Amicus Curiae

Gov’t body issues guidelines for conducting privacy impact assessments

Danielle S. Cadiz

December 12, 2017

Pursuant to Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), and in preparation for the March 8, 2018 deadline for the second phase of the registration process, the National Privacy Commission (NPC) issued NPC Advisory No. 2017-03, which prescribes guidelines for conducting a Privacy Impact Assessment (PIA) for entities that process personal information and sensitive personal information. A PIA is a tool for identifying and evaluating the risks that the processing of personal or sensitive personal information by an entity’s systems, technology, programs, processes, or activities poses to an individual’s privacy.

The NPC first introduced the concept of conducting PIAs under NPC Circular 16-01 on Security of Personal Data in Government Agencies. Section 5 of the Circular mandated government agencies to conduct a PIA for every program, process, or measure within the agency that involves personal information.

Subsequently, the NPC issued NPC Circular 16-03 on Personal Data Breach Management, which recommended the undertaking of a PIA as a measure intended to prevent or minimize the occurrence of a personal data breach in any organization.

The undertaking of a PIA is intended to:

  • identify, assess, evaluate, and manage the risks represented by the processing of personal data;
  • assist the personal information controller (PIC) or personal information processor (PIP) in preparing the records of its processing activities, and in maintaining its privacy management program;
  • facilitate compliance by the PIC or PIP with the DPA, its implementing rules and regulations, and other applicable issuances of the NPC, by determining:
    • its adherence to the principles of transparency, legitimate purpose and proportionality;
    • its existing organizational, physical and technical security measures relative to its data processing systems; and
    • the extent to which it upholds the rights of data subjects; and
  • aid the PIC or PIP in addressing privacy risks by allowing it to establish a control framework.

It is essential for a PIC or PIP to undertake a PIA for all systems, programs, projects, procedures, measures, or technology products that involve or impact personal information.

The results must be properly documented in a report which should include information on the involvement of stakeholders, proposed steps in order to mitigate identified risks, and the procedure through which the results of the PIA will be communicated to internal and external stakeholders.

Before conducting a PIA, the following must be taken into consideration:

  • The PIC or PIP should signify its commitment to the conduct of the PIA by:
    • deciding on the need for a PIA;
    • designating a person responsible for the whole process;
    • providing resources to accomplish the objectives of the PIA; and
    • issuing a clear directive for the conduct of a PIA.
  • The PIC or PIP must identify:
    • the program, project, process, measure, system, or technology product on which the PIA will be conducted;
    • the process owners, participants, and the persons in charge of conducting the PIA and preparing its corresponding report;
    • the procedure on how internal and external stakeholders will be involved; and
    • the procedure for integrating the recommendations of the PIA into the control framework of the organization.
  • The PIC or PIP should, in the preparatory activities leading up to the conduct of the PIA, ensure that:
    • records of the processing activities of the PIC or PIP and an inventory of the personal data involved in such activities are maintained;
    • a preliminary assessment is undertaken in order to determine baseline information, including existing policies and security measures of the organization;
    • stakeholders are consulted to identify their concerns, expectations, and perception of risk posed by the entity’s processing activities;
    • the objectives, scope, and methodology of the PIA are established; and
    • a detailed plan for the conduct of the PIA is prepared.

NPC Advisory No. 2017-03 does not prescribe a specific standard or format for conducting a PIA. Accordingly, a PIC or PIP may use any existing methodology, provided that the PIA contains a systematic description of its personal data flows and processing activities, assesses the adherence of the PIC or PIP to the DPA, identifies and evaluates the risks posed by the system to the rights of affected data subjects, proposes measures to address these risks, and ensures the involvement of all interested parties.

The conduct of a PIA is one of the means by which a PIC or PIP demonstrates its due diligence and compliance with the DPA, its implementing rules and regulations, and the issuances of the NPC. It is also an effective method of managing the risks represented by the processing of personal information, by ensuring that the collection of personal information is limited to what is necessary and that the rights of data subjects are protected.