Managing Personal Data

Here are some possible steps to help your organisation better manage personal data*:

Step 1 - Appoint a Data Protection Officer

Designate at least one person to develop your organisation’s personal data policies and oversee your organisation's compliance with the PDPA. This person may be an existing employee in your organisation, and his or her role may include the following:

  • Developing good policies for handling personal data in electronic and/or manual form, that suit your organisation’s needs and comply with the PDPA;
  • Communicating the internal personal data protection policies and processes to customers, members and employees;
  • Handling queries or complaints about personal data from customers, members and employees;
  • Alerting your organisation to any risks that might arise with personal data; and
  • Liaising with the PDPC, if necessary.

Step 2 - Map Out Your Personal Data Inventory

Your organisation is responsible for the personal data in its care. Be clear about:

  • What personal data your organisation has collected;
  • How and where are the points of collection, whether consent was obtained and in what manner;
  • What the purposes and uses of the personal data are;
  • Who the personal data has been disclosed to;
  • Who is authorised to access the personal data;
  • Where and how the personal data is kept and secured; and
  • What the personal data to be retained within your organisation are and for how long.

Auditing and indexing your personal data properly will make your records management more effective.

Step 3 - Implement Data Protection Processes

After understanding your organisation’s personal data inventory, your data protection officer may review your organisation’s processes and align them with the PDPA. Here are some things to consider:

i. Collection, Use and Disclosure

  • Define the types of personal data that may be collected for the provision of a particular product or service.
  • Set out how consent may be obtained and recorded.
  • Set up a process to allow an individual to withdraw consent at anytime upon giving reasonable notice, and ensure that the individual understands the consequences of his or her withdrawal.
  • Make your organisation’s personal data protection policies available to the public.
  • Provide the business contact information of your data protection officer to the public, should they require more information on your organisation’s data protection policies and practices.
  • Review the terms of engagement with third parties such as agents, partners or data intermediaries, if any.

ii. Access & Correction

  • Establish a clear practice for assessing and processing both access and correction requests.
  • Make available information on how customers may request to access or correct their personal data with your organisation.
  • Ensure your employees know who to pass the requests on to, if it is not their responsibility to respond to such requests.

iii. Care for Personal Data

  • Set out how the personal data in custody may be well-protected.
  • Classify the personal data to better manage housekeeping.
  • Set clear timelines for the retention of the various personal data and cease to retain documents containing personal data that is no longer required for business or legal purposes.
  • For the transfer of personal data overseas, include the use of contractual agreements with the organisations involved in the transfer to provide a comparable standard of protection overseas.
*The information provided here are best practices tips, and not to be construed as legal advice. They are not legally binding and do not modify or supplement the legal effect and interpretation of the PDPA and regulations issued under the PDPA or any other laws.