Pampanga State University (PSU) acknowledges its obligations under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, in relation to the personal data it collects, records, organizes, processes, updates, uses, consolidates, stores, retains, and disposes of involving its students, employees, alumni, research participants, and other stakeholders.
All personal data gathered by PSU are securely stored in the University’s authorized information and communication systems and are accessible only to duly authorized personnel for legitimate and official purposes. The University has adopted appropriate organizational, physical, and technical safeguards to protect the confidentiality, integrity, and availability of personal data.
Personal Data Collected
PSU may collect personal and sensitive personal information, including but not limited to the following:
- Name
- Address (residential, postal, and email)
- Contact number
- Date of birth
- Gender
- Ethnic origin
- Passport number
- Tax identification number
- Health information and medical records
- Emergency contact details
- Photographs and video recordings, including CCTV footage
- Academic records
Purpose of Processing
Personal data collected and stored in the University’s databases and information systems shall be processed solely for legitimate institutional purposes, including but not limited to:
- Processing and documentation related to academic and professional services such as instruction, skills training, on-the-job training, enrollment, grading, finance and accounting, research and extension activities, library services, medical and wellness programs, sports development, and other co-curricular and extra-curricular programs;
- Processing and documentation incidental to the University’s administrative and governmental functions, including academic and institutional compliance, faculty and staff development programs, employee-related initiatives, inter-agency coordination, authorized partnerships, and participation in legally constituted consortia;
- Processing and documentation related to alumni programs, including professional and qualifying examinations, board examinations, leadership and apprenticeship programs, pre-employment initiatives, and other alumni-related activities; and
- Other purposes that may be expressly authorized by law or with the lawful consent of the data subject.
Primary and Secondary Use of Data
Personal data shall be used primarily for the purpose for which they were collected. Any secondary use or disclosure shall be permitted only when:
- The data subject has given consent;
- The use is related or directly related to the original purpose; or
- The use or disclosure is authorized or required by applicable laws.
Legal Basis for Processing
The processing of personal data is anchored on the following lawful grounds:
- Consent of the data subject;
- Compliance with legal obligations;
- Protection of vital interests such as life and health;
- Performance of functions of public authority; or
- Pursuit of the University’s legitimate interests, in accordance with the Data Privacy Act.
Manner of Collection
Personal data are collected directly from data subjects through application forms, online platforms, official transactions, University systems, or from authorized third parties, as allowed by law.
Disclosure of Personal Data
Personal data may be disclosed to:
- Government agencies, when required by law;
- University offices and units for legitimate institutional functions; and
- Third parties and partners covered by approved contracts, agreements, or data sharing arrangements, subject to appropriate data privacy safeguards.
Any disclosure shall be limited to information that is lawful, relevant, and necessary.
Protection Measures and Risk Management
To mitigate and address privacy and security risks, PSU implements the following safeguards:
Organizational Measures
- Appointment of a Data Privacy Officer (DPO) and establishment of the Data Privacy Office;
- Implementation of data privacy policies, procedures, and periodic risk assessments;
- Conduct of data privacy and information security training for University personnel; and
- Restriction of access to personal data strictly on a need-to-know basis.
Physical Measures
- Secure storage of records in locked cabinets and controlled-access offices;
- Installation and use of CCTV systems to promote campus safety and security; and
- Restriction of access to areas where personal data are processed or stored.
Technical Measures
- Use of authorized information and communication systems;
- Implementation of user authentication, access controls, and password protection;
- Secure storage, backup, and controlled transmission of electronic data; and
- Continuous monitoring and reporting of data breaches and security incidents.
PSU maintains a Data Breach Response Plan to ensure timely reporting, investigation, mitigation, and notification of data breaches in accordance with applicable laws and the guidelines of the National Privacy Commission (NPC).
Retention and Storage
Personal data are securely stored in both physical and electronic formats and shall be retained only for as long as necessary to fulfill the purposes for which they were collected or as required by law, University policies, and records management regulations. Disposal or destruction of personal data shall be carried out in a secure and lawful manner.
Rights of Data Subjects
In accordance with the Data Privacy Act of 2012, data subjects are entitled to the following rights:
- Right to be informed
- Right to object
- Right to access
- Right to rectification or correction
- Right to erasure or blocking
- Right to file a complaint and claim damages
Data Privacy Office Contact
For inquiries, requests, or concerns regarding the processing of personal data, you may contact:
Data Privacy Officer: JAYSON G. MAGAT
Email:
PSU may revise this Data Privacy Notice from time to time. Any updates shall take effect immediately upon publication on the University website.
