Chapter 7: Personal Data Protection Policy Guidelines

Questions and Answers

What is the primary purpose of drafting a personal data protection policy according to the guidelines?

  • To establish penalties for data breaches
  • To create a comprehensive IT infrastructure plan
  • To define what the organisation needs to do to comply with the PDPA (correct)
  • To outline employee behavior related to social media

Which of the following is NOT typically included in a personal data protection policy?

  • Personal data protection notices
  • Policies on consent clauses and notification of purpose
  • An Acceptable Use Policy
  • Comprehensive marketing strategies (correct)

Which factor must the DPO consider during the drafting phase of the personal data protection policy?

  • The latest technology trends
  • Input from the PDPA Project Team and senior management executive sponsor (correct)
  • Market competition analysis
  • Employee preferences for remote work

What is one of the key iterative steps in establishing a personal data protection policy?

Identifying key areas and risks to which policies need to apply (C)

How should confidentiality obligations be incorporated in employment contracts?

By including them directly in the contract or an Employee Handbook (A)

What does the Bring-Your-Own-Device (BYOD) Policy specifically address?

Rules for connecting personal devices to the organisation's IT network (A)

What must employees do before engaging a data intermediary according to the guidelines?

Conduct due diligence and include data protection terms in contracts (B)

What role is primarily responsible for leading a data protection office?

Data Protection Officer (DPO) (A)

Which employee would be responsible for evaluating the effectiveness of personal data protection measures in different departments?

Department Representative (B)

To whom does the governance committee typically report?

Board of Directors (C)

What is one optional role that can support a data protection office?

Internal Auditor (D)

Which scenario exemplifies the use of notices given during an application process?

Information provided to an individual when they apply to volunteer with a social service organization. (A)

What is the primary purpose of using a separate consent form in data collection?

To provide extensive explanations without confusion. (B)

Which of the following is NOT a recommended practice for data protection notices?

Using technical jargon to explain concepts. (A)

Which example illustrates signage as a means of notice?

CCTV operation notices for security purposes. (D)

Which component is essential for a data protection notice on a website?

A hyperlink to the full data protection policy. (B)

What should organizations avoid when drafting data protection notices?

Using jargon that could confuse the reader. (A)

What is a fundamental goal when creating data protection notices?

To facilitate genuine communication with stakeholders. (C)

What incidental information might a website notice provide during online data collection?

A link to the data protection notice. (B)

Which document provides notice in a more formal context than casual signage?

Credit card contracts detailing terms and conditions. (D)

Which of the following phases can influence the process of getting management approval for a personal data protection policy?

The size and internal rules of the organisation (B)

What is a key aspect that should be considered while aligning policies and SOPs?

Avoiding conflicting interpretations between policies (C)

What should organizations regularly review to enhance their personal data protection policy?

International best practices and industry-specific developments (C)

Which component is often useful as part of the SOP in ensuring compliance?

Checklists (B)

How can organizations learn from complaints regarding their personal data protection practices?

By analyzing them for trends and needed improvements (D)

What is an essential step for a Data Protection Officer (DPO) regarding PDPA compliance?

To obtain senior management sign-off on compliance aspects of the policy (B)

Which of the following is NOT a recommended source for feedback on personal data protection policies?

Random social media comments (A)

When should an organization conduct reviews of its personal data protection policy?

Immediately or periodically based on feedback and developments (A)

What characterizes the policy life cycle related to data protection in organizations?

It is a continuous process of learning and adapting (C)

Under which situation should an organisation NOT necessarily conduct an immediate review of its data protection policies?

After a minor incident such as accidental data access by an employee (D)

What is a key reason for an organisation to periodically review its data protection policies?

To address minor incidents and changes in systems (A)

Which factor should NOT be considered when determining the need for a data protection policy review?

Employee satisfaction with current data protection measures (C)

When should an organisation consider immediate reviews based on the PDPA?

When new enforcement decisions or guidelines are issued (A)

Which of the following represents a method for structuring an organisation's data protection office?

Developing a dedicated team with specific roles and responsibilities (C)

What is the primary focus of an organisation's information security policy within data protection?

To comply with the Protection Obligation under the PDPA (D)

Which scenario does NOT indicate a significant change in business circumstances warranting a review?

Changing the contact information of the Data Protection Officer (B)

What is a typical outcome of an organisation conducting an immediate review after a data breach?

Enhancing data protection measures and policies (A)

What aspect should organisations monitor to mitigate data protection risks effectively?

Emerging technologies and their impact on data protection (D)

Select the correct sequence for the policy lifecycle: the 'policy lifecycle' consists of four steps: c) drafting, reviewing, revising; a) getting management approval; b) communicating to stakeholders; and d) training and enforcing the policy. What is the correct order?

(c), (a), (b), (d) (C)

Why do organizations need a personal data protection policy? (select two that apply)

To define the policies on how personal data should be collected and used. (A), To comply with PDPA requirements that the company's policies are accompanied by its standard operating processes (C)

A 'personal data protection policy' and accompanying practices are documents that are internal to the organisation.

True (A)

What are the two reasons why the organization must develop an internal personal data protection policy? (Select two)

To provide clarity on individual responsibilities of internal stakeholders (C), To ensure compliance with the accountability obligation under the PDPA (A)

What is often mis-named as a 'policy' when it is actually a notice regarding data protection (select two)?

Privacy Policy (B), Data Protection Policy (A)

An organisation’s personal data protection policy (internal document) is developed first, followed by the 'personal data protection notice' (external document).

True (A)

What is included in the content of a personal data protection notice? (Select all that apply)

Reflecting on the organization's policy regarding the collection, use, disclosure, and storage of personal data. (A), Describing the individual's rights related to personal data, including the right to withdraw consent and access their data. (B), Specifying how stakeholders can contact the organization's Data Protection Officer (DPO) for queries or complaints. (C)

What sort of inputs are learned from for a continuous policy lifecycle? (Select all that apply)

All of the above (@)

How should both the personal data protection notice (i.e. external document) and the personal data policy (i.e. internal document) be drafted? (Select all that apply)

Be clear and informative (A), Be easy to understand (C), Consider using a layered notice (D)

When should the organisation conduct a review of its personal data protection policy on an immediate basis? (select all that apply)

All of the above. (@)

When should employees and contractors receive training? (Select all that apply)

Ongoing training for all employees, contractors, and volunteers (D), On-boarding for all employees and internal contractors (A), On-the-job assignment for roles handling personal data (C), Promotion with greater responsibility (@), Exit (@)

Identify the basic factors that must be determined in reporting PDPA compliance risks (select all that apply):

DPO to report risks in excess of certain parameters (A), DPO to report specific risks designated by senior management (B), DPO to report to senior management top five (e.g.) risks (C), To which member(s) of the senior management should the DPO report (D)

Flashcards

Drafting a Personal Data Protection Policy

The process of creating a formal document that outlines an organization's commitment to protecting personal data, often involving multiple drafts, reviews, and approvals.

Personal Data Protection Policy

A comprehensive set of guidelines and procedures designed to ensure the responsible handling of personal data within an organization.

Data Protection Law (e.g., PDPA)

The legal framework that governs the collection, use, disclosure, and storage of personal data in a specific region. It sets out the rules and regulations that organizations must adhere to.

Establishing Purpose and Scope

The process of identifying the specific purposes for which personal data is being collected and processed, as well as defining the scope of data collection and processing activities.

Identifying Key Areas and Risks

Understanding and managing the potential risks associated with collecting, using, disclosing, and storing personal data, as well as creating policies to mitigate those risks.

Acceptable Use Policy (AUP)

A document that outlines the rules and procedures for employees using company-owned devices, such as computers, laptops, or mobile phones, ensuring appropriate data security and responsible use.

Bring-Your-Own-Device (BYOD) Policy

Rules and guidelines governing the use of personal devices, often owned by employees, on company networks, including data security and access control measures.

Personal data

Information about a specific person, including their name, address, contact details, and other identifying data.

Data protection notice

A formal document that outlines how an organization collects, uses, discloses, and stores personal data in accordance with relevant laws and regulations.

What is a purpose statement in a data protection notice?

A document that provides detailed information about how an organization uses a person's personal data, including the purpose, legal basis, and storage duration.

Informing individuals about the purpose of personal data collection

A clear and concise explanation of the purpose for which personal data is collected and used. It should be understandable for the average person.

Separate consent form for personal data

A document that specifically seeks consent from individuals for the collection, use, disclosure, and storage of their personal data.

Data protection notices in signage

Notices that are placed in a clear and visible location, like a website or signage, to inform individuals about the collection and use of their personal data.

Do be clear and informative

Inform people clearly and thoroughly. Think about the communication aspect.

Do be easy to understand

Use simple language so that anyone can understand the notice.

Do not assume everyone understands

Avoid assuming everyone has the same understanding. Use clear and simple language.

Data Protection Policy

A set of procedures that outline the steps for managing and protecting personal data in an organization.

Policy Alignment

The process of ensuring that different policies and procedures related to data protection work together harmoniously, avoiding conflicts.

SOP Checklist

A formal checklist that ensures all necessary steps for data protection are followed.

Data Protection Officer (DPO)

The person in charge of overseeing and implementing data protection policies within an organization.

Legal Sign Off

The DPO seeks a legal opinion to verify that the personal data protection policy aligns with relevant data protection laws.

Management Approval

The process of obtaining approval from senior management for a draft personal data protection policy.

Policy Review

The continuous process of reviewing and updating data protection policies to reflect changes in laws, industry trends, and the organization's own experiences.

General Feedback

Feedback from employees and stakeholders about the impact and effectiveness of the data protection policy.

Periodic Policy Review

Regularly reviewing the organization's data protection policy to ensure its adequacy and compliance with the evolving data protection landscape.

Ad-Hoc Policy Review

Immediate reviews of the data protection policy triggered by specific events, such as a data breach or a change in regulations.

Governance Committee (Data Protection)

A group of individuals, often senior management, who oversee the organization's data protection policies and compliance. They might report to the CEO or board of directors.

Access, Correction, and Data Porting Request Handling

A dedicated department within an organization responsible for handling requests from individuals to access, correct, or delete their personal data.

Department Representatives (Data Protection)

Individuals representing different departments within an organization, responsible for data protection practices and awareness within their respective areas.

Incident Response (Data Protection)

A team responsible for responding to complaints and incidents related to data breaches or violations of data protection laws.

Legislative Change Review

A formal review process triggered by significant changes in legislation affecting data protection, such as updates to the PDPA.

Incident Response Review

An urgent review initiated after a data breach or major incident, focusing on identifying and addressing security vulnerabilities.

Business Change Review

A comprehensive review triggered by significant business changes, such as introducing new products, acquiring companies, or merging with another organization.

PDPA Guideline Review

An assessment prompted by new PDPA enforcement decisions or guidelines, potentially requiring adjustments to internal policies and procedures.

Periodic Data Protection Review

Regular, typically annual, reviews focusing on minor incidents or process/system changes with minor data protection impacts.

Keeping Abreast of Changes

The practice of staying informed about internal and external changes, such as technological advancements, that might pose new data protection risks.

Data Protection Transparency

Making an organization's data protection policies and practices accessible to stakeholders through clear communication and training.

Information Security Policy

A separate policy focusing on information security, complementing a personal data protection policy and ensuring compliance with data protection obligations.

Data Protection Office/Function

A dedicated team or function within an organization responsible for implementing and maintaining data protection policies and practices.

Structuring Data Protection Roles

The process of establishing clear roles and responsibilities within an organization for data protection, assigning tasks and ensuring accountability.

Study Notes

Next Steps to Developing the Data Protection Management Programme (DPMP)

  • Key takeaways from this chapter are understanding how an organization develops a data protection policy, designates data protection roles and responsibilities, and designs processes to operationalize that policy.

Develop Policy - The Policy Lifecycle

  • An organization's governance and risk management structure shapes its data protection policies and practices.
  • The organization should develop appropriate data protection policy and practices and communicate them to internal and external stakeholders.
  • The policy lifecycle has four steps: drafting, reviewing and revising; obtaining management approval; communicating to stakeholders; and training and enforcing the policy.
  • The Data Protection Officer (DPO) should draft the personal data protection policy with input from the PDPA Project Team and senior management.
  • The PDPA policy should define what the organization needs to do to comply with the PDPA and identify areas and risks covered by the policy.
  • Policies and practices should include consent clauses, notification of purpose, and a Consent Registry.
  • Policies and practices should address access, correction, data portability, requests, complaints, and other queries.
  • An 'Acceptable Use Policy' or 'Fair Use Policy' outlines constraints on employee access to the organization's IT network or internet.
  • 'Bring Your Own Device' (BYOD) policies govern circumstances in which employees connect their own devices to the company network.
  • Standard operating procedures govern the collection, use, disclosure, and storage of personal data.
  • Due diligence should be exercised when engaging data intermediaries and contracts must include data protection clauses.
  • Non-disclosure/confidentiality agreements with parties sharing personal data, an IT policy, and an information security policy are essential.
  • A data/document retention policy and personal data protection notices are also necessary, and organisations should refer to the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) program.

Develop Policy - Internal Data Protection Policies and Practices

  • A personal data protection policy is a statement outlining data handling practices for employees and defining policies and procedures.
  • The policy and procedures should be practical, easy to understand, and in line with each other.
  • Organizations must ensure their policies comply with the PDPA, based on the Accountability Obligation.
  • The personal data protection policy establishes tone and guidance for personal data handling, clearly defining the responsibilities of employees. The policy must be 'owned' by someone within the company (e.g., an HR department).
  • Organisations should be clear on their internal ownership of data protection notices and policies.
  • Organisations should include a personal data protection notice.

Develop Policy - External Data Protection Notices

  • An external data protection policy or Privacy Policy, typically on a company website, communicates to external stakeholders how the company handles personal data.
  • The external notice reflects the contents of the internal data protection policy.
  • The notice should clearly detail an individual's rights concerning their personal data, for example the right to access and correct their data and to withdraw consent, and how they can contact the Data Protection Officer (DPO).
  • Organisations must clarify how stakeholders can contact a DPO in case of queries or complaints.
  • Notices may include different scenarios, like contract, consent forms, applications to organisations, etc.
  • Organisations must use plain language; avoid excessive legal jargon.
  • Consider a layered approach (through hyperlinks) for complex information.

Develop Policy - Management Approvals

  • In some organisations, senior management teams manage and sign off the processes and policies, while in others the DPO endorses the DPMP and submits it for senior management approval.
  • The process of approval varies based on organizational structure and internal rules.

Develop Policy - Regular Reviews of Policies

  • Policy review and update are crucial to stay abreast of legislative changes, data breaches, major business changes, and enforcement decisions.
  • Organisations should conduct periodic reviews of their policies.
  • Review should include feedback from employees, complaints regarding data handling, relevant industry trends, international best practices, and PDPC guidelines/enforcement decisions/publications.

Develop People - Structuring The Team, Roles, and Responsibilities

  • Organisations need a data protection office/function.
  • This may include a dedicated Data Protection Officer (DPO) or a DPO-led team, or a governance committee handling data protection matters. Teams should be staffed with department representatives dealing with data in their area, communication and training specialists, data access/correction experts, legal experts, and likely an internal auditing department.

Develop People - Communication and Training Strategies

  • Data protection considerations span all organizational levels, including volunteers, agents, and contract staff.
  • Staff and contractors should be trained on data protection policies and SOPs.
  • Training should be ongoing and should include: onboarding, specific job role assignments, ongoing training updates, refresher information, and training on promotion to roles with greater data protection responsibility.
  • Organisations must make their personal data protection policies easily accessible. Regular communication plans should be in place to effectively disseminate necessary data protection information.

Develop Process - HR Policies and Practices

  • Organisations must have clear HR policies that align employee/contractor dealings with data handling procedures.
  • Policies should cover screening, background checks, confidentiality agreements, information security, and handling procedures.
  • Policy must require compliant data handling from employees/contractors.
  • Clear procedures should encompass the employee's/contractor's usage, handling, and safeguarding data following termination/separation of service.

Develop Process – Access, Correction, and Data Porting Requests

  • Organisations should create policies outlining processes for access, correction, and data porting requests.
  • These processes need to comply with data protection obligations, including procedures regarding request forms, data location criteria, handling, fees, verification of the requester, exceptions, and record-keeping procedures for requests.

Develop Process – Establish Risk Monitoring, Reporting, and Internal Audit Structure

  • Establish a comprehensive enterprise risk management framework with proper monitoring and reporting mechanisms.
  • The DPO must regularly monitor and report identified risks to senior management.
  • This framework must include clear reporting mechanisms on data protection compliance risks.
  • Establish a framework for a documented process to report, track, and escalate issues.
  • Employ internal audits to monitor the effectiveness of data protection measures and identify areas for improvement.
