Noi questions
32 Questions

Questions and Answers

The following are the four (4) steps in the DPMP program; list the four steps (a to d) in order:

  • Step 1 = Identify PD Handled
  • Step 2 = Identify, Assess and Manage Risks
  • Step 3 = Develop DPMP
  • Step 4 = Maintain DPMP

Sam wanted to understand a bit more about the benefits of a DPMP. His classmate explained that the benefits for an organisation implementing a DPMP include the following key points, except for:

  • To help organisations develop, manage and maintain a robust data protection infrastructure.
  • To help foster a culture of data protection within the organisation.
  • To help an organization demonstrate accountability in data protection.
  • To ensure that the organisation does not need extra policies/processes to comply with the PDPC. (correct)

Under the People approach of DPMP, there is a need for training to develop general staff, which could be as follows:

  1. Educate staff on the PDPA and the organisation's data protection policies and processes
  2. Make available data protection training materials in an accessible platform (e.g. intranet)
  3. Rationalise business benefits of personal data protection.
  4. Suggested topics include: Importance of Personal Data Protection.

Identify which of the above points are "true" with regards to the training needs of staff.

  • Only 3 and 4
  • 1, 2 and 3
  • 1, 2 and 4 (correct)
  • All 1 to 4 are needed to train general staff.

For Process strategy under DPMP, the following points are used to ensure processes are done well, except for:

Important to use PATO supplied by PDPC. (A)

Which of the following risks is not associated with data protection:

Managing risk related to appointment of key personnel (B)

As part of Data Breach Notification obligation, a data intermediary has the:

Duty to notify the data controller (A)

Which of the following are options that the PDPC can take with regard to enforcement:

  1. Voluntary undertaking
  2. Suspension / discontinuation
  3. Expedited breach decision
  4. Full investigation

All 1 to 4 of the above (D)

David, who is the HR Assistant Director of a manufacturing company, misplaced his company-issued hard-disk in his office premises on a Friday evening. The hard-disk, which has the label "Property of HR department" pasted on it, contains the entire database of their 800 employees' personal data. The cleaning lady, who comes in very early on Monday morning to clean up the office before the employees arrive, found the misplaced hard-disk and handed it to her supervisor who immediately returned it to the HR department. Who should the organization notify?

Do not need to notify PDPC or affected individuals (D)

The Data Protection Impact Assessment can be conducted in six (6) phases. The first two phases are Phase 1 (Assess need for DPIA) and Phase 2 (Plan DPIA). Arrange the remaining four (4) phases in the correct sequence:

  a) Implement & Monitor Action Plan
  b) Identify Personal Data (PD) and PD Flows
  c) Create Action Plan
  d) Identify & Assess Data Protection Risks

b, d, c, a (C)

One of the key strategies in DPMP is Policy, where organisations need to develop a personal data protection policy. Policies have a life cycle with four (4) steps. List the steps in order of the life cycle of a DPMP policy:

  a) Communicate policies to stakeholders.
  b) Get Management Approval for the policies.
  c) Draft, review and revise the policies.
  d) Train staff and enforce policies.

c, b, a, d (B)

The advantage of using a data flow diagram is:

it can be easily understood (C)

In order to understand the data lifecycle, an organisation must:

analyse the flows of personal data in its business processes (B)

When an organisation does something that may risk a breach of personal data, what kind of risk is it directly exposed to:

compliance risk (D)

Personal Data Protection risk management is not:

registering a patent for a product (C)

The risk level in terms of personal data protection may be determined by the following, except:

cost of implementing risk measures (D)

One way in which an organisation can do scoring under a risk assessment framework is by using a quantitative approach or a qualitative approach.

False (B)

When an organisation puts in controls to manage its risks, the organisation is responding to the risk by:

modifying the risk (A)

In order to operationalise controls, it is necessary to lift a few simple rules out from the formal policies and practices and to present them to staff in a simple and straightforward set of requirements.

True (A)

In order to comply with the purpose limitation obligation, employees could be instructed to:

collect only what is reasonable (D)

The following are examples of administrative controls, except for:

restriction of access to the organisation's premises (A)

In order to comply with the PDPA where IT vendors are involved, the organisation must state clearly in the contract that:

the IT vendor is required to consider how personal data should be handled (C)

The following are good data protection by design practices, except:

maximising the collection of personal data (C)

As personal data protection is a continuous compliance process, which of the following statements is true?

the organisation should learn from feedback about its personal data protection policy (C)

A Data Protection Policy on a website is mis-named. It is not a policy; it is a notice.

True (A)

When drafting a notice, it is important to be clear and informative and:

use a simple style (B)

Match the steps in the DPMP program in order:

  • Identify PD Handled = Step 1
  • Identify, Assess and Manage Risks = Step 2
  • Develop DPMP = Step 3
  • Maintain DPMP = Step 4

Sam was appointed a DPO recently in a Singapore organisation. His classmate explained that the benefits for an organisation implementing a DPMP include the following key points, except for:

To ensure that the organisation does not need extra policies/processes to comply with the PDPC. (B)

List the steps in order of the life cycle of a DPMP policy diagram:

  • Draft, review and revise the policies. = Step 1
  • Get Management Approval for the policies = Step 2
  • Train staff and enforce policies. = Step 3
  • Communicate policies to stakeholders. = Step 4

Under the People approach of DPMP, which of the following points are 'true' with regards to the training needs of staff?

1, 2 and 4 (B)

Arrange the remaining four (4) phases in the correct sequence for Data Protection Impact Assessment:

  • Identify Personal Data (PD) and PD Flows = Phase 1
  • Identify & Assess Data Protection Risks = Phase 2
  • Create Action Plan = Phase 3
  • Implement & Monitor Action Plan = Phase 4

Which of the following are options that the PDPC can take with regard to enforcement:

All 1 to 4 of the above (D)

Who should the organization notify in the scenario, where David misplaced his company-issued hard-disk containing the entire database of their 800 employees' personal data?

Do not need to notify PDPC or affected individuals (D)

Flashcards

DPMP

A four-step program to establish a robust personal data protection infrastructure.

DPMP Steps (Order)

  1. Identify PD Handled.
  2. Identify, Assess and Manage Risks.
  3. Develop DPMP.
  4. Maintain DPMP.

DPMP Benefits

Organizations implement DPMP to demonstrate accountability, develop a data protection infrastructure, and foster a culture of data protection.

DPMP: Not a Replacement

To show compliance with the PDPC, extra policies are needed; a DPMP does not replace any existing policies/processes.

DPMP Policy Lifecycle

  1. Draft, review, and revise the policies.
  2. Get Management Approval.
  3. Communicate policies.
  4. Train staff and enforce policies.

DPMP Training (Staff)

Educate staff on PDPA, policies; provide accessible training; rationalize benefits; emphasize importance of data protection.

DPMP - Process Strategy

Using pre-supplied PATO is not a process strategy to ensure processes in DPMP are well done.

Data Protection Processes

Policies for Data Protection must be developed and enforced.

Non-Data Protection Risk

Outsourcing of IT services is not typically a data protection risk; it's a business or security risk.

DPIA Phases (Sequence)

  1. Assess the need for DPIA.
  2. Plan DPIA.
  3. Identify Personal Data (PD) and PD Flows.
  4. Identify & Assess Data Protection Risks.
  5. Create Action Plan.
  6. Implement & Monitor Action Plan.

Data Intermediary Duty

Data intermediary has a duty to conduct assessment.

PDPC Enforcement Options

Voluntary undertaking, Expedited breach decision, and Full investigation are all options PDPC can use for enforcements.

Internal Breach Notifications

The misplaced hard-disk isn't a data breach, so no notification is needed.

CUDA (PDPA)

Collection, Use, Disclosure, and Access (CUDA) define the scope of PDPA.

Consent (PDPA)

Consent is required for the collection, use, or disclosure of personal data.

Purpose Limitation

Giving clear explanation of why data is collected.

Limitation Obligation

Collect only necessary data.

Accuracy Obligation

Keep data accurate and complete.

Security Obligation

Protect data with security arrangements.

Access Obligation

Give right to access and rectify personal data.

Transfer Limitation

Transfer data overseas within PDPA.

Retention Limitation

Retain data only as long as needed.

Openness Obligation

Be transparent about data practices.

DPO Appointment

Appoint a DPO.

Response Obligation

Respond to data protection inquiries.

Withdrawal of Consent

The individual can withdraw consent at any time.

9 Data protection obligations

The 9 obligations are: Consent, Purpose Limitation, Limitation Obligation, Accuracy Obligation, Security Obligation, Access Obligation, Transfer Limitation, Retention Limitation, and Openness.

Rights of Individuals

Individuals have rights to their data.

Data Breach notifications

Notification is required for a personal data breach if it results, or is likely to result, in significant harm to affected individuals.

Significant Harm

Significant harm includes identity theft, financial loss, reputational damage.

Data Flow Diagram Advantage

A visual representation of data movement within a system, easily understood by various stakeholders.

Understanding Data Lifecycle

Analyzing data flows to understand how personal data moves through business processes.

Compliance Risk

The risk of failing to comply with data protection laws and regulations.

Personal Data Protection Risk Management

Actively working to minimize, monitor, and control risks related to personal data.

Risk Level Factor

The direct costs shouldn't determine risk level.

Risk Assessment Scoring

Organizations use quantitative or qualitative approaches for scoring in risk assessment.

Modifying the Risk

Changing the nature or impact of a risk through controls.

Operationalise Controls

For controls to be effective, policies should also translate into a clear and simple set of requirements for staff.

Purpose Limitation Compliance

Instructing employees to collect only what is reasonable and necessary for the stated purpose.

Administrative Controls

Physical barriers like restricted access to the organisation's premises.

IT Vendor PDPA Compliance

Vendors must seek the consent of the persons whose data they are processing.

Bad Data Protection by Design

It is not data protection by design to maximize data collection.

Continuous Compliance

Learning from feedback to improve personal data protection practices.

Website Data Protection

A Data Protection Policy shown on a website is actually a notice.

Drafting a Notice

When drafting a notice, be clear and informative, and use a simple style.

Data flow advantage

Advantage: Easily understood

Data lifecycle

Analyze the flows of personal data.

Risk of Data breach

The risk the organisation is exposed to: Compliance Risk

Personal Data Prot. Risk Mgt

Not personal data protection risk management: registering a patent for a product

Personal Data Protection (Risk)

The risk level in terms of personal data protection may be determined by the following, except Cost of implementing risk measures

Approach to risk assessment

An organisation can do scoring under a risk assessment framework by using a quantitative approach.

Risk management by organisations

When an organisation puts in controls to manage its risks, the organisation is responding to the risk by modifying the risk.

Operationalise controls

It is necessary to lift a few simple rules out from the formal policies and practices and to present them to staff in a simple and straightforward set of requirements.

Comply with Purpose Limitation Obligation

Collect only what is reasonable

Administrative controls

Restriction of access to the organisation's premises

Comply with PDPA where IT vendors are involved

The vendor needs to obtain the consent of the persons whose data it is processing.

Not a data protection by design practice

Maximising the collection of personal data

personal data protection continuous process

Organisation should learn from feedback about its personal data protection policy

Data Protection

A Data Protection Policy on a website is mis-named; it is not a policy, it is a notice.

Drafting a notice

Use a simple style

Study Notes

  • A Data Protection Management Program (DPMP) is a four-step program to help organizations build a solid personal data protection infrastructure.

DPMP Program Steps:

  • Step 1: Identify PD Handled
  • Step 2: Identify, Assess, and Manage Risks
  • Step 3: Develop DPMP
  • Step 4: Maintain DPMP
  • Benefits of implementing a DPMP include demonstrating accountability in data protection.
  • Implementing a DPMP is beneficial for developing, managing, and maintaining a robust data protection infrastructure.
  • Another benefit of a DPMP is fostering a culture of data protection within the organization.
  • A key strategy in DPMP is policy development, where organizations need to create a personal data protection policy.

DPMP Policy Lifecycle Steps:

  • Step 1: Draft, review, and revise the policies.
  • Step 2: Get Management Approval for the policies.
  • Step 3: Communicate policies to stakeholders.
  • Step 4: Train staff and enforce policies.

Training Needs Under the People Approach of DPMP

  • Educate staff on the PDPA (Personal Data Protection Act) and the organization's data protection policies and processes.
  • Make data protection training materials available on an accessible platform, like an intranet.
  • Topics should include: Importance of Personal Data Protection.

Process Strategy Under DPMP

  • Process strategy does not include using Persons Appointed to assist Organisations (PATO) supplied by PDPC.
  • Points that ensure this is done well include:
  • Develop and enforce Data Protection Policy.
  • Set up SOPs in the organization for data protection processes.
  • Managing risks related to appointment of key personnel is not a risk associated with data protection.

Data Protection Impact Assessment (DPIA) Six Phases:

  • Phase 1: Assess the need for DPIA.
  • Phase 2: Plan DPIA.
  • Phase 3: Identify Personal Data (PD) and PD Flows.
  • Phase 4: Identify & Assess Data Protection Risks.
  • Phase 5: Create Action Plan.
  • Phase 6: Implement & Monitor Action Plan.

Data Breach Notification Obligation

  • As part of data breach notification, a data intermediary has the duty to notify the data controller.

Enforcement Options for PDPC

  • The Personal Data Protection Commission (PDPC) has a range of enforcement options:
  • Voluntary undertaking
  • Suspension / discontinuation
  • Expedited breach decision
  • Full investigation
  • An organization does not need to notify PDPC or affected individuals of an internal breach.
  • A data flow diagram allows for ease of understanding.
  • To understand the data lifecycle, an organisation must analyse the flows of personal data in its business processes.
  • Breaching personal data directly exposes the organisation to compliance risk.
  • Personal data protection risk management does not include registering a patent for a product.
  • The cost of implementing risk measures does not determine the personal data protection risk level.
  • Organisations can use a quantitative or qualitative approach to score under a risk assessment framework (False).
  • Controls implemented by an organisation to manage its risks modify the risk.
  • Operationalising controls involves setting simple-to-follow requirements.
  • To comply with the purpose limitation obligation, employees should only collect what is reasonable.
  • Examples of administrative controls do not include restriction of access to the organisation's premises.
  • To comply with the PDPA where IT vendors are involved, the organisation must ensure the IT vendor is required to consider how personal data should be handled.
  • Good data protection by design practices do not include maximising the collection of personal data.
  • Constant feedback about the organisation's personal data protection policy is essential, as personal data protection is a continuous compliance process.
  • A data protection policy on a website is mis-named; it is a notice (True).
  • When drafting a notice, it is important to be clear and informative and to use a simple style.

Description

The Data Protection Management Program (DPMP) is a structured approach for organizations to establish a strong personal data protection infrastructure. It involves identifying handled personal data, assessing risks, developing a DPMP, and maintaining it. Implementing a DPMP demonstrates accountability and fosters a culture of data protection.
