Legal Bulletin February 2017



Published date: 27 Feb 2017

PDPC publishes new “Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data”

On 20 January 2017, the Personal Data Protection Commission (“PDPC”) published a new “Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data” (“Guide”) which highlights good practices for organisations that process and send physical documents or electronic communications containing personal data, be it for their own purposes, or on behalf of and for the purposes of other organisations (e.g. services handling mail merging and enveloping of documents). The protection of personal data under the Personal Data Protection Act 2012 (“PDPA”) includes preventing accidental disclosure of personal data by sending such data to the wrong recipients.
 
According to the Guide, some of the measures which organisations should consider adopting to prevent the unauthorised disclosure of personal data include:

· Ensuring that destination information is correct by:

  - Implementing automated processing of documents or communications containing personal data (e.g. merging content or populating fields from various sources), ensuring the accuracy and reliability of such processing by checking these systems and processes regularly, and where data is more sensitive, incorporating additional checking mechanisms to cater for unexpected situations and ensure that no error arises from the automated processing;

  - Establishing procedures to include additional checks following the processing, printing and sorting of documents to ensure that the destination information is correct and matches that of the intended recipient(s) prior to sending;

  - Performing regular housekeeping of any auto-complete email lists used and double-checking recipients’ email addresses before sending out any emails or documents containing personal data and/or sensitive data; and

  - Where mass emails are sent regularly, using mailing lists where possible instead of manually typing out email addresses (which may be prone to inaccuracy);

· Ensuring that personal data to be sent is correct by:

  - Setting up procedures for additional checks to ensure the right document containing personal data, or the right personal data contained in the document, is sent; and

  - When sending emails, double-checking that the right files (i.e. containing the correct personal data) are attached to the email;

· Ensuring only the relevant personal data is disclosed to the recipients by:

  - Establishing a policy for sending compiled sets of personal data of different individuals (e.g. in spreadsheets); and

  - Ensuring that consent from individuals to send their personal data to recipients other than themselves has been obtained;

· Ensuring correct usage of software by:

  - Ensuring that all emails sent externally to a group of recipients have the recipients’ email addresses placed in the “bcc” field to avoid disclosing recipients’ email addresses to all other recipients of the email;

  - Ensuring that staff are trained and familiar with the software used to process and send out documents containing personal data (e.g. staff using spreadsheets should be aware of how sorting data incorrectly may lead to errors such as mismatched name and address columns), and that staff are trained to spot any mismatched data after sorting has been carried out;

  - Establishing clear, step-by-step procedures when using software to send out emails, including ensuring that such software is configured correctly and updated regularly, and that the correct email addresses are used; and

· Minimising the impact of accidental disclosure by:

  - Establishing an email policy for documents containing sensitive personal data to be secured with passwords when sending to internal and external recipients;

  - Putting a notice in all emails, faxes and letters to warn recipients against the unauthorised use, retention or disclosure of personal data, and to inform the recipients to delete any personal data sent to them in error and notify the organisation immediately; and

  - Ensuring that new and existing staff receive regular training so that they are well apprised and updated on the proper procedures for processing and sending personal data, regularly reminding them to perform the necessary checks and not to become complacent by relying solely on automated systems, and reminding them to diligently verify any alert information instead of just “clicking through” any alerts received.
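The Guide's measures on destination accuracy, correct attachments and "bcc" use can be turned into an automated pre-send check on a mail-merge batch. The following is an added illustration written for this bulletin; it is not code from the PDPC Guide or the Guide's appendices. The record layout, the attachment naming convention (`<document>_<customer_id>.<ext>`), the internal domain `example.org` and the sample data are all constructed assumptions. It holds back any message whose address does not match the master record for that customer (the "sorted one column only" error the Guide describes), whose attachment belongs to another customer, or whose group send exposes external addresses in "to"/"cc":

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain (constructed)
# Assumed attachment naming convention: <document>_<customer_id>.<ext>
ATTACHMENT_ID = re.compile(r"_([A-Za-z]\d+)\.\w+$")


@dataclass
class Recipient:
    customer_id: str
    name: str
    email: str


@dataclass
class MergedMessage:
    customer_id: str          # the master record this message was merged for
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    body: str = ""
    attachments: list = field(default_factory=list)


# Constructed master list: the source the merge was run from.
SAMPLE_RECORDS = [
    Recipient("C1001", "Alice Tan", "alice@customer.example"),
    Recipient("C1002", "Ben Lim", "ben@customer.example"),
]

# Constructed merge output: one correct message, one where the email column was
# sorted separately from the name column, and one carrying another customer's file.
SAMPLE_MESSAGES = [
    MergedMessage("C1001", ["alice@customer.example"], body="Dear Alice Tan, ...",
                  attachments=["statement_C1001.pdf"]),
    MergedMessage("C1002", ["alice@customer.example"], body="Dear Ben Lim, ...",
                  attachments=["statement_C1002.pdf"]),
    MergedMessage("C1001", ["alice@customer.example"], body="Dear Alice Tan, ...",
                  attachments=["statement_C1002.pdf"]),
]


def build_master(records):
    """Index the master records by customer id for lookup during checks."""
    return {r.customer_id: r for r in records}


def check_destination(msg, master):
    """Every address on the message must be the one held for that customer,
    and the body must name that customer (catches mismatched columns)."""
    rec = master.get(msg.customer_id)
    if rec is None:
        return ["unknown customer_id %s" % msg.customer_id]
    problems = []
    for addr in msg.to + msg.cc + msg.bcc:
        if addr.lower() != rec.email.lower():
            problems.append("destination %s is not the address held for %s"
                            % (addr, msg.customer_id))
    if rec.name not in msg.body:
        problems.append("body does not address %s (name/address columns may be mismatched)"
                        % rec.name)
    return problems


def check_attachments(msg):
    """Each attached file must carry the same customer id as the message."""
    problems = []
    for name in msg.attachments:
        m = ATTACHMENT_ID.search(name)
        if m is None or m.group(1) != msg.customer_id:
            problems.append("attachment %s does not belong to %s" % (name, msg.customer_id))
    return problems


def check_group_visibility(to, cc):
    """A group email with external addresses in to/cc would expose every
    recipient's address to every other recipient; those belong in bcc."""
    visible = to + cc
    external = [a for a in visible if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if len(visible) > 1 and external:
        return ["%d external address(es) visible in to/cc of a group email; use bcc"
                % len(external)]
    return []


def validate_batch(messages, master):
    """Return {message index: [problems]} for messages that must be held back."""
    held = {}
    for i, msg in enumerate(messages):
        problems = (check_destination(msg, master) + check_attachments(msg)
                    + check_group_visibility(msg.to, msg.cc))
        if problems:
            held[i] = problems
    return held


if __name__ == "__main__":
    for idx, issues in validate_batch(SAMPLE_MESSAGES, build_master(SAMPLE_RECORDS)).items():
        print("HOLD message %d: %s" % (idx, "; ".join(issues)))
```

Run against the constructed batch, messages 1 and 2 are held back while message 0 passes. The check is deliberately independent of the merge tool: it compares the merge output against the master record rather than trusting the tool's own output, which is the "additional checking mechanism" the Guide asks for where data is more sensitive.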
 
In addition, the Guide highlights that organisations that outsource the processing, printing and distribution of material containing personal data (e.g. to printing companies) should ensure that their vendors have in place policies and procedures to protect the personal data, and review such policies and procedures periodically to ensure that they are observed and updated as necessary. Some of the good practices that such organisations may consider adopting are listed in Appendix 2 of the Guide and include, for example, ensuring that the vendor has policies and procedures in place that are sufficient to ensure the organisation’s compliance with the PDPA, as well as other measures to minimise the risks and impact of accidental disclosures.
 
The Guide stresses that the measures highlighted are non-exhaustive and that organisations may have unique processes which the Guide does not cover. As there is no one-size-fits-all solution for compliance, organisations should consider adopting security arrangements that are reasonable and appropriate in the circumstances.
 
In addition, the PDPC also revised the following guides with effect from 20 January 2017:
 
· Guide to Securing Personal Data in Electronic Medium: This guide has been revised to provide more guidance regarding the use of ready-made software.

· Guide on Building Websites for SMEs: PDPC has added a new section to this guide to provide more information on the use of third-party software and/or software components.

· Guide to Disposal of Personal Data on Physical Medium: The section on disposal chain control in this guide has been updated and new examples added.
 
Reference materials
 
The new and revised guides are available from the PDPC website, www.pdpc.gov.sg.
 
For further information, please contact:
 
+65 6890 7883
 
+65 6890 7627
 
+65 6890 7833
 