Accountability - PDPC expectations
Last week I wrote about what ‘accountability’ means in our day-to-day lives. I hope you remember worried spouse and responsible spouse and picking up the kids from their enrichment class. I also hope that you have not had the experience of the sales person who was not accountable for hitting their sales targets and thought that a compliance approach was good enough.
This week we look at what the Personal Data Protection Commission, the PDPC, expects of organisations in terms of accountability.
Pivot from Compliance to Accountability
The PDPC Commissioner, Mr Tan Kiat How gave a speech on Thursday, 4 October 2018, at NUS Law Bukit Timah Campus. Among other things, he addressed the PDPC’s ‘Pivot from Compliance to Accountability’.
Mr Tan remarked on the importance of trust, saying that the PDPC firmly believes that advanced technologies and new uses of data would be pointless without trust. He also made the point that, while a nimble, balanced and forward-looking approach to tech regulation will provide an environment to build trust and facilitate innovation, an organisation’s compliance with data protection laws is necessary but no longer a sufficient condition in today’s competitive and data-driven landscape.
Mr Tan said that:
‘accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is a demonstration that an organisation has put in place measures which pre-emptively identifies and addresses data protection risks’.
The organisational tools of accountability
There are several aspects of accountability, that is, of what underpins an organisation’s promise to customers, and they all relate to pre-emptively identifying and addressing data protection risks.
Data Protection Management Programme (DPMP)
It is obvious that an organisation cannot address – in other words, manage – its data protection risks unless it first identifies those risks. A Data Protection Management Programme (DPMP) is the first and most necessary step in identifying and managing data protection risks.
A DPMP involves an organisation (often through its various Heads of Department):
identifying all the points at which the organisation may collect personal data in its day-to-day operations – for example, through online forms, phone calls, reception and service counters, registration forms and other documents
mapping the flow of personal data through the organisation to see how the organisation uses that personal data and to whom it discloses it as part of those day-to-day operations
identifying the data protection risks in those day-to-day operations, deciding what may need to be changed in order to manage those risks (or deciding to accept some of them), and then implementing those changes
maintaining the DPMP, first by educating staff and then providing regular awareness training, and secondly by regularly monitoring the effectiveness of the programme
At its heart, this process is no different from the plans that an employee may make about how to achieve their ‘key performance indicators’ (KPIs) and therefore earn their bonus and/or an annual salary increase. The employee has to figure out the components of their KPIs and how to achieve each of them. They have to identify what risks may arise and stand in the way of achieving their KPIs, and figure out how to avoid those risks or reduce their impact – or have a plan that involves accepting at least some of them. In any event, the employee ‘takes ownership’ of achieving their KPIs, rather than leaving achievement up to chance.
Data protection impact (risk) assessment
A Data Protection Impact Assessment (DPIA) forms part of a DPMP. An organisation may do a DPIA as part of an initial DPMP; it should also do a DPIA when it creates a new system or process that involves personal data and when it changes an existing system or process that involves personal data.
All relevant stakeholders should be involved in a DPIA, including both internal organisational functions and relevant external parties. It is an opportunity for a ‘deep dive’ into the data protection issues that may arise in a system or process and to remedy those issues as part of the design of that system or process – in that way, it can lead to ‘data protection by design’, where data protection is built into the system or process rather than bolted on afterwards.
Think back to worried spouse and responsible spouse. The change in the usual Saturday morning process was that worried spouse could not pick up the kids from their enrichment class on this one particular Saturday. I said that responsible spouse might have set an alarm on their phone so that they wouldn’t forget the time and fail to pick up the kids at the end of their class. Now I will argue that worried spouse should have been involved in assessing the risk of responsible spouse being absent-minded and, if they assessed this as a real risk, in thinking about what reminder system could have been put in place.
Consent registers – openness
The Personal Data Protection Act, and its counterparts in other countries, place a high degree of focus on ‘openness’, which might also be called ‘transparency’. It centres on the idea that individuals are entitled to know the purposes for which organisations will use their personal data and to know to whom organisations might disclose it.
Organisations in Singapore are required to notify individuals of the purpose(s) for collecting their personal data and, unless a relevant exception applies, to obtain their consent. Consent can be express, such as a specific written consent, or it may be deemed or inferred from the conduct of the individual.
As part of accountability, organisations should maintain ‘registers’ of the consents that they have obtained and of the individuals from whom they have obtained them. Logically, these registers should be underpinned by evidence that the organisation notified those individuals of the purposes for which it may use and/or disclose personal data about them – without that evidence, a record of consent is hard to defend if it is ever questioned.
Data Protection Trust Marks
Besides the adoption of accountability tools like risk assessments, data protection management programmes and consent registers, the PDPC sees the pivot from compliance to accountability as also including a dialogue between organisations and consumers. One of the channels for this dialogue would be a data protection trust mark.
We’ll say something about data protection trust marks, DPTMs, in a future blog.