Personal data protection in the MCST context: 3 Case studies
MCSTs are organisations that must also comply with the PDPA. Because they process personal data, they are bound by the PDPA obligations for the protection of that data. Failure to comply can make them liable for a financial penalty and the other consequences that come with it.
The following PDPC decisions involve MCSTs; each carries lessons we can draw from their mistakes:
Breach of PDPA obligation by MCST 3400
Our first case involves MCST 3400, where the PDPC was notified that a directory containing personal data from MCST Title Plan No. 3400 could be accessed on the internet by anyone. Before the incident, the MCST had purchased a Network Attached Storage (NAS) device for file sharing among its administrative staff over the local network.
The MCST Title Plan No. 3400 directory was one of the files stored on the NAS and contained the personal data of 562 affected individuals. The organisation never intended the NAS to be connected to the internet and, before the incident, did not know that it could be reached from the internet. Upon discovery, the organisation promptly disconnected it. With this incident, luckily, the organisation was only given a warning.
What we can learn from this case is how important it is to put reasonable security measures in place to protect personal data and prevent a breach of the Protection Obligation. This includes:
- Doing code reviews and pre-launch testing before deploying any new IT feature or change to an existing IT system.
  - In this case, the new system was the NAS. Before a new IT feature or system is put into use, these checks help MCSTs find and fix bugs or misconfigurations in it. There have been a number of cases where mistakes in application code led to personal data being accidentally disclosed or accessed.
- Periodically reviewing the security of their IT systems. The scope of these security reviews should depend on how the organisation assesses its own data protection needs.
  - Such a review could have uncovered the NAS's exposure to the internet.
- Using up-to-date online vulnerability scanning tools as part of the regular security checks of their IT systems.
  - Organisations should also learn to use these tools properly, or get help from companies like Privacy Ninja that have the right expertise. Organisations that use such tools have a good chance of finding common security holes in their IT systems.
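The periodic security review recommended above can be partly automated. The following is an added example, not code from the PDPC decision or from any MCST: it audits a constructed, simplified inventory of NAS share access lists and router port-forwarding rules and reports anything that would make a supposedly LAN-only NAS reachable from outside private address space. The field names (name, allowed_clients, wan_port, lan_port, target, enabled) and the sample data are assumptions; a real NAS or router exports its configuration in its own format, so only the loading step would need adapting.

```python
"""Audit whether a NAS that should be LAN-only is reachable from the internet.

Added example, not code from the PDPC decision or any MCST. It runs over a
constructed, simplified inventory: a list of NAS share ACLs and the router's
port-forwarding rules. The field names (name, allowed_clients, wan_port,
lan_port, target, enabled) are assumptions for illustration.
"""
import ipaddress

# Address ranges that count as "inside the local network" for this check:
# RFC 1918 private space plus loopback and link-local.
INTERNAL_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample data (not from a real device). 203.0.113.0/24 is a
# documentation range, used here as a stand-in for an arbitrary public network.
NAS_LAN_ADDRESS = "192.168.10.5"
SHARES = [
    {"name": "admin-files", "allowed_clients": ["192.168.10.0/24"]},
    {"name": "title-plan-3400", "allowed_clients": ["0.0.0.0/0"]},
    {"name": "archive", "allowed_clients": ["192.168.10.0/24", "203.0.113.0/24"]},
]
PORT_FORWARDS = [
    {"wan_port": 443, "lan_port": 443, "target": "192.168.10.20", "enabled": True},
    {"wan_port": 5000, "lan_port": 5000, "target": "192.168.10.5", "enabled": True},
    {"wan_port": 445, "lan_port": 445, "target": "192.168.10.5", "enabled": False},
]


def is_internal(cidr):
    """True if every address in `cidr` lies inside one of INTERNAL_RANGES."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def audit_share_acls(shares):
    """Return shares whose ACL admits clients outside the internal ranges."""
    findings = []
    for share in shares:
        external = [c for c in share["allowed_clients"] if not is_internal(c)]
        if external:
            findings.append({"share": share["name"], "external_clients": external})
    return findings


def audit_port_forwards(rules, nas_address):
    """Return active router rules that expose the NAS to the WAN side."""
    return [
        {"wan_port": r["wan_port"], "lan_port": r["lan_port"]}
        for r in rules
        if r["enabled"] and r["target"] == nas_address
    ]


def nas_is_exposed(shares, rules, nas_address):
    """Overall verdict: any external ACL entry or any active forward to the NAS."""
    return bool(audit_share_acls(shares)) or bool(audit_port_forwards(rules, nas_address))


if __name__ == "__main__":
    for f in audit_share_acls(SHARES):
        print(f"share {f['share']!r} admits external clients: {', '.join(f['external_clients'])}")
    for f in audit_port_forwards(PORT_FORWARDS, NAS_LAN_ADDRESS):
        print(f"router forwards WAN port {f['wan_port']} to NAS port {f['lan_port']}")
    print("exposed:", nas_is_exposed(SHARES, PORT_FORWARDS, NAS_LAN_ADDRESS))
```

Two points in the design matter for a review like this. First, the check deliberately lists the trusted ranges itself rather than relying on a library's notion of "private", because documentation and reserved ranges are often classed as private even though they are not part of the MCST's network. Second, a share whose own ACL is tight can still be exposed by a router rule, which is why both the NAS configuration and the router configuration are examined together; either one alone gives a false sense of safety.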
Breach of PDPA obligation by MCST 3593 and New-E Security
Our next case involves MCST Title Plan No. 3593 and others, where the PDPC was notified of the unauthorised disclosure by New-E Security of CCTV footage recorded at the premises of MCST 3593.
This happened because an employee of New-E Security sent CCTV footage, which captured images of identifiable individuals passing through the premises, to the person who requested it. The requested footage was then uploaded online in a Facebook post. With this incident, MCST 3593 was made to pay a financial penalty of $5,000, and New-E Security was directed to put in place a data protection policy and internal guidelines, including procedures for the proper management of, and access control over, CCTV footage.
What we can take from this case is the importance of appointing a Data Protection Officer (DPO). The absence of one was the reason no data protection policies governing the disclosure of CCTV footage were in place. Appointing a DPO is not only necessary for every organisation's data compliance; it is also required under the PDPA.
A DPO could have ensured that CCTV footage was not transmitted in this way, and employee training could have been put in place to raise awareness of PDPA compliance and other relevant rules.
Breach of PDPA obligation by MCST 4375 and A Best Security Management (ABSM)
Our last case involves MCST Title Plan No. 4375 and others, where the PDPC became aware of CCTV footage uploaded online showing a glass door falling on a woman at the premises of MCST 4375.
This happened because an employee of ABSM recorded the CCTV footage of the incident and sent it to others via WhatsApp, after which it ended up on YouTube. With this incident, the PDPC found that both the MCST and ABSM were in breach of the PDPA. Luckily, they were only given directions to follow.
What we can take from this case is the importance of employee awareness of data protection policies and compliance. Employees are often the weakest link in an organisation's cybersecurity hygiene, which is why cybersecurity efforts should focus on them.
One of the directions given to MCST 4375 and ABSM was to implement the necessary policies and security arrangements for the protection of personal data and to conduct training for their employees so that such incidents do not recur.
Do’s and Don’ts for MCSTs
1. Do ensure you have people's consent, and inform them, before you share or publish their personal information, especially if it is not already public.
2. Do ensure that the MCST has all the security measures it needs to protect documents containing information that can be used to identify a person. This could mean engaging third-party providers to do vulnerability assessments before a system goes live and putting password-protection policies in place where needed.
3. Do limit the number of copies of sensitive personal information to lower the risk of breaching the PDPA.
4. Don’t assume that a hired data intermediary, like a security service, is the only one responsible for protecting personal data.
5. Don’t give out or publish more personal information, or keep it available for longer, than you need to.