At Holy Trinity College of General Santos City, we uphold our responsibility to protect and respect the personal data entrusted to us by our students, employees, alumni, website users, and visitors. Guided by Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations, we are committed to processing all personal information lawfully, fairly, and securely.
This Data Protection Policy outlines how we collect, process, store, and protect personal data across different stakeholders while ensuring transparency and accountability.
About
- We collect personal information only for legitimate educational, administrative, employment, and institutional purposes.
- Personal data may include, but is not limited to: names, addresses, contact details, academic records, employment history, financial information, and health-related data when necessary.
- We ensure that:
- Data collection is limited to what is necessary.
- Information is accurate and regularly updated.
- Data is retained only as long as needed for its purpose and securely disposed of thereafter.
The school employs both organizational (policies, guidelines, staff training) and technical measures (secure servers, encryption, access controls) to safeguard data from unauthorized access, alteration, or misuse.
Security Breach Incident
In accordance with Republic Act No. 10173 (Data Privacy Act of 2012), a security breach is any incident that leads to unauthorized access, disclosure, alteration, or loss of personal data that may compromise the privacy, security, or rights of an individual.
Should a breach occur, the school will:
- Immediate Response
- Activate its Data Breach Response Protocol, which includes assessing the scope, nature, and extent of the breach.
- Contain and mitigate the breach to prevent further exposure of data.
- Notification
- Inform the National Privacy Commission (NPC)within 72 hours upon knowledge of or reasonable belief that a breach has occurred, when the incident poses a real risk of serious harm to affected data subjects.
- Notify affected individuals in clear and accessible language, stating the nature of the breach, the type of data involved, possible consequences, and the steps being taken to address it.
- Corrective Measures
- Conduct an internal investigation to determine the cause of the incident.
- Apply technical and organizational remedies to prevent recurrence.
- Maintain a breach management logdocumenting the incident, actions taken, and preventive strategies.
- Rights of Data Subjects
Students
- Data collected from students may include personal information, contact details, academic records, disciplinary history, medical information, and financial records.
- Processing purposes include:
- Student admissions and registration
- Academic assessment and record-keeping
- Guidance and counseling services
- Participation in curricular and co-curricular activities
- Compliance with government reporting requirements
- Disclosure of student data to third parties is done only:
- With the student’s consent
- When required by law
- When necessary for legitimate educational interests (e.g., accreditation, scholarship applications)
Records will be archived for alumni purposes and securely disposed of when no longer required.
Employees
- Personal information from employees may include contact details, employment history, credentials, payroll records, and performance evaluations.
- Data will be used only for legitimate purposes such as recruitment, human resources management, payroll processing, and compliance with labor and tax regulations.
- Access to employee data is strictly limited to authorized personnel.
Records are stored securely, and sharing outside the institution will only occur with the employee’s consent or when mandated by law.
Alumni
- Alumni data may include graduation records, updated contact information, and participation in alumni activities.
- These records support:
- Maintaining communication with alumni
- Organizing alumni events and reunions
- Updating alumni directories and publications
- Institutional research and development
- Alumni may request to update or remove their data from our records.
The school will never sell or share alumni data for commercial gain.
Website Users & Visitors
- The website collects information to improve functionality and provide better services. This may include:
- Technical information such as IP addresses, device types, and browser details (collected automatically through cookies or analytics tools).
- Personal information voluntarily submitted through forms (e.g., admissions inquiries, online applications, feedback forms).
- Data collected is used solely for the purpose specified at the time of collection.
- Cookies and similar technologies are used to enhance user experience. Users may disable cookies through their browser settings, although some site functions may be limited.
The school is not responsible for the privacy practices of third-party websites linked from our pages. Users are encouraged to review the policies of these external sites.
Data Subject Rights
In compliance with the Data Privacy Act of 2012, all data subjects have the right to:
- Be informedabout how their data is collected and processed.
- Accesstheir personal data upon request.
- Objectto processing for unauthorized purposes.
- Rectifyor correct inaccurate or outdated information.
- Erase or blockdata when processing is unlawful.
- Seek damagesin case of proven violation of their data privacy rights.
Requests related to data access, correction, or complaints may be submitted to the school’s Data Protection Officer (DPO) at [email protected].
Policy Review
This Data Protection Policy will be reviewed regularly to ensure compliance with updates in data privacy laws and evolving best practices. Updates will be reflected on the school website, and affected stakeholders will be informed of significant changes.