this letter or email in error, please notify the sender by replying to this letter or email and then delete it from your system
New Era University
© Copyright 2024. All Rights Reserved.
In communicating with fellow employees or students, the messaging application within the NEUVLE or official telegram accounts or groups shall be utilized.
Password policy
● Do not use the same password across multiple accounts.
● Use hard-to-guess strong passwords or paraphrases.
● Passwords should not be selected based on personal information that is easy to obtain, such as names or date of birth.
● Alphanumeric and special characters should be used in the password.
● Use multi-factor authentication, if available, such as time-based one-time PINs sent via SMS, or generated by software-based authenticators, and hardware-based authenticators like physical keys.
● Username and password are assigned per individual user to maintain accountability. Thus, the sharing of accounts and access to such accounts is prohibited.
● Do not display passwords on the screen when being entered.
● Do not display usernames and/or passwords in any visible areas or storage where anyone can access them. e.g. shared computers, messaging chats with multiple users, etc.
● Store and transmit passwords in protected form.
● Users must change their passwords immediately if the confidentiality of their passwords is compromised.
Emails, Social Media, and Web Browsing Policy
● Institutional emails and web browsing shall only be used for official academic or work-related tasks. The University has a right to suspend, deactivate, or remove access and use of said email and accounts anytime, including but not limited to, upon graduation, transfer to other schools, the student is no longer enrolled with the University, employee’s end of the contractual relationship with the Univeristy, and/or as a disciplinary measure.
● The students, faculty, employees acknowledge that these institutional email and other university-provided accounts are owned by the University.
● Use of email and browsers for offensive, disruptive, or discriminative acts, for visiting malicious sites like pornographic and gambling sites, and for other illegal purposes are strictly prohibited.
● Sharing of official accounts and access to the University’s facilities is strictly prohibited.
● An email signature with the following format is highly recommended:
Name
Designation
Academic Unit/Administrative Office
New Era University
● Social media content, website advertisements, and emails with links and attachments coming from external sources or through email not using the institutional email are the easiest entry points to perpetuate malicious attacks. As a precautionary measure, please observe the following steps to fully protect you information:
a. Regularly check your accounts for suspicious transactions.
b. Be very cautious about providing personal information which will require you to click on links or download attachments contained in emails, SMS, or private messages. Take time to verify the source of the information.
● Posting or sharing of personal data (e.g. photos, videos, etc.) social media must always have a legitimate purpose. Assessment as to the necessity of data subject consent must be made before such posting or sharing.
● Posting of photo and/or video of students on the teacher or professor’s personal social media account is prohibited unless with prior authorization or consent by the student or parents/guardian (if minor). The Photo and/or Video Release Form by the University is exclusively for giving consent and authorization to the University.
● Personal data collected by personnel in their official capacity and/or during an official activity must not be used for personal purposes or reasons. On the other hand, if personnel have collected personal data in their personal capacity and later on decided to use it for work-related purposes, consent from the data subject must be acquired following the principles of fairness and transparency. Collection of personal data, if used for official purposes, shall be with prior approval and according to the data privacy policy of the University.
Photo and/or Video Release Form
A corresponding Photo and/or Video Release Form shall be signed by the students upon enrollment to be used in and/or for any lawful promotional materials including, but not limited to, newsletters, flyers, posters, brochures, advertisements, fundraising letters, annual reports, press kits, and submissions to journalists, websites, social networking sites, and other print and digital communications.
Notices and signs
For NEU sponsored activities open to the public notices or posted signs should be placed at the entrances and throughout the premises clearly and conspicuously.
For events hosted by third-party organizations using NEU property, any photography, video recordings, livestreaming, and/or other documentation done by the third-party event organizers should have a corresponding crowd notice for filming and recording, separate from the NEU notices and signs, and be provided by the third-party organizations.
The installation of software is the responsibility of the Computer Services Department. The downloading and installation of pirated software are strictly prohibited. If there is a necessity for a specific software for official use or functions, the Head of the Department shall make the proper request and/or recommendation for the acquisition of such software. video recordings, livestreaming, and/or other documentation done by the third-party event organizers should have a corresponding crowd notice for filming and recording, separate from the NEU notices and signs, and be provided by the third-party organizations.
Optical drives and USB ports are disabled for security reasons. Ask for the assistance of the instructor, laboratory technician, and/or the Computer Services Department if necessary.
Student activities should be saved on the file server. Files saved onto the local hard disk may be deleted.
Saving of official files created or used by employees shall follow the policy of each department.
In the event of a data breach and incident, the Security Incident Response Team (SIRT) and Data Protection Officer (DPO) shall be notified. Authorized personnel of the Department, as instructed by the SIRT, or the SIRT shall make the necessary back-up and recovery to minimize damage and loss of data.
The Security Incident Management Policy of the New Era University is published through the official data processing systems of the University as well as on the University’s website. This policy provides guidance, procedures, and actions to be taken in case of security or personal breach involving any data processing system of the University and/or personal data under its control and custody.
The Use of public facilities such as internet cafes and free public Wi-Fi facilities in encoding personal and sensitive personal information is prohibited.
In order to reduce exposure to malware and other viruses, employees shall utilize the internet primarily for official purposes and not for personal transactions. Downloading pirated software, watching, or streaming videos, music videos, and similar materials are prohibited unless authorized or required as part of the curriculum or study.
Employees and students, as approved by the Computer Services Department, shall be authorized to access or use the internet connection of the University. Unauthorized individuals who utilize the internet connection of the University will be blocked and/or dealt with accordingly.
As far as practicable, the University shall adopt the recommended encryption standard - the Advanced Encryption Standard with a key size of 256 (AES-256) of the National Privacy Commission for all digitally processed data consisting of personal and sensitive personal information, whether at rest or in transit.
The employee and students shall ensure that personal devices used for academic and work-related activities are secured. They must comply with the policy of the use of the University’s internet connection and the use of Wi-Fi connections as indicated in this policy.
In the event of loss of device and on the belief of possible access of academic and work-related activities and personal and sensitive personal information, the employee or student must immediately notify the Data Protection Officer (DPO) and/or the Security Incident Response Team (SIRT) to commence the remote wiping process or to secure the access of the data processing system of the University.
Inventory of authorized and unauthorized devices, installation of antivirus, firewalls, intrusion detection system, and implementation of OS Patches and Penetration Testing shall be the responsibility of the Computer Services Department and the Security Incident Response Team.
Mandatory security awareness training programs will be conducted for all faculty, staff, and students to educate them about the importance of information security. These training programs will cover topics such as password hygiene, phishing awareness, data protection, and compliance with security policies and regulations, and it will be provided during the onboarding process for new hires and on an annual basis for existing employees and students.
Third-party Risk Assessment
Before entering into any contractual agreement, all third-party vendors and service providers will undergo a comprehensive risk assessment. They are required to demonstrate compliance with industry-standard security practices and adhere to the university's specific security requirements. Additionally, vendor relationships will undergo periodic reviews to ensure ongoing compliance with security standards and performance expectations.
Contractual Obligations
Contracts with vendors will include specific security clauses outlining data protection obligations, incident reporting requirements, and liability provisions. Vendors will be contractually obligated to cooperate with security audits and provide evidence of compliance with contractual obligations and security standards.
Service Level Agreements (SLAs)
SLAs will be established with vendors to define service expectations, performance metrics, and remedies for service failures or disruptions. These SLAs will be reviewed and updated periodically to reflect changes in business requirements, regulatory landscape, and service performance.
The following table identifies who within the University is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:
● Responsible – the person(s) responsible for developing and implementing the policy.
● Accountable – the person who has ultimate accountability and authority for the policy.
● Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
● Informed – the person(s) or groups to be informed after policy implementation or amendment.
Responsible | University President |
Accountable | Data Protection Officer and the Head of the SIRT |
Consulted | Board of Trustees University President VP Administration University Secretary Corporate Secretary Legal Department Human Resources Department Security Incident Response Team Computer Services Department |
Informed | All Academic and Administrative Officials All Faculty and Staff All Student Organizations All Students (Grade 7 above) All Parents/Guardians |
If any user is found to have breached this policy, they may be subject to the University’s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the perpetrators, all participants, and accomplices.
This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Policy review will be undertaken by the Data Protection Officer and the head of the SIRT.
Upon the approval of the Board of Trustees, this Policy and any subsequent amendments shall take effect within fifteen (15) calendar days after it has been posted in the University’s website.
This policy provides guidance, procedures, and actions to be taken in case of security or personal breach involving any data processing system of the University and/or personal data under its control and custody.
This policy is promulgated to:
● Ensure that the University, its offices, personnel, and students react appropriately to any actual or suspected security incidents relating to the data processing systems and personal data within the custody of the University.
● Establish a data breach response team and define its roles and responsibilities.
● Implement security measures to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident.
● Establish an incident response procedure to ensure the availability, integrity, and confidentiality of the personal data being processed through the University’s data processing system.
● Establish procedures for mitigating possible harm and negative consequences in the event of data breach.
This policy governs all New Era University’s branches, academic units and administrative offices, personnel, and students.
For the purpose of this policy, the following terms are defined, as follows:
3.1. “Personal Data” refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012;
3.2. “Sensitive Personal Information” refers to personal information:
a. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, and
d. Specifically established by an executive order or an act of Congress to be kept classified.
3.3. “Data Processing System” refers to the structure and procedure by which personal data is collected and processed in an information and communications system, or any other relevant filing system. It includes the purpose and intended output of the processing (National Privacy Commission, op.cit.).
3.4. “Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
a. An availability breach resulting from loss, accidental or unlawful destruction of personal data;
b. Integrity breach resulting from alteration of personal data; and/or
c. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
3.5. “Data Processor” refers to the NEU personnel who process Personal Data pertaining to a Data Subject;
3.6. “University” refers to New Era University and all its branches.
3.7. “Data Subject” refers to an individual whose personal data is processed.
3.8. “Personnel” refers to all members of the faculty, also called as the academic personnel, both to the teaching and non-teaching personnel, working in the New Era University Main Campus in New Era, Quezon City and in its branches in Lipa City, Batangas; City of San Fernando, Pampanga; General Santos City, South Cotabato; and Pinugay, Baras, Rizal.
3.9. “Security Incident Response Team (SIRT)” refers to the personnel that would be the first responders to any and all data breach incidents. The team is also tasked to provide regular updates to the affected University personnel as to the ongoing measures to address the security incident.
3.10. “Compliance Officer for Privacy (COP)” refers to the personnel assigned to each department of the University to oversee compliance of data privacy within the department.
3.11. “Security Incident” refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place. The term “Security Incident” includes “Personal Data Breach.”
A Security Incident includes, but is not restricted to, the following:
● The loss or theft of data or information.
● The transfer of data or information to those who are not entitled to receive that information.
● Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.
● Changes to information or data or system hardware, firmware, or software characteristics without the NEU's knowledge, instruction, or consent.
● Unwanted disruption or denial of service to a system.
● The unauthorised use of a system for the processing or storage of data by any person.
3.12. “Incident Report” refers to a document that provides a detailed account of a suspected security incident which could be a basis for initial assessment of the incident.
3.13. “Risk” refers to the potential of an incident to result in harm or danger to a Data Subject or organization.
3.14. “Vulnerability” refers to a weakness of a data processing system that makes it susceptible to threats and other attacks.
3.15. “Threat” refers to a potential cause of an unwanted incident, which may result in harm or danger to a Data Subject, system, or organization.
3.16. “DPA refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012.
3.17. “IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012.
3.18. “NPC” refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012.
The NEU Security Incident Response Team (SIRT) shall be responsible for investigation of a suspected security incident and reporting to the University President and Board of Trustees.
The COP of each department shall serve as the main point of contact for all reports of a suspected security incident coming from their assigned department.
Headed by the Director of the SIRT and assisted by the Data Protection Officer, the team shall have two (2) other permanent members recommended by the Director of the SIRT and approved by the University President. Where the member of the Team is the data processor involved in a reported incident, the University president will recommend a competent alternative. Additional members shall be appointed as necessity arises and depending on the recommendation of the Director of the SIRT.
The following offices and individuals shall perform their respective functions and responsibilities:
6.1. CSD
a. Responsible for the daily operation and maintenance of the University’s I.T. facilities.
b. Responsible for immediately reporting possible security incidents that need further investigation by the SIRT.
c. Cooperate and allow the SIRT and DPO to regularly check the operations of the CSD to comply with the former’s obligation in monitoring security breaches and vulnerability of computer networks.
d. Submit inventory of user access and access level control of employees as to the assigned accounts for the use of the data processing system of the University e.g. institutional email, NEU Automate, and existing google forms
e. Secure necessary logs in maintaining the infrastructure of the University.
6.2. COP
a. Responsible for conducting data audits within the department. This should involve identifying:
i. The categories of personal data processed
ii. The locations where it is stored e.g. physical filing cabinets, hard disks, and cloud drives.
iii. Inflows or sources of personal information e.g. google or web forms, physical forms, email, and phone calls.
iv. Outflows or third parties with whom the personal data is shared e.g. mail carriers, advertisers, cloud storage providers, and third-party online platforms.
b. Responsible for checking that all physical and electronic records are secured, tracked, and/or monitored.
c. Records and secures all reports and documents related to suspected security incidents.
d. Review and recommend, along with the head of the department, information security measures and the acquisition of necessary equipment to implement such information security measures to the University President, SIRT, and/or DPO.
e. Assist in the implementation of information security measures within the department.
f. Submit the Incident Report to the SIRT and DPO in accordance with this policy.
6.3. SIRT
a. Investigate and assess suspected security incidents in coordination with all concerned units and offices of the University.
b. Recommend remedial measures to be performed concerning a suspected security incident.
c. Accomplish a Security Incident Report, as prescribed by the Board of Trustees.
d. Recommend permanent and additional members of SIRT to the University President.
6.4. SIRT Head and DPO
a. Serve as the main point of contact for all reports of a suspected security incident.
b. Act as custodian of all reports and documents generated or prepared in relation to suspected security incidents. Document all the remedial actions taken.
c. Review and revise this Policy in accordance with the Philippine Data Privacy Act of 2012 and other laws, guidelines, and standards applicable to the protection of Data Processing Systems and Personal Data.
d. Report to the University President, recommend and implement approved remedial measures to be performed in relation to a suspected security incident.
e. Notify the NPC and/or affected data subjects when required by the Data Privacy Act of 2012.
6.5. University President
a. Approve, reject, or otherwise take action on the findings or recommendations of the SIRT and DPO.
b. Appoint the permanent members of the SIRT.
c. Appoint the alternate of any permanent member of the SIRT, when necessary.
d. Approve, reject, or otherwise comment on proposed revisions to this Policy.
e. Approve identified and authorised staff that should have access to the affected systems during the incident.
Security incidents as well as events and weaknesses of the data processing system need to be reported at the earliest possible stage as they need to be assessed by the Data Protection Officer and the Head of the SIRT. The Data Protection Officer enables the Security Incident Response Team (SIRT) to identify when a series of events or weaknesses have escalated to become an incident. The SIRT needs to gain as much information as possible from the data subjects or personnel to identify if an incident is occurring.
Examples of the security events, weaknesses, and common forms of Security Incidents have been provided below:
Security events can include:
● Uncontrolled system changes.
● Access violations – e.g. password sharing.
● Breaches of physical security.
o Loss of ID badge/s
o Missing correspondence
o Exposure of Uncollected print-outs
● Misplaced or missing media
● Loss of mobile phones and portable devices
● Systems being hacked or manipulated.
● Non-compliance with policies.
Security weaknesses can include:
● Inadequate firewall or antivirus protection.
● System malfunctions or overloads.
● Malfunctions of software applications.
● Human errors.
The most common Security Incidents are listed below. It should be noted that this list is not exhaustive.
Malicious
● Giving information to someone who should not have access to it - verbally, in writing, or electronically.
● Computer infected by a Virus or other malware.
● Sending a sensitive e-mail to 'all staff' by mistake.
● Receiving unsolicited mail of an offensive nature.
● Receiving unsolicited mail that requires you to enter personal data.
● Finding data that has been changed by an unauthorized person.
● Receiving and forwarding chain letters – including virus warnings, scam warnings, and other emails that encourage the recipient to forward to others.
● Unknown people ask for information that could gain them access to the University data (e.g. a password or details of a third party).
Misuse
● Use of unapproved or unlicensed software on the University’s equipment.
● Accessing a computer database using someone else's authorization (e.g. someone else's user ID and password).
● Writing down your password and leaving it on display / somewhere easy to find.
● Printing or copying confidential information and not storing it correctly or confidentially.
Theft / Loss
● Theft/loss of a hard copy file.
● Theft/loss of any of the University’s computer equipment.
7.1. Notification or Report to the Data Protection Officer and the Security Incident Response Team (SIRT)
Security Incident Report shall be submitted or coordinated through:
The Data Protection Officer (DPO) and/or
Head of the Security Incident Response Team (SIRT)
Email addresses: dpo-notification@neu.edu.ph
Contact Numbers:028-9814221 local 3859
The following information should be provided:
● Details of the incident (if known)
● Date and Time of Incident
● Number of Persons Affected
● Name of office processing the information
● Contact name and number of the person reporting the incident.
● The type of data, information, or equipment involved.
● Whether the loss of the data puts any person or other data at risk.
● Location of the incident.
● Inventory numbers of any equipment affected.
● Location of data or equipment affected.
7.2. The SIRT shall investigate and assess the reported suspected security incidents in coordination with the concerned unit or office.
7.3. The SIRT shall inform immediately, or within one (1) hour from the discovery of the security incident, to the University President for appropriate action. A Security Incident Report shall be accomplished within twenty-four (24) hours and submit the same to the University President.
7.4. The SIRT shall evaluate the Security Incident Report submitted to them. The Head of the SIRT will determine if additional members or experts are necessary to investigate the reported incident. If deemed necessary, the Head of the SIRT shall recommend the designation of additional members to the University President.
7.5. The SIRT shall conduct its investigation based on the Security Incident Report submitted and shall perform the following tasks:
a. Collate the following information:
i. The nature and circumstances of the security incident.
ii. Data processing systems involved.
iii. Data Processor and other persons responsible or involved, designation and their contact details.
b. Conduct clarificatory questions to the Data Processor.
c. Require additional submissions of documents, reports, or information from the Data Processor.
d. Request for a meeting with the Data Processor and other concerned offices or individuals in the University.
e. Perform actions to obtain the necessary information related to the reported Security Incident.
f. Consult with the DPO and Head of the SIRT before performing major actions that may need permission from the University President and/or Board of Trustees.
g. Complete its investigation within forty-eight (48) hours after the endorsement of the Security incident Report for investigation. Any request for extension of investigation and submission of initial assessment shall be relayed to the University President, DPO, and Head of the SIRT.
7.6. The results of the investigation and initial recommendation (SIRT Security Incident Report) shall be signed by all members of the SIRT and submitted to the University President, copy furnished to the DPO.
7.7. The University President, DPO and Head of the SIRT shall then make a final recommendation to the Board of Trustees for appropriate approval and action.
7.8. All documents submitted related to the Security Incident shall be consolidated and kept by the DPO and Head of the SIRT.
8.1. The DPO and Head of the SIRT, with the approval of the University President, will conduct a debriefing session with the COPs, Data Processor and concern individuals to implement remedial or preventive measures. The DPO may also conduct an orientation regarding data privacy and compliance with the Data Privacy Act of 2012.
8.2. The DPO and Head of the SIRT may recommend the conduct of Privacy Impact Assessment (PIA) on the data processing system involved in the security incident or the office concern.
8.3. The University President shall issue a corresponding memorandum to implement the new security measures as recommended by the DPO and the Head of the SIRT.
8.4. The SIRT shall conduct the following:
a. Regular monitoring for security breaches and vulnerability scanning of computer networks;
b. Change user and administrative access credentials;
c. Conduct backup of data as deemed necessary. General or scheduled back-up shall be implemented by CSD;
d. Shut down or disconnect the affected devices from the internet or intranet;
e. Conduct inventory and review of access control, equipment and assets, and secure log files as deemed necessary. General inventory shall be done by CSD and reported to the SIRT and DPO;
f. Restore, repair or rebuild the system or application that was compromised.
g. Review and approve the Assets Inventory Report conducted by the CSD.
8.5. The Computer Service Department (CSD) shall remain to be responsible for the daily operation and maintenance of the University’s I.T. facilities. They shall immediately report to the SIRT in case there is a belief or possibility that a security incident might arise and need further investigation by the SIRT. They will cooperate and allow the SIRT and DPO to regularly check the operations of the CSD to comply with the former’s obligation to monitor security breaches and vulnerability of computer networks.
8.6. The Acceptable Use Policy of the University, including but not limited to the Information Security Policy, shall govern the use of computing facilities and network infrastructure in the University.
All information related to reported security incidents shall be kept confidential by all concerned Parties. A corresponding Non-Disclosure Agreement prescribed by the DPO shall be explained to the concerned parties and signed by them before they assume their functions under this Policy. Any public pronouncements involving any security incidents must be upon the approval of the DPO, University President, and/or Board of Trustees.
The DPO shall assess and recommend whether the Personal Data Breach should be reported to the National Privacy Commission (NPC) as required under the Data Privacy Act of 2012.
The following shall be reported to NPC:
a. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
b. Other information includes, but is not limited to, the following:
i. Data about the financial or economic situation of the data subject;
ii. Usernames, passwords, and other login data;
iii. Biometric data;
iv. Copies of identification documents, licenses, or unique identifiers like Philhealth, SSS, GSIS, TIN number; or
v. Other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
c. There is reason to believe that the information may have been acquired by an unauthorized person; and
d. The personal information controller believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
When there is doubt as to whether notification is necessary, consider factors:
a. The likelihood of harm or negative consequences on the affected data subjects;
b. How notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred; and
c. If the data involves:
i. Information that would likely affect national security, public safety, public order, or public health;
ii. At least one hundred (100) individuals;
iii. Information required by all applicable laws or rules to be confidential; or
iv. Personal data of vulnerable groups.
Aside from notifying the NPC, the University, through the DPO, SIRT, and University President, shall also notify the affected Data Subjects within seventy-two (72) hours upon knowledge of or the reasonable belief by the University that a Personal Data Breach has occurred.
Generally, there shall be no delay in notification, except to the extent necessary to determine the following:
a. The scope of the breach;
b. To prevent further disclosures; or
c. To restore reasonable integrity to the information and communications system.
Delay is not allowed if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive, personal information will harm or adversely affect the data subject except when the University is granted additional time by the NPC to comply.
Security Incidents shall be recorded and reviewed to improve the response process of the University. The information collated shall be considered in reviewing and recommending the revision of the University’s Data Privacy Policy.
The following table identifies who within the University is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:
● Responsible – the person(s) responsible for developing and implementing the policy.
● Accountable – the person who has ultimate accountability and authority for the policy.
● Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
● Informed – the person(s) or groups to be informed after policy implementation or amendment.
Responsible | University President |
Accountable | Data Protection Officer and the Head of the SIRT |
Consulted | Board of Trustees University President VP Administration University Secretary Corporate Secretary Legal Department Human Resources Department Security Incident Response Team Computer Services Department |
Informed | All Academic and Administrative Officials All Faculty and Staff All Student Organizations All Students (Grade 7 above) All Parents/Guardians |
If any user is found to have breached this policy, they may be subject to the University’s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the perpetrators, all participants, and accomplices.
This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Policy review will be undertaken by the Data Protection Officer and the head of the SIRT.
Upon the approval of the Board of Trustees, this Policy and any subsequent amendments shall take effect within fifteen (15) calendar days after it has been posted in the University’s website.