Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

i. INSTRUCTIONS

a) Provide all necessary information in this form. Indicate “NA” for the fields that are not applicable. Do not leave any
field blank.

i) Ensure to complete Section I: Program, Project, Process, Measure, System or Technology (PPPMST)
Summary and Section II: Threshold Analysis.

ii) If there is no personal data exposure based on your answers in Section II, no need to accomplish Sections III-
XI. Sign and submit this form (See item d below).

iii) If there is personal data exposure based on your answers in Section II, accomplish all succeeding Sections.
Sign and submit this form (See item d below).

b) Attach data flow diagram / data map to illustrate flow of personal data in the data processing operation covered
by this privacy impact assessment (PIA).

c) To facilitate the review of the PIA, attach or email all relevant documents such, but not limited to, the following:
• Project charter
• Draft contract
• Presentation materials about the PPPMST

d) After completing this form, submit / email to the following:

• Data Protection Officer (DPO) at Email
• Compliance Officer for Privacy (COP); cc DPO at Email

ii. DEFINITION OF TERMS

• Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed.
• De-identification of Personal Data – refers to the process of removing any personal information from a record or
data set, those information that identifies an individual, or for which there is a reasonable expectation that the
information could be used, either alone or with other information, to identify an individual
• External Party – refers to all individuals and organizations – including, but not limited to subsidiaries, affiliates,
contractors, suppliers, vendors and service providers, that are not within the Company.
• Internal Party – includes all individuals, business units or groups that are within the Company.
• Natural Individual – a person (in legal meaning, one who has his own legal personality) that is an individual human
being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental
organization) or public (i.e., government) organization.
• Personal Data – refers to all types of personal information.
• Personal Information – refers to any information, whether recorded in a material form or not, from which the identity
of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify an individual.
• Personal Information Controller (PIC) – refers to a natural or juridical person, or any other body who controls the
processing of personal data, or instructs another to process personal data on its behalf. The terms excludes (i) a
natural or juridical person, or any other body, who performs such functions as instructed by another person or

Page 1 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

organization; or (ii) a natural person who processes personal data in connection with his personal, family, or
household affairs.
• Personal Information Processor (PIP) – refers to any natural or juridical person or any other body to whom a
personal information controller may outsource or instruct the processing of personal data pertaining to a data
subject.
• PPPMST - Program, Project, Process, Measure, System or Technology
• Privacy Impact Assessment - is a process undertaken and used to evaluate and manage impacts on privacy of a
particular program, project, process, measure, system or technology product of a PIC or PIP program, project,
process, measure, system or technology product of a PIC or PIP. It takes into account the nature of the personal
data to be protected, the personal data flow, the risks to privacy and security posed by the processing, current
data privacy best practices, the cost of security implementation, and, where applicable, the size of the
organization, its resources, and the complexity of its operations.
• Sensitive Personal Information – refers to personal information about an individual’s race, ethnic origin, marital
status, age, color, and religious, philosophical or political affiliations; about an individual’s health, education,
genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
issued by government agencies peculiar to an individual which includes, but is not limited to, social security
numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
and specifically established by an executive order or an act of Congress to be kept classified.
• Unique Identifier – may refer to a numeric or alphanumeric string that provides the capability to uniquely identify
a wide variety of items. For example, an employee number matched with a corresponding unique employee is
considered as a unique identifier.

Page 2 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

I. PPPMST SUMMARY

If the following information is available in the project charter, draft contract, or other materials that you have submitted
together with the PIA Form, no need to fill up the table below. In each field, just indicate the reference document/s.

PIA Reference Number

Name of Program, Project,

Process, Measure, System or
Technology (PPPMST)

Project Manager / Department

Manager / Group Head

Date of PPPMST

Objective of the PPPMST

Any other PPPMST (if any) of

which it is a part of? Specify
the name of the PPPMST.

Has a PIA been completed

and submitted for the related
PPPMST?

Name of Third Party Vendor/s

(if applicable)

Internal Stakeholders (groups

that can affect or be affected
by the PPPMST)

External Stakeholders (third

parties that can affect or be
affected by the PPPMST)

Page 3 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

II. THRESHOLD ANALYSIS

Mark “X” in the appropriate box. If you answer yes to any of the questions below, complete all succeeding Sections
of this form. If you answer No to all of the questions below, sign and submit this form.

Item
Question Yes No N/A Remarks
No.
1 Will the data processing operation involve the ☐ ☐ ☐
collection of personal data about natural individuals?

If Yes, specify from whom personal data will be

collected (e.g. COMPANY management and
employees, separated members of the COMPANY
management and employees, third party vendors,
former vendors, customers, etc.).

If YES to item #1 above, is the personal data about ☐ ☐ ☐

individuals sensitive in nature and likely to raise
privacy concerns (e.g. health records, criminal
records or other information people would consider
particularly private)?

2 Are you using information about individuals for a ☐ ☐ ☐

purpose it is not currently used for, or in a way it is
not currently used?

3 Will the data processing operation require you to ☐ ☐ ☐

contact individuals in ways which they may find
intrusive?

4 Will information about individuals be disclosed to ☐ ☐ ☐

organizations or people who have not previously had
access to the information?

5 Does the data processing operation involve using ☐ ☐ ☐

new technology which might be perceived as being
privacy intrusive (e.g. biometrics or facial recognition,
etc.)?

6 Will the data processing operation result in you ☐ ☐ ☐

making decisions or taking action against individuals
in ways which can have a significant impact on
them?

Page 4 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

III. INVENTORY OF PERSONAL DATA

Mark “X” in the appropriate box for the personal data that the PPPMST will collect, use, store, retain, disclose, and/or
dispose.

Item
Personal Data Yes No
No.
1 Name
2 Business Address
3 Home Address
4 Email Address – Business
5 Email Address – Personal
6 Telephone No. – Business
7 Telephone No. – Home
8 Age
9 Date of Birth
10 Marital Status
11 Color, Race, or Ethnic Origin
12 Religion
13 Education
14 Photo
15 Biometrics
16 Political Association
17 Philosophical Beliefs
18 Health Records (previous or current)
19 Sexual life / preference / practice
20 Offence committed or alleged to have been committed, the disposal of such
proceedings, or the sentence of any court in such proceedings
21 Document issued by government agencies peculiar to an individual:
• Unique identifiers (e.g. TIN, UMID ID number, driver's license number, passport
number, GSIS/SSS number, voter's registration number, etc.)
• Licenses or its denials, suspension, or revocation
• Tax returns
22 Document/Information specifically established by an executive order or an act of
Congress to be kept classified
23 Others ( indicate below as many as will be collected, used, stored, retained,
disclosed, and/or disposed):
• (Add as many as will be collected.)

Page 5 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

IV. COLLECTION OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. Do not leave any item blank.

Item
Question Answer
No.
1 From whom will the personal information and/or
sensitive personal information be collected?

Is the collection of personal data directly from the

individual or from other sources?

Specify.

2 Who collected or will be collecting the personal

information and/or sensitive personal
information?

3 How will the personal information/sensitive

personal information be collected?

4 What is the purpose of collecting the personal

information/sensitive personal information?

Notes:
• Purpose must not be contrary to law, morals,
or public policy.
• The processing of personal data must be
authorized by a specific law or regulation.
Specify applicable law or regulation.
• The collection of personal data must be for a
declared, specified, and legitimate purpose.
• Processing of personal data should be
adequate, relevant, suitable, necessary, and
not excessive in relation to a declared and
specified purpose.

5 Was or will consent be obtained? How?

Note:
• There must be express consent from the
individual.
• Consent should be time-bound in relation to
the declared, specified, and legitimate
purpose.

Page 6 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

Item
Question Answer
No.
6 Are the data subjects aware of the nature,
purpose, and extent of the processing of his
personal data, including the risks and safeguards
involved in the processing of his personal data?

Describe how they were made aware.

7 Are the data subjects aware of their rights as

data subjects and how these can be exercised?
Describe briefly.

Is there a process in which the Company can

serve the rights of the data subjects?

The rights of data subjects are as follows:

 Right to be informed
 Right to object
 Right to access
 Right to correct
 Right for erasure or blocking
 Right to file a complaint
 Right to damages
• Right to data portability

8 Are the data subjects aware of the identity of the

personal information controller (PIC) or the
organization/entity processing their personal
data?

Are the data subjects provided information about

how to contact the organization’s Data Protection
Officer (DPO)?

Describe how they were made aware.

9 Are the personal data anonymized or de-

identified?

Describe briefly.

Page 7 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

V. STORAGE OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. Do not leave any item blank.

Item
Question Answer
No.
1 Where is the personal data currently being
stored or where will it be stored?

In addition, is it being stored or will be stored in

other countries? If yes, specify.

2 Is the storage of personal data being or will be

outsourced?

If yes, specify to whom.

3 Is there a contract / agreement with the

outsourced party with the appropriate DPA
provisions?

Provide copy or indicate reference document/s.

VI. USAGE OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. Do not leave any item blank.

Item
Question Answer
No.
1 How will the personal data be used and what is
the purpose of their processing?

2 How will the accuracy and completeness of the

personal data be maintained?

3 Who is responsible for granting access to the

personal data and keeping it up-to-date?

4 What is the process for withdrawing access

rights when access is no longer needed (e.g. if
an employee leaves Company or moves to
another role for which access is no longer
required)?

Page 8 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

VII. RETENTION OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. do not leave any item blank.

Item
Question Answer
No.
1 How long are the personal data being retained?

2 What is the basis of the retention period (in item

#1 above)?

3 Are the personal data being retained by the

Company or the retention is being outsourced?

If outsourced, specify to whom.

4 Is there a contract with the outsourced party with

the appropriate DPA provisions?

Provide copy or indicate reference document/s.

VIII. DISCLOSURE / SHARING OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. do not leave any item blank.

Item
Question Answer
No.
1 Will the personal data be disclosed / shared with
internal and/or external parties?

If yes, answer the questions below.

2 What personal data are being transferred?

Specify.

3 To whom are the personal data being disclosed

to or shared with (internal and/or external)?

Specify.

4 Why are the personal data being

disclosed/shared with internal and/or external
parties?
Page 9 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

5 Will the personal data be used or disclosed to

internal and/or external parties only for legitimate
purposes (as specified in the consent form,
contract / agreement, etc.)?

6 Is there a contract / data sharing agreement (with

the appropriate DPA provisions) with the outside
party, to whom personal data will be disclosed /
shared with?

Provide copy or indicate reference document/s.

IX. DISPOSAL / DESTRUCTION OF PERSONAL DATA

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. do not leave any item blank.

Item
Question Answer
No.
1 How will the personal data be disposed?

2 Who will facilitate the destruction of the personal

data?

If a third party is involved, specify the name.

3 Is there a contract / agreement with the third

party with the appropriate DPA provisions?

Provide copy or indicate reference document/s.

4 Are there protocols / procedures to prevent

accidental or unauthorized destruction of files
generated by the data processing operation?

Specify.

5 Will the data processing operation take

reasonable steps to destroy or de-identify
personal data if they are no longer needed for
any purpose?

Describe briefly.

Page 10 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

X. DATA SECURITY

Provide your answers to all questions or indicate the reference document/s (Provide a copy of the reference
document/s). Indicate “NA” for the fields that are not applicable. do not leave any item blank.

Item
Question Answer
No.
1 Have you consulted IT / Information Security
(InfoSec) regarding the PPPMST?

Things to consider (not limited to the following):

• Regular testing and assessment of the
effectiveness of the information security
measures of the data processing operation
• Encryption of personal data while in transit or
at rest
• Interdependencies with other systems /
processes
• Security measures in place to ensure safe
transfer of personal data and prevent further
transfer or unauthorized transfer of personal
data

If No, justify why no consultation was performed.

2 Has IT / InfoSec cleared your PPPMST from an

information security perspective?

Attach relevant document/s (e.g. list of IT-related

items to be complied with, status, proof of
InfoSec’s clearance, etc.).

3 Who has access to the personal data?

Identify, including access rights provided.

4 Are there protocols / procedures to administer,

monitor and limit the personal data access
related to this PPPMST?

Describe briefly.

5 Are the duties and responsibilities of the

individuals, who will handle the processing of
personal data, clearly defined and documented?

Describe briefly.

Page 11 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

6 Are the users/staffs, who will process personal

data, under strict confidentiality if the personal
data are not intended for public disclosure?

7 Do you have protocols / procedures to restore

the availability and access to personal data when
an incident happens?

Describe briefly.

8 Has the PPPMST taken reasonable steps to

protect the personal data it holds from misuse,
loss, and from unauthorized access, modification
or disclosure?

Specify the controls in place or will be

implemented.

9 Is it possible to extract a personal profile should

there be a request to do so?

Describe briefly.

10 Will this data processing operation utilize

servers?

Where are the servers housed (e.g. Philippines,

US, etc.)?

11 Will the PPPMST transfer personal data to an

organization or person outside of the
Philippines?

Specify where.

12 What is the purpose of the transfer (e.g.

storage, additional access requirements,
etc.)?

13 Has the Company taken reasonable steps so

that the personal data transferred will be held,
used, and disclosed consistently with the
DPA?

Describe briefly.

Page 12 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

14 Is the recipient subject to laws or a contract

enforcing information handling principles
substantially similar to the DPA?

XI. PRIVACY RISK ASSESSMENT

Identify data privacy risks related to the potential of an incident to result in harm or danger to a data subject (whether
employees or third parties) and/or the Company. Data privacy risks are those that could lead to the unauthorized
collection, use, disclosure or access of personal data. It includes risks that the confidentiality, integrity and availability
of personal data will not be maintained, or the risk that processing will violate the rights of data subjects or the privacy
principles (transparency, legitimacy and proportionality). Consequently, the data privacy risks may negatively impact
the Company’s reputation and may result to financial losses.

A. Impact Criteria

Impact
Rating Types Description
A small minority of data subjects will be affected or may encounter a
1 Low
few inconvenience that is acceptable to the data subject
A subset of data subject will be affected or may encounter significant
2 Moderate
inconveniences.
Affects all or majority of data subjects will be affected or may
encounter that could result to discrimination, identity theft or fraud,
3 High
reputational damage public shaming, or any other significant
economic or social disadvantage

B. Likelihood Criteria

Likelihood
Rating Types Description
Not expected, but there is a slight possibility it may occur at some
1 Low
time but inaction will result to eventual data leakage.
Casual occurrence or it might happen at some time since the threat
2 Moderate
source is not significantly motivated
Frequent occurrence or there is a strong possibility that it might
3 High occur. High leakage potential or non-compliance with required
organization-wide controls.

Page 13 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

C. Risk Summary
Summarize your risk assessment in the table below using the Impact Criteria in Item XI-A and Likelihood Criteria in Item XI-B. To get the risk rating: Risk =
Impact x Likelihood. Add additional rows as necessary.

Current State (i) Current Target State (ii) Target

Risk Description Risk Risk Treatment Plan Risk
Impact Likelihood Impact Likelihood
Level Level

(i) Considering existing controls/mitigating measures that are already implemented

(ii) Considering planned controls/mitigating measures that will be implemented

Page 14 of 15
 Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

XII. SUMMARY OF ACTION ITEMS

The table below shall be accomplished by the DPO and/or COP, and/or relevant subject matter resources (SMRs).
Add additional rows as necessary.

Status
Target (Completed; Work
Ref# Recommended action item/s Responsible
Completion in Progress; Not
yet Started)
1
2
3
4
5

Prepared by: Date:

Reviewed by: Date:

<Data Protection Officer / Compliance Officer for Privacy>

Approved by: Date:

<Project Manager / Group Head>

Page 15 of 15