
Privacy Impact Assessment Guide

I. Project/System Description

II. Threshold Analysis

III. Stakeholder(s) Engagement

V. Privacy Impact Analysis

VI. Privacy Risk Management

VII. Recommended Privacy Solutions


SECURITY OF PERSONAL DATA IN GOVERNMENT AGENCIES (NPC-circular-16-01)

Restricted Access

Access to all data centers owned and controlled by a government agency shall be restricted to
agency personnel that have the appropriate security clearance. This should be enforced by an
access control system that records when, where, and by whom the data centers are accessed.
Access records and procedures shall be reviewed by agency management regularly.

Service Provider as Personal Information Processor

When a government agency engages a service provider for the purpose of storing personal data
under the agency’s control or custody, the service provider shall function as a personal information
processor and comply with all the requirements of the Act, its IRR and all applicable issuances by
the Commission.

Encryption of Personal Data

All personal data that are digitally processed must be encrypted, whether at rest or
in transit. For this purpose, the Commission recommends Advanced Encryption
Standard with a key size of 256 bits (AES-256) as the most appropriate encryption
standard. Passwords or passphrases used to access personal data should be of
sufficient strength to deter password attacks. A password policy should be issued
and enforced through a system management tool.
Examples of Encryption Software

● BitLocker is a full volume encryption feature included with Microsoft Windows
versions starting with Windows Vista.
● VeraCrypt is a free open source disk encryption software for Windows, Mac
OSX and Linux.

Access to or Modification of Databases.

Only programs developed or licensed by a government agency shall be allowed to
access and modify databases containing the personal data under the control or
custody of that agency.

Online Access to Personal Data

Agency personnel who access personal data online shall authenticate their identity via a secure
encrypted link and must use multi-factor authentication. Their access rights must be defined and
controlled by a system management tool.

Local Copies of Personal Data Accessed Online.

A government agency shall adopt and utilize technologies that prevent personal data accessible
online to authorized agency personnel from being copied to a local machine. The agency shall
also provide for the automatic deletion of temporary files that may be stored on a local machine by
its operating system.

Where possible, agency personnel shall not be allowed to save files to a local machine. They shall
be directed to only save files to their allocated network drive.

Drives and USB ports on local machines may also be disabled as a security measure. A
government agency may also consider prohibiting the use of cameras in areas where personal
data is displayed or processed.

Authorized Devices

A government agency shall ensure that only known devices, properly configured to the agency’s
security standards, are authorized to access personal data. The agency shall also put in place
solutions that only allow authorized media to be used on its computer equipment.

Remote Disconnection or Deletion

A government agency shall adopt and use technologies that allow the remote disconnection of a
mobile device owned by the agency, or the deletion of personal data contained therein, in the
event that such a mobile device is lost. A notification system for such loss must also be established.

Paper-based Filing System

If personal data is stored in paper files or any physical media, the government agency shall
maintain a log, from which it can be ascertained which file was accessed, including when, where,
and by whom. Such log shall also indicate whether copies of the file were made. Agency
management shall regularly review the log records, including all applicable procedures.
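The review that the Restricted Access and Paper-based Filing System requirements call for (every record says when, where and by whom a file was accessed and whether copies were made; only cleared personnel; regular management review), as an added Python illustration that is not part of the circular. The log format, the clearance roster and the review rules are assumptions.

```python
"""Management review of access records (data-centre access control system or
paper-file log): flags records missing the 'which file' detail, access by
personnel without clearance for the location, after-hours access, and copies.

Added illustration, not from the circular; the pipe-separated record format,
the clearance roster and the business-hours window are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Constructed clearance roster (assumed format): user -> locations cleared for
CLEARANCE = {
    "jdelacruz": {"DC-1", "RECORDS-ROOM"},
    "msantos": {"DC-1"},
}

# Constructed sample log, one record per line: when|where|who|file|copied
SAMPLE_LOG = """\
2024-03-04T09:12:00|DC-1|jdelacruz|payroll-2023.xlsx|no
2024-03-04T23:40:00|DC-1|msantos|hris-backup.tar|no
2024-03-05T10:05:00|RECORDS-ROOM|msantos|201-file-0042|yes
2024-03-05T11:30:00|RECORDS-ROOM|jdelacruz||no
"""


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_record(line):
    """Split one record into its fields; raises ValueError if malformed."""
    parts = line.split("|")
    if len(parts) != 5:
        raise ValueError("expected 5 fields")
    return {
        "when": datetime.fromisoformat(parts[0]),
        "where": parts[1],
        "who": parts[2],
        "file": parts[3],
        "copied": parts[4] == "yes",
    }


def review_access_log(log_text, clearance, business_hours=(7, 19)):
    """Return the list of Findings a manager should look at, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            findings.append(Finding(n, f"malformed record ({exc})"))
            continue
        # Every record must identify the file that was accessed
        if not rec["file"]:
            findings.append(Finding(n, "record does not identify the file accessed"))
        # Only personnel cleared for that location may access it
        if rec["where"] not in clearance.get(rec["who"], set()):
            findings.append(Finding(n, f"{rec['who']} has no clearance for {rec['where']}"))
        # Access outside business hours is flagged for review, not forbidden
        if not business_hours[0] <= rec["when"].hour < business_hours[1]:
            findings.append(Finding(n, "access outside business hours"))
        # Any copy made of a file is always brought to the reviewer's attention
        if rec["copied"]:
            findings.append(Finding(n, f"copy made of {rec['file']}"))
    return findings
```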

Personal Data Sharing Agreement

Access by other parties to personal data under the control or custody of a government agency
shall be governed by data sharing agreements that will be covered by a separate issuance of the
Commission.

Emails

A government agency that transfers personal data by email must either ensure that the data is
encrypted, or use a secure email facility that facilitates the encryption of the data, including any
attachments. Passwords should be sent on a separate email. It is also recommended that
agencies utilize systems that scan outgoing emails and attachments for keywords that would
indicate the presence of personal data and, if appropriate, prevent its transmission.
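An outgoing-mail scan of the kind recommended above (keyword indicators in the body and in attachments, transmission blocked on a hit), as an added Python illustration and not code from the circular. The indicator patterns, the MIME handling and the constructed sample message are assumptions.

```python
"""Scan an outgoing e-mail and its attachments for indicators of personal data
before it leaves the agency, and decide whether to block it.

Added illustration, not from the circular; the indicator list, the handling of
binary attachments and the sample message are assumptions."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed indicator patterns: words and identifier shapes that commonly mark
# personal data in agency correspondence.
INDICATORS = {
    "tin": re.compile(r"\b(TIN|tax identification)\b", re.I),
    "sss": re.compile(r"\bSSS\b"),
    "passport": re.compile(r"\bpassport\b", re.I),
    "dob": re.compile(r"\b(date of birth|birthdate)\b", re.I),
    "nine-digit-id": re.compile(r"\b\d{3}-\d{3}-\d{3}\b"),
}

TEXT_TYPES = {"text/plain", "text/csv", "text/html"}


def scan_text(text):
    """Return the set of indicator names found in a piece of text."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return {part name: indicators found}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ctype
        if ctype in TEXT_TYPES:
            text = part.get_content()
        else:
            # Binary attachments: only a lossy text decode is attempted here;
            # a production scanner would parse office and PDF formats.
            text = part.get_payload(decode=True).decode("utf-8", "ignore")
        found = scan_text(text)
        if found:
            hits[name] = found
    return hits


def should_block(raw_bytes):
    """Block transmission if any part of the message carries an indicator."""
    return bool(scan_message(raw_bytes))


def build_sample_message():
    """Constructed outgoing mail with a CSV attachment holding personal data."""
    msg = EmailMessage()
    msg["From"] = "records@agency.example"
    msg["To"] = "partner@example.org"
    msg["Subject"] = "Requested list"
    msg.set_content("Attached is the list you asked for.")
    csv = "name,tin,date of birth\nJuan Dela Cruz,123-456-789,1980-01-01\n"
    msg.add_attachment(csv, subtype="csv", filename="list.csv")
    return msg.as_bytes()
```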

Personal Productivity Software

A government agency shall implement access controls to prevent agency personnel from printing
or copying personal data to personal productivity software like word processors and spreadsheets
that do not have any security or access controls in place.

Removable Physical Media

Where possible, the manual transfer of personal data, such as through the use of removable
physical media like compact discs, shall not be allowed: Provided, that if such mode of transfer is
unavoidable or necessary, authentication technology, such as one-time PINs, shall be
implemented.

Fax Machines

Facsimile technology shall not be used for transmitting documents containing personal data.

Transmittal
A government agency that transmits documents or media containing personal data by mail or post shall
make use of registered mail or, where appropriate, guaranteed parcel post service. It shall establish
procedures that ensure that such documents or media are delivered only to the person to whom they are
addressed, or his or her authorized representative: Provided, that similar safeguards shall be adopted
relative to documents or media transmitted between offices or personnel within the agency.
DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES (NPC-circular-16-02)

Consent

The personal information controller charged with the collection of personal data directly from the data subject, on its own or through
a personal information processor, shall obtain the consent of the data subject prior to collection and processing, except where such
consent is not required for the lawful processing of personal data, as provided by law. The personal information controller may
request an advisory opinion from the Commission in determining whether the data sharing requires consent from the data subject.
The data subject shall be provided with the following information prior to collection or before his or her personal data is shared:

1. Identity of the personal information controllers or personal information processors that will be given access to the personal
data;
2. Purpose of data sharing;
3. Categories of personal data concerned;
4. Intended recipients or categories of recipients of the personal data;
5. Existence of the rights of data subjects, including the right to access and correction, and the right to object; and
6. Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of
processing.

Content of a Data Sharing Agreement

A data sharing agreement shall be in writing and must comply with the following conditions:

A. It shall specify, with due particularity, the purpose or purposes of the data sharing agreement, including the public function or public service the
performance or provision of which the agreement is meant to facilitate: Provided, that if the purpose includes the grant of online access to
personal data, or if access is open to the public or private entities, these shall also be clearly specified in the agreement.

B. It shall identify all personal information controllers that are party to the agreement, and for every party, specify:

1. the type of personal data to be shared under the agreement;
2. any personal information processor that will have access to or process the personal data, including the types of processing it shall be allowed to
perform;
3. how the party may use or process the personal data, including, but not limited to, online access;
4. the remedies available to a data subject, in case the processing of personal data violates his or her rights, and how these may be exercised;
5. the designated data protection officer or compliance officer.

C. It shall specify the term or duration of the agreement, which may be renewed on the ground that the purpose or purposes of such agreement
continues to exist: Provided, that in no case shall such term or any subsequent extensions thereof exceed five (5) years, without prejudice to entering
into a new data sharing agreement.

D. It shall contain an overview of the operational details of the sharing or transfer of personal data under the agreement. Such overview must adequately explain to a data
subject and the Commission the need for the agreement, and the procedure that the parties intend to observe in implementing the same.

E. It shall include a general description of the security measures that will ensure the protection of the personal data of data subjects, including the policy for retention or disposal
of records.

F. It shall state how a copy of the agreement may be accessed by a data subject: Provided, that the government agency may redact or prevent the disclosure of any detail or
information that could endanger its computer network or system, or expose to harm the integrity, availability or confidentiality of personal data under its control or custody. Such
information may include the program, middleware and encryption method in use, as provided in the next succeeding paragraph.

G. If a personal information controller shall grant online access to personal data under its control or custody, it shall specify the following information:

1. Justification for allowing online access;
2. Parties that shall be granted online access;
3. Types of personal data that shall be made accessible online;
4. Estimated frequency and volume of the proposed access; and
5. Program, middleware and encryption method that will be used.

H. It shall specify the personal information controller responsible for addressing any information request, or any complaint filed by a data subject and/or any investigation by the
Commission: Provided, that the Commission shall make the final determination as to which personal information controller is liable for any breach or violation of the Act, its IRR,
or any applicable issuance of the Commission.

I. It shall identify the method that shall be adopted for the secure return, destruction or disposal of the shared data and the timeline therefor.

J. It shall specify any other terms or conditions that the parties may agree on.

Online Access
Where a government agency grants online access to personal data under its control or custody,
such access must be done via a secure encrypted link. The government agency concerned must
deploy middleware that shall have full control over such online access.

Transfer of Personal Data

Where a data sharing agreement involves the actual transfer of personal data or a copy thereof
from one party to another, such transfer shall comply with the security requirements imposed by
the Act, its IRR, and all applicable issuances of the Commission.

Accountability for Cross-border Transfer of Personal Data

Each party to a data sharing agreement shall be responsible for any personal data under its
control or custody, including those it has outsourced or subcontracted to a personal information
processor. This extends to personal data it shares with or transfers to a third party located outside
the Philippines, subject to cross-border arrangement and cooperation.
Privacy and Security Controls

Privacy and Security Policy Making

Policy: Intentions and direction of an organization, as formally expressed by its top
management. (ISO 27000, 3.53)

Security Implementation Standard: Document specifying authorized ways for realizing
security. (ISO 27000, 3.73)

Information Security: Preservation of confidentiality, integrity and availability of
information. (ISO 27000, 3.28)

Privacy Policy: Overall intention and direction, rules and commitment, as formally expressed
by the personal information controller related to the processing of personal information in a
particular setting. (ISO 29100, 2.16)
Policymaking

Leadership and management of data privacy protection must have a clear,
coherent, complete, and consistent understanding and record of the following:

1. The agreed mandated goals, accountability, and responsibility for the R.A.
10173 regulated data and information system.
2. The stakeholders registry and governance structure of planning, development,
execution, monitoring and improvement of the privacy and security policy.
3. The asset registry of people, process, data, application, infrastructure,
supplier, and location that must be secured in order to prevent privacy
violation and cyber crime.
4. The threat registry and risks assessment report that identifies, analyzes, evaluates,
and mitigates data privacy threats.
5. The key result areas and control indicators of data privacy protection and
information security management system.
6. The rules and practice standards of valid and verifiable intention and direction to
protect data privacy and to secure confidentiality, integrity, and availability of personal
information.
Policy Making Obligation

1. Personal Information Controller

● Implements reasonable and appropriate organizational, physical, and
technical security measures for the protection of personal data.
● Takes steps to ensure that any natural person acting under their authority
and who has access to personal data, does not process them except
upon their instructions, or as required by law.

R.A. 10173 IRR Rule VI

2. Head of the Agency

● The agency through the head of the agency has to create privacy and data
protection policies, taking into account the privacy impact assessments, as
well as Sections 25 to 29 of the IRR.

NPC Circular 16-01

3. The Data Protection Officer

● Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other
applicable laws and policies.
● Inform and cultivate awareness on privacy and data protection within the organization of the PIC
or PIP, including all relevant laws, rules and regulations and issuances of the NPC.
● Advocate for the development, review and/or revision of policies, guidelines, projects and/or
programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design
approach.

NPC Advisory 2017-01


Data Privacy Policy Stakeholders

Stakeholder (whose interest and benefit is the Data Privacy Act of 2012, R.A. 10173):
participation, accountability and responsibility

1. Data Subject: Represents the exercise of data privacy rights and is the main party to
associate personal data to be protected with privacy and security.
2. National Privacy Commission: Creates regulation; monitors compliance; educates the public;
and resolves cases on data privacy.
3. Personal Information Controller: Directs and rules the processing of personal information
with set limitations on data privacy.
4. Personal Information Processor: Performs the instruction to process personal information
based on a privacy processing agreement with a Personal Information Controller.
5. Data Protection Officer: Performs the oversight function for the Personal Information
Controller to achieve the mandated accountability and responsibility on data privacy.
6. Compliance Officer for Privacy: Assists in the oversight function to direct compliance, to
monitor breach events, and to resolve and report privacy security incidents.
7. IT and Infrastructure Service Providers: Provision of the technical measures to secure
personal information protection in the location, hardware, software, and services of personal
data processing.
8. 3rd Party of Data Sharing: Responsible for the transferred or shared data to be used in
compliance with data privacy regulation.
Privacy management stakeholders’ agreement?

1. Assets of data privacy to be secured
2. Privacy and security risks to be controlled
3. Privacy protection policies and measures to be maintained
4. Privacy and security agreements to be enforced
5. Business system and process to be ruled with data privacy and security controls
6. Privacy and security management methodology and technology to be acquired
7. Privacy capability building of personnel to be regularly conducted
8. Data privacy and information security ecosystem relationship to maintain


R.A. 10173 Data Privacy Management Requirements

Privacy protection requirement: management results

1. Data privacy and security governance and oversight: Governance and oversight roles,
accountability, responsibility.
2. Personal data and processing system visibility, registration, and risks assessment:
Registry of personal data, filing system, automation program and PIA report.
3. Respect the exercise of data privacy rights: Data privacy rights policy, procedures,
notification, consent, communication.
4. Regulated personal data processing lifecycle of personal information and sensitive
personal information: Inventory of process, system, technology and risks assessment and
system data privacy by design.
5. Data privacy principles and lawful criteria in the behaviour of personal data processing
system: Data processing privacy policy and system conformity test.
6. Defined conditions to process sensitive personal information: Privacy policy and system
conformity test.
7. Accountability in personal data sharing: Data sharing agreement, and security measures.
8. Security measures in personal information protection: Organization, physical and
technical measures – policy, role, activities, product, services and technology.
9. Breach incident management and privacy violation complaint handling procedures: Breach
reporting and case management.
10. Supplier relationship – privacy and security requirements: Privacy and Security
Agreements.
Policy Making Directives

The valid, verifiable, acceptable, and actionable implementation of the Data
Privacy Act of 2012 is based on the "Rules" that "enforce the Data Privacy Act and
adopt generally accepted international principles and standards for personal data
protection."

(R.A. 10173 IRR Section 2)


Data Privacy Regulated Information Processing:
1. Collection
2. Retention
3. Use
4. Sharing
5. Disposal

References:
RA 10173 2016 Implementing Rules and Regulation
National Privacy Commission advisory, circulars and case resolution issuances

Privacy & Security Policies:
1. Privacy Governance
2. Privacy Regulation & Policies
3. Privacy Rights Processes
4. Privacy Principles
5. Criteria Lawful Processing
6. Condition SPI Processing
7. Privacy Impact Assessment
8. Privacy Management System
9. Privacy Breach Management
10. ISO 29100 Privacy Controls
11. ISO 27701 ISMS Controls
12. ISO 27017-18 Cloud Security & Privacy
