Singapore has launched a new way for organizations to certify they've deployed sound and accountable data protection practices.
The “Data Protection Trustmark” (DPTM) certification – officially launched this week – puts organizations through a series of data protection assessments. Once passed, DPTM certification is valid for three years.
The Singapore Infocomm Media Development Authority (IMDA), a statutory board of the country's government under the Ministry of Communications and Information, devised the certification in hopes of incorporating some elements of Singapore's Personal Data Protection Act of 2012 (PDPA) as well as best practices outlined in privacy frameworks like the APEC CBPR/PRP systems.
Organizations looking to achieve DPTM certification need to meet the following criteria:
Principle 1: Governance and Transparency
Appropriate Policies and Practices
- Establish data protection policies and practices
- Establish queries, complaints and dispute resolution handling processes
- Establish processes to identify, assess and address data protection risks
- Establish a data breach management plan
- Appoint Data Protection Officer (DPO)
Openness
- Make available business contact information of the DPO to the public
- Provide information on personal data protection policies to external stakeholders
Internal Communication and Training
- Communicate data protection policies and practices to all employees
- Implement data protection training for all relevant internal stakeholders
Principle 2: Management of Personal Data
Appropriate Purpose
- Ensure collection of personal data is for purposes that are clear and appropriate in the circumstances
Appropriate Notification
- Ensure notification of the purposes for the collection of personal data, on or before the collection of personal data
- Ensure notification of new purposes before the use or disclosure of personal data
Appropriate Consent
- Ensure that consent for the purposes has been obtained on or before collecting the personal data
- Ensure that consent for personal data with special considerations has been obtained
Appropriate Use and Disclosure
- Ensure the use of personal data is for purposes for which consent has been obtained
- Ensure the disclosure of personal data is for purposes for which consent has been obtained
Compliant Overseas Transfer
- Ensure appropriate personal data transfer policies are implemented as required under law
Principle 3: Care of Personal Data
Appropriate Protection
- Ensure reasonable security policies and practices are implemented
- Ensure third parties make reasonable security arrangements to protect personal data
- Ensure testing of security measures
Appropriate Retention and Disposal
- Ensure personal data retention policies are implemented
- Ensure appropriate implementation of processes and methods for the disposal, destruction or anonymization of personal data when there are no longer legal or business purposes to retain the personal data
Accurate and Complete Records
- Ensure personal data for use or disclosure is accurate and complete
- Ensure personal data disclosed to a third party organization is accurate and complete
Principle 4: Individuals’ Rights
Effect Withdrawal of Consent
- Ensure provision for the withdrawal of consent for the collection, use or disclosure of individuals’ personal data
Provide Access and Correction Rights
- Ensure provision for individuals’ access to their personal data in the organization’s possession or under its control on request
- Ensure provision for individuals’ correction of their personal data in the organization’s possession or under its control on request
In addition to the principles, there is a series of questions, related to the above criteria, that organizations need to ask themselves as well.
Some are data management specific: Does the organization have policies and practices in place to manage personal data? Does it take data protection by design into account when developing a product, service, system, or process? Others relate to the security measures in place, data retention policies, and how individuals' rights around their personal data are handled.
In order to become certified, organizations need to have one of three assessment bodies – ISOCert Pte Ltd, Setsco Services Pte Ltd, or TÜV SÜD PSB Pte Ltd – carry out an audit. The assessment fee can run organizations between $1,400 and $10,000 depending on the company's size. Ordinarily the application costs $535; that fee is being waived for small and medium enterprises and non-profit organizations until the end of 2019.
The board hopes the certification, while voluntary, will allow organizations to better demonstrate the data protection policies and practices they have in place, raise data governance and protection standards, uncover weaknesses, and help them take steps to remediate risks.
The certification scheme was piloted by IMDA, with help from Singapore's Personal Data Protection Commission (PDPC), last summer in hopes of fostering the nation's data protection ecosystem and giving certified organizations more freedom to transfer data across borders to other certified Asia-Pacific organizations.
"While the Government will do its part to facilitate innovative and accountable data use, we strongly encourage organisations to put in place measures to do the same," the country's Minister for Communications and Information, S. Iswaran, said of the initiative last summer.
Judging by the IMDA's site, a handful of organizations - a bank, a healthcare app, a hospital, and a forensics firm among them - have already taken the necessary steps to become certified.