In the Republic of the Philippines, any security incident associated with a personal data breach in the information and communication system of a government agency or business enterprise raises the question of whether a security level assessment has been done and whether the information security measures listed and described in Rule VI of the implementing rules and regulations of R.A. 10173 have been applied.
Critical to data privacy management is the admission of the personal information controller, personal information processor and data protection officer on the measured security level of their organization’s information and communication system to protect information confidentiality, processing integrity, system reliability, user safety, and data privacy.
The National Privacy Commission is mandated by its own rules to monitor personal information controllers and processors in implementing the appropriate security measures or level of security (Section 29 of the implementing rules and regulations of R.A. 10173). This action is made visible by the reported registration of the information system by its personal information controller or processor, and by the submission of a privacy impact assessment report in the event that the said system is complained about by a data subject.
The mandated requirement for the personal information controller and processor to conduct a privacy impact assessment of their information and communication systems is specified in the following issuances of the National Privacy Commission:
1. NPC Advisory 2017-01
2. NPC Advisory 2017-03
3. NPC Circular 16-01
The determination, description, documentation, and demonstration of the information security level are reported by a legitimately conducted Privacy Impact Assessment (PIA). Hence, a government agency or business enterprise claiming compliance with R.A. 10173 demonstrates its capability by conducting a Privacy Impact Assessment based on an agreed threshold analysis for its requirements.
A legitimately conducted Privacy Impact Assessment (PIA) means that the measurement of the security level has observed the requirements, procedures, and metrics provided by regulatory guidance and by adopted international, community-driven standards on data privacy and information security risk management, namely:
1. NPC Advisory 2017-03
2. ISO 29134 - Privacy Impact Assessment Guidance
3. ISO 29151 - Privacy Security Controls
4. ISO 27005 - Information Security Risks
5. ISO 22307 - PIA Financial System
6. ISO 27701 - Privacy Information Security Management System
7. EU GDPR - General Data Protection Regulation
A government agency covered by E.O. 605 (2007) is certain to adopt international standards for a quality management system that complies with R.A. 10173.
The primary evidence of the capability of the personal information controller, personal information processor and data protection officer to lead, direct and control information confidentiality, processing integrity, system reliability, user safety and data privacy in the organization's information and communication system is their adopted and published privacy impact assessment methodology: the methodology by which they report the information security level, create security and privacy policies, and plan information security measures.
Privacy impact assessment is necessary to identify, analyze, evaluate, and mitigate the impact of the information and communication system on information confidentiality, processing integrity, system reliability, user safety, and data privacy as identified and elaborated by the rules and adopted standards in implementing the Data Privacy Act of 2012.
The critical indicators used to challenge and attest the privacy of personal data and the security of personal information in the information and communication system of a government agency or business enterprise are:
1. Information confidentiality
- Authentication
- Authorization
- Accountability
2. Processing integrity
- Accuracy
- Immediacy
- Legitimacy
3. Processing Availability
- Reliability
- Recoverability
- Continuity
4. User safety
- Alert
- Assistance
- Agreement
5. Data Privacy
- Privacy Rights
- Processing privacy principles
- Personal information security measures
A privacy impact assessment is done right the first time and every time when the following information, or meaningful facts, are determined, described, documented, and demonstrated:
1. Digital technology-enabled service delivery system context
2. Threshold Analysis
3. Risk stakeholders
4. Registry of information asset configuration
5. Security and privacy risk criteria
6. Threat modeler
7. Risk identification
8. Risk analysis
9. Risk evaluation
10. Risk report
11. Risk mitigation approach
12. Security measures implementation plan
13. Monitoring and evaluation plan
Basic governance principles in data privacy and information security management that require a privacy impact assessment:
1. Control is failed by “what” the governing body and executive management do not know
2. Assessment is failed by “what” the governing body and executive management do not measure
3. Operation is failed by “what” the governing body and executive management have not strategically acquired
4. Response is failed by “what” the governing body and executive management have not organized and made competent
5. Compliance is failed by “how” the governing body and executive management have identified, analyzed, mapped, and applied the published rules and adopted international standards of demonstrated agreement with privacy rights, privacy processing principles, and information security controls.
