CONDUCT A PRIVACY RISK OR IMPACT ASSESSMENT

Pillar 2

A Privacy Impact Assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, program, software module, device or other initiative that processes personal information and, in consultation with stakeholders, for taking actions as necessary to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example measures arising from the use of an information security management system (ISMS) as described in ISO/IEC 27001.

A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed. Initiatives vary substantially in scale and impact.

This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance cannot be specific to every circumstance, the guidance in this document should be interpreted with respect to the individual circumstances of each initiative. A Personal Information Controller may have a responsibility to conduct a PIA and may request a Personal Information Processor to assist in doing so, acting on the Personal Information Controller's behalf. A Personal Information Processor or a third party may also wish to conduct their own PIA.

Privacy Impact Assessment Guide

I. Project/System Description

a. Description

Describe the program, project, process, measure, system or technology product and its context. Define and specify what it intends to achieve. Consider the pointers below to help you describe the project.

  • Brief description of the project/system
    – Describe the process of the project
    – Describe the scope and extent
    – Any links with existing programs or other projects
  • The project/system's overall aims (purpose of the project/system)
    – What does the project/system aim to achieve?
    – What are the benefits for the organization and for the data subjects?
  • Any related documents that support the project/system
    – Project/System Requirements Specification
    – Project/System Design Specification
    – Any other related documents

b. Scope of the PIA

This section should explain what part or phase of the program the PIA covers and, where necessary for clarity, what it does not cover.

  • What will the PIA cover?
  • What areas are outside scope?
  • Is this just a "desk-top" information-gathering exercise, or do I have to get information from a wide variety of sources?
  • Who needs to be involved and when will they be available?
  • Where does the PIA need to fit in the overall project plan and timelines?
  • Who will make decisions about the issues identified by the PIA? What information do they need and how long will it take to get sign-off from them?
  • Do I need to consult with anyone (for instance the individuals whose personal information the project will involve)? When and how should this happen?
  • Are there any third parties involved and how long do I need to allow for them to play their part?


II. Threshold Analysis

The following questions are intended to help you decide whether a PIA is necessary. Answering ‘yes’ to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.

a. Will the project or system involve the collection of new information about individuals?
O No O Yes

b. Is the information about individuals sensitive in nature and likely to raise privacy concerns or expectations, e.g. health records, criminal records or other information people would consider particularly private?
O No O Yes

c. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
O No O Yes

d. Will the initiative require you to contact individuals in ways which they may find intrusive?
O No O Yes

e. Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
O No O Yes

f. Does the initiative involve you using new technology which might be perceived as being privacy intrusive (e.g. biometrics or facial recognition)?
O No O Yes

g. Will the initiative result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
O No O Yes

h. Were the personal data collected prior to August 2016?
O No O Yes


III. Stakeholder(s) Engagement

State all project stakeholders consulted in conducting the PIA and identify which part each was involved in. (Describe how stakeholders were engaged in the PIA process.)


IV. Personal Data Flows

  • Objective: To identify the flows of personal information under assessment.
  • Input: Description of the process and information system to be assessed.
  • Expected output: Summary of findings on the flow of personal information within the process.
  • Actions: The person responsible for conducting the PIA should consult with others in the organization, and perhaps external to the organization, to describe the personal information flows and specifically:
    – how personal information is collected and from what source;
    – who is accountable and who is responsible within the organization for the personal information processing;
    – for what purpose personal information is processed;
    – how personal information will be processed;
    – the personal information retention and disposal policy;
    – how personal information will be managed and modified;
    – how personal information processors and application developers will protect personal information;
    – any transfer of personal information to jurisdictions where lower levels of personal information protection apply;
    – where applicable, notification of the relevant authorities of any new personal information processing, and the approvals that must be sought.

The output of this step, in terms of the flow of personal information, should be documented in the PIA report.

  • Implementation Guidance:

Use of personal information (or transfer of personal information) may include approved data sharing flows of personal information to other parties.

As an input to the PIA, the organization should describe the information flow in as detailed a manner as possible to help identify potential privacy risks. The assessor should consider the impacts not only on information privacy but also with respect to other privacy-related regulations, e.g. telecommunications acts. The whole personal information life cycle should be considered.

Identify the personal data involved and describe the data flow from collection to disposal by answering the questions below.

What personal data are being or will be processed by this project/system?

List all personal data (e.g. full name, address, gender, phone number) and state which items are sensitive personal information (e.g. race, ethnicity, marital status, health, genetic data, government-issued identification numbers). The data listed here are the subject of the life-cycle questions that follow.

Collection
1. State who collected or will be collecting the personal information and/or sensitive personal information.
2. How is the personal information/sensitive personal information collected, and from whom?
   » Is personal information collected from a source other than the individual?
3. What is/are the purpose(s) of collecting the personal data?
   » Be clear about the purpose of collecting the information.
   » Are you collecting only what you need?
4. How was or will consent be obtained?
   » Do individuals have the opportunity and/or right to decline to provide data?
   » What happens if they decline?

Storage
1. Where is it currently being stored?
   » Is it stored on a physical server or in the cloud?
2. Is it stored in another country?
   » If it is subject to a cross-border transfer, specify the country or countries.
3. Is the storage of data outsourced?
   » Specify whether storage is done in-house or handled by a service provider.

Usage
1. How will the data be used, or what is the purpose of its processing?
   » Describe how the collected information is being used or will be used.
   » Specify the processing activities in which the personal information is used.

Retention
1. How long are the data retained, and why?
   » State the period for which the data are retained.
   » What is the basis for retaining the data that long? Specify the reason(s).
2. Are the data retained by the organization, or is retention outsourced?
   » Specify whether retention is done in-house or handled by a service provider.

Disclosure/Sharing
1. To whom are the data disclosed?
2. Are the data disclosed outside the organization, and why?
   » Specify whether the personal information is shared outside the organization.
   » State the reasons for disclosing the personal information.

Disposal/Destruction
1. How will the data be disposed of?
   » Describe the process for disposing of the personal information.
2. Who will carry out the destruction of the data?
   » State whether the process is managed in-house or by a third party.


V. Privacy Impact Analysis

Each program, project or means for collecting personal information should be tested for consistency with the following Data Privacy Principles (as identified in Rule IV of the Implementing Rules and Regulations of Republic Act No. 10173, known as the "Data Privacy Act of 2012"). Respond to each question by checking either the "Yes" or "No" column and/or listing what the answer indicates.


VI. Privacy Risk Management

For the purpose of this section, a risk refers to the potential of an incident to result in harm or danger to a data subject or to the organization. Risks include those that could lead to the unauthorized collection, use, disclosure of, or access to personal data; risks that the confidentiality, integrity and availability of personal data will not be maintained; and the risk that processing will violate the rights of data subjects or the privacy principles (transparency, legitimacy and proportionality).

The first step in managing risks is to identify them, including the threats and vulnerabilities behind them, and to evaluate the impact and probability of each.

The following definitions are used in this section:
Risk - "the potential for loss, damage or destruction as a result of a threat exploiting a vulnerability";
Threat - "a potential cause of an unwanted incident, which may result in harm to a system or organization";
Vulnerability - "a weakness of an asset or group of assets that can be exploited by one or more threats";
Impact - the severity of the harm (injury) that might arise if the event does occur (can be ranked from trivial to major); and
Probability - the chance or likelihood of the event happening.


VI. Privacy Risk Management

For each of the risks identified in the previous section, identify the recommended solution or mitigation measures. Existing controls that already treat a risk can be cited in the same column.
