Privacy Policy

PRIVACY POLICY NOTICE FOR APPLICANTS, STUDENTS, AND ALUMNI

STATEMENT OF PRIVACY POLICY

Manila Central University (MCU) is committed to protecting the privacy of its data subjects and ensuring the safety and security of their personal data under its control and custody. This policy provides information on how MCU will collect, use, process, share, secure and dispose of personal data, in accordance with Republic Act. No. 10173, also known as the Data Privacy Act of 2012 and its Implementing Rules and Regulations.

This Data Privacy Notice may be amended at any time without prior notice, and such amendments will be notified to you through MCU’s website.

PRIVACY NOTICE

a. Data Collected and Manner of Collection

We collect your personal data that include those you submit to us manually or electronically during your application for admission, upon your enrollment, during your stay with us, and after graduation as an MCU alumnus or alumna. This will include, but not limited to:

1. Names, addresses, telephone numbers, email addresses, and other contact details;
2. Personal information, such as date and place of birth, nationality, immigration status, religion, civil status, student ID, government-issued IDs, web and social media information, recommendations and assessment forms from previous schools, and other similar documents;
3. Family background, including information on parents, guardians, siblings, related MCU alumni;
4. Health records, psychological evaluation results, disciplinary records and the like;
5. Photographic and biometric data, such as photos, audio visual information, CCTV videos, fingerprints, handwriting, and signature specimens;
6. Academic or curricular undertakings, school works, including data from third party online learning and video recording tools, performance assessments and attendance records;
7. Financial and billing information;
8. Information to support student’s well-being and to provide medical, dental services, and guidance counseling;
9. Co-curricular matters such as outreach activities, as well as extra-curricular activities such as membership in student organizations, leadership positions, and participation and attendance in seminars, competitions, and programs, resumes, job interview forms; and
10. Any additional information provided to us by the student in the course of enrollment and after graduation.
    
    These personal data are collected through the MCU ERP System (Applicant and Student Portal), Microsoft Teams, and through physical controlled forms submitted to the various offices of the University. In certain instances, personal data may also be obtained from third parties, such as parents or guardians, previous schools, government agencies, or other authorized sources, when necessary for legitimate academic, administrative, or regulatory purposes.

b. Basis, Purpose, and Use of Data

MCU may process your personal data based on your consent whenever required. However, there are instances when the processing of personal data may be carried out even without consent, particularly when such processing is necessary for the performance of the University’s legitimate functions, the fulfillment of contractual or legal obligations, or when it is otherwise authorized under Sections 12 and 13 of the Data Privacy Act of 2012.

Your personal data may be collected, used, stored, and otherwise processed for the following purposes:

1. Evaluation of eligibility and processing for admission, scholarship, financial aid and enrollment in the University
2. Promoting, measuring, evaluating and validating academic progression, program of study, curricula
3. Documentation of students’ data
4. Research and support services
5. Posting of academic and non-academic achievements within the University premises and/or website Processing of application for issuance of school records (Transcripts, Diploma, Certificates)
6. Processing of grades and generation of the statement of accounts
7. Processing of application for graduation
8. Alumni services
9. Evaluation for board examinations
10. Accreditation purposes
11. Public relations, marketing and promoting the University and other academic and non-academic activities
12. Providing library, research, community outreach, medical and dental services, alumni and other student support services
13. Career services including references, work and other placements Safety and security of the MCU community

c. Methods Utilized for Automated Access

MCU utilizes DataMobility Corporation (DMC) as a third-party service to support the delivery of its digital platforms and services related to admission, enrollment, student services, and alumni engagement. These service providers may process limited personal and technical information through automated technologies to assist the University monitor system usage, maintain platform functionality, analyze website or portal engagement, and improve online services and user experience. These automated processing may involve the use of cookies and similar tracking technologies. The information collected through these systems is used solely for legitimate institutional and operational purposes and is subject to appropriate data protection and confidentiality safeguards.

The following web traffic or technical data that may be processed for these purposes include:

• IP address
• Pages and internal links accessed on the University website or portal
• Date and time of access or visit
• Geolocation
• Referring website or platform, if applicable
• Operating system
• Web browser type

d. Disclosure of Data

MCU will keep all personal information in strict confidence if not intended for public disclosure. There are instances, however, where we will share or disclose personal information pursuant to MCU’s legitimate purposes or when it is otherwise authorized under Sections 12 and 13 of the Data Privacy Act of 2012. The purposes for which MCU may share or disclose your personal information include among others:

1. Posting of class lists and class schedules in school bulletin boards or other places within the campus;
2. Sharing of information to persons, including parents, guardians or next of kin, as required by law or on a need-to-know basis as determined by the school to promote your best interests, or protect your health, safety, and security, or that of others;
3. Providing academic institutions, companies, business partners and linkages, government agencies, private or public corporations, organizations or the like, upon their request, with scholastic ranking and academic information, certification of good moral character, and the like for purposes of admission, student exchange, internships, further studies, and job placements and verification;
4. Sharing information to potential donors, funders, or benefactors for purposes of scholarship, grants, and other forms of assistance;
5. Distributing the list of graduates and awardees during commencement exercises;
6. Reporting and/or disclosing information to the government bodies, agencies or the courts (e.g., Commission on Higher Education, Department of Education and Department of Education);
7. Sharing information for accreditation and university ranking purposes;
8. Responding to inquiries verifying that you are a bona fide student or graduate of the school;
9. Conducting research or surveys for purposes of institutional development; Sharing your directory information to the schools’ alumni association;
10. Publishing academic, co-curricular, and extra-curricular achievements and success, including honors lists and names of awardees in school bulletin boards, website, social media sites, and publications;
11. Sharing your academic accomplishments or honors and co-curricular or extracurricular achievements with schools you graduated from or was previously enrolled in, upon their request;
12. Live-streaming of MCU events;
13. Service providers who perform services to help us support your learning and manage operations of our school;
14. Promoting the school, including its activities and events, through photos, audios, videos, brochures, website posting, newspaper advertisements, physical and electronic bulletin boards, and other media;
15. Publishing communications such as news information in MCU’s publications, social media sites, and other news and media organization.

Where MCU considers it necessary or appropriate for data storage, processing, or providing any service or product on our behalf to you, we may transfer your personal data to third parties inside or outside the Philippines under conditions of confidentiality and similar levels of security safeguards.

e. Storage and Retention of Data

MCU securely stores personal information in its computer systems and servers, and, where applicable, with authorized cloud-based or third-party data storage providers. Physical records containing personal information are maintained in locked filing cabinets within secured storage rooms in each office. Your personal data are transmitted within the University securely in a variety of paper and electronic formats, including databases that are shared between the University’s different units or offices. Access to your personal data is limited to University personnel who have a legitimate interest in them to carry out their contractual duties. MCU implements appropriate technical, organizational, and administrative measures to safeguard all personal information against unauthorized access, disclosure, alteration, or destruction.

Personal information shall generally be stored in the database for five (5) years in accordance with University’s Document Management Policy. However, retention periods are determined in accordance with the University’s policies and procedures, as well as applicable laws and regulations. Certain categories of personal information may be retained for longer periods where required to fulfill legal obligations or institutional responsibilities. Personal data shall be securely disposed of upon the expiration of its retention period.

f. Disposal of Data

Where a retention period has expired, or as required by law or University policy, all affected records shall be securely disposed of. Physical records shall be destroyed through shredding, while electronic files shall be permanently deleted or anonymized. In all cases, disposal procedures shall ensure that personal information can no longer be retrieved, processed, or accessed by unauthorized persons.

g. Risks

Risk refers to the potential for an incident to result in harm or disadvantage to a data subject or MCU. In the course of processing personal data, there is a possibility of unauthorized collection, use, disclosure, access, or loss of information, which may affect the confidentiality, integrity, and availability of data or result in violations of data privacy principles and the rights of data subjects.

While MCU is processing your data, potential risks include exposure of personal data to breaches, system failures, or physical damage, such as fire or flood, affecting both electronic and physical records. Risks may also arise from faults in automated systems, including the MCU ERP System (Applicant and Student Portal). While MCU implements appropriate physical, organizational, and technical security measures, absolute protection against cybersecurity threats, such as phishing, malware, or ransomware attacks, privacy violations involving sensitive personal information, and reputational harm resulting from data breaches or misuse cannot be guaranteed.

Policies and procedures within the University are in place to ensure effective security incident management, in compliance with applicable laws, University policies, and guidance issued by the National Privacy Commission.

h. Security Measures

MCU is committed to protecting the confidentiality, integrity, and availability of personal information through a combination of organizational, physical, and technical safeguards. These measures are designed in accordance with best practices in data privacy and information security, and they are regularly reviewed to address evolving risks.

1. Organizational Security Measures
   
   1. MCU has designated a Data Protection Officer (DPO) responsible for overseeing the implementation of data protection measures, ensuring compliance with the Data Privacy Act (DPA), coordinating with University departments, and leading responses to data breaches.
   2. All personnel handling personal data are required to undergo periodic training on privacy and security practices, with attendance and participation monitored by the DPO.
   3. Privacy Impact Assessments (PIAs) are conducted for initiatives, systems, or projects that process personal data, whether managed internally or through authorized third parties.
   4. Policies and procedures are reviewed regularly to remain aligned with regulatory requirements and institutional standards.
2. Physical Security Measures
   
   1. Paper records containing personal information are secured in locked cabinets within restricted storage areas in each office. Access to these areas is limited to authorized personnel, while visitors or others must receive explicit approval from the DPO and comply with confidentiality requirements.
   2. Entry and access are logged, and, where feasible, monitored through CCTV.
   3. Workstations are arranged to prevent unauthorized viewing of sensitive information.
   4. Records no longer needed are disposed of securely, following University retention policies, legal obligations, and regulatory requirements.
3. Technical Security Measures
   
   1. Electronic records are stored on secure on-premises servers or authorized cloud-based systems in compliance with data privacy standards.
   2. The University employs monitoring systems to detect unauthorized access, breaches, or other suspicious activities.
   3. All software undergoes security review before deployment, and periodic vulnerability assessments and penetration testing are conducted to maintain system integrity.
   4. Access to electronic personal data is controlled through strong authentication measures, secure storage protocols, and confidential communications for the transmission of sensitive information.

i. Data Subject Rights

As provided by the Data Privacy Act of 2012, the data subject has the right to:

1. Be informed about the collection and processing of his or her personal data, including its purpose, scope, recipients, storage period, and the identity of the personal information controller.
2. Access and obtain a copy of such information
3. Request correction of inaccurate or incomplete data
4. Object to or request the blocking, removal, or destruction of unlawfully processed or unnecessary personal data, and
5. Be indemnified for damages resulting from the unlawful or unauthorized use of personal information, in accordance with applicable data privacy laws.

For the details of your rights as a data subject, you can get in touch with our Data Protection Officer at the contact details below or at the National Privacy Commission at https://privacy.gov.ph/.

The Data Protection Officer
Email Address: dataprivacy@mcu.edu.ph
Write to: Data Protection Officer
MCU Campus, EDSA, Monumento, Caloocan City, Philippines 1400