Scope:

1. First Time Adult (18+) Passport Applicants

2. Appointment site is the DFA Passport On-Wheels movable facility
3. Releasing of passport is only limited to pick-up of Applicants
4. APO is the only PIP considered in this case
Data Processing Life Cycle
Process Name: DFA Passport on Wheels for (For new Adult Applicants
Only)
Stakeholders/ Parties
involved
Data Involved PI/SPI?
list down parties that will be involved in the
process, both internal and external to your
organization

INTERNAL Last Name, First Name, Middle Name PI

DFA Personnel Gender PI

Adult Applicants Date of Birth (MM-DD-YYYY) PI
Place of Birth (Country, Province, PI
City/Municipality)
Civil Status (Single, Married, Widow/er, SPI
Nullified/Annulled, Divorced)
EXTERNAL Birth Legitimacy SPI
APO Production Unit (APO) Citizenship PI
Home address PI
Present address PI
Telephone/Mobile number PI
Email address PI
Parents' name PI
Spouse’s name PI
Occupation PI

Photo of the Applicant PI

Biometric Data of the Applicant PI

Specimen Signature of the Applicant PI

Government-Issued IDs, PSA Birth Certificate, PSA Marriage SPI

Certificate for Married Applicants Other Valid Documents
for verification (Containing Personal Information)
 Collection & Creation Use / Processing
What data will be used for what
Users
Describe how data will be created and what process
data will be collected from whom and how How long will the data be
retained

DFA Online Passport Appointment

System Website
1. Applicant access the DFA website Internal
2. Applicant consents to processing of
personal information (Privacy Notice posted on
the DFA Website)
3. Applicant fills out the personal data
required by the online application form Identification -
4. Applicant submits/uploads application Processing/Issuance of New
form Passport
PICs
Personal data are retained as long
as necessary for the fulfillment of
the purposes for which they were
collected. (10 -year renewal
policy)
PIPs

DFA On-site processing:

1. During the on-site application/interview,
applicant is asked to verify the personal data
encoded on the DFA processing system.

2. Applicant’s photo, biometric data, and

specimen signature are taken/recorded.
 Description of Processing

Purpose(s) Benefit to the Data subject Legal Basis

1. For the efficient and effective

delivery of services related to
issuance of passports:

a. Identification of a passport
applicant pursuant to a
scheduled appointment;

b. Processing of application fees

and other applicable fee(s),
payment checking, and
verification;
c. Compliance with safety and
security requirements, reporting places requiring such documents.
requirements, and other
requirements provided by law;
d. To contact an applicant
regarding his/her passport
application, in case of an
emergency, or when otherwise
necessary;
The provided personal data will
be processed to be turned into a
legally-recognized document
called a Passport which the Data
subject can use for travelling to
Also, the document can also be
used as a valid ID if the data
subject wishes to for ex: Open a
bank account, purchase valuable
items, process other government
documents.
RA 8239, as amended by RA
10928 - Philippine Passport Act
Data Privacy Act of 2012 and its
Implementing Rules and
Regulations, NPC Circular No. 18-
03 or the Rules on Mediation
before the National Privacy
Commission, and/or other
applicable Government rules,
regulations, or laws.

2. To meet legal and regulatory

requirements of the
Government and/or any
appropriate Government
Agency and administer general
record keeping
g Storage and Transmission
Where will data be stored and how data will be
Location(s) transmitted;

Storage
DFA Online Passport Appointment Personal data processed online are stored in the
System- filled out application form DFA Data Center in the Philippines. If applicant
access or use the DFA Online Passport Appointment
System Website outside of the Philippines, personal
data is collected where he/she is at. These are then
transferred to our Data Center in the Philippines,
protected by layers of organizational,
technological, and physical measures. Paper copies
of application forms and other documentary
requirements are stored in a locked fire-proof steel
cabinet at the DFA office.

Transmission
Paper requirements collected from the applicants
will be transmitted from the Passport on Wheels
site to DFA office.

Passport on Wheels Site

 Sharing
To whom data will be shared for what
purpose
Personal data shared with APO
Production Unit (“APO”), a Government-
owned corporation and a recognized
Government printer and authorized data
processor of the DFA.
Disposal and Destruction
How data will be disposed /destructed
Reasonable steps are taken to delete and/or
destroy personal data in a secure manner when no
longer needed for the purposes for which it was
collected and retention is no longer necessary for
legal purposes. (Paper documents are shredded;
Data stored online are permanently deleted)
Risk Identification & Assessment
This section documents the assessment of the identified risks per privacy domains and principles,

Data Subject/s
Data Life
who are
Cycle
Impacted

Adult Applicants
ACQUISITION/
COLLECTION

Adult Applicants
ACQUISITION/
COLLECTION

Adult Applicants
ACQUISITION/
COLLECTION

Adult Applicants STORAGE

Adult Applicants STORAGE

Adult Applicants STORAGE

Adult Applicants USE

Adult Applicants USE

Adult Applicants
TRANSFER/
DISCLOSURE:

Adult Applicants
TRANSFER/
DISCLOSURE:

Adult Applicants
RETENTION/
DISPOSAL

Adult Applicants
RETENTION/
DISPOSAL
tification & Assessment & Controls
assessment of the identified risks per privacy domains and principles, against existing controls and recomm

Possible Consequence of Privacy Risk to the Data Type of Threat

Subject/s Confidentiality Integrity

Unauthorized personnel/persons are overhearing the collection of personal data

by the DFA Staff. This could lead to unauthorized disclosure exposing the data 1 0
subjects to data-related threats

Security guards/personnel assigned to check the application forms to provide

queueing numbers may see the personal data of the applicants. This brings about
1 0
the risk of unauthorized access and may lead to unauthorized disclosure if the
said staff are not aware of the DPA.

The DFA Online Passport Appointment System Website may contain links to
other websites, apps, content, services, or resources on the Internet which are 1 0
operated by third parties.

Copies of the Application forms submitted by the data subjects and the
Government-issued documents may be lost or destroyed, whether accidentally or
0 0
intentionally, due to unsecure physical storage for the said paper documents.
Availability of the personal data is at risk

Inadequate technical security measures DFA Online Passport Appointment

System Website used for the may lead to interception or manipulation of
electronic communications by third parties. This could expose the personal 1 1
information to be stolen, altered and make the data subjects vulnerable to
cybercrimes such as Fraud and Malware
IT Infrastructure used for storage of all databases may experience natural
0 0
disasters that could lead to destruction of storage devices.

The personal data collected by the DFA may be used by a malicious insider that
may leak, sell, and use for other illegitimate purpose not defined in the scope of 1 0
the DPS.

Passport data may be reproduced to create falsified passports. 0 1

Assigned Personnel/s from APO to perform activities relating to the outsourced

service of printing may cause the personal data to leak due to lack of awareness 1 0
of the DPA laws and agreement applicable to PIPs

Original Copies of the passports may be susceptible to loss and destruction

0 0
during transport.

Improper disposal/destruction of hardcopies of the documentary requirements

0 0
collected from the Data Subjects (e.g. Gov-issued IDs, application forms)

Electronic records that are supposed to be disposed may still be existing because
0 1
there is no standard Retention and Disposal Schedules
ontrols
ng controls and recommend mitigations including quick wins.

Type of Threat
Availability Unauthorized Violation
S L R Risk Level

0 0 1 2 2 4 Low

0 0 1 2 3 6 Medium

0 0 1 2 4 8 Medium

1 0 1 3 2 6 Medium

1 1 1 4 2 8 Medium
1 0 1 4 2 8 Medium

0 1 1 3 2 6 Medium

0 1 1 4 1 4 Low

0 1 1 2 2 4 Low

1 0 1 3 1 3 Low

1 0 1 2 3 6 Medium

0 1 1 2 3 6 Medium
 Proposed Control Measures
Organizational Physical

Implement queueing distance between

applicants to prevent leakage through
--
overhearing of collection activities in
the processing area

Only authorized personnel should be

given access to the personal data.
Security guards/personnel with access
to personal data of applicants should
--
be made to sign a Non-Disclosure
Agreement. Ensure that personnel are
aware of their obligations under the
DPA.

-- --

The DFA Passport On-Wheels should

be designed to protect the personald
data collected. For example, storage
areas on the vehicle should be built
--
with steel cabinets and locks. The
vehicle should be closed off and
inaccessible to unauthorized personnel
while parked its designated area.

Procure high-level technical trainings

regarding Cybersecurity for the IT --
Programmers
 Data should be backed up daily. The
data centers housing the servers used
to process and store personal data
--
should be designed to withstand
natural and man-made disasters like
floods, fires, earthquakes, etc.

All DFA employees and staff with

access to personal data should be
made to sign a Non-Disclosure
Agreement. All employees handling
personal data should be required to
--
attend a DPA Awareness seminar to
ensure that all of them are aware of
the penalties imposed by law on those
who maliciously disclose personal
information.

APO should use specialized paper and

DFA should work with law enforcement
printing material to ensure that original
authorities in order to track down and
passports are easily distinguishable
apprehend passport counterfeiters.
from fake passports.

Outsourcing Agreement between DFA

and APO should provide that all APO
employees should undergo DPA
--
Awareness Seminar. All outsourced
employees should be made to sign an
NDA.

DFA should only partner with couriers

that have a good track record. Also,
the Data Sharing
Agreement/Outsourcing agreement
--
should impose strict penalties on the
part of the courier in case of
successive loss/destruction of
passports being delivered.

DFA should revise their internal

Privacy Policy to provide for specific
retention periods and methods of Disposal of hard copies should be
disposal. The DPO of the DFA should done through paper shredding.
impose the retention and disposal
policies strictly.

DFA should revise their internal

Privacy Policy to provide for specific
retention periods and methods of
--
disposal. The DPO of the DFA should
impose the retention and disposal
policies strictly.
Measures Mitigate When?
Duration in S L R
Technical Start on Deadline days

09/01/2022 09/08/2022 7 1 1 1

-- 09/01/2022 09/30/2022 29 2 1 2

The IT Administrators of the DFA

Online Passport Appointment Sysem
Website should disable third-party
09/15/2022 09/22/2022 7 1 2 2
links.

10/01/2022 10/31/2022 30 1 1 1

The IT Administrators should ensure

that there is a firewall and virus
checker in place, and that the personal 10/01/2022 10/31/2022
information held electronically is
30 2 1 2
encrypted. The staff must also be
required to use strong passwords.
 -- 10/01/2022 10/31/2022 30 2 2 4

DFA should impose strict access

control and ensure that employees can
access only the data that they are
allowed to access. HR and IT should 11/1/2022 11/30/2022 29 2 2 4
work hand in hand to create security
clearance for each employee handling
personal data.

-- 11/01/2022 11/30/2022 29 3 1 3

-- 11/10/2022 11/20/2022 10 1 1 1

-- 11/20/2022 11/30/2022 10 1 1 1

-- 12/01/2022 12/31/2022 30 2 2 4

There should be a fixed disposal

schedule set by the IT Administrator to
ensure that no data is being kept for 12/01/2022 12/31/2022 30 2 2 4
longer than the retention periods
provided in the Privacy Policy.
Risk Level

Negligible

Low

Low

Negligible

Low
 Low

Low

Low

Negligible

Negligible

Low

Low
 PRIVACY RISK MAP
BEFORE

HIGH

4 4 8 12 16

3 3 6 9 12

2 2 4 6 8
MEDIUM

1 1 2 3 4

LOW

NEGLIGIBLE

OVERALL ASSESSMENT
Based on the Privacy Impact assessment performed on the program DFA
Passport on Wheels (For new Adult Applicants Only), the DFA Data Privacy
Office is recommending its commencement.

After all the recommended security controls have been implemented, the
identified privacy risks decreased in both likelihood and severity, which led the
team to conclude that the residual risks are negligible compared to the programs
overall benefits. Hence, the program may proceed to its implementation.
CY RISK MAP
AFTER

HIGH

4 4 8 12 16

3 3 6 9 12

2 2 4 6 8
MEDIUM

1 1 2 3 4

LOW

NEGLIGIBLE
Name of Data Processing System

PROCESS OWNER Mary Joy Guinaling

JOB TITLE DFA Personnel
SIGNATURE xxx
PIA STARTING DATE August 25, 2022
PIA ENDING DATE August 25, 2022

DPO Melando F. Nadaic

JOB TITLE DATA PROTECTION OFFICER
SIGNATURE
DATE SIGNED August 25, 2022
DATE OF NEXT PIA February 25, 2023

President Inrique Manalig

xxx
DATE SIGNED August 26, 2022
 Health Information System

g
ATTACHMENTS
1 Notice of meetings
2 Participants' Attendance
3 Budget
4 Photos
5 Others