Dumping paper with personal info? Shred it, says watchdog

A logo of the United Overseas Bank Limited seen in Singapore's central business district on January 7.
A logo of the United Overseas Bank Limited seen in Singapore's central business district on January 7. PHOTO: REUTERS

Paper containing personal information must be shredded into small pieces and not dumped in unsecured bins.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.

These were among new advisory guidelines released yesterday by Singapore's privacy watchdog.

"When in doubt whether the paper document contains personal data, shred the document," the Personal Data Protection Commission advised.

The move followed a report on Tuesday that the Monetary Authority of Singapore and the commission were investigating United Overseas Bank (UOB) for allegedly leaving clients' unshredded documents in a trash bag under a tree in Boat Quay.

The commission said organisations should develop the habit of shredding documents among employees.

 

It also recommended shredders with cross-cutting capability, allowing paper to be sliced in at least two different directions. This creates small shreds of paper that are harder to reassemble. Confetti shredders, pulping by mixing paper with chemicals and burning documents achieve similar outcomes.

The commission also addressed the risk of "dumpster diving" - the theft of documents from bins - saying documents being sent for destruction should not be kept in unsecured boxes or containers.

This could have been what happened in the UOB case. The rubbish bag - containing corporate statements, individual loan applications and internal bank reports - was found last month behind the bank's headquarters in Raffles Place.

UOB declined to confirm or deny the report, except to say it has "strict" procedures to secure the handling and disposal of confidential information.

Speaking yesterday at the fourth annual Personal Data Protection Seminar at the Raffles City Convention Centre, Minister for Communications and Information Yaacob Ibrahim said: "Data is the new 'oil' of the 21st century... It is no longer an option to treat data protection as an afterthought."

Commission chairman Leong Keng Thai said its guidelines are part of efforts to educate organisations on the best practices. It hopes to change organisations' mindset from one that focuses on merely complying with the law to one that focuses on being accountable.

Yesterday, the commission also launched a scheme to help small and medium-sized enterprises defray up to 70 per cent of the costs of data protection initiatives.

In April, the commission hauled up 11 organisations - including karaoke chain K Box and retail chains Metro and Challenger - for lax security procedures. It was the first time that the commission took action against rule breakers since the Personal Data Protection Act took full effect in July 2014.

Organisations that fail to protect consumers' personal data can be fined up to $1 million per breach.

A version of this article appeared in the print edition of The Straits Times on July 21, 2016, with the headline 'Dumping paper with personal info? Shred it, says watchdog'. Print Edition | Subscribe