ST.

ANDREW MONTESSORI AND HIGH SCHOOL, INC

Nancayasan, Urdaneta City

DATA PRIVACY POLICIES AND GUIDELINES

INTRODUCTORY STATEMENT

The school's Data Protection Policy applies to the personal data held by the school's Board of
Trustees, which is protected by Republic Act No. 10173 or the Data Privacy Act of 2012.

The policy applies to all school staff, the Board of Trustees, parents/guardians, students and others
(including prospective or potential students and their parents/guardians and applicants for staff
positions within the school) insofar as the measures under the policy relate to them. Data will be stored
securely, so that confidential information is protected in compliance with relevant legislation. This policy
sets out the manner in which personal data and special categories of personal data will be protected by
the school.

St. Andrew Montessori and High School, Inc. operates a "Privacy by Design" method in relation to
Data Protection. This means we plan carefully when gathering personal data so that we build in the
data protection principles as integral elements of all data operations in advance. We audit the
personal data we hold in order to;

1. be able to provide access to individuals to their data

2. ensure it is held securely
3. document our data protection procedures
4. enhance accountability and transparency

DATA PROTECTION PRINCIPLES

The school BoT is a data controller of personal data relating to its past, present and future staff,
students, parents/guardians and other members of the school community. As such, the BoT is obliged
to comply with the principles of data protection set out in the Data Privacy Act of 2012, which can be
summarized as follows:

1. Obtain and process Personal Data fairly

Information on students is gathered with the help of parents/guardians and staff. Information is
also transferred from their previous schools. In relation to information the school holds on other
individuals (members of staff, individuals applying for positions within the School,
parents/guardians of students, etc.), the information is generally furnished by the individuals
themselves with full and informed consent and compiled during the course of their employment
or contact with the School. All such data is treated in accordance with the Data Protection
legislation and the terms of this Data Protection Policy. The information will be obtained and
processed fairly.

2. Consent
Where consent is the basis for provision of personal data, (e.g. data required to join sports
team/ after-school activity or any other optional school activity) the consent must be a freely-
 given, specific, informed and unambiguous indication of the data subject's wishes. St. Andrew
Montessori and High School, Inc. will require a clear, affirmative action e.g. ticking of a box and
signing a document to indicate consent. Consent can be withdrawn by data subjects in these
situations.

3. Keep it only for one or more specified and explicit lawful purposes
The BoT will inform individuals of the reasons they collect their data and the uses to which their
data will be put. All information is kept with the best interest of the individual in mind at all
times.

4. Process it only in ways compatible with the purposes for which it was given initially
Data relating to individuals will only be processed in a manner consistent with the purposes for
which it was gathered. Information will only be disclosed on a “need to know” basis, and access
to it will be strictly controlled.

5. Keep Personal Data Safe and Secure

Only those with genuine reason for doing so may gain access to information. Personal Data is
securely stored under lock and key in the case of manual records and protected with computer
software and password protection in the case of electronically stored data. Portable devices
storing personal data (such as laptops) are password-protected.

6. Keep Personal Data Accurate, complete and up-to-date

Students, parents/guardians, and/or staff should inform the school of any change which the
school should make to their personal data to ensure that the individual’s data is accurate,
complete and up-to-date. Once informed, the school will make all necessary changes to the
relevant records. Records must not be altered or destroyed without proper authorization.

7. Ensure that it is adequate, relevant and not excessive

Only the necessary amount of information required to provide an adequate service will be
gathered and stored.

8. Retain it no longer than is necessary for the specified purpose or purposes for which it
was given
As a general rule, the information will be kept for the duration of the individual's time in the
school. Thereafter, the school will comply with DPA guidelines on the storage of Personal Data
relating to a student. In the case of members of staff, the school will comply with both DPA
guidelines and the requirements of the National Privacy Commission with regard to the
retention of records relating to employees. The school may also retain the data relating to an
individual for a longer length of time for the purposes of complying with relevant provisions of
law and/or defending a claim under employment legislation and/or contract and/or civil law.

9. Provide a copy of their personal data to any individual on request

Individuals have a right to know and have access to a copy of personal data held about them,
by whom, and the purpose for which it is held.
SCOPE

The Data Privacy Act of 2012 is a comprehensive privacy law that prohibits the disclosure or misuse of
personal information of a person collected or processes by an individual or company unless authorized
by law or through the consent of said person. It is intended to protect individuals from intrusion into
seclusion and interception of confidential communications.

The purpose of this policy is to assist the school to meet its statutory obligations, to explain those
obligations to School staff, and to inform staff, students and their parents/guardians how their data will
be treated.

The policy applies to all school staff, the Board of Trustees, parents/guardians, students and others
(including prospective or potential students and their parents/guardians, and applicants for staff
positions within the school) insofar as the school handles or processes their Personal Data in the
course of their dealings with the school.

Definition of Data Protection Terms

In order to properly understand the school's obligations, there are some key terms, which should be
understood by all relevant school staff:

“Personal Data” means any data relating to an identified or identifiable natural person i.e. a living
individual who is or can be identified either from the data or from the data in conjunction with other
information that is in, or is likely to come into, the possession of the Data Controller (BoT).

“Personal Information Controller” is the Board of Trustees or the Registrar of the school

“Data Subject” is an individual who is the subject of personal data

“Data Processing” -performing any operation or set of operations on data, including:

 Obtaining, recording or keeping the data
 Collecting, organizing, storing, altering or adapting the data
 Retrieving, consulting or using the data
 Disclosing the data by transmitting, disseminating or otherwise making it available
 Aligning, combining, blocking, erasing or destroying the data

“Personal Information Processor” - a person who processes personal information on behalf of a data
controller, but does not include an employee of a data controller who processes such data in the
course of their employment, for example, this might mean an employee of an organization to which the
data controller out-sources work. The Data Protection legislation places responsibilities on such entities
in relation to their processing of the data.

“Special categories of Personal Data” refers to Personal Data regarding a person’s

 racial or ethnic origin
 political opinions or religious or philosophical beliefs
 physical or mental health
 sexual life and sexual orientation
  genetic and biometric data
 criminal convictions or the alleged commission of an offense
 trade union membership

“Personal Data Breach” - a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise
processed. This means any compromise or loss of personal data, no matter how or where it occurs.

RATIONALE

In addition to its legal obligations under the broad remit of educational legislation, the school has a legal
responsibility to comply with the Data Privacy Act 2012.

This policy explains what sort of data is collected, why it is collected, for how long it will be stored and
with whom it will be shared. The school takes its responsibilities under data protection law very
seriously and wishes to put in place safe practices to safeguard individual's personal data. It is also
recognized that recording factual information accurately and storing it safely facilitates an evaluation of
the information, enabling the Principal and Board of Trustees to make decisions in respect of the
efficient running of the School. The efficient handling of data is also essential to ensure that there is
consistency and continuity where there are changes of personnel within the school and Board of
Trustees.

OTHER LEGAL OBLIGATIONS

Implementation of this policy takes into account the school's other legal obligations and responsibilities.

For example:

 the parents of a student, or a student who has reached the age of 18 years, must be given
access to records kept by the school relating to the progress of the student in their education

 the school must maintain a register of all students attending the School

 a Principal is obliged to notify certain information relating to the child's attendance in school and
other matters relating to the child's educational progress to the Principal of another school to
which a student is transferring

 the school must record the attendance or non-attendance of students registered at the school
on each school day

 the School may supply Personal Data kept by it to certain prescribed bodies. The BoT must be
satisfied that it will be used for a 'relevant purpose' (which includes recording a person's
educational or training history or monitoring their educational or training progress; or for carrying
out research into examinations, participation in education and the general effectiveness of
education or training)
  the school is required to furnish to the National Council for Special Education (and its
employees, which would include Special Educational Needs Organizers) such information as
the Council may from time to time reasonably request

 provides a qualified right to access to information held by public bodies which does not
necessarily have to be "personal data", as with data protection legislation

 a School shall cause all reasonable facilities (including facilities for obtaining names and
addresses of pupils attending the school) to be given to a health authority who has served a
notice on it of medical inspection, e.g. a dental inspection

 mandated persons in schools have responsibilities to report child welfare concerns to

Government Agency responsible for Child Protection

RELATIONSHIP TO CHARACTERISTIC SPIRIT OF THE SCHOOL:

St. Andrew Montessori and High School, Inc. seeks to INSPIRES Future Leaders

 Improve the facilities to cope with the current technology

 Nurture the students to become future leaders
 Strengthens the development of its faculty and staff
 Produce efficient and responsible leaders
 Innovate the programs and curriculum
 Reach the student’s goals by guiding them as they undergo different learning activities
 Ensures that the school always adheres to quality beyond standard
 Safe and clean institution conducive to child’s learning

We aim to achieve these goals while respecting the privacy and data protection rights of students, staff,
parents/guardians and others who interact with us. The school wishes to achieve these vision while
fully respecting individual’s rights to privacy and rights under the Data Protection legislation.

PERSONAL DATA

The Personal Data records held by the school may include:

1. Staff records:

a) Categories of staff data:

As well as existing members of staff (and former members of staff), these records may also
relate to applicants applying for positions within the school, trainee teachers and teachers under
probation. These staff records may include:
 Name, address and contact details
 Name and contact details of next-of-kin in case of emergency
 Original records of application and appointment to promotion posts
 Details of approved absences (career breaks, parental leave, study leave, etc.)
 Details of work record (qualifications, classes taught, subjects, etc.)
 Details of any accidents/injuries sustained on school property or in connection with the
staff member carrying out their school duties
  Records of any reports the school (or its employees) have made in respect of the staff
member

b) Purposes:
Staff records are kept for the purposes of:
 the management and administration of school business (now and in the future)
 to facilitate the payment of staff, and calculate other benefits/entitlements
 human resources management
 recording promotions made (documentation relating to promotions applied for) and changes in
responsibilities, etc.
 to enable the school to comply with its obligations as an employer, including the preservation of
a safe, efficient working and teaching environment
 to enable the school to comply with requirements set down by the Department of Education and
any other governmental, statutory and/or regulatory departments

c) Location and Security procedures of St. Andrew Montessori and High School, Inc.

 Manual records are kept in a secure, locked filing cabinet only accessible to personnel who are
authorized to use the data. Employees are required to maintain the confidentiality of any data to
which they have access.
 Digital records are stored on password-protected computers.

2. Student records:

a) Categories of student data:

These may include:

 Information which may be sought and recorded at enrolment and may be collated and compiled
during the course of the student's time in the school. These records may include:
- name, address and contact details
- date and place of birth
- names and addresses of parents/guardians and their contact details (including any special
arrangements with regard to guardianship, custody or access)
- religious belief
- racial or ethnic origin

 Information on previous academic record (including reports, references, assessments and other
records from any previous school(s) attended by the student.
 Psychological, psychiatric and/or medical assessments/forms .
 Permission slips/consent forms
 Attendance records
 Photographs and recorded images of students (including at school events and noting
achievements) are managed in line with the accompanying policy on school photography.
 Academic record - subjects studied, class assignments, examination results as recorded on
official School reports.
 Records of significant achievements.
 Records of disciplinary issues/investigations and/or sanctions imposed.
 Other records e.g. records of any serious injuries/accidents, etc.
 Records of any reports the school (or its employees) have made in respect of the student

b) Purposes: The purposes for keeping student records include:

 to enable each student to develop to his/her full potential

 to comply with legislative or administrative requirements
 to ensure that eligible students can benefit from the relevant additional teaching or financial
supports
 to support the provision of religious instruction
 to enable parents/guardians to be contacted in the case of emergency or in the case of school
closure, or to inform parents of their child's educational progress or to inform parents of school
events, etc.
 to meet the educational, social, physical and emotional requirements of the student
 photographs and recorded images of students are taken to celebrate school achievements, e.g.
compile yearbooks, establish a school website, record school events, and to keep a record of
the history of the school
 to ensure that the student meets the school's admission criteria
 to ensure that students meet the minimum age requirement according to DepEd requirements
 to furnish documentation/information about the student to the Department of Education
 to furnish, when requested by the student (or their parents/guardians in the case of a student
under 18 years) documentation/information/references

3. Board of Management records:

a) Categories of Board of Management data:

 Name, address and contact details of each member of the Board of Trustees
 Records in relation to appointments to the Board
 Minutes of Board of Trustee meetings and correspondence to the Board which may include
references to individuals.

b) Purposes:
To enable the Board of Trustees to operate in accordance with the Law and other applicable
legislation and to maintain a record of Board appointments and decisions.

4. Other Records: Creditors

a) Categories of Board of Management data:

The school may hold some or all of the following information about creditors (some of whom are
self-employed individuals):
 Name
 Address
 Contact details
 tax details
 bank details and amount paid
 b. Purposes: The purposes for keeping creditor records are:

This information is required for routine management and administration of the school's financial
affairs, including the payment of invoices, the compiling of annual financial accounts and complying
with audits and investigations

5. Other Records: Charity Tax-back Forms

a) Categories of Board of Management data:

The school may hold the following data in relation to donors who have made charitable donations to
the school:
 Name
 Address
 Telephone number
 Tax rate
 Signature and
 The gross amount of the donation.

6. Location and security of additional data

 Memory sticks and hard drives containing sensitive information must be password protected
and stored securely.
 Historical roll books will be stored securely in locked store room.

EXAMINATION RESULTS

The school will hold data comprising examination results in respect of its students. These may include
Quarter Exam, Mid-term, annual assessment results and the results of National Achievement Tests.

Purposes:

The main purpose for which these examination results are held is to monitor a student's progress and
to provide a sound basis for advising them and their parents or guardian about educational attainment
levels and recommendations for the future. The data may also be aggregated for statistical/reporting
purposes, such as to compile results tables.

PROCESSING IN LINE WITH A DATA SUBJECT'S RIGHTS

Data in this school will be processed in line with the data subject's rights. Data subjects have a right to:

 Know what personal data the school is keeping on them.

 Request access to any data held about them by a data controller
 Prevent the processing of their data for direct-marketing purposes.
 Ask to have inaccurate data amended.
 Ask to have data erased once it is no longer necessary or irrelevant.
Personal Data Breaches

A Notification of Personal Data Breach shall be required when sensitive personal information has been
acquired by an authorized person, and that:

1. Under the circumstances, such can be used to enable identify fraud;

2. The personal information controller or the National Privacy Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected
data subject.

The PIC is required to promptly notify the National Privacy Commission and the affected data subjects
upon knowledge of, or when it has reasonable belief that sensitive personal information or other
information has been acquired by an unauthorized person under the foregoing circumstance.

Dealing with a data access request

 Individuals are entitled to a copy of their personal data on written request.

 The individual is entitled to a copy of their personal data.
 Request must be responded to within one month. An extension may be required over holiday
periods.
 No fee may be charged except in exceptional circumstances where the requests are repetitive
or manifestly unfounded or excessive.
 No personal data can be supplied relating to another individual apart from the data subject.

PROVIDING INFORMATION OVER THE PHONE

An employee dealing with telephone enquiries should be careful about disclosing any personal
information held by the school over the phone. In particular, the employee should:

 Ask that the caller put their request in writing.

 Refer the request to the Principal for assistance in difficult situations.
 Not feel forced into disclosing personal information

SHARING INFORMATION WITH PARENTS ASSOCIATION

 Only names and class will be shared with Parents Association on request.
 Parents Association must abide by the Data Privacy Act of 2012.
 Information must be destroyed immediately after its intended purpose.

DATA AUDIT & DISCONTINUED DATA

Discontinued data will be shredded in school annually after a data audit.

IMPLEMENTATION ARRANGEMENTS, ROLES AND RESPONSIBILITIES

The BoT/Registrar is the data controller and the Principal implements the Data Privacy Policy, ensuring
that staff who handle or have access to Personal Data are familiar with their data protection
responsibilities.

The following personnel have responsibility for implementing the Data Privacy Policy:
Name Responsibility
Board of Management Personal Information Controller
Principal Implementation of Policy

MONITORING THE IMPLEMENTATION OF THE POLICY

The implementation of the policy shall be monitored by the Principal, staff and the Board of Trustees

REVIEWING AND EVALUATING THE POLICY

The policy will be reviewed and evaluated as needed. On-going review and evaluation will take
cognizance of changing information or guidelines, legislation and feedback from parents/guardians,
students, school staff and others.

The policy will be revised as necessary in the light of such review and evaluation and within the
framework of school planning.

This policy will be reviewed by the Board of Trustees as needed.

This policy was adopted by the Board of Trustees after consultation with Parents Association on
October 16, 2020.

JESUS L. DUQUE____ _JULIETA R. TAN_

Assistant Director/ Registrar Principal