Guidelines and best practices in disposing of personal data
In the middle of last year, the Personal Data Protection Commission (PDPC) gave instructions to a data intermediary of an airline company and a warning to a gift company for failing to put in place reasonable security measures to keep personal data from being accidentally shared.
These two cases show that some organizations don’t pay enough attention to the proper disposal of personal data, which is an important part of taking care of personal data.
Protection Obligation (Section 24) of the Personal Data Protection Act (PDPA) says that an organization must make reasonable security arrangements to protect personal data in its possession or under its control. This is to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or other similar risks.
Some organizations don’t realize that their responsibility to protect personal data doesn’t end when any document containing it is thrown away, whether it’s on paper or in an electronic file. Personal data breaches can still caused by improper or incomplete disposals. This could lead to a fine of up to S$1,000,000 and a loss of trust and confidence from customers and potential clients.
Disposal of personal data on physical media
The right way for an organization to get rid of personal information is to change it or delete it so that it can no longer be used to identify or connect to a person. For personal information stored on paper, the right way to get rid of or destroy it is usually to shred, burn, or pulp it.
Depending on the type of information on the document, the paper may need to be shredded with a different type of shredder. When compared to a straight-cut shredder, for example, a cross-cutting or confetti shredder makes it much harder for a third party to put back together pieces of paper into the original documents.
When paper is burned, it turns into ashes. For pulping, paper is mixed with water and chemicals to break down the paper fibers so they can be recycled.
At LG Electronics Singapore, it is a rule that all paper documents that contain personal information or confidential information should not be thrown away in trash cans but instead in special, locked bins. The secure bins are locked, so only the legal and compliance department, which is also the company’s Data Protection Office and has the keys to the bins, can get the documents out.
The company’s service provider will empty the trash cans every two weeks. The documents are taken to the service provider’s truck, which has a paper shredder, and LG’s legal manager will make sure that the documents are shredded on the spot.
Ensuring proper destruction of electronic personal data
When data is stored in electronic form, organisations have to take steps to ensure that it is securely deleted, erased, or destroyed before the storage media is redeployed, exchanged, or disposed of. Total deletion or disposal of data in an electronic (re-writable) medium is commonly referred to as “sanitisation”.
Some common methods of disposal include software solutions that securely overwrite data, degaussing and destruction.
Degaussing refers to the removal of magnetic fields using a machine that destroys any magnetically recorded data. While data may be erased through the degaussing process, it can still be restored using technology when not done properly. On the other hand, destruction methods such as shredding, crushing, or incineration ensures complete destruction of the electronic medium, so there is no risk of re-use or the data being restored.
Managing third-party service providers
The organization or a third-party service provider can dispose of personal information.
It’s important to remember that the company that gives its work to a third party is still responsible for the personal information. The organization must make sure that the processing is still in line with the Protection Obligation of the PDPA even though it is being done by someone else.
The organization that outsources its processes should make sure that its contracts with third-party service providers have the necessary terms and conditions to make sure that the service providers follow the PDPA. It will also need to know how these service providers will get rid of the media and how the supply chain works further down the line.
Getting rid of data shouldn’t be taken lightly, especially if it has personal information in it. Any personal data, either physical or digital, is not safe just because it is thrown away in a trash can or on a computer’s recycle bin. The process of getting rid of information needs to be well managed and controlled so that there is less chance of it being found and accidentally shared.