Data use is becoming increasingly complex with new innovative ways to create more value out of the data. As more and more personal data is collected and processed, an increase in associated data breach risks becomes inevitable. Such personal data is not only used by organisations that individuals transact directly with, but also third-party service providers who make use of the data to fulfil different business functions. While the responsibilities can be set out and shared with such third parties, the accountability remains and cannot be delegated away from the organisation.
Operating within this data ecosystem, organisations have to ensure that they have strong personal data protection policies and good practices in place. It has become more important to demonstrate accountability, which entails embedding responsibility into an organisational culture of stewardship, in order to establish and maintain trust among organisations, consumers and other stakeholders.
Having a sound and well-thought-through foundation for data protection can help organisations avoid severe enforcement actions in the event of an unfortunate data breach. The Personal Data Protection Commission (PDPC) takes a serious view of any instance of non-compliance under the Act, and there have been multiple instances where data breaches have been brought to its attention.
In many of these breaches, after thorough investigations and considerations, the offending organisations are liable to financial penalties or are issued directions to review their policies and perform remediation actions.
There were also organisations that were investigated and did not warrant any penalty. These organisations had put in place reasonable security arrangements to protect personal data prior to the breach.
One example was showcased in an incident involving a real estate agency, CBRE. Documents containing personal data were found disposed of in a publicly accessible garbage area of an office building. These included documents related to customers’ lease agreements and payments of fees.
However, no enforcement actions were taken.
In its investigations, the PDPC found that CBRE had put in place robust and accountable policies that dealt with the retention, destruction and disposal of business records; the use and disclosure of confidential information; information security protocols; as well as security measures for physical and electronic documents. CBRE also conducted regular training for its employees and set out specific guidance on the disposal of confidential and proprietary information.
These corporate policies undertaken by CBRE are closely aligned with the PDPC's Data Protection Management Programme (DPMP), a framework that guides the implementation of management policies and processes, as well as the roles and responsibilities of the people in the organisation.
In this particular instance, negligence and improper disposal lapses by its staff had led to the breach incident despite the deliberate measures put in place by the agency. The PDPC concluded that this was not a systemic or recurring issue, that the agency had discharged its protection obligation under the PDPA prudently, and that it had therefore conducted its affairs reasonably and appropriately.
There are numerous instances where data breaches did not originate from a lapse or breach within the organisation itself. This happens increasingly as organisations outsource their data processing functions to third-party service providers as part of business optimisation.
Of particular interest here is the role of data intermediaries: parties who process personal data on behalf of an organisation but who are not employees of that organisation.
Processing refers to any operation or set of operations related to personal data. This includes the recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission, erasure or destruction of the data.
Data intermediaries, who are involved in any of these activities, include technology partners who host and process data; marketing companies that run targeted promotions and campaigns; printing companies that generate letters for your customers; and even professional photographers who take photos of your company events.
As a mandatory requirement, data intermediaries who process personal data on behalf of other organisations must adhere to obligations under the PDPA relating to the protection and retention limitation of the said personal data handled by them.
While the processing functions can be delegated, the organisation ultimately has to take accountable measures and take ownership of the way it manages data inside and outside of the organisation.
As an example, food caterer Smiling Orchid risked exposing the personal particulars of its customers on its online order preview page. It had engaged a web design and development company, T2 Web, to design its website and build a content management system to manage its bakery and catering content.
The PDPC found that there was no clear contractual appointment of the website’s security responsibilities to T2 Web. The caterer simply indicated that they had depended on the web design company to be “in charge of the site” without properly engaging the latter to provide security oversight.
“In the absence of such clarity of intent and procedures, it is risky to hold that the outsourced service provider is a data intermediary,” PDPC said in its report.
As Mr Poh Chee Yong, Data Protection Officer with ERA Singapore, pointed out, “When we hand over the data to a third party for processing, it is important that we include provisions in the written contract to clearly set out the data intermediaries’ responsibilities and obligations to ensure compliance with the PDPA.”
It is important for client organisations to clearly define respective roles and responsibilities when working with data intermediaries, and also put in place robust accountable practices to safeguard themselves in any event of a data breach. They are in the best position to put in place standard operating procedures (SOPs) to ensure proper handling of personal data by both parties.
In a case involving AIG Asia Pacific Insurance and its data intermediary Toppan Forms, the latter mailed out policy renewal letters with incorrect business reply envelopes bearing another company’s address. This could potentially result in AIG’s customers sending their personal information to the wrong recipient.
In its investigations, the PDPC found that AIG had complied with the PDPA by including the relevant personal data protection clauses in its agreement with Toppan Forms. For example, in its agreement, AIG required Toppan Forms to have “industry best practice administrative, technical and physical safeguards in place” to ensure the security and confidentiality of its clients’ personal data. As the clauses were mutually agreed by both parties, no further action was taken against AIG, whilst its data intermediary, Toppan Forms, was directed to pay a financial penalty of $5,000 for breaching the protection obligation of the PDPA.
In an incident in 2016, food caterer Fu Kwee Kitchen Catering Services had failed to detail data protection obligations in its contract with its IT service provider, Pixart. The contract was to develop an online ordering system for its corporate website and to host, support and maintain the website. Pixart processed personal data of customers as part of the online ordering system, and was held to be a data intermediary.
However, the scope of the system development did not include the implementation of security measures to protect customers’ order details and personal data. The system design was inherently vulnerable and unintentionally allowed customers’ order information to be viewed publicly without requiring any password access.
Although Fu Kwee had outsourced the website functions to Pixart, the former remained responsible for the security design of the website and for customers’ personal data, as if it had processed the personal data itself.
Post-breach actions taken by the organisation and its data intermediary help maintain trust with regulators and consumers. In Toppan Forms’ case, the company cooperated fully with the PDPC’s investigations and took prompt remedial action to prevent future breaches of a similar nature.