Its beneficiaries are people in crisis – homeless men, women and families. In rendering them help, New Hope Community Services knows it is vital to protect their personal data as well. It is part of the organisation’s overall push to ensure good governance and strengthen public trust.
This was why New Hope decided to apply for the Data Protection Trustmark (DPTM) when the certification was announced. Having achieved the Charity Governance Award in 2017 and received the Charity Transparency Award for consecutive years since 2016, the organisation saw the DPTM certification as a logical next step.
Dealing with personal data
New Hope started its services in 2004 with one shelter for homeless male ex-offenders. In 2007, it expanded its scope by collaborating with the then-Ministry of Community Development, Youth and Sports (now Ministry of Social and Family Development or MSF) to look into arranging housing for other homeless individuals and families.
In carrying out its work, New Hope needs to have information not just about its beneficiaries but also their family members, especially those who will be staying together in the rental flats, said Ms Leah Tan, Centre Manager (HQ) and Data Protection Officer (DPO), New Hope Community Services. For example, the personal data it has to gather includes information on the beneficiaries’ children and the children’s schools.
When helping its beneficiaries to apply for rental flats, it also needs to have other personal data such as the beneficiaries’ financial information – how much savings they have and their outstanding debts – in order to find out if they are eligible for assistance.
To ensure that all this information is well protected, New Hope’s founder and Chief Executive Officer Pastor Andrew Khoo and its Chief Operating Officer James Chua initiated the organisation’s personal data protection drive. They wanted to engender trust amongst donors and beneficiaries by making sure that its policies and practices were aligned with the Personal Data Protection Act (PDPA).
In 2014, soon after the PDPA came into effect, New Hope put in place the basics of personal data protection. It appointed a DPO, and published its DPO’s contact details and PDPA notice on its website.
Subsequently, when it learnt that CITREP+ (Critical Infocomm Technology Resource Programme Plus) funding was available for the training of DPOs, it decided to apply for the grant and sent ten staff representing different departments, including the DPO, for a Hands-On DPO Training course.
Translating policies to practice
After the training, the representatives formed a committee to drive the organisation’s data protection initiatives. The committee sat down to map out the organisation’s data inventory and identified processes that presented a risk to personal data protection. Next, it looked into policy development for the respective departments and for the organisation as a whole, and put in measures to translate these policies into practice.
“It was important that we did not stop at just developing policies. We had to prepare the people and constantly remind them about good personal data protection practices,” said Ms Tan.
For example, reminders were sent out to staff to be extra careful with case files that contained personal information about their beneficiaries. Only people working directly on the cases were authorised to access these files. Even administrative staff supporting the programmes were not allowed to have access to the details of the cases.
With its personal data protection policies and practices in place, New Hope decided to go for DPTM certification because it saw the trustmark as a good test of its efforts in putting in place measures to comply with the PDPA.
A learning experience
The certification process was tough, said Ms Tan, but it helped the organisation to further strengthen its policies.
For example, the DPTM self-assessment checklist introduced a requirement on data protection impact assessment. This underscored the importance of carrying out a personal data risk assessment based on the functions and needs of the organisation, and implementing the appropriate measures to address these risks.
Using a data protection impact assessment template from its external consultant, the organisation listed the personal data that it collected, where it was stored, the risk level of the data, what would happen if the data were to be exposed, and what action the organisation would take if this were to happen.
Dos and don’ts
It also came up with a list of “dos and don’ts” to help staff make the connection between personal data protection and their everyday tasks. For example, one of the “don’ts” on the list is that staff should not leave their printouts unattended at the photocopier. “Sometimes, we don’t know who the printouts belong to because no one collects them. This exposes the personal data on the printouts to other people who may not be authorised to view the information,” said Ms Tan.
Some of the “dos” include logging out of the desktop and putting documents away when leaving the desk, and making sure that application forms are not left lying around in case the personal data they contain are inadvertently exposed to people who should not have access to the information.
Simple solutions were also implemented to help the staff protect personal data. For example, “Confidential” stickers are provided so that staff can stick them onto documents with personal data. The stickers provide a visual indication and reminder that a document contains personal data, so that the staff will take more care to ensure that the said document is adequately protected, for example, by keeping it in a locked cabinet or drawer when not in use.
An ongoing effort
Attaining the certification was an important milestone for New Hope. “Nowadays, charity governance is a very big thing. We may get into trouble if we don’t do things right,” said Ms Tan. “Also, there are so many charities, and people don’t know who to trust. When donors are deciding which organisation to support, the DPTM helps by providing us that trust factor.”
New Hope also knows that the personal data protection effort does not stop here. “Having achieved the DPTM, we must continue to find opportunities to let people know that we are not just PDPA compliant, but that we take everyone’s personal data seriously,” said Ms Tan. “Because we are DPTM-certified, all the more we must be on our toes and be able to demonstrate our accountability in practice to the rest of the social services sector.”
For more information, visit the Data Protection Trustmark webpage.
(This story was first published in the Data Protection Trustmark Success Stories e-booklet.)