Accountability in Personal Data Protection
2019 was the year that the Personal Data Protection Commission (PDPC) shifted its focus from a compliance-based approach to that of accountability. The reason for this shift is stated in the opening paragraphs from the PDPC website:
Organisations today operate in an increasingly connected and competitive digital economy where individuals’ online and real-world activities generate a burgeoning amount of data. In such a competitive and evolving business environment, a “checkbox” compliance approach towards the handling of personal data is increasingly impractical and insufficient to keep pace with the developments in data processing activities. Organisations that focus on compliance through such an approach may find themselves disadvantaged and unable to use data for innovation.
Over time, with greater awareness of the risks surrounding the unauthorised collection, use and disclosure of personal data, consumers are increasingly cautious about how organisations are using and managing personal data, and place greater value on trust and accountability. It is thus important for organisations to shift from a compliance-based approach to an accountability-based approach in managing personal data.
But what is the meaning of “accountability”? This two-part blog by our partner, Straits Interactive, provides a clear explanation of the term and what companies need to do.
What it Means to be ‘Accountable’
The word ‘reasonable’ and other words based on it – for example, ‘reasonably’ – appear in the Personal Data Protection Act (PDPA) … a lot of times. The word ‘accountable’ and other words based on it, such as ‘accountability’, appear in the PDPA exactly zero times.
But we are hearing a lot about accountability in connection with data protection. Before we get to ‘Why?’ let’s look at a couple of examples of compliance versus accountability.
Compliance versus accountability
Traditionally, businesses are required to comply with a wide range of regulatory requirements. If they were caught not complying, they had to fix the shortfall; if they were not caught, then they did nothing much at all. So, compliance is a rather passive approach.
Accountability is different. The Cambridge Dictionary says that ‘someone who is accountable is completely responsible for what they do and must be able to give a satisfactory reason for it.’ Accountability is an active approach.
Vignette #1
It’s dinner time on Friday evening. Mum and Dad are chatting about their plans for the weekend.
‘Oh, tomorrow morning I have an appointment with the doctor so I can’t pick the kids up from their enrichment class that finishes at 11 o’clock. Can you do it?’
‘Yes, of course,’ says the responsible spouse.
‘Are you sure? You won’t forget, will you? You won’t be late? They’re too young to be wandering around by themselves,’ says the worried spouse.
‘Stop worrying. It will be OK.’
If the responsible spouse forgets – say they get distracted by reading the newspaper and suddenly realise that it’s past 11 o’clock already – what happens? Yup, probably the worried spouse will scold them a lot and tell them not to let it happen again. That’s a compliance approach. The worried spouse isn’t going to think that ‘I got distracted and forgot the time’ is a satisfactory reason for the kids being left to wander around alone after their class.
But by contrast, if the responsible spouse takes an accountability approach, they will take proactive steps to make sure that they don’t forget. For example, they might set a timer on their phone that will alert them when it’s 10:30 and they have to get ready to be there before the kids come out of their class at 11 o’clock.
Vignette #2
It’s performance appraisal time at work. A manager and a staff are having a discussion about why the staff didn’t meet their sales targets. (Spoiler alert: this might not end well.)
Staff says, ‘It’s not my fault. A few things didn’t turn out as I expected, and these things were outside of my control.’
Manager says, ‘So, what did you do to plan for unexpected events and other things outside of your control?’
Staff says, ‘Er, well … I …’
I’m rather sure that if the staff’s answer is that they didn’t do anything, but just sat back and waited to see what would happen, they aren’t going to get a good performance appraisal.
But if the staff is able to demonstrate that they did various things to achieve their sales goals even in the face of unexpected events and other things outside of their control, they could get a good performance appraisal despite not meeting their sales goals.
We can see from both examples that accountability is about being able to demonstrate actively taking steps with the aim of making sure that something happens. Compliance is about passively waiting to see how things turn out.
Data protection and accountability
We are hearing a lot about accountability in connection with personal data protection simply because regulators do not think that a passive compliance approach is good enough.
The concept of accountability in the context of data protection is a few years old now, but we’ve been hearing a lot more about it in the last two or three years. Part of the reason is that the General Data Protection Regulation (GDPR) specifically requires accountability.
Mr Yeong Zee Kin, Deputy Commissioner of the Personal Data Protection Commission (PDPC) of Singapore gave the Keynote Speech at the 39th International Conference of Data Protection and Privacy Commissioners in September 2017 in Hong Kong. Amongst other things, Mr Yeong spoke about ‘the pivot from compliance to accountability’. He said that:
‘Accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is about being able to demonstrate to customers that measures which pre-emptively identify and address risks to personal data have been put in place.’
This is especially applicable for companies like BoardRoom that deal with a significant amount of sensitive personal data. With a service offering focused on outsourcing critical back-end business operations like Share Registry, Payroll & Accounting, BoardRoom handles more personal data than most organisations. As a result, it cannot rely on processes tailored towards compliance; BoardRoom is expected to prove accountability around personal data protection. For any business interested in outsourcing, a critical evaluation factor when selecting a partner should be ensuring the organisation can demonstrate accountability surrounding personal data protection.
In practice, organisations have to do the equivalent of the responsible spouse setting a phone alert to make sure that picking up the kids on time isn’t forgotten, or the equivalent of a staff planning to make sure sales goals are achieved in spite of unexpected events. They must also be able to demonstrate that they have done these things.
Author
Lyn Boxall (CIPM, CIPP/A, CIPP/E, FIP, GRCP, GRCA) is an Advocate and Solicitor in Singapore and co-author of the book “99 Privacy Breaches to Beware of: Practical Data Protection Tips from Real-Life Experiences”.
She practices law in Singapore as Lyn Boxall LLC and is a consultant with Straits Interactive Pte Ltd, a leading specialist in personal data protection and Do-Not-Call (DNC) solutions.
Looking For an Accountable Outsourcing Provider In Singapore?
With the wealth of our experience as outsourcing experts in areas such as payroll outsourcing, corporate secretarial and accounting services, BoardRoom handles a significant amount of our clients’ personal data. We do not take this responsibility lightly and have been working closely with Straits Interactive for years to ensure that BoardRoom is able to prove accountability.
A key piece towards demonstrating accountability is the appointment of a Data Protection Officer (DPO) within your organisation. It’s now easier than ever to appoint a DPO: the Personal Data Protection Commission (PDPC) is collaborating with the Accounting and Corporate Regulatory Authority (ACRA) to allow organisations registered with ACRA to register and/or update their DPO’s name and contact information via ACRA’s BizFile+ using their CorpPass accounts. Head to our article on this to find out more.
Interested in learning more about our accountability measures regarding personal data? Get in touch with one of our outsourcing experts who will explore in detail how BoardRoom ensures more than just compliance when it comes to personal data protection.