Data privacy has become a primary concern globally in recent years, including in the Philippines, which enacted Republic Act 10173 (RA10173) (Philippine Fifteenth Congress, 2012), more commonly referred to as the Data Privacy Act of 2012. However, the National Privacy Commission (NPC) was only established in early 2016, and the Implementing Rules and Regulations of RA10173 only became enforceable in September 2016 (NPC, 2016a). Several years into the implementation and enforcement of the regulation, companies and institutions experienced varying levels of success due to their differing background, status, sector, data processed, and capability (Fabito et al., 2018; Gonzales & Ching, 2018; Tirante & Ching, 2018). One sector that encountered greater difficulty is the education sector, where the data processed, capability, and background do not immediately relate to such types of compliance efforts (Alqatawna, 2014; Archuleta, 2006; Doce & Ching, 2018; Presbitero & Ching, 2018). Traditional approaches to implementing compliance, such as the adaption of available industry standards and practices, encountered conflicts in the education sector due to challenges in awareness, capability, and customization of practices to consider nuances that are unique to higher education institutions, or colleges and universities, in the sector (DP Council Education Sector, 2020; Huang et al., 2020; Natonton, 2018; Ulven & Wangen, 2021). The study aimed to contextualize existing industry guidance to the operating environment of a private university in the Philippines. It aimed to address the evident gap to compliance by using information governance for a holistic approach, combined with a maturity model for a calibrated approach that factors in constraints in the sector.
The study also focuses on private universities as the target domain, where the challenges of the sector, such as the existence of academic freedom, are more evident (Beiter et al., 2016; Constitutional Commission, 1986; Frank & Melanie, 2014). Through analysis of existing literature, including industry standards, issuances from the NPC, related documents, and a case study, the study developed a maturity-modelled toolkit based on information governance to provide calibrated practice requirements for each governance domain and maturity level to a Philippine private university. To assist the university in its journey to compliance, the toolkit, serving as a roadmap and a self-assessment monitoring tool, incorporates a document of the guidance; a spreadsheet-based tool with baseline data classifications and alignment to regulatory and industry standards requirements, to be used for monitoring the level of compliance; sample process flow diagrams in Business Process Management Notation (BPMN) to support automation requirements; and sample templates and advisories specific to the context of universities. To determine the applicability and alignment of the toolkit to the sector, the study utilized an iterative mixed method seeded by information from existing industry frameworks and a case study, where initial outputs were evaluated by the regulator, industry practitioners, education sector data protection officers, and stakeholders within the university. One common suggestion that surfaced was to provide additional and more specific examples or cases to help guide the user of the guidance. Their feedback was considered and used to realign the study from a purely guidance document to the development of the final toolkit, which was reviewed again by similar respondents. The final set of respondents agreed that the spreadsheet format improves the usability of the guidance and is still useful even if the compliance journey has already started.
Feedback showed that the toolkit is a step in the right direction but still needs to continuously evolve to consider constant changes in regulations and be further simplified to improve its usability. Also, the current toolkit only provided ‘guidance on practices’ statements for one domain in the information governance framework. Future studies can consider completing the ‘guidance on practices’ for all domains of information governance and integrating design thinking both in the design of the toolkit and in the ‘guidance on practices’ statements. The study showed that a holistic, contextualized, and calibrated guidance and toolkit addresses the gap between high-level compliance and policy statements and operationalizing and executing the policies, considering the nuances of the sector. Such an approach can be applied to other sectors, as it serves as a proof-of-concept for sharing accepted practices. Having developed the structure of the toolkit, future studies can investigate sector-driven contributions that originate directly from the community through an evolutionary process, allowing the toolkit to evolve as the environment and context change over time. A risk-based approach can also be incorporated beyond a maturity model to further complement the toolkit’s ability to calibrate to the specific needs of a sector and organization.
| Date of Award | 2024 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Supervisor | Sarah Higgins (Supervisor) & Jonathan Davies (Supervisor) |
- data protection
- data privacy
- maturity model
- information governance
- education sector compliance
- information security
A maturity model toolkit on information governance for Philippine Universities to aid in implementing compliance to the Data Privacy Act of 2012 (RA10173) of the Republic of the Philippines
Cheng, D. (Author). 2024
Student thesis: Doctoral Thesis › Doctor of Professional Studies