Chapter 4: Personal Data Handling Practices

Questions and Answers

What is the primary purpose of developing a Data Protection Management Plan (DPMP)?

  • To improve customer service interactions
  • To enhance marketing strategies
  • To document personal data handling practices (correct)
  • To comply with international financial regulations

Which of the following statements about a data inventory map is true?

  • It lacks a visual representation of data flows and is limited in representing the interconnectivity of personal data.
  • It offers a visual representation of data flows, but is limited if large in size (correct)
  • No technical knowledge required (correct)
  • It can be challenging to develop and maintain (correct)
  • It requires advanced software for development.

What key aspect should be documented in personal data handling practices?

  • Organizational marketing strategies
  • How personal data is disclosed and stored (correct)
  • Employee performance data
  • Sources of funding and budget allocation

Which statement is true regarding data flow diagrams?

  • Challenging to develop and maintain for large interconnected data. (@)
  • They are useful for showcasing the general flow of personal data. (D)

What initial step should an organization take when developing a DPMP?

  • Document personal data flows within the organization (C)

Which limitation is associated with data inventory maps?

  • They can only represent small data sets. (C)

Why might a data flow diagram not be suitable for large interconnected data?

  • They may present limited information depending on data type. (D)

Which business process aspect should be prioritized when identifying personal data handling practices?

  • How personal data is collected and stored (C)

What should an organization consider regarding the location of an external service provider?

  • The transfer limitation obligations under the PDPA. (A)

Which of the following is essential for secure data disposal?

  • Verifying that the disposal method complies with the protection obligations. (C)

What does the Retention Limitation Obligation prevent an organization from doing?

  • Keeping data longer than necessary for its intended purpose. (A)

What is a key purpose of the PDPC’s Guide to Notification?

  • To inform individuals about the purposes for which their data is collected, used or disclosed. (B)

What is one of the resources mentioned for developing a Data Protection Management Programme?

  • A data inventory map template. (C)

What is one reason an organization must assess risks associated with third parties collecting personal data?

  • To comply with the Accuracy Obligation (A)

Why is it necessary for organizations to ensure express consent at the time of first collection of personal data?

  • To meet the Consent Obligation (A)

When evaluating the adequacy of consent for personal data collection, what should organizations also assess?

  • Whether any exceptions to consent can apply (C)

What is a core purpose of knowing where personal data is stored?

  • To assess security arrangements and controls (C)

Which of the following is a crucial action organizations must take regarding third-party data processors?

  • Carry out due diligence and enter into contracts (C)

Why must departments involved in processing personal data be engaged in developing the DPMP?

  • To account for department-specific data usage and processes (D)

What is the benefit of knowing to whom personal data is disclosed?

  • To ensure adequate consent covers such disclosures (D)

Which obligation requires organizations to notify individuals about the purposes for collecting their personal data?

  • Notification Obligation (A)

What must organizations evaluate concerning personal data collected on paper documents?

  • The risks that might hinder compliance with the Accuracy Obligation (D)

What is a key reason organizations must disclose personal data only under specific circumstances?

  • To comply with the Consent Obligation and other relevant laws (D)

Why is it important to document the data lifecycle within an organization?

  • To determine compliance needs for the PDPA. (C)

What must an organization assess to comply with the Protection Obligation?

  • The risks involved in data transfer from collection to storage. (D)

How does the sensitivity of personal data affect its processing requirements?

  • It dictates the level of security needed for that specific data. (A)

What factor should an organization consider to ensure it is not collecting personal data excessively?

  • The personal data required to provide products or services. (D)

Which of the following obligations may be impacted by the method of data collection?

  • The Consent Obligation. (C)

At what points must an organization assess the risks associated with data handling?

  • At the collection, transfer, and storage points. (D)

What might indicate that an organization is not complying with the Consent Obligation?

  • Not providing sufficient notification before collecting personal data. (D)

What should an organization do first when identifying the types of personal data it processes?

  • Evaluate the potential risks associated with each data type. (C)

Which of the following actions does NOT contribute to compliance with the Purpose Limitation Obligation?

  • Using personal data for marketing without further consent. (D)

What is an essential aspect of controlling risks associated with personal data collection?

  • Implementing strong data loss prevention measures. (A)

What is the purpose of a data inventory map or data flow diagram in an organization?

  • Where it stores data. (C)
  • How and why the organisation uses and discloses that personal data. (@)
  • When it ceases to retain that personal data and how it securely deletes or destroys it. (@)
  • To visualize the flow of personal data within various business processes (A)

What is a primary responsibility of the IT department in relation to personal data?

  • Manage customer relationship database and security (B)

Which of the following processes would be included in a data inventory map for the customer service department?

  • Complaints handling (B)

What is one of the first steps an organization must take to build a data inventory map?

  • Identify the core processes involving personal data (C)

To identify personal data handling, which of the following questions should the PDPA Project Team consider? (Select all that apply)

  • What types of personal data does the organization collect, use, disclose, and store? (A)
  • For what purpose(s) does the organization collect personal data? (B)
  • Does the organization obtain consent from individuals after notifying them? (C)
  • Does the organisation maintain a consent registry? (@)

Which of the following questions should the PDPA Project Team consider when identifying personal data handling? (Select all that apply)

  • All of the above. (@)

What is the purpose of a consent registry?

  • To record consent provided by individuals for the collection, use, and disclosure of their personal data for a particular purpose. (B)

Why would an organization need a data classification policy?

  • To ensure the protection of various categories of data in accordance with different standards of protection. (A)

It is important to document the [blank] so that the organisation has detailed information that enables it to determine what it needs to do with its data to comply with the PDPA.

  • Data life cycle (@)

Flashcards

Data Lifecycle

Understanding how personal data is handled throughout its life cycle within an organisation, from collection to disposal.

Data Flow Diagram

A visual representation of how personal data is collected, stored, used, disclosed, and disposed of within an organisation.

Data Inventory Map

A comprehensive list of all personal data handled by an organisation, including its source, purpose, and storage details.

Strengths of Data Inventory Maps

A data inventory map is easy to create and update, doesn't require complex software, and can capture extensive data flows.

Limitations of Data Inventory Maps

Data inventory maps lack visual representation of data flow and are not ideal for complex interconnections.

Strengths of Data Flow Diagrams

Data flow diagrams are easy to understand and use, requiring no technical expertise.

Limitations of Data Flow Diagrams

Data flow diagrams can be challenging to create and maintain, and are limited in representing complex data interconnections.

Importance of Data Flow Diagrams & Inventory Maps

Both data flow diagrams and data inventory maps help document personal data handling and are valuable tools for organisations.

Excessive Data Collection

The risk of collecting too much personal data, exceeding what's necessary for providing services or products.

Protection Obligation

The obligation to protect personal data with appropriate security measures based on its sensitivity.

Consent Obligation

The obligation to obtain explicit consent before collecting, using, disclosing, and storing personal data.

Notification Obligation

The obligation to inform individuals how their personal data will be used and for what purpose.

Purpose Limitation Obligation

The obligation to limit the use of personal data to only the purposes it was collected for.

Identifying Core Business Processes

The initial step in creating a data inventory map or flow diagram is identifying every business process that handles personal data.

Departmental Data Mapping

Each department within an organization must create a data inventory map or flow diagram specifically for their processes involving personal data.

Data Handling in Finance

Finance-related processes, such as payroll, taxes, reimbursements, and customer billing often deal with sensitive personal data.

Data Handling in Customer Service

Customer service activities, including handling complaints, requests, and service interactions, frequently involve collecting and using personal data.

Data Handling in Human Resources

HR processes, such as recruitment, employee management, performance reviews, and termination procedures, often involve extensive collection and use of personal data.

Data Handling in Sales and Marketing

Sales and marketing activities, including lead generation, prospecting, customer relationship management, and loyalty programs, heavily rely on personal data.

Data Handling in IT

IT departments handle various data-related tasks, including account management, data storage, security, and management of customer databases, all of which involve personal data.

Secure Data Disposal

The requirement for businesses to dispose of personal data securely, ensuring it's not easily accessible and preventing data breaches.

Data Retention Limitation

The legal obligation to limit the amount of time personal data is kept, ensuring it's only retained for as long as necessary.

Data Transfer Location

The obligation to inform individuals where their personal data is being processed, especially when handling it through an external service provider.

Third-Party Processor Assessment

Ensuring an organization has a record of all third-party processors handling personal data on their behalf, including those they will be responsible for.

Data Entry Risk Assessment

Understanding the risks involved when data collected on paper documents is entered into an organization's IT system.

Consent Exception Assessment

Examining the risks associated with any exceptions to consent requirements, ensuring compliance with Data Protection regulations.

Consent Adequacy Assessment

Verifying that the consent obtained for collecting, using, disclosing, and storing personal data is adequate and aligns with the organization's stated purposes.

Storage Security Assessment

Determining the necessary security measures based on the location of data storage to ensure compliance with the Protection Obligation.

Due Diligence on Data Processors

Conducting due diligence on apps, vendors, third parties, and data intermediaries to meet regulatory obligations.

Departmental Collaboration on Data Protection

Involving department heads in data protection policies, especially those related to their specific business processes, such as making cold calls.

Disclosure Consent Assessment

Assessing the adequacy of consent for disclosing data to third parties, including related companies within the same corporate group.

Legal Compliance for Data Disclosure

Ensuring any disclosure of personal data complies with the local Data Protection Act, including legal requirements for data sharing.

Data Protection Management Plan (DPMP)

Developing a comprehensive Data Protection Management Plan (DPMP) that addresses all aspects of data privacy and security.

Study Notes

Personal Data Handling Practices

  • Identify and document an organization's personal data handling practices by:
    • Identifying business processes involving personal data.
    • Documenting how the organization collects, uses, discloses, and stores personal data as part of its business processes.
    • Using diagrams such as data inventory maps or data flow diagrams.

Data Lifecycle Documentation

  • The first step in developing a Data Protection Management Plan (DPMP) is to document personal data flows.
  • This involves understanding how data is collected, stored, used, disclosed, archived, and disposed of.
  • This can be achieved using a data inventory map or data flow diagram.
  • Each data inventory map/data flow diagram should detail how personal data is handled for each business process.
  • A data inventory map allows the easy development, maintenance and updating of data. It does not need advanced software and is suitable for extensive complex data flows. However, it lacks visual representation.
  • A data flow diagram is useful for quick reference. It clarifies the flow of personal data with simple notation and requires no technical knowledge. However, it is harder to maintain.

Understanding the Data Lifecycle

  • To understand the data lifecycle, analyze the flows of personal data within business processes.
  • Identify core processes involving data collection, use, disclosure, and storage.
  • Examples of common business processes: finance, customer service, human resources, sales & marketing, and IT.
    • Finance: payroll, taxes, employee claims, customer invoicing
    • Customer Service: complaints handling
    • Human Resources: recruitment, employee management, payroll

Data Lifecycle Documentation - Key Considerations

  • The organisation must know the types of personal data it processes.
  • Different data requires different security levels.
  • The organization needs to know the different points at which data is collected.
  • Understanding how data is collected, used, and stored.
  • Assess risks posed by third parties handling data.
  • Ensure adequate consent is obtained for data collection, use, disclosure, and storage.
  • Understand the regulations and policies regarding personal data retention.
  • Different methods to obtain consent for data collection and storage.

Resources for Further Information

  • Guides and resources are available on the website pdpc.gov.sg to address specific issues.
