10 Simple Steps to Secure Personal Data in Your Organisation’s IT Systems
Article By Ronald JJ Wong and Douglas Pang.
Fines for breaches of the Personal Data Protection Act 2012 (“PDPA”) are going to get heftier: up to 10% of annual Singapore turnover or up to S$1 million (whichever is higher).
This year, SPH Magazine was fined S$26,000 because a hacker accessed the account of a moderator of HardwareZone and attempted to view user profiles more than 700,000 times. The problem? The account password was simple and unchanged for 10 years.
We set out 10 simple steps to secure your organisation’s information technology (IT) systems to reduce the risk of PDPA breaches.
1. Set Strong Passwords
Require your staff to set strong passwords of at least 8 characters, containing at least 1 alphabetical character and 1 numeric character. Passwords should not refer to the organisation’s or the user’s name (Re Chizzle Pte Ltd [2020] SGPDPCR 1). If deemed necessary, require two-factor authentication for accounts.
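As an added illustration (not code from the article), the following Python function checks a candidate password against exactly the policy above: minimum length, at least one letter and one digit, and no fragment of the user’s or organisation’s name, including simple digit-for-letter substitutions. The user and organisation names passed in are assumed inputs from whatever directory the organisation keeps.

```python
import re

# Common digit/symbol substitutions so that "ch1zzle" still counts as the name "chizzle".
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
# Corporate suffixes that are not meaningful name fragments.
_IGNORED = {"pte", "ltd", "llp", "inc", "co"}


def _name_fragments(name: str, min_len: int = 3) -> set[str]:
    """Split a name into lowercase word fragments worth checking (e.g. 'chizzle' from 'Chizzle Pte Ltd')."""
    words = re.split(r"[^a-z0-9]+", name.lower())
    return {w for w in words if len(w) >= min_len and w not in _IGNORED}


def check_password(password: str, user_name: str, org_name: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetical character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")

    # Compare the lowercase password and its de-obfuscated form against name fragments.
    lowered = password.lower()
    candidates = (lowered, lowered.translate(_SUBSTITUTIONS))
    for label, name in (("user", user_name), ("organisation", org_name)):
        hits = sorted(frag for frag in _name_fragments(name)
                      if any(frag in c for c in candidates))
        if hits:
            problems.append(f"contains {label} name fragment(s): {', '.join(hits)}")
    return problems
```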
2. Reset Passwords
Implement a policy or an automatic function within your domain or email server to reset or expire passwords every few months. For example, G Suite allows admins to turn on automatic password reset.
3. Encrypt Files
Require staff to encrypt files containing personal data before sending or sharing them (Institute of Singapore Chartered Accountants [2018] SGPDPC 28). Low-cost means to do so include using freeware such as 7z to compress files with password encryption. Ensure the password is given to the intended recipient in a separate email or other channel of communication.
4. Secure File Sharing
If staff need to share files containing personal data with anyone, whether internal within the organisation or external parties, ensure that files are shared securely.
In Institute of Singapore Chartered Accountants [2018] SGPDPC 28, the auto-complete function led to a staff member sending an email intended for a colleague to an external party with the same first name. Staff should be trained to double-check recipients against such errors.
For file sharing with third parties using cloud storage, private links with expiry dates should be used.
5. Penetration Testing
A penetration test is a simulated cyberattack against your IT system to check for vulnerabilities.
If your website or any IT system (application programming interface (API), frontend/backend servers) containing personal data is potentially accessible to the public, conduct a penetration test on the site or system before launch and from time to time thereafter (Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26).
If you have an IT vendor handling your website or system, instruct them in writing to conduct such tests and address the vulnerabilities.
6. Set Up a Firewall
Properly set up and configure a firewall on your server hosting your data (Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26).
You can use a web security service like Cloudflare to set up a firewall and screen unauthorised traffic.
7. Anti-Virus Software
Install anti-virus, anti-malware, anti-spyware and firewall software on every computer, device and server within the organisation and ensure continual monitoring by it. Ensure that auto-update is turned on for each of them (Marshall Cavendish Education Pte. Ltd. [2019] SGPDPC 34).
8. Update Patches
In Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26, the PDPC stated that organisations should test and apply updates and security patches as soon as they are available to the relevant components of their IT system (e.g. network devices, servers, database products, operating systems, applications, software libraries, programming frameworks and firmware). There should also be processes and people responsible for monitoring new patches and updates that become available for such components. If this cannot be done in-house, it should be expressly outsourced to an IT vendor.
9. Additional Checks and Automated Functions for Sending Routine Emails
In Matthew Chiong Partnership [2019] SGPDPC 7, a law firm employee made a typographical error in the recipients’ email addresses and sent emails containing personal data to the wrong persons. The PDPC considered that such inadvertent errors should be addressed by measures ranging from process-based supervision to technological controls, such as the “mail-merge” function in Outlook (Re Credit Counselling Singapore [2017] SGPDPC 18).
It may be impractical and commercially unrealistic for every, or even most, emails to be checked by a supervisor before being sent. Hence, a risk-based approach should be set out in a written policy and adopted. For example, emails containing a large amount of personal data could be checked by a supervisor before sending.
Hence, using mail-merge functions or third-party mailing list services or software (with an adequate level of security and personal data obligations in the engagement with the third party) would be useful, especially for routine or mass emails.
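The two failure modes described under steps 4 and 9 (auto-complete picking a different contact with the same first name, and a typo in a recipient address) can both be caught by a pre-send check. The Python below is an added example, not code from the article or any product it names; the organisation domain and the address book are constructed placeholders, and a real deployment would read them from the mail system.

```python
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.com.sg"    # assumed organisation domain (placeholder)
KNOWN_CONTACTS = {                     # constructed address book for the demo
    "john.lim@example.com.sg",
    "john.lee@partnerfirm.com.sg",
    "accounts@partnerfirm.com.sg",
}


def _first_name(addr: str) -> str:
    """Local part up to the first dot, e.g. 'john' from john.lim@example.com.sg."""
    return addr.split("@", 1)[0].split(".")[0]


def check_recipients(recipients, known=KNOWN_CONTACTS, internal=INTERNAL_DOMAIN):
    """Return (address, reason) warnings to show the sender before an email
    carrying personal data goes out. An empty list means nothing needs a second look."""
    warnings = []
    for addr in recipients:
        addr = addr.strip().lower()
        if addr.count("@") != 1:
            warnings.append((addr, "malformed address"))
            continue
        domain = addr.split("@", 1)[1]
        # Personal data leaving the organisation always deserves a confirmation.
        if domain != internal:
            warnings.append((addr, "external recipient"))
        # Typo check: an unknown address that is almost identical to a known contact.
        if addr not in known:
            closest = max(known, key=lambda k: SequenceMatcher(None, addr, k).ratio())
            if SequenceMatcher(None, addr, closest).ratio() >= 0.9:
                warnings.append((addr, f"possible typo of {closest}"))
        # Auto-complete check: another contact shares the first name, so the
        # sender should confirm this is the intended person.
        lookalikes = sorted(k for k in known
                            if k != addr and _first_name(k) == _first_name(addr))
        if lookalikes:
            warnings.append((addr, f"shares first name with {', '.join(lookalikes)}"))
    return warnings
```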
10. Install SSL and TLS Certificates on the Server
If your website or server contains personal data (even if hidden or stored in a password-secured area), install a Secure Sockets Layer (“SSL”) or Transport Layer Security (“TLS”) certificate on the server.
SSL or TLS certificates are data files that digitally bind a cryptographic key to an organisation’s details. When installed on a server, the certificate enables HTTPS (the browser shows a padlock) and allows encrypted connections between the web server and the browser. “SSL” is the legacy name; the SSL protocol versions themselves are obsolete, so the server should be configured to accept only TLS connections.
Write It All Down!
In many PDPA breach cases, organisations say they did train or brief their staff but could not produce documentary evidence of it. In Re Furnituremart.sg [2017] SGPDPC 7, the PDPC stated: “Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.”
It is an express obligation in section 12 of the PDPA for an organisation to develop and implement proper policies, to communicate them to its staff, and to make information on these policies available on request.
So, whatever PDPA compliance process or measure you implement, make sure it is written down in a policy.
Data Breach Notifications
Do note that the PDPA was recently amended to require data breach notifications. Data breaches which are likely to result in significant harm or impact or of a significant scale (generally, involving more than 500 individuals’ data) would have to be notified within a certain timeline.
Conclusion
Given the ubiquity of emails, messaging platforms and data in today’s digitised workplace, and the ease of disclosure of confidential information (intended or otherwise), it is sensible to implement a robust set of policies so as to comply with the PDPA and to protect confidential information.
The above tips are not meant to be a comprehensive guide on PDPA obligations. If you require advice on PDPA compliance, feel free to contact us.