How Can Companies Dispose of Documents Containing Personal Data?

Last updated on September 27, 2018

Featured image for the "How Can Companies Dispose of Documents Containing Personal Data?" article. It features a hand holding a crumpled ball of paper over a wastepaper bin.

Before throwing unwanted documents into the bin, think again.

Did you know that companies are legally obliged under the Personal Data Protection Act (“PDPA”) to properly dispose of documents containing personal data, and may be penalised if they fail to do so?

Read on to find out more.

 

View this post on Instagram

 

One man’s trash is another man’s treasure ? That’s a saying that rings true when you don’t properly dispose of documents containing personal data (data from which an individual can be identified), or confidential information. – Fun fact! ? If you snoop around the CBD, it’s possible to buy documents containing personal/ confidential data from the rag and bone men (better known as karangunis) working in the area, as they collect unshredded papers from the offices around them. If you think about it, that makes it pretty easy to get your hands on some pretty valuable information. ? – Companies are legally obligated to protect personal data in their possession or under their control, and the Commissioner for Personal Data Protection has the power to fine a company that fails to properly dispose of documents containing said personal data. – That said, simply throwing such documents away doesn’t count as proper disposal, as the information on the documents can still be read. We propose that you dispose of such documents by shredding them – that’s the cheapest and safest method. Don’t say we never say ah, protect your data! ?‍♀️ #SingaporeLegalAdvice

A post shared by SingaporeLegalAdvice.com (@singaporelegaladvice) on

Do Your Company’s Documents Contain “Personal Data”?

The PDPA defines “personal data” very broadly. Under the PDPA, personal data refers to data from which an individual can be identified.

Accordingly, information such as a person’s name, identification number and even height and gender may be regarded as personal data. It does not matter that such data may be false.

Obligation to Protect Personal Data

Under the PDPA, companies are required to make “reasonable security arrangements” to protect personal data in their possession or control from:

  • Unauthorised access;
  • Collection;
  • Use;
  • Disclosure;
  • Copying;
  • Modification;
  • Disposal; or
  • Other similar risks.

This obligation applies even to the disposal of documents, so long as the documents contain personal data.

Methods of Disposing of Documents Containing Personal Data

Personal data can be contained in 2 main forms:

  • Physical documents: e.g. paper; and
  • Electronic media: e.g. hard disks, CDs and DVDs.

Companies are required to implement policies and measures to ensure that personal data is properly disposed of, according to the form it is contained in.

How to dispose of personal data in physical documents

The Personal Data Protection Commission (“PDPC”), which administers and enforces the PDPA, recommends disposing of physical documents through one (or a combination) of the following methods:

  • Shredding: Shredding is the most commonly-used method as it is fast, safe and cost-effective. It involves cutting the physical document into pieces to make it difficult (or almost impossible) to put back together. Straight-cut shredders are not recommended as they merely cut paper into long strips. The PDPC is of the view that companies should, at the minimum, use level P-3 cross-cut shredders which cut paper into small pieces with a maximum area of 320 mm2, according to the internationally-referenced DIN 66399 security standard.
  • Incineration: Burning physical documents into ashes.
  • Pulping: Mixing physical documents with water and chemicals to break down the documents’ paper fibres.

These methods of disposal can be carried out in-house by the company itself, or by engaging an external service provider. However, companies should not leave documents containing personal data unattended while waiting for external service providers to collect them, such as leaving them at the office’s rear entrance or the ground floor of the building. This is to prevent unauthorised third-parties from gaining access to the documents’ contents.

It also goes without saying that simply throwing physical documents into the rubbish bin is not sufficient. The PDPC has fined a financial consultant $1,000 for failing to properly dispose of his clients’ policy-related documents. This was in view of how:

  • The financial consultant had merely put the documents in a plastic bag, tied it up and placed it in a rubbish bin in a residential estate;
  • The plastic bag did not have the effect of securing the documents, but merely concealed them; and
  • The documents were unshredded and intact, and it was easy for others to open the plastic bag to retrieve the documents inside (and the personal data on them).

How to dispose of personal data stored on electronic media

Personal data in electronic media can be disposed of in 2 ways:

  • Physical destruction of the media itself to render stored data inaccessible: e.g. cutting up CDs and DVDs, or smashing hard disks with a hammer until they no longer work (and cannot be repaired); or
  • Disposal of the personal data in the media only: Specialised software tools can be used to securely erase all personal data contained in the media. Deleting files by simply moving them to the computer’s “Recycle Bin” is insufficient as the files may still be recoverable (even after the “Recycle Bin” has been emptied).

Companies are free to choose their preferred method(s) of disposal, so long as the personal data contained in the medium cannot be recovered in part or full.

Companies’ Liability for Acts of Employees

Companies should take appropriate measures to ensure that employees to adhere to company policies on disposing documents containing personal data. This is because companies are liable for their employees’ breaches of the PDPA if these breaches occurred in the course of the employee’s employment with the company.

This is even if the company hadn’t approved of the employee’s acts, or didn’t even know of them in the first place.

However, companies may be able to avoid liability if they can prove that they had taken steps, as were practicable, to prevent the employees in breach from improperly disposing of documents containing personal data.

Engagement of External Service Providers

Engaging external service providers to dispose of documents containing personal data does not relieve companies of their obligation under the PDPA to protect personal data.

The responsibility ultimately remains with companies themselves to ensure that personal data on documents are protected until they are properly destroyed.

The disposal of documents containing personal data is not as simple as you may think. It is every company’s responsibility to ensure that it has implemented adequate measures and policies for disposing of documents containing personal data, so as to avoid breaching its obligation under the PDPA to protect personal data.

If you require legal advice on drafting and implementing policies on the proper disposal of company documents containing personal data, feel free to get in touch with one of our data protection lawyers.

Appointment and Removal of Company Officers and Other Key Personnel
  1. Appointing Company Directors in Singapore: Eligibility, Process etc.
  2. Managing Director vs CEO in Singapore: Roles and Obligations
  3. Guide to Directors' Remuneration in Singapore
  4. Directors' Duties in Singapore
  5. Shadow Directors: Who are They and What Duties Do They Owe to the Company?
  6. How to Remove a Director from a Company in Singapore
  7. Removal and Resignation of Company Auditor in Singapore
  8. Appointing a Company Secretary: Roles and Responsibilities
  9. Appointing an Authorised Representative for Foreign Companies in Singapore
  10. Process Agents in Singapore
Holding Meetings
  1. What are Annual General Meetings (AGMs) in Singapore?
  2. How to Hold Extraordinary General Meetings (EGMs) in Singapore
  3. How to Hold a Board Meeting in Singapore
Shareholder Matters
  1. 2 Ways to Remove a Singapore Company Shareholder ASAP
  2. Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
  3. Preparing a Register of Shareholders for a Singapore Company
  4. How to Issue Shares in a Singapore Private Company
  5. Guide to Transferring Shares in a Singapore Private Company
  6. Your Guide to Share Certificates in Singapore: Usage and How to Prepare
  7. Shareholder Rights in Singapore Private Companies
  8. Shareholder Roles and Obligations in Singapore Companies
  9. Dividend Payments Guide for Singapore Business Owners
  10. Share Transmission: What Happens If a Shareholder Dies in Singapore?
  11. How to Reduce the Share Capital of Your Singapore Company
  12. Buy-Sell Agreements: How to Write & Fund Them in Singapore
  13. Oppression of Minority Shareholders
Compliance
  1. Essential Regulatory Compliance Guide for Singapore Companies
  2. Dormant Companies and Their Filing Obligations in Singapore
  3. Anti-Money Laundering Regulations and Your Business: What You Need to Know
  4. Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
  5. Legally Conducting Lucky Draws for Singapore Businesses
  6. Restaurant Inspection and Food Safety Rules in Singapore
Company Management
  1. Does Your Company Need a Legal Team (In-House Counsel)?
  2. Acqui-Hiring of Singapore Companies: How Does It Work?
  3. How to Change the Name of Your Singapore Company
  4. Can Directors be Liable for Company Debts in Singapore?
  5. Company Loans to Directors/Shareholders in Singapore
  6. 3 Types of Insurance Every Singapore Business Needs
  7. Creating and Registering Charges in Singapore: Guide for Companies
  8. Guide to Effective Business Continuity Planning in Singapore
  9. Business Asset Sale & Disposal in Singapore: How Do They Work?
  10. Business Partnership Disputes in Singapore: How to Resolve
  11. How to Commence a Derivative Action on Behalf of a Company in Singapore
  12. Business Will: How to Pass on Your Business to Your Successors in Singapore
Company Documents
  1. Record-Keeping Requirements for Singapore Companies
  2. Company Constitutions in Singapore and How to Draft One
  3. Company Memorandum and Articles of Association
  4. Company Resolutions: What are They?
  5. Board Resolutions in Singapore
  6. Minutes of Company Meeting in Singapore: How to Record
  7. How to Set Up a Register of Controllers
  8. How to Set Up a Register of Nominee Directors
  9. Guide to Filing Financial Statements for Singapore Business Owners
  10. Filing Annual Returns For Your Business
Tax, Accounting and Audit Matters
  1. Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
  2. Start-Up Tax Exemption Guide for New Singapore Companies
  3. GST Registration: Requirements and Procedure in Singapore
  4. What is Withholding Tax and When to Pay It in Singapore
  5. Singapore Influencers: Here's How to Calculate Your Income Tax
  6. Tax Investigation of Tax-Evading Business Owners in Singapore
  7. Small Business Accounting Services in Singapore
  8. Company Audits in Singapore: Requirements and Exemptions
Data Protection
  1. Suspect a PDPA Data Breach? Here's What to Do Next
  2. Must You Notify PDPC About a Data Breach in Your Business?
  3. Summary: Your Organisation's 10 Main PDPA Obligations
  4. Essential PDPA Compliance Guide for Singapore Businesses
  5. PDPA Consent Requirements: How Can Your Business Comply?
  6. Is It Legal for Businesses to Ask for Your NRIC in Singapore?
  7. Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
  8. Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
  9. Drafting a Comprehensive Privacy Policy For Your Singapore Website
  10. GDPR Compliance in Singapore: Is it Required and How to Comply
  11. Appointing a Data Protection Officer For Your Business: All You Need to Know
  12. How Can Companies Dispose of Documents Containing Personal Data?
  13. Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
  14. How to Legally Install CCTVs for Home/Business Use in Singapore
  15. Is Web Scraping or Crawling Legal in Singapore?
  16. Legal Options If Employees Breach Confidentiality in Singapore
Marketing
  1. Dealing with Defamation of Your Business: Can You Sue?
  2. Sending Email Newsletters That Comply With Singapore Law
  3. A legal guide to drafting a social media policy for your company
  4. Your Guide to a Media Release Form in Singapore
  5. Your Guide to an Influencer Marketing Agreement in Singapore
  6. Outdoor Advertising: How to Legally Display Public Ads in Singapore
Franchising
  1. Starting a Franchise in Singapore: What Franchisors Should Look Out For
  2. Running a Franchise in Singapore: What To Look Out for as a Franchisee
Debt Restructuring
  1. What is Judicial Management and How It Works in Singapore
  2. Schemes of Arrangement: How They Work and How to Apply
  3. Informal Debt Restructuring and Workout in Singapore
Ending a Business
  1. Voluntary Suspension of Business in Singapore: How to Handle
  2. Winding Up a Singapore Company: Grounds and Procedure
  3. Closing Your Singapore Business: What You Need to Settle
  4. Striking Off a Company
  5. Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
  6. Dissolution of partnerships in Singapore
  7. What Should a Creditor Do When a Company Becomes Insolvent?
  8. How to File a Proof of Debt Against a Company in Liquidation
  9. Insolvency: Claw-Back of Assets From Unfair Preference and Undervalued Transactions
  10. Validation of Payments Made by Companies Being Wound Up