Data Privacy in schools under the new normal - #Data Privacy Bites for Fridays

Recently, the National Privacy Commission (NPC) published its call for schools to fortify information security due to the rising number of reports of data (or personal information) security incidents. Among the items mentioned in the recent NPC updates are: "1) The National Privacy Commission is looking into the reported security incidents sustained by prominent universities these past weeks; 2) Amid the increase in personal data security incidents, we (NPC) call on school officials to fortify their information systems. 3) As schools shift to digital operations and virtual learning systems in the wake of the pandemic, they must prioritize the security of their information technology infrastructures and deploy a “privacy by design” approach by embedding privacy into their policies, networks and business practices. 4. Security incidents that lead to personal data breaches could expose affected data subjects to possible harms including identity theft, scams, and phishing. Likewise, they undermine people’s trust in institutions, which are expected to keep personal data safe and private." (Privacy Commissioner Liboro urges schools to fortify information systems amid rising security incidents, 18 June 2020) Consistent with the said initial publication, the NPC just in the past week again published that the Commission has already made the following recommendations for the education sector:

"1) Create a data-breach response team, which will be responsible for creating and implementing an incident-response procedure. This will help schools contain the impact of the breach and immediately restore integrity to the information and communications system. 2) Create policies and implement them effectively to prevent or minimize breaches and ensure timely discovery of a security incident.

3) Conduct security audits and tests, such as privacy-impact assessment source-code audit, vulnerability assessment and penetration testing, especially when there are changes in conditions that warrant a review of data privacy and security policies." (NPC Initiates Code of Conduct to Guide Schools Amid Shift to Online Education, 28 June 2020)

With this information drive of the NPC with the education sector, it appears that the implementation of the Data Privacy Act of 2012 is becoming more timely, pressing and aggressive. On the other hand, the general public especially the parents whose minor children will be resuming their formal education this coming school year via online platforms do not appear very aware of the repercussions, dangers or risks to which their kids will be exposed to. Perhaps this aspect of the information drive should be fully addressed as well. It would be prudent for parents to be fully aware and educated with the privacy and data protection risks to which these online education platforms may present to the minor children. After all, minors cannot legally give their consent as data subjects as may be required under the Data Privacy Act. #DataPrivacyBites for Fridays #DataPrivacyComplianceAdviser @dataprivacyadvisor