PRIVACY RISK ASSESSMENT
Philippine Data Guardians
SECTION I
General Description
Provide basic information about the project or system being assessed for privacy impact.
SECTION II
Threshold Analysis
Determine whether a full PIA is required. Answer each question and provide rationale.
2.1
Does the project involve the collection, use, or disclosure of personal information?
2.2
Does the project involve new technology or a significant change to existing systems that handle personal data?
2.3
Does the project process sensitive categories of personal data (health, biometrics, financial, religious beliefs, etc.)?
2.4
Does the project involve sharing personal data with third parties (including cloud providers or contractors)?
2.5
Does the project involve transferring personal data outside the country or across jurisdictions?
2.6
Does the project involve automated decision-making, profiling, or use of AI/ML on personal data?
2.7
Is there a risk that the project could result in unauthorized access, data breach, or misuse of personal data?
2.8
Does the project involve data about minors, vulnerable persons, or other protected groups?
Answer all questions above; the PIA requirement determination is derived from those answers and recorded here.
SECTION III
Full PIA Questionnaire
Complete all subsections A–G. Indicate "N/A" for fields not applicable. Do not leave any item blank.
3A
Personal Data Inventory
Tick every category of personal data that will be collected, used, stored, retained, disclosed, and/or disposed of, and add any items not listed. Leave a category unticked only if it does not apply.
3B
Purpose Specification, Use Limitation & Legitimate Processing
B.1
For what purposes (primary and secondary) are the personal data collected and processed? Are these purposes different from those for which the data were originally collected? State the purpose of collection and whether it is aligned with the original purpose.
The purpose of data processing should be disclosed to data subjects. Processing should be for a legitimate purpose, proportionate to the specified purpose, and in line with the entity's privacy policy.
B.2
If sensitive personal data is processed, what is the purpose of such processing? Is the purpose of processing sensitive personal data in line with the entity's internal policy?
Processing of sensitive personal data should be in line with the entity's privacy policy.
B.3
What is the legitimate basis for processing the personal data? (Check all that apply)
B.4
Is it possible to fulfill the purposes of data processing with anonymized or pseudonymized data?
Information is anonymous when it does not relate to an identified or identifiable natural person. Pseudonymization means personal data can no longer be attributed to a specific data subject without additional information, and that additional information is kept separately under its own access controls. Pseudonymized data remain personal data; only truly anonymized data fall outside the scope of the assessment.
B.5
Are all personal data ticked above necessary for the indicated purpose? Or is it possible to use less data while still achieving the same purpose?
Personal data processed should not be excessive in relation to the intended purpose.
3C
Storage, Retention & Disposal
C.1
Where is personal data currently stored, or where will it be stored? If data are stored outside the country, specify the location and the provider.
Storage of personal data should adhere to the entity's privacy policy.
C.2
How long will data be retained? Is there a process in place to monitor the retention of data across all relevant containers, including third parties?
Retention period should be in line with the entity's retention policy.
C.3
Describe the process of disposing of data across all containers. Specify parties (internal and external) involved and manner of disposal (e.g., anonymization, physical destruction, electronic destruction).
Disposal of personal data should be secure and should adhere to the entity's privacy policy.
3D
Sharing & Disclosure
D.1
To whom (internal, external, within the agency group) will the personal data be shared? Describe the role of the parties in the processing of personal data.
Disclosure of personal data should adhere to the entity's privacy policy.
D.2
How will the personal data be shared with these parties? Describe the channel (e.g., API, file transfer, portal, physical media) and the protection applied in transit and at rest.
D.3
Is there a written agreement in place between the parties which complies with the internal privacy policy?
Written agreements should contain the requirements set by the National Privacy Commission (NPC). Indicate "N/A" if not applicable.
D.4
Will the personal data be sold to third parties? If yes, explain why.
D.5
For disclosure outside the country, were the data privacy law requirements considered prior to disclosure? Describe how they were addressed.
3E
Automated Decision-Making & Profiling
E.1
Will the collected personal data be processed in an automated manner to evaluate certain personal aspects relating to an individual? Please describe.
Processes involving automated decision-making should be reported to NPC through the registration process.
E.2
Will decisions be made solely on the basis of the automated tool's output, without human review?
If data processing does not involve automated decision-making, answer "N/A".
E.3
Which condition(s) applies to the use of automated tool(s)? (Check all that apply)
E.4
Are suitable measures taken to safeguard the legitimate interest of the individual? Please describe.
Describe how the system safeguards the legitimate interest of an individual, particularly where the data subject is a child.
3F
Transparency & Rights
F.1
Are the following details communicated using clear and plain language to the data subjects prior to collection? (Check all that apply)
Note: check the TOR, and whether a Privacy Notice is presented, before the app is used.
F.2
Is the personal data directly or indirectly obtained from the data subject? Describe the manner of collection. If indirectly, have the details above been communicated to the data subjects accordingly?
F.3
Is there a process in place for data subjects to exercise their rights? If yes, describe how. If none, explain why.
F.4
If a data subject requests access and/or correction of his/her data, how will this be addressed, and can this be implemented across all data containers?
F.5
If a data subject withdraws consent, objects to certain processing, or requests for erasure of his/her data, how will this be addressed, and can this be implemented across all data containers?
3G
Technical & Organizational Measures
G.1
Are there internal policies or organizational measures that govern the processing of data? Please indicate and describe their consistency with data processing activities.
G.2
Do the IT applications involved in the process adhere to the entity's IT / InfoSec policy? Please indicate.
G.3
Who is the individual responsible for granting access (physical and logical) to the personal data?
G.4
Who has physical and/or logical access to the personal data? Identify each person or role and the access rights granted to each.
G.5
For physical data, are there physical measures in place to protect data from unauthorized access or accidental loss? Please describe.
G.6
Are there measures in place to detect and respond to a personal data breach or incident (e.g., access logging, monitoring, alerting)?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
G.7
Is there a breach or incident response process? Who should be contacted, and what is the subsequent notification process to data subjects, if applicable?
SECTION IV
Privacy Risk Assessment
For each observation, enter the inherent risk scores (before treatment) and the residual risk scores (after treatment). Ratings are calculated automatically. Add rows as needed. Residual scores should not exceed inherent scores; if they do, the treatment plan is not reducing the risk and should be revisited.
RATING SCALE
LOW: score 1–5
MEDIUM: score 6–14
HIGH: score 15–25
Inherent Risk Rating = Likelihood (Inherent) × Impact (Inherent)
Residual Risk Rating = Likelihood (Residual) × Impact (Residual)
Likelihood and Impact are each scored 1–5, so a rating ranges from 1 to 25.

| # | Observation | Risk | Inherent Likelihood (1–5) | Inherent Impact (1–5) | Inherent Rating | Risk Treatment Plan | Residual Likelihood (1–5) | Residual Impact (1–5) | Residual Rating |
|---|---|---|---|---|---|---|---|---|---|
|   |   |   |   |   |   |   |   |   |   |

4B
Overall Risk Profile
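The scoring in Section IV is simple enough to automate, and automating it removes the two common spreadsheet mistakes: a blank or out-of-range cell scoring as LOW, and a "treatment plan" whose residual rating is no lower than the inherent one. The following is an added example written for this page, not a tool of Philippine Data Guardians or the NPC. It implements the form's Likelihood × Impact formula and the LOW/MEDIUM/HIGH bands exactly as printed above; the `Observation` class, the sample register and the "Overall Risk Profile" definition (highest residual band plus a count per band) are assumptions, since the form does not define how the overall profile is derived.

```python
from dataclasses import dataclass

# Rating scale as printed on the form: score = Likelihood x Impact, each 1-5, so 1-25.
RATING_BANDS = (
    ("LOW", 1, 5),
    ("MEDIUM", 6, 14),
    ("HIGH", 15, 25),
)


def validate_component(name: str, value: int) -> int:
    """Likelihood and impact must be integers in 1-5. Rejecting anything else
    stops a blank or mistyped cell from silently scoring as LOW."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Rating score = Likelihood x Impact."""
    return validate_component("likelihood", likelihood) * validate_component("impact", impact)


def risk_band(score: int) -> str:
    """Map a 1-25 score onto the LOW / MEDIUM / HIGH bands of the form."""
    for band, low, high in RATING_BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"score {score} is outside the 1-25 scale")


@dataclass
class Observation:
    """One row of the Section IV register (field names are an assumption)."""
    number: int
    observation: str
    risk: str
    inherent_likelihood: int
    inherent_impact: int
    treatment_plan: str
    residual_likelihood: int
    residual_impact: int


def assess(obs: Observation) -> dict:
    """Compute inherent and residual ratings for one row and flag a treatment
    plan that leaves residual risk no lower than inherent risk."""
    inherent = risk_score(obs.inherent_likelihood, obs.inherent_impact)
    residual = risk_score(obs.residual_likelihood, obs.residual_impact)
    return {
        "number": obs.number,
        "inherent_score": inherent,
        "inherent_rating": risk_band(inherent),
        "residual_score": residual,
        "residual_rating": risk_band(residual),
        # A treatment plan that does not lower the score is not a treatment.
        "treatment_effective": residual < inherent,
    }


def overall_risk_profile(rows) -> dict:
    """Assumed definition of the Overall Risk Profile (the form leaves it
    undefined): the highest residual band in the register plus a count per band."""
    results = [assess(r) for r in rows]
    order = [band for band, _, _ in RATING_BANDS]
    counts = {band: 0 for band in order}
    for res in results:
        counts[res["residual_rating"]] += 1
    highest = max((r["residual_rating"] for r in results), key=order.index, default="LOW")
    return {"overall": highest, "counts": counts, "rows": results}


# Constructed sample register; not taken from any real assessment.
SAMPLE_REGISTER = [
    Observation(1, "Applicant health records on a shared file server with no access logging",
                "Unauthorized disclosure of sensitive personal data", 4, 5,
                "Move records to an access-controlled repository with audit logging; "
                "restrict access to the records officer", 2, 5),
    Observation(2, "Marketing partner receives a full customer extract including birthdates",
                "Excessive disclosure to a third party", 3, 3,
                "Share only the fields named in the data sharing agreement; drop birthdates", 2, 2),
    Observation(3, "Backups retained indefinitely",
                "Retention beyond the stated purpose", 2, 2,
                "Document the retention period only; no technical change", 2, 2),
]

if __name__ == "__main__":
    profile = overall_risk_profile(SAMPLE_REGISTER)
    for row in profile["rows"]:
        print(row)
    print("Overall residual profile:", profile["overall"], profile["counts"])
```

Row 3 in the sample is the case worth catching: the treatment plan is documentation only, so the residual score equals the inherent score and `treatment_effective` comes back false, which is the reviewer's cue to send the row back.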