Among the programmes that Tan Tock Seng Hospital’s (TTSH) Development Fund and Volunteer Management Office help administer is the TTSH Community Fund, the hospital’s charity arm that was first set up in 1995 to help needy patients. Today, the TTSH Community Fund supports more than 2,500 patient cases each year, particularly the elderly and those who have exhausted all avenues of financial help. The TTSH Community Fund also seeks to promote better patient care through medical research and training.
Due to its raison d'être, it is no surprise that the TTSH Community Fund holds troves of personal data. In addition to patient beneficiaries, it has in its possession the data of a few thousand donors – both individuals and corporations.
Separately, the Development Fund and Volunteer Management Office also manages the records of some 700 volunteers across 27 programmes, about half of whom are actively serving the TTSH Community Fund.
In view of the nature of work that this team undertakes, sensitivity and discretion are of the utmost importance when handling beneficiary and donor data, regardless of the Personal Data Protection Act (PDPA).
Mrs Eunice Toh, executive director of TTSH Community Fund and director of TTSH Development Fund and Volunteer Management, says, “We don’t take it for granted that we can use personal data provided to us, either by a donor or a beneficiary, for our publicity purposes. A donor may want to keep a low profile, or a beneficiary may be self-conscious. It is thus necessary to seek their approval if such personal information is going to be used.”
Although sensitive and discreet treatment of personal data had always been a priority for the TTSH Development Fund and Volunteer Management Office and TTSH Community Fund, the introduction of the PDPA was a timely reminder to review its policies.
- Study the requirements of the PDPA, review existing policies and make enhancements accordingly, along with corresponding staff and volunteer training
- To always check if donors are agreeable to being publicly acknowledged for their support and donations
- Obtain written consent from beneficiaries and grantees before personal data is used for media and publicity
- Have volunteers sign non-disclosure agreements before deployment
- Ensured that physical access to personal data is effectively managed through SOPs
- Data protection policies and SOPs are reviewed and/or updated every one to two years
- Reviewing policies periodically helped sieve out gaps in personal data protection
- Staff are more mindful when preparing reports and handling forms, thereby increasing protection of personal data
- Donors have more confidence in the TTSH Community Fund
“To us, the PDPA is an excellent reminder of the importance of personal data protection policies,” she adds. “As the PDPA places a mandatory obligation on organisations to comply with its requirements, it reminds us to check for gaps in our existing policies.”
As TTSH Community Fund’s data protection officer, Mrs Toh works closely with a staff member each from finance and volunteer management / fundraising support to assess and develop suitable data protection policies. Notably, the mountain of paperwork that comes through creates the biggest challenge for the team, which has to tackle the issue of data protection across multiple facets of the division’s operations.
Fundraising, a critical aspect of TTSH Community Fund’s work, requires donors to submit their personal particulars through hardcopy forms. In finance, receipts and payment vouchers would also contain donor and beneficiary information. While volunteers are encouraged to complete their applications online, dealing with hardcopies is inevitable.
Mrs Toh acknowledges that the sheer volume of physical paperwork that the team manages could give rise to the risk of data protection breaches, which is why she lauds the PDPA for bringing these issues to the fore.
Among the data protection measures that the TTSH Community Fund have implemented is to ensure that hardcopies containing personal data are always locked in cabinets and accessible only to authorised personnel. Similarly with its computerised accounting system, access to donor and beneficiary information is granted only to authorised personnel.
Aside from collecting personal data, the TTSH Community Fund also proactively obtains consent to use the said data. A visible use of donors’ personal data, for example, is the acknowledgement of their contributions in the Roll of Honour, which occupies a conspicuous position at TTSH’s ground floor main lobby.
Mrs Toh explains, “It is important for us to obtain donors’ consent before we place their names on the Roll of Honour because there will always be donors who prefer to remain anonymous. We also try to promote the Fund so written consent of beneficiaries, be these needy patients or grantees who are awarded grants, is another important point to note for media and publicity purposes. Confidentiality of their personal data cannot be compromised or taken for granted simply because we are assisting them with funding support.”
To ensure that donor and beneficiary data is not inadvertently disclosed, the TTSH Community Fund shares its personal data protection policies on the hospital intranet so that all other departments are also aware of the correct procedures for handling such data.
A CONTINUAL JOURNEY
Mrs Toh opines that the data protection policies and practices that the team has inplace are simple and well-suited for their purposes. The financial cost of compliance was negligible because development and implementation of data protection policies were all done in-house, and the Fund’s database was relatively small. However, Mrs Toh felt the real cost was the time and effort spent to read about the PDPA and brainstorm for the data protection policies.
“When the PDPA came into force, we studied the requirements, reviewed our existing policies and made the necessary enhancements. All that was done within a month because we already had a comprehensive structure in place and were clear as to what our obligations to stakeholders were,” Mrs Toh says.
Of course, the work does not stop there. Staff members are continually reminded to handle personal data responsibly and Mrs Toh notes that they are more mindful now when preparing reports and handling forms. Volunteers, too, are briefed on data protection policies before they are deployed and are required to sign a non-disclosure agreement which prohibits the exposure of any confidential information that they acquire in the course of their volunteer service.
Additionally, Mrs Toh insists on reviewing and updating TTSH Community Fund’s compliance policies and standard operating procedures (SOPs) every one to two years.
Evidencing the effectiveness of the team’s data protection policies, Mrs Toh was invited to share the template she had developed at a conference hosted by Charity Council in 2012, shortly after the PDPA was announced. She also gave a talk on the same subject to voluntary welfare organisations in 2014.
She says, “We don’t protect personal data just because of the law. Protecting personal data is a matter of integrity. It is every individual’s prerogative to decide how the personal data they provide can be used, so it is important for us to ask for consent.”