30 July 2019
On 15 July 2019, the Personal Data Protection Commission (“PDPC”) published the “Guide to Accountability under the Personal Data Protection Act” (“Guide”) which explains the accountability principle in the context of personal data protection and how an organisation may demonstrate accountability for personal data in its care.
According to the Guide, accountability in relation to personal data protection is the undertaking and demonstration of responsibility for the personal data in the organisation’s possession or control. Accountability is a fundamental principle of the Personal Data Protection Act 2012 (“PDPA”), which requires an organisation to ensure and demonstrate compliance with the PDPA. Collectively, sections 11 and 12 of the PDPA form the accountability obligation under the PDPA. While there are mandatory accountability requirements under the PDPA, an organisation should consider accountability measures beyond merely complying with the law.
Guide to Accountability under the Personal Data Protection
The Guide provides guidelines for accountability within an organisation, accountability within industry and accountability in enforcement.
Accountability within an organisation
As good practice, the Guide provides that an organisation could consider demonstrating accountability in the following areas:
- Policy: To ensure a commitment to accountability, it is important to embed personal data protection into corporate governance because the involvement of senior management is crucial. Other accountability measures could include developing and communicating personal data protection policies clearly to both internal and external stakeholders. To provide clarity to internal stakeholders on the responsibilities and processes on handling personal data in daily work, dedicated internal policies should also be developed.
- People: A structured training and communications plan is critical to effectively equip staff with the necessary knowledge and resources to manage personal data. For staff who handle personal data and those with added responsibilities, such as the appointed Data Protection Officer, there should be in-depth training customised to their areas of responsibility. It is also important for personal data protection policies and processes to be clearly documented and easily accessible to staff for reference (e.g. on the organisation’s intranet).
- Process: An accountable organisation should put in place effective processes to operationalise its data protection policies throughout the data lifecycle (i.e. from collection to disposal of personal data) and across business processes, systems, products or services. For example, the organisation could implement a data protection management programme to operationalise their data protection policies, and also consider setting up processes for Data Protection Impact Assessments to be carried out to identify and address personal data protection risks. The organisation should review its processes on a regular basis to ensure it meets business needs and is up-to-date with regulatory and technological developments.
The Guide sets out a summary of resources in the form of guides, online assessments and customisable templates to help organisations put accountability into practice.
Accountability within industry
The Guide provides that an organisation may engage an independent third party assessor to certify their data protection policies and practices through the Data Protection Trustmark (“DPTM”) certification. The DPTM certification provides an additional option to organisations who require business partners or suppliers to adhere to an independently verified standard in their data protection practices.
As Singapore is also a participant of the APEC Cross Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems, which comprise a set of APEC-approved requirements to demonstrate compliance and accountability, an organisation may also be certified under the APEC CPBR and/or PRP Systems.
Accountability in enforcement
Under PDPC’s Active Enforcement Framework, in the event of a data incident, an organisation with accountable practices may consider the option of (a) an undertaking and/or (b) expedited enforcement decision, instead of a full investigation, under certain circumstances specified by the PDPC.
Updated “Advisory Guidelines on Key Concepts in the Personal Data Protection Act”
PDPC has updated its “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” to provide clarification on the relevant PDPA obligations and measures for accountability in personal data protection.
Updated Guide to Developing a Data Protection Management Programme
The “Guide to Developing a Data Protection Management Programme” has been updated to highlight the role of senior management in corporate governance and organisational policies. New resources such as the “Guide to Data Protection by Design for ICT systems” have also been included as reference.
The following materials are available on the PDPC website www.pdpc.gov.sg:
- Press release
- Fact Sheet on Guide to Accountability under the Personal Data Protection Act
- Guide to Accountability under the Personal Data Protection Act
- Updated Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Updated Guide to Developing a Data Protection Management Programme
- Keynote Speech by Mr Tan Kiat How, Commissioner of PDPC, at the IAPP Asia Privacy Forum 2019 on 15 July 2019