
MASTERCLASS

Privacy Impact Assessment (PIA) WorkGuide
17 August 2021

Developed for training purposes only. © 2021 Unauthorized use is strictly prohibited.
Contents
Pillar II. Conduct A Privacy Impact Assessment: Know Your Risks...............................1
General Principles.........................................................................................................1
Key Considerations.......................................................................................................1
Objectives.....................................................................................................................2
Responsibility................................................................................................................2
Stakeholder Involvement..............................................................................................2
Structure and Form.......................................................................................................3
Planning a PIA...............................................................................................................4
Preparatory Activities for the PIA: CHECKLIST.........................................................5
Conduct of the PIA: CHECKLIST................................................................................6

Guide to the Privacy Impact Assessment (PIA)..................................................................8


Overview........................................................................................................................8
I. Project/System Description........................................................................................8
II. Threshold Analysis....................................................................................................9
III. Stakeholder(s) Engagement...................................................................................10
IV. Personal Data Flows..............................................................................................11
V. Lawful Processing...................................................................................................12
VI. The Questionnaire..................................................................................................13
VII. Privacy Impact Analysis.......................................................................................16
VIII. Security Measures...............................................................................................23
IX. Privacy Risk Management.....................................................................................27
X. Recommended Privacy Solutions...........................................................................28

Stakeholder Involvement
Stakeholder involvement is important in the conduct of a PIA. This may be
accomplished through their direct participation in the process, through
consultations in a public forum or focus group discussions, or through the use of
surveys and feedback forms.

Stakeholders may be involved in the whole process, or may be consulted for
specific stages, such as in the preparatory stage, during risk analysis and evaluation,
or after the process during the review that leads up to the preparation of the
report.

The results of a PIA should be communicated to the stakeholders via a written
report.

Structure and Form


There is no prescribed standard or format for a PIA. As such, the PIC or PIP may
determine the structure and form of the PIA that it will use. It is not
precluded from utilizing any existing methodology, provided the latter is
acceptable based on the following criteria:

1. It provides a systematic description of the personal data flow and processing
activities of the PIC or PIP. This includes:
1. purpose of the processing, including, where applicable, the legitimate
interest pursued by the PIC or PIP;
2. data inventory identifying the types of personal data held by the PIC or PIP;
3. sources of personal data and procedures for collection;
4. functional description of personal data processing, including a list of all
information repositories holding personal data and their location, and types
of media used for storage;
5. transfers of personal data to another agency, company, or organization,
including transfers outside the country, if any;
6. storage and disposal method of personal data;
7. accountable and responsible persons involved in the processing of personal
data; and
8. existing organizational, physical and technical security measures.

2. It includes an assessment of the adherence by the PIC or PIP to the data privacy
principles, the implementation of security measures, and the provision of
mechanisms for the exercise by data subjects of their rights under the DPA.
3. It identifies and evaluates the risks posed by a data processing system to
the rights and freedoms of affected data subjects, and proposes measures that
address them.
1. Risk identification. Risks include natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration and contamination.
2. Risks evaluation based on impact and likelihood. The severity or extent of
the impact of a breach or privacy violation on the rights and freedoms of
data subjects must be determined. The probability of the risk happening
and the sources of such risk should also be taken into consideration.
3. Remedial measures. Based on an assessment of risks, measures should be
proposed on how to address and manage the said risks.

4. It is an inclusive process in that it ensures the involvement of interested parties
and secures inputs from the DPO and data subjects.

Planning a PIA
The following should be considered when planning the conduct of a PIA:

1. The PIC or PIP should signify its commitment to the conduct of a PIA. This means:
a. deciding on the need for a PIA;
b. assigning a person responsible for the whole process;
c. providing resources to accomplish the objectives of the PIA; and
d. issuing a clear directive for its conduct.

2. The program, project, process, measure, system or technology product on which a PIA will
be conducted should be identified. The scope of the PIA must be clearly delineated.

How do you determine (or choose) the system or process that should be
subjected to a PIA?
1. Which system or systems hold or process employee data? This would be
the first and obvious system or process that processes personal data.
2. What other classifications of data subjects do you have, or are you collecting and
processing in the company? Some examples of systems or processes are: CRM
systems (customer data); purchasing system (supplier data); contracting
system (provider data); enrollment system (participant data).

The scope of the PIA will be limited by the extent of the processing that the
chosen or selected type or class of personal data is subjected to.

3. The process owners, participants, and the persons in charge of conducting the PIA,
including the preparation of its report, should be identified. When the scope of the
PIA is determined to be broad and/or comprehensive, a taskforce or secretariat may
be necessary. The PIC or PIP may also outsource the conduct of the PIA, but great
care should be taken in evaluating the adequacy and propriety of the methodology
that will be utilized, and the expected outputs.
4. The PIC or PIP should determine how internal and external stakeholders will be
involved.

5. Other matters that should be established:
a. objectives, schedules, and available resources; [today and tomorrow]
b. means of communicating the results of the PIA to stakeholders; and
c. procedure for integrating the recommendations of the PIA into the control
framework of the organization.

Preparatory Activities for the PIA: CHECKLIST
(Columns: Preparatory Activities | Yes | No | To Do)

1. Gather records of the processing activities of the PIC or PIP, and an
inventory of the personal data involved in such activities. Create data flows
for the processing activities: from the collection of personal data, all the
way up to its deletion or disposal, including storage. Assign the process
owners to provide these documents prior to conduct of the PIA.
2. Determine baseline information, including existing policies and security
measures of the organization. Coordinate with the different units or offices
of the organization, such as those in charge of compliance, quality
management, records and information management, information technology,
administration and planning, customer relations, and legal concerns.
(To Do: Tomorrow!)
3. Consult stakeholders during the preparatory stage to identify their
concerns, expectations, and perception of the risks posed by the processing
activities of the organization. Existing reports may be considered, if
available, such as customer satisfaction surveys, internal audits, and other
assessment activities.
4. Establish the objectives, scope, and methodology of the PIA. Select an
appropriate control framework. For agencies that process the personal data
records of more than one thousand (1,000) individuals, including agency
personnel, the Commission recommends the use of the ISO/IEC 27002 and
ISO/IEC 29151 control set as the minimum standard to assess any gaps in the
agency’s control framework.
5. Prepare the detailed plan for the conduct of the PIA, including:
1. schedules and timelines for the completion of preparatory activities,
conduct of the PIA, and reporting or publication of results;
2. approval of resource and budget allocations;
3. participants and methods for stakeholder involvement;
4. documentation and review process;
5. other supporting documents.

Conduct of the PIA: CHECKLIST
(Columns: Activity | Yes | No | To Do)
1. Evaluate the records of processing activities, the personal data inventory,
and the personal data flows to determine whether additional information
is necessary for the proper conduct of a PIA.
The following constitute the baseline information to be evaluated:
a. purpose and legal basis of the processing activities, including
data sharing and other forms of data transfers;
b. persons responsible for processing personal data, including a
list of those individuals with access thereto;
c. list of all information repositories and technology products
used;
d. sources and recipients of personal data; and
e. existing policies, procedures and security measures relevant
to personal data protection.
2. Evaluate the processing activities against the legal obligations of the PIC or
PIP, and the latter’s chosen control framework.
3. The control framework should adhere to the data privacy principles. It
should implement security measures and establish procedures for the
proper exercise by data subjects of their rights. Privacy and data
protection measures, whether planned or existing, should be considered.
4. Assess the data processing systems of the PIC or PIP to determine if there
are gaps at any stage of the processing. There is a gap when:
a. there is a violation of any data privacy principle;
b. the organizational, physical, and technical security measures
are inadequate to safeguard the confidentiality, availability,
and/or integrity of personal data; or
c. the exercise by data subjects of their rights is not possible or
is restricted without legal basis.
5. Gaps should be evaluated to determine the risks involved to personal data,
possible threats, and existing vulnerabilities of the systems. Risks include
the following:
a. unauthorized or unlawful processing;
b. confidentiality breach;
c. integrity breach;
d. availability breach; and
e. violations of rights of data subjects.

6. Assess the risks to determine whether the breach or privacy violation it
poses is likely to happen. The assessment should consider the processing
operations of the PIC or PIP, vulnerabilities and threats, as well as existing
safeguards, if any. Determine how the risk will affect the rights and
freedoms of data subjects based on the amount and nature of personal
data involved, and the impact of possible harm.
7. Identify and propose measures to address the risks. They may mitigate,
accept, avoid, or transfer the risks posed by the processing, by taking into
account the likelihood and impact of a breach or privacy violation, the
available resources of the organization to address the risks, current data
privacy best practices, and industry or sector standards. The proposed
measures should include:
a. risks and strategies for risk management;
b. implementing activities, including definite plans and specific
projects;
c. controlling mechanisms to monitor, review, and support
implementation;
d. proposed time frame, expected completion, or schedules;
e. responsible and accountable persons; and
f. necessary and available resources.

8. Document the involvement of stakeholders.
9. Review the PIA report featuring the results of the PIA before it is
finalized and approved. It should include the proposed measures that
should serve as the basis for implementing changes in the organization (e.g.,
new policies and procedures, security measures to strengthen data
processing systems, etc.). The report should also include
recommendations as to when the PIA will be updated and reviewed.
10. Report results of the PIA to management and communicate to internal and
external stakeholders. The PIC or PIP can limit the information provided to
the public based on its legitimate interests, such as the legal, business
operation, or security risks that disclosure may give rise to.

may find intrusive?
e. Will information about individuals be disclosed to organizations or
people who have not previously had routine access to the
information?
f. Does the initiative involve you using new technology which may be
perceived as being privacy intrusive (e.g. biometrics or facial
recognition)?
g. Will the initiative result in you making decisions or taking action against
individuals in ways which can have a significant impact on them?
h. Were the personal data collected prior to August 2016?

III. Stakeholder(s) Engagement


State all project stakeholders consulted in planning, preparing and conducting your PIA.
Identify which part they were involved in (describe how stakeholders were engaged in the PIA
process).

Name | Role | Involvement | Input/Recommendations
Anne De La Cruz | Security Adviser | Review all security measures | 201 file details and process
Steve Gates | Process owner | Domain knowledge | Answers to questionnaire
Bill Jobs | HR Staff | Provide processing details | Sample documentation and forms used
Jose Bonifacio | IT Head | Security measures | Extended assistance in providing storage protection and IT measures

* add additional rows if needed.

IV. Personal Data Flows
Sample Data Flow in Table Form

Employee Data | Collected | Use | Retain/Store | Disclose/Share | Dispose
By | HR Staff; manager/officer/ | Officers and recruitment office staff | HR Dept; IT Manager | HR Officer | HR Dept/Board
To | authorized staff | | | |
From | applicant; employee | | | |
How | Application form; web | Recommending hiring decision, performance reports and employee related official communications | Hard disk copy; paper copy | email or verbal acknowledgement | Hard disk/system delete/wipe function; shredding
When | Applying to company; during their employment | Staff review/evaluation period | When received | upon approval by authorizing officer; confirmation of legitimate use | Upon instruction of authorized officer
Where | Web or office | Office or workplace | Hard disk back up; 201 cabinets, workplace only (cloud?) | office; workplace; authorized meeting area | office; data location
Why | Part of hiring and basis for qualifying employee/applicant | Reference in making decision on employee performance, training, promotions. | employment process | Legitimate employee activity? | For reasons approved by the Board
How Long | | | Until disposed; not specified | |
Authority | Part of job task or responsibility | Company policy; HR discretion | | | Board resolution

V. Lawful Processing
Rule V. Lawful Processing of Personal Data

When are you allowed to collect or process personal and/or sensitive personal
information?

Legitimate Purpose | For processing Personal Info (Section 21, IRR) | For processing Sensitive Personal Info (Section 22, IRR)

1. Consent of the data subject
- Personal Info: Given prior to the collection, or as soon as practicable and
reasonable. (Sec. 21a)
- Sensitive Personal Info: Given prior to the processing, which shall be undertaken
pursuant to a declared, specified, and legitimate purpose. (Sec. 22a)

2. Contractual agreement
- Personal Info: To fulfill obligations under the contract, or to take steps at the
request of the data subject prior to entering the contract. (Sec. 21b)
- Sensitive Personal Info: (not applicable)

3. Legal obligation
- Personal Info: For compliance with a legal obligation to which the PIC is
subject. (Sec. 21c)
- Sensitive Personal Info: As provided for by existing laws and regulations that do
not require consent and that guarantee the protection of personal data. (Sec. 22b)

4. To protect vital interests
- Personal Info: To protect vitally important interests of the data subject,
including his/her life and health. (Sec. 21d)
- Sensitive Personal Info: To protect the life and health of the data subject or
another person, and the data subject is not able to express consent. (Sec. 22c)

5. Lawful and noncommercial objectives
- Personal Info: (not applicable)
- Sensitive Personal Info: For as long as processing is confined to the members of
the public organization or association, and the data is not transferred to third
parties, and consent was obtained prior to processing. (Sec. 22d)

6. For medical treatment
- Personal Info: (not applicable)
- Sensitive Personal Info: Processing is necessary for medical treatment; provided
that processing is carried out by a medical practitioner or institution, and an
adequate level of protection of personal data is ensured. (Sec. 22e)

7. Public order and safety
- Personal Info: To respond to national emergency or to comply with the
requirements of public order and safety, as prescribed by law. (Sec. 21e)
- Sensitive Personal Info: (not applicable)

8. Public authority
- Personal Info: For the fulfillment of the constitutional or statutory mandate of
a public authority. (Sec. 21f)
- Sensitive Personal Info: For the protection of lawful rights and interests of
persons in court proceedings or legal claims, or when provided to public authority
pursuant to a constitutional or statutory mandate. (Sec. 22f)

9. Legitimate interests of the PIC
- Personal Info: To pursue the legitimate interests of the PIC or PIP, except where
such interests are overridden by fundamental rights and freedoms. (Sec. 21g)
- Sensitive Personal Info: (not applicable)
VI. The Questionnaire


Identify the personal data involved and describe the data flow from collection to
disposal by answering the following questions below:

What personal data are being or will be processed by this project/system?

HR System: Employee Data

Name, address, contact number, date of birth, SS Number, Email, TIN,
Employee Number, etc.

Bio-data; application form; staff performance data; health info.

List all personal data (e.g. full name, address, gender, phone number,
etc.) and underline which is/are the sensitive personal information (e.g. race,
ethnicity, marital status, health, genetic, government issued numbers).

All the information stated above will be in accordance with the next section.

Collection | Comment

1. State who collected or will be collecting the personal information and/or
sensitive information.
   HR Staff (authorized position or representative)
   Comment: Limit to authorized persons/positions.
2. How the personal information/sensitive personal information is collected and
from whom it was collected?
   By filling up of application form/employee form. From Applicant/Employee
   » Is personal information collected from some source other than the
   individual? Jobstreet, ??
3. What is/are the purpose(s) of collecting the personal data?
   For employment review, promotion, performance evaluation
   Comment: Remove the illegitimate purpose.
   » Are you collecting only what you need? Not sure
   Comment: Limit data to what we need. Identify those that we need (get input
   from stakeholder).
4. How was or will the consent be obtained?
   Contractual Agreement; from Application Form (consent form?)
   Comment: If none, draft/use consent form.
   » Do individuals have the opportunity and/or right to decline to provide
   data? Yes
   Comment: Yes, this is one of their rights (object).
   » What will happen if they decline?
   Comment: Find another way? Or do not process the data!

Storage | Comment

1. Where is it currently being stored?
   Company server, 201 cabinet, HR Custodian
   » Is it being stored in a physical server or in the cloud?
2. Is it being stored in another country? No, not sure?
   Comment: Please confirm!
   » If it is subject to a cross-border transfer, specify what country or
   countries. NA
3. Is the storage of data being outsourced? No
   Comment: Need a DSA or outsourced agreement?
   » Specify if the storing process is being done in-house or is it handled by
   a service provider. In-house

Usage | Comment

1. How will the data be used or what is the purpose of its processing?
   Comment: Legitimate business purpose?
   » Describe how the collected information is being used or will be used.
   » Specify the processing activities where the personal information is being
   used.

Retention | By

1. How long are the data being retained? And why?
   Comment: Put a date or time period!
   » State the length of time the data is being retained.
   » What is the basis of retaining the data that long? Specify the reason(s).
   Comment: If no basis, come up with any time period or max. 5 years.

Disclosure/Sharing | By

1. To whom is the data being disclosed? Is it being disclosed outside the
organization? Why is it being disclosed? Bank?
   Comment: DSA (PIC to PIC)
   » Specify if the personal information is being shared outside the
   organization. For payroll purposes
   » What are the reasons for disclosing the personal information?

Disposal/Destruction | By

1. How will the data be disposed? Securely
   Comment: Measure for secured disposal
   » Describe the process of disposing the personal information.
   Comment: Should be secured.
2. Who will facilitate the destruction of the data? IT or DPO or HR
   Comment: Authorize it now.
   » State if the process is being managed in-house or if it is a third party.
   Comment: Should be secured and official.

Alternatively, if you use this questionnaire approach, you can create an Excel file
with the following columns as shown above: Data; Collection; Storage; Usage;
Retention; Disclosure/Sharing; Disposal/Destruction. You then get an easily
understandable and clearer picture of the whole process (data life cycle) with the
least effort, and faster reference when you need it going into the next stages of
the impact analysis.
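The same life-cycle register can be kept as structured records and checked automatically for the gaps the comment column keeps pointing out. The following is an added example, not part of the WorkGuide or any official NPC tool: it stores one record per data element with the Collection / Storage / Usage / Retention / Disclosure / Disposal answers, requires a Section 21 basis for personal information and a Section 22 basis for sensitive personal information (labels taken from the Rule V table above), and flags unconfirmed cross-border storage, outsourcing or sharing without an agreement, a missing retention period and a missing disposal measure. The field names, the basis labels and the sample rows are constructed for illustration.

```python
"""Data life-cycle register with automated gap checks.

Added example, not part of the WorkGuide or any official tool. Field names,
the lawful-basis labels and the sample rows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Lawful bases, labelled after the rows of the Rule V table (Section 21 for
# personal information, Section 22 for sensitive personal information).
SEC21_BASES = {
    "consent", "contract", "legal obligation", "vital interests",
    "public order and safety", "public authority", "legitimate interests",
}
SEC22_BASES = {
    "consent", "legal obligation", "vital interests",
    "lawful and noncommercial objectives", "medical treatment", "public authority",
}


@dataclass
class DataItem:
    """One row of the register: a single data element across its life cycle."""
    name: str
    sensitive: bool               # sensitive personal information (health, government IDs, ...)
    collected_from: str           # "data subject" or the name of a third-party source
    purposes: List[str]           # declared purposes of processing
    lawful_basis: str             # one of the labels above, or "" when none was identified
    storage_location: str
    stored_abroad: str            # "yes", "no" or "unconfirmed"
    outsourced_storage: bool
    outsourcing_agreement: bool
    retention_period: str         # e.g. "5 years"; "" when nobody has set one
    shared_outside: bool
    data_sharing_agreement: bool
    disposal_method: str          # "" when not specified


def find_gaps(item: DataItem) -> List[str]:
    """Return the gaps for one row, in life-cycle order (collection to disposal)."""
    gaps: List[str] = []
    if item.collected_from.lower() != "data subject":
        gaps.append(f"collected from a source other than the individual ({item.collected_from}): record it")
    if not item.purposes:
        gaps.append("no declared purpose")
    allowed = SEC22_BASES if item.sensitive else SEC21_BASES
    section = "22" if item.sensitive else "21"
    if item.lawful_basis not in allowed:
        gaps.append(f"no lawful basis under Section {section} (given: {item.lawful_basis or 'none'})")
    if item.stored_abroad == "unconfirmed":
        gaps.append("cross-border storage unconfirmed: confirm the country or countries")
    if item.outsourced_storage and not item.outsourcing_agreement:
        gaps.append("storage outsourced without an outsourcing agreement")
    if not item.retention_period:
        gaps.append("retention period not specified: put a date or time period")
    if item.shared_outside and not item.data_sharing_agreement:
        gaps.append("shared outside the organization without a data sharing agreement (PIC to PIC)")
    if not item.disposal_method:
        gaps.append("no secured disposal measure described")
    return gaps


def review_register(register: List[DataItem]) -> Dict[str, List[str]]:
    """Map each data element that has gaps to its list of gaps."""
    findings: Dict[str, List[str]] = {}
    for item in register:
        gaps = find_gaps(item)
        if gaps:
            findings[item.name] = gaps
    return findings


def sensitive_elements(register: List[DataItem]) -> List[str]:
    """The elements the questionnaire asks you to underline."""
    return [item.name for item in register if item.sensitive]


# Constructed sample rows, loosely modelled on the HR-system answers above.
SAMPLE_REGISTER = [
    DataItem("Name", False, "data subject", ["employment process"], "contract",
             "company server; 201 cabinet", "no", False, False, "5 years",
             False, False, "shredding; disk wipe"),
    DataItem("SS Number", True, "data subject", ["payroll"], "contract",
             "company server", "unconfirmed", False, False, "",
             True, False, "disk wipe"),
    DataItem("Health info", True, "company clinic", ["fitness to work"], "consent",
             "201 cabinet", "no", True, False, "5 years",
             False, False, ""),
    DataItem("Performance data", False, "data subject", [], "legitimate interests",
             "HRIS", "no", False, False, "until separation plus 2 years",
             False, False, "system delete"),
]

if __name__ == "__main__":
    print("Sensitive elements:", sensitive_elements(SAMPLE_REGISTER))
    for name, gaps in review_register(SAMPLE_REGISTER).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Each gap the script reports is exactly a "gap" in the sense of step 4 of the conduct checklist, so the findings feed directly into the risk identification that follows; in the sample register the SS Number row alone carries four of them, which is why the questionnaire keeps asking for a date, a DSA and a confirmation of where the data actually sits.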

VII. Privacy Impact Analysis

Privacy Impact Analysis Checklist


Process/System Name: __HRIS – Employee Data_____________________________________

Each program, project or means for collecting personal information should be tested for consistency with the following Data Privacy Principles:

Name of process or system tested: _________________________________________________

Prepared by: ___[person assessing the system]___________ Reviewed by: _____________________

Date submitted: ____________ Date reviewed: _____________

a. Policies and procedures shall be implemented to monitor and limit access to and
activities in the room, workstation or facility, including guidelines that specify the
proper use of and access to electronic media;
b. Design of office space and work stations, including the physical arrangement of
furniture and equipment, shall provide privacy to anyone processing personal data,
taking into consideration the environment and accessibility to the public;
c. The duties, responsibilities and schedule of individuals involved in the processing of
personal data shall be clearly defined to ensure that only the individuals actually
performing official duties shall be in the room or work station, at any given time;
d. Any natural or juridical person or other body involved in the processing of personal
data shall implement policies and procedures regarding the transfer, removal,
disposal, and re-use of electronic media, to ensure appropriate protection of
personal data;
e. Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the processing of
personal data shall, as far as practicable, be secured against natural disasters, power
disturbances, external access, and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate,
personal information controllers and personal information processors shall adopt
and establish the following technical security measures:

a. A security policy with respect to the processing of personal data;
b. Safeguards to protect their computer network against accidental, unlawful or
unauthorized usage, any interference which will affect data integrity or hinder the
functioning or availability of the system, and unauthorized access through an
electronic network;
c. The ability to ensure and maintain the confidentiality, integrity, availability, and
resilience of their processing systems and services;
d. Regular monitoring for security breaches, and a process both for identifying and
accessing reasonably foreseeable vulnerabilities in their computer networks, and for
taking preventive, corrective, and mitigating action against security incidents that
can lead to a personal data breach;
e. The ability to restore the availability and access to personal data in a timely manner
in the event of a physical or technical incident;
f. A process for regularly testing, assessing, and evaluating the effectiveness of security
measures;
g. Encryption of personal data during storage and while in transit, authentication
process, and other technical security measures that control and limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the
compliance of natural or juridical person or other body involved in the processing
of personal data, specifically their security measures, with the guidelines provided
in these Rules and subsequent issuances of the Commission. In determining the
level of security appropriate for a particular personal information controller or
personal information processor, the Commission shall take into account the nature
of the personal data that requires protection, the risks posed by the processing, the
size of the organization and complexity of its operations, current data privacy best
practices, and the cost of security implementation. The security measures provided
herein shall be subject to regular review and evaluation, and may be updated as
necessary by the Commission in separate issuances, taking into account the most
appropriate standard recognized by the information and communications
technology industry and data privacy best practices.

IX. Privacy Risk Management
A risk refers to the potential of an incident to result in harm or danger to a data
subject or organization. Risks are those that could lead to the unauthorized
collection, use, disclosure or access to personal data. This includes risks that the
confidentiality, integrity and availability of personal data will not be maintained,
or the risk that processing will violate the rights of data subjects or the privacy
principles (transparency, legitimacy and proportionality).

The first step in managing risks is to identify them, including threats and
vulnerabilities, and to evaluate their impact and probability (likelihood).

The following definitions are used:

- Risk: “the potential for loss, damage or destruction as a result of a threat exploiting a
vulnerability”;
- Threat: “a potential cause of an unwanted incident, which may result in harm to a
system or organization”;
- Vulnerability: “a weakness of an asset or group of assets that can be exploited by
one or more threats”;
- Impact: severity of the injuries that might arise if the event does occur (can be
ranked from trivial injuries to major injuries); and
- Probability: chance or probability of something happening.

Impact

Rating | Type | Description
1 | Negligible | The data subjects will either not be affected or may encounter a few inconveniences, which they will overcome without any problem.
2 | Limited | The data subjects may encounter significant inconveniences, which they will be able to overcome despite a few difficulties.
3 | Significant | The data subjects may encounter significant inconveniences, which they should be able to overcome but with serious difficulties.
4 | Maximum | The data subjects may encounter significant, or even irreversible, consequences, which they may not overcome.

Probability

Rating | Type | Description
1 | Unlikely | Not expected, but there is a slight possibility it may occur at some time.
2 | Possible | Casual occurrence. It might happen at some time.
3 | Likely | Frequent occurrence. There is a strong possibility that it might occur.
4 | Almost Certain | Very likely. It is expected to occur in most circumstances.
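Putting the two scales to work means rating every identified risk on both, combining the ratings, and ranking the register so treatment effort goes to the worst entries first. The following is an added example, not part of the WorkGuide: each risk records the threat and vulnerability behind it (matching the definitions above), is rated 1-4 for impact and 1-4 for probability, and gets a score equal to their product; the score is then mapped to a priority band and the register is sorted, with ties broken by impact because harm to the data subject outweighs likelihood. The band thresholds, the treatment labels (the mitigate/accept/avoid/transfer options from step 7 of the conduct checklist) and the sample risks are constructed assumptions; the WorkGuide supplies the scales but no score-to-priority mapping.

```python
"""Risk register scored on the WorkGuide's Impact and Probability scales.

Added example, not from the WorkGuide. Band thresholds, treatment labels and
sample risks are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The 1-4 scales exactly as tabulated in the WorkGuide.
IMPACT = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}
PROBABILITY = {1: "Unlikely", 2: "Possible", 3: "Likely", 4: "Almost Certain"}
# Treatment options listed in step 7 of the conduct checklist.
TREATMENTS = ("mitigate", "accept", "avoid", "transfer")


@dataclass
class Risk:
    description: str
    threat: str                  # potential cause of an unwanted incident
    vulnerability: str           # weakness the threat could exploit
    impact: int                  # 1-4, per the Impact table
    probability: int             # 1-4, per the Probability table
    existing_safeguards: str = ""
    treatment: str = "mitigate"

    def __post_init__(self) -> None:
        # Reject ratings outside the scales and unknown treatment options early,
        # so a mistyped "5" never silently inflates or deflates a ranking.
        if self.impact not in IMPACT or self.probability not in PROBABILITY:
            raise ValueError(f"{self.description}: ratings must be 1-4")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.description}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        """Product of the two ratings, 1 to 16."""
        return self.impact * self.probability


def priority(score: int) -> str:
    """Constructed bands on the 1-16 score; an organization sets its own thresholds."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def rank(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Risks from most to least severe; ties broken by impact."""
    ordered = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r.description, r.score, priority(r.score)) for r in ordered]


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], int]:
    """Count of risks per (impact, probability) cell, i.e. a 4x4 risk matrix."""
    cells: Dict[Tuple[int, int], int] = {}
    for r in risks:
        key = (r.impact, r.probability)
        cells[key] = cells.get(key, 0) + 1
    return cells


# Constructed sample risks, of the kind the questionnaire gaps above surface.
SAMPLE_RISKS = [
    Risk("201 file cabinet left unlocked outside office hours",
         threat="unlawful access", vulnerability="no key control",
         impact=3, probability=4),
    Risk("SS numbers sent to payroll bank without a data sharing agreement",
         threat="unauthorized disclosure", vulnerability="no DSA",
         impact=4, probability=2),
    Risk("Performance reports kept with no retention period",
         threat="processing beyond purpose", vulnerability="no retention schedule",
         impact=2, probability=4, treatment="avoid"),
    Risk("Power disturbance in server room",
         threat="accidental loss", vulnerability="no UPS",
         impact=2, probability=1, existing_safeguards="nightly backup",
         treatment="accept"),
]

if __name__ == "__main__":
    for description, score, band in rank(SAMPLE_RISKS):
        print(f"{band:6} {score:2}  {description}")
```

With the sample data the unlocked cabinet (3 x 4 = 12) ranks first, the two 8-point entries are ordered by impact so the SS-number disclosure precedes the retention problem, and the power disturbance sits last as an accepted risk with an existing safeguard noted; the tuple returned by rank() is what the step 7 measures (strategy, time frame, responsible person) get attached to.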
