Protection Obligation: What every organization should know

What every organization should know about the Protection Obligation

Organizations should implement the necessary security measures to safeguard the personal data in their possession or under their control, as well as the storage media or devices on which such data is stored. This is done to prevent any unauthorized access, collection, use, or disclosure of such data.

This is inscribed Section 24 of the Personal Data Protection Act, which provides that “organizations should make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.”

Organizations cannot comply with the Protection Obligation using a “one-size-fits-all” approach. Each organization should consider adopting security measures that are reasonable and appropriate in the circumstances, such as taking into account the nature of the personal data, the form in which the personal data has been collected (e.g., physical or electronic), and the possible impact on the individual if an unauthorised person obtained, modified, or disposed of the personal data.

For instance, in the employment environment, it would be appropriate to assume a higher level of security for highly secret employee evaluations than for more general information about a worker’s past projects.

In practice, an organization should:

a) design and organize its security arrangements to fit the nature of the personal data held by the organization and the possible harm that could result from a security breach;
b) identify reliable and well-trained personnel responsible for ensuring information security;
c) implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying sensitivity; and
d) be prepared and able to respond to information security incidents.

In addition, organizations may find it valuable to do a risk assessment to determine whether current information security measures are adequate. In doing so, the following things may be taken into account:
a) the size of the organization and the quantity and type of personal data it has;
b) who within the organization has access to the personal data; and
c) if the personal data is or will be held or used on behalf of the organization by a third party.

Also Read: The Singapore financial services and markets bill: Everything you need to know

Breach of Protection Obligation by Trinity Christian Centre

The recent decision that was released by the PDPC involving the Trinity Christian Centre underscores the importance of exercising the Protection Obligation by the PDPA. After breaching such an Obligation, Trinity was made to pay a whopping S$20,000 fine.

In this case, the PDPC was notified on March 11, 2021, that its database servers containing personal data were infected with ransomware.

The database servers housed the data of 72,285 individuals at the time of the Incident. Each individual’s data were impacted differently and at times included their name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and description of a medical condition.

Upon the investigation done by the organization, it was revealed that it maintained an open and publicly exposed remote desktop protocol port. This was how the bad actor had access to the compromised administrator account credentials and was able to enter the organization’s network and database server, leading to the execution of the ransomware attack.

With this Incident, Trinity Christian Centre was made to pay a financial penalty of S$20,000 for breaching the data protection obligation and for failure to make reasonable security arrangements to ensure that safeguards are placed so that a ransomware infestation will not result in the future.

This decision also undertakes the importance of appointing a DPO to ensure that there is no vulnerability present in the organization’s networks and servers. It is under the DPO’s scope of work to ensure that the vulnerabilities present are patched up so that threat actors will not exploit them.

How a DPO can help organizations

The Protection Obligation is the most common obligation under the PDPA that is violated by organizations, especially SMEs. Of course, when Organizations fail to observe such obligation, a financial penalty can be imposed by the PDPC. To ensure that this will never happen to your organization, a DPO can help.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of cyber threats and instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

For instance, at Privacy Ninja, we regularly conduct a penetration testing to see if the organization’s systems can be exploited or taken advantage of, and patch it up as quickly as possible before any bad actor can do it.
DPOs complement the efforts of Organizations in making sure that the personal data collected and used is accurate. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.

As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.

Also Read: Guarding against common types of data breaches in Singapore