On managing Data Intermediaries and being compliant with the PDPA

Managing Data Intermediaries: Data Protection Obligations under the PDPA

The PDPA defines a Data Intermediary (DI) as an entity that handles personal information on behalf of a Data Controller (DC) under contract. The DI may perform any action or series of operations on personal data, including, but not limited to, the following:

a) recording;
b) storage;
c) organization, adaptation, or alteration;
d) retrieval;
e) combination;
f) transmission; and
g) erasure or destruction.

When processing personal data on behalf of the DC and for the DC’s objectives, a DI is subject to the Data Protection Provisions relating to the protection of personal data (Protection Obligation) and retention of personal data (Retention Limitation Obligation).

Suppose a DI uses or discloses personal data in its custody or control beyond the authority granted by the DC. In that case, the DI shall be accountable for adhering to all Data Protection Provisions under the PDPA.

Also Read: The Singapore financial services and markets bill: Everything you need to know

Understanding Data Intermediaries under Data Protection

An organization that uses a data intermediary to process personal data on its behalf must ensure compliance under the PDPA. Additionally, the data intermediary must also guarantee compliance with the said data protection law. The PDPA does not directly impose the majority of data protection requirements on a data intermediary that processes personal data on behalf of another organization under a written contract, with the exception of the protection and retention obligations.

Organizations should select the right data protection procedures to implement based on the associated data protection risk. In general, while determining the right measures to apply, organizations should evaluate the scope of the outsourcing and the sensitivity of the personal data that their DI is processing, as well as the duration of the DI contract.

Complying with the Protection Obligation with reasonable security measures

Even if it is processing personal data on behalf of another organization, a data intermediary must have “reasonable security arrangements” to protect personal data against unauthorized access, collection, use, or disclosure.

PurpleForest, for instance, ensures that all staff laptop accounts are password-protected so that only the IT administrator may install software and programs.

In addition, the cloud service provider and the employee’s computer system are configured to run scheduled security scans to detect malware automatically. Every two days, these security scans are undertaken. Every three months, the cloud service provider enforces a mandatory password change, lowering the likelihood of external hacking. The passwords must contain alphanumeric and special characters and must be eight characters long.

Ensuring that every employee is on board

A major challenge for organizations is the need to ensure that all employees understand the relevance of personal data protection and the policies and procedures they must follow.

Employees are considered the weakest link when it comes to the cybersecurity of every organization. It is because employees have access to the organization’s system, and a slight mistake on their end, such as clicking the attachment on a suspicious email, could potentially penetrate the organization by bad actors.

This is why it is necessary that each employee must be onboard the security arrangements made by the organization to ensure that there will be no loophole in its cybersecurity hygiene.

Considerations to make while choosing a DI

Under the PDPA, depending on the scope of the work and the structure of the arrangement, such third parties may be considered data intermediaries of the employing organization. An organization should be aware that if a data intermediary processes personal data on its behalf, the organization is subject to the same personal data duties under the PDPA as if it had processed the personal data directly.

The PDPC recommends that these organizations:
(i) conduct an adequate level of due diligence to ensure that a potential data intermediary is capable of complying with the PDPA; and
(ii) emphasize in written contracts the scope of work that the data intermediary will perform on their behalf and for their purposes.

How a DPO can help organizations and its DIs comply with PDPA

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). In this case, the DPO makes sure that the organization and its DIs comply with the PDPA and that instances of breaches will be limited. 

For instance, at Privacy Ninja, we help our clients understand their responsibility in managing their DIs. We always remind them that upon outsourcing a DI, the organization has the full responsibility of ensuring that such DIs comply with the Data Protection law. 

DPOs complement the efforts of Organizations in making sure that the personal data collected and used is accurate. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.

As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.

Also Read: Guarding against common types of data breaches in Singapore