Evolution of communication technology

Has been a continuous and transformative process throughout human history. It has shaped the way we connect, share
information, and interact with one another.

ORAL COMMUNICATION

The earliest form of communication was oral, where people communicated through spoken words and gestures. This
method allowed for direct, face-to-face interaction and was the primary means of communication for thousands of
years.

WRITTEN LANGUAGE

The development of written language, such as cuneiform and hieroglyphics, enabled the recording and preservation of
information.

The Sumerians in ancient Mesopotamia developed cuneiform writing around 3200 BCE.This system allowed them to
record important information on clay tablets, such as laws and administrative records, which were essential for
governing their city-states.

PAPER AND PRINTING PRESS

The invention of paper in China around 105 AD and later the printing press by Johan Gutenberg in the 15th century
revolutionized communication by making the mass production of written materials possible.

example of the impact of the printing press is Gutenberg's Bible, printed in the 15th century.

TELEGRAPH

developed in the early 19th century, enabled long-distance communication by transmitting messages in Morse code
over electrical wires.

One of the most famous telegrams is the first message sent in 1844: "What hath God wrought?" This marked the
beginning of rapid long-distance communication in the United States.

TELEPHONE

Alexander Graham Bell's invention of the telephone in 1876 introduced real-time voice communication over long
distances. was a game-changer for both personal and business communication, as it made remote conversations
possible.

RADIO AND TELEVISION

The 20th century saw the rise of radio and television, enabling broadcasted audio and visual communication to reach a
mass audience.

In 1920, the first commercial radio station, KDKA in Pittsburgh, broadcasted the results of the U.S. presidential
election. This marked the beginning of radio as a primary source of news and entertainment.

COMPUTERS AND THE INTERNET

The advent of computers and the development of the internet in the late 20th century revolutionized communication
once again.

ARPANET, the precursor to the modern internet, sent its first message in 1969, which was "LOGIN." This laid the
foundation for the internet as we know it today, connecting computers and facilitating the exchange of information
globally.
MOBILE PHONES

The introduction of mobile phones in the 1980s transformed personal communication. These devices allowed for voice
calls and text messaging, and over time, they evolved into smartphones with internet connectivity, GPS, and a wide
range of applications.

Mobile phones made communication more convenient and portable.The first mobile phone call was made by Martin
Cooper in 1973. He called a rival at Motorola and said, "I'm ringing you just to see if my call sounds good at your end."
This marked the beginning of the era of personal mobile communication.

SOCIAL MEDIA

The rise of social media platforms like Facebook, Twitter, and Instagram in the 21st century changed the way people
interacted and shared information.

In 2004, Mark Zuckerberg and his co-founders launched Facebook from a dorm room at Harvard University. Facebook
allowed users to create profiles, connect with friends, and share updates and photos, transforming the way people
socialize online.

VIDEO CONFERENCING

Video conferencing platforms like Skype, Zoom, and Microsoft Teams became essential tools for business and personal
communication. Video conferencing platforms like Skype, Zoom, and Microsoft Teams became essential tools for
business and personal communication

5G AND BEYOND

Fifth-generation wireless (5G) is the latest iteration of cellular technology, engineered to greatly increase the speed and
responsiveness of wireless networks. With 5G, data transmitted over wireless broadband connections can travel at
multigigabit speeds, with potential peak speeds as high as 20 gigabits per second (Gbps) by some estimates.

Communication system

-is a set of interconnected components or devices that transmit, receive, process, and interpret information or data
between individuals, groups, or entities.

-are essential for conveying messages, sharing information, and facilitating interactions in various contexts, including
personal, business, and technological communication

KEY COMPONENTS AND CONCEPTS OF A COMMUNICATION SYSTEM

❑ -INFORMATION SOURCE
❑ -TRANSMITTER
❑ -COMMUNICATION CHANNEL
❑ -RECEIVER
❑ -DESTINATION
❑ -NOISE AND INTERFERENCE
❑ -FEEDBACK
❑ -PROTOCOLS
❑ -BANDWIDTH
❑ -MODULATION AND DEMODULATION
❑ -ENCRYPTION

Information Source
-This is the origin of the information or message to be communicated. It can be a person, a computer, a sensor, or any
device capable of generating data or content.

The transmitter

is responsible for encoding, formatting, and transmitting the information in a suitable form for transmission. It converts
the information into signals that can be transmitted over a communication channel.

The Communication Channel

is the physical or logical path through which the signals or information travel from the transmitter to the receiver.
Channels can be wired (e.g., copper cables, optical fibers) or wireless (e.g., radio waves, microwave links).

Receiver

is responsible for receiving the transmitted signals, decoding them, and extracting the original information.

Destination

-is the intended recipient of the information or message. It can be a person, a computer, or any device capable of
receiving and interpreting the information.

Noise and Interference

Noise refers to any unwanted signals or disturbances that can degrade the quality of the transmitted information.

Interference can be caused by external sources or other signals in the same channel.

Information Source

-This is the origin of the information or message to be communicated. It can be a person, a computer, a sensor, or any
device capable of generating data or content.

Bandwidth

-refers to the range of frequencies or data rates that a communication channel can support. It determines the capacity
of the channel to carry information. Higher bandwidth allows for faster data transmission.

Modulation and Demodulation

-information is modulated onto carrier signals for transmission and then demodulated at the receiver to extract the
original information. Modulation techniques vary depending on the type of communication channel and the
requirements of the system.

Feedback

-can be used to ensure that the message was received correctly and to adjust the transmission if needed.

Protocols

-ensure that different components and systems can communicate effectively with each other.

Encryption

-is the process of encoding information to protect it from unauthorized access.

-In secure communication systems, encryption is often used to ensure the privacy and security of transmitted data.

E GOVERNMENT

E-government
- short for electronic government, refers to the use of information and communication technologies (ICTs) to enhance
and streamline government operations, improve service delivery to citizens, businesses, and other government entities,
and facilitate greater transparency and efficiency in government processes.

ONLINE SERVICES

- E-government encompasses a wide range of online services provided by government agencies. These services can
include tax filing, permit applications, social services applications, voting registration, and more.

IMPROVED ACCESS

-E-government initiatives aim to make government services and information more accessible to a broader audience,
including individuals with disabilities and those living in remote areas.

EFFICIENCY AND COST SAVINGS

-By automating administrative processes and reducing paperwork, e-government can lead to significant cost savings for
government agencies. It can also increase the efficiency of government operations by reducing manual data entry and
paperwork handling.

TRANSPARENCY

-E-government can enhance transparency by making government information, documents, and data more readily
available to the public.

DATA SECURITY

-E-government initiatives place a strong emphasis on data security and privacy.

CITIZEN ENGAGEMENT

-E-government can facilitate citizen engagement by providing platforms for citizens to provide feedback, participate in
online forums, and contribute to the decision-making process.

DIGITAL INCLUSION

-Governments work to ensure that e-government initiatives are inclusive and that all citizens have access to digital
services.

OPEN DATA

-Many e-government initiatives involve the publication of open data—non-sensitive government data that is freely
available for anyone to access, use, and share.

-Many e-government initiatives involve the publication of open data—non-sensitive government data that is freely
available for anyone to access, use, and share.

E-GOVERNMENT

Many e-government initiatives involve the publication of open data—non-sensitive government data that is freely
available for anyone to access, use, and share.

E-GOVERNMENT In the Philippines

-the Philippines has been actively pursuing e-government initiatives to modernize government services, enhance
transparency, and improve citizen engagement.

-E-government efforts in the Philippines have made significant progress, but it's important to note that the landscape of
e-government is continually evolving, and new developments may have occurred since then.

PHILIPPINE E-GOVERNMENT MASTER PLAN (EGMP)

-The Philippine government launched the eGMP to guide its e-government initiatives. This comprehensive plan outlines
strategies for leveraging information and communication technology to improve governance, public service delivery, and
citizen engagement.

PHILIPPINE GOVERNMENT PORTAL

-The official government portal, www.gov.ph, serves as a central gateway for accessing government services and
information online.

E-BIR (ELECTRONIC BUREAU OF INTERNAL REVENUE)

-The Bureau of Internal Revenue (BIR) has implemented various electronic services to simplify tax-related processes.
Taxpayers can file their income tax returns, pay taxes, and access tax-related information online through the e-BIR
portal.s.

ONLINE GOVERNMENT TRANSACTIONS

-The government has introduced various initiatives to enable online government transactions. This includes online
registration of businesses through the Department of Trade and Industry's (DTI) Business Name Registration System
(BNRS) and other e-services provided by different government agencies.

NATIONAL ID SYSTEM

-The Philippine Identification System (PhilSys) is an ambitious project aimed at providing each Filipino with a unique
national identification number. This digital ID system is intended to streamline access to government services and
promote financial inclusion.

E-LGU (ELECTRONIC LOCAL GOVERNMENT UNITS)

-Many local government units (LGUs) in the Philippines have implemented e-government initiatives to improve local
services.

NATIONAL BROADBAND PLAN

-The government has been working on a National Broadband Plan to improve internet connectivity across the country,
especially in rural areas.

DIGITAL LITERACY PROGRAMS

The government has recognized the importance of digital literacy and has implemented programs to enhance digital
skills among citizens, particularly in underserved areas.

E-GOVERNMENT

It's important to check for updates and developments in the field of e-government in the Philippines, as the government
continually evolves its strategies and initiatives to better serve its citizens and businesses through digital means.

BIG DATA
Big data refers to extremely large and complex datasets that cannot be easily managed, processed, or analyzed with
traditional data processing tools. These datasets typically involve a wide variety of data types, including structured data
(like databases), semi-structured data (like XML and JSON files), and unstructured data (like text, images, and videos).

BIG DATA IS CHARACTERIZED BY THE "THREE VS"

VOLUME

Big data involves vast amounts of data. Traditional databases and data processing tools are not designed to handle the
sheer volume of data generated in today's digital world. Examples of high-volume data sources include social media, IoT
(Internet of Things) devices, and scientific research.

VELOCITY

Data is generated and collected at an incredibly high speed. This data needs to be ingested, processed, and analyzed in
real-time or near-real-time. Examples of high-velocity data sources include stock market data, social media updates, and
sensor data from manufacturing processes.

VARIETY

Big data encompasses a wide variety of data types and formats. This includes structured data, like traditional database
records, as well as unstructured data, like text documents, images, audio, and video. Dealing with this diversity requires
specialized tools and techniques.

IN ADDITION TO THE THREE VS, THERE ARE OFTEN TWO MORE VS ADDED TO THE DEFINITION OF BIG DATA

VARIABILITY

The data can have inconsistent or varying data formats. This variability can make it challenging to process and analyze
the data effectively.

Ex. E-COMMERCE DATA

• Volume: E-commerce websites generate large volumes of data, including customer transactions, browsing
history, and product reviews.
• Velocity: Online shopping leads to a constant stream of transactions and customer interactions.
• Variety: Data includes structured (order details), unstructured (product reviews), and semi-structured (customer
profiles).
• Veracity: Product reviews may contain biased or inaccurate information.

THREATS TO DATA PRIVACY

DATA PRIVACY COUNCIL EDUCATION SECTOR ADVISORY NO. 2020-1 DATA PRIVACY AND ONLINE LEARNING I.
GENERAL PROVISIONS

A. Purpose

This document aims to guide schools and other educational institutions, as well as other stakeholders in the education
sector, in their efforts to ensure adequate data protection in the conduct of online learning and other related activities.
B. Nature and Scope This document is meant to be a set of recommendations and shall not be treated as some type of
policy. Each educational institution retains the prerogative to decide on the measures it shall deem appropriate for its
context. It may define, adopt, and implement its own data protection policies that seek to protect personal data under
its control or custody. While this document covers different areas relevant to online learning, it is not intended to be an
exhaustive list of such concerns. Neither does it include issues which, while related to online learning, do not involve the
processing of personal data. This Advisory may be updated periodically, as the need arises.

C. Definitions

Whenever used in this document, the following terms shall the have their corresponding meanings provided here:

1. “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject
agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall
be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful
representative or an agent specifically authorized by the data subject to do so.

2. “Data Privacy Act of 2012” or “DPA” refers to Republic Act No. 10173 (AN ACT PROTECTING INDIVIDUAL PERSONAL
INFORMATION IN INFORMATION AND 1 COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES).

3. “Data processing systems” refers to the structure and procedure by which personal data is collected and further
processed in an information and communications system or relevant filing system, including the purpose and intended
output of the processing;
4. “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a personal
information controller or personal information processor. In the case of the latter, such disclosure or transfer must have
been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the
disclosure or transfer of personal data by a personal information controller to a personal information processor;

5. “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;

6. “Learning Management System” or “LMS” refers to a software application for the administration, documentation,
tracking, reporting, automation and delivery of educational courses, training programs, or learning and development
programs.

7. “Social Media refers” to interactive computer-mediated technologies that facilitate the creation or sharing of
information, ideas, career interests and other forms of expression via virtual communities and networks.

8. “Personal data” refers to all types of personal information as defined under the DPA.

9. “Personal information” or “PI” refers to any information whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information,
or when put together with other information would directly and certainly identify an individual.

10. “Personal information controller” or “PIC” refers to refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

11. “Personal information processor” or “PIP” refers to any natural or juridical person qualified to act as such under this
Act to whom a personal information controller may outsource the processing of personal data pertaining to a data
subject.

12. “Privileged information” refers to any and all forms of data which under the Rules of Court and other pertinent laws
constitute privileged communication.

13. “Sensitive personal information” or “SPI” refers to personal information: a. About an individual‚ race, ethnic origin,
marital status, age, color, and religious, philosophical or political affiliations; b. About an individual‚ health, education,
genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such proceedings; c. Issued by
government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or revocation, and tax returns; and d. Specifically established
by an executive order or an act of Congress to be kept classified. 2

D. Key Points and Principles

When conducting personal data processing activities deemed necessary or related to online learning, the following
points and principles shall be observed to greatest extent possible:

1. Accountability. An educational institution is accountable for all the personal data it collects and processes. This
obligation subsists even in the following conditions: a. It outsources or subcontracts its personal data processing
activities b. It has properly obtained the consent of its students (or their parent or legal guardian, in the case of minors).

2. Information about Education as Sensitive Personal Information. According to the DPA, information about education is
SPI. As such, its processing is generally prohibited. It may only be processed in specific circumstances provided in the law
(see: Section 13, DPA):

a. when the data subject has given consent

b. when the processing is provided by applicable law or regulations, that afford adequate data protection
 c. when processing is necessary to protect the life or health of the data subject or another person, and the data subject
is unable to give consent

d. when processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their
associations. However, processing must be confined only and related to the bona fide members of such organizations or
associations. The information must also not be transferred to third parties, and the affected data subjects must have
given their consent prior to processing.

e. when processing is necessary for purposes of medical treatment. However, such treatment must be performed by a
medical practitioner or a medical institution, and an adequate level of data protection is ensured.

f. when processing involves information necessary for the protection of lawful rights and interests of natural or legal
persons in court proceedings

g. when processing involves information necessary for the establishment, exercise, or defense of legal claims

h. when the information is to be provided to government or a public authority pursuant to a constitutional or statutory
mandate.

3. Legitimate Interest. In order for legitimate interest to be an appropriate basis for the lawful processing of personal
information, the following three-part test must be met:

a. Purpose Test – Does the processing have a legitimate interest or purpose?

b. Necessity Test – Is the processing necessary to achieve such interest or purpose? Is there a less intrusive way to
achieve the purpose?

c. Balancing Test – Is such interest or purpose not overridden by the concerned individual’s rights and freedoms? For
additional guidance on this matter, refer to the following NPC Advisory Opinions: (i) NPC Advisory Opinion No. 2018-
020; (ii) NPC Advisory Opinion No. 2018-050; (iii) NPC Advisory Opinion No. 2020-006

4. Legitimate Purpose. The processing of personal data must have a declared and specified purpose that is not contrary
to law, morals, or public policy. (see: Section 11(a), DPA)

5. Proportionality. The processing of personal data shall be adequate, relevant, suitable, necessary, and not excessive in
relation to its declared and specified purpose. It shall only 3 be undertaken if the purpose thereof cannot be reasonably
fulfilled by other means.(see: Section 11(d), DPA)

6. Transparency. An individual must be aware of the nature, purpose, and extent of the processing of his or her
personal data, including the risks and safeguards involved, the identity of the PIC, his or her rights as a data subject, and
how these rights can be exercised. Any information and communication relating to the processing of personal data must
be easy to access and understand using clear and plain language.(see: Section 11, DPA)

II. Areas of Concern

A. On the use of a Learning Management System and Online Productivity Platforms

1. Where an educational institution has officially adopted a particular Learning Management System (LMS) or Online
Productivity Platforms (OPP), all activities pertaining to online learning should, to the extent possible, be conducted via
such a platform.

2. Where the official LMS or OPP adopted by an educational institution is its own (i.e., it has developed), the educational
institution shall make sure it has adequate data protection features and is governed by an appropriate policy and/or
manual.

3. Where the official LMS or OPP adopted by an educational institution is owned and/or provided by a third party, its use
should be covered by a Data Processing Outsourcing Agreement, or any equivalent document. For this purpose, the
presence or insertion of standard data protection clauses in the contract between the educational institution and the LMS
or OPP provider and/or the terms and conditions governing the use of said LMS or OPP may be deemed sufficient (see
also: NPC Advisory Opinion No. 2020-018).

4. An announcement or posting that involves personal data (e.g., grades, results of assignments, etc.) should be made in
a manner that only makes it viewable by its intended recipient/s. For instance, exam results should be given on an
individual basis and not released en masse even if the students belong to the same class.

5. Downloading of personal data stored in the LMS or OPP should be kept to a minimum and/or limited to that which is
necessary for online learning. Ideally, a policy should determine what is necessary for such purpose. In line with this, it is
also important that any downloaded data be retained only until there is a legitimate need for such offline copy. This, too,
may be covered by an appropriate policy.

6. There should be mechanisms in place so that submissions (e.g., assignments, projects, etc.) may be carried out in a safe
and secure manner. Submissions via social media platforms are discouraged since these platforms were never designed
for such purpose.

7. Exercise caution when integrating applications, tools, and other services to an LMS or OPP. They may introduce
vulnerabilities to an otherwise secure system. A Privacy Impact Assessment may be undertaken by a multidisciplinary
team before formalizing any planned 4 integration. The team shall review key areas such as security, data protection,
compatibility, and administration.

B. On other available unofficial supporting tools for online learning

1. The use of tools or technologies for online learning that have not been officially adopted by an educational institution
(i.e., there is no formal relationship between the institution and the developer of these tools) should be limited. Since no
active effort has been made to make sure there is adequate protection in their use, the security of any personal data
processed through them may be suspect—or worse, nonexistent.

2. If or when these tools are being evaluated in terms of the level of protection they provide to personal data uploaded to
them or processed through their use, an educational institution may determine if they are covered by any industry-
accepted certification or third party audit report, such as:

a. Philippine National Standards (PNS) ISO/IEC 27001:2018 Information technology - Security techniques - Information
security management systems

b. PNS ISO IEC 27018:2015 Information technology - Security techniques – Code of practice for protection of personally
identifiable information (PII) in public clouds acting as PII processors

c. PNS ISO/IEC 29100:2019 Information technology – Security techniques – Privacy framework (equivalent of NIST’s Privacy
Framework)

d. ISO 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information
management — Requirements and guidelines

e. SOC2 - System and Organization Controls (SOC) Type 2 - Trust Services Criteria

f. HECVAT - Higher Education Community Vendor Assessment Toolkit

3. The geographical location of the developer or provider of an online tool or platform (including its data centers) as well
as the governing laws in said jurisdiction should also be considered as part of the evaluation. While the DPA has extra-
territorial application, its enforcement may be rendered impossible or at least extremely difficult, depending on said
location and the laws therein.

4. Ideally, a Privacy Impact Assessment (PIA) should be conducted prior to the use of these tools in order to determine the
level and type of attendant risks. The PIA should include a proper Personal Data Inventory.
C. On the use of social media

1. All personal data posted on social media are considered public by nature unless appropriate privacy tools and settings
made available by the platform are properly utilized. (see: Vivares vs. St. Theresa’s College, GR No. 202666, September
29, 2014). NOTE: While the DPA was already in force when this decision came out, the law was not consulted by the
Supreme Court presumably since the events that led to the case occurred before the law was enacted.). However, this
does not mean they can be used or processed by any person or entity for any purpose or reason. Their processing must
still comply with the DPA. 5

2. Posting or sharing of personal data (e.g., photos, videos, etc.) on social media must always have a legitimate purpose.
Such purpose, along with the type of personal data involved, often determines whether or not the consent of affected
data subjects is necessary prior to such posting or sharing.

3. Even when posting of personal data is determined to be allowed: a. the numerous risks inherent in social media
platforms should still be properly appreciated. Adherence to the principles of legitimate purpose and proportionality is
encouraged at all times. b. it must be carried out using only authorized or official social media accounts of the educational
institution (or any of its units or offices). There should be appropriate rules or protocols governing the use of these official
accounts.

4. If personal data is posted on social media as a course requirement, the lifespan of such data usually coincides with that
of the course. Thus, once the course has concluded, it means the lifespan of the data will have also elapsed. It must then
be removed or deleted, unless there is some other lawful basis for keeping it online.

5. If personnel of an educational institution have collected personal data in their official capacity and/or during an official
activity, such data must not be used for personal purposes or reasons. The posting of such data using personal social media
accounts may be a violation of the educational institution’s social media policy, if any, and could merit disciplinary action.
On the other hand, if they have collected personal data in their individual or personal capacity, but then decide to use it
for work-related purposes, they should first ask permission from the affected data subjects in accordance with the
principles of fairness and transparency.

D. Publication of information or files in via other means or platforms

Personal data (including the files or records that contain them) stored or uploaded to an LMS or OPP may be covered by
a number of legal or technical requirements (e.g., confidentiality, access restriction, retention, and even intellectual
property laws). As such, publicly disseminating, reposting, or resharing them may run afoul of not just the DPA but also
other applicable laws and regulations. Extreme care must be exercised when handling them. Consulting the appropriate
offices and, when necessary, securing consent or authorization is strongly advised before any of the foregoing actions are
taken.

E. On the storage of personal data

1. Ideally, all personal data collected during the conduct of an online course should be stored in the LMS or OPP adopted
by the educational institution in order to ensure adequate data protection measures are in place. If they will be collected
outside of the LMS or OPP, proper data protection and data governance policies should be developed for such purpose.
These policies should preserve the confidentiality, integrity, and availability of the data.

2. Storing of personal data collected as part of the conduct of a class in a personal account or device should be avoided or
at least kept to a minimum in order to minimize the risk of unauthorized use or access. Official educational institution
accounts typically include access 6 to official storage facilities. Personal data collected via official activities should be kept
in such facilities so that they stay within the official work environment of the concerned institution.

3. Unless some other lawful basis for their continued retention exists, personal data should be disposed of securely when
the declared purpose for its collection and processing is no longer valid.

F. On the use of webcams and the recording videos of online discussions

1. Whenever possible, the use of webcams in synchronous online classes or sessions should be optional.

2. When the education institution is considering the recording of these online classes or discussions, the principles of
Legitimate Purpose and Proportionality should be primary considerations. Among the legitimate uses of recorded sessions
could include: a. Review of the lecture presentations (e.g. slides) and ensuing class discussions at a later time. b. Viewing
by students (and/or their parents) who are unable to attend, subject to appropriate school protocols.

3. Where consent is necessary for the recording of these classes or sessions (as determined by attendant circumstances)
and the data subject is a minor, consent must be obtained from the parent, legal guardian, or any other person validly
exercising parental authority over the child. and consider having the legal guardian or parent present.

4. When the student is a minor, consider having the parent or legal guardian present during these recorded classes or
sessions.

5. Posting the recorded classes or sessions or making them available on public platforms (e.g., social media, school website,
etc.) must also adhere to the principles of Legitimate Purpose and Proportionality. Individuals who may be affected
thereby must have been informed beforehand of the school’s intention to make the recording public. Depending on the
nature of the recording, prior approval of said individuals may also be necessary.

6. Educational institutions should establish a policy or guidelines governing the use of webcams and the recording of online
classes or sessions. Such policy should take into account not only its legitimate interests, but also individual privacy rights.
It should also address the possible recording and use of such classes or sessions by the participants themselves.

G. Online proctoring

1. When determining the propriety of carrying out online proctoring, the principles of Legitimate Interest and
Proportionality should be key considerations. Specifically, the interests of the students should be weighed against those
of the educational institution in order to ascertain the appropriate balance. A similar approach must be taken when looking
at the invasive nature of online proctoring and the legitimate aim it seeks to achieve. 7

2. Explicit consent of the student (or parent or legal guardian, in the case of minors) should be obtained prior to the
conduct of online proctoring and the use of related tools or technologies.

3. In carrying out online proctoring, take note of the following critical data processing activities:

a. The tool or technology to be used may request for the installation of software such as a secure browser or a plugin to a
browser.

b. The tool may also require access to scan the computer for processes that are running and the number of monitors
currently connected.

c. The tool may perform various forms of verification or identification processes, including the taking of images of the
student and the venue or room where the exam will be taken.

d. The session may be recorded for the entire duration of the exam and automated processing techniques may be
incorporated to detect potential cheating behavioral patterns from the student.

4. To the extent possible, human-based evaluation should still be included as a secondary validation process for any or all
data processed in the course of or as a result of automated proctoring.

H. Data Security

To ensure proper protection of personal data, refer to the following resources published by the NPC:

1. FAQs on Data Security

2. 30 Ways to Love Yourself Online: A Beginner’s Guide to Personal Data Privacy

3. NPC COVID-19 Bulletins

4. Data Breach Prevention

5. NPC Advisory No. 2020-02: Guidelines on the use of videoconferencing technology for the remote appearance and
testimony of parties before the national privacy commission

DATA PRIVACY THE BASICS

Protecting individual personal information in information and communications systems in the government and the
private sector, creating for this purpose a national privacy commission, and for other purposes.

WHAT IS THE SCOPE OF THE DATA PRIVACY ACT?

The Data Privacy Act applies to any natural or juridical persons involved in the processing of personal information. It
also covers those who, although not found or established in the Philippines, use equipment located in the Philippines, or
those who maintain an office, branch, or agency in the Philippines.

National Privacy Commission (NPC)

The National Privacy Commission (NPC) is the country's privacy watchdog; an independent body mandated to administer
and implement the DPA, and to monitor and ensure compliance of the country with international standards set for data
protection.

National Privacy Commission (NPC)

The National Privacy Commission (NPC) is the country's privacy watchdog; an independent body mandated to administer
and implement the DPA, and to monitor and ensure compliance of the country with international standards set for data
protection

DOES THE DIFFERENCE BETWEEN PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION MATTER?

Yes. The law treats both kinds of personal information differently. Personal information may be processed, provided
that the requirements of the Data Privacy Act are complied with. On the other hand, the processing of sensitive personal
information is, in general, prohibited. The Data Privacy Act provides the specific cases where I processing of sensitive
personal information is allowed.

WHAT ARE SENSITIVE PERSONAL INFORMATION? SEC. 3(L)

1. race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. health, education, genetic or sexual life of a person,

3. civil, criminal or administrative proceedings

4. Unique identifiers issued by government agencies peculiar to an individual

5. Specifically established by law as classified

WHAT IS THE DIFFERENCE BETWEEN PERSONAL INFORMATION CONTROLLER (PIC) AND PERSONAL INFORMATION
PROCESSOR (PIP)?

1. Under the DPA a PIC refers to a person or organization who controls the collection. holding, processing or use of
personal information, including a person or organization who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information on his or her behalf. The term does not include:
• A person or organization who performs such functions as instructed by another person or organization; and
 • An individual who collects, holds, processes or uses personal information in connection with the individual's
personal, family or household affairs
2. On the other hand, PIP refers to any natural or juridical person qualified to act as such under the DPA to whom
a PIC may outsource the processing of personal data pertaining to a data subject

DATA PROTECTION OFFICER: MR. RAMON RODRIGUEZ

A DPO has the formal responsibility for data protection compliance within a company, The duties of the DOares

Monitor compliance with NPC and other national data protection laws as well as policies established by controllers or
processors for the protection of personal data

Perform internal audits to ensure compliance Elevate awareness Wie the organistic about compliance requirements

Train staff involved in processing operations Act as a liaison between the organization and supervisory authorities

Manage internal data protection activities Advise on data protection impact assessments

An important part of the DPO's role is to remain independent while conducting these duties. The organization cannot
tell them how to perform their duties and must also provide them with the resources needed to carry out their duties.

DATA PRIVACY COMPLIANCE OFFICER: MR. RONALD ‘GORBY’ T. RESUELLO -COMPLIANCE OFFICER FOR PRIVACY

central responsibility for a compliance officer is to ensure the company is conducting all its business activities in
accordance.

serve both an ethical role and a practical one. They help manage risk, maintain a favorable reputation, and avoid
litigation.

keeping business operations compliant, they also often take part in educating the entire company about compliance and
establishing practices to foster this kind of culture.

Level 1: Compliance with the external rules imposed upon an organization.

Level 2: Compliance with internal systems of control to attain compliance with externally imposed rules.

DATA BREACH: 3 KINDS OF BREACHES

AVAILABILITY BREACH – from the loss accidental or unlawful destruction of personal data.

INTEGRITY BREACH. – from the unauthorized alteration of personal data

CONFIDENTIALITY BREACH. – from the unauthorized disclosure of or access to personal data

RIGHTS OF THE DATA SUBJECT

An individual whose personal, sensitive personal or privileged information is processed has the following rights.
 • Right to be Informed
• Right to Access
• Right to Object
• Right to Rectification
• Right to Erasure or Blocking
• Right to Damages
• Right to Data Portability
• Right to File a Complaint

DATA PRIVACY PRINCIPLES

TRANSPARENCY

- genuine choice and control

- unbundled from other terms and conditions

-Clear affirmative action means someone must take deliberate action

LEGITIMATE PURPOSE

For legitimate interest to be an appropriate basis for the lawful processing of personal information

PROPOTIONALITY

BRING 2PCS 2X2 PICTURE (EXAMPLE)

KEY POINTS AND PRINCIPLES

Accountability. An educational institution is accountable for all the personal data it collects and processes.

Information about Education is a Sensitive Personal Information.

BEGINNER’S GUIDE TO PERSONAL DATA PRIVACY