September 05, 2018

What Happens to Your Personal Data When an Organisation is Liquidated?

Have you ever wondered what happens to customers when an organisation ceases its operations? On 25th June this year, oBike abruptly announced its decision to wind up operations in Singapore[1]. Many have taken to forums and social media platforms to rally for accountability and voice refund demands. Amidst this frenzy however, are we missing the bigger picture?

The withdrawal of oBike from Singapore leaves more than a million users’ personal data unattended, as liquidation confirmations are still underway. Personal data in this case entails information from social media account details to credit card information and contact numbers, all of which are highly coveted by data mongers and criminals alike.

Who is responsible for our personal data?

According to the Personal Data Protection Act (PDPA), organisations are only allowed to hold onto personal data for as long as there is legal use for it. What happens then, when organisations cease to operate and legal responsibilities become grey and uncertain? A recent article by the TODAYOnline[2], points out that liquidators could still hold onto personal data with ambiguous accountability, justifying its necessity as refunds are still being sorted out and Singapore users are still able to utilise oBike services abroad.

With no laws that prohibit the transfer of personal data from one owner to the next as part of an asset sale, nor a specified time limit for the possession and deletion of personal data, your NRIC number, residential address or even more personal information such as food allergies or medical history could potentially be left unattended and vulnerable to the exploitation by data mongers and criminals. They can gain access to your stranded data and manipulate them for illegal activities such as money laundering and identity theft – and there is no one to point to and hold accountable when the damage is done.

Organisations need to safeguard personal and confidential data 

Working towards better transparency in handling personal data requires consistent calculated effort. With the many complications over what happens to unprotected personal data and in the face of a potential fine of up to a million dollars under the PDPA, businesses should consistently manage their customer data responsibly by adopting a regular disposal practice of unwanted data. By conscientiously destroying unwanted data, organisations can safeguard both consumer data and their own interests in the long run. 

How can Shred-it help protect your data

According to the Personal Data Protection Commission (PDPC), shredding is the most effective common mode of data destruction that is fast, safe and cost-effective. Developing a Data Security Plan for your organisation helps to document the flow of confidential information. The plan helps to identify areas of vulnerability – the first step towards making your organisation more secure. Implementing a Shred-it All Policy is important for organisations to ensure that no physical lists containing personal data can land in the wrong hands, safeguarding your organisation’s interests for the future.  

Shred-it consoles also ensure that your intact documents are kept under lock-and-key until trusted Shred-it staff pick them up to be safely shredded on organisation premises. This ensures that customer data is cleaned up and destroyed when the purposes of its retention are no longer required. A certificate of compliance to PDPA standards and protocols will also be given at the end of the data destruction process to facilitate a verifiable audit trail.

Start Protecting your Business

Organisations that are constantly on their toes and integrate personal data protection into their daily business practices can best safeguard the interests of their customers and reduce hefty costs from data breaches and the legal complications that ensue. Learn more about how Shred-it can protect your personal data by contacting us for a free quote and security assessment.

[1] The Straits Times. 2018. oBike ceases operations in Singapore, citing difficulties in meeting new LTA regulations. [ONLINE] Available at: https://www.straitstimes.com/singapore/obike-ceases-operations-in-singapore-citing-difficulty-in-meeting-new-lta-regulations. [Accessed 6 August 2018]

[2] TODAYOnline. 2018. Experts flag concerns over handling of oBike customers’ personal data. [ONLINE] Available at https://www.todayonline.com/singapore/experts-flag-concerns-over-handling-obike-customers-personal-data. [Accessed 1 August 2018]