What is a Privacy Impact Assessment or PIA? It is a tool used to identify the potential risks to an individual’s privacy arising from personal or sensitive personal information held in the agency’s systems, technology, programs, processes or activities.
The PIA shall serve as a guide for organizations and it is through this process that organizations can identify various privacy risks and how to address them. Each organization must ensure that potential privacy risks are identified and properly mitigated.
The conduct and structure of a PIA will always depend on the complexity and intrinsic nature of the organization’s functions in relation to the projects the organization is undertaking or plans to undertake that involve personal and sensitive personal information.
The benefits that organizations may achieve in conducting a PIA may include:
The National Privacy Commission promotes the conduct of a PIA through its Memorandum Circulars 2016-01 on Security of Personal Data in Government Agencies and 2016-03 on Personal Data Breach Management.
PIAs should be administered to every processing system of the organization that deals with personal information and sensitive personal information. Once an effective and thorough PIA has been administered, it becomes easier to identify possible privacy breaches in projects, programs or systems set up within the various departments.
The Data Protection Officer in every organization should take the lead in pushing for the administration of the PIA as soon as possible. Depending on the complexity of the organization, the organization may opt to hire an external consultant to conduct its PIA. The DPO of the organization may be consulted on the results of the PIA and may raise his or her suggestions on how to mitigate or eliminate the risks identified as a result.