Menu
GOVPH

Philippine Standard Time:

Event Type : ILS

Event Type ILS

No Events on The List at This Time

X
Cebu Normal University
PRIVACY POLICY

Policy Statement

This Privacy Policy is adopted in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). The University is committed to protecting and respecting your personal data privacy. We process personal information in accordance with the principles of transparency, legitimate purpose, and proportionality. This Policy informs how we collect, use, disclose, store, protect, and dispose personal information of our data subjects.

Definitions

Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information that would directly and certainly identify an individual.

Sensitive information is a type of personal information with the risk of discrimination against the Data Subject. These are about an identifiable person’s racial or ethnic origin, marital status, color, and religious, philosophical, or political affiliations. It is also, about an individual’s health, education, the genetic or sexual life of person, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or an act of Congress to be kept classified.

Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Information We Collect

The University may collect personal information in the context of its regular functions — including but not limited to the following categories:

  1. Students: contact and enrollment details, academic records, health or medical records, accommodation records, student-activity participation, and related data.
  2. Staff and job applicants: contact details, employment history, qualifications, employee-related data.
  3. Alumni profiling: contact and demographic details.
  4. Visitors, volunteers, and other stakeholders: information collected through sign-in forms, CCTV or security monitoring, photos or recordings during official events, surveys, and feedback forms.

Collection may occur by any medium, including: paper forms, electronic forms, email, website or online platforms, CCTV or video/photographic capture, surveys/questionnaires, and other lawful means.

Purposes and Uses of the Data Collected and Processed

Personal information collected may be used for:

  1. Administration of admission, enrollment, employment, alumni relations, and other official functions.
  2. Maintenance of student and employee records, including academic, health, and administrative data.
  3. Provision of University services such as counseling, scholarship administration, placement, library access, facilities use, laboratory access, security, parking, and accommodation.
  4. Internal research, quality assurance, performance monitoring, and institutional planning.
  5. Compliance with statutory obligations (e.g. reporting to government agencies when required).
  6. Security, safety, and campus management, including CCTV monitoring.

Legal Basis / Lawful Criteria for Processing

All processing of personal data is carried out in accordance with the legality, fairness, and lawfulness requirements under the Data Privacy Act and IRR.
Where applicable, processing is grounded on consent, contract, legal obligation, legitimate interest, or other lawful bases recognized under the law. The choice of lawful basis depends on the nature of data, the purpose of processing, and legal or contractual requirements.

Manner of Collection and Processing

Personal data may be collected through physical forms (paper-based), electronic forms, online or web-based platforms (e.g., registration portals, email, institutional website), CCTV or video/photo capture (for security or surveillance), event sign-in sheets or registration forms, surveys or questionnaires, or other legitimate and lawful means.

Processing may include collection, recording, sorting, storing, retrieval, use, updating, modification, blocking, destruction or other operations as allowed under the law, consistent with declared purposes.

Disclosure of Information

The University does not disclose personal information except under the following circumstances:

  1. Internal disclosure within authorized University personnel, only when necessary and appropriate for legitimate institutional purposes.
  2. External disclosure only when required or permitted by law (e.g. statutory obligations), or when the data subject has provided valid consent.
  3. Sensitive personal information or privileged information is processed and disclosed only in accordance with relevant legal provisions.

Risks, Safeguards and Security Measures

The University recognizes that processing of personal data entails certain privacy and security risks. Accordingly, we implement appropriate organizational, technical, and physical security safeguards to protect the confidentiality, integrity, and availability of personal data — whether in electronic or physical form. Such measures include (but are not limited to):

  1. Access controls (both digital and physical) to restrict access only to authorized personnel
  2. Use of secure storage: locked filing cabinets or secure rooms for physical records; password-protected systems, encryption, secure servers, firewalls for electronic data
  3. Secure transmission of data (when shared or transferred), secure printing and disposal protocols, and safe deletion or destruction of data when no longer needed
  4. Classification of data and periodic review of security protocols, to ensure adequacy in light of the risks presented and sensitivity of the data processed

Rights of Data Subjects

Under the Data Privacy Act and its IRR, data subjects have the following rights:

  1. Right to be informed — you have the right to know whether personal information about you will be, is being, or has been processed; the purposes of processing; the personal data to be entered; and the scope and method of processing.
  2. Right to access, correct, or update your data — you may request access to your personal information, ask for rectification of inaccuracies, or request updates.
  3. Right to object or withdraw consent — when processing is based on consent or legitimate interest, you may withdraw consent or object, subject to legal limits.
  4. Right to data portability — where applicable, you may obtain a copy of your personal data in a secure and portable format for transfer to another controller.
  5. Right to erasure or blocking — if personal data is incomplete, outdated, unlawfully obtained or processed, no longer necessary, or processing is unauthorized, you may request erasure or blocking, subject to legitimate grounds for retention (e.g. legal obligations or defense of legal claims).
  6. Right to damages — you may seek indemnification for damages resulting from inaccurate, incomplete, outdated, unlawfully obtained or unauthorized use of your personal data.
  7. Right to lodge a complaint with the NPC if you believe your data privacy rights have been violated.

Requests for access, rectification, objection, portability, erasure or complaints may be submitted in writing to the University’s designated Data Protection Officer (DPO) or Data Privacy Office.

Security, Retention, and Disposal

The University implements appropriate organizational, technical, and physical security measures to safeguard personal data — whether in paper or electronic form — against unauthorized access, disclosure, alteration, or destruction. Such measures include: secure storage (locked filing cabinets or rooms), restricted access to authorized personnel only, use of locked screens/screensavers, secure transmission (sealed envelopes or secure electronic transmission), secure printing and disposal of documents, and safe deletion or destruction of data when no longer needed.

Personal data will be retained only for as long as necessary to fulfill the declared and legitimate purposes, or as required for legal obligations or defense of legal claims. When no longer needed, personal data will be disposed of securely in accordance with University policy and relevant data-protection guidelines.

Consent, Notice, and Legitimate Processing

Where required by law, consent will be obtained from data subjects prior to collection or processing of their personal or sensitive data. In other cases (e.g. CCTV monitoring, legitimate interest), the University will inform data subjects through appropriate notice mechanisms before or at the time of data collection. Privacy notice(s) will accompany data-collection forms or be posted in conspicuous campus areas, and on the University website. At all times, data processing is based on legitimate purpose and proportional to the need.

Data Subject Access and Contact

To exercise your rights or if you have any inquiry, concern, or request regarding your personal data, please contact:

Omar B. Roma

Data Protection Officer
Email: dpo@cnu.edu.ph
Phone: 09422041421

Changes to This Policy

The University reserves the right to update or amend this Privacy Policy as necessary to reflect changes in applicable laws, regulations, regulatory guidance, or its internal data-processing practices. Updated versions will be posted on the University’s official website and, where appropriate, communicated to data subjects.