Data Privacy for Student Grades in the Philippines
A comprehensive legal primer (updated 30 April 2025)

1 | Why student grades are a privacy issue

Under section 3(l)(2) of the Data Privacy Act of 2012 (RA 10173, “DPA”), “education, academic or professional records” are Sensitive Personal Information (SPI). Grades therefore enjoy the highest level of statutory protection; any handling of them triggers the stricter requirements and penalties that apply to SPI. (Republic Act 10173 - Data Privacy Act of 2012)

2 | Governing legal framework

Level	Instrument	Key provisions on grades
Statute	RA 10173 (DPA)	§3(l)(2) SPI; §11–13 lawful criteria; §16 data-subject rights; §20 security measures; §§28-34 penalties. (Republic Act 10173 - Data Privacy Act of 2012, [

Republic Act 10173 - Data Privacy Act of 2012 - National Privacy CommissionNational Privacy Commission    ](https://privacy.gov.ph/data-privacy-act/)) |

| Regulations | IRR of RA 10173 (2016, as amended) | Rule IV principles (transparency, legitimate purpose, proportionality); Rule XII penalties for SPI breaches. ([PDF] IMPLEMENTING RULES AND REGULATIONS OF REPUBLIC ACT ...) | | Sectoral rules – Basic Ed. | DepEd Order 54 s. 2016 (records transfer); DepEd Order 35 s. 2022 (enrolment data disposal); DepEd Order 18 s. 2021 (publication of awardees); DepEd DO 19 s. 2021 (FOI & privacy) (DO 54, s. 2016 – Guidelines on the Request and Transfer of Learner’s School Records | Department of Education, [PDF] DO_s2022_035.pdf - DepEd, [PDF] 'tffii - DepEd) | | Sectoral rules – Higher Ed. | CHED forms & memoranda include privacy clauses (e.g., CAV form) and require HEIs to observe the DPA when transmitting grades to CHED. ([PDF] Certification, Authentication & Verification (CAV) Form - chedro3) | | NPC issuances | Advisory Opin. 2020-046 (posting class lists & screenshots); Education-sector Bulletin No. 16 (online-learning dos & don’ts) ( NPC PHE BULLETIN No. 16: Privacy Dos and Don’ts for Online Learning in Public K-12 Classes - National Privacy CommissionNational Privacy Commission ) | | Case law / enforcement | NPC RJC v. DL (2022) – unlawful disclosure of a student’s grades; SC Bar Matter 4968 (2024) – bar-exam scores deemed SPI. ([PDF] RJC, Complainant, -versus- DL, Respondent. x, SC: Individual Bar Exam Score Cannot Be Disclosed Without Examinee’s Consent – Supreme Court of the Philippines) |

3 | Lawful bases for processing grades

Because grades are SPI, processing must satisfy §13 DPA in addition to §12. The most common bases are:

Statutory or regulatory mandate – public schools fulfill a legal duty (§13(b)).
Contract with the student – private schools may rely on §12(b) plus §13(a) (explicit consent) to the extent the contract (student handbook/enrolment agreement) is specific about grade processing.
Parental consent for minors – IRR §54 requires consent to be given by parents/guardians for students below 18 unless another §13 ground applies.
Data-subject consent – required for disclosures outside the original purpose (e.g., giving a recruiter direct access to class standings).

4 | Data-subject rights

Students (or parents, if the student is a minor) may:

Access and obtain a copy of their grades (§16(b)).
Rectify computation errors (§16(c)).
Block or erase grades processed without a valid basis (§16(e)).
Object to onward disclosures that are not “compatible” with the original purpose (§16(d)).

Schools must act on requests within 15 days or explain the lawful ground for refusal, mindful of academic-freedom limits.

5 | Obligations of schools and teachers

Area	Minimum compliance steps
Governance	Appoint a Data Protection Officer and register data-processing systems with the NPC (IRR Rule VI).
Privacy notices	Publish learner-facing notices (DepEd, CHED, HEI examples) specifying why grades are collected, where they are stored, and how long they are kept. ([Data Privacy Notice
Security	Apply organisational, physical, and technical controls (§20 DPA). DepEd Order 35-2022 mandates shredding of paper enrolment forms once encoded. ([PDF] DO_s2022_035.pdf - DepEd)
Retention & disposal	Keep report cards/Form 138 for two years after graduation; Form 137 (permanent record) is retained indefinitely (DepEd Order 54-2016). ([DO 54, s. 2016 – Guidelines on the Request and Transfer of Learner’s School Records
Training & policies	Follow NPC Bulletin 16 for online-learning etiquette; integrate rules on screenshots, webcam use, and posting of scores. ([

NPC PHE BULLETIN No. 16: Privacy Dos and Don’ts for Online Learning in Public K-12 Classes - National Privacy CommissionNational Privacy Commission    ](https://privacy.gov.ph/npc-phe-bulletin-no-16-privacy-dos-and-donts-for-online-learning-in-public-k-12-classes/)) |

| Data-sharing agreements | Execute written DSAs when transmitting grades to CHED, TESDA, scholarship boards, etc., incorporating IRR §9 and NPC Circular 2021-01 templates. |

6 | Typical disclosure scenarios

Scenario	Is it allowed?	Conditions / Best practice
Handing report cards to parents of minors	Yes	Parents have a statutory right; no consent needed. (Can schools share students' grades with their parents without ...)
Posting honor-roll lists on a public bulletin board	Generally discouraged	NPC AO 2020-046 says posting names + grades online or in a public area needs consent or another §13 ground and must pass the proportionality test.
Uploading grades to an LMS	Yes	Ensure platform has appropriate security clauses; restrict visibility to the data subject.
Sharing class rankings with recruiters	Not without consent	Aggregated or anonymised data is preferred (cf. SC Bar Matter 4968). (SC: Individual Bar Exam Score Cannot Be Disclosed Without Examinee’s Consent – Supreme Court of the Philippines)
Responding to FOI requests	Generally exempt	DepEd DO 19-2021 recognises DPA exceptions; release only anonymised statistics. ([PDF] 'tffii - DepEd)

7 | Enforcement landscape and penalties

NPC trends – Education ranked 3rd-highest sector for breach notifications in 2024. (dbnmslivestats - National Privacy Commission)
Recent ruling (RJC v. DL) – College official fined and ordered to implement additional controls after emailing a student’s grades to an external office without consent. ([PDF] RJC, Complainant, -versus- DL, Respondent. x)
Criminal exposure – unauthorised disclosure of SPI is punishable by 3–5 years’ imprisonment and up to ₱2 million fine (IRR §59[b]).

8 | Emerging issues (2025 onward)

AI-driven analytics – Schools using predictive-grading tools must conduct a Privacy Impact Assessment and ensure outputs cannot re-identify students.
Remote-proctoring data – NPC positions treat full video recordings that capture grade-related assessments as SPI; consent and strict retention limits are mandatory.
Cross-border EdTech – Export of grades to cloud servers outside the Philippines triggers DPA §21 on data-export restrictions and requires ensuring “substantially similar” protection.

9 | Quick compliance checklist for schools

Designate and empower a DPO
Publish a clear Grade-Processing Privacy Notice
Collect only data points needed for assessment (proportionality)
Restrict grade access to teachers and authorised staff (need-to-know)
Encrypt digital gradebooks; lock physical cabinets
Use unique student identifiers instead of full names in analytics exports
Obtain specific consent before any public disclosure
Dispose of temporary grade documents securely
Document every data-sharing instance in a DSA log
Report breaches to the NPC within 72 hours (§20[f])

10 | Take-aways

The Philippine legal regime recognises student grades as high-risk data. Compliance is not optional: failing to protect or mishandling grades can lead to hefty fines, imprisonment, civil damages, and reputational harm. By embedding privacy-by-design into grading workflows—both traditional and digital—schools can respect learners’ rights while still fulfilling their academic mandate.