
DATA PROTECTION & SCHOOLS
Atty. Erlaine Vanessa D. Lumanog
Attorney IV, Privacy Policy Office
Credit: Jimmy Kimmel Live!
Data Protection & Schools 2021
Credit: #Digital2021 by We are Social and Hootsuite

https://www.seoforbreakfast.com/what-did-we-do-before-the-internet/

Children do not lose their human rights by virtue of
passing through the school gates. Education must
be provided in a way that respects the inherent
dignity of the child and enables the child to express
his or her views freely.
UN Convention Committee on the Rights of the Child

*UN Convention Committee on the Rights of the Child; General Comment no. 1 (2001) on Article 29
(1): The aims of Education; 17 April 2001; The Convention on the Rights of the Child (unicef-irc.org)



CHILDREN’S DATA PROTECTION IN AN EDUCATIONAL SETTING
Adopted by the Committee of the Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108)



The right to be let
alone - the most
comprehensive of
rights and the right
most valued by
civilized men.
[Brandeis J, dissenting in Olmstead v.
United States, 277 U.S. 438 (1928)]



WHAT IS INFORMATIONAL PRIVACY

The right to informational privacy is the right of an individual to control the collection of, access to, and use of personal information about him or her that are under the control or custody of the government and private sector.

It is essential to the protection of one’s ability to develop ideas and personal relationships, and underpins human dignity and other values like freedom of association and freedom of speech.



DATA PRIVACY ACT OF 2012
REPUBLIC ACT NO. 10173

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES



CONSENT FATIGUE & DATA PRIVACY COMPLIANCE
WHAT IS PROCESSING

Refers to any operation or any set of operations performed upon personal information including, but not limited to the following:
• Collection
• Recording
• Organization
• Storage
• Updating or modification
• Retrieval
• Consultation
• Use
• Consolidation
• Blocking
• Erasure
• Destruction



PERSONAL DATA

PERSONAL INFORMATION
• Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information,
• or when put together with other information would directly and certainly identify an individual.



SENSITIVE PERSONAL INFORMATION (SPI)
• Race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• Health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
• Issued by government agencies peculiar to an individual (social security numbers, health records, licenses or its denials, suspension or revocation, and tax returns); and
• Specifically established by law to be kept classified.

PRIVILEGED INFORMATION
• Husband-Wife; Lawyer-Client; Doctor-Patient; Priest-Penitent
• any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication



PERSONAL INFORMATION CONTROLLER (PIC)
any natural or juridical person who controls the processing of personal data, or instructs another to process personal data on its behalf

PERSONAL INFORMATION PROCESSOR (PIP)
any natural or juridical person to whom a PIC may outsource or instruct the processing of personal data

DATA SUBJECT
an individual whose personal, sensitive personal, or privileged information is processed



Pop Quiz:
You need to get consent for the processing of personal data.

True or False



CONSENT
▪ The data subject agrees to the collection and processing of personal information
✓ Freely given
✓ Specific
✓ Informed indication of will
▪ Evidenced by written, electronic or recorded means:
✓ signature
✓ opt-in box/clicking an icon
✓ sending a confirmation email
✓ oral confirmation
▪ Opt-in: silence, pre-ticked boxes or inactivity does not constitute consent



FREELY GIVEN, SPECIFIC, AND INFORMED
▪ Consent means giving data subjects genuine choice and control over how a PIC uses their data.

▪ Data subjects must be able to refuse consent, and must be able to withdraw consent easily at any time.

▪ Consent should be unbundled from other terms and conditions (including giving granular consent options for different types of processing) wherever possible.

▪ Clear affirmative action means someone must take deliberate action to opt in.



LAWFUL PROCESSING OF PERSONAL AND
SENSITIVE PERSONAL INFORMATION
Is consent always needed?
▪ No. Consent is just one criterion for lawful processing of both personal and sensitive personal information.

▪ Consent will not always be the most appropriate basis for processing personal data.

▪ PICs should choose the lawful basis that most closely reflects the true nature of the relationship with the individual and the purpose of the processing.



WHAT ARE THE ALTERNATIVES TO CONSENT?
For processing of personal information:
▪ CONTRACT WITH THE INDIVIDUAL: to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract

▪ COMPLIANCE WITH A LEGAL OBLIGATION: if you are required by law to process the data for a particular purpose

▪ VITAL INTERESTS: you can process personal information if it is necessary to protect the data subject’s life and health

▪ NATIONAL EMERGENCY: to respond to national emergency or to comply with the requirements of public order and safety

▪ PUBLIC TASK: if you need to process personal information to carry out public function or service and you have a legal basis for the processing

▪ LEGITIMATE INTERESTS: for the private sector, you can process personal data without consent if you have a genuine and legitimate reason, unless this is overridden by fundamental rights and freedoms of the data subject.



LEGITIMATE INTEREST 3-PART TEST
1. PURPOSE TEST – The existence of a legitimate interest must be clearly established,
including a determination of what the particular processing operation seeks to achieve;
2. NECESSITY TEST – The processing of personal information must be necessary for the
purpose of the legitimate interest pursued by the PIC or third party to whom personal
information is disclosed, where such purpose could not be reasonably fulfilled by other
means; and
3. BALANCING TEST – The fundamental rights and
freedoms of data subjects must not be overridden
by the legitimate interests of the PIC or third party,
considering the likely impact of the processing on
the data subjects.



WHAT ARE THE ALTERNATIVES TO CONSENT?
For processing of sensitive personal information:
▪ EXISTING LAW AND REGULATION: you can process sensitive personal information (SPI) when there is a law which requires the processing of such data

▪ PROTECTION OF LIFE AND HEALTH: to protect someone’s life – the data subject or another person – and the data subject is not legally/physically able to express consent

▪ PUBLIC ORGANIZATIONS: refers to processing done by non-stock, non-profit organizations, cooperatives, and the like, where processing is only confined and related to the bona fide members of these organizations

▪ MEDICAL TREATMENT: when processing is carried out by a medical practitioner or a medical treatment institution, and there is adequate level of protection of SPI

▪ LAWFUL RIGHTS AND INTERESTS: when processing is necessary to protect lawful rights and interests in court proceedings, the establishment/exercise/defense of legal claims, or when provided to government or public authority.



T: TRANSPARENCY
The data subject must be aware of the following:
• Purpose and extent of processing;
• Risks and safeguards;
• Identity of the PIC;
• Rights as data subject and how these can be exercised

L: LEGITIMATE PURPOSE
The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.

P: PROPORTIONALITY
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
Process only if the purpose could not be reasonably fulfilled by other means.

RISKS & THREATS
❖ Identity Theft
❖ Unauthorized Use of Data
❖ Unlawful Disclosure of Data
❖ Loss or Destruction of Data
❖ Violation of Data Privacy
❖ Hacking: Sabotage, Defacing
❖ Software Attacks (Malware):
  ❖ Viruses, Worms, Trojan, etc.
  ❖ Adware, Spyware, Ransomware, Scareware
❖ Social Engineering: Phishing



DATA BREACH CAUSES



5 PILLARS OF COMPLIANCE



REGISTRATION

Mandatory Registration
• A. at least 250 employees;
• B. processing 1,000 individuals;
• C. pose a risk to the rights and
freedoms of data subjects;
• D. the processing is not occasional.



Processing of personal data that is likely to pose a risk
to the rights and freedoms of data subjects:
(NPC Circular No. 2017-01, Appendix 1)
1. Government branches, bodies or entities;
2. Banks and non-bank financial institutions;
3. Telecommunications networks, internet service providers and other entities or organizations
providing similar services;
4. Business process outsourcing companies;
5. Universities, colleges and other institutions of higher learning, and other schools and
learning institutions;
6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities,
diagnostic or therapeutic facilities, specialized outpatient facilities, and other organizations
processing genetic data;
7. Providers of Insurance undertaking;
8. Businesses involved mainly in direct marketing, networking, and companies providing
reward cards and loyalty programs;
9. Pharmaceutical companies engaged in research;
10. Personal information processors processing personal information of PICs included in the
above, and data processing systems involving automated decision making
NPC DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE FRAMEWORK

GOVERNANCE
A. Appoint your DPO

RISK ASSESSMENT
B. Register systems
C. Maintain records
D. Conduct a PIA

ORGANIZATION
E. Privacy Management Program
F. Privacy Manual

DAY-TO-DAY
G. Privacy Notice
H-O. Data Subjects’ Rights
P. Data Life Cycle

DATA SECURITY
Q. Organizational Measures
R. Physical Measures
S. Technical Security Measures

BREACH MANAGEMENT
T. Data Breach Management
• Security Policy
• Data Breach Response Team
• Incident Response Procedure
• Documentation
• Breach Notification

THIRD PARTIES
U. Third Parties
• Legal Basis for Disclosure
• Data Sharing Agreements
• Cross Border Transfer Agreement

HUMAN RESOURCES
V. Training and Capacity Building
W. Security Clearances and NDA

PROGRAM REVIEW
X. Continuing Assessment and Development
• Regular PIA
• Review Contracts
• Internal Assessments
• Review PMP
• Accreditations

LEGAL AND ICT
Y. New technologies and standards
Z. New legal requirements
DATA PRIVACY IN ONLINE EDUCATION
BEST PRACTICES
KEY AREAS OF CONCERN

A. Use of Learning Management Systems or Online Productivity Platforms
• If an LMS or OPP was officially adopted, all activities pertaining to online learning should, to the extent possible, be conducted via such platform.
• Adopt and implement policy on the use of the platform, including destruction of personal data no longer necessary.
• Users, faculty and students alike, should be properly notified of the data processing activities within the platform.



BEST PRACTICES
KEY AREAS OF CONCERN

B. Use of Social Media
• Schools must create and implement a social media policy.
• Teachers and other school personnel are prohibited from using personal data collected in an official capacity and/or during an official school activity for personal purposes (e.g. posting in their personal social media accounts) unless consent is obtained or it is provided for by existing law/regulation.
• Submission of assignments and other requirements may be done through available social media applications on a case-to-case basis, with consideration to the circumstances of teachers and/or students.
• Submissions/documents/communications that include personal data should be sent directly to the appropriate teacher or school personnel and not be made publicly available.



BEST PRACTICES
KEY AREAS OF CONCERN

C. Opening of video cameras and audio
• Opening of cameras & audio is allowed during synchronous learning or the conduct of examinations.
• Policies or guidelines on the use of cameras for online classes and examinations should be reasonable and necessary to supervise and monitor learners and help educators in teaching.

D. Recording of Online Class Sessions
• Recording may be done as long as it has legitimate purposes in line with the educational framework.
• The recording may be used by the school and educators for training purposes, with learners and/or parents and guardians informed beforehand.
• Schools must include in their policies guidelines on use of class session recording. These must be provided to both parents and students at the beginning of the school year or as soon as the policies are created.



When formulating policies Educators must consider:

✓ PRIVACY
• Students might feel uncomfortable displaying their living space to their peers. Family members might not want their image or video to be captured.
• Students might also take a screenshot of their classmate’s video feed, which is prone to cyberbullying and privacy issues.

✓ EQUITY
• Not all students have reliable internet access. Some might have low bandwidth, cannot afford to stream videos, or have limited access to digital devices.

✓ PECULIARITY
• Some students might feel shy or anxious on camera, affecting their performance in class.



When formulating policies Educators must consider:

✓ Make sure to foster and create a culture of data privacy on and offline
CYBERSAFETY & CHILD ONLINE PROTECTION
STAIRWAY FOUNDATION, INC. &
DEPARTMENT OF EDUCATION

❖ PUBLIC ACCOUNTS:
❖ 4 out of 10 (7-12yrs)
❖ 5 out of 10 (13-16yrs)
❖ CHATTING WITH ONLINE STRANGERS
❖ 2 out of 10 (7-12yrs)
❖ 4 out of 10 (13-16yrs)
❖ POSTING PERSONAL INFORMATION
❖ 3 out of 10
STAIRWAY FOUNDATION, INC. &
DEPARTMENT OF EDUCATION
❖ PORNOGRAPHIC LINKS VIA SOCMED:
❖ Yes: 6 out of 10

❖ CYBERBULLYING:
❖ VICTIMS: 3 out of 10 (7-12yrs); 4 out of 10 (13-16yrs)
❖ VIA SOCMED: 6 out of 10 (7-12yrs); 8 out of 10 (13-16yrs)
❖ WAYS: Threats – 3 out of 10 (7-12yrs); Photo Editing – 3 out of 10 (13-16yrs)



STAIRWAY FOUNDATION, INC. &
DEPARTMENT OF EDUCATION
❖ PARENTS’ KNOWLEDGE OF ONLINE ACTIVITIES:
❖ YES - 7 out of 10 (7-12yrs); 5 out of 10 (13-16yrs)
❖ OK for parents to know: 5 out of 10 (7-12yrs); 4 out of 10 (13-16yrs)

RISKS OF CHILDREN ON THE
INTERNET & SOCIAL MEDIA
• Exposure to Strangers
• Cyberbullying
• Online Sexual Abuse and Exploitation
• Violation of Data Privacy



WHAT SCHOOLS CAN DO NOW
❑ EDUCATE & CAPACITATE
✓ Administrators, faculty, personnel
✓ Students, parents and guardians
✓ Third-party contractors

❑ ENSURE COMPLIANCE
✓ Operational not merely substantial
✓ Policies and people

❑ ENDEAVOR TO CREATE A CULTURE OF PRIVACY


✓ Privacy by default
✓ Privacy by design
✓ Community effort
info@privacy.gov.ph
invitation@privacy.gov.ph
compliancesupport@privacy.gov.ph

https://privacy.gov.ph

(02) 234-2225
