
“The data subject guidance on how to determine, describe, document and demonstrate accountability, responsibility, risks, policy, control, and operation of a managed data privacy and information security in an enterprise or agency of personal data processing.”
Notification
Personal Data Privacy:
The name and email addresses collected, retained, and used in the seminar are to recognize the participants and to send learning materials and training information. The participant during the online live seminar may opt to close his or her camera and simply use the microphone or chat for questions and comments. The online live seminar is not streamed on Facebook or YouTube.

Copyright Notice:
The cited and annotated content of cited standards are duly owned by their research organization or publishers.

The provided information about the rules and standards is for educational purposes.
The PowerPoint presentation of the guide is free to use.
Being Competent in Data Privacy Protection
“A competent person has definitive understanding, skills and character needed to perform at a given level of performance standard, the decision and work associated to the mandated function and outcome.”
Being Competent in Data Privacy Protection
It is indicated by the person’s ability to transfer and apply knowledge, skills and attitude to new situations, and to the requirement of collaborative results.

Competency Model on Data Privacy Protection
A competency model is about a shareable body of knowledge believed to define and differentiate the essential indicators of the required understanding, action and attitude behind the successful delivery of the performance objectives.

Data Privacy Protection Competency Guide
Data Subject view of Outcome-Process-Procedure-Enabler Rules and Standards
R.A. 10173 – Data Privacy Act 2012: Accountability and Responsibility
Privacy and Security Risks: Privacy Impact Assessment Process
Privacy and Security Controls
Privacy and Security Policy Making
Privacy and Security Management
Security Incident Management: Breach and Complaint Handling
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
The Data Privacy Act of 2012 protects the privacy rights and information security of the person or individual identified as:
Data Subject - whose personal, sensitive personal, or privileged information is processed by an information and communication system in the government and in the private sector.
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
The legal liability of data privacy protection
belongs to:
1. Personal Information Controller
(Business Owner or Head of Agency)
2. Personal Information Processor
(Data Processing System Service Provider)
3. Data Protection Officer
(Privacy Oversight Organization)
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
The data protection obligation of the head of agency is listed in the National Privacy Commission Circular 06-01, Security of Personal Data in Government Agencies:
1. Privacy governance
2. Information system registration
3. Privacy impact assessment
4. Privacy and security policy
5. Personnel training on privacy policy
6. Storage of personal data
7. Access to personal data
8. Transfer of personal data
9. Disposal of personal data
10. Data breach management
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
Consequences of failed data privacy protection, based on Circular 06-01, Security of Personal Data in Government Agencies, Section 34:
Violations of these rules, shall, upon notice and hearing, be subject to compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines, in accordance with a schedule to be published by the Commission.
Failure to comply with the provisions of this Circular may be a ground for administrative and disciplinary sanctions against any erring public officer or employee in accordance with existing laws or regulations. The commencement of any action under this Circular is independent and without prejudice to the filing of any action with the regular courts or other quasi-judicial bodies.
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
What triggers a compliance check of the agency? (National Privacy Commission Circular No. 18-02, Guidelines on Compliance, Section 5)
1. Level of risk to the rights and freedoms of data subjects posed by personal data processing by a PIC or PIP
2. Reports received by the Commission against the PIC or PIP, or its sector
3. Non-registration of a PIC or PIP that is subject to the mandatory registration requirement as provided under NPC Circular 17-01
4. Unsecured or publicly available personal data found on the internet that may be traced to a PIC or PIP
5. Other considerations that indicate non-compliance with the DPA or the issuances of the Commission.
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
How is the compliance check of the agency conducted? (National Privacy Commission Circular No. 18-02, Guidelines on Compliance, Section 5)
1. Privacy Sweep. The Commission shall review a PIC’s or PIP’s compliance with respect to its obligation under the DPA, and its related issuances based on publicly available or accessible information, such as, but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices. This is the initial mode of Compliance Check.
2. Documents Submission. The Commission may require the submission of documents and additional information from a PIC or PIP that has undergone a privacy sweep to, among others, clarify certain findings arising therefrom, and to determine the level of compliance of the PIC or PIP with respect to its obligations under the DPA and its related issuances.
3. On-Site Visit. The Commission may subject a PIC or PIP to an on-site visit if there are persistent or substantial findings of non-compliance with the obligations indicated in the DPA and its related issuances.
R.A. 10173 – Data Privacy Act 2012
Accountability and Responsibility
Who may file a complaint against the agency? (National Privacy Commission Circular No. 16-04, Rules of Procedures, Rule II Section 1)
1. The National Privacy Commission, sua sponte
2. The persons who are the subject of a privacy violation or personal data breach
3. The persons who are otherwise personally affected by a violation of the Data Privacy Act
4. The person who is the subject of the privacy violation or personal data breach, or his or her duly authorized representative may file the complaint, Provided, that the circumstances of the authority must be established.
5. Any person who is not personally affected by the privacy violation or personal data breach may: (a) request for an advisory opinion on matters affecting protection of personal data; or (b) inform the National Privacy Commission of the data protection concern, which may in its discretion, conduct monitoring activities on the organization or take such further action as may be necessary
Privacy and Security Risks
Privacy Impact Assessment Process
Basic Risk Management Methodology
Risk Criteria and Control Requirement
Identify, Analyze, Evaluate and Remedy
Privacy Impact Assessment Report
Privacy Rule Context of Privacy Impact Assessment
NPC Circular 16-01 Security of Personal Data in Government Agencies
NPC Advisory 2017-01 Designation of Data Protection Officers
NPC Advisory 2017-03 Guidelines on Privacy Impact Assessment
NPC Circular 17-01 Registration of Data Processing and Notification Regarding Automated Decision Making
Basic Belief of Data Privacy Protection
The person has human rights, and among those rights is to be “let alone.” An individual is made free to act against any intrusion that undermines the privacy of personal data.
The information controller and processor are obligated to protect the confidentiality and privacy of personal data in their collection, retention, use, sharing, and disposal.
The information system owner and developer are obligated to plan, design, build, test, and release a personal data processing product and services that conform to privacy and security rules and standards.
The personal data has to be secured against information security threats that violate the confidentiality, integrity, and availability of personal information.
R.A. 10173 Implementing Rules and Regulations
National Privacy Commission Advisory, Circular, and Case Resolution
What data is protected by R.A. 10173?
PERSONAL DATA that represent a set of information that identifies an individual or person who is called a
1. Personal Information
2. Sensitive Personal Information
3. Privileged Information
The identifiable person has a human right called .
Personal Data Category
1. Name: Given name, middle name, surname, alias
2. Identification number: License number, tax number
3. Location data: Address, GPS location
4. Online identifier: e-mail, IP address
5. Digital identifier: Biometric, CCTV data
6. Genetic Data: DNA test result
7. Health Data: Diagnostic report
8. Research Data: Research question, enumerator interview logs
9. Physical factor: Height, weight, sex
10. Physiological factor: Body chemistry
11. Mental factor: Intellectual aptitude test results
12. Economic factor: Salary, debts, property
13. Cultural factor: Nationality, tribe
14. Social identity factors: Club membership, titles, legal record
Sensitive Personal Information (RA 10173 sec 3i)
1. Health, education, genetic or sexual life of a person
2. Proceeding for any offense committed or alleged to have been committed by
such individual, the disposal of such proceedings, or the sentence of any court
in such proceedings
3. Individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations
4. Identification document issued by government agencies peculiar to an
individual which includes, but is not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or
revocation, and tax returns
What is data privacy in R.A. 10173?
1. DATA PRIVACY is freedom from intrusion into the private life or affairs of an individual or person, when that intrusion results from undue or illegal gathering and use of data about that individual. (ISO 2382 – IT Vocabulary)
What is data privacy in R.A. 10173?
2. PRIVACY VIOLATION (RA 10173 chap VIII) is an illegal or unwanted act that endangers the privacy rights of a person. A data privacy violation is a penalized act to be complained of through the NPC Complaint-Assisted Form.
Section 25 Unauthorized processing
Section 26 Negligence in access
Section 27 Improper disposal
Section 28 Unauthorized purpose
Section 29 Unauthorized access or intentional breach
Section 30 Concealment of breach
Section 31 Malicious disclosure
Section 32 Unauthorized disclosure
Section 33 Combination of acts
Data Privacy Rights Violation
1. Unauthorized processing (3-6 years imprisonment, 500K-4M penalty): It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria.
2. Negligence in access (1-6 years imprisonment, 500K-4M penalty): It is when personal information is made accessible due to negligence and without being authorized by any existing law.
Data Privacy Rights Violation
3. Improper disposal (6 mos-3 years imprisonment, 100K-1M penalty): It is when personal information is knowingly or negligently disposed, discarded, or abandoned in an area accessible to the public, or when the personal information of an individual has otherwise been placed in any container for trash collection.
4. Unauthorized purpose (1-7 years imprisonment, 500K-2M penalty): It is when personal information is processed for purposes not authorized by the data subject, or otherwise authorized by any existing laws.
Data Privacy Rights Violation
5. Unauthorized access or intentional breach (1-3 years imprisonment, 500K-2M penalty): It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored.
6. Concealed breach (1-5 years imprisonment, 500K-1M penalty): It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security breach.
Data Privacy Rights Violation
7. Malicious disclosure (1-5 years imprisonment, 500K-1M penalty): It is when an individual or entity with malice or in bad faith discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her.
8. Unauthorized disclosure (1-5 years imprisonment, 500K-2M penalty): It is when an individual or entity discloses to a third party personal information not covered by legitimate purpose, lawful criteria, and without the consent of the data subject.
What is data privacy in R.A. 10173?
3. PRIVACY PROTECTION represents the definitive act of respecting the person's rights of privacy and the security of personal data that are being collected, processed, retained, shared, and disposed of by the personal information controller and processor of business or government.
What is data privacy in R.A. 10173?
4. PERSONAL DATA PROCESSING
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
1. Collection (Data Gathering)
2. Retention (Data Storage)
3. Use (Data Processing)
4. Sharing (Data Disclosure)
5. Disposal (Data Destruction)
Processing systems: Filing system; Information and Communication System; Automation Program
What is data privacy in R.A. 10173?
(RA 10173 chapter IV)
The rights to be exercised by an individual in the processing of personal data:
“Right to be informed”
“Right to access”
“Right to object”
“Right to rectify”
“Right to erase”
“Right to data portability”
“Right to block”
“Right to complain”
“Right to damages”
What is data privacy in R.A. 10173?
(RA 10173 chapter III)
The foundation of a data processing system that is privacy by design and by default:
Transparency
Legitimate Purpose
Proportionality
Accuracy
Fairness
Lawfulness
Consent and choice
Participation
Accountability
Anonymity
Minimization
What is the data privacy concern of R.A. 10173?
The preservation of the confidentiality, integrity, and availability of information.
CONFIDENTIALITY: Authority is enforced to keep the secrecy and privacy of personal data.
INTEGRITY: Trust is assured in the accuracy, completeness, immediacy, usefulness, and reliability of personal data.
AVAILABILITY: Accessibility is guaranteed in the connectivity, uptime, reachability, location, protection, and speed of personal information exchange.
Data Privacy Stakeholders
Whose Interest and Benefit is Data Privacy Act of 2012 R.A. 10173: Participation, Accountability and Responsibility
1. Data Subject: Represents the exercise of data privacy rights and is the main party to associate personal data to be protected with privacy and security
2. National Privacy Commission: Creates regulation; monitors compliance; educates the public; enforces rules; and resolves cases on data privacy
3. Personal Information Controller: Directs and rules the processing of personal information with set limitations on data privacy
4. Personal Information Processor: Performs the instruction to process personal information based on a privacy processing agreement with a Personal Information Controller
Data Privacy Protection Stakeholders
Whose Interest and Benefit is Data Privacy Act of 2012 R.A. 10173: Participation, Accountability and Responsibility
5. Data Protection Officer: Performs the oversight function for the Personal Information Controller to achieve the mandated accountability and responsibility on data privacy
6. Compliance Officer for Privacy: Assists in the oversight function to direct compliance, to monitor breach events, and to resolve and report privacy security incidents
7. IT and Infrastructure Service Providers: Provision of the technical measures to secure personal information protection in the location, hardware, software, and services of personal data processing
8. 3rd Party of Data Sharing: Responsible for the transferred or shared data to be used in compliance with data privacy regulation
Risk Management Concepts
1. Threat - Any potential danger to the information life cycle.
2. Vulnerability - Any weakness or flaw that may provide an opportunity to a threat agent.
3. Threat Agent - An entity that may act on a vulnerability.
4. Risk - The probability (likelihood) that a threat agent exploits a discovered vulnerability, and the severity (impact) of harm the threat may create.
5. Exposure - An instance of being compromised by a threat agent.
6. Treatment - An administrative, legal, physical, operational, and technical remedy, mitigation, countermeasure or safeguard against the potential risk(s).
What is management of data privacy
and security risks?

Risk Assessment Concept (ISO 31000)
1. Risk identification - Applying risk identification tools and techniques, the organization should identify risk sources, areas of impact, events and causes, and their potential consequences.
2. Risk analysis - It involves developing an understanding of the risk: consideration of the causes and risk sources, their positive and negative consequences, and the likelihood that those consequences can occur. It provides an input to risk evaluation, to the decision whether risks need to be treated, and to the choice of the most appropriate risk treatment strategies and methods.
Risk Assessment Concept
3. Risk evaluation - It assists in decision making about which risks need treatment and the priority for treatment implementation.
4. Risk treatment - It determines, describes, documents and demonstrates the risk treatment options. The selected action to remedy the evaluated impact of the risks must be based on the outcome of the risk assessment and on the expected cost of implementing and benefiting from the available options.
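The four ISO 31000 steps above, together with the Risk Management Concepts slide (threat, vulnerability, likelihood, impact, treatment), worked through as a small privacy risk register. This is an added example written for this guide, not material from the guide itself or from the National Privacy Commission; the scoring scales, acceptance thresholds, treatment costs and residual-risk fractions are constructed assumptions, while the threat names, control names and processing stages are taken from the guide's own lists.

```python
from dataclasses import dataclass

# Qualitative scales for likelihood and impact (constructed 1..5 scales).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Risk criteria (assumed): score = likelihood x impact, range 1..25.
ACCEPT_BELOW = 6    # scores below this are accepted without treatment
URGENT_FROM = 15    # scores at or above this must be treated before go-live

# Treatment options named after the guide's Security Controls list.
# Values are (cost units, fraction of the risk score remaining after the
# control is applied); both numbers are constructed assumptions.
TREATMENTS = {
    "Encryption and Pseudonymization": (3, 0.25),
    "Identity, Access, Privilege Management": (2, 0.40),
    "Backup and Data Recovery": (2, 0.35),
    "Data Loss Prevention": (4, 0.35),
    "Insider Threat Control": (3, 0.50),
}


@dataclass
class Risk:
    """One row of the PIA risk register (step 1, risk identification)."""
    threat: str        # from the guide's SANS threat list
    stage: str         # Collection, Retention, Use, Sharing or Disposal
    data_class: str    # "PI" or "SPI" (RA 10173 sec 3)
    likelihood: str    # key of LEVELS
    impact: str        # key of LEVELS
    options: tuple     # candidate treatments, keys of TREATMENTS


def analyze(risk):
    """Step 2, risk analysis: likelihood x impact, with impact raised one
    level when sensitive personal information is involved (assumption)."""
    lik = LEVELS[risk.likelihood]
    imp = LEVELS[risk.impact]
    if risk.data_class == "SPI":
        imp = min(5, imp + 1)
    return lik * imp


def evaluate(score):
    """Step 3, risk evaluation against the acceptance criteria."""
    if score < ACCEPT_BELOW:
        return "accept"
    if score >= URGENT_FROM:
        return "treat before go-live"
    return "treat"


def treat(risk, score, budget):
    """Step 4, risk treatment: choose the affordable option with the best
    risk reduction per cost unit.  Returns (control, residual score) or
    (None, score) when nothing within budget applies."""
    best, best_ratio, residual = None, 0.0, score
    for name in risk.options:
        cost, remaining = TREATMENTS[name]
        if cost > budget:
            continue                      # expected cost exceeds budget
        ratio = score * (1 - remaining) / cost
        if ratio > best_ratio:
            best, best_ratio, residual = name, ratio, round(score * remaining)
    return best, residual


def run_register(risks, budget):
    """Run all four steps and return rows sorted by inherent score, highest
    first, so the order doubles as the treatment priority."""
    rows = []
    for risk in risks:
        score = analyze(risk)
        decision = evaluate(score)
        control, residual = None, score
        if decision != "accept":
            control, residual = treat(risk, score, budget)
        rows.append({"threat": risk.threat, "stage": risk.stage,
                     "score": score, "decision": decision,
                     "treatment": control, "residual": residual})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register for a payroll filing system (not real data).
SAMPLE_RISKS = [
    Risk("Ransomware", "Retention", "SPI", "medium", "high",
         ("Backup and Data Recovery", "Encryption and Pseudonymization",
          "Data Loss Prevention")),
    Risk("Insider threat", "Use", "PI", "low", "medium",
         ("Identity, Access, Privilege Management", "Insider Threat Control")),
    Risk("Denial of service", "Sharing", "PI", "low", "low",
         ("Backup and Data Recovery",)),
]

if __name__ == "__main__":
    for row in run_register(SAMPLE_RISKS, budget=3):
        print(row)
```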
BUSINESS PROCESS, SYSTEM & TECHNOLOGY DATA PRIVACY
[Diagram: the data subject's personal data (PI, SPI, PVI; 1,000 records, 250 personnel) flowing through the Personal Information Controller/Processor operation and Security Operation Center: Collect, Retain, Use, Share, Transmit, Dispose.]
PRIVACY RIGHTS (Republic Act 10173 – DPA 2012): 1. Inform 2. Consent 3. Access 4. Block 5. Change 6. Complain 7. Damage 8. Portability 9. Correct 10. Erase
PRIVACY COMPLIANCE: 1. Compliance Organization 2. Privacy Rights Process 3. Data Processing Privacy Principles 4. Lawful Criteria PI Processing 5. Condition SPI Processing 6. Accountability in Data Share 7. Data Protection Security Measures 8. Breach and Complaint Management 9. Supplier Relationship Security 10. System Development Privacy and Security
BUSINESS PROCESS, SYSTEM & TECHNOLOGY: Customer Relationship System, Performance Control System, Enterprise Resource System
TECHNOLOGY INFRASTRUCTURE: Sensors, Network, Database, On-Premise, DataCenter, On-cloud, Apps Platform
BUSINESS PROCESS, SYSTEM & TECHNOLOGY DATA PRIVACY
[Diagram: the same personal data flow (Collect, Retain, Use, Share, Transmit, Dispose; PI, SPI, PVI records with Access and Use points) under the Personal Information Controller/Processor and Security Operation Center, with Organizational, Physical and Technical Security Measures over the technology infrastructure (Sensors, Network, Database, On-Premise, DataCenter, On-cloud, Apps Platform).]
PRIVACY VIOLATION (Republic Act 10173, Data Privacy Law): 1. Unauthorized processing 2. Negligence in access 3. Improper disposal 4. Unauthorized purpose 5. Unauthorized access 6. Intentional breach 7. Concealed breach 8. Malicious disclosure 9. Unauthorized disclosure 10. Combined acts
SECURITY VIOLATION: 1. Illegal Access 2. Illegal Interception 3. Data Interference 4. System Interference 5. Misuse of Devices 6. Cyber Squatting 7. Computer Forgery 8. Computer Fraud 9. Identity Theft 10. Libel
Without valid and verifiable (1) configuration inventory, (2) published policies, (3) risk assessment, and (4) technical measures to demonstrate data privacy protection and information security,
... the privacy breaches and security threats are not going to be identified, analyzed, evaluated, and remedied.
A penalized violation is sure to happen.
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10. Combined violations
Impact: imprisonment and fines – Data Privacy Act of 2012
What kind of exploitations are involved in a data breach (SANS Survey)
Malware infections
Unauthorized access
Data breach (stealing sensitive data)
Advanced persistent threat or multistage attack
Insider breach
Unauthorized privilege escalation for lateral movement
Destructive attack (aimed at damaging systems)
Attack impacting data integrity
DDoS attack as the main attack
DDoS attack as a diversion
1. Illegal Access
2. Illegal Interception
3. Data Interference
4. System Interference
5. Misuse of Devices
6. Forgery
7. Fraud
8. Identity Theft
9. Cyber Squatting
10. Libel
Impact: imprisonment and fines – Cyber Crime Prevention Law of 2012
Systems to watch to be involved in breaches (SANS Survey)
o Business applications (e.g., Web apps, line-of-business systems) and services (e.g., email, file sharing) in
the cloud
o Corporate-owned laptops, smartphones, tablets and other mobile devices
o Internal network (on-premises) devices and systems
o Business-related databases hosted locally
o Corporate data center servers hosted locally (on-premises)
o Employee-owned computers, laptops, tablets and smartphones (BYOD)
o Business-related databases in the cloud
o Unapproved systems (shadow IT), applications or services hosted locally
o Corporate data center servers hosted in the public cloud (e.g., Azure or Amazon EC2)
o Unapproved systems (shadow IT), applications or services hosted in the cloud
o Employee social media accounts
o Embedded, or non-PC devices, such as media and entertainment boxes, printers, smart cards, connected
control systems, etc
o Business-related social media accounts or platforms
Privacy Threat Incidents and Controls
Privacy Law R.A. 10173:
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10. Combination of unwanted act
Privacy Breach Threats to Personal Data (SANS Threat Survey):
1. Ransomware
2. Elevation of privilege into sensitive systems
3. Breaches in cloud-based, multitenant architectures
4. Denial of service
5. Data tampering
6. Identity theft
7. Insider threat
8. Questionable transactions
9. Corporate or foreign government espionage
10. Information disclosure
11. Compromise of DNS infrastructure enabling stealing and exfiltration of data
12. Anti-malware/Antivirus
13. Spoofing of identity or access credential
14. Drive-by Download
Security Controls (R.A. 10173 and GDPR):
1. Security Policy
2. Network Protection
3. Confidentiality, Integrity, Availability, and Resilience Assurance of Processing System
4. Intrusion Detection and Prevention
5. Network Security Monitoring
6. Vulnerability Assessment and Penetration Testing
7. Backup and Data Recovery
8. Identity, Access, Privilege Management
9. Security Incident Management System
10. Data Loss Prevention
11. Encryption and Pseudonymization, Host-based encryption
12. Insider Threat Control
13. Third-Party Risk Management
14. Firewall/UTM
15. End-Point Protection
16. Email security
Security Threat Incidents and Controls
Violation/Threat, Cyber Crime Prevention Law - R.A. 10175:
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of device
6. Fraud
7. Forgery
8. Identity Theft
9. Cyber-squatting
10. Libel
Vulnerability/Exploitation (ETSI ISG ISI):
1. Website Forgery
2. Spam
3. Phishing
4. Intrusion
5. Website Defacement
6. Misappropriation of Resources
7. Denial of Service
8. Malware
9. Physical Intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace Malfunction
13. Internal Deviant Behavior
14. Rights or Privileges Usurpation or Abuse
15. Unauthorized access to servers through remote access points
16. Illicit Access to Internet
17. Deactivating of Logs Recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not managed assets
Control Measures (CIS Security Controls):
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
What is privacy impact? (ISO 29134)
1. It is anything that has an effect on the data privacy or personal information security of a data subject.
2. It is a result that comes from a data processing system found to conform to or violate the rules and standards of safeguarding data privacy and information security.
What is privacy impact assessment?
1. An instrument to assess the potential impacts on data privacy and security of the filing system, automation, technology platform, program, software module, device or other project that is defined to perform the collection, processing, retention, sharing and disposal of a data subject’s personal data.
2. It is a process at the initiation of a data processing system project to ensure privacy by design. It continues until, and even after, the project has been deployed.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is privacy impact assessment?
3. A consultation with stakeholders, for taking
actions as necessary in order to treat data privacy
and protection risk.
4. A report that documents the measures to be
taken for the treatment of risk, based on
established control criteria.
What reasons call for a privacy impact assessment?
1. The developed, acquired and operated data processing system
collects personal data.
2. A change in applicable privacy-related laws and regulations, internal
policy and standards, information system operation, purposes and
means for processing data, or new or changed data flows.
3. A new or prospective technology, service or other initiative where
personal information is, or is to be, processed.
4. A decision that sensitive personal information is going to be
processed.
5. A data privacy violation complaint is made against a system
operation.
Who conducts privacy impact assessment?
1. The personal information controller (PIC) has the
responsibility to conduct the privacy impact assessment
and may request a personal information processor
to act on the PIC’s behalf.
2. The personal information processor (PIP), a data
processing supplier, has the responsibility to
conduct a privacy impact assessment in all of its
projects and programs associated with the processing
of personal data, as required by law and as agreed
with the personal information controller.
Critical Steps in Doing Privacy Impact Assessment
1. JUSTIFY the conduct of the privacy impact assessment with a
privacy threshold analysis.
2. SCOPE the privacy impact assessment by identifying and
describing the system context and configuration with impact
on privacy.
3. ADOPT privacy and security risk criteria and the
corresponding measurement that determine the
indicators and rating of threats, vulnerabilities and controls
in the impact assessment.
Critical Steps in Doing Privacy Impact Assessment
4. IDENTIFY the stakeholders to participate in creating the
privacy impact assessment report.
5. PLAN the assessment activities.
6. EXECUTE the privacy and security risk identification,
analysis, and evaluation.
7. FILL IN the Privacy Impact Assessment Report template
of the National Privacy Commission.
Threshold Analysis
Privacy threshold analysis determines the necessity for doing a
privacy impact assessment.

1. Privacy Sensitive System
2. Privacy Compliance Requirement
3. New System Acquisition or Revision
4. Security Incident Report
Measuring Impact
Rating  Type         Description
1       Negligible   The data subjects will either not be affected or may encounter a few inconveniences, which they will overcome without any problem.
2       Limited      The data subjects may encounter significant inconveniences, which they will be able to overcome despite a few difficulties.
3       Significant  The data subjects may encounter significant inconveniences, which they should be able to overcome but with serious difficulties.
4       Maximum      The data subjects may encounter significant, or even irreversible, consequences, which they may not overcome.
Measuring Probability
Rating  Type            Description
1       Unlikely        Not expected, but there is a slight possibility it may occur at some time.
2       Possible        Casual occurrence. It might happen at some time.
3       Likely          Frequent occurrence. There is a strong possibility that it might occur.
4       Almost Certain  Very likely. It is expected to occur in most circumstances.
Privacy Risks Map (figure; source: ISO 29134)
Business Process Context
Function Name:    Business Process Name:
Accountable:      Responsible:

Legitimate Purpose: What is the legal mandate for the value to be created in processing personal data? What is the legitimate interest to achieve?
Trigger Event: What is the condition that causes the start of the process?
Compliance: What is the regulatory or policy reference to validate and verify the acceptability of input, process, output and the responsible party?

SOURCE: Who provides the data? Who is the data shared with for data provision? Whose compliance requirement is it to collect?
INPUT: What data to collect and retain?
PROCEDURE: How the data is to be processed to achieve the purpose; the required right steps to fulfil the agreed compliance.
OUTPUT: What information to present, share, disclose, store, and dispose of?
CUSTOMER: Who is the user of the information? Who benefits from the released information?
Personal Data Processing Flow Visualization (figure; source: ISO 29134)
Business Process Event or System Application Features | Privacy/Security Control | Statutory Conformity Agreement (to be filled in per row)
1. Personal Data Collection | Data subject informed; data subject consent; legitimate purpose, data minimization and security policy observed
2. Personal Data Retention | Storage is secured; storage time is legitimate
3. Personal Data Use | Data is used as defined by agreement and rules
4. Data Disclosure/Sharing | Data is disclosed as defined by agreement and rules
5. Data Disposal | Data is destroyed as per the Data Archiving Policy; data is archived as per policy
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System:   Controller:   Processor: [ ] Outsource [ ] In source
Personal Database Name:   Location of Data Processing and Storage:   Legal Basis of Data Processing:   Data Share:

Rows: SECURITY INCIDENT CONSIDERED AS THREAT TO PRIVACY AND A PENALIZED VIOLATION (R.A. 10173 IRR Rule XIII)
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access or intentional breach
6. Concealment of breach
7. Malicious disclosure
8. Unauthorized disclosure

Columns: VULNERABILITIES, each with its reference
- Privacy Rights Not Respected: R.A. 10173 Chapter IV; R.A. 10173 IRR Rule VIII; ISO 29100
- Privacy Principles Undermined: R.A. 10173 Chapter III; R.A. 10173 IRR Rule IV
- Lawful Criteria to Process Personal Information Not Applied: R.A. 10173 Chapter III; R.A. 10173 IRR Rule V
- Conditions to Process Sensitive Personal Information Not Applied: R.A. 10173 Chapter III; R.A. 10173 IRR Rule IV
- Data Sharing Condition Not Applied: R.A. 10173 Chapter III-VI; R.A. 10173 IRR Rule X-XII; NPC Circular 16-02
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System:   Controller:   Processor: [ ] Outsource [ ] In source
Personal Database Name:   Location of Data Processing and Storage:   Legal Basis of Data Processing:   Data Share:

Rows: SECURITY INCIDENT CONSIDERED AS THREAT TO PRIVACY AND A PENALIZED VIOLATION
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access or intentional breach
6. Concealment of breach
7. Malicious disclosure
8. Unauthorized disclosure

Columns: VULNERABILITIES
- Organizational Security Measures Not Instituted (R.A. 10173 Rule VI):
  1. Compliance Officers
  2. Data Protection Policies
  3. Records of Processing Activities
  4. Processing of Personal Data Responsibility
  5. Personal Information Processor Contracts
- Physical Security Measures Not Implemented (R.A. 10173 Rule VI):
  1. Policies and Procedures on Limited Physical Access
  2. Security Design of Office Space and Room
  3. Person Duties, Responsibility and Schedule
  4. Policies on transfer, removal, disposal, and re-use of electronic media
  5. Prevention policies against mechanical destruction of files and equipment
- Technical Security Measures Not Installed (R.A. 10173 Rule VI):
  1. Security policy in processing personal data
  2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
  3. Confidentiality, integrity, availability, and resilience of the processing systems and services
  4. Vulnerability assessment and regular monitoring for security breaches
  5. Ability to restore the availability and access to personal data
  6. Regularly testing, assessing, and evaluating the effectiveness of security measures
  7. Encryption of personal data during storage and while in transit; authentication process
- CIS Security Control Not Applied:
  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs
  7-20. (the remaining CIS Controls)
- OWASP Security Control Not Applied:
  C1: Define Security Requirements
  C2: Leverage Security Frameworks and Libraries
  C3: Secure Database Access
  C4: Encode and Escape Data
  C5: Validate All Inputs
  C6: Implement Digital Identity
  C7: Enforce Access Controls
  C8: Protect Data Everywhere
  C9: Implement Security Logging and Monitoring
  C10: Handle All Errors and Exceptions
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System:   Controller:   Processor: [ ] Outsource [ ] In source
Personal Database Name:   Location of Data Processing and Storage:   Legal Basis of Data Processing:   Data Share:

Worksheet columns, with the example entries shown for each:
VIOLATION: 1. Unauthorized processing; 2. Negligence in access; 3. Improper disposal; 4. Unauthorized purpose; 5. Unauthorized access or intentional breach; 6. Concealment of breach; 7. Malicious disclosure; 8. Unauthorized disclosure
SOURCE OF THREAT: Organizational; Physical; Technical; Organizational; Technical
SECURITY VULNERABILITIES EXPLOITED: No policy; Poor office design; Lack of procedures; Weak monitoring; Not segmented network
IMPACT: Negligible; Limited; Significant; Maximum
PROBABILITY: Unlikely; Possible; Likely; Almost certain
REMEDY TREATMENT: Vulnerability test; Policy review; Acquire tools; Organize team; Training people
PRIVACY AND SECURITY RISKS MAP
Rows: IMPACT (4 Maximum at top, 1 Negligible at bottom). Columns: PROBABILITY (1 Unlikely, 2 Possible, 3 Likely, 4 Almost Certain). Cells are listed left to right, i.e. in order of increasing probability.
4 MAXIMUM: Unauthorized processing; Unauthorized purpose; Malicious disclosure
3 SIGNIFICANT: Unauthorized disclosure; Negligence in access; Combination of acts; Intentional breach
2 LIMITED: Unauthorized access; Improper disposal
1 NEGLIGIBLE: Concealment of breach
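An added example, not part of the original slides, of how the two 4-point scales above can be applied: each assessed violation is scored as impact x probability, placed in its cell of the 4x4 risks map, and ranked for remedy treatment. The sample ratings are constructed for illustration, not taken from the page.

```python
"""Risk scoring with the page's 1-4 impact and probability scales (constructed example)."""
from collections import defaultdict

IMPACT = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}
PROBABILITY = {1: "Unlikely", 2: "Possible", 3: "Likely", 4: "Almost Certain"}


def score(impact, probability):
    """Risk score = impact x probability; out-of-range ratings are rejected rather than guessed."""
    if impact not in IMPACT or probability not in PROBABILITY:
        raise ValueError(f"ratings must be 1-4, got impact={impact} probability={probability}")
    return impact * probability


def build_risk_map(assessments):
    """Place each (violation, impact, probability) triple in its cell of the 4x4 map."""
    cells = defaultdict(list)
    for violation, impact, probability in assessments:
        score(impact, probability)  # validates the ratings
        cells[(impact, probability)].append(violation)
    return cells


def prioritize(assessments):
    """Rank for treatment: highest score first; ties go to the higher impact (harder to reverse)."""
    return sorted(assessments, key=lambda a: (score(a[1], a[2]), a[1]), reverse=True)


def render(cells):
    """Text rendering of the map: impact rows top-down, probability columns left-to-right."""
    lines = []
    for impact in (4, 3, 2, 1):
        row = [f"{impact} {IMPACT[impact]:<11}"]
        row += [", ".join(cells.get((impact, p), [])) or "-" for p in (1, 2, 3, 4)]
        lines.append(" | ".join(row))
    lines.append(" " * 13 + " | ".join(f"{p} {PROBABILITY[p]}" for p in (1, 2, 3, 4)))
    return "\n".join(lines)


# Constructed sample assessments using the page's violation names; ratings are illustrative.
SAMPLE = [
    ("Unauthorized processing", 4, 1),
    ("Malicious disclosure", 4, 3),
    ("Negligence in access", 3, 2),
    ("Improper disposal", 2, 2),
    ("Concealment of breach", 1, 1),
]

if __name__ == "__main__":
    print(render(build_risk_map(SAMPLE)))
    for violation, impact, probability in prioritize(SAMPLE):
        print(score(impact, probability), violation)
```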