NPC Initiates Code of Conduct to Guide Schools Amid Shift to Online Education

The National Privacy Commission (NPC) is working closely with various universities and colleges to create a Code of Conduct that will guide and enable school management, teachers, students and parents to cultivate a data privacy-conscious environment, especially as most activities are done online amid the quarantine.

"The planned Code of Conduct will set the standard policies and measures schools must adopt to prevent data breaches and be able to act accordingly in such occurrences," Privacy Commissioner Raymund E. Liboro said at a Friday meeting with more than 40 data privacy officers from various schools across the country.

"Setting clear-cut guidelines is crucial today as the pandemic has compelled most businesses to migrate online. As this is uncharted territory for many, including the education sector, intensified guidance and awareness on data privacy and security practices must be provided to all," Liboro added.

At the meeting, the NPC gathered a handful of volunteer-partners to work on the guidelines. Among them were the DPOs of Ateneo de Manila University (AdMU), Ateneo de Iloilo, Batangas State University, Central Mindanao University, De La Salle College of Saint Benilde, De La Salle University (DLSU), Laguna State Polytechnic University, and Lyceum of the Philippines University.

Also volunteering were Manila Central University, San Beda College-Alabang, San Beda University, Technological University of the Philippines, University of Sto. Tomas Legazpi, University of the Philippines (UP) Cebu, UP Diliman, UP Manila, and University of Perpetual Help System DALTA.

The Commission welcomes more volunteers as it aims to complete the Code of Conduct before the opening of school year 2021-2022.

Learning from the recent hacking surge

In light of the recent wave of breaches at universities and colleges, the NPC reports that the education sector's breach notifications for January to June surged to 19, already exceeding the 18 notifications of 2019 and likely to grow over the rest of the year.

“We see this trend in the education system to continue as we migrate our processes online,” said the Commission's Data Security and Compliance Office (DaSCO) Officer-in-Charge Director Khane S. Raza.

DaSCO data showed that 69% were due to malicious attacks such as hacked portals (73%), phishing (18%) and stolen laptops (9%). Meanwhile, 19% of the first semester's attacks were due to system glitches and 12% to human error.

The Commission has observed that the events exposed schools' lack of effective detection systems and of awareness of breach notification procedures.

"The events exposed campuses' data security vulnerabilities, which demonstrate insufficient adoption of measures at the prevention level. On reporting, many breach notifications failed to be exhaustive. Details such as the nature of the breach and the scope of the damage could have enabled them to identify the best remedial measures to contain the negative impacts of the breach," Liboro said.

As such, the following are the recommendations of the Commission:

  1. Create a data-breach response team, which will be responsible for creating and implementing an incident-response procedure. This will help schools contain the impact of the breach and immediately restore integrity to the information and communications system.
  2. Create policies and implement them effectively to prevent or minimize breaches and ensure timely discovery of a security incident.
  3. Conduct security audits and tests, such as privacy-impact assessment, source-code audit, vulnerability assessment and penetration testing, especially when there are changes in conditions that warrant a review of data privacy and security policies.

    Danny Cheng, DLSU DPO, said tests were effective preventive measures, likening their importance to that of COVID-19 testing.

    "Continuously invest in testing like in COVID. At least you'll know the possible holes which are visible or can be taken advantage of by hackers. The actions you may take after will depend on your own mitigating capabilities and resources," Cheng added.

  4. Proactively explore and adopt measures that can help prevent intrusions. This includes investing in secure web applications and automated detection systems where practicable given their available resources.

Liboro said the Code of Conduct to be crafted for the education sector would build on these recommendations, which were thoroughly studied by the Commission, while adopting a consultative approach so that the Code captures and addresses the realities on the ground in the best and most accurate way possible.

Schools intensify awareness efforts

AdMU DPO Jamael Jacob shared how his office has ramped up its awareness campaign for the University community given the growing number of security incidents that involve schools.

"Because of this recent turn of events, we've made a conscious effort to ante up the release of our reminders. To make them more accessible to people, we converted them into infographics, particularly those relevant to work-from-home arrangements like the proper use of emails," Jacob said.

"So far, the feedback is positive. We hope, eventually, we can change the behavior and culture of our community," he added.

Elson B. Manahan, UP-Diliman DPO, said his university was also intensifying its awareness campaign by rolling out numerous policies for guidance.

"We have issued several guides on how professors and management can safeguard their systems as they work from home. We coordinate and will continue to coordinate with the Commission, especially as we embark on formulating an industry-wide Code of Conduct. This goes to show that the Commission is making education a priority sector and we appreciate it," Manahan said.

Commissioner Liboro affirmed that the NPC would continue to focus on the education sector, as it makes up 17% of the breaches received in the first half of the year.

"We hope that all of us will come out of the recent ordeal wiser and more intent to create breach-proof systems within our campuses. We fervently hope that the outcome of this future work, this Code of Conduct, will prevent a repeat of the dangerous event that caused panic and fear among several data subjects," he said.

"We also hope that this Code of Conduct in the education sector will be a best practice for other sectors to replicate."
