Developed for training purposes only. © 2021 Unauthorized use is strictly prohibited.
Contents
Pillar II. Conduct A Privacy Impact Assessment: Know Your Risks (p. 1)
General Principles (p. 1)
Key Considerations (p. 1)
Objectives (p. 2)
Responsibility (p. 2)
Stakeholder Involvement (p. 2)
Structure and Form (p. 3)
Planning a PIA (p. 4)
Preparatory Activities for the PIA: CHECKLIST (p. 5)
Conduct of the PIA: CHECKLIST (p. 6)
Stakeholder Involvement
Stakeholder involvement is important in the conduct of a PIA. This may be
accomplished through their direct participation in the process, through
consultations in a public forum or focus group discussions, or through the use of
surveys and feedback forms.
2. It includes an assessment of the adherence by the PIC or PIP to the data privacy
principles, the implementation of security measures, and the provision of
mechanisms for the exercise by data subjects of their rights under the DPA.
3. It identifies and evaluates the risks posed by a data processing system to
the rights and freedoms of affected data subjects, and proposes measures that
address them.
1. Risk identification. Risks include natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration and contamination.
2. Risk evaluation based on impact and likelihood. The severity or extent of
the impact of a breach or privacy violation on the rights and freedoms of
data subjects must be determined. The probability of the risk materializing
and the sources of that risk should also be taken into consideration.
3. Remedial measures. Based on an assessment of risks, measures should be
proposed on how to address and manage the said risks.
Planning a PIA
The following should be considered when planning the conduct of a PIA:
1. The PIC or PIP should signify its commitment to the conduct of a PIA. This means:
a. deciding on the need for a PIA;
b. assigning a person responsible for the whole process;
c. providing resources to accomplish the objectives of the PIA; and
d. issuing a clear directive for its conduct.
2. The program, project, process, measure, system or technology product on which a PIA will
be conducted should be identified. The scope of the PIA must be clearly delineated.
How do you determine (or choose) the system or process that should be
subjected to a PIA?
1. Which system or systems hold or process employee data? This is usually
the first and most obvious system or process that handles personal data.
2. What other classes of data subjects do you have, or are you collecting and
processing, in the company? Some examples of systems or processes are: CRM
systems (customer data); purchasing system (supplier data); contracting
system (provider data); enrollment system (participant data).
The scope of the PIA will be limited by the extent of the processing that the
chosen or selected type or class of personal data is subjected to.
3. The process owners, participants, and the persons in charge of conducting the PIA,
including the preparation of its report, should be identified. When the scope of the
PIA is determined to be broad and/or comprehensive, a taskforce or secretariat may
be necessary. The PIC or PIP may also outsource the conduct of the PIA, but great
care should be taken in evaluating the adequacy and propriety of the methodology
that will be utilized, and the expected outputs.
4. The PIC or PIP should determine how internal and external stakeholders will be
involved.
Preparatory Activities for the PIA: CHECKLIST
(Columns: Preparatory Activities / Yes / No / To Do)
1. Gather records of the processing activities of the PIC or
PIP, and an inventory of the personal data involved in
such activities.
(Columns: Activity / Yes / No / To Do)
1. Evaluate the records of processing activities, the personal data inventory,
and the personal data flows to determine whether additional information
is necessary for the proper conduct of a PIA.
The following constitute the baseline information to be evaluated:
operations of the PIC or PIP, vulnerabilities and threats, as well as existing
safeguards, if any. Determine how the risk will affect the rights and
freedoms of data subjects based on the amount and nature of personal
data involved, and the impact of possible harm.
7. Identify and propose measures to address the risks. They may mitigate,
accept, avoid, or transfer the risks posed by the processing, by taking into
account the likelihood and impact of a breach or privacy violation, the
available resources of the organization to address the risks, current data
privacy best practices, and industry or sector standards. The proposed
measures should include:
a. risks and strategies for risk management;
b. implementing activities, including definite plans and specific
projects;
c. controlling mechanisms to monitor, review, and support
implementation;
may find intrusive?
e. Will information about individuals be disclosed to organizations or
people who have not previously had routine access to the
information?
f. Does the initiative involve you using new technology which may be
perceived as privacy intrusive (e.g. biometrics or facial
recognition)?
g. Will the initiative result in you making decisions or taking action against
individuals in ways which can have a significant impact on them?
h. Were the personal data collected prior to August 2016?
IV. Personal Data Flows
Sample Data Flow in Table Form (Employee Data)
The columns of the table are the stages of the data life cycle: Collected, Use,
Retain/Store, Disclose/Share, Dispose. Each row below gives the entries for one
question, stage by stage.

By
Collected: HR Staff; recruitment office staff
Use: Officers and manager/officer/authorized staff
Retain/Store: HR Dept; IT Manager
Disclose/Share: HR Officer, to authorized staff
Dispose: HR Dept/Board

From
Collected: applicant; employee

How
Collected: Application form; web
Use: Recommending hiring decision, performance reports and employee related official communications
Retain/Store: Hard disk copy; paper copy
Disclose/Share: email or verbal acknowledgement
Dispose: Hard disk/system delete/wipe function; shredding

When
Collected: Applying to company; during their employment
Use: Staff review/evaluation period
Retain/Store: When received
Disclose/Share: upon approval by authorizing officer; confirmation of legitimate use
Dispose: Upon instruction of authorized officer

Where
Collected: Web or office
Use: Office or workplace only
Retain/Store: Hard disk back up; 201 cabinets (cloud?)
Disclose/Share: office; authorized meeting area
Dispose: workplace; office; data location

Why
Collected: Basis for qualifying employee/applicant
Use: Part of hiring and employment process
Retain/Store: Reference in making decision on employee performance, training, promotions.
Disclose/Share: Legitimate employee activity?
Dispose: For reasons approved by the Board

How Long
Retain/Store: Until disposed; not specified

Authority
Collected: Part of job task or responsibility
Use through Disclose/Share: Company policy; HR discretion
Dispose: Board resolution
V. Lawful Processing
Rule V. Lawful Processing of Personal Data
When are you allowed to collect or process personal and/or sensitive personal
information?

The table has three columns: Legitimate Purpose; For processing Personal Info
(Section 21, IRR); For processing Sensitive Personal Info (Section 22, IRR).

1. Consent of the data subject
Personal Info: Given prior to the collection, or as soon as practicable and
reasonable. (Sec. 21a)
Sensitive Personal Info: Given prior to the processing, which shall be undertaken
pursuant to a declared, specified, and legitimate purpose. (Sec. 22a)

2. Contractual agreement
Personal Info: To fulfill obligations under the contract, or to take steps at the
request of the data subject prior to entering the contract. (Sec. 21b)
Sensitive Personal Info: (none listed)

3. Legal obligation
Personal Info: For compliance with a legal obligation to which the PIC is
subject. (Sec. 21c)
Sensitive Personal Info: As provided for by existing laws and regulations that do
not require consent and that guarantee the protection of personal data. (Sec. 22b)

4. To protect vital interests
Personal Info: To protect vitally important interests of the data subject,
including his/her life and health. (Sec. 21d)
Sensitive Personal Info: To protect the life and health of the data subject or
another person, and the data subject is not able to express consent. (Sec. 22c)

5. Lawful and noncommercial objectives
Personal Info: (none listed)
Sensitive Personal Info: For as long as processing is confined to the members of
the public organization or association, and the data is not transferred to third
parties, and consent was obtained prior to processing. (Sec. 22d)

6. For medical treatment
Personal Info: (none listed)
Sensitive Personal Info: Processing is necessary for medical treatment; provided
that processing is carried out by a medical practitioner or institution, and an
adequate level of protection of personal data is ensured. (Sec. 22e)

7. Public order and safety
Personal Info: To respond to national emergency or to comply with the
requirements of public order and safety, as prescribed by law. (Sec. 21e)
Sensitive Personal Info: (none listed)

8. Public authority
Personal Info: For the fulfillment of the constitutional or statutory mandate of
a public authority. (Sec. 21f)
Sensitive Personal Info: For the protection of lawful rights and interests of
persons in court proceedings or legal claims, or when provided to public
authority pursuant to a constitutional or statutory mandate. (Sec. 22f)

9. Legitimate interests of the PIC
Personal Info: To pursue the legitimate interests of the PIC or PIP, except where
such interests are overridden by fundamental rights and freedoms. (Sec. 21g)
Sensitive Personal Info: (none listed)
List all personal data (e.g. full name, address, gender, phone number,
etc.) and underline which is/are sensitive personal information (e.g. race,
ethnicity, marital status, health, genetic data, government-issued numbers).
All the information stated above will be in accordance with the next section.
Collection (with Comment column)
1. State who collected or will be collecting the personal information
and/or sensitive information.
Answer: HR Staff (authorized position or representative)
Comment: Limit to authorized persons/positions
2. How is the personal information/sensitive personal information
collected, and from whom was it collected?
Answer: By filling up of application form/employee form. From Applicant/Employee
4. How was or will the consent be obtained?
Answer: Contractual Agreement; from Application Form (consent form?)
Comment: If none, draft/use consent form
» Do individuals have the opportunity and/or right to decline to provide data?
Answer: Yes
Comment: Yes, this is one of their rights (object)
» What will happen if they decline?
Comment: Find another way? Or do not process the data!
Storage (with Comment column)
1. Where is it currently being stored?
Answer: company Server, 201 cabinet, HR Custodian
Usage (with Comment column)
1. How will the data be used or what is the purpose of its processing?
Comment: Legitimate business purpose?
» Describe how the collected information is being used or will be used.
Retention (By)
1. How long are the data being retained? And why?
Comment: Put a date or time period!
» State the length of time the data is being retained.
Comment: come up with any time period, or max. 5 years.
Disclosure/Sharing (By)
1. To whom is the data being disclosed?
Disposal/Destruction (By)
1. How will the data be disposed?
Answer: securely
Comment: Measure for secured disposal
» Describe the process of disposing the personal information.
Comment: Should be secured.
2. Who will facilitate the destruction of the data?
Answer: IT or DPO or HR
Comment: Authorize now.
» State if the process is being managed in-house or if it is a third party.
Comment: Should be secured and official.
Alternatively, if you use this questionnaire approach, you can create an Excel file
with the following columns as shown above: Data; Collection; Storage; Usage;
Retention; Disclosure/Sharing; Disposal/Destruction. You then get an easily
understandable and clearer picture of the whole process (data life cycle) with the
least effort, and faster reference when you need it, going into the next stages of
the impact analysis.
VII. Privacy Impact Analysis
Each program, project or means for collecting personal information should be tested for consistency with the following Data Privacy Principles:
a. Policies and procedures shall be implemented to monitor and limit access to and
activities in the room, workstation or facility, including guidelines that specify the
proper use of and access to electronic media;
b. Design of office space and work stations, including the physical arrangement of
furniture and equipment, shall provide privacy to anyone processing personal data,
taking into consideration the environment and accessibility to the public;
c. The duties, responsibilities and schedule of individuals involved in the processing of
personal data shall be clearly defined to ensure that only the individuals actually
performing official duties shall be in the room or work station, at any given time;
d. Any natural or juridical person or other body involved in the processing of personal
data shall implement policies and procedures regarding the transfer, removal,
disposal, and re-use of electronic media, to ensure appropriate protection of
personal data;
e. Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the processing of
personal data shall, as far as practicable, be secured against natural disasters, power
disturbances, external access, and other similar threats.
Section 29. Appropriate Level of Security. The Commission shall monitor the
compliance of natural or juridical person or other body involved in the processing
of personal data, specifically their security measures, with the guidelines provided
in these Rules and subsequent issuances of the Commission. In determining the
level of security appropriate for a particular personal information controller or
personal information processor, the Commission shall take into account the nature
of the personal data that requires protection, the risks posed by the processing, the
size of the organization and complexity of its operations, current data privacy best
practices, and the cost of security implementation. The security measures provided
herein shall be subject to regular review and evaluation, and may be updated as
necessary by the Commission in separate issuances, taking into account the most
appropriate standard recognized by the information and communications
technology industry and data privacy best practices.
IX. Privacy Risk Management
A risk refers to the potential of an incident to result in harm or danger to a data
subject or organization. Risks are those that could lead to the unauthorized
collection, use, disclosure or access to personal data. It includes risks that the
confidentiality, integrity and availability of personal data will not be maintained,
or the risk that processing will violate the rights of data subjects or the privacy
principles (transparency, legitimacy and proportionality).
The first step in managing risks is to identify them, including the threats and
vulnerabilities behind them, and then to evaluate their impact and probability (likelihood).
Risk - “the potential for loss, damage or destruction as a result of a threat exploiting a
vulnerability”;
Threat - “a potential cause of an unwanted incident, which may result in harm to a
system or organization”;
Vulnerability - “a weakness of an asset or group of assets that can be exploited by
one or more threats”;
Impact - severity of the injuries that might arise if the event does occur (can be
ranked from trivial injuries to major injuries); and
Probability - chance or probability of something happening;
Impact (Rating, Type, Description)
1 Negligible: The data subjects will either not be affected or may encounter a few
inconveniences, which they will overcome without any problem.
2 Limited: The data subjects may encounter significant inconveniences, which they will
be able to overcome despite a few difficulties.
3 Significant: The data subjects may encounter significant inconveniences, which they
should be able to overcome but with serious difficulties.

Probability (Rating, Type, Description)
1 Unlikely: Not expected, but there is a slight possibility it may occur at some
time.
2 Possible: Casual occurrence. It might happen at some time.
3 Likely: Frequent occurrence. There is a strong possibility that it might
occur.
4 Almost Certain: Very likely. It is expected to occur in most circumstances.
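The risk evaluation step above (rate impact and probability, then propose remedial measures) as a small worked register. This is an added example, not material from the training document: the Impact and Probability scales are the ones on this page, while the score bands, the treatment labels and the sample risks are constructed assumptions for illustration.

```python
# Added example (not from the training document): a small privacy risk register
# scored on the page's Impact (1-3) and Probability (1-4) scales. The score bands
# and the treatment labels are assumptions for illustration; the document gives
# no numeric thresholds.
from dataclasses import dataclass

IMPACT = {1: "Negligible", 2: "Limited", 3: "Significant"}
PROBABILITY = {1: "Unlikely", 2: "Possible", 3: "Likely", 4: "Almost Certain"}

@dataclass
class Risk:
    description: str   # a threat exploiting a vulnerability, per the page's definitions
    impact: int        # 1..3 on the Impact table
    probability: int   # 1..4 on the Probability table

    def __post_init__(self):
        # Reject ratings outside the page's scales rather than silently scoring them
        if self.impact not in IMPACT or self.probability not in PROBABILITY:
            raise ValueError(f"rating out of range: {self}")

    @property
    def score(self) -> int:
        return self.impact * self.probability   # 1..12

def treatment(score: int) -> str:
    """Assumed bands: low -> accept, mid -> mitigate, high -> avoid or transfer."""
    if score <= 2:
        return "accept"
    if score <= 6:
        return "mitigate"
    return "avoid/transfer"

def build_register(risks):
    """Rows for the PIA report, highest score first."""
    return [
        {
            "risk": r.description,
            "impact": f"{r.impact} {IMPACT[r.impact]}",
            "probability": f"{r.probability} {PROBABILITY[r.probability]}",
            "score": r.score,
            "treatment": treatment(r.score),
        }
        for r in sorted(risks, key=lambda r: r.score, reverse=True)
    ]

# Constructed sample risks for the employee-data flow described on the page
SAMPLE_RISKS = [
    Risk("Unlawful access to 201 cabinets after office hours", 3, 2),
    Risk("Accidental loss of unencrypted hard disk backup", 3, 3),
    Risk("Employee records retained with no defined period", 2, 4),
    Risk("Mis-addressed email carrying a performance report", 2, 1),
]
```

Calling build_register(SAMPLE_RISKS) returns the register rows ordered for the report, with the treatment column feeding the "risks and strategies for risk management" item of the proposed measures.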