PDPC: New guidance on personal data protection practices

Personal data protection

As defined by the Personal Data Protection Commission, Personal Data refers to data regarding an individual who can be identified from that data or from that data and other information to which the Organization has or is likely to have access. 

Under the Personal Data Protection Act (PDPA), these data that Organizations have access into are protected in the way of fining them when there is a data breach that occurred. The Organization usually pays a hefty fine as a consequence which ranges up to 1,000,000 SGD.

The PDPA and PDPC

The PDPA is the law imposed by the PDPC, which provides for a baseline standard of protection for personal data in Singapore. Furthermore, the PDPA complements the sector-specific legislative and regulatory frameworks, such as Insurance Act and Banking Act.

Over the years, the PDPA has been amended by the PDPC for it to be more comprehensive and for it to cover the PDPC decisions and undertakings. Currently, the PDPC released a new guidance on data protection practices to cover further such PDPC decisions and undertaking, which we will discuss in a few.

Also Read: The DNC Singapore: Looking At 2 Sides Better

Personal Data Protection Commission’s new guidance on data protection practices: The Guide, Handbook, and Checklists

The new edition of the Guide to Data Protection Practices for ICT Systems comprises data protection practices from PDPC’s past advisory guidelines and guides. It also includes the learning from PDPC decisions and undertakings, and it recommends both enhanced and basic practices that organizations include in their ICT systems, processes, and policies. 

The Checklists to Guard Against Common Types of Data Breaches was also based on PDPC decisions and undertakings regarding breaches and identified the five (5) common gaps in ICT system management and processes, which may result in a data breach.

Lastly, the PDPC also released two (2) Checklists to Guard Against Common Types of Data Breaches to assist organizations in putting in place policies and reviewing them together with technology controls and processes to avoid any mistakes caused by negligence which often results in a data breach. 

The Guide to Data Protection Practices for ICT Systems

For easy reference by the ICT team of Organizations, as well as its vendors, the new Guide on data protection practices for ICT systems has been grouped into three main sections, and it recommends the basic and enhanced ICT practices that Organizations can implement to support the data lifecycle in each stage:

• Collection of personal data, Policies, and risk management practices, covering governance; a collection of personal data; correction and accuracy of personal data; notification of purpose; managing consent; access; housekeeping of personal data; and retention of personal data
• Web applications and website security; ICT control measures, covering authentication, authorization, and passwords; database security; ICT security and testing; and computer networks.
• Compliance, monitoring, alerts, testing, and audits; standard operating procedures and ICT operations, covering security awareness; portable computing devices and removable storage media; cloud computing; and personal computers and other computing devices.

The Handbook on How to Guard Against Common Types of Data Breaches

Such Handbook composed by the PDPC identifies the five common gaps in any Organization’s ICT system management and processes based on PDPC decisions and undertakings:

1. Accounts and passwords: Accounts and passwords must be securely managed to prevent easy access to the database and cause breaches. It must only be accessed by authorized personnel, and Organizations must periodically review user accounts and remove unneeded ones. As always, to limit any risk of brute force attacks, Organizations must see to it that they implement a strong password.
2. Coding issues: There are instances that in the early phase of programming of the software, there are mistakes done which can lead to errors that can disclose the personal data of individuals. To limit this, the IT team can first design before coding and perform a thorough impact analysis, invest the effort to document all software, functional and technical specifications; and make sure that the application has been tested thoroughly and there have been code reviews done.
3. Configuration issues (including issues in code management and deployment): Many ICT systems can be configured. When such settings are unsecured, including leaving settings in their default, this can result in unintended personal data disclosure. This can be prevented by hardening system configuration and introducing changes to the settings, managing configuration settings systematically, and automating build and deployment processes.
4. Malware and phishing: Many organizations fall victim to phishing emails with malicious malware in their attachments. With its sophistication in copying a legitimate website or known company, workers can easily be deceived and end up clicking the attached file or link. To prevent this, the Organization can introduce simulated phishing exercises and educate their employees to be alert when they come across emails sent to their accounts.
5. Security and responsibility issues: In the ICT’s development and design phases, the Organization must consider the probability of breach upon testing it. In such testing, the Organization must see to it that the team will only use synthetic data and never the actual data. Furthermore, for administrative log-in for accounts, the Organization must use multi-factor authentication and require complex passwords.

Checklists to Guard Against Common Types of Data Breaches

The checklist for personal data protection practices complements the Handbook, and it aims to help Organizations:

• Enhance responsibilities during coding and security awareness; and
• Avoid any issues in coding through setting good data protection practices during the development phase of the application and support practices.

The PDPC expects that the organizations that handle personal data implement the relevant enhanced practices suggested in each section, especially those that handle large quantities of different types of personal data or data that might be more sensitive to the individuals or the organizations.

Also Read: The Data Protection Act of Singapore and how it affects businesses