Posting the names of qualified university applicants is not automatically a data privacy violation in the Philippines. A university may have a lawful reason to publish a limited list of passers or qualified applicants, especially to inform applicants and maintain transparency in admissions. But it can become a violation of the Data Privacy Act of 2012 if the school publishes more information than necessary, has no lawful basis, fails to inform applicants beforehand, posts the list in an unnecessarily public place, or ignores a valid request to correct, limit, or remove the information.
The practical answer depends on what exactly was posted, where it was posted, why it was posted, and whether the applicants were properly informed. A printed list on a campus bulletin board is treated differently from a searchable Facebook post or public website that can be copied, tagged, shared, indexed by Google, and preserved indefinitely.
The main legal issue: names are personal information
Under Republic Act No. 10173, or the Data Privacy Act of 2012, “personal information” includes information from which a person’s identity is apparent or can reasonably be ascertained. A full name on a university admissions list clearly identifies a person, so it is personal information. “Processing” also includes use, disclosure, storage, and other handling of personal information, so posting a list is a form of processing. (National Privacy Commission)
This means a school cannot simply say, “It is only a name, so the Data Privacy Act does not apply.” The law applies. The better question is whether the posting was lawful, fair, transparent, necessary, and proportionate.
When posting qualified applicants may be allowed
A university may be able to justify posting the names of qualified applicants if all of these are present:
- The list serves a legitimate admissions purpose, such as informing applicants of results.
- The school publishes only the minimum information needed.
- Applicants were informed through a privacy notice, application form, admissions portal, or similar document.
- The posting is limited in time and access as much as reasonably possible.
- The school has a lawful basis under the Data Privacy Act.
- The posting does not include unnecessary sensitive details such as scores, rankings, birthdates, addresses, phone numbers, emails, scholarship status, disability information, religion, citizenship, or family income.
The National Privacy Commission has discussed school practices involving posted class rosters, entrance or qualifying exam information, bulletin boards, official websites, and social media accounts. In NPC Advisory Opinion No. 2020-046, the NPC explained that education-related information may be sensitive personal information, and that posting or disclosure must comply with the lawful grounds under the Data Privacy Act.
Importantly, the NPC distinguished between a simple list of names of entrance exam passers and a list containing more detailed education-related information. It noted that names of entrance exam passers were treated as personal information and may, in appropriate cases, be anchored on the school’s legitimate interest, subject to a three-part test of purpose, necessity, and balance. But more detailed education-related information, such as school name, grade level, section, and test scores, may be sensitive personal information and cannot rely on legitimate interest alone.
When posting names becomes risky or unlawful
Posting may become a data privacy violation when the school does any of the following:
| Situation | Why it is a problem |
|---|---|
| Posts names without any privacy notice or lawful basis | Applicants were not properly informed and the school may not satisfy transparency requirements |
| Publishes entrance exam scores, ranking, grades, school history, or program details unnecessarily | These may reveal education-related sensitive personal information |
| Posts on Facebook or a public website when a private portal or email would work | Public social media creates wider and harder-to-control disclosure |
| Leaves the list online indefinitely | Personal data should not be kept publicly available longer than necessary |
| Includes minors without parent or guardian consent where consent is needed | Minors require greater protection |
| Uses the list for marketing, publicity, or promotional content without clear permission | The purpose changes from admissions notice to publicity |
| Publishes wrong names or outdated results | Data must be accurate and corrected when needed |
| Ignores requests for correction, takedown, or explanation | Data subjects have rights under the Data Privacy Act |
The Data Privacy Act requires processing to follow the principles of transparency, legitimate purpose, and proportionality. Personal information must be collected and used for specified legitimate purposes, processed fairly and lawfully, kept accurate, and be adequate but not excessive for the purpose. (National Privacy Commission)
Legal basis under Philippine law
Data Privacy Act of 2012: RA 10173
For ordinary personal information, such as a name, Section 12 of the Data Privacy Act allows processing only when at least one lawful ground exists. These include consent, contract-related necessity, legal obligation, protection of vital interests, public authority, or legitimate interests that are not overridden by the rights and freedoms of the data subject. (National Privacy Commission)
For sensitive personal information, Section 13 is stricter. Information about a person’s education is classified as sensitive personal information under the law. Processing sensitive personal information is generally prohibited unless a specific Section 13 exception applies, such as specific consent, an applicable law or regulation with safeguards, protection of life and health, legal claims, or provision to public authority. (National Privacy Commission)
This matters because a bare list of names of applicants who passed an entrance exam may be treated differently from a post saying:
- “Qualified applicants for BS Nursing, ranked by entrance test score”
- “Waitlisted applicants from public high schools”
- “Foreign applicants qualified for interview”
- “Scholarship qualifiers based on family income”
- “Applicants with special admission consideration”
Those added details may reveal education, financial, citizenship, or other sensitive information.
Rights of applicants as data subjects
Applicants are data subjects, meaning they are individuals whose personal information is being processed. They have rights under Section 16 of the Data Privacy Act, including the right to be informed, the right to reasonable access, the right to correction, the right to object or seek blocking/removal in proper cases, and the right to lodge a complaint with the National Privacy Commission. (National Privacy Commission)
Constitution and Civil Code
The right to privacy is also protected more broadly under Philippine law. Article III, Section 3 of the 1987 Constitution protects the privacy of communication and correspondence. The Civil Code, particularly Article 26, also recognizes that every person must respect the dignity, personality, privacy, and peace of mind of others, and allows damages, prevention, and other relief for certain privacy intrusions. (Supreme Court E-Library)
In serious cases where public posting causes humiliation, harassment, discrimination, or reputational harm, the issue may go beyond regulatory compliance and may raise possible civil liability.
Public university vs private university: does it matter?
Yes, but only partly.
A public university may have a stronger argument when posting is tied to its charter, public mandate, admissions transparency, or government rules. For example, the University of the Philippines privacy notice states that UP may post the list of students qualified to enroll and waitlisted applicants online or on bulletin boards pursuant to its Charter functions and transparency in admissions. (privacy.up.edu.ph)
But this does not mean every public university can publish anything it wants. Even a public institution must still observe proportionality, transparency, security, and proper retention.
A private university may rely on legitimate interest, contract-related necessity, or consent, depending on the exact data and purpose. But if the post includes sensitive education-related information, the school must look to the stricter grounds under Section 13, not merely “legitimate interest.”
Bulletin board, website, Facebook page, and admissions portal are not the same
The place of posting matters.
A list posted on a physical bulletin board inside the admissions office is relatively limited. A list posted on Facebook, TikTok, Instagram, or a public website is much broader. It can be shared, screenshotted, commented on, indexed, tagged, downloaded, and reposted by people who have no legitimate admissions-related reason to see it.
The NPC has specifically noted that posting on a physical school bulletin board has a different context from posting on a publicly accessible website or social media platform.
As a practical rule, the wider the audience, the stronger the school’s justification must be.
The safest way for schools to release admissions results
A privacy-friendly university admissions process usually uses one of these methods:
Private applicant portal Applicants log in using their application number, email, password, or one-time code.
Individual email or SMS notice The university sends results privately to the applicant’s registered contact details.
Application numbers instead of full names This is safer if only the applicant can connect the number to the identity.
Limited public list with minimal data If public posting is truly necessary, publish only what is needed, such as full name or application number, with no scores, ranking, address, contact details, birthdate, or other unnecessary identifiers.
Short retention period Remove the list after the confirmation or enrollment deadline.
No search indexing Public webpages should ideally be configured so they do not remain searchable long after the admissions cycle.
Clear privacy notice before application Applicants should know, before submitting their application, whether their name may be published if they qualify.
What applicants and parents can do if their name was posted
1. Check exactly what was posted
Before concluding that there is a violation, identify the exact content.
Ask:
- Was it only your name?
- Did it include your application number?
- Did it include your score, rank, strand, school, age, address, email, or phone number?
- Did it reveal scholarship status, family income, disability, religion, nationality, or other sensitive details?
- Was it posted on a campus bulletin board, private portal, official website, or public social media page?
- Is it still online after the admissions deadline?
- Was there a privacy notice or consent clause in the application form?
The strongest complaints usually involve unnecessary details, public social media posting, lack of notice, or refusal to remove/correct information.
2. Preserve evidence before asking for removal
Take screenshots showing:
- the full page or post;
- the date and time;
- the URL;
- the account or page name;
- comments, tags, shares, or public reactions if relevant;
- the personal data shown;
- whether the page is searchable on Google.
If it is a physical bulletin board, take a clear photo showing the location and date if possible. Keep a copy of the application form, privacy notice, consent checkbox, student handbook provision, or admissions instructions.
3. Read the school’s privacy notice
Look for sections on:
- publication of admissions results;
- use of applicant data;
- lawful basis for processing;
- consent;
- disclosure to third parties;
- retention period;
- Data Protection Officer contact details;
- applicant rights.
If the notice clearly says that qualified applicants’ names may be posted for admissions transparency, the school has a stronger position. If there is no notice at all, or if the notice only covers internal admissions processing but not public posting, the school’s position is weaker.
4. Write first to the admissions office and Data Protection Officer
A calm written request is often faster than immediately filing a complaint. Send it to the admissions office and the university’s Data Protection Officer, if listed.
You may write:
I am an applicant whose name appears in your posted list of qualified applicants. Please inform me of the lawful basis for this posting, the purpose of publication, the intended retention period, and whether the list will be removed after the admissions deadline. I am also requesting that any unnecessary personal information be removed or that access be limited, especially because the post is publicly available online.
If the post includes scores, ranking, contact details, or other unnecessary information, say so clearly.
5. Request correction, takedown, or limitation if appropriate
Depending on the facts, you may request:
- correction of a wrong name or status;
- removal of scores, rankings, or unnecessary identifiers;
- replacement of names with application numbers;
- removal from Facebook or other social media;
- de-indexing or takedown after the enrollment deadline;
- explanation of the lawful basis;
- copy of the privacy notice relied upon by the school.
6. Escalate to the National Privacy Commission if unresolved
The National Privacy Commission receives complaints and institutes investigations on matters affecting personal information. Its 2025 Citizen’s Charter states that both Filipino citizens whose personal data are processed and foreign nationals whose personal data are processed in the Philippines may avail of the complaints process.
The NPC’s official complaint page says a formal complaint must use the proper form, be printed, filled out, notarized, and submitted in person, by courier, or by scanned email to the NPC. (National Privacy Commission)
Documents usually needed for an NPC complaint
| Document or evidence | Why it matters |
|---|---|
| Screenshot, printout, or photo of the posted list | Shows what was disclosed |
| URL, date, time, and page/account name | Helps identify the publication |
| Application form and privacy notice | Shows whether you were informed or gave consent |
| Emails or letters to the school | Shows you tried to resolve the issue |
| School’s response or refusal | Helps prove dispute and timeline |
| Valid government ID | Confirms identity of complainant |
| Proof of relationship if parent/guardian files for a minor | Shows authority to act for the child |
| Authorization letter or Special Power of Attorney if represented | Needed if someone files on your behalf |
| Notarized complaint form or complaint-affidavit | Required for formal filing |
| Evidence of harm, if claiming damages | Supports monetary or corrective relief |
The NPC Citizen’s Charter refers to a notarized Complaints-Assisted Form and evidence, with copies depending on the number of respondents, plus file copies. It also lists requirements for representatives and indigent complainants.
For applicants abroad, documents signed outside the Philippines may need consular notarization or proper authentication, depending on the document and where it will be used. Philippine embassies and consulates can notarize private documents such as affidavits and powers of attorney. (Philippine Embassy)
Fees and practical timelines
As of NPC Circular No. 2023-01, the filing fee for complaints is ₱500, with additional fees if damages are claimed. Indigent litigants may be exempt from legal fees if they meet the income and property requirements and submit the required documents, such as a barangay certificate of indigency, notarized affidavits, and tax declaration if any.
In practice:
| Step | Practical timeline |
|---|---|
| School-level email to DPO/admissions | Often a few days to a few weeks |
| Simple takedown or correction | Can be same day if the school agrees |
| Formal NPC complaint preparation | Depends on notarization, documents, and evidence |
| NPC assessment/payment/filing | Initial assessment may be quick, but formal proceedings take longer |
| Full dispute with answer, mediation, investigation, or adjudication | Commonly months, depending on complexity and caseload |
If the post is still public and causing immediate harm, ask for temporary removal or limitation while the school reviews the matter.
Possible consequences for the university
If a university violates the Data Privacy Act, consequences may include:
- orders to remove, correct, block, or limit processing;
- orders to improve privacy notices, policies, and safeguards;
- administrative fines;
- damages or indemnity where legally supported;
- possible criminal liability for serious unauthorized processing or disclosure.
The Data Privacy Act provides criminal penalties for unauthorized processing of personal information and sensitive personal information, including imprisonment and fines. (National Privacy Commission)
The NPC also has guidelines on administrative fines. Under NPC Circular No. 2022-01, grave infractions may carry administrative fines of 0.5% to 3% of annual gross income, while major infractions may carry fines of 0.25% to 2%, subject to the limits and factors in the circular. The total imposable fine for a single act is capped at ₱5,000,000. (National Privacy Commission)
Common real-life scenarios
Scenario 1: The university posted only names of passers on its admissions page
This is not automatically a violation. If the school has a clear privacy notice, a legitimate admissions purpose, and a short retention period, the posting may be defensible.
But the school should still consider safer methods, especially for applicants who have safety, harassment, or personal security concerns.
Scenario 2: The list includes entrance exam scores and rankings
This is much more sensitive. Scores and rankings are education-related information. The school must show a stronger lawful basis, and the publication must be necessary and proportionate. Publicly ranking applicants by score is often harder to justify than simply informing each applicant privately.
Scenario 3: The post is on Facebook and people are tagging or mocking applicants
The school’s original post may be lawful or unlawful depending on the facts, but Facebook greatly increases privacy risk. The school should consider deleting the post, disabling comments, replacing names with application numbers, or moving results to a private portal.
Scenario 4: A parent complains because the applicant is a minor
For minors, the school should be especially careful. If consent is used as the basis, consent should generally come from the parent or legal guardian. The NPC Advisory Opinion on school practices specifically mentions obtaining students’ or legal guardians’ consent where no applicable rules support posting.
Scenario 5: A foreign applicant’s name was posted by a Philippine university
Foreign applicants are also protected when their personal data is processed in the Philippines. The NPC Citizen’s Charter expressly includes foreign nationals whose personal data are processed in the Philippines among those who may avail of the complaints process.
Scenario 6: The applicant agreed to a broad “data privacy consent” checkbox
A checkbox helps the school only if the consent was specific, informed, and freely given for the particular processing. A vague statement such as “I consent to processing of my data” may not be enough to justify public posting on social media, especially if more intrusive methods were available.
The Data Privacy Act defines consent as a freely given, specific, informed indication of will, evidenced by written, electronic, or recorded means. (National Privacy Commission)
Practical checklist for universities
Before posting names of qualified applicants, a university should ask:
- Is public posting truly necessary?
- Can applicants be notified privately instead?
- Did the application form or privacy notice clearly say results may be posted?
- What lawful basis applies?
- Is the list limited to the minimum information needed?
- Are scores, rankings, birthdays, addresses, emails, and phone numbers excluded?
- Are minors involved?
- Are foreign applicants involved?
- Is the post on a controlled official page, not a personal account?
- Is there a takedown date?
- Is there a process for correction, objection, or special safety concerns?
- Has the Data Protection Officer reviewed the method?
A good admissions publication policy usually says:
- what information will be posted;
- where it will be posted;
- why it will be posted;
- how long it will remain available;
- who to contact for privacy concerns;
- what alternative notification method is available.
Frequently Asked Questions
Is posting names of qualified university applicants illegal in the Philippines?
Not automatically. It may be allowed if the school has a lawful basis, publishes only necessary information, informs applicants beforehand, and limits the scope and duration of the posting. It becomes risky if the school posts excessive data, uses public social media without need, or has no privacy notice or lawful basis.
Is my name considered personal information?
Yes. A full name that identifies an applicant is personal information under the Data Privacy Act. Even if a name is not highly sensitive by itself, posting it still counts as processing personal information.
Is admission status sensitive personal information?
It depends on the context. A simple list of entrance exam passers has been treated by the NPC as personal information that may be supported by legitimate interest in proper cases. But when the post includes education-related details such as scores, grades, school information, section, ranking, or similar data, it may involve sensitive personal information about education.
Does the university need my consent before posting my name?
Not always. For ordinary personal information, a university may sometimes rely on legitimate interest, contract-related necessity, legal obligation, or public authority. But if no applicable law or regulation supports the posting, or if the data is sensitive, consent may be necessary. Consent should be specific and informed.
Can the school rely on a student handbook provision?
A handbook provision may help prove notice, but it is not a magic waiver. The provision should be clear, specific, and consistent with the Data Privacy Act. A vague handbook statement cannot automatically justify publishing excessive personal data online.
Is posting on a bulletin board safer than posting on Facebook?
Usually, yes. A campus bulletin board has a more limited audience. Facebook or a public website can be shared, copied, indexed, commented on, and kept indefinitely. The NPC has recognized that a physical bulletin board has a different context from a publicly accessible website or social media platform.
Can I ask the university to remove my name?
Yes, you may request removal, limitation, correction, or an explanation of the lawful basis. Whether the school must remove it depends on the facts, including the lawful basis, the purpose, the amount of data posted, and whether the posting is still necessary.
Can foreign applicants file a complaint with the NPC?
Yes, if their personal data was processed in the Philippines. The NPC complaints process covers foreign nationals whose personal data are processed in the Philippines.
Should I complain to CHED or the National Privacy Commission?
For a data privacy issue, the main agency is the National Privacy Commission. CHED may be relevant if the issue also involves higher education rules, admissions policies, or institutional regulation. In many cases, the first practical step is to write to the university’s Data Protection Officer and admissions office, then escalate to the NPC if unresolved.
Can I claim damages?
Possible, but you need evidence of harm and legal basis. Screenshots, public comments, harassment, loss of opportunity, emotional distress evidence, medical records, or other proof may matter. The NPC fee schedule also imposes additional fees if damages are claimed.
Key Takeaways
- Posting names of qualified university applicants is not automatically illegal in the Philippines.
- A name is personal information, so the Data Privacy Act applies.
- A simple admissions list may be lawful if supported by legitimate interest, consent, legal obligation, public authority, or another lawful basis.
- Posting scores, rankings, school history, financial status, citizenship, or other extra details is much riskier.
- Public Facebook or website posting is more privacy-invasive than a private portal, email, or campus bulletin board.
- Applicants may ask the school for the lawful basis, retention period, correction, limitation, or takedown.
- If unresolved, a complaint may be filed with the National Privacy Commission using the proper notarized forms and supporting evidence.
- Schools should use the least intrusive method: private portals, applicant numbers, short retention periods, and clear privacy notices.