PRIVACY IMPACT

ASSESSMENT
ATTY. KARL JOHN A. BAQUIRAN
 A PROCESS:

PRIVACY
- to evaluate and manage the impact of a program,
IMPACT process and/or measure on data privacy.
ASSESSMENT
- to identify and minimize the privacy risks of new
projects or policies.
“The determination of the appropriate
level of security under this section must
take into account the nature of the
personal information to be protected,
the risks represented by the processing,
the size of the organization and
complexity of its operations, current
data privacy best practices and the
cost of security implementation.”
• Section 20.c (R.A. 10173)
LEGAL BASIS
A government agency engaged in the
processing of personal data shall ensure
that its conduct of a privacy impact
assessment is proportionate or consistent
with the size and sensitivity of personal
data being processed, and the risk of
harm from the unauthorized processing
of that data.
• Section 5 of Circular 16-01
 The PIA will help to ensure
that potential problems are
BENEFITS identified at an early stage,
when addressing them will
often be simpler and less
costly.
Conducting a PIA should
benefit organizations by
producing better policies and
systems and improving the
relationship between
organizations and individuals.
 A PIA should be conducted for both new and existing systems,
programs, projects, procedures, measures, or technology
products that involve or impact processing personal data

The PIC or PIP is primarily accountable for the conduct of a

PIA.

KEY A PIC may require a PIP or a service or product provider to

CONSIDERATIONS conduct a PIA.

Stakeholder involvement is important in the conduct of a PIA

There is no prescribed standard or format for a PIA.

 Data Inventory

PIA : Description of the Processing Operations

WHAT’S
INCLUDED? An Assessment of the Necessity and
Proportionality of the Processing in relation to
the Purposes of the Processing; and

An Assessment of the Risks to the Rights and

Freedoms of Data Subjects.
 Make an Inventory

Identify Projects

PRELIMINARIES Threshold Analysis

Identify Stakeholders

Detailed Plan
INITIAL SCREENING
QUESTIONS
• If you have answered “Yes”
to any of the questions
please proceed and
complete stage 2. If “No”,
proceed to stage 3 and sign
off.
WHERE PIA IS NEEDED

01 02 03 04
Plan and Conduct the Sign Off Documentation
Mobilize PIA and Review
 Program,
Process, or Privacy Risk Benefit Controls Impact Assessment
Measure

X.1

X.2

X.3

X.4

PRIVACY RISK is the probability that the activity involving data will result in harm, or a loss
of the rights and freedoms of an individual.

CONTROLS may be applied in order to reduce severity, likelihood, and magnitude of the
privacy risk
 Program,
Process, or Privacy Risk Benefit Controls Impact Assessment
Measure

X.1 HIGH LOW UNACCEPTABLE

X.2 MEDIUM LOW HIGH UNREASONABLE

X.3 LOW HIGH LOW ACCEPTABLE

X.4 HIGH HIGH

 Program,
Process, or Privacy Risk Benefit Controls Impact Assessment
Measure

X.1 HIGH MEDIUM UNACCEPTABLE

X.2 HIGH LOW HIGH UNREASONABLE

X.3 LOW HIGH LOW ACCEPTABLE

X.4 MEDIUM
HIGH HIGH MEDIUM ACCEPTABLE
PRIVACY RISK MAP
C
O
N Extreme
Hackin Loss of
g data
S
E ID
Q Major theft
U
E Stressful
Telema
rketers
N
C
E Slight

Nil Low Med High

PROBABILITY
 Transparency Integrity Availability

Legitimate Purpose Confidentiality Retention

Purpose Limitation Data Minimization/ Cross border data

Proportionality transfers
WHO SHOULD PARTICIPATE IN THE PIA?

collect

dispose use

share store
 Step 1:
Define the Process
1. What data is being collected by this process (list all,
including personal as well as non-personal)?
2. Which data (if any) is considered sensitive personal
information (underline these)?

3. Who are we collecting this data from?

4. How are we collecting this data?

5. Why is this data being collected?

6. Will we use this data to make any decisions that have a
legal effect on the data subject?

7. Who will be handling and accessing this data?

8. Will the data be shared with any other organizations?

9. What is the key benefit/s the data subject gets from this
process?
10. What is the key benefit/s for the community or society?
 Step 2:
Ensure that processing is legally allowed and in compliance with the Data Privacy Act of 2012.
1. What is the legal basis for collecting this data
2. Are we over-collecting

3. How will consent be obtained

4. Do individuals have the opportunity and/or right to
decline to provide data
5. What happens if they decline
6. How will the data collected be checked for
accuracy
7. How will data subjects be allowed to correct errors,
if any
8. Will the data be re-used
9. How

10.How long are we required to keep the data

11.How do we plan to dispose of the data
 Step 3:
Define the the probability that the activity involving data will result in harm,
or a loss of the rights and freedoms of the data subject.
1. How easy would it be to identify me (on a scale of 1 1: virtually impossible
to 4) if this data were to be breached or exposed? 2: difficult but possible
3: relatively easy
4: extremely easy
2. What things might happen if someone unauthorized gets this 1: slight inconvenience
data 2: stressful inconvenience
3. How might this happen (describe scenario/s) 3: major difficulties
4. How much damage would this cause me (on a scale of 1 - 4) 4: extreme consequences

5. What things might happen if someone alters or changes my 1: slight inconvenience

data 2: stressful inconvenience
6. How might this happen (describe scenario/s) 3: major difficulties
7. How much damage would this cause me (on a scale of 1 - 4) 4: extreme consequences
8. What things might happen if this data suddenly becomes 1: slight inconvenience
unavailable 2: stressful inconvenience
9. How might this happen (describe scenario/s) 3: major difficulties
10.How much damage would this cause me (on a scale of 1 - 4) 4: extreme consequences
11.What things might happen if this data is used for other 1: slight inconvenience
purposes 2: stressful inconvenience
12.How might this happen (describe scenario/s) 3: major difficulties
13.How much damage would this cause me (on a scale of 1 - 4) 4: extreme consequences
 Step 4:
Review existing controls, if any. Identify new controls using privacy-by-design principles
Cost/Effort
(H/M/L
Is there a way we can increase the benefits
provided? If yes, how?

Is there a way we can collect less data and thus

reduce the exposure level?

How can we reduce the privacy risks related to

someone unauthorized getting this data?

How can we reduce the privacy risks related to

someone altering or changing the data?

How can we reduce the privacy risks related to the

data suddenly becoming inaccessible?

How can we reduce the privacy risks related to re-

using the data for other purposes?
 Step 5:
Summary (for sign-off by the “Chief Executive”)
Process

Legal Purpose

Providing this benefit (H/M/L)

Privacy risk (H/M/L)

Controls

Overall Assessment
 STAGE 3: FINAL REPORT AND SIGN OFF
IDENTIFIED RISKS, AGREED ACTIONS AND SIGN OFF FORM.
Privacy Issue Risk to Individuals Compliance Risk Corporate Risk What are the key privacy issues
and associated compliance and
corporate risks

Result: Is the risk reduced, Describe the actions you could

Risk Solution (s) eliminated or accepted? take to reduce the risk and any
future steps which would be
necessary (e.g. new guidance)

Risk Approved Solution Solution Approved by Describe the actions you could take
to reduce the risk and any future
steps which would be necessary
(e.g. new guidance)
Action to be taken Date for completion Responsibile for Action
What solutions need to
be implemented?

Data Protection Officer (DPO)

Name Sign Off
Job Title
Signature
Date

Process Owner
Name Sign Off
Job Title
Signature
Date
IN CONCLUSION

The conduct of a PIA is The conduct of a PIA shall

one of the ways a PIC or be considered in
PIP is able to demonstrate evaluating if the PIC or
its compliance with the PIP exercised due
DPA, its IRR, and related diligence in the processing
issuances of the NPC. of personal data
ANY
QUESTIONS?