Back to Blog
Data & Privacy

Parents Are Asking for Their Child's Data — Here's How Schools Should Respond

March 3, 2026Updated March 12, 202613 min readBy Ocean Team

A parent walks into your registrar's office with a letter. "I am formally requesting a copy of all personal data your school holds on my child." She's calm, polite, and citing Section 16 of the Data Privacy Act.

Your registrar has no idea what to do.

This scenario is no longer rare. Data subject access requests (DSARs) from parents are increasing — driven by rising DPA awareness, transfer disputes, enrollment conflicts, and NPC education campaigns. And most Philippine schools have no documented process for handling them.

That's a compliance problem. A 15-day deadline starts the moment a valid request is received. Miss it without documentation of an extension, and the school is exposed.

This guide gives you the process.

The Request Schools Aren't Ready For

"I want a copy of all data you have on my child."

Under Section 16 of Republic Act No. 10173 (the Data Privacy Act of 2012), data subjects — or in the case of minors, their parents or legal guardians — have the right to access all personal data the school holds on their child. This isn't a courtesy. It's a legal right, and denying it without lawful basis is a violation of the DPA.

These requests are increasing for predictable reasons:

Enrollment disputes. When a parent is challenging a school's decision — a failed grade, a disciplinary record, a withheld diploma — they may file a DSAR to see exactly what the school has documented and whether it's accurate.

School transfers. A family changing schools wants to know what records will follow their child and whether anything problematic is on file.

NPC awareness campaigns. The National Privacy Commission has been actively educating Filipinos about their data rights. More parents know these rights exist. Public resources like SchoolBreach.org, which tracks data breach incidents in Philippine schools, are also raising awareness about how school data is handled and whether it is secure.

Legal proceedings. When disputes escalate, lawyers advise clients to formally request all records before filing.

The awkward reality: most schools couldn't compile a complete response in 15 days even if they wanted to. Data is scattered across the registrar's office, the clinic, the guidance office, the finance department, and teacher records — often in separate systems with no unified view.

This is the real compliance gap. It's not that schools don't want to comply. It's that their data architecture makes compliance operationally impossible.

What the Law Requires

The Data Privacy Act grants data subjects three core rights that schools must be prepared to fulfill.

Section 16: Right to Access

A parent or guardian can request a complete copy of all personal data the school holds on their child. This includes:

  • Academic records (grades, report cards, transcripts)
  • Attendance records
  • Enrollment and registration data
  • Medical and health records from the school clinic
  • Disciplinary records and incident reports
  • Financial records (fees, payments, balances)
  • Communications between parents and school staff
  • Counselor or guidance notes
  • Any other data held in any system

The school must provide not just the data itself, but also information about who has access to it, how long it will be retained, and its source — if that information is available.

Section 17: Right to Correction

If a data subject believes personal data held by the school is inaccurate, incomplete, or outdated, they can request a correction. The school must either make the correction or document why it disagrees.

Common correction requests in schools:

  • Wrong birthdate in the student information system
  • Incorrect name spelling
  • Inaccurate disciplinary record ("my child was cleared but the incident is still on file")
  • Wrong grades or attendance records

Schools cannot simply ignore correction requests. If they disagree with the requested change, they must communicate the disagreement and the reason for declining.

Section 18: Right to Erasure

Data subjects can request that their personal data be deleted. This is the most complicated right for schools to navigate, because DepEd and NPC retention requirements limit when schools can actually comply.

When erasure can be granted: Data that was collected without proper consent, data that is no longer necessary for the purpose it was collected, or data that the school has no retention obligation for.

When erasure can be denied: DepEd-mandated permanent records (Form 137, Form 138, diplomas), data needed for ongoing legal proceedings, data required for legitimate business purposes the school must document.

If the school denies an erasure request, it must document the justification. This documentation is required by the NPC — a verbal denial is not sufficient.

The 15-Day Deadline

Once a valid DSAR is received, the school has 15 calendar days to respond. This is not a business-day timeline. The clock starts on receipt of the request.

For complex requests, the DPA allows schools to notify the requestor of a delay and provide a date by which they will comply. But this extension notice must be sent within the 15-day window — not after it expires.

When You Can Decline

The DPA does not create an absolute right to access in all circumstances. Schools can lawfully refuse or limit a DSAR when:

  • Providing the data would reveal another student's personal information (e.g., a disciplinary report involving multiple students)
  • Ongoing legal proceedings require data preservation and disclosure restrictions
  • DepEd mandates retention and the erasure request conflicts with those mandates
  • The request is manifestly unfounded or excessive (rare, and must be documented carefully)

Declining a DSAR incorrectly — or without documentation — is itself a DPA violation.

Building a Data Subject Request Process

Schools that handle DSARs well don't improvise. They have a documented process that staff follow consistently. Here's the seven-step framework:

Step 1: Designate Who Receives Requests

Every school should have a single designated point of contact for DSARs — typically the Data Protection Officer (DPO) or the registrar. This person is responsible for logging the request, coordinating the response, and communicating with the requestor.

Without a designated person, requests get lost, misrouted, or ignored. The DPO is the legally appropriate designee under the DPA; if your school lacks a DPO, the registrar is the practical default.

Publish this contact information. Parents should know exactly where to send a DSAR — not have to guess or submit to a general inquiry email.

Step 2: Verify the Requestor's Identity

Before compiling any data, the school must confirm that the requestor is actually the parent or legal guardian of the student in question.

Required verification:

  • Government-issued ID of the requestor
  • Proof of relationship to the student (birth certificate, legal guardianship documents)
  • If submitted by mail or email: require notarized authorization or callback verification

This step protects against unauthorized disclosure. A request submitted by someone claiming to be a parent but who cannot prove it should be placed on hold until identity is confirmed — and the 15-day clock does not start until a valid request from a verified identity is received.

Document the verification: who verified, what documents were reviewed, and when.

Step 3: Log the Request with a Timestamp

The moment a valid request is received, it must be logged. The log entry should capture:

  • Date and time of receipt
  • Requestor's name and relationship to the student
  • Student's name and year level
  • Type of request (access, correction, erasure)
  • Method of submission (in-person, email, mail)
  • Assigned staff member

The 15-day deadline runs from this timestamp. Everything downstream depends on this step being done correctly.

Step 4: Gather Data Across All Systems

This is the hardest step for most schools — and the one that reveals whether data architecture is actually compliant.

A complete data compilation for a student access request requires pulling from:

System / OfficeData Held
RegistrarEnrollment records, Form 137, Form 138, grades
Attendance systemDaily and period-by-period attendance records
School clinic / health officeMedical history, clinic visit logs, medical certificates
Finance / accountingFee schedule, payment history, outstanding balances
Guidance / counselingSession notes, referral records, intervention logs
Discipline officeIncident reports, sanctions, clearance records
CommunicationsEmails, messages, parent-teacher meeting notes
IT / SIS platformUser account data, login history if applicable

In most schools, this requires physically going to each office or system, requesting exports, and then reviewing each piece of data individually. Schools without an integrated system will spend most of their 15-day window on this step alone.

Step 5: Review for Exemptions

Before packaging the data for release, the school's DPO or a designated reviewer must check for exemptions:

Third-party data: If a disciplinary record involves another student, that student's name and personal information must be redacted before the report is shared. You are obligated to protect all students' data simultaneously.

Staff personal opinions vs. personal data: Notes in a teacher's private journal are different from formal records stored in a school system. Not everything a staff member has ever thought or written is subject to disclosure — only personal data that is processed as part of the school's operations.

Litigation holds: If the school is in active legal proceedings related to this student, consult legal counsel before releasing data.

Retention-mandated records: If an erasure request covers DepEd-mandated permanent records, document the applicable retention requirement and inform the requestor why the erasure cannot be completed.

Step 6: Package in a Portable Format and Deliver

The DPA requires that data be provided in a format that is reasonably accessible to the requestor. For most parents, this means printed documents or a PDF compilation. For requestors who specify, digital formats (PDF, spreadsheet export) are appropriate.

Delivery options:

  • In-person pickup with signature acknowledgment
  • Registered mail with tracking
  • Secure email (if the requestor has provided a verified email address)

The school should obtain a signed acknowledgment of receipt from the requestor. This documentation completes the audit trail.

Step 7: Document the Response

Once the request has been fulfilled (or denied), the school's DSAR log must be updated to reflect:

  • Date of completion or denial
  • What data was provided or withheld
  • Reason for any withheld data
  • Method and date of delivery
  • Signature or acknowledgment from the requestor

If the request was denied (fully or partially), the denial letter must state the specific lawful basis for refusal. "It's school policy" is not a lawful basis. The DPA or DepEd regulations must be cited specifically.

This documentation is what protects the school if the parent later files a complaint with the NPC.

The Three Request Types Schools Will Get

Access Requests

The most common type. A parent wants to know what data the school holds on their child.

Common triggers: Transfers, grade disputes, disciplinary appeals, general curiosity following NPC awareness campaigns.

Response approach: Full data compilation across all systems, redaction of third-party personal information, delivery in portable format within 15 days.

What makes these hard: Siloed data systems. A school that keeps grades in one platform, attendance in another, and health records in a physical logbook will struggle to compile a complete response within the deadline.

Correction Requests

A parent believes something in the school's records is inaccurate and requests a change.

Common examples:

  • Birthdate is wrong in the SIS
  • Name is misspelled on official documents
  • A disciplinary record contains inaccuracies the parent disputes
  • Attendance records don't match the parent's documentation

Response approach: Verify the claimed inaccuracy against source documents. If the correction is valid, make it and document the change. If the school disagrees, inform the parent in writing with the specific reason for declining.

The tricky part: What if the parent is wrong? Schools can decline corrections they believe are unwarranted — but they must say so in writing and cite the basis for their position. Simply ignoring a correction request is not an option.

Erasure Requests

A parent requests deletion of their child's personal data, typically after transferring schools.

Common scenario: "We've transferred. Please delete all of our child's records from your system."

The complication: This is the most nuanced request type because DepEd's records retention requirements conflict with many erasure requests. Schools are legally required to retain Form 137, Form 138, and other official documents — sometimes permanently.

Response framework:

  1. 1.Identify which data is subject to DepEd retention requirements
  2. 2.Identify which data has no retention obligation
  3. 3.Delete what can be deleted
  4. 4.Document the retention justification for what must be kept
  5. 5.Inform the parent in writing what was deleted and what was retained, with the specific legal basis for retention

What the NPC requires: If you're denying an erasure request, the justification must be documented in the school's records. Oral explanations don't create an audit trail. The NPC, if it ever investigates, will look for written documentation of the retention basis.

How Ocean Helps

Data subject access requests reveal whether a school's data infrastructure supports compliance — or fights against it. When student data lives in a single integrated system rather than scattered across offices, responding to a DSAR becomes significantly more manageable.

Centralized student data. Because Ocean consolidates academic records, attendance, health information, financial history, and enrollment data in one platform, schools can locate and compile the data a DSAR requires without chasing records across multiple offices and systems.

Request logging and tracking. Ocean's workflow tools help schools log incoming requests with timestamps, track their status, and maintain the kind of documentation trail that supports a well-organized response process.

Structured record exports. Schools can export a student's data across modules in a portable format, reducing the manual effort of compiling records from separate systems.

Built-in retention context. When schools need to deny an erasure request due to DepEd retention requirements, Ocean helps staff document the justification as part of the request record — supporting the kind of written documentation the NPC expects.

Response letter guidance. Ocean's documentation includes sample language for common DSAR response scenarios — access, correction, and erasure — to help staff understand what a well-structured response looks like. Schools should work with their own legal counsel to develop templates that meet their specific needs.

A data request doesn't have to mean a week of scrambling. Having student data in one system makes it far easier to respond within the 15-day deadline and maintain organized records of how requests were handled.

Want to see how Ocean organizes student data? Book a demo.

Sources

  1. 1.Republic Act No. 10173 (2012). Data Privacy Act of 2012, Sections 16–18: Rights of Data Subject. Establishes the rights of access, correction, and erasure for data subjects and their authorized representatives, including parents acting on behalf of minor children. Data Privacy Act of 2012
  2. 2.National Privacy Commission. (2016). Implementing Rules and Regulations of Republic Act No. 10173. Rule VI, Section 34–36 details the procedural requirements for responding to data subject rights requests, including the 15-day response deadline and documentation requirements. IRR of the DPA
  3. 3.National Privacy Commission. (2017). NPC Advisory No. 2017-01: Privacy Notice. Establishes that data subjects must be informed of their rights to access, correction, and erasure at the point of data collection, reinforcing the school's obligation to have a documented DSAR process. NPC Advisory No. 2017-01
  4. 4.Department of Education. (2016). DepEd Order No. 13, s. 2016: School Calendar and Activities. In conjunction with DepEd records management circulars, establishes which student records schools are required to retain permanently and the retention periods for others, creating the legal basis for denying certain erasure requests. DepEd Orders
  5. 5.National Privacy Commission. (2022). NPC Circular No. 2022-01: Registration of Data Processing Systems. Requires personal information controllers to document their data processing activities, including the categories of personal data held and their retention periods — information directly relevant to compiling complete DSAR responses. NPC Circular No. 2022-01
data privacyDPAdata subject access requestDSARNPC complianceparent rightsschool managementPhilippinesdata rightscompliance

Written by

Ocean Team

Data Privacy & Compliance

More Articles

View all