Here’s a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
As you conduct business, you may be required to process personal data in your possession.
Sometimes, you may even need to send such personal data to third parties or to the individuals to whom it relates.
Did you know that under the Personal Data Protection Act (PDPA), organisations (including companies) are required to make “reasonable security arrangements” to protect personal data in their possession or control from unauthorised disclosure?
Disclosure of personal data will generally be unauthorised if the individual, whom the personal data relates to, has not consented to his personal data being disclosed in such a manner.
Also, companies should not simply rely on their employees to diligently protect personal data in the company’s possession.
Instead, companies are required to go one step further and impose “reasonable security arrangements” to ensure that personal data is protected while being processed and/or sent. This is especially since companies can be held liable for their employees’ PDPA breaches.
Here is a 7-step plan (with case studies), as summarised from the Personal Data Protection Commission (PDPC)’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, on how your company can prevent unauthorised disclosure of personal data that is being processed and/or sent.
1. Train employees on proper data processing and sending procedures regularly
Companies should ensure that all employees undergo regular training to keep them updated and aware of all proper procedures for the processing and/or sending of personal data.
Employees should also be regularly reminded to comply with such procedures diligently, instead of going through the motions.
2. Ensure that employees use company software correctly
Employees should be trained and familiar with company software used for processing and/or sending of personal data. Companies should introduce clear standard operating procedures to be adhered to when using such software, such as:
- Checking that the software is properly configured before use; and
- Making sure that the correct personal data is keyed into the software.
Where the processing and/or sending of personal data has been automated by IT systems, employees should still be required to double-check that such personal data has been processed correctly and/or will be sent to the correct destination(s).
3. Ensure that only the relevant personal data is disclosed
Companies should establish a policy on how compiled sets of personal data should be sent.
For example, instead of sending out the entire set of personal data, employees could be required to extract and send only what is relevant and/or necessary to the recipient.
Where personal data is to be sent to recipients other than the individual whom such data relates to, companies should obtain that individual’s consent for the disclosure.
For the sending of mass emails, recipients’ email addresses could be placed in the email’s “BCC” field instead of the “To” or “CC” fields. This ensures that recipients’ email addresses are not disclosed to everyone on the mailing list.
Case study 1:
Travel Agency A emailed a spreadsheet containing the personal data of all individuals in the same tour group to some of those individuals, so that they could use the spreadsheet as a supporting document for their travel insurance claims. While this was done at the request of those few individuals, the rest of the tour group had not consented to such disclosure of their personal data.
This disclosure is therefore unauthorised. Instead, Travel Agency A could ensure that:
- Where customers request their personal data, employees extract only the relevant information from the company database; and
- Customers’ personal data is sent separately to each requesting customer.
Travel Agency A could also conduct regular training for its employees to keep them updated on such standard operating procedures.
Case study 2:
Retail Company A sent a mass marketing email to all its subscribers. The recipients could see everyone else’s email addresses as the email addresses were put in the email’s “To” field. However, the subscribers had not authorised Retail Company A to disclose their email addresses to other subscribers.
To prevent subscribers’ email addresses from being disclosed in such a manner, Retail Company A could:
- Establish email procedures for recipients’ email addresses to be put in the “BCC” field of emails; or
- Use a group mailing list of undisclosed recipients when sending such mass emails.
Retail Company A could also conduct regular training for its employees to keep them updated on such standard operating procedures.
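To make the difference between the two cases concrete, here is an added Python example (not part of the PDPC guide or of this article) that builds the same mass email both ways with the standard library’s email package and then inspects what the recipients would actually receive. The sender address and subscriber list are constructed placeholders.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Constructed sample subscriber list (placeholder addresses, not real data).
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]


def build_mass_email(sender: str, recipients: list, subject: str, body: str,
                     use_bcc: bool = True) -> EmailMessage:
    """Build a one-to-many email.

    use_bcc=True  puts the subscriber list in Bcc and an empty "undisclosed
                  recipients" group in To, so nobody sees anyone else's address.
    use_bcc=False reproduces the Retail Company A mistake: everyone in To.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["Subject"] = subject
    if use_bcc:
        msg["To"] = "Undisclosed recipients:;"   # RFC 5322 group with no members
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def envelope_recipients(msg: EmailMessage) -> list:
    """Addresses the SMTP client hands over in RCPT TO: To, Cc and Bcc combined.
    This is the list smtplib.send_message() derives internally."""
    addrs = []
    for name in ("To", "Cc", "Bcc"):
        if msg[name]:
            addrs.extend(a.addr_spec for a in msg[name].addresses)
    return addrs


def wire_bytes(msg: EmailMessage) -> bytes:
    """The bytes that travel to each recipient's mailbox.
    Like smtplib.send_message(), drop Bcc/Resent-Bcc before serialising."""
    clone = email.message_from_bytes(msg.as_bytes(), policy=default)
    del clone["Bcc"]
    del clone["Resent-Bcc"]
    return clone.as_bytes()


def leaked_addresses(msg: EmailMessage, recipients: list) -> list:
    """Which of the recipients' addresses are visible in the delivered message?"""
    delivered = wire_bytes(msg)
    return [r for r in recipients if r.encode() in delivered]


if __name__ == "__main__":
    for use_bcc in (False, True):
        m = build_mass_email("news@retailer.example", SUBSCRIBERS, "Sale", "Hi", use_bcc)
        print("BCC" if use_bcc else "To ", "-> visible to every recipient:",
              leaked_addresses(m, SUBSCRIBERS))
```

The envelope (what the mail server is told to deliver to) is the same in both cases; only the headers inside the delivered copy differ. Note that Bcc is stripped by the sending client, so a script that serialises the message itself and pipes it to a relay must do the stripping explicitly, as wire_bytes() does here.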
4. Ensure personal data to be sent is correct
Companies should implement procedures to ensure that employees double-check that personal data to be sent is correct. For example, where personal data is to be emailed to the recipient, employees could be required to check that:
- They are sending the correct document;
- The personal data in this document is correct; and
- They have attached this document to the email (and not another document by mistake).
5. Secure all sensitive personal data
Companies could establish an email policy for documents containing sensitive personal data to be encrypted or secured with passwords when being sent to recipients. Alternatively, the email itself could be encrypted. Where a password is used, it should be conveyed to the recipient through a separate channel (for example, by phone or SMS), not in the same email as the protected attachment, or a misdirected email discloses both together.
Companies may refer to PDPC’s Guide to Securing Personal Data in Electronic Medium for other recommendations on securing personal data which is electronically stored.
6. Ensure that destination information is correct
Destination information is information on where personal data will be sent in order to reach the recipient. It may be in the form of:
- Mailing addresses
- Email addresses
- Fax numbers
It is crucial to ensure that the destination information is correct so that only the intended recipient receives the personal data.
To achieve this, companies could consider implementing automated processing of documents containing personal data. This way, personal data can be automatically extracted from specified sources and filled into documents by software. This could reduce the risk of destination information being inaccurate, especially if such information was previously keyed in by hand.
After the relevant documents are processed, printed and sorted, additional non-automated checking mechanisms could be implemented to ensure that the destination information matches that of the intended recipient(s) before the documents are sent.
Specifically, for the sending of mass emails, employees could use mailing lists instead of manually typing every single email address, which could cause inaccuracies in destination information.
Case study 3:
(The facts of this case study are based on Aviva Ltd, a decision handed down by the PDPC in October 2017.)
An employee of insurance company Aviva mailed letters containing a policyholder’s personal data to the wrong address. Sensitive personal data, including the policyholder’s NRIC and CPF account numbers, were disclosed to the wrong person as a result.
During investigations, it was found that the only person checking the letters before they were mailed was the assigned processing employee. This constituted a “systemic weakness” in Aviva’s letter-sending procedure.
Due to the absence of second-level checks, Aviva was found to have failed to implement reasonable security measures to protect personal data, as required by the PDPA. It was fined $6,000.
Case study 4:
Medical Clinic A wanted to send Laboratory B its patients’ health records. However, as the email addresses of Laboratory B and client C began with the same few letters, the “To” field of the email was wrongly auto-completed with the email address of client C and not Laboratory B. The health records were therefore wrongly sent to client C.
To prevent such a situation from arising in the future, Medical Clinic A could:
- Require employees to password-protect documents containing sensitive personal data (such as patients’ health records);
- Disable its email software’s email address auto-complete function;
- Require employees to double-check the recipient’s email address before sending the email; and
- Configure its email software to hold outgoing emails for a few minutes after the employee has pressed the Send button, so that an email addressed to the wrong person can still be cancelled before it actually leaves the organisation, rather than relying on recalling it after delivery.
Medical Clinic A could also conduct regular training for its employees to keep them updated on its standard operating procedures relating to the emailing of documents containing sensitive personal data.
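As an added illustration (not from this article or the PDPC guide), the pre-send gate below, written in Python, turns three of those measures into checks that a mail script or client add-in could run before anything leaves the outbox: the address in the To field must match the vetted directory entry for the recipient the employee actually selected (which is what catches an auto-complete misfire), documents classed as sensitive may only go to approved domains and must be encrypted, and accepted mail waits in a hold queue for a configurable period during which it can be cancelled. The directory, approved domains and addresses are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed directory of vetted recipients, keyed by the name an employee
# would pick in the address book. Placeholder addresses; the two local parts
# share a prefix on purpose, which is what made auto-complete misfire in case study 4.
DIRECTORY = {
    "Laboratory B": "lab.results@laboratory-b.example",
    "Client C": "lab.reception@client-c.example",
}

# Domains approved to receive documents classed as sensitive (e.g. health records).
SENSITIVE_OK_DOMAINS = {"laboratory-b.example"}


@dataclass
class OutgoingMail:
    intended_recipient: str     # directory name the employee meant to send to
    to_addresses: list          # what actually ended up in the To field
    sensitive: bool             # carries sensitive personal data?
    attachment_encrypted: bool  # attachment encrypted or password-protected?


def destination_problems(mail: OutgoingMail) -> list:
    """Return every reason this mail must not be sent; an empty list means OK."""
    problems = []
    expected = DIRECTORY.get(mail.intended_recipient)
    if expected is None:
        problems.append(f"{mail.intended_recipient!r} is not a vetted recipient")
    for raw in mail.to_addresses:
        addr = raw.strip().lower()
        if expected is not None and addr != expected.lower():
            # The typed or auto-completed address is not the one on file for the
            # recipient the employee selected: exactly the client C mix-up.
            problems.append(
                f"To: {addr} does not match the directory entry for "
                f"{mail.intended_recipient} ({expected})")
        domain = addr.rpartition("@")[2]
        if mail.sensitive and domain not in SENSITIVE_OK_DOMAINS:
            problems.append(f"sensitive data addressed to unapproved domain {domain}")
    if mail.sensitive and not mail.attachment_encrypted:
        problems.append("sensitive attachment is not encrypted or password-protected")
    return problems


class HoldQueue:
    """Emulates a 'delay send' rule: accepted mail waits hold_seconds before it is
    released and can be cancelled in the meantime. Rejected mail never enters."""

    def __init__(self, hold_seconds: int = 120):
        self.hold_seconds = hold_seconds
        self._held = {}        # id -> (submitted_at, mail)
        self._next_id = 1

    def submit(self, mail: OutgoingMail, now: float):
        """Queue the mail and return its id, or None if the gate rejected it."""
        if destination_problems(mail):
            return None
        mail_id = self._next_id
        self._next_id += 1
        self._held[mail_id] = (now, mail)
        return mail_id

    def cancel(self, mail_id: int) -> bool:
        """Pull a queued mail back before it is released."""
        return self._held.pop(mail_id, None) is not None

    def release(self, now: float) -> list:
        """Return (and dequeue) every mail whose hold period has elapsed."""
        due = [i for i, (t, _) in self._held.items() if now - t >= self.hold_seconds]
        return [self._held.pop(i)[1] for i in due]


if __name__ == "__main__":
    mix_up = OutgoingMail("Laboratory B", ["lab.reception@client-c.example"], True, True)
    for problem in destination_problems(mix_up):
        print("BLOCKED:", problem)
```

The directory match is the important check: a domain allow-list alone would not have stopped the case study 4 incident if client C happened to be an approved recipient for some other purpose, whereas comparing the selected address against the entry for the recipient the employee actually chose catches any auto-complete or typing slip regardless of where it points.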
7. Use notices in communications to warn and inform recipients on personal data protection
Companies could include a notice in all emails, faxes and letters to:
- Warn recipients against the unauthorised use, retention or disclosure of personal data; and
- Inform them to delete and notify it immediately of any personal data sent to them in error.
The PDPC’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, which also includes a useful checklist of good practices to follow when processing and/or sending personal data, is fairly comprehensive. However, it is ultimately up to companies to decide which measures would be most appropriate for them to adopt, in order to suit their specific circumstances.
If you require legal advice on drafting and implementing company policies on preventing unauthorised disclosure of personal data in your company’s possession or control, feel free to get in touch with one of our data protection lawyers.