Overview
Isabela State University (ISU) is committed to protecting the privacy and security of personal information processed within the ISU Records Management System. This policy outlines how we collect, use, disclose, and protect personal data in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012.
As a higher education institution, ISU collects and processes personal information for legitimate educational, administrative, research, and historical purposes. We are committed to ensuring that all personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Stored for no longer than is necessary
- Processed securely and protected against unauthorized access
Information Collection and Processing
Types of Personal Data Collected
The ISU Records Management System may collect and process the following types of personal information:
| Category | Types of Information | Purpose | Retention Period |
|---|---|---|---|
| User Account Information | Name, employee ID, email address, department, role | System access, authentication, authorization | Duration of employment + 1 year |
| Academic Records | Student names, ID numbers, grades, academic history | Academic administration, verification | Permanent |
| Personnel Records | Employee information, contracts, evaluations | HR management, payroll, benefits | Employment duration + 15 years |
| Financial Records | Payment records, financial transactions | Financial management, audit compliance | 10 years |
| System Usage Data | Login timestamps, access logs, IP addresses | Security monitoring, audit trails | 3 years |
Lawful Basis for Processing
We process personal data based on one or more of the following lawful bases:
- Contractual Necessity: Processing necessary for the performance of a contract (e.g., employment contracts)
- Legal Obligation: Processing necessary for compliance with legal obligations
- Legitimate Interests: Processing necessary for the legitimate interests of the University
- Consent: Processing based on specific, informed, and unambiguous consent
- Public Interest: Processing necessary for tasks carried out in the public interest
Data Security Measures
ISU implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Technical Safeguards
- Encryption: All sensitive data is encrypted both in transit and at rest
- Access Controls: Role-based access controls limit data access to authorized personnel
- Authentication: Multi-factor authentication for system access
- Monitoring: Continuous monitoring of system activities and security events
- Backup: Regular data backups with secure offsite storage
- Firewalls: Network security controls to prevent unauthorized access
- Patch Management: Regular security updates and vulnerability management
Organizational Measures
- Training: Regular data privacy and security training for all staff
- Policies: Documented information security and data handling policies
- Access Management: Strict procedures for granting and revoking access
- Risk Assessments: Regular privacy impact assessments
- Incident Response: Documented breach notification and response procedures
- Third-Party Management: Due diligence and contractual safeguards for vendors
- Audit: Regular compliance audits and security assessments
Data Sharing and Disclosure
ISU respects the confidentiality of personal information and limits disclosure to specific circumstances. We may share personal data with the following categories of recipients:
| Recipient Category | Example | Purpose of Sharing | Safeguards |
|---|---|---|---|
| Internal Recipients | Academic departments, administrative offices | Administration of university functions | Role-based access, need-to-know basis |
| Government Agencies | CHED, BIR, SSS, GSIS | Regulatory compliance, reporting | Secure transmission methods, minimal data |
| Service Providers | IT vendors, cloud storage providers | System maintenance, hosting | Data processing agreements, security assessments |
| Academic Partners | Research collaborators, exchange programs | Academic collaboration, student exchange | Anonymization where possible, consent |
Conditions for Data Sharing
Personal data will only be shared when at least one of the following conditions is met:
- The data subject has given explicit consent for the specific purpose
- Sharing is necessary to fulfill a contractual obligation
- Sharing is required by law or regulation
- Sharing is necessary to protect vital interests of the data subject or others
- Sharing serves a legitimate interest that does not override data privacy rights
Data Subject Rights
Under the Data Privacy Act of 2012, individuals have certain rights regarding their personal information. ISU respects and upholds these rights, which include:
Rights to Information and Access
- Right to be informed: Know how your data is being processed
- Right to access: Request copies of your personal data
- Right to know: Be informed of the recipients of your data
- Right to data portability: Receive your data in a structured format
Control and Correction Rights
- Right to rectification: Correct inaccurate or incomplete data
- Right to object: Object to the processing of your personal data
- Right to erasure: Request removal of your data under certain conditions
- Right to damages: Claim compensation for damages due to violations
How to Exercise Your Rights
To exercise any of these rights, please follow these steps:
- Submit a written request to the University Data Protection Office
- Include your name, contact information, and the specific right(s) you wish to exercise
- Provide sufficient information to verify your identity
- Specify the personal information involved and the action requested
Contact Data Protection Officer:
Email: dpo@isu.edu.ph
Address: Data Protection Office, Administration Building, Isabela State University
Phone: (123) 456-7890
ISU will respond to your request within 15 business days of receipt. This period may be extended by an additional 15 business days when necessary, taking into account the complexity and number of requests.
Children's Privacy
The ISU Records Management System primarily processes information of adults (18 years and older). However, we recognize that some records may contain information about minors, particularly in academic contexts.
When processing personal information of individuals under 18 years of age:
- We obtain appropriate consent from parents or legal guardians
- We implement additional safeguards to protect children's data
- We limit access to such information on a strict need-to-know basis
- We do not use children's data for marketing or promotional purposes
Cookies and Tracking Technologies
The ISU Records Management System uses cookies and similar tracking technologies to enhance user experience, secure the system, and collect usage information for system improvement.
Types of Cookies Used
| Type | Purpose | Duration | Data Collected |
|---|---|---|---|
| Essential Cookies | System functionality, security, authentication | Session / Persistent | Session ID, security tokens |
| Functional Cookies | Remember user preferences and settings | Up to 1 year | Language, display preferences |
| Analytics Cookies | Measure system usage and performance | Up to 2 years | Page views, navigation patterns |
Managing Cookies
Users can control cookies through their browser settings. Most browsers allow you to:
- Delete all cookies
- Block all cookies
- Allow only essential cookies
- Manage cookie preferences by site
Policy Updates
ISU reserves the right to modify this policy to reflect changes in legal requirements, technological advancements, or system enhancements. We will notify users of significant changes through:
- System notifications upon login
- Email communications to registered users
- Announcements on the university website
The most current version of this policy will always be available within the Records Management System and on the university website. Users are encouraged to review this policy periodically.
- Version 2.1 - May 17, 2025 (Current)
- Version 2.0 - January 10, 2024
- Version 1.5 - March 22, 2023
- Version 1.0 - September 15, 2022
Compliance and Legal Framework
The ISU Records Management System's privacy practices comply with the following legal frameworks:
- Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations
- Republic Act No. 9470 (National Archives of the Philippines Act of 2007)
- Republic Act No. 10931 (Universal Access to Quality Tertiary Education Act)
- CHED Memorandum Orders related to records management in higher education institutions
- ISU Records Management Manual and related institutional policies
Data Protection Authorities
For concerns regarding data privacy that cannot be resolved directly with ISU, you may contact:
National Privacy Commission
5th Floor, Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila
Email: info@privacy.gov.ph
Website: https://www.privacy.gov.ph
By using the ISU Records Management System, you acknowledge that you have read and understand this Privacy Policy.
Last Updated: May 17, 2025