I – Policy Statement
The Ateneo de Zamboanga University recognizes the importance of safeguarding and ensuring the integrity of the data it collects, processes or handles about its clients, stakeholders, and personnel. Thus, this policy sets the protocol on data protection in conformity with Republic Act No. 10173, or the Philippine Data Privacy Act of 2012. It is established to provide guidance and direction on the management of the digital information and records of the University and to clarify the responsibilities of the personnel who have direct or indirect access to them.
A. PURPOSES
1. Provision of safeguards for AdZU's IT facilities, programs, data and network equipment against loss, misuse or abuse
2. Assurance of the proper management and safekeeping of digital and paper records, and of their secure and appropriate disposal
3. Establishment of users' responsibilities for protecting the confidentiality and integrity of the data they handle or access
B. SCOPE
This policy covers all information and records, in digital or non-digital form, about the University or any of its members or affiliates. This includes any expression of opinion about a person, group or organization in evaluations, feedback, meetings and other University processes. It also applies to recorded data such as photographs or video clips (including CCTV footage) and audio recordings.
This policy applies to all faculty and staff who have access to the University's digital records and information located on the University's servers. It does not, however, cover information located in cloud services (e.g., Google Drive), on workstations, or on personal digital storage devices.
II – Definition of Terms
A. PERSONAL INFORMATION is information that can identify an individual. It includes, but is not limited to, the following:
1. Home address or home telephone number
2. Health insurance information
3. Medical records related to an individual
4. Psychological counseling records
B. PROTECTED DATA is information and records, in digital or non-digital form, about the University, its members and its stakeholders. It also includes audio recordings and information held visually in photographs or videos.
C. Republic Act No. 10173, or the
Philippine Data Privacy Act of 2012 (see annex)
III – Guidelines
A. Information Systems and Digital Information Records
The University's internal and external processes involve a massive amount of information generation, collection and storage. Digital information and records are collected and processed by the University's numerous school systems (enrollment, HR, RFID, clinic, etc.).
A school system is developed for an office, department, or unit to facilitate or enhance its day-to-day operations and services. That office, department, or unit is, in turn, the designated owner of the system.
Key users of these systems, who are not necessarily the designated owners, are given various access rights for the management, maintenance and updating of the digital information or data in a school system. Responsibility comes with these access rights. Thus, a user or employee who has access to a school system must not share his access rights or login credentials. Moreover, he must not share the digital information and records he has access to without proper clearance from the owner of the school system.
Nevertheless, the CITS remains responsible for the overall management of both the digital information and records and the servers on which they are stored.
B. Digital fingerprint
The AdZU school systems keep logs of all activities of the users who access them. This allows the CITS team to determine who made a change to a particular digital record, what was changed, when it was changed, and often from where. This attribution is only as reliable as the rule against sharing login credentials: a change made under a shared account is logged against the account, not against the person who actually made it.
C. Backup, retention, and deletion
The CITS follows two (2) backup schedules for the University's digital data: daily and monthly. The backups are automated and normally run at night, when the various school systems are assumed to have no users.
All data collected since the 1990s have been retained and backed up. In the absence of any policy on digital data deletion, the CITS has continued to retain preexisting data and manage it accordingly.
D. Roles and responsibilities
1. Designated owner of school system
The designated owner screens and selects the key users for the school system under his care. In addition, he is responsible for informing the CITS of the access rights to be given to each key user.
Lastly, the designated system owner has the sole right to release digital information and data derived from the system assigned to him. A special arrangement can be made to allow key users to release digital information and records (e.g., department chairs using the registrar system, HR personnel using the finance system).
2. Key users
Various access rights are given to key users whose tasks require the use of school systems. These rights range from viewing only to creating and updating digital information and records.
Key users are responsible for the accuracy and integrity of the information they enter into the systems. Most school systems cannot detect incorrectly entered information. Thus, it is the responsibility of the user of the system to ensure that whatever data he feeds into it is correct and appropriate.
3. CITS staff
A number of CITS personnel have high access clearance to the digital information and records of the University because of the nature of their jobs. However, they are not allowed to release digital information or records to AdZU clients. Clients who request such information directly from the CITS shall be referred to the designated owner of the particular school system.
Specific Responsibilities
a. Director
He is ultimately responsible for the protection and management of the digital information and records of the University. He promotes compliance and delegates responsibility to the CITS staff.
b. Assistant for school systems
He is the overall custodian of the digital information and records of the University. He assists the director in the management of these digital data. He is also responsible for assigning special access rights to the system developers.
c. Server administrator
He makes sure that digital information and records are backed up regularly. He also secures the digital data against intrusions from inside and outside the University.
d. System developer
He develops systems and then coordinates with the unit, office, or department heads in assigning access rights to key users.
E. Confidentiality and penalty
Unauthorized sharing of digital information and records shall be penalized and sanctioned based on the provisions of the University Confidentiality Policy.
F. Review and monitoring
This policy shall be reviewed every year to ensure that it addresses the demands of changing times. Any new policy created will supersede this policy.
Compliance with this policy will be monitored by the director of the CITS.