Having helped early childhood educator Modern Montessori International Group (MMI) meet a series of international and industry standards, such as those developed by the International Organisation for Standardisation (ISO), MMI's Manager (Chairman's Office), Mr Steven Kho, is no stranger to implementing processes.
So when tasked to ensure that MMI was Personal Data Protection Act (PDPA) compliant, he was clear about what he needed to do.
"We identified all the personal data we have, followed by the situations where our staff needed to use these data," says Mr Kho.
"This allowed everyone to be clear about how to handle and process personal data. We identified areas that could go wrong and focused on developing solutions for those areas."
A Small and Medium Enterprise (SME), MMI provides pre-school education for children through 30 centres in Singapore, as well as in other parts of the world such as India, Kenya, Malaysia, Nigeria, Thailand and Vietnam.
It also conducts teacher-training courses for adults, offering diplomas in the Montessori method of education and early childhood care.
"Before the introduction of PDPA, we were more concerned about copyrights relating to the use of a child's image in our marketing and publicity materials.
As a result of the PDPA and its mandatory requirements, our data protection policies now cover more processes and are more comprehensive," says Mr Kho.
The PDPA presented MMI with the opportunity to develop and implement a more wide-ranging and comprehensive personal data protection policy, but not without initial resistance from internal stakeholders.
- Chief DPO attended a training course and drafted an enhanced personal data protection policy with the help of a lawyer.
- Mapped out areas where personal data are collected and used, and set out policies to deal with these areas.
- Entrusted responsibility for data protection to all staff members, particularly heads of departments, centre managers and principals.
- Broke the PDPA into relatable, bite-sized information for staff members to understand their role in protecting personal data.
- A more comprehensive and systematic policy, which plugged gaps in the operations.
- Processes are more systematic, resulting in greater efficiency.
- Armed staff with a better understanding of the processes to protect personal data.
- Greater confidence in the use and protection of parents' and students' personal data.
Enrolment, for example, is one key process that has been enhanced.
During registration, parents are required to fill in a form containing personal data such as contact details, birth certification numbers and other relevant personal data.
As a personal data protection measure, MMI explicitly seeks the parent's consent for the use and disclosure of the data to support the provision of service.
This includes sharing the personal data with pre-school education industry regulator Early Childhood Development Agency (ECDA), providing vendors with the student's data for the organisation of extra co-curricular activities, and using pictures or videos taken of students during activities for MMI's online and offline publications.
To ensure that there is no misunderstanding, MMI also consolidates what parents have consented to in a list that is distributed to parents along with its standard enrolment handbook.
In its dealings with third-party vendors and contractors, MMI places personal data protection related conditions in the contract agreements.
"There are times when we have to share personal data with third parties such as bus operators, field trip organisers and event managers. Through the conditions, we can hold them to agreements not to misuse the information we provide them and not to share that data for unsolicited marketing calls or other unauthorised purposes," Mr Kho says.
ENTRUSTING COMPLIANCE TO THE WHOLE ORGANISATION
It is no mean feat managing the personal data of more than 3,000 students and some 300 staff members across 30 education centres in Singapore. As such, PDPA compliance is a shared responsibility at MMI.
"We believe that everyone in the organisation has a responsibility to protect personal data," says Mr Kho.
"All department heads at MMI headquarters play a crucial role in enforcing our personal data protection policies. In our pre-school centres, the centre managers and principals take on the role of data protection officer."
Mr Kho is the chief data protection officer (DPO) for the organisation.
To familiarise himself with the relatively new law at the outset, he enrolled in a course introducing the fundamentals of the PDPA, designed for non-legally trained persons and offered under the Workforce Development Agency's (WDA) Business Management Workforce Skills Qualifications framework.
He found the curriculum straightforward and useful in his development of MMI's enhanced data protection policy. He then consulted a lawyer to firm up the overarching policy.
Implementation of the new processes took three to four months, and the transition was fairly smooth apart from some internal resistance.
Mr Kho recalls that the most frequently asked question was, "We haven't had problems before, so are these changes really necessary?"
To help staff members internalise the requirements, he explains the obligations of the PDPA in parts and how each applies to MMI's operations during the training sessions.
He feels that showing how the new data protection procedures are relevant to each staff member's area of work helps increase acceptance of these measures.
"When you do it this way, staff members will be keen to learn as they are familiar with the operational situation," he shares. "They may even be able to provide feedback or suggestions to improve the data protection policy."
He believes that MMI is now more systematic in its handling of personal data, which increases efficiency. He also feels more confident when speaking to parents and students about the security of their personal data with the organisation.
Overall, MMI spent an estimated $20,000 in the development and implementation of an enhanced personal data protection policy in line with the PDPA.
The bulk of this cost was expended on man-hours used to draft and implement the new procedures, staff training, and the upgrading of MMI's information technology (IT) systems to include access control and boosted password protection.
When asked what advice he might have for other SMEs, Mr Kho says, "They should not feel that the PDPA is difficult to comply with. What they need to do is to understand how the PDPA relates to aspects of their company's operations. Once they are able to identify the processes that have to be improved or put in place, they will not find it difficult to develop the policies."