Data Privacy Policy Template for Philippine Schools

How to Use This Template

This privacy policy template is designed specifically for Philippine K-12 schools. Customize the bracketed sections with your school's information, review with your DPO, and publish on your school's website and enrollment forms.

Note: This template covers common scenarios but may need additional sections depending on your school's specific data processing activities.

[SCHOOL NAME] Data Privacy Policy

Effective Date: [Date]

Last Updated: [Date]

Data Protection Officer: [Name, Contact Details]

1. Introduction

[School Name] ("the School") is committed to protecting the personal information of our students, parents/guardians, faculty, staff, and other stakeholders in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.

This policy explains how we collect, use, store, and protect personal information in the course of providing educational services.

2. Information We Collect

We collect and process the following categories of personal information:

Student Information:

• Full name, date of birth, gender, nationality
• Learner Reference Number (LRN)
• Home address and contact information
• Academic records (grades, attendance, assessments)
• Health and medical records
• Disciplinary records
• Photographs and identification documents
• Parent/guardian information

Parent/Guardian Information:

• Full name and relationship to student
• Contact details (address, phone, email)
• Employment information (for financial aid purposes)
• Financial information (for tuition and fees)

Employee Information:

• Full name, date of birth, contact details
• Employment history and qualifications
• Government-issued IDs (SSS, TIN, PhilHealth, Pag-IBIG)
• Payroll and compensation details
• Performance evaluations

3. Purpose of Data Collection

We collect personal information for the following purposes:

• Enrollment and registration of students
• Academic management including grading, assessments, and report cards
• Student welfare including health services and counseling
• Communication with parents, guardians, and students
• Financial management including billing, payments, and financial aid
• Regulatory compliance including DepEd reporting requirements
• Safety and security including CCTV monitoring and visitor management
• Employment administration for faculty and staff
• Alumni relations and institutional development

4. Legal Basis for Processing

We process personal information based on:

• Consent provided during enrollment
• Contractual necessity for providing educational services
• Legal obligation for regulatory compliance (DepEd, NPC, BIR, etc.)
• Legitimate interest for school safety and security
• Vital interest for student health and safety emergencies

5. Data Sharing

We may share personal information with:

• Department of Education (DepEd) — as required for LIS reporting and compliance
• Government agencies — BIR, SSS, PhilHealth, Pag-IBIG (for employee data)
• Authorized service providers — [list specific systems, e.g., Student Information System provider, LMS provider, payment processor]
• Parents/guardians — regarding their child's academic performance and welfare
• Receiving schools — when students transfer (with appropriate authorization)

We require all service providers to maintain the confidentiality and security of personal information through Data Processing Agreements.

We do NOT sell, trade, or rent personal information to third parties.

6. Data Security Measures

We implement the following security measures:

Organizational: Staff training, access controls, privacy policies, regular audits

Physical: Locked storage, restricted access areas, visitor management

Technical: Encryption, firewalls, access authentication, regular updates, backups

7. Data Retention

We retain personal information only as long as necessary:

• Active student records: Duration of enrollment plus [5] years
• Academic transcripts: Permanent (as required by DepEd)
• Financial records: [10] years (as required by BIR)
• Employee records: Duration of employment plus [5] years
• CCTV footage: [30] days
• Application records (non-enrollees): [1] year

8. Your Rights

Under the Data Privacy Act, you have the right to:

• Access your personal information held by the School
• Correct inaccurate or incomplete information
• Object to processing you believe is unlawful
• Erase or block data that is no longer necessary
• Data portability — obtain a copy of your data in a standard format
• Lodge a complaint with the National Privacy Commission

To exercise these rights, contact our Data Protection Officer at [email/phone].

9. Breach Notification

In the event of a personal data breach that poses a real risk of serious harm, we will:

• Notify the National Privacy Commission within 72 hours
• Notify affected individuals within a reasonable period
• Take immediate steps to contain and remediate the breach

10. Changes to This Policy

We may update this policy periodically. Changes will be communicated through [school website, parent circulars, etc.]. Continued enrollment or employment after notification constitutes acceptance of updates.

11. Contact Us

For questions, concerns, or requests regarding this policy or your personal data:

Data Protection Officer: [Name]

Email: [email]

Phone: [phone]

Address: [school address]

National Privacy Commission:

Website: privacy.gov.ph

Email: info@privacy.gov.ph

Customization Notes

1. 1Replace all [bracketed] text with your school's specific information
2. 2Review data retention periods with your legal counsel
3. 3List all specific third-party service providers you share data with
4. 4Have your DPO review the final version
5. 5Publish on your website and include a summary in enrollment forms
6. 6Review and update annually