BLOG 2: Countermeasures to take as a DPO


Statement:

          A state university in Mindanao digitized its student records to increase its productivity. The university's IT department developed an online student portal so that all students can view their enrollment information. Besides enrollment information, the portal also displays each student's grades and personal data. However, because of inadequate security measures, most probably on the part of the university body and its Data Protection Officer (DPO), a student unintentionally discovered a flaw in the portal's public access controls. The student found that they could view other students' information, including their personal details, grades, names, and even contact details, simply by changing a few numbers in the web address (URL).

          This incident happened because the university neglected to implement appropriate access control over its most crucial asset, data, so the student records were compromised by exposure to unauthorized access. Furthermore, the university failed to disclose to the students that their information was highly vulnerable to hazards arising from the system, or what measures were being taken to safeguard their personal data. Additionally, no assessment was conducted to determine whether the site complied with data protection regulations before it was introduced and launched, which eventually resulted in a data breach. As a result, the students' privacy was violated when most of their information was made public without proper precautions and protection.

          Following the student's complaint, the NPC investigated the matter and discovered that the university had handled the students' data carelessly. Consequently, the university was mandated to address the security vulnerability and promptly inform the impacted students of the incident.


The question:

If you were the university, what short-term and long-term steps would you take to guarantee adherence to RA 10173 and stop data breaches in the future?


Technological advancements are a double-edged sword in an era of rapid digitization, especially within public institutions like state universities. While they offer improved productivity and efficiency, they also open doors to vulnerabilities if not properly secured. This blog entry reflects on a data privacy incident involving a state university in Mindanao, where a poorly secured student portal led to a serious data breach.

As the Data Protection Officer (DPO), I take this opportunity to articulate a comprehensive response plan, both short-term and long-term, to mitigate the damage, uphold the Data Privacy Act of 2012 (RA 10173), and, most importantly, rebuild trust in our institution's governance practices.


The university's transition to a digitized student information system was well-intentioned. The IT department designed a student portal to allow enrollees to access their academic records, grades, and personal information. However, a critical failure occurred: due to the absence of sufficient access control mechanisms, one student was able to access the personal data of others simply by modifying the URL, an attack vector known as Insecure Direct Object Reference (IDOR).

Exposed data included sensitive personal information such as names, addresses, contact numbers, student IDs, and academic performance records. This constitutes a serious violation of students' privacy and represents unauthorized processing and exposure of personal and sensitive personal information under RA 10173.


Short-Term Measures (Crisis Response & Containment)

As the DPO, my first obligation is to immediately contain the breach and fulfill our legal obligations to data subjects and regulators. The following actions must be taken within the first 72 hours of discovery:

1. Immediate Takedown and Containment

  • Suspend access to the student portal to prevent further unauthorized access.
  • Isolate the vulnerability and conduct a forensic audit to determine the full scope of the breach.
  • Work with the IT department to patch the IDOR vulnerability and apply temporary access control mechanisms (e.g., IP blocking, token-based authentication, session timeouts).

2. Data Breach Notification

  • Notify the National Privacy Commission (NPC) within 72 hours, as NPC Circular 16-03 requires.
  • Provide the NPC with an initial breach report including:
    • Nature of the breach.
    • Number of affected data subjects.
    • Types of personal data involved.
    • Measures taken so far.
    • Contact details of the DPO for further correspondence.

3. Informing Affected Students

  • Send personalized notifications to all affected students informing them of:
    • What data was exposed.
    • How the breach happened.
    • What they should do (e.g., monitor their accounts and report suspicious activity).
    • What the university is doing in response.
  • Provide a breach helpdesk (hotline/email/chatbot) to address individual concerns.

4. Conduct an Internal Data Privacy Audit

  • Review system logs to determine whether the vulnerability was actually exploited:
    • Who accessed what information and when.
  • Determine if there was intentional exploitation or malicious use of the data.

5. Legal Compliance and Risk Mitigation

  • Coordinate with legal counsel to assess the potential for civil or criminal liabilities.
  • Ensure compliance with RA 10173, especially Sections 11–22 on the rights of data subjects and obligations of personal information controllers (PICs).

6. Public Disclosure with Transparency

  • Publish a public statement acknowledging the breach, apologizing for the oversight, and summarizing corrective actions.
  • Emphasize that the institution is taking accountability and concrete steps moving forward.


Long-Term Measures (Governance, Policy, and Prevention)

Once the breach is contained and immediate risks are mitigated, our attention must turn to long-term institutional reforms to prevent future incidents and establish a culture of data protection.

1. Institutionalize a Comprehensive Data Privacy Program

  • Develop and implement a Data Privacy Management Program (DPMP) in line with NPC Advisory No. 2017-01.
  • Core elements should include:
    • Governance structure.
    • Privacy policies and manuals.
    • Risk management.
    • Training and awareness.
    • Breach management procedures.
    • Continuous improvement mechanisms.

2. Revise and Enforce Access Control Policies

  • Implement Role-Based Access Control (RBAC) so users can only view data appropriate to their identity and role.
  • Incorporate Multi-Factor Authentication (MFA) for system administrators and users accessing sensitive data.
  • Enforce session expiration, account lockouts, and activity logging.

3. Conduct Regular Privacy Impact Assessments (PIAs)

  • Mandate PIAs for all existing and future systems processing personal data.
  • A PIA should identify:
    • Privacy risks and vulnerabilities.
    • Impact on data subjects.
    • Necessary security and organizational safeguards.

4. Establish Secure System Development Practices

  • Adopt a Secure Software Development Life Cycle (SSDLC) framework, integrating privacy and security from design to deployment.
  • Ensure developers are trained in secure coding practices (e.g., the OWASP Top 10).
  • Conduct code reviews, vulnerability scanning, and penetration testing before any production launch.

5. Staff Capacity Building and Training

  • Roll out mandatory data privacy training for all university employees, especially those handling student data.
  • Conduct specialized workshops for:
    • IT and DevOps teams on secure coding and incident response.
    • Faculty on student data confidentiality.
    • Administrative staff on lawful processing and data sharing.

6. Appoint Privacy Champions in Each Department

  • Designate Departmental Privacy Coordinators who report to the DPO.
  • They act as the first line of defense for identifying potential risks and escalating concerns.

7. Revamp the Data Sharing and Retention Policy

  • Create clear protocols for:
    • When and how personal data can be shared (internally and externally).
    • Data retention schedules per type of record.
    • Secure disposal of outdated or irrelevant records.

8. Implement Data Encryption and Logging

  • Encrypt personal and sensitive personal data at rest and in transit.
  • Maintain detailed audit logs of all user access and data modification activities for at least one year.
  • Regularly monitor logs for suspicious behavior.
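The IDOR flaw described earlier, the role-based access control fix from section 2 and the audit logging and monitoring of section 8 can be seen together in one small model of the portal's record lookup. This is an added illustration, not the university's code; the student numbers, records, roles and the "suspicious user" threshold are constructed for the example.

```python
from typing import Optional

# Constructed sample records standing in for the student information system.
STUDENT_RECORDS = {
    "2021-0001": {"name": "Student A", "grade": 1.25, "contact": "a@example.edu"},
    "2021-0002": {"name": "Student B", "grade": 2.00, "contact": "b@example.edu"},
}
AUDIT_LOG: list = []  # one entry per access decision (section 8 of the plan)


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested record."""


def get_record_vulnerable(session: dict, student_id: str) -> Optional[dict]:
    """The flawed pattern from the incident: the id in the URL is trusted as-is,
    so any logged-in student can read any other student's record."""
    return STUDENT_RECORDS.get(student_id)


def get_record(session: dict, student_id: str) -> dict:
    """Hardened lookup: authorize against the session (who the caller is and
    their role), never against the URL alone, and record every decision."""
    role, user = session["role"], session["user_id"]
    # RBAC rule: students see only their own record; registrar/admin see any.
    allowed = (role == "student" and user == student_id) or role in {"registrar", "admin"}
    AUDIT_LOG.append({"user": user, "role": role, "target": student_id, "allowed": allowed})
    record = STUDENT_RECORDS.get(student_id)
    if not allowed or record is None:
        # One generic refusal for "not yours" and "no such id", so the response
        # does not reveal which student numbers exist.
        raise Forbidden("record not available")
    return record


def suspicious_users(log: list, max_distinct: int = 2) -> set:
    """Monitoring rule over the audit log: flag principals that were refused
    access or that touched more distinct records than a normal user would,
    the footprint left when someone walks through student ids."""
    denied = {e["user"] for e in log if not e["allowed"]}
    targets: dict = {}
    for e in log:
        targets.setdefault(e["user"], set()).add(e["target"])
    walkers = {u for u, seen in targets.items() if len(seen) > max_distinct}
    return denied | walkers
```

In a real deployment the session would come from the server-side session store and the audit entries would be written to tamper-evident storage and reviewed on a schedule, as the retention and monitoring bullets above require.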

9. Promote Student Awareness

  • Run privacy literacy campaigns targeting students to educate them on:
    • Their rights under RA 10173.
    • Best practices for digital self-protection.
    • How to report data privacy violations.

10. Formalize Breach Response Plans

  • Create a Data Breach Response Manual, including:
    • Incident detection and escalation matrix.
    • Roles and responsibilities.
    • Templates for breach reports and notification letters.
  • Conduct simulated breach drills to evaluate preparedness.

11. Secure Third-Party Agreements

  • Review and revise contracts with third-party service providers to ensure:
    • Inclusion of Data Sharing Agreements (DSAs) and Data Processing Agreements (DPAs).
    • Clear accountability for data breaches and remedies.

12. Regularly Engage with the NPC

  • Submit Annual Security Incident Reports and maintain open communication.
  • Attend NPC webinars, conferences, and consultations to stay updated on compliance trends and expectations.


Institutional Accountability and Cultural Reform

No technological upgrade or checklist is complete without a change in mindset. The breach reflects a systemic undervaluing of data protection at the leadership level. As DPO, it is imperative to advocate for:

  • Privacy by Default and by Design principles in all administrative and academic processes.
  • A “no launch without compliance” policy for any new digital system.
  • An institutional culture where data privacy is seen not as a compliance burden but a human right.

This requires the active involvement of:

  • University President and Board of Regents.
  • Vice Presidents, Deans, and Department Chairs.
  • Student Government and stakeholders.


Conclusion

This incident was a wake-up call, a painful but necessary lesson in the importance of securing digital infrastructure before deployment. As the DPO, my mission is not merely to react to breaches, but to prevent them, educate the community, and cultivate an environment where data privacy is non-negotiable.

The road ahead will involve investment in technology, training, policies, and people, but above all, it requires commitment. A single lapse in access control compromised hundreds of students. But with decisive leadership and a well-designed roadmap, this university can emerge stronger, wiser, and more privacy-conscious than ever before.


