RA 10173 requires schools to inform individuals about how their data is collected and used. Missing a privacy policy, cookie notice, or consent language isn't just a gap — it's a compliance violation that can trigger an NPC investigation.
The Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations require schools — as Personal Information Controllers (PICs) — to be transparent about how they collect and process personal data. This transparency must be visible on any website that collects data.
When your school's website collects information — through enrollment forms, contact forms, newsletter signups, or even just analytics — it must clearly communicate:
A dedicated page explaining your school's data processing practices. This is not optional for schools with websites that collect personal data.
Minimum content under NPC guidelines:
Your school must register a DPO with the NPC if it processes personal data of 1,000 or more individuals. Register here.
If your school's website uses cookies beyond strictly necessary ones — including Google Analytics, Facebook Pixel, YouTube embeds, or advertising — you must:
What counts as "strictly necessary": Session management, login authentication, shopping cart (if applicable). These do not require consent.
What requires consent: Analytics (Google Analytics, Matomo), social media embeds (YouTube, Facebook), advertising trackers, behavioral profiling.
Any form on your school's website that collects personal information — enrollment, inquiry, contact, scholarship application — must include:
Example compliant consent language:
"I consent to [School Name] collecting and processing my personal information for enrollment purposes, in accordance with the Data Privacy Act of 2012 and our Privacy Policy."
If your school has a registered DPO, their contact information (at minimum, an email address) should be accessible on the website — typically in the privacy policy or a dedicated contact page.
The NPC has issued compliance orders and investigated schools for:
The NPC can impose:
The Site Scanner looks for common privacy elements on your school's website and flags missing components.
For a full DPA compliance assessment, use the DPA Compliance Checker.