Gordon College Data Privacy Policy

This is Gordon College’s general statement on its data processing activities to notify data subjects of categories of personal data processed and the purpose and extent of processing. This is not a consent form but an announcement of how Gordon College processes personal data.


Types of Information Collected

As an educational institution, Gordon College operates in an environment where it collects information from multiple stakeholders. It does so in many ways that best serve its legitimate interests and purposes for processing and managing personal information. The college wants its stakeholders to understand the types of information it collects as they engage with it. If the stakeholders choose to withhold personal data that Gordon College needs to process, it may be unable, in some circumstances, to comply with its obligations. The college will inform them about the implications of the decision.

  1. Information Collected from Students
    1. Information Collected from Prospective Applicants
    2. Information Collected from Enrolled Students
    3. Information Collected from Alumni
  2. Information Collected from Personnel
    1. Information Collected from Job Applicants
    2. Information From Current Employees
    3. Academic Freedom and Privacy for Faculty
  3. Information Collected from Parents/ Legal Guardians
  4. Information Collected from Visitors and Guests
  5. Information Collected from Vendors, Suppliers, and Service Providers
  6. Information Collected from Donors, Benefactors, and Sponsors
  7. Information Collected during Sanctioned Institutional Academic and Non-academic Activities
  8. Information Collected from College Service Operators

Gordon College collects the following General Personal Information from the abovementioned stakeholders:

  • Personal details such as name, birth, gender, civil status and affiliations;
  • Contact information such as address, email, mobile and telephone numbers;
  • Academic information such as grades, course and academic standing;
  • Employment information such as government-issued numbers, position and functions;
  • Applicant information such as academic background and previous employments;
  • Medical information such as physical, psychiatric and psychological information.

Processing of Personal Information

Gordon College expects that the following uses will fall within the category of its “legitimate interests”:

  1. For Delivery of Education
    1. For Provision of Educational Support and Related Services
    2. For the Exercise of the College’s Pastoral/ Guidance Responsibilities
    3. For Communication and Documentation
    4. For Statistical Research, Other Research Studies and Archival Purposes
    5. For Ensuring the Safety and Security of Stakeholders
    6. For Complying with Legal and Contractual Obligations
    7. For the Administration of Human Resources
  2. Legal Bases on Processing Personal Information
    1. The Higher Education Act of 1994 (Republic Act No. 7722)
    2. The Family Code of the Philippines (Executive Order No. 209)
    3. The Commission on Higher Education’s (CHED) Manual of Regulation for Private Higher Education
    4. Olongapo City Ordinance No. 07 Series of 2018 or the “Revised Charter of Gordon College of 2018”
    5. Laws or regulations which amend or repeal the foregoing.
  3. Other Bases of Authorized Processing of Information
    1. Consent
    2. Contractual Obligations
    3. Legal Obligations
    4. Protection of Vital Interest
    5. Medical Treatment
    6. Other Lawful and Non-commercial Objectives
    7. Public Order and Safety
    8. By Virtue of Public Authority

Ways to Collect Personal Information

Gordon College collects Personal Data physically through printed forms, attachments, and other documents required by the college, its academic units, and its administrative offices. Gordon College collects Personal Data electronically through electronic forms, via email, or inputting of information directly by the data subject or by the concerned faculty, personnel, and other stakeholders.


Accuracy of Information

Gordon College prioritizes the correctness of the personal information of its stakeholders. To this end, the college implements:

  1. Verification of Personal Information
  2. Correction, or Update of Personal Information

Disclosure, Transfer or Sharing of Personal Information

As part of Gordon College’s legitimate interests as an educational institution, it needs to transfer and/or share personal information within and across college departments and offices relevant to the processes involved.

  1. In doing so, the college makes sure it adheres to the following guidelines:
    • The transfer or sharing has the consent of the stakeholder, when needed
    • The transfer or sharing is governed by approved contractual clauses or an arrangement providing an adequate standard of data protection and third parties performing functions for them are informed regarding appropriate handling of their personal information.
    • The transfer or sharing is necessary for the performance of a contract with another person or company/service provider, which is in the interests of the college
    • The transfer or sharing is necessary for the performance of a contract with the stakeholders or to take steps requested by the college for entering into that contract

Gordon College abstains from renting, selling, or sharing personal information about its stakeholders with other non-affiliated people, entities or third parties.

In general, the college will disclose or share its stakeholders’ personal information with non-affiliates only with their consent or under the following circumstances:

  1. Legal Obligation as Educational Institution and Reportorial Obligations as Employer
  2. Contractual Obligations
    • Industry Partners
    • Benefactors, Donors and Sponsors
    • Essential Service Provider
    • Accreditation and Quality Assurance
    • Legitimate Interests of the College in Sports Activities
    • Parents and Legal Guardians (for minor students)
    • Public Consumption
    • Law Enforcement and Local Authorities

Storage and Retention of Personal Information

Gordon College makes it a practice to store and transmit data securely in a number of ways, including manual paper and electronic formats, including databases that are shared between and among the different units or offices of the college. Access to personal data is limited to the respective college personnel who have a legitimate interest for the purpose of carrying out contractual duties. The college shall only collect and store information that is necessary to achieve its legitimate purposes and/or when permitted by law.

Unless otherwise provided by law or by appropriate college policies, the basic academic records for individual students are kept permanently and in perpetuity by the college, with more detailed records kept for defined retention periods. Each unit or office processing personal data has its respective retention policy, under which all affected records will be securely disposed of once the retention period ends.

There are also some categories of data that the college retains for historical, archival and statistical purposes, unless otherwise provided by law or by applicable college policies.


Information Security Measures

Gordon College shall exercise every practicable and reasonable means to protect personal information and to ensure the security of personal data about individuals through appropriate organizational, physical and technical measures. This includes policies around the use of technology and devices and the access to college systems. All personnel and faculty will be made aware of these policies and their duties under the Data Privacy Act of 2012 and receive relevant training at least once a year.

The college implements security measures in the following aspects:

  1. Organizational Security Measures
  2. Physical Security Measures
  3. Technical Security Measures

Participation of Stakeholders

Gordon College encourages its stakeholders to be aware of the importance of their rights as “Data Subjects”. The institution educates them about the importance of their Personal Data, thus helping the college to cultivate an environment that promotes “respect of privacy”.

Gordon College stakeholders have the following rights:

  • Right to be informed;
  • Right to object subject to Gordon College’s possible consequent failure to conduct academic, administrative and other functions or services;
  • Right to access;
  • Right to rectification;
  • Right to erasure or blocking of Personal Data which are not part of Gordon College’s public records as an instrumentality of the government or as a local college; and
  • Right to damages which is subordinate to the non-liability of Gordon College arising from the incidental damages due to Gordon College’s pursuance of its mandates or compliance with its legal obligations.

Gordon College stakeholders have the following responsibilities:

  • Respect the data privacy rights of others;
  • Report any suspected Security Incident or Personal Data Breach to the Gordon College Data Protection Office;
  • Provide Gordon College (GC) with true and accurate Personal Data and other information. Before submitting Personal Data of another stakeholder to GC, obtain the consent of such stakeholder;
  • Not disclose to any unauthorized party any non-public confidential, sensitive or personal information obtained or learned in confidence from GC; and
  • Abide by the policies, guidelines and rules of Gordon College on data privacy, information security, records management, research and ethical conduct.

Other rights and responsibilities of stakeholders are in the Gordon College Data Privacy Manual.


Breach and Security Incidents

The mitigation, management and resolution of Security Incidents and Personal Data Breaches require the coordination of various stakeholders. All concerned should be vigilant in their responsibilities to enable an effective security incident management process.

Gordon College forms a Data Breach Response Team that will assess and evaluate Security Incidents, including Personal Data Breaches, restore integrity to the information and communication systems, mitigate and remedy resulting damages, and comply with reportorial requirements.

The following incident management and notification procedure is established in the Gordon College Security Incident Management Policy. It is divided into three major steps:

  1. Incident Response Procedure
    • Step 1 – Reporting
    • Step 2 – Categorization
    • Step 3 – Investigation
  2. Breach Notification
    • Step 4 – Reporting and Notification
  3. Mitigation Response Plan
    • Step 5 – Containment
    • Step 6 – Recovery
    • Step 7 – Feedback
    • Step 8 – Learning

Inquiries and Reporting of Security Incident

For inquiries and reporting of security incidents that involve Personal Information, you may contact us:

  NEIL MARC R. BIRON, Head – Data Privacy Unit
 (047) 222-4080 Loc. 315
 dpo@gordoncollege.edu.ph
 Rm. 415, 4th Floor, GC Building, Olongapo City Sports Complex, Donor Street, East Tapinac, Olongapo City 2200