Appointing A Data Protection Officer (“DPO”) And Implementing Policies And Procedures To Comply With The Personal Data Protection Act (“PDPA”)
The recent decision of ACL Construction (S) Pte Ltd[i] is a timely and important reminder to every organisation in Singapore of the importance of appointing a DPO and implementing written policies and procedures to ensure compliance with the PDPA.
All organisations in Singapore have to comply with the accountability obligation under the PDPA.
Thus, organisations must appoint a DPO and implement written policies and procedures to ensure compliance with the PDPA.
What happened in ACL Construction (S) Pte Ltd
While investigating ACL’s data breach, the Personal Data Protection Commission (“PDPC”) found out that ACL had failed to appoint a DPO and did not have any data protection policies in place.
Even though no personal data was affected by the incident, ACL was still in breach of sections 11(3) and 12(a) of the PDPA respectively.
In lieu of a financial penalty, the PDPC directed ACL to (1) develop and implement policies and procedures to ensure compliance with the PDPA and (2) implement a programme of compulsory training for their employees on compliance with the PDPA when handling personal data.
Appointing a DPO
Under section 11(3) of the PDPA, organisations must designate one or more individuals, commonly known as a DPO, to be responsible for ensuring that the organisation complies with the PDPA.
Appointing a DPO is mandatory under the PDPA for all organisations, including sole proprietorships and non-profit organisations.
Organisations can either:
- appoint an existing employee as a DPO;
- hire a DPO; or
- outsource the DPO function to a service provider.
A DPO should be appointed from senior management since the contribution of a DPO is significant and leading personal data protection-related matters requires seniority. If the DPO is not appointed from senior management, the DPO should have a direct line of reporting to senior management.[ii]
Even when outsourcing the operational aspects of the DPO function, organisations should still ensure that an individual appointed from senior management remains responsible to work with the outsourced DPO. This is because only operational aspects of the DPO function can be outsourced. The DPO function will remain the management’s responsibility.
Responsibilities of a DPO
The following are some non-exhaustive responsibilities of a DPO:
- Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
- Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
- Managing personal data protection-related queries and complaints;
- Alerting management to any risks that might arise with regard to personal data; and
- Liaising with the PDPC on data protection matters, if necessary.
DPO’s business contact information
Under section 11(5) of the PDPA, organisations must make publicly available the business contact information of at least one DPO.
Pursuant to the Personal Data Protection Regulations 2021, to comply with this obligation, organisations must make available the DPO’s business contact information in a readily accessible part of the organisation’s official website. Alternatively, ACRA registered organisations can fulfil this obligation by registering their DPO via ACRA BizFile⁺, since ACRA BizFile⁺ is generally publicly accessible.
Registering your DPO
Although registration of the DPO is voluntary, the PDPC encourages organisations to register their DPOs with the PDPC to help DPOs stay updated on relevant personal data protection developments in Singapore.
Non-ACRA registered organisations can register their DPOs by filling in the registration form at https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-officers/dpo-registration.
For ACRA-registered organisations, you can register your organisation's DPO with ACRA BizFile⁺. As mentioned above, while registering the DPO is voluntary, doing so also fulfils your obligation under the PDPA to make the DPO's business contact information publicly available.
Data protection policies and procedures
Under section 12(a) of the PDPA, organisations must also develop and implement policies and procedures that are necessary for the organisation to comply with the PDPA.
One useful tool you can use is the PDPA Assessment Tool for Organisations (PATO) found at https://www.pdpc.gov.sg/help-and-resources/2017/10/pdpa-assessment-tool-for-organisations. This is a free self-assessment tool which can not only highlight potential gaps in the personal data protection policies and practices, but can also provide specific recommendations on personal data protection policies to be implemented.
Personal data protection policies should be clearly communicated to external parties such as vendors and customers, as well as internal stakeholders such as employees.
For employees, such policies lend greater clarity as to how they are to handle personal data on a day-to-day basis. For external parties, such policies demonstrate accountability to them as they are informed about the organisation’s processes regarding handling of personal data.[iii]
Organisations can leverage the PDPC's Data Protection Notice Generator to generate basic data protection template notices to inform their stakeholders (such as customers, employees, job applicants, donors, service users and volunteers) of their personal data management practices. This can be found here: https://apps.pdpc.gov.sg/dp-notice-generator.
PDPA training for the staff
Organisations are expected to educate all staff on the organisation’s personal data protection policies and practices to ensure that they are properly implemented and adhered to. Further, PDPA training can help to promote awareness of potential data breaches amongst staff.[iv]
Some non-exhaustive recommendations offered by PATO as to how training and awareness plans can be structured include:
- PDPA policy and practice training during staff orientation;
- Customised PDPA training by functions/departments;
- Good data handling practices;
- Awareness of internal anonymous reporting mechanism/procedure should a misuse of personal data be observed;
- Regular updates on the PDPA, the organisation’s personal data protection measures, and ICT security measures; and/or
- Regular refresher training.
Additionally, conducting regular PDPA training sessions for employees is one of the administrative measures which organisations may implement, in conjunction with other measures, to fulfil their obligation to make reasonable security arrangements to protect personal data in the organisation’s possession or control.
[i] Personal Data Protection Commission Singapore (2022, April 21). Breach of Accountability Obligation by ACL Construction (S). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision–ACL-Construction-S-Pte-Ltd–030222.ashx?la=en
[ii] Personal Data Protection Commission Singapore (2021). Guide to Developing a Data Protection Management Programme. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/DPMP/Guide-to-Developing-a-Data-Management-Programme-14-Sep-2021.ashx?la=en
At Infinity Legal LLC, our PDPA Practice, comprising lawyers who are Certified Personal Data Practitioners, aims to provide your organisation with a holistic, yet practical approach to complying with the PDPA. We help clients navigate through the variety of legal issues involving personal data protection including:
- Advising on the data lifecycle, from collection and use to disposal of personal data, to ensure compliance with the PDPA
- Reviewing existing data protection policies and transactional documents for compliance
- Drafting relevant documents including personal data protection policies and notices
- Managing data breach, including working with IT forensic experts and notifying and dealing with regulators
- Training and education
- Advising and representing at enforcement and court proceedings
- Providing the services of an external Data Protection Officer (DPO)
© Infinity Legal LLC 2022
The content of this article is for general information purposes only, and does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances. Infinity Legal LLC does not accept any responsibility for any loss which may arise from reliance on information or materials published in this article. Copyright in this publication is owned by Infinity Legal LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval.
Infinity Legal LLC thanks and acknowledges Intern Chloe Kho for her contribution to this article.