Social Media Use and Public Disclosures in Campus Life

Based on RA 10173, its IRR (2016), and NPC Advisories and Circulars

Date Published: May 30, 2025

Overview

In today’s digital university environment, social media is widely used for communication, promotion, and community engagement. However, improper disclosure of personal data or sensitive personal information (SPI) through social media—whether by individuals, student organizations, or official university accounts—can lead to privacy violations under RA 10173. This article explains the risks, responsibilities, and lawful practices involving social media and public disclosures in the campus setting.

Key Legal Concepts and Grounds

1. Definition of Public Disclosure under RA 10173

Public disclosure refers to the act of making personal or sensitive information available to others without the data subject’s valid consent or legal basis. This includes posting names, grades, or health status online without permission.

Such action violates Section 11 (transparency and purpose limitation) and Sections 12–13 of RA 10173, which outline lawful processing requirements.

“Personal information must be... collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared purposes...”
— RA 10173, Section 11(a)
“The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public...”
— RA 10173, Section 12

2. Posting on Social Media by Campus Offices or Personnel

Campus offices may use social media for official communication and promotion. However, they must obtain valid, informed consent when posting content that contains personal data such as student photos or names. Consent must be documented (written, electronic, or recorded).

Posts must follow the data privacy principles: transparency, legitimate purpose, and proportionality.

University offices may use social media to:

However, when posting names, images, or identifiable information of students or employees, valid consent is required, unless based on public authority or legitimate interest.

“Consent of the data subject must be evidenced by written, electronic, or recorded means.”
— NPC Circular No. 2023-04, Section 11
“Photos and videos that are taken and shared online must adhere to the data privacy principles of transparency, legitimate purpose, and proportionality. Consent must be obtained prior to the sharing of photos and videos that may contain personal data.”
— National Privacy Commission, Reminder on Sharing Photos and Videos Containing Personal Data, January 11, 2024

3. Student Organization Use of Social Media

Student organizations are considered personal information controllers when they manage social media pages. They must comply with the same privacy laws as institutions. Unauthorized posting of grades, photos, or private matters may lead to penalties under RA 10173.

Organizations must ensure responsible handling of data by training page administrators and securing consent forms for public content.

“Personal information controllers shall implement reasonable and appropriate organizational, physical and technical measures for the protection of personal data.”
— IRR of RA 10173, Rule VI, Section 25
“The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
— RA 10173, Section 11
“Sensitive personal information... must not be disclosed without the consent of the data subject and must be processed only when provided by law or with specific consent.”
— RA 10173, Section 13

Student organizations should ensure proper training of social media administrators, pre-post review protocols, and secure consent documentation for posts that identify individuals.

4. What Constitutes Sensitive Personal Information (SPI)?

SPI includes data such as a person’s health, academic records, disciplinary actions, or political and religious beliefs. This type of data is protected by the stricter rules under Section 13 of RA 10173. Public disclosure without the subject’s specific consent or legal basis is illegal.

“Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life... or any proceeding for any offense committed or alleged to have been committed by such person...”
— RA 10173, Section 3(l)

Examples of SPI include:

Public disclosure without consent or legal authority is prohibited.

Common Privacy Violations in Campus Social Media Use

| Scenario | Violation | Legal Reference |
| --- | --- | --- |
| Posting class rankings on Facebook | Unauthorized processing | RA 10173, Section 11 (Principles), Section 12 (Lawful Processing) |
| Publishing COVID-19 status of students | Unauthorized SPI disclosure | RA 10173, Section 13 (SPI Processing) |
| Sharing screenshots of student complaints | Improper purpose, unauthorized disclosure | IRR of RA 10173, Section 34(b) (Right to Object) |

Best Practices for Privacy-Compliant Social Media Use

  1. Secure Prior Consent – Always obtain clear, valid consent before posting identifiable photos or names.
    “Consent must be obtained prior to the sharing of photos and videos that may contain personal data.”
    (NPC, Reminder on Sharing Photos and Videos, Jan. 11, 2024)
  2. Anonymize or Redact Personal Identifiers – Only necessary details should be shared. Avoid revealing full names or faces unless needed and permitted.
    “Personal data shall be adequate, relevant, suitable, necessary and not excessive in relation to the declared purpose.”
    — RA 10173, Section 11(d)
  3. Restrict Posting Rights – Allow only trained staff to manage social media content to reduce risk of privacy violations.
    “Organizational security measures shall include measures to ensure that only authorized personnel have access to personal data, and that such personnel are properly trained.”
    — IRR of RA 10173, Section 26
  4. Include Privacy Notices in Forms – Event registration and media release forms should include a privacy notice explaining data use. All online registration or event forms must state how collected data will be processed.
  5. Avoid Posting SPI Without Legal Basis – Never post sensitive personal data like grades or medical info without the data subject’s explicit and informed consent.
    “The processing of sensitive personal information... shall be prohibited, except in the following cases: (a) When the data subject has given his or her consent...”
    — RA 10173, Section 13

Sanctions for Violations

Improper social media use resulting in data breaches can lead to:

References

  1. Republic Act No. 10173 – Data Privacy Act of 2012
  2. Implementing Rules and Regulations of RA 10173 (2016)
  3. NPC Circular No. 2023-04 – Guidelines on Consent
  4. National Privacy Commission. Reminder on Sharing Photos and Videos Containing Personal Data. Published January 11, 2024
  5. NPC Advisory Opinions and Privacy Tools