Privacy Starts Local: Strengthening Data Privacy One LGU at a Time

Data protection is now a fundamental right in many countries—and a government obligation—yet many local government units (LGUs) remain ill-equipped to uphold it. Limited resources, competing priorities, and institutionalized unsound practices all widen this gap.

To address this, the Foundation for Media Alternatives (FMA) launched Privacy Starts Local: Advancing Data Protection for Good Governance and Empowered Communities, a project aimed at building the data protection capacity of public servants at the grassroots level. FMA works with a pool of subject-matter experts and advisers to deliver privacy training and consultations that help LGUs build their own privacy programs. LIGHTS Institute is one of the organizations in this pool, and I am honored to be among its resource persons.

 Click on the photos to expand and navigate.

The first LGU to take up the challenge is the City Government of Naga. Prior to the signing of a formal Memorandum of Agreement, the City and FMA held a two-day training on February 23–24, 2026 at the PAGCOR Events Center, gathering heads and representatives from its various offices alongside its data protection officer.

I was assigned to cover two sessions: privacy impact assessment (PIA) and data subject rights. The engagement felt particularly significant because data privacy issues in LGU operations touch communities directly, including the most vulnerable sectors — which made it all the more important for participants to fully grasp the implications of these topics.

In the PIA session, participants worked through an exercise to identify vulnerabilities in and threats to their operations and found that many issues cut across departments. They also surfaced a structural challenge: certain national government policies require LGUs to process personal data in ways where risks are already known but difficult to mitigate locally. While we were not able to conduct a full PIA, the exercise demonstrated the value of identifying privacy risks before processing begins, and underscored how poor policy decisions at the national level cascade downward.

The session on data subject rights opened with a candid observation from me: despite being at the core of data privacy law, it is among the most neglected compliance elements. Participants initially found the concept unfamiliar — then recognized they were already upholding several of these rights in their day-to-day work without realizing it. Scenario-based exercises revealed that while participants could resolve some requests correctly, a deeper understanding of the grounds for invoking and rejecting rights is still needed, particularly where overlapping and contradictory policy requirements complicate decisions.

The training concluded with a group activity facilitated by FMA and the resource speakers, where participants drafted an initial compliance roadmap to guide their next steps toward a full privacy program.

I would consider the event a success. More than anything, participants left with a shared understanding: data privacy matters, and making it work requires commitment from the entire organization.

But this is only the beginning. A second batch of participants from the city is scheduled for training in April, and discussions on establishing a Data Privacy Council and developing a formal Privacy Program are underway. I hope that Naga's example will draw other LGUs to partner with FMA and take on the same endeavor.

Waiting for change to come from the top may be a long wait. Advancing it one local government at a time is a more practical — and perhaps more powerful — path forward. It may take just one LGU to spark a movement for stronger data protection across the country.