I. INTRODUCTION

​

This Data Privacy Policy is established by Foundation University in accordance with the Data Privacy Act of 2012, which aims to safeguard the fundamental human right of every individual to privacy while ensuring the free flow of information for innovation, growth, and national development. 

​

The Data Privacy Act of 2012 defines personal information as any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when combined with other information, would directly and certainly identify an individual.

​

Sensitive personal information refers to personal information:

​

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;

(2) About an individual’s health, education, genetic or sexual life, or any proceeding for an offense committed or alleged to have been committed by such individual, the disposition of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies that are specific to an individual, including but not limited to social security numbers, past or current health records, licenses or their denial, suspension or revocation, and tax returns; and

(4) Specifically classified as such by an executive order or an act of Congress.

​

Privileged information refers to any and all forms of data that, under the Rules of Court and other pertinent laws, constitute privileged communication.

​

Personal data refers collectively to personal information, sensitive personal information, and privileged information, whether stored in an information and communications system, a relevant filing system, or intended to form part of such systems.

​

Data subject refers to an individual whose personal information is processed.

​

The University is a higher educational institution committed to respecting the privacy rights of its community and to protecting information collected from each individual, in accordance with the Data Privacy Act.

​

II. COVERAGE

​

This Privacy Policy shall apply to all departments, colleges, and offices of the University, including all units that collect, store, or process personal data in the performance of their functions and services.

​

III. PURPOSE OF PROCESSING PERSONAL DATA

​

The University uses students’ personal data to pursue its legitimate interests as an educational institution. This includes a range of academic, administrative, research, historical, safety, and statistical purposes, to the extent permitted or required by law. Personal data may be used for purposes such as:

a. Enrolment and admissions;

b. Processing of grades;

c. Maintaining transcripts of records;

d. Processing permits for student activities on and off campus;

e. Capturing entry and exit logs using biometrics, turnstiles, or any other technology at designated university access points.;

f. Gathering data for statistical and research purposes;

g. Processing scholarship grants for qualified students;

h. Publication in official university platforms (e.g., digital magazines, student publications, university website, social media, public advisories, yearbooks);

i. Managing alumni records;

j. Coordinating with law enforcement agencies regarding security and safety concerns;

k. Coordinating with private and public health institutions;

l. Sharing graduates’ information with prospective employers.

​

IV. PROCESSING OF PERSONAL DATA

​

The University gathers, generates, receives, and uses personal data in various forms. These include photographs, videos, sound recordings, electronically transmitted data, and written records. The nature of this information may vary depending on how it is collected, its type, intended purpose, and the duration for which it is needed.

​

a. Admission Process

​

Personal data collected during the admission process include, but are not limited to, the following:

1. 1. Name

   2. Age

   3. Citizenship

   4. Residence

   5. Date of Birth

   6. Place of Birth

   7. Religious Affiliation

   8. Phone Number

   9. Email Address

   10. Previous School Records

   11. Medical Records

 

This information is gathered either through the online enrollment system or by submitting a completed enrollment form to the Registrar’s Office.

​

b. Student Residency Period

​

While enrolled at Foundation University, personal data may be collected through various departments and offices. This includes, but is not limited to:

​

1. 1. Academic records and performance (e.g., attendance, grades)

   2. CCTV recordings and photographs taken within campus premises

   3. Entry and exit logs captured using biometrics, turnstiles, or any other technology at designated university access points.

   4. Membership in student organizations

   5. Disciplinary records or involvement in incidents

   6. Participation in university-sanctioned co-curricular activities

   7. Attendance in seminars, workshops, and outreach activities

 

c. Third-Party Information

 

Personal information released to the University by third parties may be used for educational purposes, student welfare, and other legitimate interests of the University. Non-essential information shall be properly disposed of to ensure the protection of the student’s privacy.

 

V. STORAGE

 

Personal Data is stored in a variety of databases, media, and formats. While the University is actively digitizing its records through the Management Information System, many units and offices still maintain paper-based records. The following units and offices may retain personal data, such as:

1. Management Information Systems Department

   1. Records of the Registrar’s Office

   2. Records of the Business and Finance Office

   3. Alumni Records

2. Creative Department

   1. Digital Files, including but not limited to:

      i. University Event Photos

      ii. Yearbook Photos

      iii. College and Department Activity Photos 

iv. Layouts, Graphics, and Animation Files

v. Social Media Files

vi. Promotional Videos

vii. Facebook Live Videos

viii. Interview Videos

ix. Digital Magazine and Newspaper Files

1. Colleges, Departments, and Offices

   1. Health and Medical Records

   2. Guidance Evaluation Records

 

The retention periods for these records vary depending on the function and regulatory requirements of each office. For example, transcripts of records are considered permanent and are retained indefinitely, as required by law. In contrast, information collected for temporary purposes is securely disposed of once it is no longer necessary.

All University units that store or handle personal data are required to implement physical, technical, and organizational safeguards. These measures are designed to ensure the secure storage of personal data and to restrict access and usage exclusively to authorized personnel for legitimate purposes.

 

VI. SHARING OF INFORMATION

 

The University shares personal information in accordance with the law, limited to educational, administrative, research, safety, and statistical purposes. This includes, but is not limited to, the following:

 

a. References for prospective employers

b. Determination of student awards

c. Evaluation of scholarship eligibility

d. Requirements mandated by the Commission on Higher Education (CHED) and the Department of Education (DepEd)

e. Requirements mandated by the Bureau of Immigration for foreign students

f. Documentation of student activities and university events

g. University promotions (digital media, print media, social media, website)

h. Public advisories and news articles

i. Inter-office memorandums

j. Requirements associated with national conventions or workshop organizers

k. Subpoenas issued for court compliance

l. Safety and security purposes

 

VII. RIGHTS OF DATA SUBJECT

 

As the Data Subject, you are afforded the following rights:

a. Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

b. Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

​

1. 1. Description of the personal information to be entered into the system;

   2. Purposes for which they are being or are to be processed;

   3. Scope and method of the personal information processing;

   4. The recipients or classes of recipients to whom they are or may be disclosed;

   5. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

   6. The identity and contact details of the personal information controller or its representative;

   7. The period for which the information will be stored; and

   8. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

 

c. Reasonable access to, upon demand, the following:

​

1. 1. Contents of his or her personal information that were processed; 

   2. Sources from which personal information were obtained;

   3. Names and addresses of recipients of the personal information;

   4. Manner by which such data were processed;

   5. Reasons for the disclosure of the personal information to recipients;

   6. Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

   7. Date when his or her personal information concerning the data subject were last accessed and modified; and

   8. The designation, or name or identity and address of the personal information controller;

 

d. Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall he informed of its inaccuracy and its rectification upon reasonable request of the data subject;

 

e. Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

 

f. Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

 

VIII. AMENDMENTS AND REVISIONS

 

This Privacy Policy has been drafted in accordance with the Data Privacy Act of 2012. Any amendments or revisions to this policy shall be in consultation with the University Administration.

 

IX. COMPLAINTS

 

For any complaints, concerns, or questions regarding the collection and use of your personal information, you can contact our Data Protection Officer at dpo@foundationu.com.

 

X. EFFECTIVITY

 

This Privacy Policy shall take effect immediately upon posting on the University website and, when applicable, through other means of communication. This Privacy Policy shall also be included in the terms and conditions that new and continuing students of Foundation University must agree to via the Data Privacy Consent Form prior to official enrollment.