Building ISO 27701:2019-Compliant Systems: Halodoc's Privacy-Centric Approach

Privacy Sep 6, 2024

Introduction

With the growing need for privacy protection, especially in healthcare, Halodoc, Indonesia's foremost healthcare platform, places a high priority on the privacy of its users. Earning ISO 27701:2019 certification demonstrates our dedication to protecting our users' privacy through international data protection standards.

This blog post describes our journey to establish a strong privacy practice and obtain ISO 27701:2019 certification. We will discuss our initial actions and management's role in staff training, policy formulation, and technology deployment. Our goal is to share real experiences that will help other organizations improve their privacy practices and acquire similar certifications.

Understanding ISO 27701:2019

What is ISO 27701:2019?

ISO 27701:2019 is an international standard that provides guidelines and requirements for developing, maintaining, and enhancing Privacy Information Management Systems (PIMS). It extends the ISO 27001 and ISO 27002 standards, with a focus on protecting personally identifiable information (PII).

Key Requirements and Objectives

The primary objectives of ISO 27701:2019 include:

  • Improving Information Security Management by extending the ISO 27001 implementation to address privacy concerns.
  • Establishing Privacy Controls by adding specific controls to protect PII and reduce privacy risk.
  • Supporting Compliance.

Benefits of ISO 27701:2019 Certification

For healthcare platforms like Halodoc, this certification offers numerous benefits:

  • Increasing Trust and Confidence: Reassures users, partners, and regulators of our commitment to global privacy standards.
  • Regulatory Compliance: Ensures adherence to national and international privacy regulations.
  • Enhanced Data Protection: Improves data security, minimizing breach risks and ensuring data accuracy and availability.
  • Operational Efficiency: Promotes efficient and effective data handling practices, improving overall operational performance.

Foundation of a Privacy Practice

Building a privacy-centric practice at Halodoc was essential for achieving ISO 27701:2019 certification. This foundation was laid through strategic actions and commitments, making privacy integral to our values and daily operations.

Recognizing the Need for a Robust Privacy Practice

The first step was understanding the necessity of strong privacy practices. Handling sensitive personal and health information required us to prioritize data protection. We conducted initial assessments, including privacy risk assessments, to evaluate our current privacy landscape and identify improvement areas.

Setting the Tone at the Top

The assessment results, particularly the impact of privacy risk on customers, the organization, and partners, drove our management's commitment. Halodoc's leadership acted on this by strategically integrating privacy and data protection as core operational requirements. A dedicated privacy governance team was tasked with the continuous development and optimization of privacy controls. Privacy was technically embedded into operations and decision-making processes.

Employee Training and Awareness

At Halodoc, building a privacy practice meant ensuring that all employees understood the importance of privacy and knew how to protect personal information. To achieve this, we developed comprehensive training programs and ongoing education initiatives.

Developing Comprehensive Training Programs

Effective privacy management involves everyone, regardless of their role.

  • Onboarding Training: New hires received training on privacy basics, data protection, and Halodoc's privacy policies.
  • Role-Specific Training: Specialized modules were created for different roles, such as in-depth data handling training for employees managing sensitive information, and privacy interaction training for customer service representatives.
  • Annual Refresher Training: Annual courses kept staff updated on changes to privacy regulations and internal policies.

Continuous Education and Awareness Campaigns

Beyond formal training, we maintained privacy awareness through continuous education campaigns.

  • Privacy Day Campaigns: These events engaged staff with various activities focused on privacy.
  • Monthly Tech Sharing Sessions: Regular sessions addressed technological aspects of privacy.
  • Awareness Campaign Tracker: An automated system for monitoring the outcomes of the awareness campaign program and coordinating with line managers.

Engaging Employees with Webinars and E-learning

To accommodate diverse learning styles, we provided a variety of training approaches.

  • Webinars: Internal specialists led these events, which covered issues such as data protection, incident response, and regulatory compliance.
  • E-Learning Modules: Flexible, self-paced learning options that include multimedia content and quizzes to increase engagement and retention.

Halodoc implemented various training programs and initiatives to ensure that all employees were aware of and concerned about privacy, building a strong privacy practice throughout the organization.

Privacy Policies and Procedures

Halodoc's ISO 27701:2019 certification required the development and implementation of precise privacy policies and procedures. These documents established a framework for handling personal information, ensuring that all employees knew their roles in protecting privacy.

Developing Clear Privacy Policies

The initial step involved creating comprehensive policies that demonstrated our commitment to data protection and compliance with regulations.

  • Policy Development: Policies were created for data collection, processing, storage, and sharing.
  • Standards Alignment: Our policies adhered to ISO 27701:2019 and Indonesia’s Personal Data Protection Law (PDP Law), ensuring both international and local compliance.
  • Stakeholder Review: We included stakeholders across the organization to review and provide feedback, ensuring the policies were practical and effective.

Documenting Procedures and Ensuring Accessibility

We developed detailed procedures to guide the implementation of our privacy practices.

  • Procedure Documentation: Each procedure was thoroughly documented, outlining steps, responsible parties, and expected outcomes. This included data handling, incident response, and data subject rights.
  • Centralized Repository: All privacy policies and procedures were stored in a centralized digital repository for easy access by employees.
  • Regular Updates: Policies and procedures were regularly reviewed and updated to reflect regulatory changes, best practices, and organizational needs. This involved periodic reviews, stakeholder consultations, and senior management approval.

Keeping Policies Current

We continuously monitor regulatory changes, adopt industry best practices, and update policies. The updated policies are consistently communicated to employees through announcements, training, and related channels to ensure compliance.

Integrating Privacy into Daily Operations

Integrating privacy into every aspect of our operations was crucial for protecting personal information and complying with ISO 27701:2019 standards. We embedded privacy into our workflows to create a privacy-centric system across the organization.

Embedding Privacy Considerations into Operations

To make privacy a core part of our operations, we adopted a privacy-by-design and privacy-by-default approach.

  • Privacy-by-Design: We ensured privacy was considered from the start of all new projects and processes. This involved conducting data protection impact assessments (DPIAs) to identify and mitigate potential privacy risks early on. One part of this approach is described in Implementing Privacy by Design Through Privacy Checkpoint in CI Pipeline.
  • Privacy-by-Default: We implemented default settings and configurations that prioritized privacy. Data collection forms were designed to minimize data collection, and our applications had the highest level of protection set by default.

Privacy by Design and Default in Product Development and Service Delivery

We take a disciplined approach to integrating privacy into our product development and service delivery operations.

  • Design Review: Regular design reviews with privacy specialists, engineers, and product teams ensure that privacy standards are integrated into all projects.
  • Data Minimization: We collect only the personal data required for defined purposes, lowering risks and ensuring compliance with data protection legislation.
  • User Consent: We make certain that our consent processes are transparent and easy to understand, allowing users to make informed decisions about their data.

Performing Regular Data Protection Impact Assessments, Risk Assessments, and Audits

We conduct DPIAs, risk assessments, and audits on a regular basis to ensure strong privacy protections.

  • Data Protection Impact Assessments (DPIAs): We conduct DPIAs for new projects that involve major modifications to our platform, services, or activities, as well as for new data processing activities. We use Jira Service Management to handle DPIA requests.
  • Privacy Risk Assessments: We regularly assess the privacy risks in our data processing activities, detecting and minimizing potential issues.
  • Internal audits: We conduct regular internal audits to evaluate the effectiveness of our privacy policies and verify compliance with ISO 27701:2019.
  • Continuous Improvement: Results from DPIAs, risk assessments, and audits drive continuous improvement. We adjust policies, processes, and controls to close any gaps or issues they reveal.

By incorporating privacy into our daily operations, Halodoc ensures that privacy concerns are addressed in all tasks and activities. This approach was critical to achieving ISO 27701:2019 certification and to instilling a strong privacy practice in our organization.

Technology and Data Management

Utilizing Technology to Enhance Privacy and Data Protection

Technology is crucial in protecting personal information.

Implementing Robust Data Management and Security Measures

Effective data management is important to maintain data integrity and confidentiality.

Leveraging Encryption and Access Controls to Safeguard Data

Our data protection efforts are bolstered by encryption and access controls.

  • Encryption Technologies: Advanced encryption protects sensitive data both at rest and in transit.
  • Access Control Mechanisms: Strict access controls, including multi-factor authentication and regular access reviews, limit data access to authorized personnel. This approach is detailed in Data Access Protection in Data Lake using AWS Lake Formation.

Engaging with Stakeholders

We ensure transparency and accountability in our privacy practices by clearly communicating our data protection policies to customers and partners. We maintain open channels for privacy-related inquiries and conduct regular audits and third-party reviews. This approach allows us to continuously improve our privacy measures and build trust with all stakeholders.

Audit and Certification Process

The journey to achieving ISO 27701:2019 certification was a meticulous process that required careful preparation and thorough internal reviews.

Mandatory Requirement for ISO 27001 Certification

Before we could pursue ISO 27701:2019, we needed ISO 27001 certification. ISO 27701 builds on ISO 27001, extending its framework to include privacy information management. How we implement ISO 27001 is described in ISO 27001 based Information Security Management System in Halodoc.

Preparing for the Audit: Gap Analysis, Internal Audits, and Pre-Assessment Checks

Preparation was crucial for a smooth certification process. We started with:

  • Gap Analysis: We identified areas needing improvement to address potential non-conformities and strengthen our privacy management system.
  • Internal Audits: These audits helped us evaluate compliance with ISO 27701:2019 by reviewing our privacy policies, procedures, and controls.
  • Pre-Assessment Checks: Prior to the external audit, we carried out pre-assessment checks. These checks gave us a final picture of our readiness.

The External Audit: Stages, Interactions, and Key Focus Areas

The external audit had several key stages:

  • Stage 1: Documentation Review: Auditors reviewed our mandatory documents to ensure they met the standards and to familiarize themselves with our organization. This helped them prepare a detailed audit plan.
  • Stage 2: Implementation Assessment: Auditors verified our privacy management system through virtual interviews, remote observations, and digital inspections.
  • Interactions with Auditors: We maintained open and transparent communication, providing necessary information and addressing queries promptly to facilitate a smooth audit process.
  • Key Focus Areas: Auditors concentrated on a few key areas, assessing how well privacy practices were integrated into our daily operations and how we complied with regulations.

Achieving Certification

At the end of the audit, we were pleased to be found compliant with the ISO 27701:2019 standard. This validated our privacy management system's effectiveness, confirming that Halodoc meets high standards for managing personal information.

Through meticulous preparation, transparent communication, and strong privacy practices, Halodoc successfully achieved ISO 27701:2019 certification. Our focus now is on maintaining compliance and continuously improving our privacy management system.

Maintaining Certification

Achieving ISO 27701:2019 certification was an important step for Halodoc, but our commitment to compliance and continuous improvement is ongoing.

Continuous Monitoring and Improvement

Maintaining certification requires ongoing vigilance and enhancement of privacy practices.

  • Regular Audits and Reviews: We frequently conduct internal audits to ensure our privacy management system remains effective and compliant. These audits help identify areas for improvement.
  • Continuous Improvement Program: Feedback from audits, regulatory updates, and industry best practices guide our continuous improvement efforts. We update our policies, procedures, and controls regularly to address new challenges and risks.
  • Ongoing Training: Continuous education and training keep our employees aware of their privacy responsibilities and any new regulatory requirements.

Future Plans and Commitments

Our dedication to privacy and data protection goes beyond certification.

  • Adopting New Technologies: We are always exploring and adopting new technologies as needed to improve our data protection capabilities.
  • Engaging with Experts: We stay up to date on the latest trends and best practices in privacy management by speaking with privacy experts and participating in industry discussions.
  • Proactive Risk Management: Regular updates to our risk assessments and mitigation strategies allow us to stay ahead of emerging threats to personal data.

Halodoc maintains its ISO 27701:2019 certification by constantly reviewing, upgrading, and developing our privacy procedures, which also reaffirms our dedication to protecting personal information. This continual effort sets a high benchmark for the healthcare industry and beyond.

Conclusion

Achieving ISO 27701:2019 certification was a major milestone for Halodoc, showcasing our commitment to privacy and data protection and setting a new standard in the healthcare sector. Reflecting on our path, several critical steps stand out:

  • Leadership Commitment: Strong support from top management was essential.
  • Comprehensive Training: Ensured everyone understood their role in data protection.
  • Robust Policies: Provided a solid framework for managing personal data.
  • Daily Integration: Embedded privacy into daily operations.
  • Advanced Technology: Enhanced data protection capabilities.
  • Stakeholder Engagement: Built trust through transparency.
  • Audit Preparation: Conducted gap analyses and internal audits for a seamless certification process.

About Halodoc

Halodoc is the number one all-round healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 3500+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals, allowing patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek, and many more. We recently closed our Series D round and in total have raised around USD$100+ million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalised for all of our patients' needs, and we are continuously on a path to simplify healthcare for Indonesia.

Raden Tjokro Partono

Data Privacy Manager | Halodoc