IF YOUR child wins an award, can the school post his/her picture on the school website? If you fail to pay the tuition on time, can they post the student’s name on a list of creditors near the cashier’s booth? Can a teacher post a picture of herself with her students, on her social media account? If an online Zoom class is breached and the pictures posted online by the hackers, who should be responsible?
Do you know? Shouldn’t you know, as a parent, what are the obligations of the school to protect your and your child’s personal data?
A data privacy policy should address these question and all schools should have one. The Data Privacy Act (DPA) of 2012 requires all organizations processing personal data to put in place “organizational, technical and physical security measures” to protect the personal data that they process, and to inform the data subjects of the hows and whys of that process.
The burden on schools is greater because school records are considered sensitive personal information, the processing of which is allowed only under certain conditions.
In an advisory opinion in November last year, the National Privacy Commission said: “Under the DPA, information about an individual’s education is categorized as sensitive personal information, the processing of which is generally prohibited unless covered by the criteria set forth under Section 13 of the law and other existing laws, rules and regulations.
“Apart from the student’s name, the data set enumerated in the class roster, i.e, student’s school name, grade level, section and test scores, are considered sensitive personal information as these are related to the student’s education. The processing, which includes disclosure or posting, of the enumerated information must be in accordance with Section 13 of the DPA.”
Section 13 of the DPA enumerates the conditions under which sensitive personal information may be processed: if there is consent from the data subject/s; if the law allows the processing, and does not require the consent of the data subject/s; the processing is needed to protect the life and health of an individual, and the data subject is unable to give consent prior to the processing; the processing is needed for medical treatment, given by a medical professional and/or medical treatment institution; the processing is needed to protect rights and interests in court proceedings, or to establish or defend legal claims, or the personal data was provided to government or a public authority. In most of these instances, the law requires that the processing also ensure the protection of the personal data.
“Since the DPA should be read in parallel with existing laws, rules and regulations, the pertinent issuances of the Department of Education (DepEd) or the Commission on Higher Education (CHED) should also be consulted. If there is an existing issuance of DepEd and/or CHED on this matter, the same may be relied on as a lawful basis for the posting in the bulletin board or official social media account, provided that the issuances guarantee the protection of personal data,” the NPC said in Advisory Opinion No. 2020-046, dated November 9, 2020 (https://www.privacy.gov.ph/wp-content/uploads/2020/12/Redacted-Advisory-Opinion-No.-2020-046.pdf). If there are no issuances from the DepEd or CHED on posting on social media accounts or the bulletin board, the NPC said the school should get consent from the students or, if the students are minors, from their guardians.
So can a school post, on its website or social media account, the picture of a child that won an award?
“Honors, awards, achievements and results during any school-related competition and representation, including school or government scholarship grants, all fall under sensitive personal information since these are information on an individual’s education,” the NPC said. It advised school authorities to get consent from the concerned students and their guardians.
What about pictures of school activities? It depends on the picture and the reason for posting, the NPC said, pointing out that “the participation or involvement by a student in a school-related or sponsored activities and programs may be shown through different ways.”
Other factors would also have to be considered in evaluating whether a picture should be considered personal or sensitive personal information. Is it a picture of a single child, or a crowd in school events, with the faces unrecognizable?
“The school would have to make the determination of the most appropriate lawful basis for processing, taking into account all relevant circumstances of the processing, adherence to the general data privacy principles of transparency, legitimate purpose, and proportionality, as well as the students’ reasonable expectation of privacy and the impact on their rights and freedoms,” the NPC said.
(Dana Batnag heads the policy and risk management section in the data privacy office of a financial services institution. For inquiries, comments and clarifications, she may be contacted at yourdataprotectionofficer@protonmail.com)