The Ninja Sensei’s Logbook: Disposing Of Personal Data The PDPA Compliant Way

Privacy Ninja
Aug 23, 2022

It’s understandably more convenient to just throw unwanted documents into the trash bin. Or if you choose to recycle discarded files, you’re doing the Earth a huge favour.

However, it’s a different scenario altogether when personal data is added into the mix. Organisations (especially in Singapore!) should never be complacent in disposing of documents with personal data as this could be a potential cause of a breach.

In other words, when any document containing personal data is disposed of improperly, there are still risks that such personal data could be shared with anyone.

What are the implications?

In Singapore, the PDPA applies when disposing of documents or electronic media containing personal data. Organisations that dispose of such data improperly could be made to pay a financial penalty of up to S$1,000,000. Aside from that, businesses could also face backlash and lose the trust of customers and potential clients.

Fortunately, we have ways to ensure that in disposing of documents, both on physical media and electronic ones, no personal data can be recovered.

First, a case study.

Maid Agency A decided to reuse its paper documents containing personal data. The pieces of paper were cut into smaller writable sizes, and the blank side served as notepads for employees. As a result, applicants occasionally got wind of other individuals’ personal data, such as client companies’ NRIC numbers, passports, etc.

Fortunately for the agency, they got off with only a warning and some directions from the PDPC. It could have been worse.

Disposing of personal data on physical media

In the disposal of personal data on physical media, organisations can opt to use methods such as shredding, burning, and pulping paper containing personal data.

Disposing of personal data on electronic media

On the other hand, to ensure proper destruction of electronic personal data, organisations can use software solutions that securely overwrite data, degaussing, or destruction of the medium.

Degaussing refers to the removal of magnetic fields using a machine, which destroys any magnetically recorded data. Destruction methods include shredding, crushing, or incineration of the electronic medium, so there is no risk of re-use or of the data being restored.

An organisation that outsources its processes should ensure that its contracts with third-party service providers contain the necessary terms and conditions so that the service providers follow the PDPA. It will also need to know how these service providers will get rid of the media and how the supply chain works further down the line.

Getting rid of data shouldn’t be taken lightly.

The process of getting rid of any document containing personal data needs to be well managed and controlled so that there is less chance of it being found and accidentally shared.

This post first appeared on Andy’s LinkedIn wall.