Pasoco ITSMF,SPMI-PDPA-140626-public


Description: A presentation to the Singapore chapters of PMI and ITSMF on the PDPA.

Transcript of Pasoco ITSMF,SPMI-PDPA-140626-public

Page: 1

Presentation Notes

Speaker: Paul Southern, Pasoco Pte Ltd

Content Manager: Paul Southern

Title of presentation: Singapore Personal Data Protection Act (PDPA): What you cannot miss in your IT systems and projects?

Name of Event: ITSMF Singapore Chapter

Location of Event: Singapore Management University, Administration Building, Function Room 4.1 - 4.2, 81 Victoria Street, Singapore 188065

Presentation date/time: Thursday 26 June 2014, 7pm

Length of presentation: 90 (plus Q&A)

Audience: Public, non NDA. ITSMF members, SPMI members, public.

Press Announcement: http://itsmf.org.sg/events/index.jsp

Host: Rashid Mohiuddin <[email protected]>

Page: 2

Page: 3

Intro

Page: 4

Paul Southern

• Nortel & Microsoft

• Startups: cloud, fintech, CDN, consulting

• PMP, IAPP

• Singapore PR, married, 2 children

Page: 5

Agenda

• An overview of the PDPA and the requirements it places on businesses

• Behavioral changes

• What it means for IT and PM

• Sample risk evaluation criteria & example compliance plans

• Where to get more info

• An opportunity for Q&A and knowledge sharing

Page: 6

Disclaimer, no warranty

The information contained in this presentation and statements are for general guidance and of interest only. There may be errors or omissions in information contained. All information is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied. The information is provided with the understanding that Pasoco are not herein engaged in rendering legal advice and services. While Pasoco has made every attempt to ensure that the information is reliable, Pasoco is not responsible for any errors or omissions, or for the results obtained from the use of this information. In no event will Pasoco be liable to you or anyone else for any decision made or action taken in reliance on the information or for any consequential, special or similar damages, even if advised of the possibility of such damages.

Page: 7

The PDPA

Page: 8

Super high-level

• Personal Data Protection Act
  • B2C, not B2B, C2C, G2x

• Places obligations/limitations on Organizations (B)

• Empowers Individuals (C) with limited rights

• Protects Individual’s personal data from disclosure

• Is fully in-force on Wed July 2, 00:00hrs

• Fines up to S$1 million !

Page: 9

Full name, NRIC SNNxxxxNN

Full name, NRIC SxxxxNNNN

Page: 10

Page: 11

The criminal world exploits PD

• Robust black market of
  • Email address
    • Spam-as-a-service, DIY botnets
  • Credit card, debit card info

• Cyber-crimes
  • Identity theft, cyber-stalking
  • Attack all, weakest succumb, eg: phishing
  • Many x small amounts

Page: 12

Overview, Background

• PDPA = Personal Data Protection Act, Singapore, 2012
  • Includes a DNC / Do not call provision

• Law, enacted 2012, effective 2014: 2 Jan (DNC, PDPC), 2 July (all)

• Overseen by the PDPC/Commission, under IDA

• Breach could result in fine and civil proceedings

• Is all-covering, complements sectoral legislation

• Purpose is (1) expected / required, (2) Singapore as a trusted business locale.

Page: 13

Overview, Background

• Approach: lite, pragmatic, business friendly, business-only

• Similar to other law, eg: OECD, Malaysia, EU, Japan, Philippines, etc…

• Article 29 WG endorsement, soon?

Page: 14

The parties

• Organization
  • Individual, company, association or body of persons (eg: MCST)
  • Singaporean or doing business here
  • Corporate or unincorporated
  • Staffed by employees or volunteers
  • Excludes government

• Person “Individual”
  • Everyone: citizen, PR, visitor, all persons in the world
  • Living or dead, any age
  • Prior to employment

• The Commission PDPC (Government)

Page: 15

PD (personal data)

• Anything about someone. When in doubt, it’s data!
  • Eg: name, gender, address, eddress, telephone, NRIC, attendance, loyalty card info, history, photograph, family, financial info, health info, biodata, preferences, employment info, CCTV capture, whereabouts, gamertag, IP address, etc….

• Needn’t be true data, eg: aliases are PD

• Can be in paper or electronic form

• NOT business contact information (BCI)

• Discrete/obfuscated but re-identifiable / aggregatable

Page: 16

9+1 Key Areas

Page: 17

9+1 key areas:

• Organizations:
  • Consent obligation (to collect, use, disclose)
  • Purpose limitation
  • Accuracy obligation
  • Retention limitation
  • Transfer limitation
  • Protection obligation
  • Openness obligation

• Individuals:
  • ‘Not consent’ right
  • Access, correction, withdrawal rights

• +1... The DNC
  • Organization’s DNC (do not call) obligation
  • Individual’s DNC (do not call me) right

Page: 18

1. Consent obligation

• Organization must obtain consent from Individual before collect, use, disclose PD

• Concomitant with Purpose Notification

• Also ‘Deemed Consent’

• Minors by parent

• Third party consent

• Inbound datasets: due diligence

• Some exceptions, eg: in emergency, publicly-available

Page: 19

2,3. Purpose limitation

• Concomitant with Consent

• Notified

• Must be sufficiently specified

• New purpose requires new consent

Page: 20

4. Access, Correction and Withdrawal rights

• Organization must provide an Individual access to his PD

• Includes what PD was used for (and who it was disclosed to) in last 12 months

• If Individual notifies his PD is incorrect, Organization must correct it

• Organization can exclude certain data, eg:
  • Staff management data
  • Evaluative data
  • Investigation data
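
The access right above is what an IT system must be able to answer: every use and disclosure of one Individual's PD in the trailing 12 months, minus the categories the Organization may withhold. The following is an added example, not code from the presentation or from Pasoco: it keeps a usage/disclosure log and builds the access response from it. The log layout, the 365-day window, the token used as subject key and the sample entries are all constructed for the example.

```python
"""Added example (not from the presentation): producing the response to an
access request from a usage/disclosure log. The PDPA point illustrated is
the 12-month look-back on uses and disclosures, and the categories an
Organization may withhold (staff management, evaluative, investigation).
Names, the log layout and the 365-day window are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Categories the slide lists as excludable from an access response.
WITHHELD_CATEGORIES = {"staff-management", "evaluative", "investigation"}


@dataclass(frozen=True)
class LogEntry:
    subject: str     # identifier of the Individual (here a constructed token)
    when: date
    action: str      # "use" or "disclose"
    purpose: str
    recipient: str   # who received the PD on a disclosure; "" for internal use
    category: str    # "general" or one of WITHHELD_CATEGORIES


def access_report(subject: str, log: List[LogEntry], today: date) -> Dict:
    """Uses and disclosures of one Individual's PD in the trailing 12 months,
    split into what is returned and the categories that were withheld, so the
    Organization can still state that something was withheld and why."""
    cutoff = today - timedelta(days=365)   # 12-month window (assumed as 365 days)
    uses, disclosures, withheld = [], [], []
    for e in log:
        if e.subject != subject or e.when < cutoff or e.when > today:
            continue
        if e.category in WITHHELD_CATEGORIES:
            withheld.append(e.category)
            continue
        if e.action == "disclose":
            disclosures.append({"date": e.when.isoformat(), "purpose": e.purpose,
                                "recipient": e.recipient})
        else:
            uses.append({"date": e.when.isoformat(), "purpose": e.purpose})
    return {"uses": uses, "disclosures": disclosures,
            "withheld": sorted(set(withheld))}


# Constructed sample log, not real data.
SAMPLE_LOG = [
    LogEntry("tok-1", date(2014, 5, 1), "use", "membership mailing", "", "general"),
    LogEntry("tok-1", date(2014, 3, 15), "disclose", "parcel delivery", "Courier Pte Ltd", "general"),
    LogEntry("tok-1", date(2013, 4, 1), "disclose", "marketing", "Ad Agency", "general"),
    LogEntry("tok-1", date(2014, 6, 1), "use", "promotion review", "", "evaluative"),
    LogEntry("tok-2", date(2014, 6, 1), "use", "billing", "", "general"),
]

if __name__ == "__main__":
    print(access_report("tok-1", SAMPLE_LOG, date(2014, 7, 2)))
```

Run as of 2 July 2014, the report for tok-1 lists one use and one disclosure (with the recipient named), drops the 2013 marketing disclosure as older than 12 months, and reports "evaluative" as a withheld category rather than silently omitting it.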

Page: 21

5. Accuracy obligation

• Organization must ensure its data is accurate

• Individual can request access, correction

Page: 22

6. Protection obligation

• Protection against disclosure

• Reasonable security arrangements
  • By administrative, physical, technical measures
  • Databases/XLSs, BYODs
  • Paper records

• “24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”

• Extends to Data Intermediaries

Page: 23

7. Retention Limitation

• When purpose completed (or not needed for legal/business purposes), cease to retain

• Archive, “just in case”, “for our history” is not ok

Page: 24

8. Transfer Limitation

• Transfer is about PD being sent to other countries.
  • Corporate server
  • SaaS applications
  • Googledocs, Dropbox, Skype, etc…

• Entity caring for PD must do so as well as the PDPA obligates (protection from disclosure).

Page: 25

9. Openness Obligation

• “Organisations are required to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA and to make information about their data protection policies and practices available”.

• Appoint a DPO (data protection officer)
  • BCI readily available
  • Committee

Page: 26

10. Do Not Call (DNC)

• In-force since Jan 2014

• Higher level of consent required (explicit)

• Contact via phone, text (SMS, Whatsapp, etc), fax – anything based on phone number

• Searchable, ie: check if number is registered, if not can call

• Excludes email

Page: 27

Special Considerations

Page: 28

Existing Data

• Existing PD = collected before 2 July 2014
  • If collected after, it’s new PD

• Collect: PDPA rules apply to new data

• Use:
  • Existing PD – can be used for “reasonable existing uses”
  • New – Consent required

• Disclose: PDPA applies to ALL data

• Access & Correction, Care: PDPA applies to ALL data

Page: 29

Publicly available data

• Using reasonable means

• Publicly available at collection… so if made private later it’s still ‘public’

• Data not intended to be made public

• Special considerations for photo/videography

• Eg: Facebook closed group that readily allows joiners

Page: 30

“Reasonable”

• Used 31 times in the Act !
  • 3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
  • (2) An organisation shall not (a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or…

• Subjective / Advisory Guidelines

Page: 31

Data Intermediaries

• An entity an Organization discloses PD to
  • “an [3rd party] organisation which processes personal data on behalf of another organisation…;”

• Closely related to Transfer Limitation
  • The Organization is responsible for the DI to meet PDPA requirements
  • For example:
    • Social Networks, Cloud computing systems, Ecommerce tools, SaaS applications, Content Delivery Networks, Payment gateway, CRM systems
    • Outsourced services: Recruitment, Payroll, Accounting, taxation, Market research, Warranty, Logistics, Billing, Event management

Page: 32

Transfer limitation

• Out of Singapore

• Requires contractual safeguards

• Required legal & technical diligence
  • Is other country’s PDP regime sufficient?
  • Is other party’s PDP policy/procedures sufficient?

• Some cloud-based SaaS apps claim PDPA compliance

• AWS, Azure, Google, Salesforce not explicit

Page: 33

Cookies

• PDPA not as strong as the EU’s Cookie Law (Consent required for Cookie use/storage)

• Cookies collecting (storing) data require Consent
  • Can be part of a Privacy Statement that is agreed to
  • Deemed, eg: form filling, session cookie
  • Not given when Cookies blocked. Eg: Persistent / 3rd Party Cookies

• Just because the user doesn’t block Cookies doesn’t mean they Consent !
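
The slide's cookie rules translate into a server-side decision taken before a response sets anything. The following is an added example, not code from the presentation or from Pasoco: a first-party session cookie needed to deliver what the user asked for is covered by deemed consent; a persistent or third-party cookie is set only against an explicit, un-withdrawn consent record naming its purpose; and a request that merely arrives without cookie blocking yields no consent at all. The cookie name `pdpa_consent`, the purpose labels and the header attributes are assumptions.

```python
"""Added example (not from the presentation): a server-side check that applies
the slide's consent rules before a response sets a cookie. A session cookie
needed to deliver what the user asked for is covered by deemed consent; a
persistent or third-party cookie needs an explicit, un-withdrawn consent
record naming its purpose; and "the user did not block cookies" is never
treated as consent. All names here are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CookieSpec:
    name: str
    purpose: str        # e.g. "session", "analytics", "advertising"
    persistent: bool    # outlives the browser session (Max-Age/Expires set)
    third_party: bool   # set on behalf of a domain other than the site's own


@dataclass
class ConsentRecord:
    """What the Individual explicitly agreed to, e.g. by accepting a privacy
    statement; withdrawal (a PDPA right) voids it for every purpose."""
    purposes: Set[str] = field(default_factory=set)
    withdrawn: bool = False

    def covers(self, purpose: str) -> bool:
        return not self.withdrawn and purpose in self.purposes


def consent_from_request(request_cookies: Dict[str, str]) -> Optional[ConsentRecord]:
    """Only an explicit consent cookie written after the user agreed counts.
    A request that simply carries no consent cookie yields None, whether or
    not the browser blocks cookies."""
    raw = request_cookies.get("pdpa_consent", "")   # hypothetical cookie name
    if not raw:
        return None
    return ConsentRecord(purposes={p for p in raw.split(",") if p})


def may_set_cookie(cookie: CookieSpec, consent: Optional[ConsentRecord]) -> bool:
    """Session-scoped first-party cookie: deemed consent. Anything persistent
    or third-party: explicit consent for that purpose, or it is not set."""
    if not cookie.persistent and not cookie.third_party:
        return True
    return consent is not None and consent.covers(cookie.purpose)


def set_cookie_headers(wanted: List[CookieSpec], values: Dict[str, str],
                       consent: Optional[ConsentRecord],
                       max_age: int = 30 * 24 * 3600) -> List[str]:
    """Set-Cookie header values for the cookies the response may set, with
    protective attributes (assumed defaults: Secure everywhere, HttpOnly on
    the session cookie, Max-Age only on persistent cookies)."""
    headers = []
    for cookie in wanted:
        if not may_set_cookie(cookie, consent):
            continue
        parts = [f"{cookie.name}={values[cookie.name]}", "Secure"]
        if not cookie.persistent and not cookie.third_party:
            parts.append("HttpOnly")
        if cookie.persistent:
            parts.append(f"Max-Age={max_age}")
        headers.append("; ".join(parts))
    return headers
```

With no consent record only the session cookie is emitted; once the user has agreed to "analytics", the persistent analytics cookie is emitted too, and withdrawing consent stops it again without touching the session cookie.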

Page: 34

Encryption, Anonymization

• Encrypted (or tokenized) data still protected even if breached (unless keys/tokens also breached)
  • Some of the most egregious breaches were unencrypted passwords

• Encryption on-the-wire or just in database?

• Anonymization keeps data in the clear but sterilized
  • Useful for analytics
  • Primary purpose irrelevant, since has no useful PD
  • Be careful of reconstitution

• PDPC’s recommendation for NRIC: S0XXXX45A
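
The masking, tokenization and reconstitution points on this slide fit into a few lines of code. The following is an added example, not code from the presentation or from Pasoco: `mask_nric` produces the S0XXXX45A shape the slide attributes to the PDPC; `tokenize_nric` builds a keyed pseudonym (HMAC-SHA256) that keeps records joinable for analytics while staying protected if the table leaks but the key does not; and `token_is_plain_hash` is the check a data steward can run on a dataset to confirm it was not pseudonymised with an unkeyed hash, which is reconstitutable because the NRIC space is small enough to hash every candidate value. The NRIC layout (one letter, seven digits, one letter), the 16-hex-character token length and all names are assumptions.

```python
"""Added example (not from the presentation): masking and keyed tokenization
of an NRIC number, illustrating the slide's points on tokenization,
anonymization and reconstitution. The NRIC layout (letter, seven digits,
letter), the token length and all names are assumptions."""
import hashlib
import hmac
import re
import secrets

NRIC_RE = re.compile(r"^[A-Z]\d{7}[A-Z]$")   # assumed NRIC shape


def _normalise(nric: str) -> str:
    nric = nric.strip().upper()
    if not NRIC_RE.match(nric):
        raise ValueError("not an NRIC-shaped value")
    return nric


def mask_nric(nric: str) -> str:
    """S1234567A -> S1XXXX67A: keep the prefix letter and first digit, replace
    the middle four digits with X, keep the last two digits and the checksum
    letter (the same shape as the slide's S0XXXX45A)."""
    nric = _normalise(nric)
    return nric[:2] + "XXXX" + nric[6:]


def new_token_key() -> bytes:
    """Random 256-bit key; store it apart from the tokenized dataset, since
    the token only stays protected while the key is not breached."""
    return secrets.token_bytes(32)


def tokenize_nric(nric: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): the same NRIC and key always
    give the same token, so tables can be joined for analytics, but without
    the key the token cannot be recomputed from a candidate NRIC."""
    return hmac.new(key, _normalise(nric).encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(nric: str) -> str:
    """Plain SHA-256 (truncated): a function of the NRIC alone, so anyone
    holding the table can recompute it for any NRIC they care to try."""
    return hashlib.sha256(_normalise(nric).encode()).hexdigest()[:16]


def token_is_plain_hash(token: str, known_nric: str) -> bool:
    """Reconstitution check for a data steward who knows one NRIC and the
    token stored for it: True means the dataset was pseudonymised without a
    key and should be treated as identifying PD, not as anonymized data."""
    return hmac.compare_digest(token, unkeyed_hash(known_nric))
```

The masked form is what goes on a receipt or a screen; the keyed token is what an analytics table holds in place of the NRIC; the plain hash is the pattern the check is there to catch.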

Page: 35

Behavioral changes

Page: 36

An IHL in Singapore

Page: 37

A hospital

Photo courtesy CIS – Centre for Internet Security, Australia

Page: 38

A clinic in Singapore

Page: 39

Full name, NRIC

A Custcare counter in Singapore

Page: 40

An event manager

Page: 41

A retailer in Singapore

Page: 42

NRIC as member number !

A retailer in Singapore

Page: 43

A law firm in Singapore

Page: 44

Change management

• Policy and procedure… but deeply rooted in culture and behaviour

• Levers: law, impacts, “do unto others…”

• Primes in departments, eg: cascaded DPO

• Data stewards, Data custodians

Page: 45

Data Steward

• Responsible for lifecycle

• Understanding governance policy, legal frameworks, 3rd party contracts

• Assigning data classification

• Assigning Data Custodian

• Approving standards and procedures related to day-to-day administrative and operational management

• Determining access criteria

• Oversight of Data Custodians

• Approving how data is stored, processed and transmitted

• Approving Data Intermediaries

• Defining risk tolerance and accepting or rejecting risk

Page: 46

Data Custodian

• Responsible for specific parts of lifecycle

• Documenting & reporting on day-to-day administrative and operational management

• Implementing appropriate physical and technical safeguards

• Provisioning and deprovisioning access

• Understanding how data is stored, processed and transmitted

• Oversight of Data Intermediaries

• Understanding & reporting risk

Page: 47

What the PDPA means…

Page: 48

To IT in general:

• Privacy (Law) is about governance and use, eg: policy & rules re collect/not, consent, retention, handling requests, etc...

• IT Security (Good practice) is about protection. Part of Data Privacy. Eg: the PDPA has one section on ‘protection’.

• Can have high security and no privacy.

• Must think not in tech terms but in behavior/people terms, individuals' rights, organizations' responsibilities.

• Security normally about IT systems, digital data. Privacy covers paper also.

• A good privacy team needs CISSP, CISM, CISA, etc

Page: 49

To Product managers & devs:

• Privacy by Design, www.privacybydesign.ca

• Similar to Microsoft’s TWC initiative

• 7 Foundational Principles
  • Proactive not Reactive; Preventative not Remedial: Anticipate and prevent
  • Privacy as the Default Setting
  • Privacy Embedded into Design: Core not add-on
  • Full Functionality: privacy AND security, not privacy OR security
  • End-to-End Security: Full Lifecycle Protection
  • Visibility and Transparency: verifiable, audited
  • Respect for User Privacy: Keep it User-Centric

Page: 50

For webmasters

• Scrub websites for old pages

• Editorial review for new

Page: 51

To Big Data:

• Big data’s treasure is in correlation, secondary use

• Consent is for primary use

• Obfuscation / anonymization important
  • Case: Netflix Prize’s data + IMDB ratings
  • Case: Massachusetts GIC + voter rolls

• 3rd party sources vetted?

• Growing push for ‘forward thinking’ PDP
  • Less focus on notice and choice, regulate use
  • Assessments of risks and harms
  • Oversight of user (Organization)
  • Ref Viktor Mayer-Schönberger, Oxford

Page: 52

To CIO:

• Risk of BYOD/CYOD

• Risk of BYOA

• MDM and group policy are required, kill switch

Page: 53

To PMs – managing projects

• DPO is a stakeholder

• Starting stage: GRC business processes

• Implementation stage:
  • Collect less PD
  • PDPA applies: Consent required for CUD, etc…
  • Staff candidate data is PD and/or Evaluative

• Closing stage: cleansing, anonymizing, destroying

Page: 54

To PMs – PDP is the project

• It’s a GRC program
  • Multiple projects, eg: risk evaluation, training material development
  • Change management

• Multiple parties:
  • IT
  • HR, HRD
  • Procurement
  • Business operations
  • Legal
  • Custcare
  • Insurance

Page: 55

Risk evaluation, Compliance plans

Page: 56

1. Governance

• Policy & Procedure

• Establish the DPO

• Complaint handling, whistleblower

• Audit powers

• Measurement

• Sectorial legislation

• Data Stewards, Data Custodians

Page: 57

2. Audit / inventory

• Who holds what PD?

• Why collected? Purpose

• How used? Consistent with Purpose?

• Protection, storage

• Sharing, transfer

Page: 58

3. Gap assessment

• Staff awareness

• Purpose notification

• Data intermediaries & Transfer

• Access and Correction

• Protection

• Retention and/or disposal

Page: 59

4. Staff / people

• Change of culture?

• Policies & Procedures

• Awareness & communications

• Training & support

• Workplace contracts, eg: Consent, background checks, NDA, discipline, rights to inspect

• Monitor, Audit & Report

Page: 60

More information

Page: 61

PDPC documents

• The Act (statutes online)

• Advisory Guidelines www.pdpc.gov
  • Key Concepts
  • Sectorial advice
    • Telecoms
    • Real estate
    • VWO
    • Healthcare
    • Education
    • Professional Photography

Page: 62

PDPC documents

• Sample Risk Assessment Questionnaire

• Email Q&A: [email protected]

Page: 63

Training

• PDPC’s workshop (1 day)

• WDA’s workshop (4 day)

• Formal certifications

Page: 64

Final thoughts

Page: 65

You as an Individual

• Register on DNC

• Who has (had) my PD?
  • Why? (Purpose limitation)
  • Do I want them to have it? Withdraw it!
  • What key do they use? My NRIC?
  • NRIC copy? Address or everything?

• My business card is BCI not PD
  • Even if it has PD on it, eg: Skypename
  • Unless it’s obviously not
  • Unless it’s collected at a business function

• Children & cyber-stalking/bullying
  • Social networks, pleaserobme

Page: 66

Future of PDP

• Poster boy culprits

• Insurance

• Harmonization of law

• Move to regulate use

Page: 67

Final thoughts

• Thank you Sing.gov & IDA

• "You have zero privacy anyway. Get over it.”

• Privacy assists security of our nation

Page: 68

Thank you