PRIVACY IMPACT ASSESSMENT

* In compliance with the Data Privacy Act of 2012 *

I. Introduction
a. Purpose of the PIA: Explain the objectives of conducting a Privacy Impact Assessment in compliance with the Data Privacy Act of 2012 for the Catholic private school.
b. Scope of the PIA: Define the boundaries of the assessment, including the types of personal information considered and the school activities, processes, or systems reviewed.

II. School Overview
a. School Description: Provide an overview of the school, including its mission, size, demographics, and educational programs.
b. Data Subjects: Identify and describe the individuals whose data is collected, including students, parents, faculty, and staff.

III. Legal and Regulatory Framework
a. Data Privacy Act of 2012: Outline the key provisions of the Data Privacy Act of 2012 relevant to the school.
b. Other Applicable Laws and Regulations: List and describe any other relevant laws, regulations, and policies governing data privacy in the school context.
c. School Policies: Review the school's existing privacy and data protection policies and procedures in line with the Data Privacy Act.

IV. Data Collection and Use
a. Types of Personal Information Collected: Detail the specific types of personal information collected (e.g., names, addresses, health records, academic records, religious affiliation).
b. Data Collection Methods: Describe how personal information is collected (e.g., enrollment forms, online portals, health forms).
c. Purpose of Data Collection: Explain the purposes for which the data is collected and how it is used.

V. Data Processing Principles
a. Fairness and Transparency: Ensure data processing is done in a lawful, fair, and transparent manner.
b. Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes.
c. Data Minimization: Data collected should be adequate, relevant, and limited to what is necessary.
d. Accuracy: Personal data should be accurate and kept up to date.
e. Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
f. Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security.

VI. Data Storage and Security
a. Data Storage Methods: Describe where and how personal information is stored (e.g., electronic databases, paper files).
b. Security Measures: Outline the physical, technical, and administrative security measures in place to protect personal information (e.g., encryption, access controls, security training).

VII. Data Sharing and Disclosure
a. Internal Sharing: Identify who within the school has access to personal information and under what circumstances.
b. External Sharing: Detail any instances where personal information is shared with third parties (e.g., service providers, government agencies) and the safeguards in place to protect data during sharing.

VIII. Data Retention and Disposal
a. Retention Policies: Describe the policies and procedures for retaining personal information, including the duration of retention.
b. Disposal Methods: Explain how personal information is securely disposed of when it is no longer needed.

IX. Privacy Risks and Mitigation Strategies
a. Risk Identification: Identify potential privacy risks associated with the collection, storage, use, and sharing of personal information.
b. Risk Assessment: Assess the likelihood and impact of identified risks.
c. Mitigation Strategies: Propose measures to mitigate identified risks and enhance data protection (e.g., policy updates, additional training, enhanced security measures).

X. Rights of Data Subjects
a. Right to be Informed: Ensure data subjects are informed about the collection and use of their personal data.
b. Right to Access: Describe how data subjects can access their personal data.
c. Right to Rectification: Detail the process for data subjects to correct inaccurate personal data.
d. Right to Erasure: Explain the circumstances under which data subjects can request the deletion of their data.
e. Right to Restrict Processing: Outline the conditions under which processing of personal data may be restricted.
f. Right to Data Portability: Describe how data subjects can obtain and reuse their personal data across different services.
g. Right to Object: Explain how data subjects can object to the processing of their data.
h. Rights Related to Automated Decision Making: Describe protections related to automated processing of personal data.

XI. Stakeholder Consultation
a. Stakeholder Engagement: Detail the process for consulting with stakeholders (e.g., students, parents, faculty, staff) during the PIA process.
b. Feedback and Responses: Summarize the feedback received from stakeholders and how it was addressed in the PIA.

XII. Recommendations and Action Plan
a. Summary of Findings: Provide a summary of the key findings from the PIA.
b. Recommendations: List the recommended actions to improve privacy protection and address identified risks.
c. Implementation Plan: Outline a plan for implementing the recommendations, including timelines and responsible parties.

XIII. Conclusion
a. PIA Approval: Note the approval of the PIA by school leadership.
b. Ongoing Monitoring and Review: Describe the process for regularly monitoring and reviewing privacy practices to ensure ongoing compliance and effectiveness.

XIV. Appendices
a. Appendix A: Glossary of Terms: Define key terms used in the PIA.
b. Appendix B: Relevant Legal and Policy Documents: Include copies or references to relevant legal and policy documents.
c. Appendix C: Data Flow Diagrams: Provide visual representations of how data flows through the school's systems.
d. Appendix D: Stakeholder Feedback: Include detailed feedback from stakeholder consultations.