9 February, 2017
Businesses must take steps to understand how personal data might be collected, used and disclosed, and how that data would be protected, when deploying 'off the shelf' software, Singapore's data protection watchdog has said.
In revised guidance it has issued, the Personal Data Protection Commission (PDPC) said organisations "need to understand the capabilities, features and limitations of ready-made software", which it said includes 'commercial off-the-shelf' software, social media platforms and 'open source' code.
"For ready-made software, organisations should give consideration as to whether sufficient protection is provided to personal data," the PDPC said in its new guidance. "If unfamiliar, organisations should find out how the software collects, protects, uses and discloses personal data before using it. This applies to the overall software and plugins as well."
"Organisations should obtain a clear understanding of: the intended purpose of the software; how the software functions; how the software collects and processes personal data; whether the software discloses or transfers out personal data; how the software protects personal data; how to implement the software and integrate it with existing components (if necessary) of the organisation; and how to configure the software correctly," it said.
"Unless an ICT system is entirely developed from scratch and deployed under full control of the organisation, it likely makes use of ready-made components or services to some extent. While such ready-made components or services cannot be completely controlled by the organisations, Organisations should always ensure sufficient protection for the parts for which they retain control," the PDPC said.
The authority also issued revised guidance to help businesses in Singapore comply with data protection laws when building websites and disposing of personal data stored on paper and other physical media. The PDPC also issued new guidance to help businesses avoid accidentally disclosing personal data when processing and sending that data.
Data protection law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said a number of complaints that the PDPC has received since beginning its oversight of compliance with Singapore data protection rules concerned accidental disclosures by SMEs relating to websites they operate. He said it was therefore unsurprising to see the PDPC issue new guidance to address the issue.
The new guidance outlined a range of measures businesses should consider adopting to prevent personal data being sent to the wrong recipient. It said businesses should have a cross-checking process in place after documents are processed, printed or sorted to ensure the "destination information" is "correct and matches that of the intended recipient(s) prior to sending".
Businesses should also encourage staff to "perform regular housekeeping" of their "autocomplete email list" and to use "mailing lists" when sending mass emails on a regular basis to avoid errors from manually typing out email addresses, it said.
Email procedures should also be implemented to ensure that staff use the 'bcc' field for entering intended recipients' email addresses so as to not disclose those details to other people the email is being sent to, it said.
For further information, please contact:
Ian Laing, Partner, Pinsent Masons
ian.laing@pinsentmasons.com