Protecting Personal Data

Do you have a personal data security policy?

Is the personal data you hold adequately classified?

Is the personal data kept in a secure manner?

Do external parties have easy access to the personal data you hold?

Do you have a remedial plan in place in the event of a breach of the PDPA?

Do you conduct regular audits on your data protection processes?

If you have outsourced contractors, are there contract clauses to ensure proper safeguards for the personal data you have disclosed to these outsourced parties?


Access to personal data should be on a need-to-know basis. You should classify and store personal data according to the different parties who may be authorised to access it.

You should take reasonable measures to keep personal data secure. This could involve physical and digital security. You should ensure there is no unauthorised access, modification, disclosure, use, copying, disposal or other such risks. See the PDPC's Guide to Securing Personal Data in Electronic Medium (updated on 20 January 2017).


You should consider having access control measures such as password protection and multi-factor authentication. Passwords should be robust and changed frequently. Appropriate destruction methods, e.g. degaussing and incinerating, may have to be employed for storage media. Computer and network systems should have sufficient defence devices and software. Transmission of personal data may have to be encrypted.

You should ensure that external parties are not able to easily access personal data. For example, visitors to your office should not be able to have sight of personal data stored in your office.

Have a remedial plan for managing personal data security breaches. See the PDPC's Guide on Managing Data Breaches.


Did You Know?

The PDPC has slapped heavy financial penalties on organisations which suffered hacking and malware attacks, resulting in PDPA breaches?

In 2016, a $50,000 fine and other directions were meted out against karaoke chain K Box Entertainment Group Pte Ltd for not putting in place sufficient security measures to protect the personal data of 317,000 members (a list of the members’ details was uploaded onto some website), for inadequate data protection policies and for the absence of a Data Protection Officer (DPO).


Its IT vendor in charge of managing its content management system, Finantech Holdings Pte Ltd, was also fined for failing to patch security vulnerabilities in K Box's IT system and for maintaining a vulnerable admin account password: "admin".