About Us

The University Data Protection Office (UDPO) is a unit directly under the Office of the President tasked primarily to ensure the compliance of University of Southern Mindanao (including its satellite and external campuses) with the provisions of Republic Act 10173 or the Data Privacy Act of 2012, its Implementing Rules and Regulations, and all other relevant and related privacy policies including the issuances of the National Privacy Commission.

What We Do

  • Monitor the University’s compliance to RA 10173 (or the Data Privacy Act of 2012) and other relevant and applicable laws, including issuances by the National Privacy Commission
  • Act as liaison between the University and National Privacy Commission and other relevant authorities
  • Develop policies and procedures to ensure the protection of personal data of USM personnel, students, stakeholders, and other interested parties
  • Provide advice to various Units in the University regarding complaints and/or the exercise by data subjects of their rights under the DPA
  • Train personnel involved in data processing operations
  • Conduct regular Privacy Impact Assessments to ensure compliance
  • Respond to data subjects to inform them about how their personal data is being used and what measures the company has put in place to protect their data
  • Ensure that data subjects’ requests to see copies of their personal data or to have their person data erased are fulfilled or responded to, as necessary.


University Data Protection Officer

Aside from being trained Data Protection Officer, she is also the Secretary of the University and the Board of Regents. She was the former Corporate Management Representative of USM for ISO 9001:2015 Quality Management System Certification. She has a degree in Philosophy.


Compliance Officer for Privacy

He is the current Dean of the College of Engineering and Information Technology. He has received extensive training in data protection measures in the field of Information Technology.


Compliance Officer for Privacy

He is the current Dean of the College of Arts and Social Sciences (CASS), has a degree in Law, teaches at the Department of Social Sciences and Philosophy, Department of Criminal Justice Education, and Graduate School. He also manages a Review Center.



Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), governs the processing of personal data in the Philippines. The law calls for the adoption of appropriate and necessary security measures that prevent or minimize the risks posed by data breaches and other security incidents. They include mechanisms to notify the National Privacy Commission (NPC) and affected individuals of data breaches under certain circumstances. The NPC has also developed policies that elaborate on said measures and their implementation.

Within the University of Southern Mindanao, the responsibility for developing these security measures lies primarily with the University Data Protection Office (UDPO).

The UDPO recognizes that no data processing system can ever be completely secure. Data breaches and other security incidents are bound to occur, regardless of the type and amount of security tools one puts in place. This makes it important for every organization to be prepared and have the necessary protocols that would facilitate the proper handling of such incidents in order to minimize their impact and ensure compliance with all applicable laws and policies.

For these reasons, the UDPO issues this Policy that provides for the security incident management protocols of the University.


  1. Scope 

This Policy shall cover all security incidents involving any data processing system of the University and/or personal data under its control or custody.


  1. Definition of Terms 

Whenever used in this Policy, the following terms shall have their corresponding meanings as provided below:

2.1. “Data Breach” refers to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. It may be in the nature of:

2.1.1. availability breach – loss, accidental or unlawful destruction of personal data;

2.1.2. integrity breach – alteration of personal data; or

2.1.3. confidentiality breach – unauthorized disclosure of or access to personal data.

2.2. “Data processing system” refers to a system or procedure by which personal data is collected and processed in an information and communications system, or a relevant filing system.

2.3. “Data subject” refers to an individual whose personal data is processed.

2.4. “Incident Report” refers to a document that provides a detailed account of a suspected security incident. It is not an acknowledgment of guilt or wrongdoing on the part of the person who prepares it. It shall be treated primarily as a statement of facts, which also includes an initial assessment of the incident.

2.5. “Office” refers to a basic component or working unit of the University, including offices, centers, institutes, departments, and laboratories.

2.6. “Personal Data” pertains to the collective term used to refer to personal information, sensitive personal information, and privileged information.

2.7. “Personal Information” refers to any information, on its own or when combined with other information, from which the identity of an individual is apparent or can be reasonably and directly ascertained.

2.8. “Personal Information Controller” or “PIC” refers to a natural or juridical person that controls the processing or use of personal data. It includes a person who instructs another person to process personal data on its behalf.

2.9. “Personal Information Processor” or “PIP” refers to a natural or juridical person to whom a personal information controller may outsource the processing of personal data under the latter’s control or custody.

2.10. “Privacy Impact Assessment” refers to a process meant to evaluate and manage the impact on privacy of a particular program, project, process, measure, system or technology product of a PIC or PIP.

2.11. “Privileged Information” refers to any and all forms of data, which, under the Rules of Court

and other pertinent laws constitute privileged communication.

2.12. “Process Owner” refers to the office that owns, administers, and/or manages a data processing system, or is the principal custodian of a particular personal data under the control or custody of the University. It excludes offices or units of service providers contracted by the University for specific purposes.

2.13. “Reported Incident” refers to an event or incident suspected of being a data breach or some

other type of security incident that is subsequently relayed to the Data Protection Officer (DPO).

2.14. “Security Incident” refers to an event or occurrence that affects or tends to affect data protection, may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place. A data breach is a type of security incident.

2.15. “Sensitive Personal Information” refers to personal information:

2.15.1. about an individual’s race, ethnic origin, marital status, age, color, and religious,

philosophical or political affiliations;

2.15.2. about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

2.15.3. issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and;

2.15.4. specifically established by an executive order or an act of Congress to be kept classified. “University” or “USM” shall pertain to the University of Southern Mindanao including its units and offices.

2.16. “Service Provider” refers to any authorized person, organization, or body performing a function or providing a service to or on behalf of the University. A PIP is a specific type of service provider.

2.17. “University” refers to University of Southern Mindanao.

2.18. “UDPO” refers to the University Data Protection Office, the Unit tasked to ensure implementation and compliance of the University to the provisions of the Data Privacy Act of 2012.

2.19. “University personnel” refers to all individuals who perform services for or on behalf of the University. They shall include, but are not limited to, administrators, faculty members, employees, and consultants.


  1. Data Security Incident Management Team 

There shall be a Data Security Incident Management Team (DSIMT), which shall be responsible for investigating a suspected security incident. Headed by the University Data Protection Officer, the Team shall have two (2) other permanent members appointed by the University President. Other University personnel may be called on to join the Team on a per incident basis when their expertise or background is appropriate and necessary to adequately address the incident, as recommended by the permanent members and approved by the University President.                        All members must have the rank of administrator.  Where a permanent member of the Team is the Process Owner involved in a reported incident, the University President will designate a competent alternate. A service provider or external party may also be considered.

A Team member may delegate his or her functions to another member of his or her Office, provided that he or she shall remain the signatory in all related documents accomplished or generated by the Team.


  1. Assignment of Duties and Responsibilities 

To ensure the effective implementation of this Policy, the following offices and individuals shall perform their respective functions and responsibilities:


4.1. Data Security Incident Management Team  (DSIMT)

4.1.1  Investigate and assess  suspected security incidents with all concerned units and offices   of the  University.

4.1.2. Recommend remedial measures to be performed by the Process Owner and other concerned units or offices of the University in relation to a suspected security incident.

4.1.3. Accomplish an Assessment Report


4.2. Data Protection Officer (DPO)

4.2.1  Serves as the main point of contact for all reports of a suspected security incident

4.2.2. Acts as custodian of all reports and documents generated or prepared in relation to each suspected security incident.

4.2.3. Reviews and revises this Policy in accordance with the provisions hereof.

4.2.4. Assists the University President, the DSIMT, and Process Owners in the performance of their     functions under this Policy.


4.3. University President 

4.3.1. Approves, rejects, or otherwise takes action on the findings or recommendations of the DSIMT.

4.3.2. Appoints the permanent members of the DSIMT.

4.3.3. Approves the designation of additional members of the DSIMT as the circumstances may require.

4.3.4. Designates the alternate of any permanent member of the DSIMT, when necessary.

4.3.5. Notifies the NPC and/or affected data subjects when required by DPA.

4.3.6. Approves, rejects, or otherwise comments on proposed revisions to this Policy.


4.4. Process Owners 

4.4.1. Where a reported incident involves its data processing system or any personal data under its control or custody, including those being processed by a service provider or an authorized third party, submit an Incident Report to the UDPO in accordance with this policy.

4.4.2. Implement security measures that aim to:

  1. avoid or minimize the risk of experiencing security incidents
  2. stop an ongoing security incident
  3. contain, limit, or mitigate the impact of a security incident

4.4.3. Where they share, disclose, or transfer to authorized third parties any personal data under their control or custody, require such third parties to report any security incident that affects or involves the shared, disclosed, or transferred data.

4.4.4. Cooperate with and extend assistance to the UDPO and the DSIMT in resolving each reported incident.


Unless otherwise prevented by more pressing matters, the foregoing offices and individuals shall prioritize their functions and responsibilities under this Section to ensure a prompt and effective resolution of all reported incidents, and to enable the University to meet its obligations under the DPA.


  1. Notification of the UDPO 

Incident notification shall be carried out in accordance with the provisions of this Section:


5.1. Subject of a Notification. An incident must involve a data processing system of the University or personal data under the control or custody of the University. It includes those being processed by a service provider or any other authorized third party.

5.2. Notifying Party and Recipient of Notification. Any person who becomes aware of or has reason to believe that an incident described by the previous subsection has occurred must notify the DPO using any of the latter’s contact information. If a notification is sent to or received by a different office of the University, it shall be immediately referred to the DPO.

5.3. Method of Notification. A person who wishes to notify the DPO of an incident shall submit a Contact Form, as prescribed by the UDPO. In the absence of a Contact Form, the Notifying Party must be able to provide the following information:

5.3.1.   Name

5.3.2.   Contact details Email Address Contact Number

5.3.3.  Details of the incident (if known) Date and Time of Incident Number of persons affected Name of office processing the information


If the incident involves the office of the Notifying Party (i.e., the office is the concerned Process Owner), he or she shall instead accomplish an Incident Report in accordance with Section 6.2 of this Policy.

All forms are available at the UDPO link on the University website.


  1. Investigation of Incidents 


Investigations of incidents shall be carried out in accordance with the provisions of this Section:


6.1. The DPO shall refer a reported incident to the concerned Process Owner. It shall also give

advance notice to the DSIMT about the reported incident.

6.2. Once informed by the DPO, the Process Owner shall accomplish an Incident Report and submit the same to the UDPO within twenty-four (24) hours. The Process Owner must inform the DPO before the expiration of such period if it requires additional time. However, in no case shall such additional time exceed five (5) calendar days.

Whenever possible, the person/s who may be involved in the reported incident should not be made to accomplish the Incident Report to minimize any conflict of interest.

The DPO shall not accept Incident Reports that are incomplete or improperly accomplished.

6.3  The DPO shall refer the Incident Report to the members of the DSIMT for their evaluation. At this point, the DSIMT will determine if additional members are necessary to investigate the reported incident.  If so deemed necessary, the DSIMT shall recommend the designation of additional members to the University President.


6.4. The DSIMT shall conduct its investigation of the incident based primarily on the Incident Report. However, it is not bound by such report and can perform any of the following tasks:

6.4.1. direct clarificatory or follow-up questions to the Process Owner

6.4.2. require additional submissions from the Process Owner

6.4.3. request for a meeting with the Process Owner and other concerned offices of the  University, including individuals affected by the suspected security incident

6.4.4. perform other actions to obtain information critical to the investigation


The SIMT shall complete its investigation within forty-eight (48) hours after it has obtained all information it needs to carry out its investigation. If it requires additional time, it must at least determine within this period whether or not a data breach has occurred, and if notification of the NPC is necessary. This initial assessment shall be relayed to the University President by the DPO.


6.5.      The results of the investigation by the DSIMT shall be consolidated by the DPO into a DSIMT Assessment Report. The UDPO may already advise the Process Owner regarding any initial or urgent recommendations by the DSIMT.


6.6.     The DSIMT Assessment Report, together with the Incident Report and other relevant attachments, shall be recorded and stored in accordance with this Policy. However, if it contains recommendations and/or other matters that require the attention of or action from the University President, it shall be transmitted immediately to the latter for appropriate action.


Data Breach Notification of the NPC and Data Subjects


Notification of the NPC and affected data subjects shall be carried out in accordance with the provisions of this Section:

7.1. A confirmed data breach shall be reported to the NPC if the University President, after being informed of the advice of the DSIMT, has determined that it is attended by all of the following conditions:

7.1.1. it involves sensitive personal information or any other information that may be  used to enable identity fraud;

7.1.2. there is reason to believe that the information may have been acquired by an unauthorized person; and

7.1.3. there is reason to believe that the unauthorized acquisition is likely to give rise  to a real risk of serious harm to any affected data subject.

7.2. If there is uncertainty regarding the need to notify the NPC, the following additional factors  shall be considered  by the University President and the DSIMT:

7.2.1. Notification could reduce the risks arising from the data breach.

7.2.2. The data breach would likely affect national security, public safety, public order,

or public health.

7.2.3. The personal data involved is required by applicable laws or rules to be


7.2.4. The personal data involved belongs or refers to vulnerable groups.

7.2.5. The data breach affects at least one hundred (100) individuals.

7.3 The University President, with the assistance of the UDPO, shall notify the NPC within seventy-two (72) hours after he has determined that a confirmed data breach meets the conditions set out in Subsections 7.1 and/or 7.2 hereof.

For this purpose, the UDPO shall send a notification letter to the NPC via email, as signed by University President. The UDPO shall make sure to obtain a confirmation from the NPC that it has received the notification letter. If online access is not available, the UDPO shall personally deliver the notification letter to the NPC and maintain a receiving copy.

7.4 There shall be no delay in notifying the NPC except in instances expressly allowed or recognized by the   Commission through its Circular 16-03 and other applicable policies.

7.5 The University must also notify affected individuals within the same period, unless there are grounds recognized by law that allow the University to forego with such notification.  In determining whether a valid reason exists for not notifying affected individuals, the University, through the University President, may consult with the NPC.

7.6  Whenever possible, the University, through the concerned Process Owner, shall coordinate with all affected data subjects and provide appropriate guidance or assistance.


  1. Reports and Documentation 

All reported incidents shall be properly documented. The DPO shall develop forms for this purpose, facilitate their accomplishment by the responsible parties, and see to their secure storage and disposal. As a basic security measure, soft copies of all reports and related documents must be password- protected. Only those directly involved in their preparation and use shall have access to these documents.

A Summary Report shall be submitted by the DPO to the Administrative Council on a quarterly basis. A separate Annual Security Incident Report shall also be submitted by the DPO to the Administrative Council and the NPC.

All documents shall be made available to the NPC, upon request. However, the DPO shall anonymize all personal data within two (2) years after their filing.


  1. Undertaking of Confidentiality 

All information generated by or involved in the handling of security incidents shall be kept confidential by all concerned Parties. For this purpose, all University Personnel involved must have accomplished the Non-Disclosure Agreement prescribed by the UDPO before they assume their functions under this Policy.

Any public pronouncements involving such incidents must be coordinated with the UDPO and shall be subject to the approval of the University President.


  1. Remedial and Prevention Measures 

To help prevent or avoid the same type of security incident from occurring, the following measures may be undertaken:

10.1. The DPO may facilitate a debriefing session with the concerned Process Owner to ensure that remedial or preventive measures are properly implemented. It may also conduct an orientation regarding data privacy and compliance with the DPA.

10.2. The DSIMT may recommend the conduct of a Privacy Impact Assessment (PIA) on the data processing system involved in a security incident, or on the entire office of the Process Owner. The DPO shall issue the necessary guidelines for the proper conduct of a Privacy Impact Assessment.

10.3. The concerned Process Owner shall implement new security measures, and/or make

changes to existing ones.


  1. Penalties 

Failure to comply with this Policy may result in disciplinary action, in accordance with the applicable Code of Discipline/Conduct of the University, and other relevant rules and regulations. This is without prejudice to other legal remedies available to the University and/or any aggrieved or injured party under all applicable laws and policies.


  1. Review 

Unless circumstances require a shorter period, the DPO shall review this Policy after one (1) year in consultation with relevant units and offices of the University. Amendments must also be approved by the University President.


  1. Effectivity 

This Policy shall take effect within fifteen (15) calendar days after the approval by the Board of Regents and subsequent posting on the University website.


APPROVED as per BOR Resolution No. 102 s. 2020



UNIVERSITY OF SOUTHERN MINDANAO (USM) is committed to protecting the privacy of its data subjects, and ensuring the safety and security of personal data under its control and custody. This policy provides information on what personal data is gathered by USM about its current, past, and prospective students, how it will use and process this, how it will keep this secure, and how it will dispose of it when it is no longer needed. This information is provided in compliance with Republic Act 10173 (also known as the Data Privacy Act of 2012 or DPA) and its Implementing Rules and Regulations (DPA-IRR). It lays out USM’s data protection practices in safeguarding personal data of individuals it deals with, and also to inform such individuals of their rights under the Act.Data Privacy Notice may be amended at any time without prior notice, and you will be notified of such changes through USM’s website and social media accounts.What Information We CollectUSM collects, stores, and processes personal data from its current, past and prospective students, starting with the information provided at application through to information collected during the whole course of their stay in the university. This will include:

  1. Contact information, such as, name, addresses, telephone numbers, email addresses and other contact details
  2. Personal information, such as date and place of birth, nationality, immigration status, religion, civil status, student ID, government-issued IDs, web information, recommendations and assessment forms from previous schools, etc.
  3. Family background, including information on parents, guardians, siblings
  4. Photographic and biometric data, such as, photos, CCTV videos, fingerprints, handwriting and

signature specimens

  1. Student’s school works, including data gathered using third party online learning tools, such as Virtual Learning Environment, Turnitin, Edmodo, among others
  2. Health records, psychological evaluation results, disciplinary records, and physical fitness information
  3. Personal Data Sheet of students, which includes interviews, entrance exam results, guidance

assessments, special needs, etc.

  1. Permanent Student Academic Records, including transcripts of records
  2. Student extra-curricular activities, résumés, job interview forms
  3. Financial and billing information

How We Use Your Data

The personal data we collect from you will be used solely for the following purposes:

  1. Processing of admission application and student selection (and to confirm the identity of prospective students and their parents)
  2. Verifying authenticity of student records and documents
  3. Processing of scholarship applications and its requirements
  4. Processing of enrollment and registration
  5. Supporting student learning, and validating students’ program of study based on curriculum

requirements, and other activities and experiences forming part of the student’s formation and   education

  1. Supporting the student’s well-being and providing medical services and guidance counselling
  2. Monitoring and reporting student progress; processing of student evaluations, exam results, and grades
  3. Monitoring and ensuring the safety of all students within the USM campus
  4. Processing and generating statements of accounts
  5. Processing of application for graduation
  6. Evaluation for board examinations
  7. For accreditation, professional development of teachers and staff, and research
  8. Posting or displaying of academic and non-academic achievements within the USM’s premises and/or its official website and social media accounts (Facebook, Instagram, and Twitter)
  9. Marketing and promoting USM, its students, employees, and other academic and non-academic student and/or school activities inside and outside the campus
  10. Providing Library services, running an outreach/extension program, job postings, internships, employment

How We Share Your Information

Personal data under the custody of USM shall be disclosed only to authorized recipients of such data. Otherwise, we will share your personal data with third parties, other than your parents and/or guardian on record for minors, only with your consent, or when required or permitted by our policies and applicable law, such as with:

  1. Regulatory authorities, courts, and government agencies, e.g., Department of Education, Commission on Higher Education, etc.
  2. The AACCUP, a service organization which accredits academic programs that meet commonly accepted standards of quality education.
  3. Business partners and other academic linkages who provide internships and job opportunities to our graduates.

How We Transfer or Share Your Data

Where USM considers it necessary or appropriate, for the purposes of data storage, processing, providing any service or product on our behalf to you, or implementing an academic linkage program, we may transfer your personal data to third parties within or outside of the Philippines, under conditions of confidentiality and similar levels of security safeguards, and with your consent.

How Your Data is Secured

We continue to implement organizational, administrative, technical, and physical security measures to safeguard your personal data.  Only authorized personnel have access to your personal data, the exchange of which (mainly within campus) is facilitated through internal shared servers, email, and paper files.

Should third parties need access to your personal data, we require  data sharing agreement with them, in compliance with the DPA and the DPA-IRR.

Your paper and digital files are securely stored: employing physical security to safeguard the paper files and technical security to protect the digital file

How Long Your Information is Retained

We keep your paper and digital files only for as long as necessary.

  1. The Permanent Student Academic Records are kept by the Admission and Records Office for eternity.
  2. Scholarship application forms and supporting documentation are kept by the Office of Student Affairs for four years, or until the scholar graduates.
  3. Student disciplinary records are stored by the Office of the Board Secretary for five years after graduation.
  4. Class records are kept for one year after graduation.
  5. Non-academic records, e.g., service records for scholars, extra-curricular activities, emergency contact forms, etc. are kept for five years.
  6. Financial and billing information are kept by the Finance Offices for 10 years.
  7. The Clinic retains health records for five years after graduation.
  8. CCTV cameras are the responsibility of offices. Cameras have memory for four days of videos. The cameras run continuously on a rolling basis, older videos are overwritten.

When your personal data is no longer needed, we take reasonable steps to securely destroy such information or permanently de-identify it. Paper files are securely shredded; and electronic information is deleted.



  • Your Rights Under the Data Privacy ActYou have the right to be informed, to object to processing, to access and rectify your data, to suspend or withdraw your personal data, including any such information held by third parties with whom USM has a data sharing agreement; and to be indemnified in case of damages pursuant to the provisions of the DPA and its IRR.If you want to exercise any of your rights, or if you have any questions about how we process your personal data, please contact the Data Protection Officer, through the following channels:Email:
    [email protected] (for questions and information)
    [email protected] (for reports and complaints)Call: (064) 572-2854Write to:The Data Protection Officer
    Administration Building
    University of Southern Mindanao
    9407 Kabacan, Cotabato



Welcome to the University of Southern Mindanao. This Privacy Notice informs you about our policy when we collect, use, or otherwise process your personal data, in relation to your transactions with the University.  We respect your right to privacy and aim to comply with the requirements of the Data Privacy Act of 2012.

In this Policy, the terms, “data” and “information” are interchangeable. “Personal data” includes the concepts of personal information, sensitive personal information, and privileged information. They are typically used to identify you. For their exact definitions, refer to the text of the Data Privacy Act of 2012 or visit the website of the National Privacy Commission (www.privacy.gov.ph).

Information Collected, Acquired and Generated

Personal data is collected in many forms. They may consist of written records, photographic and video images, digital material, and even biometric records. Examples include:


  1. Information you provide or we generate prior to your employment or engagement.When you apply for a position within the University, or if we seek to engage you for a particular service or work, we ask for your personal data through a Personal Data Sheet (PDS). We also request you to provide your resume, Transcript of Records, and details about your professional license, if any and applicable. During the preliminary screening, we may collect additional information, including those generated from your interview and/or those obtained from your indicated professional referees. If you are already working or have been previously hired by the University, we may use the information already in our possession to process your application for the new or different position, upon confirmation that the information are still up-to-date.


  1. Information we collect or generate upon hiring or the commencement of your engagement. Once you accept our job offer or agree to the terms of a proposed engagement, we will collect another set of information including, but not limited to, the following: (1) Certificate of Employment; (2) Medical/Fit-to-Work Clearance; (3) NBI or Police Clearance; (4) Philippine Statistics Authority (PSA) Birth Certificate (applicant/dependents); (5) PSA Marriage Contract; (6) SSS ID or E1 or E4; (7) Pag-IBIG Member’s Data Form and/or ID; (8) Pag-IBIG Member’s Change in Information Form (MCIF); (9) PhilHealth MDR or ID; (10) PhilHealth Member Registration Form; (11) tax-related documents, such as your TIN ID or BIR Form 1902 (with stamp) and 2316; and (12) bank account details necessary to facilitate the processing of your compensation.


  1. Information we collect or generate during the course of your employment or engagement with the University.

After you join the University, we may also collect additional information about you, including: your annual physical examination results, and other data that may be used in the processing of loan applications and insurance claims, in performance evaluation, and in administrative and disciplinary cases. There will also be times when we will acquire other forms of data like pictures or videos of activities you participate in, via official documentation of such activities, or through recordings from closed-circuit security television cameras installed within school premises.


  1. Unsolicited Information.Other personal information may also be sent to or received by us even without our prior request. In such cases, we will determine if we can legitimately keep such information. If it is not related to any of our legitimate interests, we will immediately dispose of the information in a way that will safeguard your privacy. Otherwise, it will be treated in the same manner as information you provide us.

If you supply us with personal data of other individuals (e.g., person to contact in the event of an emergency, professional referees), we will request you to certify that you have obtained the consent of such individuals before providing us with their personal data.

Use of Your Information

Your personal data to pursue will be used to the extent permitted by law, our legitimate interests as an educational institution, employer, and/or contracting party, including a variety of administrative, research, historical, and statistical purposes. For example, we may use the information we collect for purposes such as:


  1. identifying applicants and processing their respective applications;
  2. assessing suitability based on academic and competency qualifications of candidates for a particular role or position;
  3. verifying the provided or submitted information;
  4. checking background information;
  5. implementing health-related treatments for the proper delivery of his/her work;
  6. granting remuneration, payroll, pension, and other standard employment functions;
  7. administering human resource-related processes, including those relating to performance management, and disciplinary issues;
  8. delivering or providing facilities, services, security, and staff benefits to employees;
  9. facilitating claims and remittances for mandatory benefits;
  10. communicating effectively pertinent information to USM employees
  11. compiling statistics and conducting surveys and research for internal and statutory reporting purposes;
  12. enabling the Human Resource Management and Development Office (HRMDO) to contact others in emergency cases.

We consider the processing of your personal data for these purposes necessary for the performance of our contractual obligations to you, for our compliance with a legal obligation, to protect your vitally important interests, including your life and health, for the performance of tasks we carry out in the public interest (e.g., public order, public safety, etc.), or for the pursuit of the legitimate interests of the University, or a third party. We understand that the DPA imposes stricter rules for the processing of sensitive personal information and privileged information, and we are fully committed to abiding by those rules.

If we require your consent for any specific use of your personal data, we will collect it at the appropriate time. We will not subject your personal data to any automated decision-making process without your prior consent.

Sharing, Disclosing, or Transferring Your Information


To the extent permitted or required by law, your personal data may be shared, disclosed, or transferred to other persons or organizations in order to pursue our legitimate interests as an educational institution, employer, and/or contracting party. We may share, disclose, or transfer your personal data for purposes such as:

  1. submission of information to government agencies such as the Commission on Higher Education and Department of Education, for accreditation and reportorial requirements; the Social Security System, Philippine Health Insurance Corporation, Pag-IBIG, and Bureau of Internal Revenue, for the provision of employment benefits mandated by law;
  2. sharing of necessary information to contracted providers such as insurance companies, insurance brokers, banks, and other similar organizations, in relation to any or all of your loan applications and insurance claims;
  3. sharing information with entities or organizations (e.g., AACCUP, TUV, CHED) for accreditation, certification, and university ranking purposes;
  4. disclosure of your information related to Termination of Employment, Employees Compensation Report to the Department of Labor and Employment, as part of the University’s reportorial obligations;
  5. other purposes, when necessary and under circumstances permitted or required by law.


Storage and Retention of Your Information

Your personal data is stored and transmitted securely in a variety of paper and electronic formats, including databases shared among the different units or offices in the University. Access to personal data is limited to University personnel who have a legitimate interest for carrying out their duties. The use of your personal data will not be excessive and limited to that which is necessary to achieve the purpose of their collection, and/or only when permitted by law.

In retaining your personal information, we generally subscribe to the following schedule:

  1. One year (1) from the day of your separation from the University or the termination of your employment, after which your employment records (e.g., 201 file) in HRMDO are transferred to the University Archives, subject to applicable University policies.
  2. Job applicants.Seven (7) months to one (1) year for pooling purposes, after which they are disposed of in a secure and safe manner, if not used within said period.

For other types of personal data, we only retain them for historical and statistical purposes, unless otherwise provided by law or by applicable University policies.

Your Rights with Respect to Your Personal Data

Your rights with respect to your personal data are recognized, as provided under the DPA. If you wish to exercise any of your rights, or should you have any concern or question regarding them, this Notice, or any matter involving the University and data privacy, you may contact the  University Data Protection Office (UDPO) at:

Email:  [email protected] or [email protected]
Landline: +63 (64) 572-2854



The Data Protection Officer
University Administration Building
University of Southern Mindanao
Kabacan, Cotabato


This policy may be changed without prior notice.  Notifications on changes will be through the USM website and memoranda specific to this matter.



Guests and Visitors:


Welcome to the University of Southern Mindanao!

We respect your right to privacy and commit to protect your safety and security inside the University premises.  This Privacy Notice explains how we process the information we collect or generate from you upon entering the campus.  Those with a University-issued ID or gate pass sticker will have been shown a similar Notice before the ID or sticker was issued.


What Information We Collect, Acquire, and Generate

We collect basic information about you by asking you to sign our official log book and requiring you to deposit proof of identity (ID) for verification purposes.  For those with vehicles, we take note of your vehicle plate number and ask you to deposit your driver’s license or any other valid ID.  Video footage is also being recorded via a CCTV system installed in strategic locations inside the campus.  This is primarily used as a security measure and may also help in the investigation of violations of University policies and other applicable laws.


How We Store Your Information

Your data are kept in the Security Services Management Office (SSMO) where at least one security personnel is on-duty 24/7.  Only authorized University and security personnel have access to them.  We dispose of the log books two (2) years from the date of the collection, unless required by law to retain them for a longer period.  CCTV footages, on the other hand, are stored for four days before being automatically deleted.  We do NOT transfer for share your personal data with other persons or organizations, unless required or permitted by law.


Your Rights with Respect to Your Data

The Data Protection Act of 2012 ensures the protection of your rights with respect to your personal data.  Should you wish to exercise them, you may do so by contacting the University’s Data Protection Officer through the following:

Email:  [email protected] or [email protected]

Landline: +63 (64) 572- 2854


The University Data Protection Officer
Administration Building
University of Southern Mindanao
9407 Kabacan, Cotabato


Thank you and we hope you enjoy your stay in USM!



Dear Visitor,

Uhe University of Southern Mindanao respects your right to privacy and aims to comply with the requirements of RA 10173 or the Data Privacy Act of 2012, including all relevant privacy and data protection laws. This Policy explains how we process the information collected or generated from you every time you access our website.

Other domains managed by the University may be covered by a separate and different policy.

Information Collected, Acquired and Generated

Whenever you browse this site, technical information about your visit are automatically recorded. They may include the following:


  • browser type and version
    • browser plug-in types and versions
    • date and time of connection
    • length of visits to certain pages
    • IP address
    • operating system
    • pages viewed/searched for
    • page interaction information (e.g., scrolling, clicks, and mouse-overs)
    • page response time
    • time zone setting
    • download errors
    • platforms and referrers

In most instances, these information are not sufficient to determine your identity.

Purpose of collection

The recorded information primarily helps keep the site safe and secure. It may also be used for bug tracking, investigations relating to a security or data breach, and usage statistics.

Rest assured that we will obtain your consent whenever we feel the need to use any personal data gathered when you visit the website.

Usage, storage and retention of information

All information collected by domains maintained by the University is stored in data centers accessible only to authorized personnel and agents. Third parties who maintain or manage websites for some units or offices of the University store their collected information in their own designated servers or data centers.

The collected information is kept for as long as necessary for the declared purpose in its collection. It will not be shared with or transferred to other persons or organizations, unless required or permitted by law.

Use of Cookies

This site uses cookies, small text files that are automatically downloaded to your browser upon visiting this site, set by either our webserver or provided by a third party. These collect your browsing data to promote better interaction with you and other visitors. In other instances, cookies may also be used for authentication, session management, and performance analytics.

Exercise of Rights

The Data Privacy Act protects  your rights to protect your personal data. Should you wish to exercise them, or if you have some questions relating to the University’s data protection policies, you may contact the University Data Protection Office through the following:

Email:  [email protected]  or [email protected]
Call: +63 (64) 572-2854

Write to:

The Data Protection Officer
University Administration Building
Kabacan, Cotabato


Changes to This Policy

Changes to this Policy may be made without prior notice. When permissible, we will inform you through other available means of communication.









Your Rights Under the Data Privacy Act

You have the right to be informed, to object to processing, to access and rectify your data, to suspend or withdraw your personal data, including any such information held by third parties with whom USM has a data sharing agreement; and to be indemnified in case of damages pursuant to the provisions of the DPA and its IRR.

If you want to exercise any of your rights, or if you have any questions about how we process your personal data, please contact the Data Protection Officer, through the following channels:

[email protected] (for questions and information)
[email protected] (for reports and complaints)

(064) 572-2854

Write to:

The Data Protection Officer
Administration Building
University of Southern Mindanao
9407 Kabacan, Cotabato