i. INSTRUCTION
a. Complete this form when performing an overall privacy impact assessment of identified Program, Project,
Process, Measure, System or Technology (PPPMST). All fields must be accomplished, unless not
applicable. Provide all the necessary information or indicate “N/A” if not applicable.
i) Ensure that you complete Section I: Program, Project, Process, Measure, System or Technology (PPPMST)
Summary and Section II: Threshold Analysis.
ii) If there is no personal data exposure based on your answers in Section II, no need to accomplish Sections
III-XI. Sign and submit this form (See item d below).
iii) If there is personal data exposure based on your answers in Section II, accomplish all succeeding
Sections. Sign and submit this form (See item d below).
b. Attach data flow diagram/ data map to illustrate flow of personal data in the data processing operation
covered by this privacy impact assessment (PIA).
c. To facilitate the review of the PIA, attach or email all relevant documents such as, but not limited to, the following:
Project charter
Contract
Presentation materials about the PPPMST
d. After completing this form, submit/ email to the following:
Data Protection Officer (DPO) at Email
Compliance Officer for Privacy (COP) at Email; cc DPO at Email
Page 1 of 16
DATA PRIVACY MANUAL
• Personal Information Controller (PIC) – refers to a natural or juridical person, or any other body who controls
the processing of personal data, or instructs another to process personal data on its behalf. The term
excludes (i) a natural or juridical person, or any other body, who performs such functions as instructed by
another person or organization; or (ii) a natural person who processes personal data in connection with his
personal, family, or household affairs.
• Personal Information Processor (PIP) – refers to any natural or juridical person or any other body to whom a
personal information controller may outsource or instruct the processing of personal data pertaining to a data
subject.
• PPPMST - Program, Project, Process, Measure, System or Technology
• Privacy Impact Assessment - is a process undertaken and used to evaluate and manage impacts on privacy
of a particular program, project, process, measure, system or technology product of a PIC or PIP. It takes
into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and
security posed by the processing, current data privacy best practices, the cost of security implementation,
and, where applicable, the size of the organization, its resources, and the complexity of its operations.
• Sensitive Personal Information – refers to personal information about an individual’s race, ethnic origin,
marital status, age, color, and religious, philosophical or political affiliations; about an individual’s health,
education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to
have been committed by such individual, the disposal of such proceedings, or the sentence of any court in
such proceedings; issued by government agencies peculiar to an individual which includes, but is not limited
to, social security numbers, previous or current health records, licenses or its denials, suspension or
revocation, and tax returns; and specifically established by an executive order or an act of Congress to be
kept classified.
• Third Party – natural or legal person, public authority, agency or body, other than the data subject, the
controller, the processor and the persons who, under the direct authority of the controller or the processor,
are authorized to process the data.
• Unique Identifier – may refer to a numeric or alphanumeric string that provides the capability to uniquely
identify a wide variety of items. For example, an employee number matched with a corresponding unique
employee is considered as a unique identifier.
I. PPPMST SUMMARY
If the following information is available in the project charter, contract, or other materials that you have submitted
together with the PIA Form, no need to fill out the table below. In each field, just indicate the reference
document(s).
Name of Program, Project, Process, Measure, System or Technology (PPPMST):
Customer Credit Accreditation
[Reviewer comment NCGDL1: Change to Sales Process]

Objective of the PPPMST:
To perform customer credit accreditation processes and process sales transactions

Name of outsourced party(ies) and/or third party(ies) involved in the PPPMST (if applicable):
N/A
[Reviewer comment NCGDL2: Explain the relationship of TDI and their marketing arm. Also indicate that no information was being processed by TDI.]
Item 2
Question: Who collected or will be collecting the personal information and/or sensitive personal information?
Answer: The personal information and sensitive personal information are collected by the Sales Personnel.

Item 3
Question: How will the personal information/sensitive personal information be collected?
Answer: The personal information and sensitive personal information are collected through the Customer Credit Accreditation Form filled up by the customers.

Item 4
Question: What is the purpose of collecting the personal information/sensitive personal information?
Answer: Personal information and sensitive personal information are used to identify credit-worthy customers and process sales transactions.
Notes:
• Purpose must not be contrary to law, morals, or public policy.
• The collection of personal data must be for a declared, specified, and legitimate purpose.
• Collection of personal data should be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

Notes:
• There must be express consent from the individual.
Item 9
Question: Are the personal data anonymized or de-identified?
Answer: No, the collected information is attributed specifically to an individual.
V. STORAGE OF PERSONAL DATA
Provide your answers to all the questions below or cross-refer to relevant document(s) and include them as an
attachment to this form. Indicate “N/A” for the fields that are not applicable. Do not leave any item blank.

Item 1
Question: Where is the personal data currently being stored or where will it be stored?
Answer: The hardcopies of personal data are stored in a cabinet within the Sales Department, and the personal data encoded in File Maker is stored in the application itself.

Item 2
Question: Is it being stored or will it be stored in other countries? If yes, specify.
Answer: No, personal data is not and will not be stored in other countries.

Item 3
Question: Is the storage of personal data being or will it be outsourced?
Answer: No, the storage of personal data is not and will not be outsourced.
Item 3
Question: Who is responsible for granting access to the personal data and keeping it up-to-date?
Answer: Sales Personnel are responsible for granting access to the personal data and keeping it up-to-date.
Briefly describe.
X. DATA SECURITY
Provide your answers to all the questions below or cross-refer to relevant document(s) and include them as an
attachment to this form. Indicate “N/A” for the fields that are not applicable. Do not leave any item blank.

Item 1
Question: Have you consulted IT and/or the Information Security Office regarding the PPPMST?
Answer: No

Item 3
Question: Who has physical and/or logical access to the personal data? Identify, including access rights provided.
Answer: The employees in the Purchasing Department have physical and/or logical access to the personal data.
Item 5
Question: Are the duties and responsibilities of the individuals who will handle the processing of personal data clearly defined and documented?
Answer: Duties and responsibilities of personnel involved in personal data processing are not documented.
Briefly describe.
Briefly describe.
Item 10
Question: Will this data processing operation utilize servers? Where are the servers housed (e.g., Philippines, US, etc.)? Describe briefly.
Answer: Yes, the servers are housed within the Philippines.
Privacy risk map (rows: Likelihood; columns: Impact). Only the Moderate and Low likelihood rows are recoverable from this page.

Likelihood \ Impact        Low        Moderate     High
Moderate                   Low        Moderate     High
Low                        Low        Low          Moderate

Likelihood definitions:
• Moderate – Casual occurrence, or it might happen at some time since the threat source is not significantly motivated.
• Low – Not expected, but there is a slight possibility it may occur at some time, and inaction will result in eventual data leakage.

Impact definitions:
• Low – A small minority of data subjects will be affected or may encounter a few minor and acceptable inconveniences.
• Moderate – A subset of data subjects will be affected or may encounter significant inconveniences.
• High – All or a majority of data subjects will be affected or may encounter harm that could result in discrimination, identity theft or fraud, reputational damage, public shaming, or any other significant economic or social disadvantage.
B. Risk Summary
Summarize your risk assessment in the table below using the criteria in Item XI-A. Use the privacy risk map to grade the risk(s) found during the PIA. To get the
risk rating: Risk = Impact x Likelihood.
(i) Considering existing controls/mitigating measures that are already implemented.
(ii) Considering planned controls/mitigating measures that will be implemented.