Privacy Policy



Saint Michael’s College of Laguna needs to gather and use information about individuals. These can include students, employees, suppliers, business contacts, and other people the institution has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the institution’s data protection standard and to comply with the law.


This Data Privacy Policy ensures that SMCL:

  • Complies with the data privacy law and follows good practice when it comes to personal data handling.
  • Protects the rights of the students, employees, and other business partners of the institution.
  • Is open about how it stores and processes individuals’ data.
  • Protects itself from the risks of a data breach.


The Data Privacy Act of 2012 (DPA) describes how organizations, including SMCL, collect, handle, and store personal data. It protects individuals from unauthorized processing of personal information that is (1) private, not publicly available; and (2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information.

The DPA entails the following rules:

  • All personal information must be collected for reasons that are specified, legitimate, and reasonable. In other words, customers must opt in for their data to be used for specific reasons that are transparent and legal.
  • Personal information must be handled properly. Information must be kept accurate and relevant, used only for the stated purposes, and retained only for as long as reasonably needed. Customers must be active in ensuring that other, unauthorized parties do not have access to their customers’ information.
  • Personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.


This Policy applies to:

  • The head office of SMCL.
  • All employees, students, and volunteers of SMCL.
  • All suppliers, business partners and other people working on behalf of SMCL.

It applies to all the data that the Institution holds relating to identifiable individuals, even if that information technically falls outside the Data Privacy Act of 2012. These can include:

  • Names of individuals
  • Postal addresses
  • Student numbers
  • Employee numbers
  • Social Security System numbers
  • Pag-IBIG numbers
  • Tax identification numbers
  • PhilHealth numbers
  • Medical records
  • E-mail addresses
  • Telephone numbers
  • Plus any other information relating to individuals


This policy helps to protect Saint Michael’s College of Laguna from some very real data risks, including:

  • Breaches of Confidentiality. Information is being given out inappropriately.
  • Failing to Offer Choice. All individuals should be free to choose how the Institution uses data relating to them.
  • Reputational Damage. The Institution could suffer if hackers successfully gain access to sensitive data.


Everyone who works for or with SMCL has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data privacy rules.

However, the following have key areas of responsibility:

The Board of Directors is ultimately responsible for ensuring that SMCL meets its legal obligations.

The Data Protection Officer is responsible for:

  • Keeping the Board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from employees, students and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data SMCL holds about them.
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

The IT Director is responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.

The Institutional Communication Officer is responsible for:

  • Approving any data protection statements attached to communications such as e-mails and letters.
  • Addressing data protection queries from journalists or media outlets like newspapers.


  1. The only people able to access data covered by this policy should be those who need it for their work.
  2. Data should not be shared informally. When access to confidential information is required, employees can request it from their department heads.
  3. SMCL will provide training to all employees to help them understand their responsibilities when handling data.
  4. Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  5. In particular, strong passwords must be used and they should never be shared.
  6. Personal data should not be disclosed to unauthorized people, either within the company or externally.
  7. Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  8. Employees should request help from their department head or the data protection officer if they are unsure about any aspects of data protection.

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT Director or data controller from the IT center. When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files should be kept in a locked filing cabinet.
  • Employees should make sure paper and printouts are not left where unauthorized people could see them.
  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared with employees.
  • If data is stored on removable media, these should be kept locked away securely when not being used.
  • Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data should never be saved directly to workstations or other mobile devices.
  • All servers and computers containing data should be protected by approved security software and a firewall.


Personal data is of no value to SMCL unless the Institution can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. In particular, it should not be sent by e-mail as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically.


All individuals who are the subject of personal data held by SMCL are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how the company is meeting its data protection obligations.

If the individual contacts the company requesting this information, this is called a subject access request.

A subject access request from an individual is made by filling out the request form from the data controller.

The data controller will always verify the identity of anyone making a subject request before handing over the information. For instance, some subject access requests will be made electronically.


These rules protect individuals from cybercrimes. They also ensure the security of sensitive data from malicious attacks online.

These guidelines apply whether the data is in the form of documents or images.

  • Employees should not post personal information of individuals in public.
  • Employees should ask permission from the individuals before broadcasting information online.
  • Online chats should not be used for sending any kind of data documents.
  • For instance, the institution posts personal data online for promotion and marketing purposes; however, formal consent forms signed by the individuals are needed.


Saint Michael’s College of Laguna aims to ensure that the individuals are aware that their data is being processed, and that they understand how the data is being used and how to exercise their rights.


(63)2 405-5040 loc. 305
