Sorsogon State University

Data Privacy Statement

“Ang Pamantasang May Puso”

SORSOGON STATE UNIVERSITY, “Ang Pamantasang May Puso,” is committed to protecting and respecting your personal data privacy. We are at the forefront of not only implementing but also complying with the Data Privacy Act of 2012. This Privacy Statement outlines how the University collects, uses, discloses, stores, and protects personal data in the exercise of its academic, research, administrative, and extension functions.

The terms ‘SorSU,’ ‘University,’ ‘we,’ ‘our,’ or ‘us’ refer to Sorsogon State University. The terms ‘you’ and ‘your’ refer to all students of Sorsogon State University, individuals applying for admission, and, where applicable, the parents or legal guardians of minors who are required to sign registration-related documents and other official forms, such as scholarship applications.

DATA PRIVACY NOTICE

1 SERVICE DESCRIPTION

Sorsogon State University (SorSU) is a public higher education institution that offers academic, research, extension, and administrative services. As part of its operations, SorSU manages several digital platforms to streamline services and improve user experience.

These include the University Portal (UPortal), which provides students with access to academic records, grades, schedules, and other essential services, and which faculty members use to manage class lists, submit grades, and access academic resources. The Human Resource Information System (HRIS), which manages employee profiles, appointments, leave requests, and other HR functions, is integrated into the University Portal. The University Portal also facilitates student enrollment and subject registration processes. The Online Portal for Admission Services (OPAS) for SorSU Admission Test Applications allows applicants to register, submit documents, and track their entrance exam application status.

2 PERSONAL INFORMATION THAT IS COLLECTED

Specific pieces of personal information are collected depending on the digital service accessed by students, faculty, staff, or applicants. The University Portal (UPortal) collects the full name, date of birth, contact information/parent or guardian information, address, course and year level, username, password, and profile photo. The portal also collects academic records (grades, subjects, schedules), learner reference number, subjects enrolled, enrollment history, student status, and activity logs. In addition, the UPortal collects faculty account information, which includes full name, faculty ID number, class assignments, subject details, academic schedules, grades submitted, login credentials, contact information, and academic rank.

Integrated into the UPortal is the HRIS, which gathers personal information such as full name, date of birth, address, contact details, government-issued ID numbers (e.g., TIN, GSIS, Pag-IBIG), marital status, employment status, position, department, education, work history, and emergency contact information. Also integrated into the UPortal is the Asset Management System (AMS), which handles information on suppliers and supplies, such as TIN, name, address, contact, and email.

For the SorSU Admission Test, SorSU collects the full name, birthdate, gender, civil status, email, phone number, home address, school last attended, academic background, preferred course(s), documents submitted (e.g., card, transcript, ID), and a photo.

Across all systems, SorSU may also collect account login credentials, IP addresses, and device/browser metadata automatically when users access digital platforms. Additionally, cookies and similar technologies may collect session data and preferences during user interactions with SorSU web services.

3 COLLECTION METHOD

Personal information is collected through both manual and digital means, depending on the service or transaction involved. For example, names, birthdates, and contact information are typically collected through online forms or printed application documents submitted during student enrollment or employee onboarding.

Academic records, such as grades and class schedules, are collected and updated through platforms like the UPortal, based on entries made by students, faculty, and staff.

Government-issued ID numbers are gathered through HRIS or enrollment forms for verification, benefits, or official reporting. Email addresses and usernames are collected when users create accounts on SorSU digital platforms (e.g., OPAS, HRIS). Photographs and video recordings may be collected via CCTV surveillance or event documentation, while IP addresses and usage data are gathered automatically when users visit SorSU websites or mobile apps through cookies and other web-tracking technologies. All data is collected directly from the individual concerned unless provided by authorized personnel or systems on their behalf, and always for lawful and declared purposes.

4 TIMING OF COLLECTION

Personal data is initially collected during application or registration periods, such as at the time of college entrance (e.g., SorSU Admission Test Application), student enrollment (via UPortal), and employment onboarding (via HRIS).

For students, information is collected at the start of each academic term during registration and may be updated throughout their enrollment period based on academic progress, changes in personal circumstances, or requests for specific services (e.g., scholarships, leaves of absence).

For employees, personal data may be collected upon hiring and periodically updated throughout their employment for purposes such as payroll adjustments, promotions, training, or leave benefits.

Certain types of personal information—such as IP addresses, login credentials, and usage data—are automatically collected in real time each time a user accesses SorSU digital platforms. Furthermore, if personal data updates are necessary after the initial collection (e.g., changes in contact information, dependent details, or academic status), such updates may be collected on an ongoing basis even after initial notice, provided the collection remains consistent with the original purpose.

5 PURPOSES OF COLLECTED PERSONAL INFORMATION

For students and applicants, information such as full name, birthdate, contact details, academic records, and course preferences is used to process applications, register for subjects, assign classes, and communicate important updates. This information is also needed to create student accounts, keep academic records, and track progress throughout your stay at the University.

For faculty and staff, the University uses personal data such as name, ID number, employment records, and salary details to process appointments, handle payroll, manage benefits, and record work attendance.

Documents like transcripts, photos, and IDs help verify your identity and qualifications. Emergency contact details and health declarations are needed in case of health issues or emergencies while on campus. System login information, device data, and IP addresses are collected to keep your accounts safe and ensure that the digital systems are working properly. SorSU also uses cookies and similar tools to improve your experience when using our websites or online services by remembering your settings and preferences.

6 STORAGE AND TRANSMISSION OF PERSONAL INFORMATION

Digital information is stored on secure University servers and authorized cloud-based systems with controlled access. These systems are protected by firewalls, antivirus software, encryption, and secure user authentication to prevent unauthorized access or data breaches. The cloud infrastructure utilized by the University features SOC 2 Type II certified security controls, GDPR compliance frameworks, and industry-standard encryption protocols, both at rest and in transit. Multi-factor authentication, role-based access controls, and regular security audits ensure data integrity and regulatory compliance. Physical documents, such as printed forms or identification records, are kept in locked filing cabinets inside restricted-access offices.

When your personal data needs to be shared or transferred—for example, from one SorSU office to another or to a University-approved system—it is transmitted using secure and encrypted channels, such as HTTPS and password-protected files. Only authorized University personnel have access to your data, and they are required to follow strict data privacy and security protocols.

SorSU regularly backs up data to protect against accidental loss and conducts system audits to monitor for any threats. In the case of data transfer to third-party providers (such as payment processors or technical service partners), SorSU ensures that these entities adhere to the same level of data protection and confidentiality through official agreements and compliance checks. These measures help protect your personal information from misuse, loss, or unauthorized access while allowing the University to deliver services safely and efficiently.

7 METHOD OF USE

Once your data is collected, it may first go through validation or checking to ensure it is complete, accurate, and not duplicated. For example, submitted application forms, grades, or employment records are reviewed and compared with existing University records or official documents. In some cases, your data may be grouped or organized (processed) to generate reports, academic results, or enrollment statistics. These processes are done only when necessary to support the main purposes of use, such as admission, registration, or academic tracking.

After validation or processing, your personal information is securely stored and then used by authorized offices or systems to deliver services—such as assigning class schedules, managing grades, and communicating with students or staff. Some information may also be analyzed in aggregate form (not personally identifiable) for institutional planning or decision-making, but this is done with strict safeguards in place.

Should SorSU require the use of your information for purposes other than those originally disclosed, you will be duly informed, and your consent will be sought, when required, prior to any such use.

8 LOCATION OF PERSONAL INFORMATION

Personal information collected by Sorsogon State University (SorSU) is stored and processed in specific locations based on the system or service where it is used. For digital systems such as the UPortal, OPAS, HRIS, and other University-managed platforms, your personal data is stored in secure on-site servers located at the University’s Data Center, housed within the Management Information Services (MIS) Office at Sorsogon State University – Sorsogon City Campus. These servers are maintained in a controlled environment with physical security, restricted access, and continuous monitoring.

Some digital services, particularly those that use web or cloud-based applications, also store and process data using secure cloud servers hosted by third-party providers. These providers are selected by SorSU based on their compliance with data protection standards and are bound by data-sharing agreements to ensure your information is processed only for authorized purposes. The location of these cloud servers is primarily within the Philippines but may also include secure data centers in other countries with adequate data protection laws, if necessary and lawful.

For physical records—such as printed forms, academic records, and employment files—these are stored in locked cabinets or storage rooms within the offices that handle them, including the SorSU Admission Services Unit, the Office of the University Registrar, the Human Resource Management and Development Office (HRMDO), and college or department offices. Only authorized personnel are allowed access to these areas, and records are secured under the University’s archiving and disposal policies.

9 THIRD-PARTY TRANSFER

Your information may be shared with government agencies such as the Commission on Higher Education (CHED), the Department of Budget and Management (DBM), and the Civil Service Commission (CSC) to comply with education regulations, employment standards, and reporting requirements.

In support of academic quality assurance and institutional development, personal information may also be shared with accrediting bodies such as the Accrediting Agency of Chartered Colleges and Universities in the Philippines (AACCUP), ISO certification body, and external auditors. These organizations may access academic records, program data, or employment profiles strictly for evaluation, accreditation, and audit purposes. Any information shared is limited to what is necessary for assessment and is kept confidential.

If you are a student applying for scholarships, internships, or programs supported by external foundations, partner industries, or NGOs, SorSU may share relevant data with these entities to process applications, conduct interviews, or confirm eligibility. This also applies if you are availing yourself of the services of the Health Services Unit (HSU), Lying-in Clinic, Placement Office, and Guidance and Counseling Services Unit. In addition, third-party IT providers and cloud hosting services may access certain information for system maintenance, support, or secure storage, but only under strict data protection controls.

10 RETENTION PERIOD

Sorsogon State University retains personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law, institutional policies, and relevant regulatory bodies. The length of time personal data is stored depends on the type of information and the service or process it supports.

For students, personal information—including academic records, enrollment data, and supporting documents—is retained for at least ten (10) years after graduation, separation, or last enrollment, to ensure proper recordkeeping for transcripts, certifications, and verification requests. Digital records within systems such as the UPortal, OPAS, and HRIS are maintained while the student is active and archived once they leave the University, following record retention guidelines.

For employees, personal information such as personnel records, service records, payroll data, and attendance logs is retained for at least ten (10) years from the end of employment, resignation, or retirement, unless longer retention is required by law or for claims processing. Copies of service records and government contributions are preserved permanently in some cases to comply with statutory obligations.

When personal data is no longer needed, SorSU ensures that it is securely disposed of or de-identified. Physical records are shredded, while digital data is deleted using secure data wiping methods. In some cases, data may be anonymized—stripped of identifying details—and retained for research or statistical purposes.

11 PARTICIPATION OF DATA SUBJECT

As a data subject, you have specific rights under the Data Privacy Act of 2012 (Republic Act No. 10173) to help you stay informed and in control of your personal information. These rights include the right to be informed, the right to access, the right to object, the right to erasure or blocking, the right to damages, the right to rectify, and the right to data portability.

You have the right to know what personal information Sorsogon State University collects about you, why it is collected, how it is used, and with whom it is shared. You may request access to your personal data and obtain a copy of the information held by the University. If you believe that any part of your personal information is incorrect, outdated, or incomplete, you may request that it be updated. You also have the right to withdraw consent or object to certain types of data processing, especially if it is not required by law or not essential to the delivery of SorSU’s services. In cases where your data is no longer needed, you may ask for it to be deleted or blocked from further processing, subject to applicable regulations.

To exercise any of your rights, you may submit a written request or fill out a Data Subject Request (DSR) form addressed to the Data Protection Officer (DPO). You will be required to present a valid ID and, in some cases, supporting documents to verify your identity and allow proper processing of your request.

SorSU is committed to respecting and protecting your rights as a data subject. If you have concerns or believe that your personal data has been handled improperly, you also have the right to file a complaint with the National Privacy Commission (NPC).

12 INQUIRY

For questions, concerns, or requests regarding personal data and privacy matters, individuals may contact the Sorsogon State University Data Protection Officer at:

Contact Information

Data Protection Officer: ROSS A. LUSTESTICA
Office: Data Privacy and Protection Office
Institution: Sorsogon State University
Address: Magsaysay Street, Salog (Pob.), Sorsogon City, Sorsogon
Telephone: 056 211-0103 loc. 1000

© 2024 Sorsogon State University – Data Privacy Statement
This document complies with the Data Privacy Act of 2012 (Republic Act No. 10173)