Policy ICT-011: Student ID Card Policy (preceding Policy IT-011)

Purpose and Objectives:

This policy sets out the obligations of officially enrolled students of Philippine ChristianUniversity in the Tertiary level whether in the on-campus and off-campus programs. The student Identification Card (ID) is a multi-use card that provides many functions and usage, from admission, identification, security and other ICT-related services in the University officially processed and produced by the Information and Communications Technology Center (formerly Information Technology Department)-ID Production Division.

Policy Scope/Coverage:

This policy covers all Tertiary level students enrolled at the Philippine Christian University in all campuses (Manila, Dasmariñas and Mary Johnston College of Nursing (MJCN) Campuses including its distance education, extension classes and TNE/TNEEP offered programs and courses), on-campus and off-campus sites.
Policy Statement: The University will issue an ID Card, containing a photographic image with embedded technology (i.e. QR Code, contactless/RFID etc.) to all its enrolled students at the commencement of their program. The ID Card must be produced on request and remains the property of Philippine Christian University.

Policy ICT-012: Student ID Card Procedures (preceding Policy IT-012)

Purpose and Objectives:

These procedures apply to the issue and management of Student Identification Cards of Tertiary level students implementing thereafter, the policies of the University Student Manual of the Office of Student Affairs, Article 3: Section 7, 7.1 7.8: Student Identification Card and enact Policy ICT-011: Student ID Card Policy of the Information and Communications Technology Center (formerly Information Technology Department).

Procedures Scope/Coverage: These procedures apply to all Tertiary level students at the Philippine Christian University.

Procedural Guidelines: The following are the listed guidelines for the general administration of the student identification cards:

1. ID cards are mandatory for all students including those studying through online/distance education, extension classes and TNE/TNEEP offered programs and courses), on-campus and off-campus sites.
2. ID cards will only be produced for students who are enrolled in courses in their initial enrolment, validated by the Office of Student Affairs (for the College Level) every semester, trimester (for the Graduate School/TNEEP) or the summer term upon re-enrollment, thereafter, student identification cards shall be valid for a maximum of five (5) years for the Bachelor’s, Master’s and Doctoral degrees and three (3) years for the Associate programs. No validation for the succeeding semester or trimester means the student is not officially enrolled in their succeeding semester or trimester term.
3. It is the student’s responsibility to provide, at their initial enrolment, full and complete information for the production of their ID card (via Google Forms, controlled document per ISO 9001:2015). “No Registration Card, No ID Policy” shall apply in the initial enrollment.
4. On-campus enrolled students are expected to attend the campus in person to have their ID card produced at the ICTCID Production Division. Students should wear the prescribed University uniform (Associate and Bachelor’s), professional attire (for the Master’s and Doctoral degrees).
5. ID cards will only be produced on the current initial semester or trimester enrollment only, it is the obligation of the student to apply for their official student identification card stated within this period, whether in the on-campus or off-campus sites, where applicable. Site Coordinators are enjoined to facilitate this vital requirement.
6. Per policy of the Office of Student Affairs and the Information and Communications Technology Center, students with artificial hair colors (male and female students) and earrings (for male students) will not be allowed to have their photos taken during the ID production. This policy may be relaxed depending on the health declaration policies of the IATF as approved by the OVPICT.
7. Students are required to activate their official @pcu.edu.ph accounts. “No @pcu.edu.ph Account, No ID Policy” shall apply in the initial enrollment.

Online/Distance Education, Extension Classes, TNE/TNEEP Students (off-campus sites):

1. Off-campus enrolled students in the online/distance education (blended learning), extension classes and TNE offered programs and courses (i.e. is not enrolled in any on-campus courses and is enrolled in at least one. course in an off-campus site), may obtain an ID card remotely, without having to personally attend the campus. Off-campus enrolled students or their designate Coordinator (in close coordination with the College or Unit the students are enrolled) may opt to attend the campus in person to have their ID card/s produced at the ICTC -ID Production Division.
2. Students seeking to obtain an ID card remotely must complete the ID Application for College and Graduate School Form (controlled document, per ISO 9001:2015):

                          a.) may be sent in print with complete information including the extension class name, course, secondary/personal email (for activation of @pcu.edu.ph account), specimen signature (black ink) and with professional/studio-type picture (half-body shot);
                           b.) may be sent directly thru email at idproduction.ictcmanila@pcu.edu.ph with complete information including the extension class name, course,                                               secondary/personal email (for activation of @pcu.edu.ph account), specimen signature (black ink), professional/studio-type picture (half-body shot) as the required attachments.

The ID Application Form may be obtained from the Academic Unit you are enrolled, the Information and Communications Technology Center and will be available as a downloadable form in the University websites.

Cardholder Responsibility:

The student is responsible for:
a.) Promptly notifying the University of any change in personal details (for example, residential or postal address, name change, etc.) to maintain the currency of identification and contact details;

b.) Paying for a replacement card if the original card was produced based on incorrect enrolment information provided by the student (for example, incorrect graduation semester resulting in the ID card expiring prior to degree requirements being met);

c.) Applying for a replacement ID card to reflect their true enrolment status if they change their course or majors; and

d.) Returning the ID card to the University should their enrolment be cancelled.
The identification card must be produced on request and remains the property of Philippine Christian University. Any attempt to fraudulently obtain or use an identification card will be dealt with under the University policy and/or referred to law enforcement agencies.

Application Process for Obtaining Replacement Cards:

Students requiring a replacement ID card because the original card has been lost, stolen or destroyed, can apply for a replacement card by completing and submitting the Request for Replacement ID Card form.

There is a fee for the replacement of the ID card if:

• the ID card is lost or destroyed;
• if a new card is required to correct inaccurate enrolment information; or
• if a new image is requested (see the Request for Replacement ID Card form for details).

Replacement ID cards are issued free of charge only where replacement is necessary as a result of. University error, extension of program duration; change of program; legal change of name; or loss of ID card due to theft.

Students requesting a replacement ID card due to change of name (for example, because of marriage, affidavit of name change or other legal name change) must submit certified documentary evidence of the change of name to the Office of Student Affairs. A replacement ID card will be issued free of charge upon verification of the name change.

POLICY ICT-017: UNIVERSITY DATA MANAGEMENT POLICY 

POLICY STATEMENT:  All Academic Units, Administrative Units and members of the PCU Community must access and utilize University data in ways that safeguard the data and protect the institution.

Academic Units, Administrative Units and members of the PCU Community must ensure:

1. Compliance with regulatory and statutory requirements of government agencies (National Privacy Commission (NPC), NBI, DOJ, DICT etc.) in-charge of digital data as well as third-party and other contractual data obligations.
2. Data is used for the purposes for which it is collected with emphasis on sensitive data or data subjects and any restrictions for its use are observed as outlined in RA 10173 or the Data Privacy Act of 2012.
3. Data is collected, stored, and disposed of in ways appropriate to the risk and impact of unintended disclosure as outlined in ISO 9001:2015 on risk management.

For research data, the principal proponent is accountable for all decisions regarding their research data.  With reference to the guidelines set by the National Privacy Commission (NPC), personal information does not apply for journalistic, artistic, literary or research purposes.

For decisions regarding institutional data, such as access, classification and appropriate use, members of the PCU community must consult the designated Data Manager or the Data Privacy Office (DPO) that has accountability for the data. These roles and accountabilities are defined and outlined in the University Data Governance Framework to be published, thereafter, in sequence of this memorandum.

PURPOSE AND OBJECTIVES:   Philippine Christian University is responsible for ensuring the availability, confidentiality and integrity of all information to which it is entrusted.  University data, whether managed and residing on University Information and Communications Technology resources, stored on personal devices, managed by a third party or a business partner, or outsourced to a service provider, is an important asset that must be governed, protected and appropriately safeguarded.

Improper use of the University’s data may result in harm to the University, its faculty, staff, students and alumni.  This harm could impact the university’s mission of teaching and learning, research and service delivery.  It exposes the University to criminal, financial and reputational risks.  Members of the PCU Community have the responsibility to appropriately use, maintain and safeguard University data.

This policy will provide a framework to safeguard and protect the University’s data while providing flexibility to support the broad range of academic, research and administrative activities.

GUIDING PRINCIPLES:  This policy is guided by the principles and values outlined in the Philippine Christian University mission statement, vision statement, ICTC vision statement, ICTC mission statement, ICTC core values and thrust, University quality policy among the Academic and Administrative Units and by the principles outlined in the University’s ICTC enterprise architecture.   It was also developed in the context of the following data management principles:

• Protecting the University’s data is a responsibility shared by all members of the PCU community.  Data protection begins with the person or office creating the data and is the continuing responsibility of all who subsequently access and use it.
• University data is critical to the University’s academic, research and administrative activities. In order to reduce the damaging impact of data loss on business continuity, academic activities and research programs, University data must be appropriately safeguarded.
• The requirement to safeguard University data must be balanced with the need to access and use data in support of the pursuit of legitimate academic, research and administrative activities.
• Reference and particulars on Data Privacy may be viewed on the official website of the University or the National Privacy Commission.
• The University uses a risk-based approach as outlined in the guiding procedures and tenets of ISO 9001:2015 following the best practices in data management, to select appropriate access controls to minimize risk to an acceptable level and to design security and privacy into its data infrastructure.

DEFINITION OF TERMS:

• University data – Data that is created, collected and stored (either electronically or in hard copy) by Departments/Colleges/Units and members of the PCU community, in support of academic, research and administrative activities. University data may include the following (these are not mutually exclusive):

• Data subject – An individual whose personal information is processed.
• Institutional data – Data that is created, collected and stored by all units and members of the PCU community, in support of academic and administrative activities. Administrative data about teaching, learning, research and scholarly activity, such as grades, attendance, research grants held and publications generated, is considered institutional data.
• Research data – Data that is created by or derived from research, scholarly and artistic activities.
• Personal data – Data that contains personal information about an identifiable individual, if compromised or used inappropriately, this would have implications to the privacy of an individual.
• Personal information – Any information whether recorded in a material form or not, from which the identity of the individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
• Sensitive data – Data that is identified as classified information that must be protected and is inaccessible to outside parties unless specifically granted permission. The data can be in physical or electronic form, but either way, sensitive data is regarded as private information or data.
• Third-party data – Data that is created or owned by a third party and is being used in support of academic, research and administrative activities. This data if compromised or used inappropriately would have implications for the third party. This includes data such as licensed software or software components and copyrighted material.

• Derived data – Data that is changed from the original data using a mechanism such as an arithmetic formula, composition or aggregation.
• Data management – Encompasses activities that relate to the creation, collection, storage, maintenance, cataloguing, use, dissemination and disposal of University data.
• Data Manager – An individual who develops and governs data-oriented systems designed to meet the needs of the University in his or her specific designation, function, role and responsibilities or otherwise stated, an individual designated to do research for the advancement of the University.

• National Privacy Commission (NPC) – An independent body created under Republic Act No. 10173 or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection.
• PCU community – All PCU students, employees, faculty, post-doctoral fellows, alumni, agents, contractors, authorized guests, persons or organizations acting for or on behalf of the University.

DEFINITION OF TERMS (continued):

• Republic Act No. 10173 or the Data Privacy Act of 2012 – A law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.
• University owned – Assets purchased by University funds including research grants administered by the University or acquired by the University through some contractual agreement.
• ICT/IT services – Technology-based services managed or hosted by a PCU community member, the University or vendors/contractors.
• ICT/IT infrastructure – ICT/IT assets including, but not limited to, servers, databases, data, software, end-point devices, the University network, Internet connections, central authentication, telephone systems and data centers, whether provided directly or indirectly by the Information and Communications Technology Center (ICTC) or classified as a contracted service.
• ICT/IT outsourcing – The use of external service providers to deliver ICT/IT-enabled business process, application service and infrastructure solutions. Outsourcing can include, but is not limited to, utility services, Software as a Service (SaaS) and cloud-enabled outsourcing.

POLICY SCOPE:  This policy is applicable to all PCU community members and all Philippine Christian University Academic and Administrative units, ancillary units and any affiliated organizations (collectively referred to as “units”) that create, modify or make use of University data.

It covers all University data regardless of where it is stored (on-campus or off-campus sites), where it is being accessed from (on-campus or off- campus sites) and whether the data is in raw form, derived, summarized or aggregated.

The policy has been developed in the context of, and is designed to complement the following:

• Existing University policies and regulations, the provisions of which is identified in the University Manual, particularly those governing use of University property and services; computer use; Information Technology or Information and Communications Technology security and control; privacy; risk management; records management; responsible conduct of research; disciplinary procedures; copyright and intellectual property.
• Legislation and statutory laws that are mandated by the National government or Local Government;
• Legal contracts and agreements with external sponsors, granting agencies, and others;
• Collective agreements.

For decisions regarding institutional data, such as access, classification and appropriate use, members of the PCU community must consult the Data Manager that has accountability for the data. These roles and accountabilities are defined in the University Data Governance Framework.

ROLES AND RESPONSIBILITIES:  Data Managers within the University have specific data management accountabilities and responsibilities as outlined in the University Data Governance Framework.

1. Information and Communications Technology Center (ICTC):

The University’s Information and Communications Technology Center (ICTC) is responsible for maintaining the availability and security of the University’s data infrastructure ensuring that authorized users have access to the data they require for academic, research and administrative activities.

ICTC is responsible for implementing security and access measures that mitigate the risk of unintended disclosure of electronic data.  This includes, but is not limited to, continually improving end-user awareness of proper data management; maintaining physical security of data infrastructure; implementing appropriate data access; and providing data cataloging technologies to users.

1. Departments/Colleges/Units:

Academic, administrative and ancillary units are responsible for ensuring they access and use University data (both electronic and hard copy) in a manner that minimizes risk to the University.

The best way to minimize risk to electronic University data is to use the university-approved ICT infrastructure (including data centers and end-point devices) and services for all University activities to the greatest extent practicable. 

1. PCU Community Members:

Individual members are responsible for ensuring they access and use University data (both electronic and hard copy) in a manner that minimizes risk to the University. They must understand that data management is a shared responsibility across the PCU community and they must abide by data management procedures and practices.  These responsibilities include:

• Using data only for authorized and intended purposes.
• Understanding the data and guarding against misinformed or incorrect interpretations.  For any questions regarding the data, they should contact the Data Manager in their respective Cluster or functional unit or the Data Privacy Office (DPO) with data management accountability for that data. 
• Respecting the privacy of the data and the individuals that it represents.  This includes not disclosing personal information, nor accessing or manipulating such data for personal gain or interest.
• Ensuring that they do not knowingly falsify data nor inappropriately delete or reproduce data.

NON-COMPLIANCE TO POLICY ICT-017:   If there is reason to suspect that laws or University policies have been, or are being violated, or that continued access poses a threat to the University’s data, data infrastructure, PCU community members or the reputation of the University, access to the University’s data and data infrastructure may be restricted or withdrawn.

Following due process, the University may take action against anyone whose activities are in violation of the law or of this policy.  The actions taken may include, but are not limited to:

• Revocation of access to the University’s data, ICT/IT services, ICT/IT infrastructure or parts of it.  This will be explained further in the Acceptable Use Policy and other ICT Policies, to be promulgated by the University and ICTC, in sequence of this Memorandum.
• Disciplinary action for students following the University Student Manual administered by the Student Services Office – Office of Student Affairs, as approved by the University President and the PCU – Board of Trustees.
• Disciplinary action for employees.

Ignorantia legis neminem excusat  [ Ignorance of the law excuses no one ].  

Please be guided accordingly.

Pursuant to the provisions of the ISO 9001:2015 ICTC Manual 2023 on Risk and Opportunity Management, the authority vested to the Office of the VP for ICT and Student Services by the University President and the PCU – Board of Trustees (PCU-BOT) for good governance and digital compliance, the Acceptable Use Policy (AUP) for all University Digital/Technology Resources is now officially in effect for university-wide implementation, to wit:

POLICY ICT-019: UNIVERSITY ACCEPTABLE USE POLICY (AUP)

Purpose

This Acceptable Use Policy (AUP) outlines the acceptable use of computer equipment, networks, University Digital platforms, and Internet resources owned or operated by Philippine Christian University (PCU). The purpose of this policy is to ensure the appropriate use of these resources and prevent any misuse that could result in security vulnerabilities, legal liability, or damage to the University’s reputation.

Scope

This policy applies to all PCU employees (whether full-time or part-time), PCU contractors, PCU vendors, PCU students, and other individuals who use the University’s computer equipment, networks, University digital platforms, and Internet resources, regardless of their location.

Acceptable Use

Philippine Christian University’s computer equipment, networks, University digital platforms, and Internet resources should be used primarily for work-related activities. However, some personal use is allowed as long as it does not interfere with an employee’s work responsibilities, a student’s teaching and learning engagement, violate any laws or regulations, or cause harm to the University.

Examples of Acceptable Use include:

• Conducting research related to an employee’s job responsibilities;
• Sending and receiving work-related emails;
• Accessing the Internet for work-related purposes;
• Using social media for work-related purposes, such as marketing or networking.

Unacceptable Use

The following activities are strictly prohibited and could result in disciplinary action, up to and including termination of employment, legal action, or criminal prosecution:

• Accessing or attempting to access unauthorized computer systems or networks;
• Using the University’s resources to engage in illegal activities or activities that violate the University’s policies or procedures with reference to the University Handbook, University Student Manual approved by the University President and the PCU – Board of Trustees (PCU-BOT) and all ICTC promulgated policies, procedures, and guidelines;
• Intentionally damaging, disrupting, or interfering with the University’s computer equipment, networks, or Internet resources;
• Using the University’s resources to transmit, distribute, or store copyrighted material without permission or in violation of copyright laws;
  Sending or posting harassing, threatening, defamatory, or obscene messages or materials;
• Using the University’s resources for personal gain, such as running a personal business or engaging in outside employment with no authorization or consent from the University;
• Installing or using unauthorized software or hardware on the University’s computer equipment, networks, University platforms or Internet resources;
• Using the University’s resources to participate in political activities or to express personal political views.

The University recognizes that email is a vital communication tool for its employees. As such, this policy outlines the University’s approach to email use by employees (whether FULL-TIME OR PART- TIME) to ensure that it is used effectively and responsibly. Pursuant to the provisions of the ISO 9001:2015 ICTC Manual 2023 on Risk and Opportunity Management, the authority vested to the Office of the Vice President for ICT and Student Services by the University President and the PCU-Board of Trustees (PCU- BOT) for good governance and digital compliance with reference to the University Acceptable Use Policy (Policy ICT-019), the University Email (@pcu.edu.ph) Policy for Employees (UEPE) is now officially in full effect for university-wide implementation, to wit:

POLICY ICT-020: UNIVERSITY EMAIL POLICY FOR EMPLOYEES (UEPE)

Scope:
This policy applies to all University employees who use email for work-related communication.

Policy:

1. Authorized Use:
   Email (@pcu.edu.ph) may only be used for work-related communication. Personal use of University email is prohibited, except in cases where it is incidental and does not interfere with work-related tasks. YOUR EMAIL ADDRESS (@pcu.edu.ph) IS YOUR OFFICIAL REPRESENTATION OF THE UNIVERSITY, USE OF PERSONAL EMAIL, THEREFORE, SHOULD NOT BE USED AND IS STRICTLY PROHIBITED TO REPRESENT OR TRANSACT IN BEHALF OF THE UNIVERSITY.
   
   
2. Security:
   All employees are responsible for ensuring the security of their (@pcu.edu.ph) email accounts. This includes protecting their passwords and ensuring that their accounts are not used by unauthorized persons.
   
   
3. Confidentiality:
   Employees must maintain the confidentiality of sensitive information contained in emails (@pcu.edu.ph). Sensitive information includes, but is not limited to, personal information, financial information, and student records.
   
   
4. Professionalism:
   Emails (@pcu.edu.ph) must be professional in tone and content. Employees must use proper grammar, spelling, and punctuation, and avoid using slang or inappropriate language.
   
   
5. Compliance:
   All emails (@pcu.edu.ph) must comply with applicable laws, regulations, and University policies. This includes, but is not limited to, the University’s Code of Conduct, Intellectual Property Policy (Work in Progress), and the University Acceptable Use (UAUP) Policy/Policy ICT-019.
   
   
6. Monitoring:
   The University reserves the right (thru ICTC) to monitor all email (@pcu.edu.ph) traffic on its systems. Employees should have no expectation of privacy when using University email (@pcu.edu.ph).
   
   
7. Retention:
   All emails (@pcu.edu.ph) that contain official University records must be retained in accordance with the University’s record retention policies. Employees must not delete emails that are required for legal or business purposes. Upon resignation or retirement, and end of contract, the employee will be required to download their files within two (2) months before their email accounts will be officially archived.
   
   
8. Use of Distribution Lists:
   Distribution lists may only be used for work-related communication. Employees must obtain approval from the appropriate authority before using a distribution list.
   
   
9. Google Cloud Storage:
   PCU mail (@pcu.edu.ph which uses Gmail), Google Drive, Google Docs, Google Sheets, Google Slides, Google Forms, and other Google Workspace for Education apps will be affected as the previously unlimited storage will no longer be available to the academic community with reference to the standards set by Google Workspace for Education and managed accordingly by ICTC. For PCU employees, Google Drive storage is set to 100GB, university-wide. Unlimited storage however, is available for administrators, faculty or staff who are engaging with more than what is expected based on their teaching and learning demand for cloud storage and the nature of their digital roles and responsibilities.
   
   A University Cloud Storage Policy will be separately issued by ICTC with reference to this memorandum/circular including guidelines for its use and FAQS (Frequently Asked Questions)

10. Email Signatures:
    Employees must use the standard email signature (@pcu.edu.ph) provided by the University. The email signature (@pcu.edu.ph) must include the employee’s complete name, title/position, department/unit, official logo (if any) and contact information. Employees are required to include the following DISCLAIMER AND CONFIDENTIALITY NOTICE in their @pcu.edu.ph email account:
    
    DISCLAIMER AND CONFIDENTIALITY NOTICE
    The information contained in this email (managed by @pcu.edu.ph), including those in its attachments, is confidential and intended only for the person(s) or entity(ies) to which it is addressed. If you are not the intended recipient, you must not read, copy, store, disclose, distribute this message, or act in reliance upon the information contained in it. Any unauthorized dissemination, copying, use or disclosure of information contained herein is STRICTLY PROHIBITED and ILLEGAL.
    
    
11. Use of PCU email (@pcu.edu.ph) with reference to duties and obligations to the University.
    Employees are required to open their email (@pcu.edu.ph) at least once a day, and are enjoined to open their email (@pcu.edu.ph) at the optimum based on their roles, duties, obligations and responsibilities to the University.