When in doubt, shred documents containing personal data, says Singapore privacy watchdog

A logo of the United Overseas Bank Limited (UOB) outside a branch in Singapore's central business district. PHOTO: REUTERS

SINGAPORE - Paper containing personal information must be shredded into small pieces and not dumped in unsecured dumpsters.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be wiped clean using specialised software to avoid accidental data leaks.

The clarifications, contained in new advisory guidelines issued to organisations here on Wednesday (July 20), have come from Singapore's privacy watchdog.

"When in doubt whether the paper document contains personal data, shred the document," said the Personal Data Protection Commission.

On Tuesday (July 19), it was reported that the Monetary Authority of Singapore and the Commission were investigating United Overseas Bank for allegedly leaving unshredded documents of clients in a trash bag under a tree at Boat Quay.

The Commission said organisations should build up the habit of shredding documents among employees. It also recommended industrial shredders with cross-cutting capability, allowing paper to be sliced in at least two different directions. This creates small individual pieces of paper that are harder to reassemble. Confetti shredders, pulping by mixing paper with chemicals, and burning documents achieve similar outcomes.

The Commission also addressed in detail the risk of becoming a target for "dumpster diving" or theft, saying documents being sent for destruction should not be kept in unsecured boxes or containers.

This could be what happened in the UOB case, which is still being investigated. The trash bag containing corporate statements, individual loan applications and internal bank reports was found in June behind the bank's headquarters at Raffles Place.

Speaking on Wednesday at the fourth annual Personal Data Protection Seminar at Raffles City Convention Centre, Minister for Communications and Information Dr Yaacob Ibrahim said: "Data is the new 'oil' of the 21st century... It is no longer an option to treat data protection as an afterthought."

Even as organisations mine customer data to deliver better services or targeted marketing, they must build trust by securing the data collected, he noted.

The foundation of trust is key to innovation to spur the nation's goals to become smarter and drive greater economic value.

Commission chairman Leong Keng Thai said it will continue to educate organisations on what the best practices are with the issuing of three advisory guides.

Its Guide to Building Websites for SMEs, for one, is aimed at helping small and medium enterprises understand that they must ensure that third-party contractors adequately protect personal data from unauthorised access, among other security requirements.

The second - Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data - provides sample contractual clauses that organisations may want to consider when engaging vendors to process personal data.

The third - Guide to Disposal of Personal Data in Physical Medium - aims to educate organisations on how they should dispose of paper documents and DVDs containing personal data.

The Commission hopes that through these advisory guidelines, it can change organisations' mindset from one that focuses on merely complying with the law to one that focuses on being accountable.

On Wednesday, the Commission also launched a scheme to help SMEs defray up to 70 per cent of the costs of data protection initiatives including consultancy, training and software deployment.

In April this year, the Commission fined four organisations and warned seven others for flouting the Personal Data Protection Act. Lax security procedures were behind most of the sanctions imposed, the first time the Commission took action against rule breakers since the law took full effect in July 2014.

The heaviest fine of $50,000 was slapped on karaoke chain K Box for a data breach involving 317,000 customers, resulting in their names, contact numbers and residential addresses being posted on file sharing website pastebin.com in September 2014. Others at fault included industry body Institution of Engineers Singapore, and brand name retail chains like Metro and Challenger.

Organisations that fail to protect consumers' personal data can be fined up to $1 million per breach.