Written by: Scott Thiel and Carolyn Biggs
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its enforcement of the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two more in July, and is currently investigating, together with the Monetary Authority of Singapore (MAS), a recent data disposal incident involving a multinational bank. The PDPC has also publicly called on organisations to improve their data security and data protection measures, and has issued new guides, primarily focused on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
- A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
- A document processing company was fined SGD5,000 for a data breach in which 195 individuals received account statements belonging to other Singapore Exchange account holders.
- A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder’s chiropractor) in September 2015 in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of “sensitive personal data” which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As recently noted by Mr. Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces to investigate a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card (NRIC) numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of the recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on disposal of personal data on physical medium, and on building websites for small to medium enterprises.
The PDPC has also updated its guide on securing personal data in electronic medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA in relation to withdrawal of consent and access requests. Organisations are encouraged to consider the contents of the guides and updated guidelines carefully when reviewing their data handling practices.
Some interesting issues to note are:
- The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should set out specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a written undertaking on the return or deletion of personal data at the end of the engagement, and a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to that required under the PDPA.
- The PDPC’s guide on disposal of personal data on physical medium recommends that organisations ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications (for example, cross-cut rather than strip-cut) may be required depending on the category of information on the documents; unauthorised disclosure of healthcare data or financial information, for instance, is considered to have a significant impact on the individuals concerned and so warrants a more secure shred.