On 15 July 2019, the Personal Data Protection Commission (PDPC) released a “Guide to Accountability under the Personal Data Protection Act”, which clarifies the accountability principle in the context of the Personal Data Protection Act 2012 (PDPA). This insight provides an overview of the examples and resources that organisations may use to translate accountability concepts into adoptable practical steps.
What does the accountability principle involve?
Accountability is one of the fundamental obligations under the PDPA. The concept of accountability refers to the undertaking and demonstration of responsibility for the personal data in an organisation’s possession or control. According to the Guide, organisations are required to undertake to ensure and demonstrate compliance with the PDPA.
Organisations should be aware of their responsibilities under the PDPA, including:
- Developing and implementing policies for data protection;
- Communicating and informing staff about such policies; and
- Implementing processes and practices to comply with the PDPA.
The Guide covers accountability in three broad areas: (1) within an organisation; (2) within the industry; and (3) in enforcement.
Within an organisation
Beyond mandatory accountability requirements under the PDPA, organisations should consider further accountability measures, which can be categorised under Policy, People and Process.
Policy: Organisations should embed personal data protection into their corporate governance with the involvement of senior management. This involves developing and communicating personal data protection policies clearly to internal and external stakeholders alike. Organisations need to ensure clarity on the responsibilities and processes for handling personal data in employees’ daily work.
People: Organisations should embed data protection-related topics as part of staff training and development throughout the employment journey. This means equipping employees with the knowledge and resources to effectively handle personal data with a structured training and communications plan. It is also important for personal data protection policies and processes to be clearly documented and easily accessible to staff for reference (for example, on the organisation’s intranet). Comprehensive and customised training should be conducted for staff who manage personal data and those with added responsibilities, such as the appointed Data Protection Officer.
Process: Organisations should implement effective processes to operationalise their data protection policies throughout the data lifecycle, from collection to disposal of personal data, and across their business processes, systems, products and services. Establish processes to document personal data flows, capturing how personal data is collected, stored, disclosed and archived or disposed of within the organisation. Review data protection processes regularly to ensure that they meet business needs and reflect regulatory and technological developments. Organisations may also demonstrate accountability by establishing an enterprise risk management framework with monitoring and reporting mechanisms as part of managing personal data protection risks.
Within the industry
Accountability may be demonstrated through data protection certification. Such accreditations could also provide organisations with a competitive advantage and strengthen consumer trust and confidence. For example, organisations may engage independent third-party assessors to certify their data protection policies and practices through the Data Protection Trustmark Certification. Alternatively, organisations may explore obtaining certification under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems.
Organisations certified under the APEC CBPR and/or PRP Systems will be recognised by other participating APEC economies.
In enforcement
The PDPC promotes positive behaviours by organisations when handling personal data incidents through its Active Enforcement Framework. In the event of a data incident, organisations demonstrating accountable practices may, under certain circumstances prescribed by the PDPC, consider the option of: (a) an undertaking; or (b) an expedited enforcement decision, instead of a full investigation.
The PDPC has developed and published resources to guide organisations in building a robust personal data protection infrastructure. However, there is no blanket approach to personal data protection. Each organisation needs to assess the appropriate measures and tools suited to its commercial needs and circumstances.