16 September 2020
Under the Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA") together with guidelines issued by the Personal Data Protection Commission ("PDPC"), organisations are required to comply with nine main obligations including the Accountability Obligation (sections 11 and 12 of the PDPA).
In order to comply with the Accountability Obligation, it is not sufficient for organisations to merely have written policies and procedures in place; organisations are required to have monitoring mechanisms and process controls to ensure that such policies and procedures are effectively implemented.
Part of this involves ensuring that policies and procedures are clearly communicated to relevant stakeholders. It is also important that staff are clear about their responsibilities and equipped with the necessary resources to ensure that they are able to effectively fulfil their responsibilities. This may include regular training, refreshers, reference material and channels within the organization for staff to raise concerns or clarify any doubts. For organisations that handle large amounts of personal data or have particular needs, they can consider sending staff for more specific training or external qualifications which can be part of career progression for their staff.
Organisations should also look into their processes and procedures to ensure that they reflect regulatory and technological developments while fulfilling their business needs. Effective processes and procedures often make it easier for staff to fulfil their responsibilities and minimize the data protection risks.
While data protection officers ("DPO") (an individual or group designated by an organization pursuant to the PDPA) are generally responsible for ensuring the organisation's compliance with the PDPA (section 11(3)), it is expressly stated in the PDPA that this does not relieve the organization of its obligations under the PDPA (section 11(6)). Further, officers can be found guilty of the same offence when an organization commits an offence under the PDPA, and it is proven that the offence was (a) committed with the consent or connivance of an officer, or (b) attributable to any neglect of an officer. The PDPA defines "officer" to include directors, partners, members of the committee of management, chief executives, managers, secretaries or other similar officers of the body corporate and includes any person purporting to act in any such capacity (section 52(5)). This definition is more specific but nonetheless compatible with the definition in the Companies Act (cap. 50) which defines "officer" to include a director or secretary of a corporation or a person employed in an executive capacity by the corporation (section 4).
It is thus imperative that directors, management, executives and other officers of a company are familiar with their responsibilities under the PDPA and take a holistic approach to include data protection risks and compliance as part of their corporate governance strategy.
For further information, please contact:
Sandra Seah, Partner, Bird & Bird
sandra.seah@twobirds.com