I – Policy Statement
The Ateneo de Zamboanga University recognizes the importance of safeguarding and ensuring the integrity of the data it collects, processes or handles about its clients, stakeholders, and personnel. Thus, this policy sets the protocol on data protection in conformity with Republic Act No. 10173, or the Philippine Data Privacy Act of 2012. It is established to provide guidance and direction on the management of digital information and records of the University and to clarify the responsibilities of the personnel who have direct and indirect access to them.
A. PURPOSES
1. Provision of safeguards for ADZU’s IT facilities, programs, data, network equipment against loss, misuse or abuse
2. Warranty for proper management and safekeeping of digital and paper records and for secure and appropriate disposal of such
3. Establishment of users’ responsibilities for protecting the confidentiality and integrity of the data they handle or access
B. SCOPE
This policy covers all information and records in digital or non-digital form about the University or any of its members or affiliates. This includes any expression of opinion about a person, group or organization in evaluation, feedback, meetings and other University processes. It also applies to recorded data such as photographs or video clips (including those from CCTV) or audio recordings.
This policy applies to all faculty and staff who have access to our digital records and information that are located on the different servers of the University. This, however, does not cover information that are located in the clouds (i.e. Google drive), workstations, and personal digital storage devices.
II – Definition of Terms
A. PERSONAL INFORMATION are those information that can identify an individual. It includes, but is not limited to, the following:
1. Home address or home telephone number
2. Health insurance information
3. Medical records related to an individual
4. Psychological counseling records
B. PROTECTED DATA are those information and records in digital and non-digital form that about the University, its members and stakeholders. They also include audio recordings and other information held visually in photographs or videos.
C. Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (see annex)
III – Guidelines
A. Information Systems and Digital Information Records
The University’s internal and external processes involve massive amount of information generation, collection or storage. Digital information and records are collected and processed by the university’s numerous school systems (enrollment, HR, RFID, clinic, etc).
A school system is developed for an office, department, or unit to facilitate or enhance their day-to-day operations and services. They, in turn, are designated owners of the system.
Key users of these systems, not necessarily the designated owners, are given various access rights on the management, maintenance and updating of the digital information or data in a school system. Responsibility comes with the access rights. Thus, a user and/or an employees that have access to a school system should not share his access rights and login information. Moreover, he should not share digital information and records (that he has access to) without proper clearance from the owner of the school system.
Nevertheless, it is still the CITS that is responsible for the overall management of both the digital information and records and the servers where they are saved.
B. Digital fingerprint
The AdZU school systems keep logs of all activities of users that access them. This allows the CITS team to determine the who, the what, the when, and oftentimes the where that pertains to the changes made on a particular digital record.
C. Backup, retention, and deletion
The CITS follows two (2) backup schedules for the university’s digital data – daily and monthly. The backup activities are automated and they normally happen during the night time when there is (assumed to be) no user of any of the various school systems.
All data collected since the 90’s have been retained and backed up. In an absence of any policy on digital data deletion, the CITS have continued to retain preexisting data and manage them accordingly.
D. Roles and responsibilities
1. Designated owner of school system
The designated owner screens and selects key users for the school system under his care. In addition, he is responsible in informing the CITS about the access rights to be given to the key users.
Lastly, the designated system owner has the sole right to divulge digital information and data derived from the system he is assigned to. A special arrangement can be made to allow key users to dispense digital information and records (ie department chairs using registrar system, HR personnel using finance system, etc).
2. Key users
Various access rights are given to key users who handle tasks that require the utilization of school systems. These rights ranges from simple viewing to creating and updating of digital information and records.
Key users are responsible for the accuracy and integrity of information they input into the systems. Most school systems do not have the capability of detecting wrong input of information. Thus, it is the responsibility of a user of the system to ensure that whatever data he is feeding the system is correct and appropriate.
3. CITS staff
A number of CITS personnel have high access clearance on the digital information and records of the University. This is because of the nature of their jobs. However, they are not allowed to divulge digital information or records to AdZU clients. Clients directly requesting these information from the CITS should be referred to the designated owner of the particular school system.
Specific Responsibilities
a. Director
He is ultimately responsible for the protection management of the digital information and records of the University. He promotes compliance and delegates responsibility to the CITS staff.
b. Assistant for school systems
He is the overall custodian of the digital information and records of the University. He assists the director on the management of these digital data. He is also responsible in assigning special access rights to the System Developers.
c. Server administrator
He makes sure that digital information and records are backed up regularly. He also secures the digital data from inside and outside intrusions.
d. System developer
He develops systems and then coordinates with the unit, office, or department heads in assigning access rights to key users.
E. Confidentiality and penalty
Unauthorized sharing of digital information and records shall be penalized and sanctioned based on the provisions in the University Confidentiality Policy.
F. Review and monitoring
This policy shall be subjected to a review every year to ensure that the demands of the changing times are addressed. Any new policy created will supersede this policy
Compliance with this policy will be monitored by the director of the CITS.