Call for Expression of Interest - Data Privacy, Security and Protection Consultant

In the Philippines, 12 women die of cervical cancer daily. It is the second most common cancer among women and leading cause of death among women living with HIV. The high incidence of cervical cancer in the Philippine is attributable to low screening and vaccine coverage, low early detection rates and late diagnosis of cancer cases.

The ACCE Project supports the Department of Health in collaboration with local health officials, private sector, and civil society to strengthen the country’s cervical cancer control and management program and align the country’s efforts with global strategies through datacentric program response and planning to effectively eliminate cervical cancer as public health burden by 2030.

The project during the initial quarter of the year has spearheaded the development of a health information system (HIS) capturing the cervical cancer service delivery strategies from preventive screening to secondary treatment of pre-cancer lesions. Serving as a demonstration project, it aims to assist supported facilities in strengthening their clientcentred health recording and streamline patient navigation using the iSCerv and access to reporting data through development of interactive reporting dashboard.

Further, iSCerv as the electronic medical record of supported facilities handles, collects and stores personal and sensitive information of clients in lieu of cervical cancer service delivery provision of health care provider, thus to ensure the compliance of the developed health information system with the Data Privacy Act of 2012 and adheres to the highest standards of data protection and confidentiality, the project aims a thorough assessment of the system’s privacy and security measures.

As part of Jhpiego’s commitment to uphold the highest standards of data protection, a Data Privacy and Digital Security Compliance Audit will be conducted to assess and strengthen the safeguards surrounding the handling of personal and sensitive health information collected through the iSCerv health information system and across Jhpiego’s cervical cancer secondary prevention portfolio.

This exercise is necessary to ensure full compliance with the Data Privacy Act of 2012 (RA10173), its Implementing Rules and Regulations (IRR), and global standards for health data security, particularly given the sensitive nature of the data being processed—such as patient demographics, screening results, treatment details.

This activity will require the following services of a Data Privacy, Security and Protection Consultant

Estimated Level of Effort:

The Data Privacy, Security and Protection Consultant will be engaged for a total of 15 days LOE from June to July 2025.

Expected Deliverables:

• Inception Report - Detailed work plan, methodology and timeline
• Privacy Audit Report - Includes gap analysis and recommendations
• Revised Privacy Policies - Includes all reviewed/updated documents
• PIA Reports - Completed PIAs for key systems or processes
• Training Report - Documentation of training sessions conducted
• Final Technical Report - Summary of tasks completed, tools developed, and recommendations

Monitoring, Finances and Payment Scheme:

1. The consultant shall be directly supervised by the Project Officer, Donna Miranda.
2. Financial, contractual, and administrative concerns shall be supervised by the Finance Manager, Airene Dasal, and the Country Program Manager, Dr. Ingrid Magnata.
3. Payment for the professional fees shall be based on the estimated level of effort and deliverables. Payment shall be requested after recommendation of the Project Officer or Monitoring & Evaluation Analyst and upon review and acceptance of the consultant’s outputs by the Country Program Manager.
4. Logistics and other requirements for the identified activity shall be shouldered by Jhpiego.

• Bachelor’s degree in information technology, Computer Science, Law, Health Information Management, Public Health, or related field.
• A master’s degree or equivalent postgraduate training in Cybersecurity, Data Privacy, Information Governance, or Health Informatics is an asset.
• At least one recognized certification, such as:
  • National Privacy Commission (NPC) DPO Certification
  • CIPP, CISSP, CISM, CDPSE, HCISPP, or ISO/IEC 27001 certification
• Experience conducting PIAs, policy reviews, and data protection training
• Familiarity with the Philippine Data Privacy Act of 2012 and NPC Circulars
• Experience working with government agencies, NGOs, health sector, or international development projects is an advantage.
• Strong interpersonal and training facilitation skills.
• Excellent written and verbal communication, including reporting to high-level stakeholders.