What is a Privacy Impact Assessment or PIA? It is a tool used to identify the potential risks to an individual’s privacy posed by the personal or sensitive personal information held in the agency’s systems, technology, programs, processes or activities.

The PIA shall serve as a guide for organizations; it is through this process that an organization identifies its various privacy risks and decides how to address them. Each organization must ensure that potential privacy risks are identified and properly mitigated.

The conduct and structure of a PIA will always depend on the complexity and intrinsic nature of the organization’s functions and on the projects the organization is undertaking, or plans to undertake, that involve personal and sensitive personal information.

The benefits that organizations may achieve in conducting a PIA may include:

  1. Demonstrating due diligence and providing the evidence of compliance needed to support informed decision-making during the development of business process flows. This can be critical to an organization in the event of a privacy breach or a complaint received by the National Privacy Commission, since it can be a determining factor in evaluating the organization’s liability concerning the breach.
  2. Reassuring data subjects, other organizations, partners and management that the rights of data subjects are being taken seriously, which helps promote a culture of privacy within the organization.
  3. Ensuring that corporations instill best practices within their respective departments and that data subjects are made aware of the organization’s actions on data privacy protection.
  4. Minimizing unnecessary collection of personal information.
  5. Earning stakeholders’ trust and confidence in business transactions and undertakings, knowing that the project underwent extensive scrutiny.

The National Privacy Commission promotes the conduct of a PIA through its Memorandum Circulars 2016-01 on Security of Personal Data in Government Agencies and 2016-03 on Personal Data Breach Management.

PIAs should be conducted for every processing system of the organization that deals with personal information and sensitive personal information. Once an effective and thorough PIA has been conducted, it becomes easier to identify possible privacy breaches in projects, programs or systems set up within the various departments.

The Data Protection Officer (DPO) in every organization should take the lead in pushing for the PIA to be conducted as soon as possible. Depending on its complexity, the organization may opt to hire an external consultant to conduct its PIA and address its concerns. The DPO may be consulted on the results of the PIA and may raise his or her suggestions on how to mitigate or eliminate the risks identified through it.