PDPC issues guide on personal data protection considerations for blockchain design and infographic on good practices to secure personal data in the cloud platform

30 August 2022

On 18 July 2022, the Personal Data Protection Commission (“PDPC”) issued the Guide on Personal Data Protection Considerations for Blockchain Design (“Guide”) and an accompanying infographic, as well as an infographic on good practices to secure personal data in the cloud platform.  

Guide and infographic on personal data protection considerations for blockchain design

The Guide aims to help organisations with blockchain adoption by clarifying how an organisation is able to comply with the Personal Data Protection Act 2012 when deploying blockchain applications to ensure a more accountable management of customers’ personal data.

Broadly, the Guide covers the policy considerations and risks associated with writing personal data on both permissionless and permissioned blockchains, and considerations for data protection by design (DPbD) approaches with respect to the storage and transmission of personal data on blockchains.

The Guide targets organisations which:

• govern, configure and operate blockchain networks and consortia (i.e. blockchain operators);
• design, deploy and maintain applications on blockchain networks (i.e. application service providers); and
• use blockchain applications (i.e. participating organisations).

PDPC also issued an infographic which sets out the following key takeaways from the Guide:

• Anticipate potential compliance issues when planning to store personal data on blockchains.
• Do not store any personal data on-chain on a permissionless blockchain, whether in-clear, encrypted or anonymised.
• Encrypt or anonymise all personal data written on-chain on a permissioned blockchain
• Use off-chain approaches to further mitigate personal data protection risks on permissionless or permissioned blockchains.

Infographic on good practices to secure personal data in the cloud platform

This infographic provides a compilation of basic good practices to avoid common types of cloud-related data breaches. For example:

• Implement robust control to cloud resources such as whitelist or allowlist IP addresses that are allowed access to cloud resources, configure “private” access for cloud resources by default, and periodically audit cloud configurations and security controls to ensure compliance with the organisation’s security policy.
• Protect cloud infrastructure against malware and phishing such as through turning on advanced protection services (e.g. Microsoft 365 advanced protection and Google Protection service) for cloud-based email server to protect incoming mail, disabling email auto-forwarding feature by default for cloud-based email server especially if the email accounts handle sensitive information, and using one-time password (OTP) or 2-Factor Authentication (2FA) / Multi-Factor Authentication (MFA) to secure administrator account(s) whose job function entails regular access to sensitive personal data or large volumes of personal data.
• Adopt good cloud security practices such as using standard key management solutions to store and manage critical keys and conducting periodic review on deletion and rotation of critical keys.

PDPC encourages organisations to start implementing the basic good practices to protect personal data in the cloud.

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg:

• PDPC announcement: Guide on personal data protection considerations for blockchain design

• Guide on personal data protection considerations for blockchain design

• Infographic on protecting personal data on blockchain

• PDPC announcement: Infographic on good practices to secure personal data in the cloud platform
• Infographic on good practices to secure personal data in the cloud platform