The National Privacy Commission on Tuesday said it had summoned the management and other responsible officials of seven schools, institutions and local government units who had reported breaches of their websites on April 1.

In a statement, the privacy body said it earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City, Cavite and Calamba City, Laguna; the province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City, Pampanga; and Laguna State Polytechnic University in Laguna to appear before it from April 23 to April 24.

The officials will be asked to explain why they did not notify the commission and the affected data subjects about the breach since the subjects’ personal data were made available for downloading via links posted on Facebook.

The breaches went unreported for 72 hours.

As of Tuesday, none of the affected organizations had issued any data breach notifications as part of their obligation as Personal Information Controllers (PICs) under the Data Privacy Act of 2012.

“PICs are required to employ organizational, technical and physical measures to protect personal data,” Commissioner Raymund Enriquez Liboro of the privacy body said.

“This includes the duty to inform data subjects and this commission if there is a serious data breach,” Liboro added.

Digital investigators from the National Privacy Commission determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetrate identity fraud; that the exposed data are in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects.

In its initial estimate, the commission said the breaches affected at least 2,000 individual data subjects, exposing their names, addresses, phone numbers, email addresses and, in some instances, even passwords and school details.