To further its dedication to safeguarding personal data privacy, the Southern Philippines Agri-business and Marine and Aquatic School of Technology (“SPAMAST”) introduces the “SPAMAST Privacy Policy”, outlining a structured approach to managing personal information.

This policy aligns with the rights and responsibilities of data subjects as outlined by SPAMAST.

I. Whom does the Policy concern?

This policy applies to individuals associated with SPAMAST, including students, parents, guardians, faculty, staff, researchers, extension service members, administrative personnel, Contract-of-Service personnel, Part-Time instructors, student enrollee, contractors, retirees, research participants, clients, customers, alumni, faculty applicants, administrative position applicants, donors, partners, subcontractors, assessors, accreditors, and others with a legal relationship with SPAMAST (“SPAMAST Individuals”). It pertains to the processing of their personal information, sensitive personal information, and privileged personal information (“Personal Data”) by SPAMAST.

II. Why are Personal Data processed?

SPAMAST processes Personal Data to:

(1) Carry out its duties, exercise its entitlements, and fulfill its related responsibilities in the capacity of:

a.  an instrumentality of the government;

b.  a higher education institution.

(2) Fulfill its objective and mandates:

a.  Under Batas Pambansa Bilang 148 as an “agri-business and aquatic school of technology”

(3) Carry out all activities expected and commonly undertaken by similar entities within each specific department of SPAMAST.

(4) Make decisions and take actions that consider the overall well-being of students, their families, faculty, staff, researchers, alumni, and the wider SPAMAST community.

(5) Oversee and handle both internal and external matters as a university, as a governmental entity, and as a legal entity with its own rights and concerns.

III. What Personal Data are processed?

SPAMAST processes Personal Data including but not limited to:

• • Personal details such as name, birth, gender, civil status and affiliations;
  • Contact information such as address, email, mobile and telephone numbers;
  • Academic information such as grades, course and academic standing;
  • Employment information such as government-issued numbers, position and functions;
  • Applicant information such as academic background and previous employments;
  • Medical information such as physical, psychiatric and psychological information.

With the following objectives (“Objectives”), it is necessary for SPAMAST to process other Personal Data for the:

(1)  Objectives that apply to all categories of individuals affiliated with SPAMAST:

a.  Objectives essential for SPAMAST to fulfill its responsibilities, exercise its privileges, and carry out its associated functions as a governmental body and as a higher education institution;

b.  Objectives aimed at fulfilling SPAMAST’s mandates as outlined in existing laws and regulations;

c.  Objectives geared towards executing actions and making decisions necessary for SPAMAST to oversee and manage both its internal and external affairs as a legal entity with its own entitlements and interests;

d.  Adherence to legal, regulatory, administrative, or judicial requirements, including obligations related to auditing, reporting, and transparency;

e.  Objectives related to records and accounts, such as:

 i.  Creation and updating of record entries and accounts;

ii.  Establishment and maintenance of records and accounts for students, faculty, or staff, whether electronic or otherwise;

f.  Objectives pertaining to security and community affairs:

i.  Ensuring the safety, security, peace, and order on and around SPAMAST campuses, as well as at locations where SPAMAST is present or conducts activities;

ii.  Preventing crimes and damages to persons or property within or outside the premises of SPAMAST.

(2)  Students, parents, and guardians

a.  Academic objectives including:

i.  Processing of initial or final grades, encompassing assessment and utilization of grades to formulate and act upon decisions regarding students;

ii.  Development, examination, and execution of policies, guidelines, procedures, processes, rules, and regulations at SPAMAST;

b.  Extra-curricular objectives such as:

i.  Oversight of student organizations and associations;

ii.  Collaborations with both public and private entities and institutions;

c.  Medical objectives comprising:

i.  Provision of medical, dental, psychiatric, and psychological assistance, whether in emergency scenarios or otherwise;

ii.  Maintenance of health records and medical histories to grasp patient context and tendencies;

d.  Student support objectives including:

i.  Offering legal, scholarship, financial, athletic, and dormitory aid;

ii.  Providing tutorial, mentorship, or internship support.

e.  Student disciplinary objectives include:

i.  Carrying out investigations, holding hearings, or assessing issues concerning SPAMAST’s policies, guidelines, and rules;

ii.  Enforcing laws or directives from government authorities.

(3)  Faculty, Part-Time, and Contract-of-Service instructors

a.  Overseeing and managing faculty as SPAMAST employees (refer to Objectives for Staff);

b.   Overseeing and managing faculty in both academic and non-academic roles, including:

i.  Assigning teaching responsibilities, evaluating performance, and handling promotions or transfers;

ii.  Addressing research, ethics, and intellectual property issues.

(4)  Staff, administrative personnel, Contract-of-Service personnel, retirees

a.  Human resources administration including:

i.  Processing and providing employee rights;

ii.  Offering compensation and benefits;

b.  Management and supervision of employees and their conduct including:

i.   Employee administration, assignment, supervision, evaluation, promotion, discipline, and transfer;

ii.  Maintaining labor relations and industrial peace.

(5)  Student enrollee, faculty applicants, and administrative position applicants

a.  Application Objectives, including:

i.  Handling applications and required documents.

ii.  Assessing eligibility for enrollment, teaching, or employment at the University of the Philippines.

b.  Verification Purposes, such as:

i.  Confirming the truthfulness of provided information.

ii.  Conducting background checks relevant to the applied position.

(6)  Researchers, research participants, and extension service members 

The Data Privacy Act does not apply if personal information is solely used for scientific and statistical research purposes, without any actions or decisions affecting the data subject. However, such data must be kept strictly confidential and used solely for the declared research purpose.

As a result, Section VI of this Policy, titled “What are the rights of SPAMAST Individuals?”, does not apply if personal data is used solely for scientific and statistical research, with no impact on the data subject. However, this exception only applies to the extent necessary to accomplish the research objective.

Furthermore, the Data Privacy Act and its Implementing Rules and Regulations do not apply to specific information, limited to the minimum extent required for the purpose, function, or activity involved, when personal data is processed for research purposes aimed at public benefit. This is subject to compliance with applicable laws, regulations, or ethical standards adopted by SPAMAST.

(7)  Patients, clients, and customers,

a.  Handling medical, physical, psychiatric, and psychological data of patients is essential for medical treatment. This should be conducted by qualified medical professionals or institutions, ensuring adequate protection of personal information.

b.  Managing Personal Data of clients and customers must align with a clearly stated and specific purpose, adhering to legal, moral, and public policy standards. Consent should be obtained transparently, and data processing should be proportional to the purpose stated.

(8)  Alumni, donors, and donees

a. Alumni Linkage Objectives, including:

i.  Maintaining an alumni database for networking and job placement.

ii.  Tracking career progress and performance of alumni.

b.  Donation Processing, such as:

i.   Meeting legal obligations like tax filings and anti-money laundering regulations.

ii.  Documenting the sources and uses of donations to ensure transparency in the School’s funds.

(9)  Assessors, assesses, accreditors, and accreditees

a.  Ensure responsible and ethical handling of personal data by all accrediting and assessing entities.

b.  Adhere to strict data privacy standards specific to accreditation and assessment processes

c.  Safeguard the confidentiality and integrity of personal information involved in accreditation and assessment activities.

d.  Comply with relevant legal and regulatory requirements governing personal data processing.

e.  Implement robust data protection measures tailored to accreditation and assessment operations.

f.  Promote transparency and accountability in the handling of personal data.

g.  Foster a culture of privacy awareness and respect within accrediting and assessing entities.

(10)  Partners, contractors, subcontractors, outsources, lessors, lessees, vendors, purchasers and customers

a.  Ensuring SPAMAST’s lawful rights, interests, obligations, and responsibilities are promptly acknowledged, adhered to, and fulfilled, whether in accordance with legal, contractual, equitable, or public policy standards.

b.  Aligning with SPAMAST’s intentions and objectives when engaging with the relevant counterparty, thereby ensuring compliance with the institution’s values and principles.

(11)   Others with a legal relationship with SPAMAST

a.  Any of the aforementioned purposes, as relevant to the specific circumstances at hand.

b.  The objectives utilized by equivalent units within SPAMAST, tailored to match the functions they perform.

IV.  How does SPAMAST process and store Personal Data and how long are these retained?

SPAMAST process and store Personal Data to achieve the Objectives in accordance with:

(1)  The Data Privacy Act of 2012, its Implementing Rules, and relevant issuances of the National Privacy Commission;

(2)  The National Archives of the Philippines Act of 2007 its Implementing Rules, and relevant issuances of the National Archives of the Philippines;

(3)  Policies, guidelines, and rules of the SPAMAST System and SPAMAST;

(4)  Research guidelines and ethical codes of conduct adopted by the SPAMAST; and

(5)  Executive Order No. 2, series of 2016 on Freedom of Information and subsequent related executive orders.

Since there is no specific rule governing the retention, Personal Data is stored only for the duration required to fulfill its stated purpose or meet regulatory and legal obligations. The retention period varies depending on the data’s nature and purpose, ranging from days (e.g., CCTV footage) to years (e.g., student academic records). Once retention is no longer necessary, the School will securely and confidentially dispose of the personal data.

V. What are the rights of the SPAMAST Individuals?

In compliance with the RA 10173 Chapter IV and its IRR Section VIII

(1)  Right to be informed.

(2)  Right to object subject to SPAMAST’s possible consequent failure to conduct academic, administrative and other functions or services;

(3)  Right to access;

(4)  Right to rectification;

(5)  Right to erasure or blocking of Personal Data which are not part of SPAMAST’s public records as an instrumentality of the government or as a higher educational institution; and

(6)  Right to damages which is subordinate to the non-liability of SPAMAST arising from the incidental damages due to SPAMAST’s pursuance of its mandates or compliance with its legal obligations.

(7)  Right to complain through proper channels and authorities.

VI. What are the responsibilities of SPAMAST Individuals?

(1)  Honor the data privacy rights of others.

(2)  Promptly report any suspected Security Incident or Personal Data Breach to SPAMAST using the contact details provided in the “The SPAMAST Data Protection Officer” section of this Policy.

(3) Provide accurate and truthful Personal Data and other information to the Southern Philippines Agri-business and Marine and Aquatic School of Technology (“SPAMAST”). Before submitting Personal Data of other individuals to SPAMAST, obtain their consent.

(4) Maintain the confidentiality of any non-public, confidential, sensitive, or personal information acquired or learned from SPAMAST, refraining from disclosing it to unauthorized parties.

(5) Adhere to the policies, guidelines, and regulations of the SPAMAST regarding data privacy, information security, records management, research, and ethical conduct. Regularly review and comply with updates to these policies, guidelines, and regulations. SPAMAST’s data privacy policies are available at https://spamast.edu.ph/privacy-notice/

VII.  Implementation and Effectivity of the policy

The SPAMAST Data Protection Officer may issue policies, guidelines, and rules that align with this Policy.

If any law or regulation mentioned in this Policy is amended or replaced, this Policy will be considered to refer to the new law or regulation, without affecting a person’s right against retroactive application of laws.

If any section of this Policy is deemed invalid, the remaining sections will continue to be in effect.

VIII. Definition of Terms

Definition of Terms According to RA 10173 (Data Privacy Act of 2012)

Personal Data. All types of personal information, including sensitive personal information and privileged information.

Personal Information. Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive Personal Information. Personal information that includes:

     – An individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations.

     – Information about an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings.

     – Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns.

     – Specifically established by an executive order or an act of Congress to be kept classified.

Privileged Information. Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Processing. Any operation or any set of operations performed upon personal data, including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

Security Incident. An event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach if not for safeguards that have been put in place.

Personal Data Breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Purposes. Specific and measurable goals established to guide the collection, processing, and protection of personal data in accordance with legal, ethical, and institutional standards, ensuring compliance with the provisions of RA 10173.

SPAMAST Individual. Any students, parents, guardians, faculty, staff, researchers, extension service members, administrative personnel, Contract-of-Service personnel, Part-Time instructors, student enrollee, contractors, retirees, research participants, clients, customers, alumni, faculty applicants, administrative position applicants, donors, partners, subcontractors, assessors, accreditors, and others with a legal relationship with SPAMAST

SPAMAST. The Southern Philippines Agri-Business and Marine and Aquatic School of Technology (SPAMAST), an educational institution governed by RA 10173, responsible for collecting, processing, and safeguarding the personal data of individuals associated with its academic, administrative, and operational activities, ensuring compliance with data privacy regulations.

IX. The SPAMAST Data Protection Officer

The SPAMAST Data Protection Officer, reporting to the SPAMAST President, is tasked to protect the privacy of personal information to, in and from SPAMAST with the following functions:

(1) Ensure compliance with data privacy laws and regulations by implementing data protection measures, submitting necessary regulatory documents, and managing privacy incidents.

(2)Support University units by developing policies, training personnel, and conducting audits with remediation solutions.

(3)Mitigate legal, financial, and operational risks by enhancing forms, contracts, processes, and IT systems to prevent information leaks.

(4)Foster a culture of privacy respect within the University by creating policies and establishing practices that meet both domestic and international standards.

The SPAMAST Data Privacy Portal is at https://privacy.spamast.edu.ph

For data protection concerns or to report privacy incidents, please contact the SPAMAST Data Privacy Officer through any of the following channels:

Address:

SPAMAST Legal Service Unit

Legal Office, 2F, Admin Building

Lacaron-Fishing Village Road, Poblacion, Malita

Davao Occidental 8012

Landline: 082 272 3724

Email: dpo@spamast.edu.ph