Fostering a culture of privacy through the conduct of Privacy Impact Assessments
In many, if not all, organizations, a new project or policy is normally preceded by a series of studies and consultations before actual implementation. These studies are conducted for the purpose of determining the project or policy’s feasibility, financial bearing, sustainability, and cumulative impact both in the short and long run.
Lately, however, with the advent of privacy laws and the necessity of securing the vast troves of personal information routinely accumulated, used, and stored by organizations, it has become imperative for new projects and policies to be subjected to another type of study known as the Privacy Impact Assessment or simply PIA.
The National Privacy Commission (through its Compliance and Monitoring Division) defines the PIA as “a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system.” It seeks to identify “whether the personal data being collected complies with the legal requirements of the Data Privacy Act; the risks and effects of collecting, maintaining, and disseminating Personally Identifiable Information (PII); protections and processes for handling information to alleviate any potential privacy risks; and options and methods for individuals to provide consent for the collection of their PII.”
Mandatory security measure
It is important to note that although the conduct of a PIA is not prescribed anywhere in the Data Privacy Act of 2012, the NPC expects each Personal Information Controller (PIC) or Personal Information Processor (PIP) to produce a Privacy Manual which shall mandate the PIC or PIP to, among others, conduct a PIA “relative to all activities, projects, and systems involving the processing of personal data.” In its Guide to Creating a Privacy Manual, the NPC considers the conduct of a PIA as a mandatory security measure which may be carried out either by the organization itself or by a third party outsourced for the purpose.
The necessity of a PIA applies to any project or policy that deals with PII. For illustration, the UK’s Information Commissioner’s Office lists some of the projects that might require a PIA, including, among others, a data-sharing initiative, a new IT system for storing and accessing personal data, a new surveillance system, and a new database system.
There is no particular way of doing a PIA. In fact, organizations are free to design their PIAs in a way that would suit their individual needs, as well as address specific metrics and other niche concerns. Some of the ways a PIA may be conducted may be through a workshop, a survey, or even an interview.
Data privacy analysis and stakeholder engagement
For convenience, however, the NPC has issued a draft PIA template that may be used by organizations in conducting their own PIAs. The draft template, which can be downloaded from the NPC website, is divided into six parts, namely: (a) General Description, which identifies the name of the organization, proposed project, description of program, and the process or measure involving personal data; (b) Threshold Analysis, which identifies the personal information that is currently or will be used in the project; (c) Stakeholder Engagement, which identifies all project stakeholders that can affect, be affected by, or perceive themselves to be affected by a decision or activity; (d) Data Privacy Analysis, which highlights the information flow of the project and compliance with information privacy principles; (e) Privacy Risk Management, which identifies threats and vulnerabilities in order to properly manage risks; and (f) Summary of Assessment and Sign Off, which presents a summary or overview of the most significant findings.
The conduct of the PIA does not end with the sign off, organizations must submit their PIAs to the NPC for review. The NPC utilizes metrics, such as stakeholder involvement, thoroughness of risk analysis, and completeness of controls framework in assessing PIAs submitted to it. Six months after the submission of PIAs, the NPC may review the status of controls implementation, as well as the results of a breach drill for the process.
In sum, the conduct of a PIA in reviewing new projects or policies involving PII is a step towards creating a more privacy-conscious environment. By developing initiatives geared toward adherence to privacy laws and respect for privacy rights of individuals even before the implementation of any new project or policy, a culture of privacy is slowly but surely fostered down the line.
