Based on RA 10173, its IRR (2016), and NPC Advisories and Circulars
In today’s digital university environment, social media is widely used for communication, promotion, and community engagement. However, improper disclosure of personal data or sensitive personal information (SPI) through social media—whether by individuals, student organizations, or official university accounts—can lead to privacy violations under RA 10173. This article explains the risks, responsibilities, and lawful practices involving social media and public disclosures in the campus setting.
Public disclosure refers to the act of making personal or sensitive information available to others without the data subject’s valid consent or legal basis. This includes posting names, grades, or health status online without permission.
Such action violates Section 11 (transparency and purpose limitation) and Sections 12–13 of RA 10173, which outline lawful processing requirements.
“Personal information must be... collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared purposes...”
— RA 10173, Section 11(a)
“The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public...”
— RA 10173, Section 12
Campus offices may use social media for official communication and promotion. However, they must obtain valid, informed consent when posting content that contains personal data such as student photos or names. Consent must be documented (written, electronic, or recorded).
Posts must follow the data privacy principles: transparency, legitimate purpose, and proportionality.
University offices may use social media to:
However, when posting names, images, or identifiable information of students or employees, valid consent is required, unless based on public authority or legitimate interest.
“Consent of the data subject must be evidenced by written, electronic, or recorded means.”
— NPC Circular No. 2023-04, Section 11
“Photos and videos that are taken and shared online must adhere to the data privacy principles of transparency, legitimate purpose, and proportionality. Consent must be obtained prior to the sharing of photos and videos that may contain personal data.”
— National Privacy Commission, Reminder on Sharing Photos and Videos Containing Personal Data, January 11, 2024
Student organizations are considered personal information controllers when they manage social media pages. They must comply with the same privacy laws as institutions. Unauthorized posting of grades, photos, or private matters may lead to penalties under RA 10173.
Organizations must ensure responsible handling of data by training page administrators and securing consent forms for public content.
“Personal information controllers shall implement reasonable and appropriate organizational, physical and technical measures for the protection of personal data.”
— IRR of RA 10173, Rule VI, Section 25
“The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
— RA 10173, Section 11
“Sensitive personal information... must not be disclosed without the consent of the data subject and must be processed only when provided by law or with specific consent.”
— RA 10173, Section 13
Student orgs should ensure proper training of social media admins, pre-post review protocols, and secure consent documentation for posts that identify individuals.
SPI includes data such as a person’s health, academic records, disciplinary actions, or political and religious beliefs. This type of data is protected by the stricter rules under Section 13 of RA 10173. Public disclosure without the subject’s specific consent or legal basis is illegal.
“Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life... or any proceeding for any offense committed or alleged to have been committed by such person...”
— RA 10173, Section 3(l)
Examples of SPI include:
Public disclosure without consent or legal authority is prohibited.
Scenario | Violation | Legal Reference |
---|---|---|
Posting class rankings on Facebook | Unauthorized processing | RA 10173, Section 11 (Principles), Section 12 (Lawful Processing) |
Publishing COVID-19 status of students | Unauthorized SPI disclosure | RA 10173, Section 13 (SPI Processing) |
Sharing screenshots of student complaints | Improper purpose, unauthorized disclosure | IRR of RA 10173, Section 34(b) (Right to Object) |
Improper social media use resulting in data breaches can lead to: