Parents’ income tax forms, Central Provident Fund (CPF) statements, contact details – these are some examples of the personal data that childcare centre Carpe Diem @ ITE collects out of necessity.
Carpe Diem @ ITE has 178 children and 28 employees including teachers, cooks, cleaners, and administrative staff. Given the nature of the childcare business, various types of documents containing personal data are required to facilitate enrolment. Some parents even have to hand over their CPF statements or income tax forms to the centre in order to claim childcare subsidies.
But parents, employees and other stakeholders can rest assured that the information is in good hands, with the Data Protection Trustmark (DPTM) providing independent validation that the organisation has sound personal data protection policies and practices in place.
The protection of personal data is of paramount importance to Carpe Diem @ ITE. “We started paying more attention to personal data protection back in 2014, when the Personal Data Protection Act (PDPA) came into force,” said Mr Tan Kiah Hui, Centre Director and Data Protection Officer (DPO) of Carpe Diem @ ITE. “When parents place their children in our centre, they need to have the peace of mind that we will take care of their personal data.”
Children’s data, especially, is sensitive information as they are minors and their personal information requires greater care. Unintended disclosure of personal data such as their addresses, for example, could lead to safety concerns if the information were to fall into the wrong hands. These concerns provided Carpe Diem @ ITE with the impetus to go beyond mere compliance with the PDPA to making sure that it was accountable to all stakeholders in terms of its personal data protection policies and practices.
As a start, Mr Tan signed up for a basic course to understand the various obligations under the PDPA, and went on to attend an information privacy manager course.
Putting his new-found knowledge to good use, he guided the childcare centre through the process of identifying where data protection lapses may lie.
It took the centre about half a year to get its data protection policies, processes and practices sorted out. For example, prior to the review, all employees used to have open access to the children’s files. Upon realising that there had to be better access controls to prevent unintended disclosure, the centre put a stop to this practice and provided teachers access only to information that was necessary for their work, such as the children’s photographs for documentation purposes.
Measures were also put in place to address physical security, especially since most of the data held by Carpe Diem @ ITE is in hard copy. These include not just children’s and parents’ records, but also employees’ records with information such as their salaries.
To protect this data, the centre ensures that the cabinet containing files with personal data is locked at all times. Only three people have access to the key – the centre manager, an administrative staff and Mr Tan.
Besides the more obvious collection of personal data, the centre also handles a lot of worksheets which include children’s names and sometimes their photographs as well.
Previously, after a child left the centre, his or her worksheets were either thrown into wastepaper bins, or recycled without checking to see if there was any personal data on the reverse side of the paper.
With the push for better personal data protection, the centre introduced the practice of shredding all worksheets before disposing of them, to make sure that no personal or confidential information is divulged.
Carpe Diem @ ITE also emphasised staff education. “We reiterated to our staff the importance of protecting personal data,” said Mr Tan. To get them on board, he asked the staff to put themselves in other people’s shoes: Just as they would not want their information to be exposed to others, they too should take care of the personal data that they handle.
“That is where we were coming from. We want to protect personal information, not just of the children but the employees as well. Once our staff understood this, they were more willing to take the necessary steps to protect personal data.”
When the DPTM pilot was announced in July 2018, the centre decided to go for the certification. Explaining the reasons, Mr Tan said, “Can we prove to the parents and give them the assurance that we are doing our best to protect their data and their children’s data? To me, the DPTM is important. Parents can see that we are putting in our utmost effort to do the right thing.”
As part of the certification process, Carpe Diem @ ITE conducted a round of self-checks and rectifications. It found that some teachers simply placed the children’s files unattended on their tables, and had to remind them not to do so. It also put up posters to increase awareness of the importance of personal data protection.
By the time the DPTM assessor came down to check on their processes, the centre was well prepared. There were only a couple of gaps that it had to address.
For example, the assessor noted that Carpe Diem @ ITE had a retention policy but did not establish the retention period for the personal data that was being collected from employees as well as students. To rectify this, the centre set its retention period at five years and updated its retention policy accordingly.
The assessor also noted that the data protection impact assessment did not include approval from the holding company’s top management. While Carpe Diem @ ITE explained that their Centre Director Mr Tan was also the Group DPO of the Carpe Diem Holdings, and that his approval would suffice, it nonetheless went on to implement proper management approval for the impact assessment.
An ongoing journey
With Carpe Diem @ ITE certified, Mr Tan is now working with the Carpe Diem Headquarters to encourage the rest of the childcare centres in the group to apply for the DPTM. “We have to beef up our data protection standards in all our centres,” he said. “It should be a consistent, ongoing effort. We have attained the trustmark; now it is time to help other centres strive for the same standards.”
The data protection journey is an ongoing one. “We start by being compliant with the PDPA, but it doesn’t stop there. The DPTM serves as an important milestone in enabling us to demonstrate to parents and employees that we have gone beyond mere compliance to adopting accountable personal data protection practices,” said Mr Tan.