Chapter 2: Accountability
2. ACCOUNTABILITY

The key ‘takeaways’ from this chapter are:
(a) understanding accountability and the benefits of an accountability-based approach to personal data management
(b) understanding data protection by design
(c) addressing misconceptions relating to PDPA compliance

2.1 What accountability means and requires

2.1.1 All organisations are required to comply with the PDPA and its related legislation and regulations. Organisations should not view data protection as a mere compliance exercise but as a responsibility given to them by their customers, and fully integrated into the organisational culture.

2.1.2 Accountability is a fundamental principle of the Personal Data Protection Act (“PDPA”) which involves a risk-based approach to identifying, monitoring and responding to personal data risks, and is a way of demonstrating compliance.

2.1.3 Adopting an accountability-based approach to personal data management helps to:
(a) demonstrate responsible use of personal data in the organisation’s possession or under its control;
(b) demonstrate that the organisation is proactive, systematic and adept in implementing relevant personal data protection tools and best practices to ensure that the personal data it is responsible for is properly managed and protected in an evolving business environment; and
(c) strengthen trust with the public, enhance business competitiveness and provide customers whose personal data is collected and used by the organisation with the confidence that is necessary for organisations to thrive in the digital economy.

2.2 Data Protection by Design Approach

2.2.1 An effective data protection policy is one that can be operationalised into business processes. One way to translate data protection policies into business processes is by adopting a Data Protection by Design (DPbD) approach, in which organisations consider the protection of personal data from the earliest possible design stage of any project and throughout the project’s operational lifecycle. This can be as simple as putting data protection considerations in the foreground of any project development instead of treating them as an afterthought.

2.2.2 Designing data protection in from the start may help organisations to:
(a) identify data protection issues early;
(b) increase awareness of data protection across the organisation; and
(c) meet their data protection obligations under the PDPA.

2.2.3 A key component of the wider DPbD approach could be conducting a Data Protection Impact Assessment (DPIA) for each project. This involves identifying, assessing and addressing personal data protection risks based on the organisation’s functions, needs and processes.

2.2.4 By conducting a DPIA, an organisation would be better positioned to assess whether its handling of personal data complies with the PDPA or data protection best practices, and to implement appropriate technical or organisational measures to safeguard against data protection risks to individuals.

2.2.5 The PDPC has issued the following guides and tools that organisations may consider implementing so that they can demonstrate responsibility – accountability – for personal data:
(a) Guide to Developing a Data Protection Management Programme (DPMP Guide) – introduces a systematic framework to help organisations establish a robust personal data protection infrastructure (available at https://www.pdpc.gov.sg/og)
(b) Guide to Data Protection Impact Assessments (DPIA Guide) – introduces key principles and illustrations for conducting a DPIA, which is a process that identifies, assesses and addresses personal data protection risks (available at https://www.pdpc.gov.sg/og)
(c) PDPA Assessment Tool for Organisations (PATO) – a digital self-assessment tool that helps organisations identify potential gaps in their compliance with the PDPA based on the organisation’s inputs and directs them to relevant PDPC advisory guidelines, guides and resources (available at https://www.pdpc.gov.sg/PATO)

2.3 Addressing misconceptions of PDPA compliance

2.3.1 One common misconception, held by staff and even management, is that good data protection management is the responsibility of the DPO alone. As part of corporate governance, the commitment and involvement of senior management is key to ensuring that there is accountability and oversight over the management of personal data in the organisation.

2.3.2 In order for a DPO to provide data protection oversight, the DPO needs inputs from, and the cooperation of, various departments and staff, as he would need information on the projects, services and activities that handle personal data in order to formulate data protection measures and to execute and maintain them.

2.3.3 It is important to establish a proper governance structure for data protection matters so that there is clarity as to the roles and responsibilities of each officer identified within the organisation, and so as to set out the rules for the flow of information and for making decisions on data protection matters.

2.3.4 Good data protection management is the responsibility of all staff who in any way collect, use, disclose or store personal data in the possession, or under the control, of the organisation.

2.3.5 Another misconception among smaller organisations – such as small and medium-sized enterprises (SMEs), sole proprietorships or freelancers that handle personal data – is that the requirement for a DPMP is, or should be, relevant only to listed companies and multi-national corporations (MNCs). This is incorrect. All organisations in Singapore are required to comply with the PDPA, and it would therefore be useful for them to develop and implement a DPMP to demonstrate accountability.

2.3.6 A similar misconception arises among organisations that operate, for example, on a business-to-business (B2B) basis, such as an organisation that manufactures goods and sells them on a wholesale basis to a retailer. The management may think that the PDPA is not relevant to them because they do not process a lot of personal data and may only collect, use, disclose and store personal data in connection with recruitment and HR management.

2.3.7 All organisations in Singapore are required to comply with the PDPA whether the quantity of such data is large or small; it would therefore be helpful to develop and implement a DPMP regardless of the size of the company.

2.3.8 Some voluntary welfare organisations (VWOs) may perceive that the PDPA does not apply to them because they are non-profit entities. The PDPA applies to all organisations that handle personal data, and is particularly important for VWOs because the reputational damage caused by a lack of good policies and processes for personal data or, worse, a data breach, could have an adverse effect on donors and members of the public.

2.3.9 Finally, there is a commonly encountered misconception that the protection of personal data required by law is just a legal issue, and that all an organisation needs to do is have its lawyers draft policies. This is a misconception by management and should be corrected.

2.3.10 A DPMP should be developed on an operational basis by all management responsible for those parts of the organisation that handle personal data, and implemented by staff who should receive practical training in the relevant policies and practices documented in the DPMP. In this way, the policies and practices can be embedded into day-to-day operations.

Resources For Chapter 2 Accountability

For further information on the Accountability Obligation and the concept of accountability in relation to personal data protection, see PDPC’s Advisory Guidelines on Key Concepts in the PDPA and the Guide to Accountability: https://www.pdpc.gov.sg/ag

For further information on a systematic framework to help organisations establish a robust personal data protection infrastructure, see PDPC’s Guide to Developing a Data Protection Management Programme (DPMP Guide): https://www.pdpc.gov.sg/og

For further information on key principles and illustrations for conducting a DPIA, which is a process that identifies, assesses and addresses personal data protection risks, see PDPC’s Guide to Data Protection Impact Assessments (DPIA Guide): https://www.pdpc.gov.sg/og

For further information on a digital self-assessment tool that helps organisations identify potential gaps in their compliance with the PDPA based on the organisation’s inputs and directs them to relevant PDPC advisory guidelines, guides and resources, see PDPC’s PDPA Assessment Tool for Organisations (PATO): https://www.pdpc.gov.sg/PATO