Executive summary

The Government Technology Agency (GovTech) recently announced that SGD 2.4 billion worth of information and communications technology (ICT) tenders will be called in fiscal year 2017. Around SGD 528 million has been set aside for cybersecurity, a large part of which will be spent on a new Government Security Operations Centre (SOC). In all, spending on analytics projects and cyber security will account for more than SGD 1 billion. The proposed investment will also support the Smart Nation Sensor Platform (SNSP), which aims to facilitate the sharing of resources and data amongst agencies to contribute to more efficient urban and operational planning as well as improve the running of city services.

The Personal Data Protection Commission (PDPC) also recently released a series of decisions that highlight the importance of having data protection officers (DPO) who can effectively develop contextualised data protection policies and translate such policies into practice. Although the PDPC did not impose financial penalties on some of these organisations this time round, these enforcement actions nevertheless demonstrate that the PDPC takes any breach of data protection obligations seriously.

Organisations interested in tendering for projects under the recently announced ICT budget, or concerned about compliance with the Personal Data Protection Act (PDPA), should consider whether their data protection policies are sound, given the potential pitfalls of dealing with big data and the increased scrutiny by the PDPC.

Government Tenders

Record SGD 2.4 billion in government technology tenders to be called in FY2017

GovTech announced on 24 May 2017 that the Singapore government will be calling for SGD 2.4 billion worth of ICT tenders in fiscal year 2017. This is to support Singapore’s digital transformation and its aspirations to become a Smart Nation, and builds on the momentum of fiscal year 2016’s SGD 2.82 billion in technology spending.

Close to half of this year’s budget will be spent on digital and data analytics projects, cyber security systems, and smart applications.

As part of Singapore’s investment into the SNSP, a tender for data analytics software and a communications backbone to link up nation-wide sensors and data centres will be called by the end of 2017. This is aimed at enhancing infrastructure that is envisioned to eventually enable use cases like video analytics for human and vehicular traffic management, and the guidance of autonomous vehicles. For example, Singapore’s 95,000 lamp posts island-wide could be equipped with sensors and navigation beacons if an ongoing pilot between the Land Transport Authority and GovTech is successful. In a recent Straits Times article,[1] Mr Chan Cheow Hoe, the Government’s chief information officer, said:

"The ability to sense everything around the country is important. We need to build a nationwide platform to allow us to make better decisions and respond quickly by analysing the data (collected)."

On the cyber security front, as much as SGD 528 million has been set aside to enhance Singapore’s response time to rising cyber security threats. A large part of this will go towards setting up the first SOC that features artificial intelligence and the analytics capabilities to detect cyber threats. The SOC will replace the Cyber-Watch Centre in responding to cyber security threats that are becoming more automated and sophisticated through the use of robots. Last year, a massive and sustained attack launched with the help of compromised “Internet of Things” devices like CCTVs and digital video recorders took down certain popular websites. Such attacks underscore the need to bolster Singapore’s threat response capabilities.

Mr Aloysius Cheang, executive vice-president of global computing security association Cloud Security Alliance, said in a Straits Times article[2] that speeding up threat response is especially important as Singapore becomes a Smart Nation: "Singapore will be subjected to all kinds of attacks that will take advantage of citizens’ connected devices – from toilet bowls to smart TVs." In all, tenders for analytics projects and cyber security will amount to more than SGD 1 billion this year.

How this may affect you

As Singapore embraces the power of big data to better provide civil services and respond to cyber security threats, there is a need to ensure that organisations entrusted with working on such initiatives protect the personal data of data subjects.

There is a growing need for such organisations to put in place strong data protection policies to deliver utility without sacrificing security. Consumers are increasingly concerned about privacy – a loss of trust translates into a loss of users. In the 2017 CIGI-Ipsos Global Survey on Internet Security and Trust,[3] most of the respondents said they would likely stop using a service because of a data breach, regardless of what information was subject to the breach.

PDPA: Enforcement action reinforces importance of data protection compliance

The PDPC's recent line of enforcement actions provides a timely reminder of the importance of ensuring ongoing compliance with the data protection policies put in place. As a result of breaching their data protection obligations, some organisations were ordered to pay financial penalties of up to SGD 10,000. These enforcement actions demonstrate that the PDPC takes any breach of data protection obligations seriously.

One case also provides guidance on how organisations that outsource data processing to intermediaries should put in place adequate security arrangements to protect personal data.

Translating policy into practice

One discernible trend from these cases is that, in order to comply with the PDPA, organisations should ensure that the data protection policies they put in place are effectively translated into practice. In one case, although an organisation had a Group Code of Conduct and Group Data Protection Policy, it was nevertheless found to be in breach of the PDPA for failing to contextualise the group-level policies to its ground operations. This resulted in an employee discarding, in a bin placed in a publicly accessible area, a partially printed flight manifest containing passenger personal data such as passengers' names and booking reference numbers (which could then be used to retrieve even more personal data, such as passengers' addresses, phone numbers and email addresses, from a web portal).

One way to ensure that policies are translated into practice is to provide employees with specific and practical guidance on handling personal data. One organisation failed to do so, leading an employee to use order forms containing personal data of other customers as packaging materials in hampers. This compromised the personal data of approximately 24 individuals.

Additionally, organisations should avoid having single points of failure that might result in a breach of the PDPA. In a recent case, due to human error, an employee did not correctly sort certain documents for further checks. As a result, statements containing the personal and financial details of two bank customers were sent to the wrong recipient.

Outsourcing and the PDPA

Beyond ensuring that its data protection policies are compliant when processing personal data in-house, an organisation should also ensure that reasonable security arrangements are put in place when outsourcing data processing to intermediaries. A recent case provides guidance on what such reasonable security arrangements are.

There, a major telecommunications company (the telco) had engaged a data intermediary to develop, maintain, and support the telco's single sign-on service. In the course of a database update, the data intermediary caused the NRIC number of one of the telco's customers to become potentially accessible by 2.78 million users. By the time the telco disabled access to the service, 2,518 users had viewed the affected customer's NRIC number.

Despite the scale of the disclosure, the telco was found not to be in breach of the PDPA, as it had put in place reasonable security arrangements to protect the personal data of its customers. First, beyond contractually requiring the data intermediary to comply with the PDPA and the telco's security policies, the telco took steps to ensure that this was put into practice. In this regard, the telco conducted annual on-site security reviews of the data intermediary's premises, required the data intermediary to confirm its continued compliance with security protocols, and conducted penetration tests on the single sign-on service. Second, the telco also gave specific instructions for the data intermediary to follow in relation to the particular database update which, had they been followed, would have prevented the incident.

In contrast, the data intermediary was found to be in breach of the PDPA. This is because although it had multiple internal security arrangements, the data intermediary did not adhere to them. This included failing to test the database script before deployment. Further, it failed to adhere to the telco's instructions that would have prevented the incident.

Factors affecting directions imposed

In addition to compliance guidance, these recent cases also reveal some factors that affect the directions imposed by the PDPC in the event of a breach of the PDPA.

The extent of the breach — While the PDPC issued a warning to an organisation for disclosing one individual's NRIC number to one person, another organisation, acting as a data intermediary, was fined SGD 10,000 for disclosing an individual's NRIC number to 2.78 million persons (of which 2,518 had actually viewed the NRIC number).

The sensitivity of the data — An organisation was directed to beef up its data protection policies after it had disclosed a customer's surname, address, phone number, and e-mail address to another customer. In contrast, another organisation, acting as a data intermediary, was fined SGD 3,000 for disclosing sensitive data such as the cash balance and information on other asset holdings of two bank customers to another customer.

How this may affect you

These enforcement decisions illustrate that data protection compliance continues to be an important priority for organisations that process personal data. In particular, where data protection policies have been implemented, we would also highlight that the designation of an individual as an organisation’s DPO should not merely be a symbolic exercise to meet the PDPA’s requirement that organisations must designate at least one DPO. The DPO should ensure that such policies are effectively implemented as well.

The PDPC emphasised that security policies and procedures are only effective when properly and consistently implemented and followed by employees. DPOs thus have an important role to play in ensuring an organisation’s compliance with the PDPA.

The PDPC’s willingness to enforce the PDPA sends a clear message to organisations in control of personal data as well as data intermediaries that the PDPC will take any breach of the data protection obligations seriously. The PDPC highlighted in its decision that it will not hesitate to take appropriate enforcement action against organisations.

Accordingly, organisations concerned about compliance with the PDPA should take immediate action to ensure compliance with their obligations under the PDPA. Organisations may consider conducting compliance audits to ensure that not only do policies put in place sufficiently address data risks, but are also effectively translated into practice by employees.