Chapter 4: Identify and Document Personal Data Handling
Document Details
Uploaded by AthleticSilver740
NUS Faculty of Law
Summary
This chapter discusses data handling practices for organizations by identifying business processes involving personal data and outlining ways an organization collects, uses, discloses, and stores personal data. It explains data inventory maps and data flow diagrams for documenting these processes. The document also presents examples of common business processes.
Full Transcript
4. IDENTIFY AND DOCUMENT PERSONAL DATA HANDLING

The key ‘takeaways’ from this chapter are:

Identify and document the organisation’s personal data handling practices by:
(a) identifying business processes which involve personal data and
(b) documenting the way in which an organisation collects, uses, discloses and stores personal data and uses and discloses it as part of its business process using diagrams and charts such as data inventory maps or data flow diagrams

[Figure: DPMP stages: Identify PD Handled; Identify, Assess and Manage Risks; Develop DPMP; Maintain DPMP]

4.1 Document Data lifecycle – what it is and why organisations need it

4.1.1 The first thing an organisation needs to do when developing a DPMP is to document personal data flows in your organisation to understand how personal data is being collected, stored, used, disclosed, archived/disposed. This can be done using a data inventory map or data flow diagram. (A data inventory map template and a sample data flow diagram are available in the DPMP Guide, available at https://www.pdpc.gov.sg/og.) Each data inventory map or data flow diagram should include personal data handling details for each business process within an organisation.

4.1.2 A data inventory map is easy to develop, maintain and update, does not require high level software and skills, has no limitations on recording of information and is effective for extensive and complex data flows. However, it lacks visual representation of data flows and is limited in representation on interconnectivity of personal data.

4.1.3 On the other hand, a data flow diagram is handy for quick reference, general flow of personal data can be easily understood, no technical knowledge is required to understand with simple notation and is effective for small, interconnected data.
However, it is challenging to develop and maintain, information to be presented is limited depending on size and/or type of personal data and it might not be effective for large, interconnected data.

4.2 How an organisation understands data life cycle

4.2.1 To understand the data lifecycle, the organisation needs to analyse the flows of personal data in its business processes. To build a data inventory map/data flow diagram, the organisation must first identify the core processes in its business that involve the collection, use, disclosure and storage of personal data. Here are some examples of common business processes:

(a) finance department: payroll, tax matters, employee claims (for example, reimbursement of expenses), associates’ commissions, customer invoicing and payment

(b) customer service department: complaints handling, access and correction requests, customer servicing

(c) human resource department: recruitment (including background checking), headcount planning and management, employee management, health check process, work passes for foreign employees, personnel movement and change, performance management, disciplinary procedures, grievance management and investigations, processing employee resignations / terminations, succession and talent planning, compensation and benefits, company insurance

(d) sales and marketing department: leads generation (including by direct mail, telemarketing and e-marketing), prospecting (including by cold calling and following up on referrals), loyalty and rewards programmes, customer acquisition / onboarding, customer relationship management

(e) information technology (IT) department: account, archival, access, systems, device (including mobile device), database, cloud, backup and security management and managing the organisation’s customer relationship database

4.2.2 A data inventory map or data flow diagram should be produced for each process/activity undertaken by a department in connection with the collection, use, disclosure and storage of personal data. In some cases, it will make sense to produce an overall data inventory map for a department; in other cases, a single map may be too complex and two or more separate maps will be more useful for analysing the collection, use, disclosure and storage of personal data for a department’s business processes.

4.2.3 It is important to document the data lifecycle so that the organisation has detailed information that enables it to determine what it needs to do to comply with the PDPA. The organisation needs to know:

(a) the types of personal data it processes so that it can:

(i) consider whether it is collecting personal data excessively so as to comply with the obligation to not collect personal data beyond what is reasonable to provide the organisation’s products or services to individuals unless consent is obtained; and

(ii) determine the level of security that should be attached to each process in order to comply with the protection obligation – for example, the personal data disclosed to IRAS is much more sensitive than the personal data collected in the complaints process and therefore requires a higher level of protection;

(b) the different points at which data is collected so that the organisation can assess the risks that may arise, including in transferring the data from the collection point to its storage point, and decide how to control them so as to comply with the Protection Obligation;

(c) the ways in which the data is collected so that the organisation can:

(i) determine the appropriate method of obtaining consent to collect, use, disclose and store personal data so that the organisation complies with the Consent Obligation, the Notification Obligation and the Purpose Limitation Obligation.
For more information on notifying individuals of the purposes for which an organisation is collecting, using or disclosing their personal data see the PDPC’s Guide to Notification (available at https://www.pdpc.gov.sg/og);

(ii) assess the risks posed by any third party collecting the personal data on behalf of the organisation and for which the organisation will be responsible; and

(iii) assess whether there are risks arising from personal data being collected in paper documents and then entered into the organisation’s IT system that might result in the organisation failing to comply with the Accuracy Obligation;

(d) when the personal data is collected so that it can, for example:

(i) ensure the adequacy of any necessary express consent at the time of first collection; and

(ii) assess whether the organisation can rely on any exceptions to consent or the relevant individual being deemed to have consented to the collection, use, disclosure and storage of their personal data;

(e) all of the reasons why the personal data is collected so that it can ensure that any necessary consent for collection, use, disclosure and storage of the personal data is adequate;

(f) where the data is stored so that it can assess the security arrangements – the controls – that it needs to put in place in order for the organisation to satisfy the Protection Obligation;

(g) which apps / vendors / third parties / data intermediaries process data so that it can ensure that it has carried out appropriate due diligence on them and entered into a contract with them;

(h) which departments process the personal data so that heads of those departments can be properly involved in the development of the DPMP insofar as it affects their business processes – also, for example, if the department uses the personal data to make cold calls the organisation would need to take the DNC provisions (see 1.3) into account;

(i) to whom the personal data is disclosed so that:

(i) the organisation can ensure that any necessary express consent is adequate to cover such disclosures – that is, that the organisation complies with the Consent Obligation, the Notification Obligation and the Purpose Limitation Obligation;

(ii) the organisation will be aware of any sharing of personal data, including with companies related to/in the same corporate group as the organisation – for information on data sharing see the PDPC’s Guide to Data Sharing (available at https://www.pdpc.gov.sg/og); also see the PDPC’s comments on Data Sharing Arrangements available at https://www.pdpc.gov.sg/Help-and-Resources-Menu/Resource-DP-Professional; and

(iii) the organisation can ensure, in any event, that the PDPA permits it to make such a disclosure in the manner that the personal data is being disclosed;

(j) where an external service provider is located so that the organisation can take the transfer limitation obligation into account and comply with the relevant regulations under the PDPA;

(k) how the data is disposed of securely so that the organisation can ensure that it is, in fact, disposed of in such a way that does not leave the situation open to a breach of the protection obligation; and

(l) how long the data is retained and when the organisation disposes of it so that the organisation does not risk a failure to comply with the Retention Limitation Obligation.
Resources For Chapter 4 Identify And Document Personal Data Handling

For more information on notifying individuals of the purposes for which an organisation is collecting, using or disclosing their personal data see the PDPC’s Guide to Notification (available at https://www.pdpc.gov.sg/og)

For further information to document personal data handling, data inventory map template and sample data flow diagram see PDPC’s Guide to Developing a Data Protection Management Programme (DPMP Guide) (available at https://www.pdpc.gov.sg/og)

For further information on data sharing see PDPC’s Guide to Data Sharing (available at https://www.pdpc.gov.sg/og)

For further information on data sharing see PDPC’s comments on Data Sharing Arrangements (available at https://www.pdpc.gov.sg/Help-and-Resources-Menu/Resource-DP-Professional)