Here’s a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
As you conduct business, your company may be required to process personal data in its possession.
Sometimes, you may even need to send such personal data to third parties or to the individuals to whom the personal data relates.
Did you know that under the Personal Data Protection Act (PDPA), organisations (including companies) are required to make “reasonable security arrangements” to protect personal data in their possession or control from unauthorised disclosure?
Disclosure of personal data will generally be unauthorised if the individual, whom the personal data relates to, has not consented to his personal data being disclosed in such a manner.
Also, companies should not simply rely on their employees to diligently protect personal data in the company’s possession.
Instead, companies are required to go one step further and impose “reasonable security arrangements” to ensure that personal data is protected while being processed and/or sent. This is especially since companies can be held liable for their employees’ PDPA breaches.
Here is a 7-step plan (with case studies), as summarised from the Personal Data Protection Commission (PDPC)’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, on how your company can prevent unauthorised disclosure of personal data that is being processed and/or sent.
1. Train employees on proper data processing and sending procedures regularly
Companies should ensure that all employees undergo regular training to keep them updated and aware of all proper procedures for the processing and/or sending of personal data.
Employees should also be regularly reminded to comply with such procedures diligently, instead of going through the motions.
2. Ensure that employees use company software correctly
Employees should be trained and familiar with company software used for processing and/or sending of personal data. Companies should introduce clear standard operating procedures to be adhered to when using such software, such as:
- Checking that the software is properly configured before use; and
- Making sure that the correct personal data is keyed into the software.
Where the processing and/or sending of personal data has been automated by IT systems, employees should still be required to double-check that such personal data has been processed correctly and/or will be sent to the correct destination(s).
3. Ensure that only the relevant personal data is disclosed
Companies should establish a policy on how compiled sets of personal data should be sent.
For example, instead of sending out the entire set of personal data, employees could be required to extract and send only what is relevant and/or necessary to the recipient.
Where personal data is to be sent to recipients other than the individual whom such data relates to, companies should obtain that individual’s consent for the disclosure.
For the sending of mass emails, recipients’ email addresses could be placed in the email’s “BCC” field instead of the “To” or “CC” fields. This will ensure that recipients’ email addresses will not be disclosed to everyone in the mailing list.
Case study 1:
Travel Agency A emailed a spreadsheet containing personal data of all individuals in the same tour group to certain of these individuals. The purpose of doing so was so that these individuals could use the spreadsheet as a supporting document for their travel insurance claims. While this was done at the request of those few individuals, the rest of the individuals had not consented to such disclosure of their personal data.
This disclosure is therefore unauthorised. Instead, Travel Agency A could ensure that:
- Where customers request for the personal data, employees extract only the relevant information from the company database; and
- Customers’ personal data is sent separately to each requesting customer.
Travel Agency A could also conduct regular training for its employees to keep them updated on such standard operating procedures.
Case study 2:
Retail Company A sent a mass marketing email to all its subscribers. The recipients could see everyone else’s email addresses as the email addresses were put in the email’s “To” field. However, the subscribers had not authorised Retail Company A to disclose their email addresses to other subscribers.
To prevent subscribers’ email addresses from being disclosed in such a manner, Retail Company A could:
- Establish email procedures for recipients’ email addresses to be put in the “BCC” field of emails; or
- Use a group mailing list of undisclosed recipients when sending such mass emails.
Retail Company A could also conduct regular training for its employees to keep them updated on such standard operating procedures.
4. Ensure personal data to be sent is correct
Companies should implement procedures to ensure that employees double-check that personal data to be sent is correct. For example, where personal data is to be emailed to the recipient, employees could be required to check that:
- They are sending the correct document;
- The personal data in this document is correct; and
- They have attached this document to the email (and not another document by mistake).
5. Secure all sensitive personal data
Companies could establish an email policy for documents containing sensitive personal data to be encrypted or secured with passwords when being sent to recipients. Alternatively, the email itself could be encrypted.
Companies may refer to PDPC’s Guide to Securing Personal Data in Electronic Medium for other recommendations on securing personal data which is electronically stored.
6. Ensure that destination information is correct
Destination information is information on where personal data will be sent in order to reach the recipient. It may be in the form of:
- Mailing addresses
- Email addresses
- Fax numbers
It is crucial to ensure that the destination information is correct so that only the intended recipient receives the personal data.
To achieve this, companies could consider implementing automated processing of documents containing personal data. This way, personal data can be automatically extracted from specified sources and filled into documents by software. This could reduce the risk of destination information being inaccurate, especially if such information was previously keyed in by hand.
After the relevant documents are processed, printed and sorted, additional non-automated checking mechanisms could be implemented to ensure that the destination information matches that of the intended recipient(s) before the documents are sent.
Specifically, for the sending of mass emails, employees could use mailing lists instead of manually typing every single email address, which could cause inaccuracies in destination information.
Case study 3:
(The facts of this case study are based on Aviva Ltd, a decision handed down by the PDPC in October 2017.)
An employee of insurance company Aviva mailed letters containing a policyholder’s personal data to the wrong address. Sensitive personal data, including the policyholder’s NRIC and CPF account numbers, was disclosed to the wrong person as a result.
During investigations, it was found that the only person checking the letters before they were mailed was the assigned processing employee. This constituted a “systemic weakness” in Aviva’s letter-sending procedure.
Due to the absence of second-level checks, Aviva was found to have failed to implement reasonable security measures to protect personal data, as required by the PDPA. It was fined $6,000.
Case study 4:
Medical Clinic A wanted to send Laboratory B its patients’ health records. However, as the email addresses of Laboratory B and client C began with the same few letters, the “To” field of the email was wrongly auto-completed with the email address of client C and not Laboratory B. The health records were therefore wrongly sent to client C.
To prevent such a situation from arising in the future, Medical Clinic A could:
- Require employees to password-protect documents containing sensitive personal data (such as patients’ health records);
- Disable its email software’s email address auto-complete function;
- Require employees to double-check the recipient’s email address before sending the email; and
- Configure its email software to delay the sending of emails by a few minutes after the employee has pressed the Send button, to allow emails to be recalled if necessary.
Medical Clinic A could also conduct regular training for its employees to keep them updated on its standard operating procedures relating to the emailing of documents containing sensitive personal data.
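To show what steps 3 and 6 look like in practice (hiding recipients’ addresses in a mass email, and checking destination information against an approved list before anything is sent), here is a Python example written for this page. It is not code from the PDPC guide or from the article; the sender address, the subscriber list and the stray client-c address are constructed sample values, and the wrongly built “leaky” message stands in for the Retail Company A and Medical Clinic A situations above.

```python
"""Added example (not from the PDPC guide or the article): build a mass email
so that subscribers cannot see one another, then run a pre-send check that
catches (a) subscriber addresses exposed in the To/Cc headers and (b) envelope
recipients that are not on the approved mailing list (e.g. an auto-completed
wrong address, as in Case study 4)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample values for this example only.
SENDER = "newsletter@retail-company-a.example"
SUBSCRIBERS = ["alice@example.com", "bob@example.org", "carol@example.net"]
WRONG_ADDRESS = "client-c@example.com"  # auto-completed mistake, not a subscriber


def build_mass_email(sender, approved_recipients, subject, body):
    """Return (message, envelope_recipients).

    The visible To: header names only the sender's own mailbox, so the message
    carries no subscriber address. Subscribers are passed to the mail server
    separately as envelope recipients, which is what a BCC field amounts to.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # placeholder for "undisclosed recipients"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(approved_recipients)


def build_leaky_email(sender, approved_recipients, subject, body):
    """The mistake from Case study 2: every subscriber listed in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(approved_recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def header_addresses(msg):
    """All addresses visible in the To/Cc headers, lower-cased."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(values)}


def presend_check(msg, envelope_recipients, approved_recipients):
    """Return a list of problems; an empty list means the email may be sent.

    This is the 'second-level check' idea: a mechanical gate that runs before
    the Send button takes effect, independent of the employee who drafted it.
    """
    approved = {a.lower() for a in approved_recipients}
    problems = []
    exposed = header_addresses(msg) & approved
    if exposed:
        problems.append(f"subscriber addresses exposed in headers: {sorted(exposed)}")
    unapproved = {a.lower() for a in envelope_recipients} - approved
    if unapproved:
        problems.append(f"recipients not on the approved list: {sorted(unapproved)}")
    return problems


def send_if_clean(smtp, msg, envelope_recipients, approved_recipients):
    """Hand the message to an smtplib.SMTP connection only if the check passes."""
    problems = presend_check(msg, envelope_recipients, approved_recipients)
    if problems:
        raise ValueError("; ".join(problems))
    # Envelope recipients go to the server; they never appear in the headers.
    smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope_recipients)


if __name__ == "__main__":
    good, env = build_mass_email(SENDER, SUBSCRIBERS, "Sale", "Hello")
    print("correct message:", presend_check(good, env, SUBSCRIBERS) or "OK")
    leaky = build_leaky_email(SENDER, SUBSCRIBERS, "Sale", "Hello")
    print("leaky message:", presend_check(leaky, SUBSCRIBERS, SUBSCRIBERS))
    print("wrong recipient:", presend_check(good, env + [WRONG_ADDRESS], SUBSCRIBERS))
```

The check is deliberately separate from the code that builds the message: it inspects what the recipient would actually see (the headers) and where the server would actually deliver (the envelope list), which is exactly the information an employee is asked to double-check by eye under steps 4 and 6.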
7. Use notices in communications to warn and inform recipients on personal data protection
Companies could include a notice in all emails, faxes and letters to:
- Warn recipients against the unauthorised use, retention or disclosure of personal data; and
- Inform them to delete and notify it immediately of any personal data sent to them in error.
The PDPC’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, which also includes a useful checklist of good practices to follow when processing and/or sending personal data, is fairly comprehensive. However, it is ultimately up to companies to decide which measures would be most appropriate for them to adopt, in order to suit their specific circumstances.
If you require legal advice on drafting and implementing company policies on preventing unauthorised disclosure of personal data in your company’s possession or control, feel free to get in touch with one of our data protection lawyers.