
Name of DPS

(Data Processing System – electronic, manual, or both)

AGENCY/ ORGANIZATION NAME


Brief Description of the DPS
Data Process Flow
• Please provide a SIMPLE flow chart showing where the data/information goes, from collection up to storage.
STEP 1: Define the process.

1. What data is being collected by this process (list all, including personal as well as non-personal)
2. Which data (if any) is considered sensitive personal information (underline these)
3. Who are we collecting this data from
4. How are we collecting this data
5. Why is this data being collected
6. Will we use this data to make any decisions that have a legal effect on the data subject
7. Who will be handling and accessing this data
8. Will the data be shared with any other organizations
9. What is the key benefit/s the data subject gets from this process
10. What is the key benefit/s for the community or society
Step 2: Ensure that processing is legally allowed and in compliance with the Data Privacy Act of 2012.

1. What is the legal basis for collecting this data
2. Are we over-collecting
3. How will consent be obtained
4. Do individuals have the opportunity and/or right to decline to provide data
5. What happens if they decline
6. How will the data collected be checked for accuracy
7. How will data subjects be allowed to correct errors, if any
8. Will the data be re-used
9. How
10. How long are we required to keep the data
11. How do we plan to dispose of the data
Criteria for Severity & Likelihood
Summary of Privacy Risks Identified
Privacy Risk | Type of risk | Severity | Likelihood
Privacy Risk Map
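Severity (rows): Level 1 Slight, Level 2 Stressful, Level 3 Major, Level 4 Extreme
Likelihood (columns): Nil, Low, Med, High

Level 4 (Extreme): Unsecured Device and Computers; Improper Disposal
Level 3 (Major): Wrong Capture
Level 2 (Stressful): Unauthorized access - Intentional
Level 1 (Slight):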
Summary
Given this process: HR Recruitment
With legal purpose: Legal basis (CSC rules) recruitment of applicants
Providing this benefit: Step 1 – No. 9 to 10 (PIA Template)
Which collects this data: Step 1 – No. 1 to 2, personal data
The privacy risks that may lead to level 3 or 4 harm are as follows: (Refer to your risk register and risk map)
- No consent
- Unauthorized Disclosure
- Improper Disposal
Overall privacy risk (H/M/L): High
High – at least 3 or more identified risks
Medium – at least 2 identified risks
Low – one identified risk
Controls Identified: (Refer to your list of controls)
- Consent form, informed DS
- Establish retention policy
OVERALL ASSESSMENT: ACCEPTABLE
List of proposed controls with type (organizational, physical, or technical), estimated cost, and estimated implementation timeframe:

Proposed Control Measures | Type of Control | Budget | Timeframe | Responsible
1. Access Policy | Technical | | 1 month | IT and infosec
2. Privacy Notice | Organizational | | 1 month | Legal
3. Shredding Machine | Physical | | 1 month | Procurement

Approval and Sign off:

____________________ _________________ _______________


Program/Process Owner Signature Date

____________________ _________________ _______________


Data Protection Officer (DPO) Signature Date

____________________ _________________ _______________


Head of the Organization Signature Date
