Privacy Policy

Statement of Policy

In compliance with the Data Privacy Act of 2012, otherwise known as Republic Act No. 10173, Central Mindanao University is committed to protecting and respecting your personal data privacy. The University processes personal information in accordance with the principles of Transparency, Legitimate Purpose, and Proportionality.

This privacy policy informs the public on how we collect, use, and disclose the personal information of our data subjects.


Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information that would directly and certainly identify an individual.

Sensitive information is a type of personal information that carries a risk of discrimination against the Data Subject. It covers information about an identifiable person’s racial or ethnic origin, marital status, color, and religious, philosophical, or political affiliations; information about an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; information issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and information specifically established by an executive order or an act of Congress to be kept classified.

Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Information we collect:

The University collects the following types of information:

  • Personal Data Sheet of students, i.e., contact and enrolment details, health information;
  • Personal Data Sheet of job applicants and employees;
  • Alumni profiling, i.e., contact details;
  • Information about the activities of students, staff, and families if they are on school grounds, i.e., information captured by CCTVs and photographers.

Data Collection medium:

The University collects information through any medium:

  • In person or over the phone, from students and their families, visitors, volunteers, job applicants, and others;
  • Electronic and paper-based documentation (emails, letters, job applications, and application forms);
  • Online tools such as software used by the University;
  • CCTV cameras on the school premises, photographs, and recordings;
  • Polls and survey questionnaires;
  • School websites and social media.

Collection notices

The University provides privacy notices prior to the collection of personal, sensitive, and privileged information. Each privacy notice states the reason for collecting the information for the specific University transaction, how the information is used and disclosed, and how to access, update, and rectify it.

Consent Process

Consent is collected when required. It is obtained in different ways and can be recorded online and in writing. Consent is also obtained during enrolment, through signing the privacy statement, and is embedded in the collection forms. In some cases consent is not required, such as for data captured by CCTV cameras; however, the Data Subject is informed through notices posted on the campus premises. Consent is likewise not required for the processing of data with legitimate interest, such as in matters of life and death of the Data Subject.

Health services in the University use a specific consent form, which includes consent for the use and disclosure of information to the regulatory body.

Unsolicited Information:

The University may receive personal information outside any of its procedures or media for collecting such information. This unsolicited information will be disposed of securely if the Act does not permit the University to keep it.

Purpose of data collection

The University collects personal information to administer the application, enrolment, and financial information and to manage its core functions in Instruction, Administration, Research and Extension, and Production.

The collection of information enables the University to manage the individual student’s academic career from admission to graduation, through to alumni, and confirming qualification for employment. 

The University needs to hold personal information about students for Instruction, Research and Extension, and Administrative purposes in order to administer their academic career, including:

  • maintenance of the student record (Including personal, educational, and academic details) for management of academic purposes;
  • uploading and posting of grades;
  • printing and releasing of grades slip;
  • monitoring of the class record;
  • health and medical records;
  • management of accommodation;
  • alumni operations, including fund-raising;
  • provision of advice and support to students (Counselling Service, Scholarships and Placement);
  • access to facilities such as a library, computer rooms, and laboratory rooms;
  • internal research, including monitoring quality and performance; and
  • security and car parking.

Disclosure of Information:

The University does not disclose personal information, except when the disclosure is in accordance with Section 12 (Criteria for Lawful Processing of Personal Information) and Section 13 (Sensitive Personal Information and Privileged Information) of the Data Privacy Act of 2012.

Internal Disclosure:

Personal information should only be disclosed to the designated officer, if permission is given or if the disclosure is necessary for the legitimate interest of the University. The University does not disclose personal information merely for social reasons.

External Disclosure:

The University does not disclose personal information externally, except where there is a legal requirement to do so. This includes supplying information to parents, legal guardians, and next of kin.

Statutory Obligations

The University has a statutory obligation to disclose personal information about its students to those that require the information to carry out their statutory functions in relation to the funding of the Commission on Higher Education (CHED) and the Department of Education (DepEd); this information is then passed to relevant government agencies for grants and scholarships.

Rights of the Data Subjects

The University respects the Rights of the Data Subject under Section 34 of the Implementing Rules and Regulations of the Data Privacy Act of 2012.

The data subject is entitled to the following rights:

a. Right to be informed.

1. The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

2. The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:

(a) Description of the personal data to be entered into the system;

(b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;

(c) Basis of processing, when processing is not based on the consent of the data subject;

(d) Scope and method of the personal data processing;

(e) The recipients or classes of recipients to whom the personal data are or may be disclosed;

(f) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;

(g) The identity and contact details of the personal data controller or its representative;

(h) The period for which the information will be stored; and

(i) The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.

b. Right to object.

The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or

3. The information is being collected and processed as a result of a legal obligation.

c. Right to Access.

The data subject has the right to reasonable access to, upon demand, the following:

1. Contents of his or her personal data that were processed;

2. Sources from which personal data were obtained;

3. Names and addresses of recipients of the personal data;

4. Manner by which such data were processed;

5. Reasons for the disclosure of the personal data to recipients, if any;

6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;

7. Date when his or her personal data concerning the data subject were last accessed and modified; and

8. The designation, name or identity, and address of the personal information controller.

d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.

e. Right to Erasure or Blocking.

The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.

1. This right may be exercised upon discovery and substantial proof of any of the following:

(a) The personal data is incomplete, outdated, false, or unlawfully obtained;

(b) The personal data is being used for purpose not authorized by the data subject;

(c) The personal data is no longer necessary for the purposes for which they were collected;

(d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;

(e) The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;

(f) The processing is unlawful;

(g) The personal information controller or personal information processor violated the rights of the data subject.

2. The personal information controller may notify third parties who have previously received such processed personal information.

f. Right to damages.

 The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.

g. Right to file a complaint with the National Privacy Commission

If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.

h. Right to data portability

This right assures that the data subject remains in full control of his data. Data portability allows the data subject to obtain and electronically move, copy or transfer the data in a secure manner, for further use. It enables the free flow of personal information across the internet and organizations, according to the data subject’s preference. This is important especially now that several organizations and services can reuse the same data.

Data portability allows the data subject to manage his personal data in his private device, and to transmit his data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.

Accessing Information:

The University provides the Data Subject a means to access their personal information through a Data Subject Access Request. This includes requests to update and rectify records, to secure a copy of data, and for verification. Authorized representatives may access the information provided that their names are reflected in the Privacy Statement signed by the Data Subject (Student). In cases where the Data Subject is a minor, the parents or legal guardian have the right to access the official record of the student based on the Educational Community, Chapter 2, and item 2 of Batas Pambansa Bilang 232.

Security Measure:

University employees who have access to and process personal information as part of their job should at all times ensure that:

  • data are only used for the purpose(s) for which they were collected;
  • data confidentiality is maintained at all times;
  • data accuracy is maintained;
  • data are held securely;
  • only data that are necessary for the conduct of University business are retained; and
  • confidential data, whether held in paper format or electronically, are securely destroyed when no longer required.

Security of data:

Employees who access and process personal data ensure that the personal data they hold are:

  • kept in a locked filing cabinet, drawer, or room, whether in paper or electronic format, when not being worked on or when the office is left unattended (even for a short time);
  • not visible, either on desks or on computer screens, to anyone not authorized to see them (ensure that screen savers and computer screen locks are used);
  • sent in a sealed envelope, if transmitted through the mail, either internally or externally;
  • not sent via e-mail if it is sensitive information;
  • not left on shared printers/photocopiers; and
  • disposed of securely in line with the University Policy and Guidelines on the Disposal of Personal Information.


The University shall not retain personal data for a longer period than necessary. Personal data shall be retained only for as long as necessary:

  • for the fulfilment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
  • for the establishment of, exercise, or defense of legal claims; or
  • for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by an appropriate government agency.

Disposal information:

The University shall dispose of or discard personal data in a secure manner and based on CMU Policy and guidelines on the disposal of Personal Information.

Contact Information:

Advice and guidance on aspects of data privacy are available at the University Data Privacy Office. Please email us with any questions you may have at

This policy shall be reviewed every year.