Privacy policy

Data privacy notice

KCP Data Privacy

Institutional Policy in compliance with Republic Act No. 10173 (Data Privacy Act of 2012)

I. Introduction

A. Purpose and Scope This manual serves as the official policy of KCP on the collection, processing, storage, and disposal of all personal data, whether in physical or digital format. It aims to institutionalize a culture of privacy and data protection within the KCP community, ensuring compliance with the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC). This policy applies to all KCP personnel (faculty, administrators, staff), students, alumni, parents/guardians, applicants, contractors, and all other individuals whose personal data is processed by the institution. It covers all KCP-owned or managed systems, facilities, and processes, both online and on-campus.

B. Legal Basis This manual is established in accordance with Republic Act No. 10173, also known as the Data Privacy Act of 2012, which mandates the protection of an individuals personal data while ensuring the free flow of information to promote innovation and growth.

C. Definitions For clarity, the following terms are defined as they are used in this manual:

  • KCP: Refers to the institution, KCP.
  • Personal Data: Refers to all types of personal information, including sensitive personal information and privileged information.
  • Personal Information: Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Sensitive Personal Information (SPI): Personal information about an individual’s:
    • Race, ethnic origin, marital status, age, and religious, philosophical, or political affiliations.
    • Health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings.
    • Information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, health records, licenses or its denials, suspension or revocation, and tax returns.
  • Data Subject: An individual whose personal data is processed. This includes students, faculty, staff, applicants, etc.
  • Personal Information Controller (PIC): An entity that controls the collection, holding, processing, or use of personal data. KCP is a PIC.
  • Processing: Any operation or any set of operations performed upon personal data, including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
  • Data Protection Officer (DPO): The individual appointed by KCP to oversee compliance with the DPA.
  • MIS: The Management Information System, KCP’s centralized database and software platforms for administrative and academic functions.
  • Online Activities: Any activity conducted through KCP’s digital platforms, including but not limited to the official website, student portals, online learning management systems (LMS), and email.
II. The KCP Privacy Principles

All processing of personal data at KCP shall be guided by the following principles:

  • Transparency: Data subjects must be informed about the nature, purpose, and extent of the processing of their personal data.
  • Legitimate Purpose: The processing of personal data must be for a specific and legitimate purpose, and not contrary to law, morals, or public policy.
  • Proportionality: The collection and processing of personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specified purpose.
III. Institutional Responsibilities

A. Data Protection Officer (DPO) The DPO is the key individual responsible for KCP’s compliance with the DPA. The DPO’s responsibilities include:

  • Monitoring KCP’s data processing activities to ensure compliance with the DPA.
  • Serving as the contact person for data subjects regarding data privacy matters.
  • Coordinating with the National Privacy Commission (NPC).
  • Conducting Privacy Impact Assessments (PIAs) for new systems or projects.
  • Overseeing the development and implementation of KCP’s Privacy Management Program.
  • Managing all security incidents and data breaches.

B. Privacy Committee The Privacy Committee, chaired by the DPO, will consist of representatives from various departments. This committee will:

  • Formulate and review institutional data privacy policies.
  • Assist the DPO in implementing the Privacy Management Program.
  • Act as a central body for addressing data privacy concerns across the institution.

C. Departmental Data Processors Each department head or designated personnel shall act as a “Departmental Data Processor,” responsible for:

  • Ensuring that their department’s data processing activities comply with this manual and the DPA.
  • Maintaining an inventory of all personal data processed within their department.
  • Reporting any security incidents or data breaches to the DPO immediately.
IV. Data Processing Guidelines

A. Collection of Personal Data

  • Personal data shall only be collected for specified, legitimate purposes.
  • Data subjects shall be informed of the purpose of data collection at the time of collection.
  • Consent shall be obtained from data subjects for the processing of their personal data, except in cases where processing is authorized by law (e.g., for contractual obligations, legal compliance, or to protect the life and health of the data subject).
  • For sensitive personal information, explicit consent is required, except as otherwise provided by law.

B. Processing and Storage

  • Personal data shall be stored in secure locations, whether physical (locked cabinets in restricted rooms) or electronic (password-protected and encrypted systems).
  • Access to personal data, particularly sensitive personal information, shall be limited to authorized personnel on a “need-to-know” basis.
  • Electronic data shall be protected with firewalls, anti-malware software, and regular security updates. Physical documents shall be stored in a secure, fireproof location.
  • Back-ups of electronic data must be regularly performed and stored in a secure, separate location.

C. Disclosure and Sharing

  • Personal data shall not be disclosed or shared with third parties without the explicit consent of the data subject, unless authorized by law.
  • When sharing data with third-party service providers (e.g., cloud storage, online learning platforms), a Data Sharing Agreement or a contract with a data privacy clause shall be in place to ensure the third party’s compliance with the DPA.
  • Disclosure of personal data to government agencies or other institutions will only be done in compliance with a legal obligation, subpoena, or court order.

D. Retention and Disposal

  • Personal data shall be retained only for as long as necessary to fulfill the purpose for which it was collected or to comply with legal and regulatory requirements.
  • Once the retention period has lapsed, personal data shall be securely disposed of.
  • Physical disposal: Shredding of documents, pulverizing hard drives.
  • Electronic disposal: Permanent deletion of files, disk wiping, or degaussing.
V. Management Information System (MIS) and Online Activities

This section specifically governs all digital platforms and electronic data processing within KCP.

A. KCP Management Information System (MIS)

  • Role: The MIS is the primary digital hub for all institutional data, including student records, employee information, and financial data.
  • Security Measures:
    1. Access Control: Access to the MIS is strictly based on user roles and permissions. Only authorized personnel from relevant departments can access specific modules.
    2. Authentication: All users must use a unique username and a strong, complex password. Two-factor authentication (2FA) shall be implemented for all high- privilege accounts.
    3. Data Encryption: All personal data, especially sensitive personal information, shall be encrypted both in transit (using SSL/TLS certificates) and at rest (using database encryption).
    4. Logging and Auditing: The MIS will maintain a log of all data access, modifications, and deletions. The DPO and designated IT personnel will regularly audit these logs for any suspicious activity.
    5. Regular Backups: The MIS database will be backed up daily, with backups stored securely in an off-site location to ensure data integrity and availability.

B. KCP Online Activities

  • Official Website and Portals:
    1. Privacy Policy: The KCP website and all official portals must have a clear, easy- to-find privacy policy that informs users about the types of data collected, the purpose of collection, and their rights as data subjects.
    2. Consent: Online forms (e.g., for admissions, event registration) must include a clear mechanism for users to provide or withhold consent.
    3. Cookies and Tracking: Users must be informed about the use of cookies and other tracking technologies. A cookie consent banner will be implemented to allow users to manage their preferences.
  • Online Learning Management Systems (LMS) and Video Conferencing:
    1. Recordings: The recording of online classes or meetings must be done with the knowledge and consent of all participants. Recordings will be stored securely and access will be restricted.
    2. Privacy in Class: Participants are strictly prohibited from taking screenshots or unauthorized recordings of sessions.
    3. Third-Party Providers: KCP will enter into contracts with LMS and video conferencing providers that include strong data privacy clauses, ensuring the provider’s compliance with the DPA.
VI. Data Privacy in Department-Specific Operations

A. Human Resources Department (HR)

  • Data Collected: Employee records, application forms, resumes, performance evaluations, payroll information, government IDs.
  • Purpose: To process employment, manage compensation and benefits, performance, and legal compliance.
  • Privacy Measures: HR files, both physical and digital, are stored in a restricted area with limited access. Access is limited to authorized HR personnel on a need-to-know basis.

B. Accounting Office

  • Data Collected: Financial information of students, parents, employees, and suppliers; payroll data, payment records, tax documents.
  • Purpose: To manage tuition payments, payroll, reimbursements, financial reports, and tax compliance.
  • Privacy Measures: Financial records are highly confidential. Access is strictly limited to authorized accounting personnel. Digital records are stored in an encrypted system with robust access controls.

C. Registrar’s Office

  • Data Collected: Student application forms, enrollment records, grades, academic credentials, transcripts, student IDs, parent/guardian information.
  • Purpose: To manage student enrollment, academic records, and institutional reporting.
  • Privacy Measures: Student records are confidential. Transcripts and academic credentials will only be released upon the written request or authorization of the student.

D. Library

  • Data Collected: Patron names, student/employee IDs, borrowing history, and research inquiries.
  • Purpose: To manage library circulation, track resource usage, and provide specialized services.
  • Privacy Measures: Library patron records and borrowing history are confidential. Borrowing history shall not be disclosed to other patrons, faculty, or staff without the data subject’s consent.

E. Wellness and Counseling Center

  • Data Collected: Case notes, psychological assessments, medical records, and personal disclosures from students and personnel.
  • Purpose: To provide psychological, health, and wellness services.
  • Privacy Measures: All information is considered confidential and privileged. Records are stored in a locked filing cabinet and a password-protected, encrypted computer system. Information shall not be disclosed to any third party without the explicit written consent of the data subject, except in cases of immediate threat to the data subject or others as mandated by law.

F. Academic Departments / Colleges

  • Data Collected: Student information for class lists, attendance sheets, grades, and academic advising records.
  • Purpose: For academic and administrative purposes, including class management, grading, and student support.
  • Privacy Measures: Faculty and staff must handle student information responsibly. Class lists and attendance records are for internal use only. Posting of grades must be done in a manner that does not identify the student to others.
VII. Security Incident and Data Breach Management

A. Definition

  • Security Incident: An event or occurrence that affects the confidentiality, integrity, or availability of KCP’s information assets. This could include unauthorized access attempts, system malfunctions, or malware infections. Not all incidents are breaches.
  • Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by KCP. A breach is a subset of a security incident.

B. Breach Response Procedure

  1. Immediate Reporting: Any KCP personnel who discovers or suspects a security incident or data breach must immediately report it to the Data Protection Officer (DPO) by filling out a Security Incident Report Form (Annex C). The report must include the date, time, nature of the incident, and data subjects involved.
  2. . Incident Investigation and Containment: Upon receiving a report, the DPO, in coordination with the IT department and the Privacy Committee, will:
    • Assess the nature and severity of the incident.
    • Take immediate steps to contain the breach and prevent further compromise (e.g., disconnecting affected systems, changing passwords).
    • Document all actions taken and gather evidence.
  3. Notification to the NPC and Data Subjects:
    • If the incident is determined to be a data breach that requires notification, the DPO will notify the National Privacy Commission (NPC) within 72 hours of discovery.
    • The DPO will also notify the affected data subjects in a timely manner. The notification will include a description of the breach, the type of data compromised, the measures taken by KCP to address the breach, and the steps the data subject can take to protect themselves.
  4. Mitigation and Recovery: KCP will take all necessary steps to mitigate the harm caused by the breach, restore affected systems, and implement improved security measures to prevent a recurrence.
VIII. Inquiries and Complaints

A. Point of Contact All inquiries, concerns, or complaints regarding the processing of personal data by KCP should be directed to the Data Protection Officer (DPO). Contact Information:

  • Email: kingscollege@kcp.edu.ph
  • Physical Address: Pico Rd., La Trinidad, Benguet
  • Phone: 074-620-3208

B. Complaint Procedure

  1. Submission: A data subject who wishes to file a complaint must submit a written request to the DPO. The request must include:
    • The data subject’s full name and contact information.
    • A clear and concise description of the complaint or inquiry.
    • The specific right(s) under the DPA that the data subject believes has been violated.
    • Any supporting documents or evidence.
  2. Acknowledgment and Investigation: The DPO will acknowledge receipt of the complaint within 5 working days and will conduct a thorough investigation.
  3. Resolution: The DPO will provide a written response to the data subject, outlining the findings of the investigation and the actions taken to resolve the complaint, within 60 working days from the date the complaint was received. If a resolution is not possible within this timeframe, the DPO will inform the data subject of the reason for the delay and the expected timeline.
IX. Annexes

The following annexes are integral to this manual and serve as working documents for KCP’s
privacy management program.

  • Annex A: Data Subject Consent Form
    • A standardized form used to obtain clear and explicit consent from data subjects for the collection and processing of their personal data. The form will detail the purpose of collection, the types of data to be processed, and the data subject’s rights.
  • Annex B: Employee and Vendor Non-Disclosure Agreement (NDA)
    •  A legal agreement that all employees, contractors, and third-party vendors must sign, obligating them to maintain the confidentiality of all personal data they access during their work with KCP.
  • Annex C: Security Incident Report Form
    • A standardized form for KCP personnel to use when reporting a security incident or suspected data breach to the DPO.
  • Annex D: Data Breach Response Checklist
    • A step-by-step guide for the DPO and Privacy Committee to follow in the event of a data breach, ensuring all necessary actions—from containment to notification—are taken in a timely and compliant manner.
Get in Touch
  • Km5 Pico Rd, La Trinidad, 2601 Benguet
  • 0917-317-6335
  • kingscollege@kcp.edu.ph
Quicklinks
Portals

Copyright 2025. King’s College of the Philippines

Scroll to Top