The Personal Data Protection Act (PDPA), which came into force on 2 July 2014, comprises various rules governing the collection, use, disclosure and storage of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
Today, vast amounts of personal data are collected, used and even transferred to third-party organisations by charities, which are not exempted from the provisions of the PDPA. This trend is expected to grow as charities embark on more donation drives, take on more volunteers and serve more beneficiaries in their social programmes and activities. With this trend comes growing concern among donors, volunteers and beneficiaries as to how their personal data are managed and safeguarded. Hence, charities need to implement a data protection framework and put in place processes to govern the collection, use, disclosure and storage of personal data, both to address these concerns and to maintain stakeholders’ confidence in the charities that manage their personal data.
Meeting the obligations under the PDPA will require changes to how charities operate. For example, policies and procedures need to be reviewed to ensure their relevance to PDPA requirements. Data protection policies and procedures need to be introduced, and staff and volunteers need to be educated and trained to handle personal data. Data management and handling processes need to be adjusted to be PDPA compliant. IT systems and databases need more stringent protection from hackers and cyber intruders. The data protection policy also needs to be communicated publicly and displayed on the charities’ websites.
The introduction of the PDPA has changed the whole perspective of how charities should view and treat personal data, and this has an impact on operations. Since charities are now legally bound to meet their obligations under the PDPA, there may be direct competition for resources between PDPA compliance and charities’ operations. Given limited resources, some charities, particularly smaller ones, may face challenges in committing in-house resources to this area and may find it hard to ensure that they are PDPA compliant. In this respect, such charities may need to look at options such as outsourcing and the engagement of external consultants to undertake the work.
It is envisaged that PDPA compliance may be one of the benchmarks for good governance for charities. It is therefore advisable for charities to start looking at their own processes and to address any areas of operations that need to be enhanced to better meet their PDPA obligations.