The National Privacy Commission (NPC) is planning on creating a “Code of Conduct” to guide schools in the shift to online learning. Several universities experienced hacking incidents in the past weeks and the Commission gathered volunteer-partners to contribute to the guidelines.

“Setting clear-cut guidelines is crucial today as the pandemic has compelled most businesses to migrate online. As this is uncharted territory for many, including the education sector, intensified guidance and awareness on data privacy and security practices must be provided to all,” Privacy Commissioner Raymund Liboro said.

The Philippine privacy watchdog reports the education sector’s January-June breach notifications surging to 19, already exceeding 2019’s 18 notifications and even likely to grow for the rest of the year.

NPC issues ‘work-from-home’ guidelines to safeguard personal data

NPC says FaceApp has improved privacy clauses after major overhaul

“We see this trend in the education system to continue as we migrate our processes online,” said Khane Raza, OIC director, Data Security and Compliance Office, NPC.

Notifications

DaSCO data show that 69% of notifications were due to malicious attacks such as a hacked portal (73%), phishing (18%), and stolen laptops (9%). Meanwhile, 19% of the first semester’s attacks were due to system glitches and 12% because of human errors.

The Commission has observed that the events exposed schools’ lack of effective detection systems and of awareness on breach notification procedures.

“The events exposed campuses’ data security vulnerabilities, which demonstrate insufficient adoption of measures at the prevention level. On reporting, many breach notifications failed to be exhaustive. Details such as the nature of the breach and the scope of the damage could have enabled them to identify the best remedial measures to contain the negative impacts of the breach,” Liboro said.

Together with the initial batch of volunteer-partners from the education, the Commission came up with the following recommendations.

1. Create a data-breach response team, which will be responsible for creating and implementing an incident-response procedure. This will help schools contain the impact of the breach and immediately restore integrity to the information and communications system.
2. Create policies and implement them effectively to prevent or minimize breaches and ensure timely discovery of a security incident.
3. Conduct security audits and tests, such as privacy-impact assessment source- code audit, vulnerability assessment, and penetration testing, especially when there are changes in conditions that warrant a review of data privacy and security policies.
4. Proactively explore and adopt measures that can help prevent intrusions. This includes investing in secure web applications and automated detection systems where practicable to their available resources.

NPC welcomes more volunteers that will join DPOs of Ateneo de Manila University (AdMU), Ateneo de Iloilo, Batangas State University, Central Mindanao University, De La Salle College of Saint Benilde, De La Salle University (DLSU), Laguna State Polytechnic University, and Lyceum of the Philippines University. Also volunteering were Manila Central University, San Beda College-Alabang, San Beda University, Technological University of the Philippines, University of Sto. Tomas Legazpi, University of the Philippines (UP) Cebu, UP Diliman, UP Manila, and University of Perpetual Help System DALTA.

The Commission hopes to complete the Code of Conduct before the opening of the school year 2021-2022.