July 12, 2018

Do You Know What Happens to Your Personal Data When You Share It?

Personal data refers to any data about an individual that can be used to identify them. Information such as full name, passport number, NRIC, photograph, mobile number, residential address as well as personal email addresses can all be classified under personal data. But under certain circumstances, less obvious information such as account, policy or membership numbers, IP addresses or employee ID numbers could also be considered personal data. In Singapore, personal data is protected by the Personal Data Protection Act (PDPA).

In the age of digitilisation, it's not uncommon to share personal data with multiple organisations every day .For example, during online shopping full names, credit card numbers as well as residential addresses are shared, without hesitation. Another common example is filling out medical, banking or insurance forms. But what happens to your personal data after you've shared it?

Sadly, sharing personal data with people and organisations always comes at a risk. Online retailers are a goldmine of personal data and information, making them a popular target for data thieves. Personal information is highly valuable and can be used or sold on to other criminals as well as criminal organisations, giving them the access to manipulate the data for a wide variety of nefarious activities including money laundering and identity theft.

In the case of medical records, doctor’s offices can be broken into by perpetrators, or online systems can be compromised much like online retailers. What is surprising is often data is misplaced, stolen or sold by insiders within an organization, or even third parties working closely with them.

Under the PDPA in Singapore, you have the right to decide which organisations can collect your data, how it is used and whether it can be shared. At times, it might not even be necessary for you to provide your personal data for companies to provide their services to you. An organisation cannot force you to agree to the collection, use or disclosure of your personal data beyond what is reasonable to provide a product or service to you. You also have the right to tell an organisation to stop collecting, using or disclosing your personal data. Everyone has the responsibility to manage their personal data to avoid it from being misused, misplaced or stolen.

Organisations should implement effective safeguards to protect confidential and personal data against unlawful processing and disclosure. Some examples include:

IT controls including authentication processes, encryption, security software, and access controls;
Comprehensive policies and procedures for document management and retention;
Ongoing training to educate employees about appropriate handling and protection of sensitive data (the protection of data in all forms must be prioritised in and out of the workplace);
Embedded workplace procedures such as a Clean Desk Policy and a Shred-it All Policy;
Partnering with a document destruction expert for secure disposal of confidential information (secure shredding of paper documents and hard drives and electronic media).