Name of Project/System (PROGRAM): Assistance to Individuals in Crisis Situations (AICS)
I. Project/System Description
a. Description
- The Assistance to Individuals in Crisis Situation (AICS) is part of the DSWD's protective services for the poor, marginalized and vulnerable/disadvantaged individuals. The AICS has been implemented by the DSWD for decades, as part of its technical assistance and resource augmentation support to LGUs and other partners.
b. Scope of PIA: CRISIS INTERVENTION SYSTEM
II. Threshold Analysis
The following questions are intended to help you decide whether a PIA is necessary. Answering 'yes' to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.
a. Will the project or system involve the collection of new information about individuals?
[ ] No [/] Yes
b. Is the information about individuals sensitive in nature and likely to raise privacy concerns or expectations, e.g. health records, criminal records, or other information people would consider particularly private?
[ ] No [/] Yes
c. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
[/] No [ ] Yes
d. Will the initiative require you to contact individuals in ways which they may find intrusive?
[/] No [ ] Yes
e. Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
[ ] No [/] Yes
f. Does the initiative involve you using new technology which might be perceived as being privacy-intrusive (e.g. biometrics or facial recognition)?
[ ] No [/] Yes
g. Will the initiative result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
[ ] No [/] Yes
h. Were the personal data collected prior to August 2016?
[ ] No [/] Yes
III. Stakeholder(s) Engagement
State all project stakeholders consulted in conducting the PIA. Identify which part they were involved in. (Describe how stakeholders were engaged in the PIA process.)
Name | Role | Involvement | Inputs/Recommendations
CLIENTS | ASK FOR ASSISTANCE | DATA GATHERED | EXACT INFORMATION OF DATA
SECURITY GUARD | REVIEW THE GATHERED DATA | ASSESSMENT | APPROVAL
SOCIAL WORKER | INTERVIEWER/ASSESSMENT | DIRECT END USER/GATHERING DATA | CASE STUDY
HEAD OF THE SECTION/UNIT | SIGNATORY | SUPERVISION | APPROVAL
IV. Personal Data Flow
Collection: COLLECTION OF DATA THRU GENERAL INTAKE SHEET OF CLIENT (HARD COPY)
Storage: CRISIS INTERVENTION UNIT INFORMATION SYSTEM DATABASE
Retention: DSWD FIELD OFFICE, NPMO OFFICE
Disclosure/Sharing: COA
Disposal/Destruction:
V. Privacy Impact Analysis
Transparency | Yes | No | Not Applicable
1. Are data subjects aware of the nature, purpose, and extent of the processing of his or her personal data? /
2. Are data subjects aware of the risks and safeguards involved in the processing of his or her personal data? /
3. Are data subjects aware of his or her rights as a data subject and how these can be exercised? /
Below are the rights of the data subjects:
- Right to be informed
- Right to object
- Right to access
- Right to correct
- Right to erasure or blocking
- Right to file a complaint
- Right to damages
- Right to data portability
4. Is there a document available for public review that sets out the policies for the management of personal data? /
Please identify the document(s) and provide a link where available:
5. Are there steps in place to allow an individual to know what personal data it holds about them and the purpose of its collection, usage, and disclosure? /
6. Are the data subjects aware of the identity of the personal information controller or the organization/entity processing their personal data? /
7. Are the data subjects provided information about how to contact the organization's Data Protection Officer (DPO)? /
Legitimate Purpose | Yes | No | Not Applicable
1. Is the processing of personal data compatible with a declared and specified purpose which is not contrary to law, morals, or public policy? /
2. Is the processing of personal data authorized by a specific law or regulation, or by the individual through express consent? /
Proportionality | Yes | No | Not Applicable
1. Is the processing of personal data adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose? /
2. Is the processing of personal data necessary to fulfill the purpose of the processing, with no other means available? /
Collection | Yes | No | Not Applicable
1. Is the collection of personal data for a declared, specified, and legitimate purpose? /
2. Is individual consent secured prior to the collection and processing of personal data? /
If no, specify the reason:
3. Is consent time-bound in relation to the declared, specified, and legitimate purpose? /
4. Can consent be withdrawn? /
5. Are all the personal data collected necessary for the program? /
6. Are the personal data anonymized or de-identified? /
7. Is the collection of personal data directly from the individual? /
8. Is there authority for collecting personal data about the individual from other sources? /
9. Is it necessary to assign or collect a unique identifier to individuals to enable your organization to carry out the program? /
10. Is it necessary to collect a unique identifier of another agency (e.g. SSS number, PhilHealth, TIN, Pag-IBIG, etc.)? /
Use and Disclosure | Yes | No | Not Applicable
1. Will personal data only be used or disclosed for the primary purpose? /
2. Are the uses and disclosures of personal data for a secondary purpose authorized by law or the individual? /
Data Quality | Yes | No | Not Applicable
1. Please identify all steps taken to ensure that all data that is collected, used or disclosed will be accurate, complete and up to date: /
1.1 *Please identify all steps taken to ensure that all data that is collected, used or disclosed will be accurate, complete and up to date: /
1.2 *The system is regularly tested for accuracy /
1.3 *Periodic reviews of the information /
1.4 *A disposal schedule is in place that deletes information that is over the retention period /
1.5 *Staff are trained in the use of the tools and receive periodic updates /
1.6 *Reviews of audit trails are undertaken regularly /
1.7 *Independent oversight /
1.8 *Incidents are reviewed for lessons learnt and systems/processes updated appropriately /
1.9 *Others, please specify
Data Security | Yes | No | Not Applicable
1. Do you have appropriate and reasonable organizational, physical and technical security measures in place? /
Organizational measures refer to the system's environment, particularly to the individuals carrying them out. Implementing the organizational data protection policies aims to maintain the availability, integrity, and confidentiality of personal data against any accidental or unlawful processing (i.e. access control policy, employee training, surveillance, etc.).
Physical measures refer to the policies and procedures implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media (i.e. locks, backup protection, workstation protection, etc.).
Technical measures involve the technological aspect of security in protecting personal information (i.e. encryption, data center policies, data transfer policies, etc.).
*Have you appointed a data protection officer or compliance officer? /
*Are there any data protection and security measure policies in place? /
*Do you have an inventory of processing systems? Will you include this project/system? /
*Are the users/staff that will process personal data through this project/system under strict confidentiality if the personal data are not intended for public disclosure? /
*If the processing is delegated to a Personal Information Processor, have you reviewed the contract with the personal information processor? /
Physical Security | Yes | No | Not Applicable
*Are there policies and procedures to monitor and limit the access to this project/system? /
*Are the duties, responsibilities and schedule of the individuals that will handle the personal data processing clearly defined? /
*Do you have an inventory of processing systems? Will you include this project/system? /
Technical Security | Yes | No | Not Applicable
*Is there a security policy with respect to the processing of personal data? /
*Do you have policies and procedures to restore the availability of and access to personal data when an incident happens? /
*Do/Will you regularly test, assess and evaluate the effectiveness of the security measures of this project/system? /
2. Has the program taken reasonable steps to protect the personal data it holds from misuse and loss and from unauthorized access, modification or disclosure? /
3. If yes, which of the following has the program undertaken to protect personal data across the information lifecycle: /
3.1 *Identifying and understanding information types /
3.2 *Assessing and determining the value of the information /
3.3 *Identifying the security risks to the information /
3.4 *Applying security measures to protect the information /
3.5 *Managing the information risks /
Disposal | Yes | No | Not Applicable
1. The program will take reasonable steps to destroy or de-identify personal data if it is no longer needed for any purpose. /
If YES, please list the steps:
Cross-border Data Flows (optional) | Yes | No | Not Applicable
1. The program will transfer personal data to an organization or person outside of the Philippines. /
If YES, please describe:
2. Personal data will only be transferred to someone outside of the Philippines if any of the following apply: /
a. The individual consents to the transfer
b. The organization reasonably believes that the recipient is subject to laws or a contract enforcing information handling principles substantially similar to the DPA of 2012
c. The transfer is necessary for the performance of a contract between the individual and the organization
d. The transfer is necessary as part of a contract in the interest of the individual between the organization and a third party
e. The transfer is for the benefit of the individual
3. The organization has taken reasonable steps so that the information transferred will be stored, used, disclosed and otherwise processed consistently with the DPA of 2012. /
If YES, please describe:
VI. Privacy Risk Management
Ref # | Threats/Vulnerabilities | Impact (1 2 3 4) | Probability (1 2 3 4) | Risk Rating
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
*add additional rows if needed
VII. Recommended Privacy Solutions
Recommended Solutions (Please provide justification):
- ANTI VIRUS
- INSTALL FIREWALL
- SET UP A PRIVATE NETWORK
- CONDUCT NETWORK OR SYSTEM VULNERABILITY TEST
- NO DATA SHARING POLICY