Is that your name,address,phone number in the dump?

Firms throw out documents with personal data without shredding

Personal information is still being improperly collected, used and disposed of, even though there is a new law to protect personal data.

Seventy organisations - especially those in retail, healthcare and property - are under investigation following complaints that they used e-mail addresses and other personal information for marketing purposes or collected identity card and other personal details without prior consent.

If found guilty under the Personal Data Protection Act, which came into effect last July, they can be fined up to $1 million.

Another 70 complaints against retailers, property companies and various other organisations were resolved after the authorities brought together the parties and complainants to discuss the matter.

The Personal Data Protection Commission (PDPC) which enforces the Act said no financial penalties were imposed in the cases resolved.

The investigations were conducted under the Act which has two pillars: the Do Not Call (DNC) Registry and personal data protection.

Much of the initial attention was focused on the DNC Registry which was implemented in January last year and lets people opt out of having telemarketing messages sent to their mobile phones.

The personal data protection part of the Act makes it necessary for organisations to take measures to protect names, IC and passport numbers, addresses and other personal data in their possession.

This is to prevent the unauthorised collection, use and disclosure of such information.

That means these organisations must ensure that such information is properly disposed of as well.

But a recent check by The Sunday Times in the Raffles Place area found that documents containing personal information are still being thrown out in the trash from offices in high-rise buildings there.

Among other things, The Sunday Times found photocopies of passports, resumes of various professionals and details of commissions paid to property agents.

Most of the documents had the names and logos of local and foreign banks and other companies, and they included reports on industrial projects in Japan and Indonesia and project progress reports.

All were marked confidential or strictly confidential.

There were also printouts of e-mail with addresses, names and telephone numbers. The documents were dated from 2013 to this year.

Access to the rubbish bins was easy. One karung guni man, who was seen sorting out the documents into neat piles, said he would sell them to recycling companies.

Corporate information does not come under the purview of the commission, which is concerned only with personal data protection.

When told of The Sunday Times' findings, PDPC chairman Leong Keng Thai said he was very concerned.

"Organisations are strongly advised to put in place processes to ensure the proper disposal of documents containing personal data," he said.

The commission has helped to raise awareness of the requirements of the new law by working with industry groups to run briefings, workshops and seminars.

So far, more than 18,000 people from over 3,400 organisations have attended these events.

Another 7,500 people have attended work-skills qualification courses or accessed e-learning courses on the Act's requirements.

In May, the commission will conduct a personal data protection seminar, called Securing Personal Data for a Competitive Edge, aimed at organisations and companies.

Guidelines on ways to keep personal data secure and manage data breaches will be issued later this year.

Sample templates will be provided for organisations to seek consent from individuals for the collection, use or disclosure of their personal data.

Experts on personal data protection say many organisations think their job is done when they appoint a data protection officer as required by the law.

Lawyer Toh See Kiat, who has consulted for companies, charities and educational institutions on the Act, said legal compliance is only the first step.

"You need to have the tools and systems running properly in the background so that this new personal data protection policy becomes the new organisational culture," he said. "Then, and only then, is it sustainable."

Organisations have also not gone to the root of privacy breaches.

Instead, they continue to have "a deep-set resistance to changing the ways they have been collecting, using, storing and processing data", he added.

Mr Kevin Shepherdson, co-founder of personal data protection specialist Straits Interactive which provides training in compliance with the Act, said many organisations comply with the law by having data protection officers, for example.

However, these organisations do not know how to implement the Act in daily operations.

"They have to understand the data workflow, how personal data is collected, used, disclosed and then destroyed," said Mr Shepherdson.

Documents for disposal, for example, should be shredded and not tossed out with the rubbish, he said.

Mr Neil Percy, vice-president of market development of document destruction firm Shred-it, said that while many companies shred documents on their premises using their own shredding machines, the documents for disposal are not kept securely.

Instead, they are sometimes left next to the shredder or piled on desks, accessible to any passer-by, including those not authorised to view their contents.

Shredding should be done by someone authorised to see the information, he added.

PDPC's Mr Leong stressed that keeping personal data is a responsibility and may, in some cases, become a liability.

"If they don't need the information, they should dispose of it properly."