Student unintentionally found that they could access other students’ personal information, such as grades, addresses, and contact details, by altering a few numbers in the web address (URL)
The question that now arises is whether the student reported the incident to the National Privacy Commission. As defined in Chapter I, Section 3, paragraph (a) of the Data Privacy Act, the term Commission refers specifically to the National Privacy Commission (NPC) created by virtue of the said law. If the student did not report the incident, this may fall under Chapter VIII, Penalties, Section 30 — Concealment of Security Breaches Involving Sensitive Personal Information. Under this provision, any person who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals such a breach, shall be penalized. The prescribed penalty is imprisonment of one (1) year and six (6) months to five (5) years, and a fine ranging from five hundred thousand pesos (₱500,000.00) to one million pesos (₱1,000,000.00). This section clearly imposes a legal duty to report any known data breach to the Commission, and failure to do so constitutes a punishable offense. Therefore, if the student was aware of a breach and failed to disclose it appropriately, liability may extend not only to the act itself but also to the omission to report it.
Another point of concern is the student’s deliberate alteration of certain numbers in the web URL. The intent behind such an action must be scrutinized, as this is not typical user behavior. Ordinary users do not modify URL parameters, as they generally have neither the interest nor the technical background to do so. Altering a web URL suggests at least a rudimentary understanding of how web systems function and an awareness of potential vulnerabilities. This kind of probing is similar to what cybersecurity professionals—commonly known as ethical hackers or penetration testers—do to identify security weaknesses. However, in professional settings, such activities are strictly regulated under formal contracts or authorizations granted by the organization’s security team. These contracts clearly outline the scope of testing, such as whether testers may probe web URLs, scan networks with tools like Nmap, or perform specific types of vulnerability assessments. Every action beyond that authorized scope may constitute a violation of data privacy and security laws.
In the student’s case, the act of altering the URL cannot easily be classified as “unintentional.” One cannot claim inadvertence when manually changing web parameters—this indicates a conscious decision to manipulate the system. Given this, it may be argued that the student knowingly attempted to access restricted areas or data, which aligns with the offense defined under Chapter VIII, Section 29, Unauthorized Access or Intentional Breach. This provision penalizes any person who knowingly and unlawfully breaches the confidentiality and security of data systems, accessing in any manner systems where personal or sensitive personal information is stored. The corresponding penalty for this violation is imprisonment ranging from one (1) year to three (3) years, and a fine between five hundred thousand pesos (₱500,000.00) and two million pesos (₱2,000,000.00).
In conclusion, the incident potentially exposes the student to one or both of the following penalties under the Data Privacy Act: (1) Concealment of Security Breaches under Section 30, if there was failure to report the incident to the National Privacy Commission; and (2) Unauthorized Access or Intentional Breach under Section 29, if the act of altering the URL constitutes a deliberate attempt to access the system without authority. Both offenses carry serious legal implications and underscore the importance of adhering to data protection principles, responsible system use, and prompt reporting of any security incidents.
Student records were exposed to unwanted access because the university neglected to implement appropriate access controls.
Since the student records were exposed to unauthorized access, the incident constitutes a data breach. Student records inherently contain personal and sensitive personal information—such as full names, identification numbers, academic performance, and contact details—that are considered confidential and must be safeguarded at all times. Any unauthorized person gaining access to such records, whether through accidental exposure or deliberate intrusion, represents a violation of the principles of data privacy and security as outlined in the Data Privacy Act of 2012. The responsibility to implement technical, organizational, and physical safeguards lies with the personal information controller, in this case, the university. The failure to establish or maintain adequate access controls and security measures demonstrates negligence in protecting personal information.
Under Chapter VIII – Penalties, Section 26 of the Data Privacy Act, titled Accessing Personal Information and Sensitive Personal Information Due to Negligence, such negligence is explicitly penalized. The law provides that any person who, due to negligence, provides access to personal information without proper authority under the Act or any existing law, shall face imprisonment ranging from one (1) year to three (3) years and a fine of not less than five hundred thousand pesos (₱500,000.00) but not more than two million pesos (₱2,000,000.00). The university’s failure to employ sufficient measures—such as user authentication protocols, data encryption, and proper monitoring systems—may therefore fall under this penal provision. Regardless of whether the exposure was unintentional or caused by an internal or external actor, the institution bears accountability for the lapse that allowed the breach to occur.
Beyond legal penalties, a data breach involving student records can have severe consequences for the university’s reputation and operations. Once sensitive data are exposed, malicious actors may exploit the information for identity theft, fraud, or even sell it for profit on the black market. The affected students, in turn, may suffer personal harm such as privacy invasion or misuse of their personal details. Institutionally, such a breach undermines the university’s credibility as a trusted custodian of personal data. The resulting loss of trust can have long-term implications—prospective students and their families may hesitate to enroll, faculty and partners may question the university’s integrity, and regulators may impose sanctions or enhanced oversight.
In summary, this breach not only signifies a failure of data protection but also exposes the university to both legal liabilities and reputational damage. Under Republic Act No. 10173, or the Data Privacy Act of 2012, educational institutions are mandated to uphold the privacy, integrity, and security of personal data. Negligence in fulfilling this duty, such as failing to prevent unauthorized access, makes the institution liable under Section 26, thereby reinforcing the importance of proactive compliance, regular security audits, and prompt incident reporting to the National Privacy Commission.
The university violated people’s right to privacy by making student data public without proper protections and the university failed to disclose to students the system’s possible hazards or the measures taken to safeguard their personal data.
As a data subject, individuals are entitled to be informed whether personal information pertaining to them is being processed, has been processed, or is intended to be processed. Prior to the entry of their personal information into the processing system of the personal information controller, they should be furnished with essential information. This transparency should occur at the initial point of data entry or at the next practical opportunity thereafter. It is crucial for individuals to receive a clear description of the personal information that will be entered into the system, including the purposes for which this information is being processed or is to be processed. Understanding the scope and method of personal information processing is vital. Data subjects have the right to know who may receive this information or which classes of recipients may have access to it in the future. Furthermore, if automated access methods are utilized, individuals should be informed, provided that they have given consent for such access, and should be made aware of the extent of the authorization for that access. It is equally important for the data subjects to be informed about the identity and contact details of the personal information controller or their representative. This transparency allows individuals to know whom to reach out to with questions or concerns regarding their personal data. Data subjects should be made aware of how long their information will be stored, ensuring that they understand the timeline for data retention and any related obligations that the controller may have to adhere to in this regard. Moreover, individuals should receive comprehensive information about their rights, which include access to their own data, the right to request corrections to any inaccuracies, and the right to lodge a formal complaint before the appropriate regulatory body, such as a data protection commission. This legal framework is designed to empower data subjects and safeguard their personal information from unauthorized use or disclosure. Any information provided or declarations made to the data subject regarding these matters should not be subject to amendments without prior notification to the data subject. This stipulation ensures ongoing communication and fosters trust between individuals and the entities handling their personal data. Ultimately, these provisions are fundamental in promoting transparency, accountability, and respect for personal privacy within the realm of data processing and management. As society becomes increasingly data-driven, understanding these rights and protections becomes crucial for everyone.
The determination of the appropriate level of security must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization, and the complexity of its operations, as well as current data privacy best practices and the cost of security implementation. Organizations handle a variety of personal information, from basic identifiers like names and addresses to sensitive data such as social security numbers and financial records. The sensitivity of this data plays a crucial role in guiding the required security measures. In assessing the risks associated with data processing, it is vital to consider not only the potential for unauthorized access but also the implications of data loss or exposure. Organizations must evaluate the potential threats posed by hackers, internal breaches, and even natural disasters that could affect data integrity and availability. The size and complexity of an organization further influence the security framework, as larger organizations typically have more extensive networks and a higher volume of data, which can attract more targeted cyber-attacks. Implementing effective safeguards is essential for protecting a computer network against accidental, unlawful, or unauthorized usage or interference. A comprehensive security policy must be established that outlines how personal information will be processed and protected. This policy should also address compliance with legal and regulatory requirements, reinforcing the organization’s commitment to safeguarding data. Additionally, organizations need a robust process for identifying and assessing reasonably foreseeable vulnerabilities within their computer networks. This includes regularly conducting security audits and penetration testing to uncover weaknesses that could be exploited by malicious actors. Taking preventive, corrective, and mitigating actions against identified vulnerabilities is critical to maintaining the integrity of the system and ensuring that personal data remains secure. Regular monitoring for security breaches should be an ongoing practice within any organization. This includes not only detecting potential breaches in real-time but also evaluating the response protocols in place should a security incident occur. Organizations must be prepared to take decisive action, which may involve notifying affected individuals, reporting incidents to regulatory bodies, and implementing enhanced security measures to prevent future occurrences. By prioritizing a comprehensive security approach that encompasses these various aspects, organizations can significantly bolster their defenses against potential threats, thus fostering a culture of trust and responsibility in handling personal information.
The processing of personal information shall be allowed, subject to compliance with the requirements of the law that permits disclosure of information to the public and adherence to the principles of transparency, legitimate purpose, and proportionality. It is essential that personal information be collected for specified and legitimate purposes, which should be clearly determined and declared before collection, or as soon as reasonably practicable thereafter. Once collected, this information must be processed in a manner that is compatible with the declared, specified, and legitimate purposes only. The processing must involve fair and lawful methods, ensuring that the data collected is accurate, relevant, and, where necessary, kept up to date. Inaccurate or incomplete data must be rectified, supplemented, or destroyed to maintain the integrity of the information maintained by the organization, or at a minimum, their further processing must be restricted. The collection and processing of personal information should be adequate and not excessive in relation to the intended purposes. This means organizations should carefully evaluate what information is truly necessary to achieve their objectives and refrain from requesting or keeping unnecessary data.
Furthermore, personal information should be retained only for as long as necessary to fulfill the purposes for which it was obtained. This could include the need for the information for the establishment, exercise, or defense of legal claims, for legitimate business purposes, or as may be mandated by law. Organizations must implement robust data retention policies to ensure that they do not keep data longer than required, thereby mitigating potential risks associated with data breaches or misuse. Lastly, personal data must be stored in a manner that allows for the identification of data subjects, but only for a duration that is necessary for the purposes of which the data was collected and processed. This practice not only protects individual privacy rights but also reinforces the organization’s commitment to respecting the principles of data protection. By adhering to these guidelines, organizations can foster trust and reliability, creating a safer environment for all stakeholders involved. Ultimately, the proper handling of personal information is crucial in today’s digital age, where data privacy is of paramount importance and where individuals expect organizations to treat their data with care and respect.
The university also didn’t check to see if the site followed data protection rules before it went live, which led to the data breach, negligence, and security policies.
Data Protection Policy defines “Personal Data” as any information, regardless of its accuracy, that pertains to an individual and allows for that individual to be identified. This identification can occur either directly from the data itself or indirectly when it is combined with other information to which we have access, including any records we may maintain and update periodically. Personal Data encompasses a variety of identifiers, such as your name, passport or other identification numbers, telephone numbers, mailing addresses, email addresses, and any additional details relating to individuals that you have supplied to us through various forms of communication or documentation. The collection of Personal Data occurs through several interactions with us. For instance, when you complete an application form, a registration form, or any other paperwork related to the products and services we offer, you are sharing your Personal Data. This process also includes entering into agreements or submitting other documentation related to your engagement with us. Additionally, Personal Data’s collection can happen when you interact with our student service officers, which may take place through different mediums such as telephone calls, written correspondence, face-to-face meetings, social media platforms, and emails. Furthermore, when you utilize our electronic services or engage with any of our websites, your actions may lead to the collection of Personal Data. If you request that a specific group within the website contact you or ask to be added to a mailing list, that interaction can also generate Personal Data. All of these instances contribute to a comprehensive understanding of how we gather and manage your information. Moreover, we may collect Personal Data when you respond to our promotional campaigns, initiatives, or any requests for further information we might send. These data-gathering methods are crucial for tailoring our services and ensuring that we can meet your needs effectively. Our goal is to create a responsive and supportive environment where your needs are met through careful handling and protection of your Personal Data. As we continue to evolve as an organization, we are committed to updating our practices to safeguard your information while ensuring transparency in how we collect and use Personal Data. Your trust is fundamental to us, and we strive to maintain the highest standards of data protection to keep your information secure and used only for its intended purposes.
Moreover, when your images are captured by us via CCTV cameras while you are present on our premises, or through photographs or videos taken during events at our facilities (if any), we collect various kinds of data. This includes instances when you are contacted by and respond to student representatives and customer service officers, as well as when we receive references from business partners and third parties, particularly in situations where you have been referred by them. Additionally, we track responses when you fill out surveys administered by our third-party surveying service providers, and when we seek information from third parties about you in connection with the products and services you have applied for. Lastly, when you submit your Personal Data to us for any other reason, these are all methods utilized in gathering data on a university’s website. When you browse our websites or use applications and digital services, you generally do so in an anonymous capacity. It is important to note that our website, applications, and digital services do not automatically collect Personal Data unless you actively provide such information or log in with your account credentials. The privacy of our users is paramount to us. We are committed to ensuring that any data collected is managed in accordance with applicable data protection laws and regulations. If you are providing us with any Personal Data pertaining to a third party, such as details about your spouse, children, parents, or employees, you must ensure that you have obtained the necessary consent from that individual before sharing their information with us. By submitting such data, you represent and warrant that you have the right to disclose this information for the respective purposes. Furthermore, we strongly encourage data subjects, particularly our students, to ensure that all Personal Data submitted to us is complete, accurate, true, and correct. Providing inaccurate or incomplete data may result in our inability to deliver the products and services you have requested, which could hinder your overall experience with us. These rules are integral to our data protection strategy, ensuring compliance before the website goes live for public access. Our commitment is to build trust with our users by safeguarding their information. We continuously review and update our data protection practices to adapt to changing regulations and to uphold the best standards for privacy and security. By engaging with our systems, you are also contributing to a more secure and efficient data-processing environment that benefits the entire community.
The purposes for the collection, use, and disclosure of personal data must be clearly stated. The organization collects, uses, and discloses personal data for several specific purposes. These include responding to inquiries, feedback, complaints, and requests from individuals. Additionally, it is essential to verify the identity of users to ensure that personal data is protected and only shared with the rightful owners. Proper management of administrative and business operations is crucial, alongside compliance with institutional policies and procedures that guide data handling practices. Facilitating business asset transactions is another vital reason for collecting personal data. This ensures that any transfer of assets is handled efficiently and securely. Furthermore, the organization may match personal data held concerning students with the purposes listed herein, which could include improving educational outcomes or enhancing the overall student experience. The collection of personal data also allows the organization to request feedback or participation in surveys, enabling a better understanding of customer perspectives. Conducting market research and analysis aids in gathering statistical data for various purposes, including profiling which informs how products and services are developed and improved over time. By understanding market trends and consumer needs, the organization can adjust its offerings, ensuring they remain relevant and useful. Moreover, the organization is committed to preventing, detecting, and investigating crime, which necessitates the thorough analysis and management of commercial risks. This proactive approach safeguards the interests of both the organization and its clients. Facilities management is also a critical aspect, which encompasses maintaining the security of premises, including data centers that host the website. This ensures a safe environment for information storage and processing. Managing the safety and security of both the premises and services is paramount. This may involve conducting CCTV surveillance and security clearances to protect against potential threats. All these measures contribute to a secure business environment where personal data can be handled appropriately and responsibly. Finally, it is important to note that personal data may be utilized for any other purpose that is reasonably related to the aforementioned categories. The organization is dedicated to transparency and ensuring that individuals are well-informed about how their data is being used, thus fostering trust and confidence in our commitment to data protection and privacy policies. By adhering to these principles, the organization aims to maintain high standards of integrity and accountability.
Disclosure of Personal Data
The data officer will take reasonable steps to protect your Personal Data against unauthorized disclosure. This includes implementing various security measures, protocols, and best practices to safeguard the information we collect from you. Subject to the provisions of any applicable law, the Personal Data may be disclosed by the data officer for the explicit purposes listed in our privacy policy. The data may be shared with the following entities or parties, which include trusted partners, service providers, and regulatory agencies, all of which are committed to maintaining the confidentiality and integrity of your information. Your privacy is of utmost importance to us.
Use of Cookie
A cookie is a small piece of information that is placed on your computer when you visit certain websites. This data, often in the form of text files, helps enhance your browsing experience by remembering preferences, login information, and other details that can streamline your interactions with the site. The cookies placed by the servers hosting our websites are readable only by us, ensuring that your privacy is maintained. Importantly, cookies cannot access, read, or modify any other data on an electronic device, nor do they capture any data that would allow us to identify you individually. Cookies serve as a convenient way to remember your activities across web sessions. For example, when you log into a site or fill out certain fields, cookies make it possible for that information to be remembered the next time you visit. This means you might not have to re-enter your password or preferences each time, enhancing functionality and user experience on our sites. However, while they play a crucial role in website functionality, it is also important to understand user control over their data. All web browsers offer the option to refuse any cookie, thereby allowing users to maintain a higher level of privacy if they so choose. If you decide to refuse our cookies, then we will not gather any information about that particular visitor, which adheres to respecting your autonomy as a user. Should you wish to disable the cookies associated with your browser, you may do so by changing the settings in your browser options. This feature is available in most browsers and provides a straightforward way for users to manage their cookie preferences. It is important to note, however, that if you choose to completely disable cookies, you may not be able to access certain parts of our websites or enjoy the full enhancement benefits of cookies. Functionality that relies on cookies could be compromised, potentially leading to a less optimal experience. For instance, you might find that items in a shopping cart do not persist between visits, or that automated login features do not work as intended. Therefore, while managing cookies is your right, we recommend considering the balance between privacy and usability when making your choice. In conclusion, understanding cookies and how they function is essential in navigating the online landscape. These small pieces of data play a significant role in personalizing your experience, making your time online smoother and more efficient while still providing the option to maintain your privacy whenever you prefer.
As the data officer, I will make reasonable efforts to protect Personal Data in our possession or under our control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. However, it is important to note that the university website cannot ensure the security of the information transmitted by students via the Internet. When you browse our websites or use our applications and/or digital services, there is an inherent risk associated with the method of electronic storage and transmission. As additional precautions, the website urges students to remain vigilant and take every necessary measure to safeguard their Personal Data while online. This includes being cautious when accessing our websites or engaging with our applications and/or digital services. We recommend that students frequently change their passwords, utilizing a combination of letters and numbers for enhanced security. Moreover, students should always ensure that they are using a secure browser and be mindful of the security settings available to them. If applicable, you undertake to keep your username and password secure and confidential. Under no circumstances should you disclose or permit disclosure of your credentials to any unauthorized person. We emphasize that you also have a responsibility to inform the administration as soon as reasonably practicable if you know or suspect that someone else may have access to your username and password. It is critical to promptly address any concerns regarding the confidentiality of your credentials, especially if you believe they have been lost, stolen, or compromised in any way. In the event of unauthorized transactions or suspicious activities linked to your account, immediate reporting to the relevant administrative body is essential. This proactive approach aids in mitigating potential risks and helps us implement further protective measures. While we strive to maintain the highest security standards, we must underscore that we are not liable for any damages that may arise from security breaches or unauthorized and/or fraudulent usage of your username and password. All users are encouraged to maintain an active engagement in their online security practices. Developing good habits not only protects individual accounts but also enhances the overall security of our digital environment. By prioritizing awareness and caution in digital interactions, we collectively contribute to a safer online experience for all members of the university community.