Confronting Potential Data Breach - A Test of Leadership and Integrity - Part 2

In the domain of non-profit organizations, the protection of sensitive data is paramount. As charities handle a wealth of personal information, including that of beneficiaries, donors, and volunteers, maintaining data security is not just a legal obligation but also a moral imperative.

In this part, I will explore the events surrounding a potential data breach, the actions I took to address it, and the repercussions I faced. This is not an attempt to bring down the organization but rather to share my real experience and provide insights for fellow charity members to learn from.

The Beginning

Early this year, I was approached by a couple of board members requesting to hand over some important documents containing personal data. I advised them to formally raise the request during the next board meeting.

To my surprise, no such request was made or raised in subsequent meetings.

The Potential Data Breach

Around May 2023, another board member insisted on immediate access to the same files. I proposed seeking approval from all board members via email, which was rejected. It was then suggested that I hand over the documents to our newly certified IT Manager, a DPO. I expressed my concerns about the lack of policies and procedures, as he had only just obtained his DPO certification. The board member persisted, emphasizing that as the ED, I should not hold onto sensitive data.

He then raised the possibility of a data breach among board members. I requested more details and expressed my concern about his involvement, given that his current position on the board presented a conflict of interest.

Their constant interest in these documents piqued my curiosity.

I posed several basic questions: How was the board member certain that there was a data breach? What specific actions were taken? Which guidelines supported this claim?

I suggested an independent inquiry, but my suggestion was dismissed, raising further suspicions.


Taking Swift Action to Address the Situation

Given the gravity of the situation and the potential repercussions, I promptly notified all board members. I emphasized the urgency of addressing the allegation, as a potential data breach could severely damage the organization's reputation and invite sanctions from the Personal Data Protection Commission (PDPC).

Despite my concerns, the board failed to comprehend the seriousness of the matter. In the absence of established policies, I made the difficult decision to temporarily freeze access for all staff and volunteers, to safeguard the sensitive data we handled from multiple ministries, from both residential and non-residential clients, and from donors. You know, like a reboot.

The complete Guide to Managing Data Breaches 2.0 can be downloaded from the PDPC website.

The lack of user access management, coupled with unrestricted access for board members to our offices and physical documents and case files, heightened the potential for data exposure. Additionally, our recent data protection agreement with a key ministry further underscored the urgency of addressing the situation.

I communicated the temporary access freeze to all staff and board members via email, emphasizing the need for formal access requests.

The HR and IT departments were then tasked with prioritizing staff access requests to maintain our 24/7 operations. They were to process and document all access requests, ensuring proper approval for file and office access.

The revised access arrangements for board members were as follows:

eBoard: Given the office bearers' unfettered access to sensitive information, I created a board portal specifically for them, to provide them with the necessary governance documents.

Office Bearers' office: The current office space, along with entry permissions for Office Bearers and Board Members, was temporarily put on hold. To ensure the safety of both staff and board members, and to safeguard sensitive data against unauthorized access, a dedicated meeting and conference room was moved to another unit, reserved solely for the use of board members.

Seeking External Guidance

I reached out to the National Council of Social Service (NCSS) for advice and potential funding support. They provided valuable guidance and also recommended engaging legal counsel in case of a data breach.

Subsequently, I contacted the Personal Data Protection Commission (PDPC), explaining the situation and requesting further instructions. They commended our prompt action in addressing the allegation and informed us that an investigation would not be necessary, as the files and documents remained under my control at that time.

I promptly updated all board members via email.

Taking Decisive Action to Protect Sensitive Data

With the support and funding from NCSS, we managed to engage an outsourced DPO.

We were supposed to work together on a thorough investigation, meticulously examining every access point, performing root cause analysis, and implementing stringent security measures. This included documenting procedures, establishing proper access to sensitive documents, enhancing user access management, and educating staff and board members to create awareness of data protection protocols.

The Challenges

However, not everyone welcomed these changes. The board, accustomed to unfettered access, perceived my actions as an affront to their authority. They failed to grasp the gravity of the situation and the potential consequences of a data breach.

Despite their resistance, I remained steadfast in my commitment to protecting the organization's data. I knew that compromising data security for the sake of appeasement would be a betrayal of the trust placed in us by our stakeholders and a failure to comply with our regulators.


The Humiliating Experience of Police Involvement

My unwavering stance on data protection, however, came at a personal cost. The board, blinded by their agenda, orchestrated my abrupt suspension, seizing my office and laptop and escorting me out with the help of police officers. This humiliating experience left me reeling, questioning my decision to stand up for what was right.

The trauma of being treated like a criminal, in front of my own team, was immeasurable.

Emerging Stronger from the Adversity (I hope)

Despite months of uncertainty and struggle, I am deeply grateful for the unexpected support that carried me through this challenging period. When I felt utterly alone, I was humbled by the kindness and generosity of individuals and organizations who reached out to help me back on my feet. Their compassion and selfless assistance have played an instrumental role in my recovery journey.

I am truly blessed to have been surrounded by such incredible people during this difficult time.

I chose to share my story to raise awareness about the importance of data protection in the non-profit sector. My experience highlights the delicate balance between upholding data protection responsibilities and maintaining harmonious relationships with governing bodies. It underscores the need for clear governance structures and a shared understanding of data security protocols among all stakeholders.

Key Lessons Learned

  1. Regular Training and Awareness, Awareness and Awareness: Regular training and awareness programs should be conducted for staff and board members.
  2. Legal Protection: In hindsight, I should have filed a police report upon hearing the data breach allegation, not just reporting it to PDPC.
  3. The Importance of Vigilance: In the face of potential data breaches, prompt and decisive action is crucial.
  4. Clear Data Governance Policies: Clear and comprehensive data governance policies should be established and enforced.
  5. Independent Data Protection Audit: Regular independent data protection audits should be conducted to identify and address vulnerabilities.
  6. Transparency and Communication: Open communication among all stakeholders is essential to foster trust and prevent misunderstandings.
  7. Seeking External Expertise: Engaging experts in data protection can provide invaluable guidance and support.
  8. Protecting Personal Integrity: Upholding personal integrity, even in difficult circumstances, is paramount.
  9. Insubordination Challenges: With staff reporting directly to board members, managing insubordination became a significant hurdle.

Resources available

There are several resources available for Singapore charities to obtain data protection guidelines, consultancy, funding, and frameworks. Here are some of the key options:

Data Protection Guidelines:

  1. Commissioner of Charities (COC): The COC has published a comprehensive "Data Protection Guide for Charities: Managing & Securing Electronic Personal Data" to help charities comply with the Personal Data Protection Act (PDPA) and manage electronic personal data securely.
  2. Personal Data Protection Commission (PDPC): The PDPC provides a range of resources on its website, including guides, toolkits, and templates, to help organizations implement data protection practices. See its Advisory Guidelines for the Social Service Sector.
  3. Infocomm Development Authority of Singapore (IDA): The IDA offers various cybersecurity resources, including the "Cybersecurity Essentials for Social Service Agencies and Charities" guide, to help charities protect their data from cyber threats.
  4. Data Management Guide for Social Services: This guide aims to provide guidance to Social Service Agencies and Charities on recommended practices for handling data using a data lifecycle approach, with relevant resources, guides and references.

Consultancy and Funding available:

  1. National Council of Social Service (NCSS): The NCSS provides several funding programs to support social service agencies (SSAs), including charities, in implementing data protection measures. Details are available on its Funding Support for SSAs page.
  2. Tech-and-GO!: Tech-and-GO! is an initiative by the NCSS to help SSAs adopt technology effectively. They offer consultancy services, guides, and toolkits to assist with data protection and other technology-related needs.
  3. Charities Capability Fund (CCF): The CCF aims to enhance the productivity, operational efficiency, governance and management capabilities of exempt and registered charities and Institutions of a Public Character (IPCs). More details are available on the CCF and Grants page.


In the absence of board support, I found myself isolated and vulnerable. The question lingered: Who can advocate for non-profit leaders like myself who stand firm in their commitment to data protection?

In Part 3, I will share the inquiry steps that led to my career setback and how others can learn from and avoid similar experiences. Have a great work week ahead!