Implementation of in Schools: Privacy

Uploaded by

JUNEL MABILANGA
Copyright: © All Rights Reserved
Implementation of Data Privacy Act in Schools
• The school is a PERSONAL INFORMATION CONTROLLER and the student is a DATA SUBJECT within the context of the Data Privacy Act.
• DATA SUBJECT refers to an individual whose personal information is processed.
• PERSONAL INFORMATION CONTROLLER refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
• The term excludes:
1. A person or organization who performs such functions as instructed by another person or organization;
2. An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
Why is the school considered a Personal Information Controller?
• The school is deemed a Personal Information Controller under the law because the school controls the collection, holding, processing or use of personal information of students from admission up to the completion of the course or program.
What is “processing” in the context of DPA of 2012?
• Processing refers to any operation or any set of operations performed upon personal information including but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
What are the general data privacy principles in the processing of personal information?
• Transparency
• Legitimate purpose
• Proportionality
• Necessity
What are the 3 types of personal information covered by the DPA of 2012?
• Personal Information in General
• Sensitive Personal Information
• Privileged Information
What is covered by the term Personal Information?
• It refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
What is Sensitive Personal Information?
• Personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by the government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
4. Specifically established by an executive order or an act of Congress to be kept confidential.
What is Privileged Information?
• It refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
Criteria for the Lawful Processing of Personal Information
• The data subject has given his or her consent;
• The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
• The processing is necessary to protect vitally important interests of the data subject, including life and health;
• The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
• The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Criteria for the Lawful Processing of Sensitive Personal Information
• The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
• The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
• The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
• The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
• The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
What are the Rights of the Data Subject?
• Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
• Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity;
• Reasonable access;
• Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;
• Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
• Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
