World-first framework spells out role, training for data protection officers

SINGAPORE — Singapore’s privacy watchdog on Wednesday (July 17) unveiled a world-first competency framework and training roadmap for an increasingly vital member of any organisation — a data protection officer (DPO).

The framework will help companies in the hiring of data protection officers (DPO) and sets out appropriate training for them.

The aim is to streamline and improve data protection training among organisations here, while encouraging data innovation, to ensure DPOs achieve prescribed standards.

Organisations are beginning to see how good data protection practices contribute to business growth and innovation, and the job scopes of DPOs have expanded, said the Personal Data Protection Commission (PDPC).

Under the Personal Data Protection Act (PDPA), every organisation must appoint a DPO to oversee its use and protection of data.

Announcing the new framework at the Personal Data Protection Seminar, Minister for Communications and Information S Iswaran said on Wednesday that the role of the DPO is “critical to the success” of every enterprise in the digital age.

The new framework spells out the set of skills DPOs require, from entry-level officers in small companies to those with regional responsibilities.

It also provides guidance on a viable career path in the nascent sector — such as a list of competencies that DPOs should have as they progress in their roles.

The framework — which can be found on the PDPC’s website — is also meant to serve as a guide for business owners in hiring decisions, and in planning the training for DPOs and data protection teams.

A table describing the roles of data protection officers (DPO) of varying levels of seniority. Source: PDPC

Mr Iswaran said businesses should not see data protection as simply a cost, a compliance requirement or a defensive measure.

“That would take a very limiting approach in our attitude towards data as a resource. Rather, if we manage this well, the management of data can be a source of business competitiveness and a means to create new opportunities,” he said.

At least 30,000 DPOs are registered with the PDPC, but before the release of the new framework, the training and skills required by these employees had not been standardised.

They were mostly trained in an ad hoc fashion, picking up skills in managing data breaches and stakeholder management among others, to ensure compliance with the PDPA.

In an industry survey by the PDPC this year, 39 per cent of organisations flagged concerns over whether their DPOs are equipped with the knowledge and skills to mitigate the risks of data breaches and recover from them.

The greater clarity on the career progression for aspiring and current DPOs could help provide new career opportunities and career progression pathways for workers, said National Trades Union Congress (NTUC) assistant secretary-general Patrick Tay.

For a start, PDPC will work together with the NTUC, Employment and Employability Institute (e2i) and NTUC LearningHub to launch a 12-month pilot programme for DPOs, said the PDPC.

The pilot programme, which will start in October, is expected to benefit about 500 DPOs in the first year.

The PDPC is also working with other training partners such as the Institute of Singapore Chartered Accountants, National University of Singapore Law Academy, Singapore Management University Academy and Singapore Polytechnic.

CHALLENGES IN HANDLING DATA

Some of the challenges that DPOs face include varying levels of understanding in amassing personal data.

Ms Eunice Toh, executive director of the Tan Tock Seng Hospital (TTSH) Community Fund, said that the standardised training would be helpful in tightening processes such as obtaining consent.

As the designated DPO of the charity arm of TTSH, which receives personal data of donors, beneficiaries and industry partners, Ms Toh said that there could be differences in interpreting when one gives consent.

“For example, (when) we work with beneficiaries, some may wish to say they are a patient, but not wish to disclose their condition.”

“To someone who is not trained, they could interpret a verbal ‘yes’ as consent,” she said.

Training is hence important for staff to learn how to nail down the “finer points” — such as getting consent for “the specific use of the information, how it will be used and when it can be used”.

Ms Joyce Chiew, who is the DPO of IT solutions provider Oneberry Technologies, said that one challenge in her work is drafting comprehensive legal contracts between the firm and external vendors.

“When we engage external vendors, they (have access) to our personal data, so we must ensure that clauses in our contracts lay out that such data cannot be spread,” she said.

She said undergoing courses identified in the training roadmap will give her more confidence to draft such legal contracts in greater detail.
