The Personal Data Protection Commission (PDPC) published the Guide to Accountability (Guide) to emphasise the importance of organisations developing a culture of compliance and responsibility when handling and managing personal data, particularly in a digital economy where data processing is pervasive. The Guide encourages organisations to demonstrate accountability in three areas – policy, people and processes – and provides practical guidance on how organisations may demonstrate accountability.
Under the Personal Data Protection Act 2012 (PDPA), an organisation is responsible for ensuring that the processing of personal data in its care complies with the PDPA. This principle (i.e., the Accountability Principle) is embodied in sections 11 and 12 of the PDPA, which require each organisation to:
Beyond compliance with the accountability obligations in the PDPA, accountable organisations are encouraged to use appropriate mechanisms relating to policy, people and processes to ensure the effective implementation of their policies and practices and to foster an organisational culture of responsibility in their businesses.
The Guide emphasises the role of organisational leaders in ensuring good accountability practices, including by incorporating data protection matters (such as compliance and IT risks) into an organisation’s corporate governance framework and having specific internal policies for clearer guidance to staff regarding the proper handling of personal data.
The Guide also enumerates some responsibilities of senior management, including:
The Guide stresses the importance of having a structured data protection communications and training plan to effectively educate all staff and employees (regardless of role, function, hierarchy, and the nature and term of engagement) and third-party service providers about an organisation’s data management policies and practices. It is equally important that these policies and practices are easily accessible to staff for reference.
The PDPC also encourages the implementation of regular training and exercises to develop an organisational culture of data protection compliance. More in-depth training should be given to the Data Protection Officer (DPO), data protection representatives and any staff who handle personal data.
Apart from developing and communicating data protection policies and practices, an organisation should implement an effective operations-wide process to put those policies and practices into effect. In developing this process, the Guide suggests first understanding the organisation’s data cycle and then identifying key weaknesses that require improvement. For example, an organisation could conduct a data protection impact assessment to identify key data protection risks and design its business operations and IT systems to address those risks. The process itself should be reviewed on a regular basis to ensure that it meets the organisation’s business needs and complies with any new or updated regulations and technology developments.
An organisation may also implement an enterprise risk management framework to identify, assess, manage, monitor and report data protection risks.
The Guide suggests that an organisation may voluntarily have its data protection policies and practices certified as compliant under different certification schemes, to assure its customers and other parties that it has appropriate policies and practices in place to safeguard personal data. In Singapore, the PDPC developed the Data Protection Trustmark (DPTM) Certification scheme, whereby independent third-party assessors recognised by the Info-communications Media Development Authority may certify an organisation as having accountable and responsible data protection policies and practices. In addition, an organisation may apply for certification under the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Privacy Recognition for Processors (PRP) systems to confirm an organisation’s compliance with APEC requirements on compliance and accountability.
As a corollary to the Accountability Principle, the PDPC developed the Active Enforcement Framework, which sets out the PDPC’s approach to exercising its enforcement powers in the event of data breaches or PDPA violations. Our article on the PDPC’s Guide to Active Enforcement can be found here.
One of the key takeaways from the Guide is that the PDPC will consider several factors in determining whether an organisation has complied with the PDPA, particularly the Accountability Principle, and that there is no one-size-fits-all data protection programme for all organisations.
For example, having data protection policies and practices in place will not automatically mitigate an organisation’s liability in the event of a data breach. The PDPC will still consider whether an erring organisation used appropriate mechanisms and processes, consistent with its data processing operations, to ensure the effective implementation of those policies and practices. It is therefore imperative that organisations carefully examine their data processing operations through a data protection impact assessment and design an appropriate data protection management programme (DPMP) to address the risks identified in that assessment.