
Missing Privacy Elements: What Philippine Schools Must Display Online

RA 10173 requires schools to inform individuals about how their data is collected and used. Missing a privacy policy, cookie notice, or consent language isn't just a gap — it's a compliance violation that can trigger NPC investigation.

What the Law Requires

The Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations require schools — as Personal Information Controllers (PICs) — to be transparent about how they collect and process personal data. This transparency must be visible on any website that collects data.

When your school's website collects information — through enrollment forms, contact forms, newsletter signups, or even just analytics — it must clearly communicate:

  1. What data is being collected
  2. Why it is being collected (purpose)
  3. Who it may be shared with
  4. How long it will be kept
  5. What rights individuals have (access, correction, erasure, portability)

Required Privacy Elements for School Websites

1. Privacy Notice / Privacy Policy

A dedicated page explaining your school's data processing practices. This is not optional for schools with websites that collect personal data.

Minimum content under NPC guidelines:

  • Identity and contact details of the school (as PIC)
  • Contact details of the Data Protection Officer (DPO) — required if processing large volumes of student data
  • Types of personal data collected
  • Purposes and legal bases for processing
  • Data retention periods
  • Third-party recipients (cloud services, SIS vendors, payment processors)
  • Data subject rights and how to exercise them
  • How to file a complaint with the NPC

Your school must register a DPO with the NPC if it processes personal data of 1,000 or more individuals.

2. Cookie Consent Notice

If your school's website uses cookies beyond strictly necessary ones — including Google Analytics, Facebook Pixel, YouTube embeds, or advertising — you must:

  • Inform visitors that cookies are used
  • Obtain consent before setting non-essential cookies
  • Provide a way to withdraw consent

What counts as "strictly necessary": Session management, login authentication, shopping cart (if applicable). These do not require consent.

What requires consent: Analytics (Google Analytics, Matomo), social media embeds (YouTube, Facebook), advertising trackers, behavioral profiling.

3. Consent Language on Data Collection Forms

Any form on your school's website that collects personal information — enrollment, inquiry, contact, scholarship application — must include:

  • A clear statement of what the data will be used for
  • A reference to your privacy policy
  • An explicit consent checkbox (pre-ticked boxes are not valid consent under RA 10173)

Example compliant consent language:

"I consent to [School Name] collecting and processing my personal information for enrollment purposes, in accordance with the Data Privacy Act of 2012 and our Privacy Policy."

4. Data Protection Officer Contact

If your school has a registered DPO, their contact information (at minimum, an email address) should be accessible on the website — typically in the privacy policy or a dedicated contact page.

What Happens When These Are Missing

The NPC has issued compliance orders and investigated schools for:

  • No privacy policy on enrollment portals collecting student data
  • Online enrollment forms with no consent mechanism
  • Third-party analytics running without disclosure or consent

NPC can impose:

  • Compliance orders requiring immediate corrective action
  • Fines of up to ₱5 million per violation
  • Criminal liability for responsible officers in cases of negligence leading to a breach

Quick Compliance Checklist

  • [ ] Privacy policy page exists and is linked from the footer
  • [ ] Privacy policy covers NPC-required elements
  • [ ] DPO contact information is published (if required)
  • [ ] All data collection forms include consent language and checkbox
  • [ ] Cookie notice appears on first visit if using non-essential cookies
  • [ ] Privacy policy is written in plain language (not just legal boilerplate)
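
The checklist items that can be verified from a page's HTML, as an added example (not the Site Scanner's code and not part of the original page): it flags a missing footer privacy link, forms whose consent checkbox is absent or pre-ticked, and non-essential scripts or embeds present in the initial markup. The tracker URL list, the "consent" naming convention for the checkbox, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
# Assumed heuristics, not from the page: tracker URL fragments and "consent" in the checkbox name.
TRACKERS = ("google-analytics.com", "googletagmanager.com", "connect.facebook.net", "youtube.com/embed")

class PrivacyAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_footer = self.footer_link = False
        self.form, self.forms, self.trackers = None, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "footer":
            self.in_footer = True
        elif tag == "a" and self.in_footer and "privacy" in (a.get("href") or "").lower():
            self.footer_link = True  # privacy policy is linked from the footer
        elif tag == "form":
            self.form = {"id": a.get("id") or "?", "consent": False, "preticked": False}
            self.forms.append(self.form)
        elif tag == "input" and self.form and a.get("type") == "checkbox" and "consent" in (a.get("name") or "").lower():
            self.form.update(consent=True, preticked="checked" in a)  # pre-ticked is not valid consent
        elif tag in ("script", "iframe"):
            src = a.get("src") or ""
            if any(t in src for t in TRACKERS):
                self.trackers.append(src)  # in the initial markup, so it loads before any consent

    def handle_endtag(self, tag):
        if tag == "footer":
            self.in_footer = False
        elif tag == "form":
            self.form = None  # inputs after </form> belong to no form

def audit(html):
    p = PrivacyAudit()
    p.feed(html)
    out = [] if p.footer_link else ["no privacy policy link in footer"]
    for f in p.forms:
        if not f["consent"]:
            out.append(f"form {f['id']}: no consent checkbox")
        elif f["preticked"]:
            out.append(f"form {f['id']}: consent checkbox is pre-ticked")
    return out + [f"loads before consent: {s}" for s in p.trackers]

# Constructed sample page (not a real school site).
SAMPLE = """<form id="enroll"><input name="student_name"><input type="checkbox" name="consent" checked></form>
<form id="inquiry"><input name="email"></form>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<footer><a href="/about">About</a></footer>"""
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

A static check like this cannot see trackers injected later by JavaScript, so a clean result does not show that cookies are consent-gated.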

Check Your Site

The Site Scanner looks for common privacy elements on your school's website and flags missing components.

For a full DPA compliance assessment, use the DPA Compliance Checker.
