About two years ago, the Personal Data Protection Commission (PDPC) released a Guide to Developing a Data Protection Management Programme that encourages organisations to adopt a systematic framework covering policies, processes and people. This enables them to demonstrate accountability and provides confidence to stakeholders.
The Law Society of Singapore examines the concept of accountability by outlining salient learning points from common lapses in data protection that can be managed better, with the proper mindset and approach.
An organisation is liable for the acts and conduct of its employees in relation to unauthorised disclosure of its stakeholders' personal data. The management and owner cannot, therefore, delegate their responsibility entirely to their employees in the expectation that the latter will carry out the proper safeguards. The organisation has to implement reasonable security arrangements that are "commensurate with the sensitivity of the data in question".
It is mandatory for an organisation to designate at least one individual to be the Data Protection Officer (DPO), who will be responsible for ensuring that the organisation complies with the Personal Data Protection Act (PDPA). DPOs should undergo proper training and be the key contact point if a personal data breach is discovered.
Though the PDPA does not have a special or separate category of "sensitive" personal data, the PDPC does take a stricter view when considering a case where the personal data compromised is of a sensitive nature. For instance, a client's financial information, together with other identifying information, can constitute "sensitive" personal data. Disclosure of such data may expose the client to the risk of fraud and identity theft. As the PDPC has noted, personal data of a sensitive nature should be subjected to a higher standard of protection.
That said, the PDPC does recognise that "implementing additional checks and controls when handling sensitive personal data is not a mandatory requirement but one that should be adopted where appropriate", and that "ultimately the facts of the case and the type of personal data being handled will influence whether or not the current checks and controls implemented in the particular organisation are sufficient".
Inadvertently sending letters and emails containing personal data to the wrong recipient is a major cause of data breaches. To address this, organisations should take steps to verify that the recipient's address details and the personal data to be sent are correct, and that only the personal data relevant to that recipient is disclosed.
Organisations and their employees should be vigilant in handling stakeholders' personal data, especially if they handle large volumes of such data on a daily basis. When a data breach occurs, remedial measures should be put in place immediately.
Organisations should carry out risk and impact assessments on specific departments that handle large volumes of personal data. Such assessments help to identify and address the specific risks and impact that exist in their operational processes and to put in place effective mitigation measures.
Organisations should have a system or process to segregate scrap paper containing personal data from other scrap paper that can be reused by employees. They should avoid using scrap paper containing personal data and exercise due diligence when using other reusable scrap paper.
Organisations should have some form of written data protection policy or practice in place, especially if complex processes are involved or if the organisation deals with personal data of a sensitive nature frequently, e.g. on a daily basis. As the PDPC has pointed out, verbal briefings alone would not be sufficient for an organisation to discharge its obligations under section 12 of the PDPA. A written policy helps reduce the risk of misunderstanding or miscommunication. This could take the form of written standard operating procedures setting out how employees should handle personal data (especially for complex processes) so as to prevent breaches.
Training for employees, including senior management, on data protection is a necessary aspect of protecting stakeholders’ personal data.
Being implicated in a data breach is an unpleasant experience for any organisation. Should a breach occur, it is important to cooperate with the PDPC during its investigations. Organisations issued with a Notice to Produce (NTP) should respond to the PDPC speedily, as a failure to comply with the NTP may constitute an offence under the PDPA. Organisations that require an extension of time should inform the PDPC immediately, particularly since the PDPC takes into account the level of cooperation by the organisation in question when assessing the breach and determining the directions to be imposed.