Trust is of paramount importance to a charity. “It is not only about ensuring trust with the giving public, but also the beneficiaries who need to have confidence that their personal data will not be exposed,” said Mrs Eunice Toh, Executive Director of the Tan Tock Seng Hospital (TTSH) Community Fund. This includes data such as the beneficiaries’ socioeconomic status, and the medical condition and history of patients, which is very personal.
To uphold this trust and the confidence of its stakeholders, TTSH Community Fund made a concerted move to elevate its data protection approach from compliance to accountability. This meant going beyond complying with rules, to taking proactive steps to protect personal data. “We want to strive to a higher level, and having a third party to certify our standards will make it more objective,” said Mrs Toh.
It was for this reason that TTSH Community Fund applied for the Data Protection Trustmark (DPTM) and went on to become the first charity organisation in Singapore to attain the certification.
TTSH Community Fund is the charity arm of Tan Tock Seng Hospital. It has more than 100 programmes focusing on four main areas – research and innovation, training, patient care and, most importantly, needy patients.
“We catch those cases that fall through the cracks, or where traditional charities cannot adequately help them,” said Mrs Toh.
For example, a TTSH Community Fund programme called Help Me Go Home&supports needy patients by paying for the costly breathing equipment that they will need when they are discharged. This helps to ensure they can continue to breathe properly, which in turn improves their quality of life.
The charity also helps to cover basic but necessary out-of-pocket expenses ranging from assistive equipment such as wheelchairs and walking aids to even taxi fare for the physically challenged who need to go to the hospital for follow-up consults or treatment.
As a charity, TTSH Community Fund collects personal data of donors and beneficiaries to service them better.
For example, medical social workers who refer patients to TTSH Community Fund will provide the charity with the beneficiaries’ personal particulars, some brief information on their medical condition as well as background information such as their sources of income, type of housing, number of children, family history and other related details.
TTSH Community Fund was an early adopter of the Personal Data Protection Act (PDPA). As early as 2014 when the Act came into force, it took concrete steps to protect personal data. It started with the review and development of templates, policies and standard operating procedures for personal data protection. “I got my team to sit down to think about their processes, and to review and revise policies and procedures for better and more effective buy-in and ownership,” said Mrs Toh.
For example, before featuring patients in any of its publicity materials, the staff would make it a point to be mindful about getting their permission, explaining to them exactly what information would be collected and why, and how it was going to be used.
Having thought through its policies and processes and put them into practice, TTSH Community Fund then embarked on developing its own personal data protection policy and procedures manual.
The manual was subsequently incorporated into the department’s staff on-boarding process, ensuring that new hires are in sync with the organisation’s personal data protection policies and practices. Mrs Toh also conducts regular PDPA updates through internal platforms such as weekly “roll-call” meetings and departmental meetings, to ensure that staff are kept up to date with the latest developments in the PDPA and that all issues are looked into and clarified.
Checks and references
When the DPTM was announced, Mrs Toh saw it as a good opportunity to put the organisation’s data protection policies and practices to the test. “I knew that my team had moved forward, but did we really cover all our bases? I felt it would be good to get a third party to assess this.”
Having worked in audit during the early part of her career, Mrs Toh believes in the need for checks and monitoring “to ensure that things are in good order”.
“It made sense for us to get certified, because then there is a benchmark for us to measure where we are and which areas we can improve on,” she said.
During the certification process, TTSH Community Fund found that the DPTM self-assessment portion was not a problem. “We were able to fill in the answers quite easily,” said Mrs Toh. “The real test was when the assessors came on board to validate our standards.”
“When you are being assessed, it makes you look into all aspects of personal data protection, big or small,” she said.
The organisation realised that it had certain blind spots such as the handling of personal data of staff seconded to the organisation. It took steps to ensure that data on all staff – including those who were there on secondment – was accurate and up-to-date.
By and large, however, the assessors were impressed by TTSH Community Fund’s focus on personal data protection, the effort that it had put in, the progress that it had made and its commitment to personal data protection.
A robust standard
For TTSH Community Fund, attaining the DPTM has helped the organisation build trust with its stakeholders and partners who include beneficiaries, donors, staff, vendors and the hospital itself.
“For a charity, to be trusted is integral. The DPTM is a robust standard. It shows that appropriate governance is in place where data protection is concerned. It gives people confidence in us.”
This was important not just for TTSH Community Fund but also for the charity sector as a whole, said Mrs Toh, who sits on the organisation’s board and also advises other charities. She often takes the opportunity to share her organisation’s DPTM experience with these other charities, and the response has been positive.
“They see the DPTM as a milestone achievement and expressed motivation to pursue the same for themselves. It is something tangible to strive towards and they are inspired.”
“As the charity sector moves forward with personal data protection and as more organisations get certified, personal data protection standards will naturally be raised across the industry as a whole,” said Mrs Toh. In the process, public trust will be strengthened. “We are all here to do good, all serving the community, so at the end of the day, everyone gains. I think that is fantastic.”
Brought to you by