Personal data processing policy
1. REGULATIONS
To comply with this policy, it must be taken into account that article 15 of the Political Constitution establishes the protection of personal data, as the fundamental right that all people have to preserve their personal and family privacy, good name and to know, update and rectify the information that has been collected about them in data banks and files of public and private entities.
Furthermore, Statutory Law 1581 of 2012 aims to develop the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, establishing the need to comprehensively guarantee the protection and exercise of the fundamental right of Habeas data, as well as the incorporation of special duties to those responsible for the processing of personal data, and the adoption of internal manuals of policies and procedures to guarantee adequate compliance with the rules that govern the matter, as well as the attention of queries and complaints.
Likewise, Decree 1377 of 2013 partially regulates Law 1581 of 2012.
2. OBJECTIVE
Establish the criteria for obtaining, collecting, using, treating, processing, exchanging, transferring and transmitting personal data or any other type of information that is used or that resides in institutional databases and files, in accordance with the provisions in articles 15 and 20 of the Political Constitution of Colombia and Statutory Law 1581 of 2012, together with its regulatory Decrees.
3. DEFINITIONS
Databases: Organized set of personal data that is subject to processing.
Personal information: Information that allows the identification of a person by a third party.
Public Data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.
Private Data: Information that, due to its intimate or reserved nature, is only relevant to the owner. (Law 1266 of 2008).
Sensitive Data: Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, of human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
Headline: Natural person whose personal data is the subject of Processing.
Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located inside or outside the country. .
Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller.
Responsible for Treatment: Natural or legal person, public or private, who alone or in partnership with others, decides on the database and/or the Processing of the data.
Treatment Manager: It is the external contractor to whom the Institution assigns the responsibility of managing and processing the databases that are directly related to its functions or obligations.
Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
Right of access: It is the power that the owner or authorized persons have to know their personal data contained in the databases. This right includes obtaining total or partial copies of them.
Update Right: It is the power that the owner or authorized persons have to renew their personal data contained in the databases.
Right of Rectification: It is the power that the owner or authorized persons have to obtain the total or partial correction of their personal data contained in the databases.
Notice of Privacy: Verbal or written communication generated by the Controller, addressed to the Owner for the Processing of their personal data, through which they are informed about the existence of the information Processing policies that will be applicable to them, the way to access them and the purposes of the Treatment that is intended to be given to personal data.
4. PRINCIPLES
The Conservatory of Tolima, Higher Education Institution, in the exercise of its academic, administrative and extension and social projection activities, collects and manages personal information of the Academic Community and suppliers that, in compliance with the provisions of Law 1581 of 2012 and its Regulatory decrees require the Institution to design procedures aimed at the protection and security of said information.
To achieve this purpose, the Institution will be governed in a harmonious and comprehensive manner by the following principles:
Principle of Legality: The Tolima Conservatory will strictly comply with current regulations and regulations when processing personal data found in its databases.
Purpose Principle: The Tolima Conservatory will manage the personal data of the Academic Community and its suppliers, in accordance with the provisions of the Political Constitution and the Law, and in the required cases, informing the owners of the treatment that applies to them.
Freedom Principle: The processing of personal data of the Academic Community and the suppliers of the Tolima Conservatory will be carried out with the prior, express and informed consent of the owner. Personal data from the Institution's databases may not be obtained or disclosed without prior consent or authorization of the owner.
Principle of Truth or Quality: The Tolima Conservatory will ensure that the information contained in its databases is true, complete, accurate, understandable, verifiable and updated, avoiding the processing of partial, erroneous, incomplete and fragmented data.
Transparency Principle: The Tolima Conservatory, through its citizen service policy, is willing to provide information related to personal data to the owner in an effective and efficient manner.
Principle of Access and Restricted Circulation: The Tolima Conservatory will establish the necessary security policies to guarantee the
adequate treatment of sensitive data that are in the Institution's databases and that are in its information systems.
Security Principle: The Tolima Conservatory will take the necessary technical, human and administrative measures to avoid adulteration, loss, consultation, unauthorized or fraudulent use or access to institutional records.
Confidentiality Principle: All people at the Tolima Conservatory who administer, manage, update or have access to non-public information of the Academic Community and its suppliers are obliged to guarantee its confidentiality, even once they have left the Institution.
5. POLICIES
The Tolima Conservatory, Higher Education Institution, will use the personal data that rests in its databases to fulfill its institutional mission. Likewise, in cases that warrant data processing, in accordance with the provisions of Law 1581 of 2012, the Institution will inform the owners through a privacy notice.
Owners' Rights: The Tolima Conservatory, complying with the provisions of the Law and its regulatory decrees, will guarantee at least the following rights to the owners of the personal data that rest in the institutional databases:
- Access, know and update your personal data that resides in the Institution's databases, in accordance with the provisions of this procedure.
- Authorize the processing of your personal data.
- Request proof of the authorization granted to the Tolima Conservatory through data processing through any valid means of communication or request; except in cases where authorization is not necessary in accordance with the Law.
- Be informed by the Tolima Conservatory about the use that has been made of your personal data.
- Submit to the Superintendence of Industry and Commerce or the Entity that takes its place, complaints for violations of the provisions of Law 1581 of 2012 and its regulatory decrees, once the internal procedure has been completed before the Conservatory of Tolima.
- Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees, as well as when there is no legal or contractual obligation to remain in the database.
- Access free of charge to your personal data that has been processed periodically and when substantial modifications occur that warrant a request for information. In the event that the holders request this information more than once in the calendar month, the Tolima Conservatory reserves the right to charge an amount that does not exceed the cost of sending, reproducing and certifying the documents.
- In the case of respecting the prevailing rights of children and adolescents, the Institution undertakes to process data in accordance with the provisions of Law 1581 of 2012 and its regulatory decrees.
Obligations of the Delegated Responsible: The obligations, in addition to those granted by Law, of the person responsible for the processing and protection of personal data, delegated by the Tolima Conservatory, are:
- Guarantee the owner, at all times, the full and effective exercise of the right of Habeas Data.
- Maintain, at any time, the authorization granted to the Institution for the processing of personal data.
- Duly inform the owner about the purpose of the treatment and the rights granted to him by virtue of the authorization granted.
- Keep personal data under the security conditions necessary to prevent its adulteration, loss, consultation, use, unauthorized or fraudulent access.
- Delete personal data that is contained in administrative acts and institutional documents that may affect the owner, as established in articles 15 and 20 of the Political Constitution of Colombia.
- Timely update the information, according to the news provided by the owner.
- Transmit or transfer personal data found in its databases to natural or legal persons authorized by the Law.
- Rectify the information in case of error and inform the interested party in a timely manner.
- Process queries and claims in the terms indicated by the Law and this procedure.
- Inform the data protection authority in case of violations of security codes and there are risks in the administration of the owners' information.
- Comply with the requirements issued by the Superintendence of Industry and Commerce.
- Only use data whose processing is previously authorized in Law 1581 of 2012.
- Ensure the appropriate use of the personal data of children and adolescents in those cases in which the processing of their data is being authorized.
- Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
- Keep the support for the costs of shipping, reproduction and, where applicable, certification of documents, when these have been charged to the owner.
- Delete personal data found in its databases for which it has no legal or contractual obligation or power to process.
Powers of the Delegated Manager:
- Be informed by the owner or his representatives of any situation that affects compliance with the Law and its regulatory decrees in relation to the handling of personal data.
- Carry out the processing of personal data found in the databases under their responsibility in accordance with existing regulations and regulations.
- Appoint those in charge of processing the information, in accordance with existing regulations and regulations.
- Carry out the transfer and/or transmission of personal data contained in its databases, signing the necessary acts and contracts, in accordance with existing regulations and regulations.
- Carry out the processing, transfer and/or transmission of personal data found in its databases, without prior and express authorization from the owner in the following cases:
- When the information is required by a public or administrative entity in the exercise of its legal functions or by court order.
- When dealing with data of a public nature.
- In cases of medical or health emergency.
- When the treatment is authorized by Law for historical, scientific and statistical purposes.
- When the data is related to the civil registry of people.
Responsible: The Tolima Conservatory, Higher Education Institution, is the legal entity responsible for the management and processing of personal data of the Academic Community and suppliers of the Institution.
Delegates: The dependencies delegated to be responsible for the management of the databases, according to their functions, are:
ADMINISTRATIVE, LEGAL AND HUMAN TALENT MANAGEMENT
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
General Secretary
|
x |
x |
|
|
|
Single Window |
x |
|
Third parties |
Personal Data of third parties that file the correspondence. |
TEACHING
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Faculty of Education and Arts |
x |
|
|
Personal data of students and teachers |
INVESTIGATION
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Faculty of Education and Arts |
x |
x |
|
|
EXTENSION AND SOCIAL PROJECTION
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Music school |
x |
x |
|
|
|
Registration and Academic Control |
x |
x |
|
|
INSTITUTIONAL WELL-BEING
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Institutional Wellbeing |
x |
x |
|
Personal Data of the Academic Community linked to Wellbeing services |
MANAGEMENT OF GOODS AND SERVICES
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Instrument Bank |
x |
|
|
Personal Data of teachers, workshop leaders and students who lend musical instruments.
|
|
Library |
x |
|
|
Personal Data of teachers, workshop leaders and students who access Library services. |
|
Loan of Physical Spaces |
x |
|
|
Personal Data of the Academic Community to access the SYNERGY user, visitors to tour the Alberto Castilla Hall and the Traditional Headquarters and users of the computer rooms. |
OPERATIONAL AND FINANCIAL MANAGEMENT
| Dependencia | Datos Personales | Datos Sensibles | Sujeto del Tratamiento | Tipo de Información |
|---|---|---|---|---|
|
Payment |
x |
x |
|
Personal financial information of contractors, academic community related to the certificate of income and withholdings, payroll and payment of parafiscal contributions, among others. |
Revocation: The owners of the personal data may at any time revoke all or part of the authorization granted to the Institution for the processing of their personal data or request the total or partial deletion of the same, as long as it is not prevented by a legal or contractual provision.
Processing of Personal Data of Minors: The processing of personal data of children and adolescents is prohibited, except when it involves data of a public nature, in accordance with the provisions of article 7 of Law 1581 of 2012 and when said processing complies with the following parameters and requirements : 1. That responds to and respects the best interests of children and adolescents. 2. That respect for their fundamental rights is ensured.
The Tolima Conservatory establishes Extension and Social Projection as a missionary function that, through continuous training courses, extension courses, free courses or workshops, offers alternative spaces to complement or acquire knowledge, theoretical-practical skills and support in the comprehensive formation of the community. internal and external; complying with the principles and obligations established in Law 1581 of 2012 and Decree 1074 of 2015; In the development of its function, the Tolima Conservatory through Extension and Social Projection, collects the data of children and adolescents who access our services, previously requesting authorization for the processing of personal data from the Legal Representative or Guardian and ensuring the proper management of these.
Treatment of Sensitive Personal Data: The Tolima Conservatory may, with prior express authorization from the owner, process sensitive personal data in the following events:
- When the owner has given explicit authorization, except in cases where such authorization is not necessary by law.
- When the treatment is necessary to safeguard the vital interest of the owner and he or she is physically or legally incapacitated.
- In these events, legal representatives must grant their authorization.
- When the processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
- The treatment has a historical, statistical or scientific purpose. In this case, measures must be taken to eliminate the identity of the owners.
- When the treatment is carried out in the course of legitimate activities and with due guarantees by a non-profit entity, provided that they refer exclusively to its members or people who have permanent contact due to its corporate purpose.
Security: Currently, the security mechanisms of the Tolima Conservatory to protect personal data and sensitive data housed in institutional databases are:
- Access passwords of those authorized to enter the platforms.
- Users and roles of those authorized to enter the platforms.
- Restriction and configuration of security programs with internal IP ports, to avoid any type of hacking or vulnerability to the system.
- A Firewall System on the Institution's network to block intruders and access to unauthorized networks. (Blocking unauthorized users).
- Daily copies, on external hard drives protected in a safe, of institutional databases and platforms.
- Personnel in charge of the IT area for managing the security and maintenance of the equipment where the information resides. Daily review of racks and firewall.
- CMS website protected with passwords and security codes to avoid MYSQL insertions through forms and records.
Regarding the institutional protection mechanism for physical information, related to personal data and sensitive data of the Academic Community, which rests in the Management Archive, Central Archive and Historical Archive, it is the custody of these documents by a person responsible for its management.
Digital Information Systems: Currently, the Institution's digital Information Systems, in which personal information of the Academic Community resides, are:
—
OPERATIONAL AND FINANCIAL MANAGEMENT
| SOFTWARE | FUNCIONALIDAD |
|---|---|
|
FOLLOW |
Modular system for the academic and curricular administration of the Faculty of Education and Arts and the School of Music. |
|
SYNERGY |
Process automation software. Currently the Institution manages the following processes with this tool:
|
|
SIIGO |
Accounting and Financial information system is carried out through the SIIGO program. This system is managed internally by financial area officials. Therefore, citizens do not have access. However, on the website, in the transparency link, the consolidated financial statements are published. |
Physical Information: The non-digital information rests in the Documentary Archive of the Institution, which is part of the Administrative, Legal and Human Talent Management process.
The physical documentary archive that is not in the system for the following topics also resides in the Academic Registration and Control office:
- Qualifications for the daytime musical baccalaureate.
- Notes from cohort 1 and 2 of the Bachelor of Music Professionalization Program that do not rest in the academic system, are found in Excel files on the Registration and Control computer.
- Notes from the Technical Labor program offered by the School of Music that are not in the system, but are found in Excel files on the School of Music's auxiliary computer.
6. REFERENCED DOCUMENTS AND RECORDS
Law 1581 of 2012 By which general provisions are issued for the protection of personal data.
Decree 1377 of 2013 by which Law 1581 of 2012 is partially regulated.
Law 1266 of 2008 by which the general provisions of habeas data are dictated and the management of information contained in personal databases is regulated, especially financial, credit, commercial, services and information from third countries and is dictated other provisions.