Chapter 7: Developing the Data Protection Management Programme (DPMP)
7. NEXT STEPS TO DEVELOPING THE DATA PROTECTION MANAGEMENT PROGRAMME (DPMP)

The key ‘takeaways’ from this chapter are to understand how an organisation:
(a) develops a data protection policy and designates data protection roles and responsibilities; and
(b) designs processes to operationalise policy.

7.1 Develop Policy – The policy lifecycle

7.1.1 An organisation’s governance and risk management structure will shape its data protection policies and practices.

7.1.2 As part of its corporate governance structure, the organisation should develop appropriate data protection policy and practices, and communicate them to both its internal stakeholders (e.g. staff) and external parties (e.g. vendors, customers). This will provide clarity to internal stakeholders on their responsibilities and the processes for handling personal data in their day-to-day work. Policies also demonstrate accountability to external parties by informing them of the value the organisation places on data protection and how it will protect personal data in its care.

7.1.3 The ‘policy lifecycle’ (including for policies other than a personal data protection policy) has four steps:
(a) drafting, reviewing, revising;
(b) getting management approval;
(c) communicating to stakeholders; and
(d) training and enforcing the policy.

7.1.4 In the drafting, reviewing, revising phase the DPO should draft the personal data protection policy:
(a) with input and review from the PDPA Project Team and the senior management executive sponsor; there will usually be a few discussion drafts for such input and review, followed by a finalisation process; and
(b) the DPO, the PDPA Project Team and the senior management executive sponsor overseeing and supporting the project should keep in mind that the purpose of the policy is to define what the organisation needs to do to comply with the PDPA – the two vital steps, which are iterative, not sequential, are to:
    (i) establish the purpose and scope of each of the policies that the organisation needs to adopt to comply with the PDPA; and
    (ii) identify the key areas (and risks) to which policies need to apply.

7.1.5 Again, there is no ‘one-size-fits-all’, but items that should generally be included in a personal data protection policy include:
(a) policies and practices about consent clauses, together with notification of purpose, in forms / contracts and a Consent Registry (see 3.6.6);
(b) policies and practices on handling access, correction and data portability requests, complaints and other queries in relation to individuals’ personal data;
(c) including confidentiality obligations in employment contracts (either directly in the contract or in an Employee Handbook (or similar document) that is incorporated into the employment contract), specifically mentioning personal data in such confidentiality obligations;
(d) an Acceptable Use Policy – sometimes called a Fair Use Policy, an Acceptable Use Policy sets out the constraints and practices that an employee must agree to for access to an organisation’s IT network and/or for access to the Internet via the organisation’s IT network;
(e) a Bring-Your-Own-Device (BYOD) Policy – a BYOD Policy sets out the rules governing the circumstances under which an employee can connect a device owned by them to the organisation’s IT network, the degree to which the organisation will support the device, and the extent to which the organisation may monitor that device (including the employee’s own personal information on it) and wipe the device clean of all data if it is lost or stolen;
(f) standard operating procedures – procedural or operational rules that apply to the employee in connection with the collection, use, disclosure and storage of personal data;
(g) the due diligence that employees must do before deciding to engage a data intermediary, and the personal data protection-related terms that employees must include in all contracts with data intermediaries;
(h) non-disclosure / confidentiality agreements with all third parties with whom the organisation may share personal data;
(i) an IT Policy and an Information Security Policy;
(j) a data / document retention policy; and
(k) personal data protection notices (see 7.3.1).

For further information about the policy lifecycle, refer to the International Association of Privacy Professionals’ (IAPP) Certified Information Privacy Manager (CIPM) programme.

7.2 Develop Policy – Internal data protection policies and practices

7.2.1 A ‘personal data protection policy’ is an internal statement for users of personal data – for example, the organisation’s employees – defining the policies established in relation to the ways in which they must, and must not, collect, use, disclose and store personal data in the organisation’s possession or under its control. The PDPA requires the policy to be accompanied by the organisation’s ‘practices’ – its standard operating procedures (SOPs) for collecting, using, disclosing and storing personal data. The personal data protection policy and accompanying practices are documents that are internal to the organisation.
7.2.2 There are two reasons why an organisation must develop an internal personal data protection policy.

7.2.3 The first reason is that the Accountability Obligation of the PDPA requires it to do so. The Accountability Obligation requires an organisation to develop the policies and practices (SOPs) that are necessary for the organisation to meet its obligations under the PDPA. See the Advisory Guidelines on Key Concepts in the PDPA and the Guide to Accountability under the Personal Data Protection Act for more information on the obligation (available at www.pdpc.gov.sg/ag). Accountability under the PDPA requires organisations to undertake measures in order to ensure that they meet their obligations under the PDPA and, importantly, to demonstrate that they can do so when required.

7.2.4 The second reason is that the principles set out in a personal data protection policy set the tone and provide guidance for the organisation’s treatment of personal data in its possession or under its control. They provide clarity to internal stakeholders – that is, employees and volunteers – on their individual responsibilities and the processes they must adopt in connection with collecting, using, disclosing and storing personal data in their day-to-day work.

7.2.5 Some organisations struggle with the question of who within the organisation ‘owns’ the organisation’s personal data protection policy, including its SOPs, and its data protection notice. The answer is ‘it depends’. Again, there is no ‘one-size-fits-all’. For an organisation engaged solely in B2B business, it likely makes sense for the HR Department to own these documents. For an organisation that is B2C and, due to say a loyalty programme or intense marketing initiatives, holds a large amount of personal data about its customers, it may make sense for the Marketing Department to own at least the data protection notice. For an organisation that has a Legal Department and/or a Compliance Department, it may make sense for a DPO sitting within such a department to own both the personal data protection policy and the data protection notice.

7.2.6 The point that an organisation must not overlook is that ownership of its personal data protection policy, including its SOPs, and its data protection notice must be clear. An organisation needs to avoid the risk of no one in particular having ownership.

The PDPC has published the following resources:
(a) Sample Clauses and Templates for Customers (available at https://www.pdpc.gov.sg/Help-and-Resources-Menu/Resource-DP-Professional);
(b) Sample Clauses for Obtaining and Withdrawing Consent (available at https://www.pdpc.gov.sg/Help-and-Resources-Menu/Resource-DP-Professional);
(c) Sample Clauses and Templates for Employees and Job Applicants (available at https://www.pdpc.gov.sg/Help-and-Resources-Menu/Resource-DP-Professional); and
(d) a Guide to Handling Access Requests (available at https://www.pdpc.gov.sg/og).

7.3 Develop Policy – External data protection notices

7.3.1 An external data protection ‘policy’ is often made available publicly / externally: an organisation typically includes what it calls a ‘Data Protection Policy’ or a ‘Privacy Policy’ on its website. This is mis-named: it is a notice, not a policy, and it must be distinguished from an internal data protection ‘policy’.

7.3.2 An external personal data protection notice also demonstrates accountability to external parties by informing them of the ways in which the organisation collects, uses, discloses and stores personal data and of certain other matters.

7.3.3 An organisation’s personal data protection policy is developed first. A ‘personal data protection notice’ is developed next and is an external statement made to the public, including the organisation’s stakeholders:
(a) reflecting what is in the personal data protection policy about how the organisation collects, uses, discloses and stores personal data;
(b) describing the rights of the individual in connection with that personal data (such as the right to withdraw consent and the right to access the personal data the organisation holds about them), which also reflects what is in the personal data protection policy about how an individual exercises these rights; and
(c) describing how stakeholders can contact the organisation’s Data Protection Officer (DPO) to make a general query or complaint, for example about how the organisation has processed personal data about them.

7.3.4 The data protection notice that an organisation posts on its website may be the most obvious example, but most organisations have various other notices that cover at least some of the same ground.
Here are some examples:
(a) notices given in a contract with the organisation – for example, a credit card contract and an employment contract;
(b) a separate consent form that an organisation might decide to use to obtain consent from, and notify the purpose of collection, use, disclosure and storage of personal data to, an individual – a consent form separate from the document used to collect personal data might be used where, for example, the consent and notification of purpose language needs to be quite extensive (perhaps because it requires various levels of explanation) and therefore a separate consent form is less confusing for the relevant individual;
(c) notices given to an individual when they make an application to the organisation – for example, the consent and notification of purpose language on an application to join a club or to become a volunteer with a social service organisation (SSO) or voluntary welfare organisation (VWO);
(d) notices given on a website when, for example, an individual has the opportunity to complete an online registration or application process – for example, a short notice about the specific online collection occasion, which may be in addition to a link to the data protection notice on the organisation’s website; and
(e) notices given in signage – for example, a notice that CCTV is operating for security and safety purposes.

7.3.5 In both the data protection notice that an organisation posts on its website and in any other data protection notice that an organisation might give or publish, there are a few common sense do’s and don’ts that an organisation should keep in mind:
(a) do be clear and informative – be genuinely informative and think about the notice as an exercise in communication with the organisation’s stakeholders rather than as merely a legal requirement;
(b) do be easy to understand – do not assume that everybody has the same level of understanding, so use simple language. Adopt a simple style that your intended audience will find easy to read and understand;
(c) do use a simple style – again, think of the notice as an exercise in communication and, as such, do not use terminology that might confuse the general public and do not use legalistic language; and
(d) do consider using a layered notice – a layered notice can be relevant where it makes sense to highlight important points that could be of concern to stakeholders and give them the ability (such as through a hyperlink) to find out more details on these important points.

7.3.6 The common-sense do’s and don’ts that apply to drafting an external personal data protection notice (see 7.3.5) also apply to an organisation’s internal personal data protection policy, including its SOPs, because the data protection notice reflects the personal data protection policy (see 7.2). In summary, the relevant stakeholders (the organisation’s employees) must be able to understand the personal data protection policy, and it must communicate to them what they must do and what they must not do. It must use terminology that does not confuse them and it should not use legalistic language.

For more details on notification, see the Guide to Notification (available at https://www.pdpc.gov.sg/og). The PDPC also has a Data Protection Notice Generator (available at https://www.pdpc.gov.sg/Help-and-Resources) to generate basic data protection template notices that inform stakeholders on how the organisation manages personal data. The PDPC has also published various sample clauses and notices for organisations to use depending on the manner and type of personal data collected (available at https://www.pdpc.gov.sg/Help-and-Resources?persona=dp-professional&type=sample-clauses-and-templates).

7.4 Develop Policy – Management approvals

7.4.1 An organisation’s personal data protection policy is inward facing, and the policies, including SOPs, should be practical, easy to understand and as simple to follow as possible. They should also be aligned with each other and consistent – in other words, the DPO must take care to ensure that complying with one policy / SOP does not result in failing to comply with another policy / SOP. As mentioned above, checklists are often useful as part of the SOP component.

7.4.2 The DPO should also get legal sign-off on the PDPA compliance aspects (as contrasted with the practical / operational aspects) of the draft personal data protection policy.

7.4.3 The process in the ‘getting management approval’ phase varies, typically depending on the size and internal rules of the organisation:
(a) in some organisations, the senior management that need to approve the personal data protection policy comprise the PDPA Project Team;
(b) in other organisations, the DPO will need to endorse the draft DPMP and send it to senior management for approval; and
(c) some other organisations will have a different, but defined, approval process that the DPO will need to follow to get the draft personal data protection policy approved.
7.5 Develop Policy – Regular reviews of policies

7.5.1 The policy life cycle is continuous – organisations should learn from:
(a) general feedback, including from operational employees, about its personal data protection policy, including its SOPs;
(b) complaints the organisation receives about the way the organisation collects, uses, discloses and stores personal data;
(c) good data protection developments in their specific industries;
(d) international trends and best practices; and
(e) enforcement decisions published by the PDPC as well as new guidelines and other documents published by the PDPC,
about what needs to change in order to improve the organisation’s personal data protection policy and/or keep it up-to-date with new developments in the compliance landscape or in the organisation’s business.

7.5.2 An organisation should review its personal data protection policy; such review may be immediate (ad-hoc) or periodic. Here are some of the situations where an organisation would need to consider conducting an immediate review:
(a) when there are legislative changes and updates to the PDPA and other related legislation;
(b) after the organisation suffers a personal data breach or other major incident;
(c) whenever business circumstances change majorly, including when the organisation introduces a new product or service that involves it in collecting, using, disclosing and storing personal data, and/or is involved in selling part of its business, acquiring a new business or merging with another organisation; and
(d) whenever the PDPC issues an enforcement decision or new guidelines that may indicate that an amendment to the organisation’s personal data protection policies and/or its SOPs may be necessary.

7.5.3 In addition, the organisation may conduct a periodic (e.g. annual) review, which may take into account minor incidents (e.g. accidental unauthorised access by an employee to personal data) or revisions of processes or systems that have minimal effect on data protection (e.g. a change of the DPO’s business contact information).

7.5.4 In this respect, organisations would need to keep abreast of changes and developments within and outside the organisation, which may include technological changes or emerging technologies that may result in increased data protection risks, or feedback from stakeholders.

7.5.5 An organisation’s data protection policies and practices should be accessible. Organisations should keep stakeholders apprised of changes to their policies or practices as part of their training and communication plan.

7.5.6 In addition to a personal data protection policy, including SOPs, an organisation needs to develop an information security policy that focuses on the organisation complying with the Protection Obligation under the PDPA.

7.6 Develop People – Structuring the team, roles and responsibilities

7.6.1 There are various ways in which an organisation can structure its data protection office / function. Depending on the size of an organisation it might have either:
(a) a data protection officer (DPO);
(b) a data protection office staffed with a team that is led by a DPO; or
(c) a governance committee (that deals with a range of governance and compliance issues including personal data matters),
that, in each case, reports either:
(d) to senior management, such as the Chief Executive Officer (CEO) (or an executive committee comprised of staff who report directly to the CEO and chaired by the CEO) or the Chief Operating Officer (COO), with such senior management, in turn, reporting to the organisation’s board of directors; or
(e) to the organisation’s board of directors directly.
7.6.2 A data protection office would be staffed by, and a governance committee would consist of, employees appointed from senior management with specific personal data protection-related job experience, such as:
(a) department representatives: a representative of each department in the organisation that collects, uses, discloses and/or stores personal data – each such person would be responsible for personal data protection measures and awareness in their respective departments;
(b) communications: an employee responsible for external communications and internal communications to engage external and internal stakeholders on the organisation’s personal data protection policies and practices, and to train staff;
(c) access, correction and data porting request handling: an employee with responsibility for handling access, correction and data porting requests made by members of the public;
(d) incident response: an employee responsible for handling complaints and incidents related to the PDPA (see the PDPC’s DPMP Guide for a resource on how to develop a dispute resolution process – www.pdpc.gov.sg/Legislation-and-Guidelines/Guidelines/Other-Guides),
supported (optionally) by:
(e) internal audit: to provide independent assurance when checking the organisation’s adherence to the PDPA; and
(f) legal: to provide legal opinions on PDPA-related matters.

7.7 Develop People – Communication and Training Strategies

7.7.1 Personal data protection cuts across roles, functions and hierarchy in the organisation; it should be recognised and practised by all levels in the organisation (including volunteers, agents and contract staff) and not limited to the appointed data protection representatives.

7.7.2 All employees of the organisation and any contractors with the organisation that function as internal contractors (that is, similarly to employees, as contrasted with external contractors who do not) must be trained in the organisation’s personal data protection policies and practices / SOPs. The necessary training may be indicated by the following progression:
(a) on-boarding: upon commencing work with the organisation, all employees and internal contractors must have:
    (i) a briefing on the fundamentals of the PDPA; and
    (ii) access to an internal repository on data protection matters (for example, policies);
(b) on-the-job assignment: all employees and internal contractors whose role requires them to collect, use, disclose and/or store personal data (for example, HR staff, Sales and Marketing staff) must have:
    (i) in-depth training on the organisation’s data protection processes; and
    (ii) if there is a change in their job scope, in-depth training on specific personal data protection processes, if any;
(c) ongoing: all employees, contractors and volunteers must have:
    (i) refresher training on the fundamentals of the PDPA;
    (ii) briefings on specific personal data protection policies and processes / SOPs;
    (iii) reminders on personal data protection policies and processes / SOPs; and
    (iv) updates on any changes to personal data protection policies and processes / SOPs;
(d) promotion: employees and internal contractors with greater responsibility over personal data protection must have in-depth training on specific data protection processes, if any; and
(e) exit: employees and internal contractors who are leaving the organisation must be subject to requirements on the proper handling of personal data upon exit – for example, requirements about not mis-using personal data they have handled.
7.7.3 Organisations can adopt various personal data protection initiatives to demonstrate accountability – in other words, to help the organisation assure its customers that it takes responsibility for collecting, using, disclosing and storing the personal data in the organisation’s possession and/or under its control. These initiatives may include:
(a) increasing the awareness of its customers about the organisation’s personal data protection initiatives by, for example, including a personal data protection notice on the organisation’s website or providing it promptly upon request by a customer;
(b) ensuring staff are able to handle personal data protection-related requests made by customers, such as requests to withdraw consent as well as access and correction requests – you may wish to refer to the DPMP Guide for a resource on “Developing a Process for Dispute Resolution” (see https://www.pdpc.gov.sg/og);
(c) providing regular updates on key developments in the organisation’s personal data protection policies by, for example, including them in e-newsletters sent to customers; and
(d) being open to feedback from customers on the way the organisation collects, uses, discloses and stores personal data – this is particularly important if an organisation is a data intermediary (because it processes personal data on behalf of its customers) and, in this case, the organisation should actively engage with its customers and seek clarity on the way they want to deal with the relevant type of personal data. For example, some customers may have special requirements because the data they provide for processing is sensitive (such as health information or financial information).

7.7.4 Policies need to be communicated to relevant stakeholders and training of staff conducted. Organisations may wish to consider adopting practical ways to share personal data protection measures and embed personal data protection-related topics into their training and communication plan. A snapshot of the various initiatives, and the phases at which they may be conducted throughout a typical employment journey, is illustrated below.

7.7.5 When communicating the personal data protection policy to (relevant) stakeholders:
(a) the most obvious group of stakeholders for this step is employees: all members of the PDPA Project Team should have actively engaged at least the key employees working in their respective departments involved in that process, seeking input from them and resolving any concerns raised by them, particularly any concerns they have that a personal data protection policy will prevent them from achieving their key performance indicators (KPIs); and
(b) the personal data protection policy should be communicated to other stakeholders (i.e. third party service providers) who may be required by the organisation to comply with it.

7.7.6 Communication and training on data protection should be done in the way that best suits the way the organisation operates, but might include, for example:
(a) heads of department presenting the policy to department members at a regular department meeting or a department meeting called specifically for that purpose;
(b) email from senior leadership to all employees;
(c) publishing the personal data protection policy on the organisation’s Intranet; and
(d) including the personal data protection policy as part of the organisation’s on-boarding process for new employees.

7.7.7 The organisation needs to ensure that all employees and any other stakeholders who are required to comply with its data protection policies and practices are thoroughly trained on both the policies necessary for compliance with the PDPA and the SOPs that may affect how they do their jobs. While this may be part of the job of the DPO (perhaps in conjunction with the head of HR and/or the members of the PDPA Project Team), the DPO needs to have visible leadership / senior management support in order to be successful in executing this phase of the policy life cycle.

7.7.8 The organisation must ensure that the personal data protection policy is implemented. Organisations may want to consider conducting regular checks or audits to ensure that employees comply. Failure to comply should have disciplinary consequences, and those consequences must be clearly and consistently applied.

7.7.9 Examples of Training (figure)

7.8 Develop People – Examples of Training Activity

7.8.1 An organisation should ensure that its employees, volunteers and internal contractors who collect, use, disclose and/or store personal data receive in-depth PDPA training that is specific to the organisation’s personal data protection policies and practices / SOPs. They should be trained upon assignment to a specific job role and when there is a change in their role or job scope. They should also be trained when the organisation makes a change to its personal data protection policies and practices / SOPs. Consequently, an organisation should develop targeted personal data protection training that is aligned with its personal data protection policies and practices / SOPs. There are various ways in which employees and internal contractors who handle personal data can receive training, including by attending:
(a) the PDPC’s sectoral briefings;
(b) ‘An Introduction to the Fundamentals of Personal Data Protection Act for Non-Legal Personnel’ (under the Business Management WSQ); and
(c) training provided by external vendors.
7.8.2 An organisation should provide refresher training to all of its employees and internal contractors on a periodic basis (for example, annually) and on an ad-hoc basis where there is a revision to the PDPA, to the PDPC’s guidelines or to the organisation’s personal data protection policies and practices / SOPs. The organisation should do this by providing a course to refresh employees’ and internal contractors’ knowledge of the PDPA and to facilitate compliance with the PDPA. It should also circulate to them updated materials on personal data protection. This refresher training can be done in various ways, including:
(a) reminding all employees and internal contractors of the organisation’s personal data protection policies and practices / SOPs through newsletters, electronic direct mailers (eDMs), posters, videos, the organisation’s Intranet or circulars, or by holding roadshows, town hall sessions or brownbag discussions; and
(b) attending PDPC events, such as seminars and briefings.

7.8.3 Organisations may also consider supporting their employees and internal contractors who are part of the data protection office (see 7.6.1 and 7.6.2) to:
(a) attend personal data protection-related trainings and seminars so that they are updated about personal data protection regulations and requirements; and
(b) obtain personal data protection certification, such as the Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional, Asia (CIPP/A) certifications by the International Association of Privacy Professionals (IAPP) – see https://iapp.org/certify/programs/ – as part of their career development.
7.9 Develop Process – HR policies and practices
_________________________________________________________________________
7.9.1 As the human being is often the weakest link in any data protection or information security system, it is important for an organisation to perform due diligence on the people it hires as employees or takes on as internal contractors. An organisation should develop and implement human resources policies and practices / SOPs covering, for example:
(a) conducting screening and background checks on candidates for employment or internal contracting during the recruitment stage, and additional checks on individuals taking up trusted or sensitive positions (including positions at the sites of the organisation's clients);
(b) ensuring that all employees, internal contractors, interns and volunteers are bound by a confidentiality / non-disclosure agreement covering proprietary information and personal data;
(c) ensuring that employees who collect, use, disclose and/or store personal data have clear information security roles and responsibilities;
(d) including PDPA clauses in employment contracts (which may be done by including them in an Employee Handbook (or similar document) that is incorporated into each employment contract) and in service contracts, so that: (i) employees and internal contractors are specifically required to comply with the organisation's personal data protection policies and practices / SOPs and any related policies and practices / SOPs; and (ii) if they fail to do so they are subject to disciplinary procedures, up to and including dismissal / termination of their service contract; and
(e) upon termination of an employment contract or a service contract, ensuring that: (i) the employee's or internal contractor's access to the organisation's premises and their IT rights (for example, their email account with the organisation and their log-in credentials for the various applications used by the organisation) are terminated immediately; and (ii) the employee or internal contractor returns all access cards, keys, IT equipment, storage media, etc. to the organisation on or before their last day of employment / service.

7.9.2 The organisation may also remind employees that, subject to certain exemptions and defences, individuals, including employees, can now be held accountable for:
(a) knowing or reckless unauthorised disclosure of personal data;
(b) knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
(c) knowing or reckless unauthorised re-identification of anonymised data.

7.9.3 The key risk addressed by an organisation's human resources policies and procedures / SOPs is unauthorised access to, and/or abuse of, personal data in the possession or under the control of the organisation. The PDPA obligation addressed by such policies and procedures / SOPs is the Protection Obligation. Such policies and practices / SOPs may be 'owned' by:
(a) if the organisation has an HR department, the head of the HR department;
(b) if HR in the organisation is handled by an administrative department, the head of that administrative department; or
(c) otherwise, the DPO.

7.9.4 Organisations may wish to consider adopting practical ways to share personal data protection measures and embed personal data protection-related topics into their training and communication plan. See 7.7 for a snapshot of the various initiatives that an organisation should adopt and the phases in the typical employment journey at which they should be conducted.
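A practical check for 7.9.1(e) is to reconcile the HR leaver list against the directory and badge-system exports and flag any account or access card that is still enabled after its owner's last day, so that a missed deprovisioning step is caught rather than assumed. The following is an added example written for this chapter, not code from the PDPC guide; the record layout, the HRIS and directory field names and the sample leavers and credentials are all constructed assumptions, and a real run would load the same shapes from the organisation's HR system and identity provider.

```python
"""Leaver access reconciliation: an added example for 7.9.1(e), not part
of the PDPC guide.  All field names and sample records are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Leaver:
    """One row of the HR leaver list (assumed HRIS export shape)."""
    person_id: str
    last_day: date           # last day of employment / service contract


@dataclass(frozen=True)
class Credential:
    """One account or access card (assumed directory / badge export shape)."""
    owner_id: Optional[str]  # None: cannot be tied to any HR record
    kind: str                # "account" or "access_card"
    identifier: str          # user name or card serial
    enabled: bool


# Constructed sample data: two leavers whose access was not fully revoked,
# one person who has given notice but has not left yet, and an account
# that no HR record claims.
LEAVERS: List[Leaver] = [
    Leaver("E1001", date(2024, 3, 29)),   # employee, left end of March
    Leaver("C2002", date(2024, 4, 12)),   # contractor, contract ended
    Leaver("E1003", date(2024, 6, 30)),   # future leaver, still employed
]

CREDENTIALS: List[Credential] = [
    Credential("E1001", "account", "jtan", True),                 # missed
    Credential("E1001", "access_card", "CARD-0451", False),       # revoked
    Credential("C2002", "account", "svc-contractor-2002", False), # revoked
    Credential("C2002", "access_card", "CARD-0873", True),        # missed
    Credential("E1003", "account", "mlim", True),                 # still valid
    Credential(None, "account", "tmp-vendor-login", True),        # orphan
]

CHECK_DATE = date(2024, 5, 1)   # assumed date on which the check is run

# A finding is (person_id or "ORPHAN", kind, identifier, days_overdue).
Finding = Tuple[str, str, str, Optional[int]]


def find_lingering_access(leavers: List[Leaver],
                          credentials: List[Credential],
                          as_of: date) -> List[Finding]:
    """Report every enabled credential whose owner's last day is before
    `as_of`.  Access is allowed through the last day itself, so a leaver
    with last_day == as_of is not yet overdue.  Enabled credentials with no
    HR owner are reported as ORPHAN: nobody's departure will ever trigger
    their removal, so they need a named owner or deletion."""
    last_day_by_person = {lv.person_id: lv.last_day for lv in leavers}
    findings: List[Finding] = []
    for cred in credentials:
        if not cred.enabled:
            continue                       # already revoked, nothing to do
        if cred.owner_id is None:
            findings.append(("ORPHAN", cred.kind, cred.identifier, None))
            continue
        last_day = last_day_by_person.get(cred.owner_id)
        if last_day is None or as_of <= last_day:
            continue                       # not a leaver, or not yet left
        overdue = (as_of - last_day).days
        findings.append((cred.owner_id, cred.kind, cred.identifier, overdue))
    return findings


def run_check() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return find_lingering_access(LEAVERS, CREDENTIALS, CHECK_DATE)


if __name__ == "__main__":
    for person, kind, ident, overdue in run_check():
        when = "no HR owner" if overdue is None else f"{overdue} days overdue"
        print(f"{person:>8}  {kind:<12} {ident:<22} {when}")
```

Run the check after each HR cycle and on every termination notice. The ORPHAN category matters because an account with no HR owner cannot be tied to any leaver's last day and so escapes the normal off-boarding trigger entirely. The output also doubles as evidence for the internal audit described in 7.11.7, and a finding with a large days-overdue value is exactly the kind of item a DPO should escalate under 7.11.5.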
Organisations may also adopt a DPMP Checklist recording an implementation date and the process owner for:
(a) policies: the organisation's (i) personal data protection policy; (ii) personal data protection notice; and (iii) other policies related to the personal data protection policy, such as an information security policy, a data retention policy, a social media policy, a bring-your-own-device (BYOD) policy and HR policies and procedures;
(b) people: the organisation's training plan; and
(c) process: the organisation's (i) PDPA Assessment Tool for Organisations (PATO); (ii) consent registry; (iii) practices / SOPs that are included in, and underpin, its personal data protection policy; (iv) data classification policy (see 5.2); (v) 'maker checker' process or buddy system (a maker checker process is one in which one individual 'makes', or inputs, personal data from a paper form into an IT system and another individual 'checks' that the input is correct); (vi) contractual clauses to protect the organisation from PDPA risks arising from a third party's actions or inactions; and (vii) third party measures, such as appropriate due diligence on a potential data intermediary so that the organisation can decide whether that potential data intermediary is capable of complying with the PDPA.

7.10 Develop Process – Access, Correction and Data Porting requests
_________________________________________________________________________
7.10.1 Organisations need to develop policies and practices on how to handle requests made by individuals for access to personal data about them, requests for correction of such personal data, and requests for data porting, so that they comply with the Access and Correction Obligation and the Data Portability Obligation.
7.10.2 For instance, with respect to access requests, an organisation might consider the following points when developing such policies and practices:
(a) how does the organisation intend to receive access requests: is there, or should there be, a standard access request form that a requestor may use and, if not, what information will the organisation require the applicant to provide in order for it to proceed with the access request?
(b) what channels (for example, email, post or another avenue specified by the organisation) may a requestor use to submit an access request?
(c) what specific information does the organisation require in order to search for and locate the requested personal data in a timely manner (for example, the type of personal data requested and the date and time at which the organisation collected it)?
(d) will the organisation charge a fee to process an access request and, if so: (i) how will the organisation compute the fee so that it accurately reflects the time and effort required to respond to the request; and (ii) will the fee be provided in writing to the requestor?
(e) if the fee to process an access request turns out to be higher than originally estimated, how will the organisation communicate the higher fee in writing to the applicant?
(f) what procedures are established, or should the organisation establish, to verify the identity of the individual making an access request (for example, the proof of identity required from the applicant, or the verification questions to be asked to establish the requestor's identity)?
(g) where a request is made on behalf of another individual, what procedures are established, or should the organisation establish, to verify the identity of the person making the request and to check that they are validly acting on behalf of that individual, and what forms of proof are required?
(h) how will the organisation assess whether an access request falls within one of the prohibitions on, or exceptions to, access, such that access must not be given or the organisation is not required to give it?
(i) what records will the organisation keep of access requests and how will it keep them?
(j) what process will the organisation put in place for recording all access requests received and processed by it, including access requests received but not processed because an exception applied?
(k) what retention policy will the organisation establish for records of access requests received?
The PDPC has published a Guide to Handling Access Requests (available at https://www.pdpc.gov.sg/og).

7.11 Develop Process – Establish risk monitoring, reporting and internal audit structure
_________________________________________________________________________
7.11.1 As part of corporate governance, organisations are encouraged to establish an enterprise risk management framework with monitoring and reporting mechanisms (that is, regular risk reporting and internal audit) that addresses personal data protection issues. Such a structure provides clarity on the direction and manner in which the organisation manages personal data protection risks, among others.

7.11.2 A fundamentally important part of risk management in connection with personal data protection is for the organisation to have a documented process under which the DPO monitors identified personal data protection risks and communicates and reports them regularly to senior management. This gives the DPO and senior management a shared understanding of what senior management wants to know about: which matters should be escalated to senior management, either routinely or when an incident occurs that may relate to a failure to comply with the PDPA.
It avoids a situation where: (a) the DPO hesitates to report matters early in case senior management considers that the DPO is wasting their time; and (b) senior management becomes frustrated that the DPO did not report matters early enough for senior management to be able to do something about them.

7.11.3 Larger organisations should have a formal enterprise-wide risk management programme in place, with requirements for conducting internal audits and with agreed reporting mechanisms. In any such case, the reporting required of the DPO in connection with compliance risks under the PDPA can be integrated into that existing enterprise-wide risk management framework. Similarly, the organisation's requirements for conducting internal audits to monitor and evaluate the implementation of its data protection policies and practices / SOPs can be integrated into that same framework.

7.11.4 Where an organisation does not have a formal enterprise-wide risk management programme, it should establish a framework with reporting mechanisms (that is, regular risk reporting and internal data protection audits) as part of the organisation's DPMP.
7.11.5 The basic factors that must be determined for reporting PDPA compliance risks are:
(a) to which member or members of senior management (by job title) should the DPO report personal data protection risk-related matters;
(b) which matters should the DPO report to senior management:
(i) all risks, or only, say, the top five or top ten risks, or, say, the top five risks plus any other risks relating to defined factors (for example, the senior management of a voluntary welfare organisation might want to know about all risks relating to donors, and the senior management of an accounting firm might want to know about all risks relating to its clients' financial information);
(ii) the risks that, if they occur, are likely to have an impact in excess of parameters defined by senior management, such as financial impact and/or reputational risk in social media; and/or
(iii) the risks defined in accordance with other considerations specified by senior management as being of particular concern to the organisation; and
(c) how often should the DPO report to senior management, and with what level of formality; for example:
(i) on an ad hoc basis and verbally for any matter that the DPO considers urgent, with a follow-up written report as soon as practicable;
(ii) monthly, quarterly or annually in connection with changes to the organisation's personal data protection policies and practices / SOPs;
(iii) monthly, quarterly or annually for the results of, and the actions identified by the organisation after completing, a Data Protection Impact Assessment (DPIA) and/or a PDPA Assessment Tool for Organisations (PATO);
(iv) monthly, quarterly or annually on items such as personal data protection audit plans, the status of existing and new risks, risk ratings and action plans, and current personal data protection issues that are routine (rather than urgent) but significant enough for the DPO to report them to senior management; and
(v) quarterly or annually on items such as refreshed personal data protection risk profiles and summaries of remediation plans.

7.11.6 To function effectively, the DPO should, before reporting risks to the senior management of an organisation:
(a) consider what questions senior management are likely to ask and seek to forestall them by providing the answers, while bearing in mind the sometimes fine balance between providing basic information quickly and providing more comprehensive information less quickly;
(b) ensure that the matter is within the scope of matters that senior management has agreed should be escalated to them, either routinely or on a case-by-case basis; if in doubt, the DPO should escalate the matter; and
(c) consider how best to present the matter to senior management; individual preferences matter, but most members of senior management will want to see recommended next steps and/or controls from the DPO, again balancing speed against comprehensiveness.

7.11.7 Another very important part of risk management in connection with personal data is for an organisation to establish an internal audit protocol to regularly monitor and evaluate the overall implementation of its personal data protection policies and practices / SOPs. Depending on the size and needs of the organisation, such an audit could consist of:
(a) conducting a formal internal audit on a periodic basis;
(b) conducting 'surprise checks' or inspections from time to time and at irregular intervals;
(c) engaging an external party, either on a periodic basis or as and when required, to evaluate the organisation's implementation of its personal data protection policies and practices / SOPs; or
(d) obtaining and maintaining certifications for the organisation's personal data protection measures, such as the Data Protection Trustmark (DPTM) Certification.
For more information on the DPTM, see www.imda.gov.sg/dptm.

Resources For Chapter 7 Developing The Data Protection Management Programme (DPMP)
For further information about the policy lifecycle, refer to IAPP's Certified Information Privacy Manager (CIPM) programme: https://iapp.org/certify/programs/
For further information on the Accountability Obligation, see PDPC's Advisory Guidelines on Key Concepts in the PDPA: https://www.pdpc.gov.sg/ag
For further information on Sample Clauses and Templates for Customers: https://www.pdpc.gov.sg/Resources/For-Organisations
For further information on Sample Clauses for Obtaining and Withdrawing Consent: https://www.pdpc.gov.sg/Resources/For-Organisations
For further information on Sample Clauses and Templates for Employees and Job Applicants: https://www.pdpc.gov.sg/Resources/For-Organisations
For further information about handling access requests, see PDPC's Guide to Handling Access Requests: https://www.pdpc.gov.sg/og
For further information on handling complaints and incidents related to the PDPA, see PDPC's DPMP Guide for a resource on how to develop a dispute resolution process: https://www.pdpc.gov.sg/og