To assess the potential impacts on privacy of the process, information system, program, software module, device or other initiative which processes personal information, the Cooperative Development Authority (CDA) conducted its Privacy Impact Assessment (PIA) on September 30 – October 1, 2024, held at Madison 101 Hotel, Quezon City.
The assessment was prompted by the Authority’s collection of personal information in the exercise of its developmental, registration and regulation, and quasi-judicial powers, functions, and responsibilities.
The assessment is pursuant to Sections 4, 5, and 6 of the National Privacy Commission’s (NPC) Circular 2016-01, which requires government agencies to conduct a PIA for each program, process, or measure within the agency that involves personal data. At the same time, Section 6 of NPC Circular 2016-03 recommends the conduct of said assessment as part of any organization’s security incident management policy.
Mr. Cleo R. Martinez, Information Technology Officer II, Compliance and Monitoring Division of the NPC, the Resource Person during the Data Privacy Awareness Training on August 9, 2024, also served as the Resource Person during the two-day assessment which consisted of a lecture on the first day and an actual workshop on the second day.
The lecture focused on understanding the importance of PIA for a Personal Information Controller (PIC) like the Authority which has multiple processes and learning how to conduct them effectively.
Afterward, an actual workshop was conducted, resulting in the assessment of some of the Authority’s key processes/systems, which include the Cooperative Assessment Information System (CAIS), Accreditation Facility Information System (AFIS), Electronic Cooperative Registration Information System (E-COOPRIS), and Annual Submission of Updated Personal Data Sheet.
With this assessment, the participants are expected to identify, assess, evaluate, and manage the risks represented by the processing of personal data in their respective offices; assist the Authority in preparing the records of its processing activities and in maintaining its privacy management program; facilitate compliance by the Authority with the Data Privacy Act (DPA), its IRR, and other applicable issuances of the NPC; and aid the Authority in addressing privacy risks by allowing it to establish a control framework.
A total of forty (40) participants attended the assessment, including the Data Protection Officer, the Compliance Officers for Privacy/CDA Lawyers, Data Focal Persons per division, and the PIA Secretariat.