Privacy Ninja
Understanding The Data Intermediary In Data Protection

Under the PDPA, an organization that engages a data intermediary to process personal data on its behalf will have to ensure that such processing is in compliance with the PDPA. The data intermediary will also have to ensure compliance with the PDPA. However, the PDPA does not directly impose most of the data protection obligations on a data intermediary which is processing personal data on behalf of another organization under a written contract, except for the obligations relating to the security and retention of the personal data.

Meeting the Protection Obligation with Reasonable Security Arrangements

A data intermediary must make “reasonable security arrangements” to protect personal data from unauthorized access, collection, use, disclosure, or any similar risks, even though it is processing the personal data on behalf of another organization.

PurpleForest, for example, ensures that all its employees’ laptop accounts are locked such that only the IT administrator can access the system and install any software and programmes.

“This ensures that Trojans or potential data stealing malware occurrences are kept to a minimum. It also stores its data with a corporate cloud service provider that adheres to the ISO/IEC 27001 standard for information security management.”

Mr Soh

As an additional measure, scheduled security scans are set up by the cloud service provider and within the employee’s own computer system to automatically detect malware. These security scans are conducted every two days. A compulsory password change is also enforced by the cloud service provider every three months, reducing the likelihood of external hacking. The passwords are required to include alphanumeric characters and symbols and have to be eight characters long.

Ensuring All Employees Are On Board

One common challenge that organizations face is the need to ensure that all their employees are aware of the importance of personal data protection and of the policies and processes that they have to adhere to. At MC Payment, besides having in place a User Management Policy, which governs data protection and access control processes, employees are briefed on any newly implemented data protection policies and processes, and their acknowledgment of these policies is tracked and recorded. In addition, MC Payment makes it compulsory for employees to attend in-house and external training on data protection.

No “One Size Fits All” Solution

There is no “one size fits all” solution for the protection of personal data by a data intermediary; each organization is urged to consider adopting security arrangements that are “reasonable and appropriate” in its own circumstances. The measures taken will depend on various factors such as the nature of the data, the form in which it has been collected, and the possible impact on individuals should the personal data fall into the wrong hands.

Meeting the Retention Obligation

Besides putting in place security arrangements to protect personal data, all data intermediaries are also required to meet the Retention Limitation Obligation under the PDPA. This means that they have to cease retention of documents containing personal data, or remove the means by which the personal data can be associated with specific individuals, as soon as the retention no longer serves the purpose for which the personal data was collected and is no longer necessary for legal or business purposes.
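The two outcomes the obligation allows, ceasing retention or removing the means of association, worked through as an added example (this is not code from the article or from Privacy Ninja). It assumes a hypothetical purpose registry with a retention period, a legal-hold flag and a de-identify-instead-of-delete flag per purpose; all purposes, dates and people are constructed samples.

```python
# Retention-limitation sweep: an added illustration, not code from the article.
# Purposes, retention periods, names and dates below are constructed samples.
from dataclasses import dataclass
from datetime import date, timedelta
# Direct identifiers whose removal breaks the link to a specific individual.
DIRECT_IDENTIFIERS = {"name", "nric", "email", "phone"}
@dataclass
class Purpose:
    retention_days: int                # how long the purpose needs the data
    legal_hold: bool = False           # e.g. an ongoing dispute or audit
    keep_for_statistics: bool = False  # de-identify rather than delete
@dataclass
class Record:
    purpose: str
    collected_on: date
    fields: dict
def retention_action(record, purposes, today):
    """Return 'retain', 'delete' or 'deidentify' for one record."""
    p = purposes[record.purpose]
    expiry = record.collected_on + timedelta(days=p.retention_days)
    if today < expiry or p.legal_hold:  # purpose or legal need still exists
        return "retain"
    return "deidentify" if p.keep_for_statistics else "delete"

def deidentify(fields):
    """Remove the means by which the data can be tied to an individual."""
    return {k: v for k, v in fields.items() if k not in DIRECT_IDENTIFIERS}

def sweep(records, purposes, today):
    """Apply the retention decision to each record; return what is kept."""
    kept = []
    for r in records:
        action = retention_action(r, purposes, today)
        if action == "deidentify":
            kept.append(Record(r.purpose, r.collected_on, deidentify(r.fields)))
        elif action == "retain":
            kept.append(r)
    return kept
# Hypothetical purpose registry and sample records (constructed).
PURPOSES = {
    "order_fulfilment": Purpose(retention_days=30),
    "warranty_claims": Purpose(retention_days=365, legal_hold=True),
    "delivery_analytics": Purpose(retention_days=30, keep_for_statistics=True),
}
TODAY = date(2024, 3, 10)
SAMPLE_RECORDS = [
    Record("order_fulfilment", date(2024, 1, 5), {"name": "A. Tan", "email": "a@example.com", "sku": "X1"}),
    Record("warranty_claims", date(2023, 1, 5), {"name": "B. Lim", "sku": "X2"}),
    Record("delivery_analytics", date(2024, 1, 5), {"name": "C. Ng", "phone": "000", "postal_district": "12"}),
    Record("order_fulfilment", date(2024, 3, 1), {"name": "D. Koh", "sku": "X3"}),
]
```

Running `sweep(SAMPLE_RECORDS, PURPOSES, TODAY)` deletes the expired order record, keeps the warranty record under legal hold, keeps the recent order, and strips the name and phone from the expired analytics record while keeping its postal district.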

Setting Out the Responsibilities and Obligations

Under the PDPA, organisations remain accountable for personal data that is processed on their behalf by a data intermediary. Since they hand the data over to a third party for processing, it is important that their written contract includes provisions that clearly set out the data intermediary's responsibilities and obligations, so as to ensure compliance with the PDPA.

A data intermediary is fully responsible under the PDPA for other activities which do not constitute processing personal data on behalf of another organization under the written contract, e.g. collecting any personal data on its own accord or using personal data for its own purposes, or any processing of personal data on behalf of another organization that is not pursuant to a contract made or evidenced in writing.
