What is Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is a process used to assess and manage privacy impacts in planned or existing systems, technology, programs, processes or activities. It is a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system. A PIA states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected and how it will be shared.
The NPC issued NPC Circular 16-03 on Personal Data Breach Management, which outlines the need to conduct a PIA as a way to prevent or reduce the occurrence of personal data breaches in organizations.
Objectives of PIA
The conduct of a Privacy Impact Assessment is intended to:
- Identify, evaluate and mitigate the risks associated with the processing of personal data.
- Assist the Personal Information Controllers (PIC) and Personal Information Processors (PIP) in preparing records of the processing activities.
- Aid PIC and PIP in maintaining the privacy management program.
- Promote compliance by the PIC or PIP with the DPA, its IRR, and other applicable issuances of the National Privacy Commission.
- Assist the PIC or PIP in addressing privacy risks by allowing it to establish a control framework.
Why do we need to conduct a PIA?
The results of the Privacy Impact Assessment need to be properly documented. The results of a PIA should then be communicated to the stakeholders via a written report.
How to conduct a PIA?
NPC Advisory No. 2017-03 does not require a specific standard or format for conducting a PIA. The PIC or PIP may use any existing reporting system as long as the report contains a systematic description of its personal data flow and processing activities, identifies and assesses the risks posed by the system to the rights of affected data subjects, recommends measures to address these risks, and ensures the involvement of all interested parties.
To aid an organization, here are some of the references and methodologies it can use to conduct a Privacy Impact Assessment.
PIA Methodologies:
- Audit
- Interview
- Survey
- Workshop
PIA References
Here are a few sets of regulations or standards that can help an organization perform a PIA. These standards can also aid it throughout its data protection program initiatives.
1. ISO/IEC 29134:2017: Information technology — Security techniques — Guidelines for privacy impact assessment
It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. This standard is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.
2. ISO 31000 – Risk Management
A structured risk assessment process as part of your privacy impact assessment is a vital first step towards RA 10173 compliance. Evaluating risks can help you identify potential threats and vulnerabilities in your organization’s systems or processes and in how you hold personal data. The aim is to reduce risk to an acceptable level by mitigating the privacy risks.
3. ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
Security Requirements (Annex A controls relevant to a PIA):
- A.9 Access Control
- A.10 Cryptography
- A.12.6 Technical Vulnerability Management
- A.16 Information Security Incident Management
- A.18 Compliance
- A.18.1.4 Privacy and protection of personally identifiable information
4. ISO/IEC 29101:2013: Information technology — Security techniques — Privacy architecture framework
This standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
5. PCI DSS — Payment Card Industry Data Security Standard
Both the PCI DSS and the Data Privacy Act (DPA) aim to ensure organizations secure personal data. PCI DSS focuses on payment card and cardholder data, while DPA focuses on protecting personal data.
About the Author:
Sarah Vasquez is an experienced ISMS and Data Privacy Practitioner with comprehensive knowledge and extensive expertise gained in both multinational semiconductor manufacturing and information and communications technology industries. She currently holds the lead role in ECC International’s IT Excellence domain.
Know more about her here: https://www.linkedin.com/in/sarahrvasquez/