Conduct of Privacy Impact Assessment


P.I.A.
August 18, 2017
CHED National Capital Region
CP Garcia Ave., UP Campus, Diliman, Quezon City

Dr. Rolando R. Lansigan
Chief, Compliance and Monitoring Division
National Privacy Commission (NPC)
THE FIVE PILLARS OF COMPLIANCE

1. Commit to Comply: Appoint a Data Protection Officer (DPO)
2. Know Your Risk: Conduct a Privacy Impact Assessment (PIA)
3. Be Accountable: Create your Privacy Management Program and Privacy Manual
4. Demonstrate Your Compliance: Implement your privacy and data protection (PDP) measures.
5. Be Prepared for Breach: Regularly exercise your Breach Reporting Procedures (BRP).
How to Conduct a Privacy Impact Assessment
Privacy Impact Assessment
• What is PIA?
– A privacy impact assessment (PIA) is a tool for identifying and assessing privacy risks
throughout the development life cycle of a program or system.
– A privacy impact assessment states what personally identifiable information (PII) is collected
and explains how that information is maintained, how it will be protected and how it will be
shared.
• A PIA should identify:
– Whether the personal data being collected complies with legal requirements of the DPA
– The risks and effects of collecting, maintaining and disseminating PII.
– Protections and processes for handling information to alleviate any potential privacy risks.
– Options and methods for individuals to provide consent for the collection of their PII.
• Stages of PIA
– Stage 1: Initial Screening
– Stage 2: PIA
– Stage 3: Final Report and Sign Off
Assign the Roles
• In your teams, assign the
following roles:
– Head of the Organization
– Process Owner
– Data Subject
– Legal Officer
– ICT Officer
– DPO
– Civil Society
– HR
– National Privacy Comm.
Case Study B
Closed Circuit TV

In an effort to reduce criminality in the barangay, barangay officials decide to install high-definition CCTVs at critical locations in the neighborhood.

To save costs, the cameras were connected by wi-fi to the cable TV network in the area and feed into a data center in the barangay hall.

Some hackers took over one of the cameras and used it to film an intimate moment with another neighbor. This footage was broadcast on a pornographic website.

Case Study C
Feelings Graph

In order to test a new feature in its smartwatch, a company ordered all 500 of its employees to wear the new smartwatch 24 x 7.

The new feature collects information on heartbeat and skin temperature at any given time, e.g. when talking to the boss, or while having merienda with a co-employee.

The graph is then posted to a social media site where the wearer can attach captions to specific events on the graph to explain what was happening on key portions of the graph.

Case Study D
Email Invitation

A church worker collected emails of church-goers interested to participate in a seminar on alcoholism and drug-abuse self-rehabilitation. These seminars are conducted once a month.

An email blast was sent displaying all the emails of the persons who were invited or expressed interest. One of the invited seems to be a known celebrity, and another seems to be an LGU member.

The list is leaked to the press, and speculation about the identities becomes a trending topic on Twitter.
Case Study A
Vaccination Program
The Department of Health requires those who participate in the Libreng
Bakuna Program to sign up using forms provided for the purpose by
the DOH.

The forms indicated that the participants must enter their name, age,
address, name of child, proof of billing/ residence, government-issued
identification details and photo.

The sheets will be kept in a folder in the office of the Barangay Health
Officer. Around one hundred families plan to avail of the free
vaccination.
STAGE 1 Initial Screening Questions

factor that will have to be further analyzed to ensure those risks are identified, assessed and fully mitigated.

If you have answered Yes to any of the questions, please proceed and complete stage 2. If not, proceed to stage 3 and sign off.

Q    Category                Screening question (answer Yes/No)
1.1  Identity                Will the project involve the collection of new information about individuals?
1.2  Identity                Will the project compel individuals to provide information about themselves?
1.3  Multiple organizations  Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
1.4  Data                    Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
1.5  Data                    Does the project involve using new technology which might be perceived as being privacy intruding, for example biometrics or facial recognition?
1.6  Data                    Will the project result in you making decisions or taking action against individuals in ways which could have a significant impact on them?
1.7  Data                    Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example health records, criminal records, or other information that people are likely to consider as private?
1.8  Data                    Will the project require you to contact individuals in ways which they may find intrusive?
PROCESS OWNER: As the owner of this process, I have called this meeting today to conduct a privacy impact assessment. To get all of us on the same page, let us review the following:

1. What data is being collected by this process (list all, including personal as well as non-personal)?
   Name of resident, age, address, proof of residence
2. Which data (if any) is considered sensitive personal information (underline these)?
   Government-issued identification details and photo. Full name of child.
3. Who are we collecting this data from?
   Residents who want to avail of free vaccination for their children.
4. How are we collecting this data?
   Using DOH Form
5. Why is this data being collected?
   To provide vaccination benefit
6. Will we use this data to make any decisions that have a legal effect on the data subject?
   If not a valid resident, benefit will not be provided
7. Who will be handling and accessing this data?
   Rural health worker
8. Will the data be shared with any other organizations?
   Shared with DOH (for monitoring and budgeting)
9. What is the key benefit/s the data subject gets from this process?
   Free vaccination
10. What is the key benefit/s for the community or society?
    Reduction of diseases
LEGAL OFFICER: As the legal officer, I need to ensure that what we are doing is legally allowed and in compliance with the Data Privacy Act of 2012. Let us review the following:

1. What is the legal basis for collecting this data?
   DOH regulation
2. Are we over-collecting?
   Do we really need proof of billing/residency?
3. How will consent be obtained?
   Through registration
4. Do individuals have the opportunity and/or right to decline to provide data?
5. What happens if they decline?
   If they decline to provide information, they will not be allowed to join the program
6. How will the data collected be checked for accuracy?
   Ask for corroboration from other residents
7. How will data subjects be allowed to correct errors, if any?
   Correction through the rural health worker <?>
8. Will the data be re-used?
9. How?
   Yes, for monitoring effectivity of vaccinations
   Yes, for budgeting of booster shots
10. How long are we required to keep the data?
    For the life of the child/vaccinated person
11. How do we plan to dispose of the data?
    No disposal plan
DATA SUBJECT: As one of those whose data is being collected by this process, I have certain fears and concerns about the impact of this process on my data privacy. Allow me to express these:

Identification scale (1 to 4): 1: virtually impossible; 2: difficult but possible; 3: relatively easy; 4: extremely easy
Damage scale (1 to 4): 1: slight inconvenience; 2: stressful inconvenience; 3: major difficulties; 4: extreme consequences

1. How easy would it be to identify me (on a scale of 1 to 4) if this data were to be breached or exposed?
   4
2. What things might happen if someone unauthorized gets this data?
3. How might this happen (describe scenario/s)?
   Identity thieves may use the ID and billing information
4. How much damage would this cause me (on a scale of 1 to 4)?
   2-3
5. What things might happen if someone alters or changes my data?
6. How might this happen (describe scenario/s)?
   Wrong booster shot may be administered
7. How much damage would this cause me (on a scale of 1 to 4)?
   3-4
8. What things might happen if this data suddenly becomes unavailable?
9. How might this happen (describe scenario/s)?
   Wrong booster shot may be administered
10. How much damage would this cause me (on a scale of 1 to 4)?
    3-4
11. What things might happen if this data is used for other purposes?
12. How might this happen (describe scenario/s)?
    Telemarketers may use this information
13. How much damage would this cause me (on a scale of 1 to 4)?
    1-2
MAYOR/CEO/HoA: Allow me to recap the discussion so far:

Given this process: Vaccination Program
With legal purpose: DoH Regulation
Providing this benefit (H/M/L): High
Which collects this data: name, age, address, name of child, proof of billing/residence, government-issued ID, photo
With identification level of (1-4): 4
The privacy risks that may lead to level 3 or 4 damage are as follows: Alteration of integrity; Loss of availability
Overall privacy risk (H/M/L): High
ICT/Developer: In order to design and implement the system properly, I need to understand the system requirements. Help me to answer the following:

Instructions: Encircle T (True), F (False), D (not sure)
Scoring: 5 points for every T; 5 points for every D
Technical Risk: 0 to 35: LOW; 40 to 70: MEDIUM; Above 70: HIGH

The system will process personal data of Filipino nationals. T F D
The system will process personal data of citizens of other countries. T F D
The total no. of data subjects whose records we will store is more than 250. T F D
The total no. of data subjects whose records we will store is more than 100,000. T F D
We process personal data on paper and other media such as microfilm, microfiche. T F D
We process personal data using digital media such as hard disks, CDs, and servers. T F D
The personal data is used to make decisions with legal effect about the data subject. T F D
The personal data that we process is scattered over several geographical sites. T F D
The personal data will be accessed by users outside of our organization. T F D
The personal data will be accessed by users from other parts of the world. T F D
The personal data will be accessed by programs not developed by us. T F D
The personal data must be accessible 24 hours a day, 7 days a week. T F D
The data and the system can be located in the premises of a service provider. T F D
There is a sub-second response time requirement for access to our data. T F D
The number of people who will have access to the personal data is more than 50. T F D
The number of people who will have access to the personal data is more than 250. T F D
There is a high risk of natural calamity in our area. T F D
The data we hold is considered an attractive target for hackers and identity thieves. T F D
The data and the system must be kept on-premise and cannot be moved to the cloud. T F D
TOTAL
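An added illustration, not part of the NPC slides, of the two explicit decision rules in this simulation: the Stage 1 screening (any Yes means a full PIA in stage 2) and the ICT/Developer technical-risk score (5 points per T or D; 0 to 35 LOW, 40 to 70 MEDIUM, above 70 HIGH). The abbreviated statement labels and the per-statement answers for Case Study A are my own assumptions; the slides give only the resulting band (Medium).

```python
# Added example (not from the NPC slides): Stage 1 screening rule and the ICT
# technical-risk scoring, with constructed (assumed) answers for Case Study A.
from typing import Dict, Tuple

POINTS = {"T": 5, "D": 5, "F": 0}  # slide rule: 5 points for every T, 5 for every D

TECH_STATEMENTS = (  # the 19 ICT/Developer statements, abbreviated, in slide order
    "Filipino nationals", "citizens of other countries",
    "more than 250 data subjects", "more than 100,000 data subjects",
    "paper/microfilm/microfiche", "digital media (disks, CDs, servers)",
    "decisions with legal effect", "scattered over several sites",
    "accessed by outside users", "accessed from other parts of the world",
    "accessed by programs not ours", "must be accessible 24x7",
    "can be hosted at a service provider", "sub-second response time",
    "more than 50 people with access", "more than 250 people with access",
    "high risk of natural calamity", "attractive target for hackers/ID thieves",
    "must stay on-premise",
)

def stage1_next_stage(answers: Dict[str, str]) -> int:
    """Stage 1: any Yes means a full PIA (Stage 2); all No goes to Stage 3."""
    norm = [a.strip().lower() for a in answers.values()]
    if any(a not in ("yes", "no") for a in norm):
        raise ValueError("screening answers must be Yes or No")
    return 2 if "yes" in norm else 3

def technical_risk(answers: Dict[str, str]) -> Tuple[int, str]:
    """Return (total, band); 'D' (not sure) scores like 'T': unknown counts as risk."""
    unknown = set(answers) - set(TECH_STATEMENTS)
    if unknown:  # a misspelled statement would otherwise silently score 0
        raise ValueError(f"not on the questionnaire: {sorted(unknown)}")
    total = 0
    for stmt in TECH_STATEMENTS:  # statements left unanswered score 0 (as F)
        code = answers.get(stmt, "F").strip().upper()
        if code not in POINTS:
            raise ValueError(f"{stmt!r}: answer must be T, F or D, got {code!r}")
        total += POINTS[code]
    # Slide bands: 0-35 LOW, 40-70 MEDIUM, above 70 HIGH (36-39 is unreachable).
    band = "LOW" if total <= 35 else "MEDIUM" if total <= 70 else "HIGH"
    return total, band

# Constructed answers for Case Study A (paper forms, ~100 families, shared with DOH).
CASE_A_TECH = {
    "Filipino nationals": "T", "paper/microfilm/microfiche": "T",
    "decisions with legal effect": "T", "accessed by outside users": "T",
    "attractive target for hackers/ID thieves": "T", "must stay on-premise": "T",
    "more than 250 data subjects": "D", "high risk of natural calamity": "D",
}
CASE_A_SCREENING = {"1.1": "Yes", "1.2": "Yes", "1.3": "Yes", "1.6": "Yes", "1.7": "Yes", "1.8": "No"}
```

With six T and two D answers the vaccination case scores 40, the bottom of the MEDIUM band; the two "not sure" items alone are what lift it out of LOW, which is the point of scoring D like T.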
DPO: As your DPO, I would like to support this process. However, allow me to ask the following questions:

• Is there a way we can increase the benefits provided? If yes, how?
  Give additional services. Cost/Effort (H/M/L): M
• Is there a way we can collect less data and thus reduce the exposure level?
  Another method to prove residency. Cost/Effort (H/M/L): L
• How can we reduce the privacy risks related to someone unauthorized getting this data?
  Locked filing cabinet. Cost/Effort (H/M/L): L
• How can we reduce the privacy risks related to someone altering or changing the data?
  Backup copy to refer to in case of doubt. Cost/Effort (H/M/L): M
• How can we reduce the privacy risks related to the data suddenly becoming inaccessible?
  Backup copy in case original is lost. Cost/Effort (H/M/L): M
• How can we reduce the privacy risks related to re-using the data for other purposes?
  Anonymize the data. Cost/Effort (H/M/L): M
MAYOR/CEO: As Mayor/CEO, allow me to summarize the discussion:

Given this process: Vaccination Program
With legal purpose: DoH Regulation
Providing this benefit (H/M/L): High (free vaccination)
Which collects this data: Proof of residency
With identity exposure level of (1-4): 4
Overall privacy risk (H/M/L): High
Technical risk (H/M/L): Medium
Controls Complexity (H/M/L): Medium
Overall Assessment: ACCEPTABLE
Stage 3: Final Report and Sign Off
Identified Risks, Agreed Actions and Sign Off Form.

Form columns: Privacy Issue | Risk to Individuals | Compliance Risk | Corporate Risk
What are the key privacy issues and associated compliance and corporate risks? (Some Privacy Issues may have more than one type of risk, i.e. it may be a risk to individuals and a corporate risk.)

Form columns: Risk | Solution(s) | Result: Is the risk reduced, eliminated or accepted?
Describe the actions you could take to reduce the risk and any future steps which would be necessary (e.g. new guidance).

Form columns: Risk | Approved Solution | Solution Approved by
Describe the actions you could take to reduce the risk and any future steps which would be necessary (e.g. new guidance).

Form columns: Action to be taken | Date for completion | Responsibility for Action
What solutions need to be implemented?
SIGN OFF SHEET
Data Protection Officer (DPO)
Name
Job Title
Signature
Date

Process Owner
Name
Job Title
Signature
Date
Summary
• This is not the OFFICIAL way to do a PIA or PbD. There are
many ways to do a PIA, such as a workshop, a workflow, a
survey, an interview. (See ISO 29134)
• This SIMULATION is meant to show the ROLES that need to be
included in a PIA, the CONCEPTS which must be considered,
and the essential ELEMENTS.
• PIAs submitted to the NPC will be reviewed for: stakeholder
involvement, thoroughness of risk analysis, and completeness
of controls framework.
• After six months, we will also review the status of controls
implementation, as well as the results of a breach drill for the
process.
Thank you! Any questions?