Insights on the Data Protection Trustmark

Singapore’s Data Protection Trustmark (DPTM) is a domestic certification that came into full effect after the SingHealth case of 2018. When the personal data of more than a million patients was stolen from SingHealth, the Singapore government announced that companies and organizations must now be certified with the DPTM to ensure that effective and efficient data protection measures are in place.

The DPTM certification gives clients and consumers alike assurance that their personal data is being handled securely and safely. In this article, we summarize the criteria for becoming DPTM-certified and other insights you need to know about.

The DPTM

Organizations and companies that want to obtain the DPTM must meet the following criteria (as lifted from digitalguardian.com):

PRINCIPLE 1: GOVERNANCE AND TRANSPARENCY

Appropriate Policies and Practices

  • Establish data protection policies and practices
  • Establish queries, complaints and dispute resolution handling processes
  • Establish processes to identify, assess and address data protection risks
  • Establish a data breach management plan
  • Appoint Data Protection Officer (DPO)

Openness

  • Make available business contact information of the DPO to the public
  • Provide information on personal data protection policies to external stakeholders

Internal Communication and Training

  • Communicate data protection policies and practices to all employees
  • Implement data protection training for all relevant internal stakeholders

PRINCIPLE 2: MANAGEMENT OF PERSONAL DATA

Appropriate Purpose

  • Ensure collection of personal data is for purposes that are clear and appropriate in the circumstances

Appropriate Notification

  • Ensure notification of the purposes for the collection of personal data, on or before the collection of personal data
  • Ensure notification of new purposes before the use or disclosure of personal data

Appropriate Consent

  • Ensure that consent for the purposes has been obtained on or before collecting the personal data
  • Ensure that consent for personal data with special considerations has been obtained

Appropriate Use and Disclosure

  • Ensure the use of personal data is for purposes for which consent has been obtained
  • Ensure the disclosure of personal data is for purposes for which consent has been obtained

Compliant Overseas Transfer

  • Ensure appropriate personal data transfer policies are implemented as required under the law

PRINCIPLE 3: CARE OF PERSONAL DATA

Appropriate Protection

  • Ensure reasonable security policies and practices are implemented
  • Ensure third parties make reasonable security arrangements to protect personal data
  • Ensure testing of security measures

Appropriate Retention and Disposal

  • Ensure personal data retention policies are implemented
  • Ensure appropriate implementation of processes and methods for the disposal, destruction or anonymization of personal data when there are no longer legal or business purposes to retain the personal data

Accurate and Complete Records

  • Ensure personal data for use or disclosure is accurate and complete
  • Ensure personal data disclosed to a third party organization is accurate and complete

PRINCIPLE 4: INDIVIDUALS’ RIGHTS

Effect Withdrawal of Consent

  • Ensure provision for the withdrawal of consent for the collection, use or disclosure of individuals’ personal data

Provide Access and Correction Rights

  • Ensure provision for individuals’ access to their personal data in the organization’s possession or under its control on request
  • Ensure provision for individuals’ correction of their personal data in the organization’s possession or under its control on request

Cost and Duration

At this point, let’s look at the cost and validity period of the DPTM.

The assessment fee ranges from $1,400 to $10,000, excluding GST, depending on the size of your organization. The Data Protection Trustmark is valid for 3 years, and reapplication is needed after the expiration date.

vismaya
