Since the Personal Data Protection Act (Cap 26 of 2012) (PDPA) came into force in 2012, many organisations have focused on only part of their obligations under the PDPA, i.e. ensuring that their policies and practices for the collection, use and disclosure of personal data are in line with the PDPA.
In 2016 and up to the date of this article, the Personal Data Protection Commission (PDPC) has issued 13 decisions relating to the failure of organisations to protect personal data. This highlights the urgent need for organisations to take steps to examine how they protect and secure personal data in their possession.
Section 24 of the PDPA requires an organisation to “make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
The lessons learnt from decided cases
The cases which were under investigation by the PDPC involved various situations where personal data was compromised due to:
- inadequate supervision of a physical process, resulting in one person’s personal data being sent to another individual;
- unauthorised access to websites, resulting in individuals’ personal data being published on the Internet;
- use of outdated software;
- failure to recognise vulnerabilities associated with software or hardware;
- failure to audit systems, carry out penetration tests and to test vulnerabilities;
- ignorance of security measures required;
- failure to remove unused user accounts;
- failure to implement secure passwords;
- failure to implement a system that enforces compliance with the password policy;
- failure to encrypt files containing personal data; and
- use of an “auto fill” function.
In many of the cases, even though the organisation had outsourced its IT services to a third-party vendor and had relied on that vendor, the organisation was found to be in breach of its obligation under Section 24 of the PDPA. The PDPC issued warnings in some cases, and the penalties meted out ranged from S$3,000 to S$50,000.
The PDPC’s message was clear: even if an organisation appoints external vendors, it remains responsible for ensuring that the vendors make reasonable security arrangements to protect the organisation’s personal data. This is in accord with Section 4(3) of the PDPA, which states that “An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.”
This puts many organisations (particularly small and medium-sized enterprises) in a quandary, as they may not have the technical expertise to understand the measures needed to protect their personal data, and so rely on vendors to assist them.
In addition to the Advisory Guidelines on Key Concepts, the PDPC has also issued the following guidelines to assist organisations to comply with the requirement to protect personal data:
- Guide to Securing Personal Data in Electronic Medium
- Guide to Disposal of Personal Data on Physical Medium
- Guide on Building Websites for SMEs
These guidelines are not binding, but set out best practices and are useful in assisting vendors and organisations in taking the necessary steps to protect personal data. The PDPC recognises that there is no “one size fits all”, and that the security arrangements that need to be implemented depend on the nature of the personal data.
In summary, the steps that an organisation should take include the following:
- take an inventory of the type of personal data it handles;
- categorise the personal data according to their sensitivity, and implement processes and policies appropriate to each type of personal data;
- conduct a risk assessment of its systems, policies, processes and practices;
- review and implement policies and physical processes, in addition to technological measures, to protect personal data;
- ensure that employees are aware of the obligation to protect personal data;
- limit access to personal data;
- implement secure passwords;
- consider encrypting passwords, files, communications, etc.;
- enable audit logs or other physical measures to trace unauthorised access;
- implement incident reporting;
- audit its own systems, policies, processes and practices, and those of its vendors; and
- test vulnerabilities.
What to do in case of a data breach
In the cases investigated by the PDPC, it appears that the PDPC is prepared to be more lenient if:
- the organisation voluntarily notified the PDPC of the data breach;
- the organisation notified the individuals concerned;
- the organisation took immediate remedial action;
- the organisation fully cooperated with the PDPC; and
- the personal data concerned is not of a highly confidential or sensitive nature.
As an organisation can be held liable if its vendors fail to make security arrangements to protect the organisation’s personal data, it is important for the organisation to ensure that its contractual arrangements with its vendors are as comprehensive as possible in protecting its position.