Pasoco ITSMF,SPMI-PDPA-140626-public
A presentation to the Singapore chapters of PMI and ITSMF on the PDPA.

Published in: Law, Business
Transcript

  • 1. Presentation notes
    • Speaker: Paul Southern, Pasoco Pte Ltd
    • Content manager: Paul Southern
    • Title of presentation: Singapore Personal Data Protection Act (PDPA): What you cannot miss in your IT systems and projects?
    • Name of event: ITSMF Singapore Chapter
    • Location of event: Singapore Management University, Administration Building, Function Room 4.1 - 4.2, 81 Victoria Street, Singapore 188065
    • Presentation date/time: Thursday 26 June 2014, 7pm
    • Length of presentation: 90 minutes (plus Q&A)
    • Audience: Public, non-NDA. ITSMF members, SPMI members, public.
    • Press announcement: http://itsmf.org.sg/events/index.jsp
    • Host: Rashid Mohiuddin <rashid@itsmf.org.sg>
  • 2. (no slide text)
  • 3. Intro
  • 4. Paul Southern
    • Nortel & Microsoft
    • Startups: cloud, fintech, CDN, consulting
    • PMP, IAPP
    • Singapore PR, married, 2 children
  • 5. Agenda
    • An overview of the PDPA and the requirements it places on businesses
    • Behavioural changes
    • What it means for IT and PM
    • Sample risk evaluation criteria & example compliance plans
    • Where to get more info
    • An opportunity for Q&A and knowledge sharing
  • 6. Disclaimer, no warranty
    The information contained in this presentation and statements are for general guidance and of interest only. There may be errors or omissions in information contained. All information is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied. The information is provided with the understanding that Pasoco are not herein engaged in rendering legal advice and services. While Pasoco has made every attempt to ensure that the information is reliable, Pasoco is not responsible for any errors or omissions, or for the results obtained from the use of this information. In no event will Pasoco be liable to you or anyone else for any decision made or action taken in reliance on the information or for any consequential, special or similar damages, even if advised of the possibility of such damages.
  • 7. The PDPA
  • 8. Super high-level
    • Personal Data Protection Act
    • Applies B2C; not B2B, C2C or G2x (government)
    • Places obligations/limitations on Organizations (B)
    • Empowers Individuals (C) with limited rights
    • Protects an Individual's personal data from unauthorised disclosure
    • Fully in force from Wednesday 2 July 2014, 00:00 hrs
    • Financial penalties of up to S$1 million
  • 9. (image slide) Full name, NRIC SNNxxxxNN; Full name, NRIC SxxxxNNNN
  • 10. (no slide text)
  • 11. The criminal world exploits PD
    • Robust black market in:
      • Email addresses: spam-as-a-service, DIY botnets
      • Credit card, debit card info
    • Cyber-crimes: identity theft, cyber-stalking
    • Attack everyone, the weakest succumb, eg: phishing
    • Many × small amounts
  • 12. Overview, background
    • PDPA = Personal Data Protection Act, Singapore, 2012
    • Includes a DNC / Do Not Call provision
    • Law enacted 2012; PDPC established 2 Jan 2013; DNC provisions effective 2 Jan 2014; the remaining data protection provisions 2 July 2014
    • Overseen by the Personal Data Protection Commission (PDPC), under IDA
    • Breach could result in a fine and civil proceedings
    • Is baseline law covering all organisations; complements sectoral legislation
    • Purpose: (1) it is expected / required, (2) Singapore as a trusted business locale
  • 13. Overview, background
    • Approach: lite, pragmatic, business-friendly, business-only
    • Similar to other law, eg: OECD guidelines, Malaysia, EU, Japan, Philippines, etc.
    • Article 29 Working Party endorsement, soon?
  • 14. The parties
    • Organization
      • Individual, company, association or body of persons (eg: MCST)
      • Singaporean or doing business here
      • Corporate or unincorporated
      • Staffed by employees or volunteers
      • Excludes government
    • Person / "Individual"
      • Everyone: citizen, PR, visitor, all persons in the world
      • Living or dead, any age
      • Including prior to employment (job applicants)
    • The Commission: PDPC (Government)
  • 15. PD (personal data)
    • Anything about someone. When in doubt, it's personal data!
    • Eg: name, gender, address, email address, telephone, NRIC, attendance, loyalty card info, history, photograph, family, financial info, health info, biodata, preferences, employment info, CCTV capture, whereabouts, gamertag, IP address, etc.
    • Needn't be true data, eg: aliases are PD
    • Can be in paper or electronic form
    • NOT business contact information (BCI)
    • Discrete or obfuscated data is still PD if it can be re-identified or aggregated
  • 16. 9+1 key areas
  • 17. 9+1 key areas:
    • Organizations:
      • Consent obligation (to collect, use, disclose)
      • Purpose limitation
      • Accuracy obligation
      • Retention limitation
      • Transfer limitation
      • Protection obligation
      • Openness obligation
    • Individuals:
      • 'Not consent' right
      • Access, correction, withdrawal rights
    • +1: the DNC
      • Organization's DNC (do not call) obligation
      • Individual's DNC (do not call me) right
  • 18. 1. Consent obligation
    • Organization must obtain consent from the Individual before it collects, uses or discloses PD
    • Concomitant with purpose notification
    • Also 'deemed consent'
    • Minors: consent given by parent/guardian
    • Third-party consent
    • Inbound datasets (from third parties): due diligence
    • Some exceptions, eg: emergencies, publicly available data
  • 19. 2,3. Purpose limitation (and notification)
    • Concomitant with consent
    • Purpose must be notified
    • Must be sufficiently specified
    • A new purpose requires new consent
  • 20. 4. Access, correction and withdrawal rights
    • Organization must provide an Individual access to his PD
    • Includes what the PD was used for (and who it was disclosed to) in the last 12 months
    • If the Individual notifies that his PD is incorrect, the Organization must correct it
    • Organization can exclude certain data, eg:
      • Staff management data
      • Evaluative data
      • Investigation data
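Slides 18 to 20 imply two concrete controls in any system that holds PD: a use or disclosure must be refused when its purpose was never consented to (or consent was withdrawn), and every disclosure must be logged so that an access request ("what was my data used for, and who received it, in the last 12 months") can be answered from records rather than from memory. The following is an added illustration, not code from the presentation or from the PDPC; the class, method and field names (ConsentRegistry, disclose, access_report, the 365-day window) are assumptions chosen for the example, and the walk-through data is constructed.

```python
"""Purpose-bound consent registry with a disclosure ledger (added example).

Assumptions (not from the slides or the PDPC): the class/method names below,
a 365-day window for "last 12 months", and the constructed sample data in demo().
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


class ConsentRequired(Exception):
    """Raised when PD would be used or disclosed for a non-consented purpose."""


@dataclass(frozen=True)
class Disclosure:
    at: datetime
    purpose: str
    recipient: str          # data intermediary or other organisation


@dataclass
class Record:
    subject_id: str
    purposes: Set[str] = field(default_factory=set)        # currently consented purposes
    ledger: List[Disclosure] = field(default_factory=list)


class ConsentRegistry:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def _get(self, subject_id: str) -> Record:
        if subject_id not in self._records:
            self._records[subject_id] = Record(subject_id)
        return self._records[subject_id]

    def consent(self, subject_id: str, purpose: str) -> None:
        """Record consent for one notified purpose. A new purpose needs a new call."""
        self._get(subject_id).purposes.add(purpose)

    def withdraw(self, subject_id: str, purpose: str) -> None:
        """Withdrawal right: after this, disclose() for that purpose is refused."""
        self._get(subject_id).purposes.discard(purpose)

    def disclose(self, subject_id: str, purpose: str, recipient: str,
                 now: Optional[datetime] = None) -> Disclosure:
        """Gate every disclosure on purpose; append to the ledger only on success."""
        rec = self._get(subject_id)
        if purpose not in rec.purposes:
            raise ConsentRequired(f"{subject_id}: no consent for purpose {purpose!r}")
        entry = Disclosure(now or datetime.now(timezone.utc), purpose, recipient)
        rec.ledger.append(entry)
        return entry

    def access_report(self, subject_id: str,
                      now: Optional[datetime] = None) -> Dict[str, List[str]]:
        """Disclosures in the 12 months before `now`, grouped purpose -> recipients."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - timedelta(days=365)
        report: Dict[str, List[str]] = {}
        for d in self._get(subject_id).ledger:
            if cutoff <= d.at <= now:
                report.setdefault(d.purpose, []).append(d.recipient)
        return report


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: consent, disclose, refuse, withdraw, report."""
    t0 = datetime(2014, 7, 2, tzinfo=timezone.utc)          # PDPA fully in force
    reg = ConsentRegistry()
    reg.consent("cust-001", "order fulfilment")
    reg.disclose("cust-001", "order fulfilment", "LogisticsCo", now=t0)
    # An old disclosure, more than 12 months before the report date: not reported
    reg.disclose("cust-001", "order fulfilment", "ArchiveCo", now=t0 - timedelta(days=400))
    try:
        reg.disclose("cust-001", "marketing", "AdNetwork", now=t0)       # never consented
    except ConsentRequired:
        pass
    reg.withdraw("cust-001", "order fulfilment")
    try:
        reg.disclose("cust-001", "order fulfilment", "LogisticsCo", now=t0)  # withdrawn
    except ConsentRequired:
        pass
    return reg.access_report("cust-001", now=t0 + timedelta(days=30))


if __name__ == "__main__":
    print(demo())       # {'order fulfilment': ['LogisticsCo']}
```

The ledger is append-only and the purpose check sits in the one function that performs disclosures; putting the check anywhere else (in the UI, in a batch export script) is how the "new purpose, no new consent" gap opens in practice.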
  • 21. 5. Accuracy obligation
    • Organization must ensure its data is accurate
    • Individual can request access and correction
  • 22. 6. Protection obligation
    • Protection against unauthorised disclosure
    • Reasonable security arrangements
    • By administrative, physical and technical measures
    • Covers databases and spreadsheets, BYOD devices
    • Paper records too
    • Section 24: "An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."
    • Extends to data intermediaries
  • 23. 7. Retention limitation
    • When the purpose is completed (and the data is not needed for legal/business purposes), cease to retain it
    • Archiving "just in case" or "for our history" is not OK
  • 24. 8. Transfer limitation
    • Transfer is about PD being sent to other countries, eg:
      • Corporate servers overseas
      • SaaS applications
      • Google Docs, Dropbox, Skype, etc.
    • The entity receiving the PD must protect it to a standard comparable to what the PDPA obligates (protection from disclosure)
  • 25. 9. Openness obligation
    • "Organisations are required to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA and to make information about their data protection policies and practices available."
    • Appoint a DPO (data protection officer)
    • DPO's business contact information readily available
    • Committee
  • 26. 10. Do Not Call (DNC)
    • In force since Jan 2014
    • Higher level of consent required (explicit)
    • Covers contact via voice call, text (SMS, WhatsApp, etc.) and fax: anything addressed to a telephone number
    • Registry is searchable: check whether the number is registered; if not, you can call
    • Excludes email
  • 27. Special considerations
  • 28. Existing data
    • Existing PD = collected before 2 July 2014
    • If collected after, it's new PD
    • Collect: PDPA rules apply to new data
    • Use:
      • Existing PD can be used for "reasonable existing uses"
      • New PD: consent required
    • Disclose: PDPA applies to ALL data
    • Access & correction, care (protection): PDPA applies to ALL data
  • 29. Publicly available data
    • Collected using reasonable means
    • Publicly available at the time of collection, so if made private later it still counts as 'public'
    • Data not intended to be made public is not covered
    • Special considerations for photo/videography
    • Eg: a Facebook closed group that readily admits joiners
  • 30. "Reasonable"
    • Used 31 times in the Act!
    • Section 3: "The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances."
    • Section 14(2): "An organisation shall not (a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or..."
    • Subjective; see the PDPC's Advisory Guidelines
  • 31. Data intermediaries
    • An entity an Organization discloses PD to
    • "an [3rd party] organisation which processes personal data on behalf of another organisation...;"
    • Closely related to transfer limitation
    • The Organization is responsible for the DI meeting PDPA requirements
    • For example:
      • Social networks, cloud computing systems, e-commerce tools, SaaS applications, content delivery networks, payment gateways, CRM systems
      • Outsourced services: recruitment, payroll, accounting, taxation, market research, warranty, logistics, billing, event management
  • 32. Transfer limitation
    • Out of Singapore
    • Requires contractual safeguards
    • Requires legal & technical diligence:
      • Is the other country's PDP regime sufficient?
      • Are the other party's PDP policies/procedures sufficient?
    • Some cloud-based SaaS apps claim PDPA compliance
    • AWS, Azure, Google, Salesforce: not explicit
  • 33. Cookies
    • PDPA not as strong as the EU's Cookie Law (which requires consent for cookie use/storage)
    • Cookies that collect (store) PD require consent
    • Consent can be part of a privacy statement that the user agrees to
    • Deemed consent, eg: form filling, session cookies
    • Consent is not given for cookies the user has blocked, eg: persistent / third-party cookies
    • Just because the user doesn't block cookies doesn't mean they consent!
  • 34. Encryption, anonymization
    • Encrypted (or tokenized) data is still protected even if breached (unless the keys or the token mapping are also breached)
    • Some of the most egregious breaches involved passwords stored in the clear
    • Encryption on the wire, at rest in the database, or both? Encryption at rest protects backups and stolen media; it does not protect data read through the application's own database credentials
    • Anonymization keeps data in the clear but sterilized
      • Useful for analytics
      • Primary purpose irrelevant, since it contains no useful PD
      • Be careful of reconstitution (re-identification by combining datasets)
    • PDPC's recommendation for NRIC: S0XXXX45A
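The reconstitution warning on slide 34 (and the "re-identifiable / aggregatable" point on slide 15) is easiest to see with the NRIC itself. An NRIC is drawn from a small space, so a bare SHA-256 of it is not anonymisation: anyone holding the masked display form from one dataset and the "anonymised" hash from another can enumerate the hidden digits and test each guess. A keyed HMAC, with the key held outside the analytics dataset, gives the same joinability without that exposure. The code below is an added example, not from the presentation or the PDPC. It assumes the widely published NRIC checksum (weights 2,7,6,5,4,3,2 over the seven digits, mod 11, offset 4 for the T and G series) and uses S1234567D, the usual constructed test value, not a real person's number; the masking pattern follows the slide's S0XXXX45A style.

```python
"""Masking vs unkeyed hashing vs keyed pseudonymisation of an NRIC (added example).

Assumptions: the published NRIC checksum algorithm; S1234567D is a constructed
test value; the mask keeps prefix, first digit, last two digits and check letter.
"""
import hashlib
import hmac
import itertools
from typing import Optional

_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_ST = "JZIHGFEDCBA"   # check letter for remainder 0..10, S/T series
_CHECK_FG = "XWUTRQPNMLK"   # check letter for remainder 0..10, F/G series


def nric_check_letter(prefix: str, digits: str) -> str:
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS))
    if prefix in "TG":
        total += 4
    table = _CHECK_ST if prefix in "ST" else _CHECK_FG
    return table[total % 11]


def is_valid_nric(nric: str) -> bool:
    nric = nric.upper()
    if len(nric) != 9 or nric[0] not in "STFG" or not nric[1:8].isdigit():
        return False
    return nric_check_letter(nric[0], nric[1:8]) == nric[8]


def mask_nric(nric: str) -> str:
    """Display form in the slide's style (S0XXXX45A). Only 10^4 digit
    combinations are hidden, and the check letter still constrains them."""
    nric = nric.upper()
    return nric[0] + nric[1] + "XXXX" + nric[6:]


def unkeyed_hash(nric: str) -> str:
    """The common mistake: a bare SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(nric.upper().encode()).hexdigest()


def keyed_pseudonym(nric: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same input gives the same token (records
    stay joinable), but without the key a guess cannot be verified."""
    return hmac.new(key, nric.upper().encode(), hashlib.sha256).hexdigest()


def reconstitute(masked: str, digest: str, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: masked value from one source, digest from another.
    Enumerate the hidden digits, drop candidates the checksum rejects, and
    test each against the digest with the same function the defender used."""
    prefix, first, last2, check = masked[0], masked[1], masked[6:8], masked[8]
    for mid in itertools.product("0123456789", repeat=4):
        digits = first + "".join(mid) + last2
        if nric_check_letter(prefix, digits) != check:
            continue                    # checksum prunes roughly 10 of every 11 guesses
        candidate = prefix + digits + check
        got = keyed_pseudonym(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(got, digest):
            return candidate
    return None


if __name__ == "__main__":
    sample = "S1234567D"
    masked = mask_nric(sample)
    print(masked, reconstitute(masked, unkeyed_hash(sample)))     # S1XXXX67D S1234567D
    key = b"constructed-demo-key"                                 # kept out of the dataset
    print(reconstitute(masked, keyed_pseudonym(sample, key)))     # None
```

Even without the masked value, the whole S-series space is about ten million candidates, which a laptop hashes in seconds; the mask only makes the point visible in a single run. The HMAC key, not the hash function, is what carries the protection, so it belongs with the keys the slide already says must not be breached alongside the data.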
  • 35. Behavioural changes
  • 36. An IHL (institute of higher learning) in Singapore
  • 37. A hospital (photo courtesy CIS – Centre for Internet Security, Australia)
  • 38. A clinic in Singapore
  • 39. A customer-care counter in Singapore (full name and NRIC visible)
  • 40. An event manager
  • 41. A retailer in Singapore
  • 42. A retailer in Singapore: NRIC used as member number!
  • 43. A law firm in Singapore
  • 44. Change management
    • Policy and procedure, but deeply rooted in culture and behaviour
    • Levers: law, impacts, "do unto others..."
    • Primes in departments, eg: cascaded DPO
    • Data stewards, data custodians
  • 45. Data steward
    • Responsible for the lifecycle
    • Understanding governance policy, legal frameworks, 3rd-party contracts
    • Assigning data classification
    • Assigning the data custodian
    • Approving standards and procedures related to day-to-day administrative and operational management
    • Determining access criteria
    • Oversight of data custodians
    • Approving how data is stored, processed and transmitted
    • Approving data intermediaries
    • Defining risk tolerance and accepting or rejecting risk
  • 46. Data custodian
    • Responsible for specific parts of the lifecycle
    • Documenting & reporting on day-to-day administrative and operational management
    • Implementing appropriate physical and technical safeguards
    • Provisioning and deprovisioning access
    • Understanding how data is stored, processed and transmitted
    • Oversight of data intermediaries
    • Understanding & reporting risk
  • 47. What the PDPA means...
  • 48. To IT in general:
    • Privacy (law) is about governance and use, eg: policy & rules on whether to collect, consent, retention, handling requests, etc.
    • IT security (good practice) is about protection. It is one part of data privacy, eg: the PDPA has one section on 'protection'.
    • You can have high security and no privacy.
    • Must think not in tech terms but in behaviour/people terms: individuals' rights, organizations' responsibilities.
    • Security is normally about IT systems and digital data. Privacy covers paper also.
    • A good privacy team needs CISSP, CISM, CISA, etc.
  • 49. To product managers & devs:
    • Privacy by Design, www.privacybydesign.ca
    • Similar to Microsoft's Trustworthy Computing (TWC) initiative
    • 7 foundational principles:
      • Proactive not reactive; preventative not remedial: anticipate and prevent
      • Privacy as the default setting
      • Privacy embedded into design: core, not add-on
      • Full functionality: privacy AND security, not privacy OR security
      • End-to-end security: full lifecycle protection
      • Visibility and transparency: verifiable, audited
      • Respect for user privacy: keep it user-centric
  • 50. For webmasters
    • Scrub websites for old pages
    • Editorial review for new pages
  • 51. To big data:
    • Big data's treasure is in correlation, ie: secondary use
    • Consent is for the primary use
    • Obfuscation / anonymization important
    • Case: Netflix Prize data + IMDb ratings
    • Case: Massachusetts GIC + voter rolls
    • 3rd-party sources vetted?
    • Growing push for 'forward thinking' PDP:
      • Less focus on notice and choice, regulate use
      • Assessments of risks and harms
      • Oversight of the user (Organization)
    • Ref: Viktor Mayer-Schönberger, Oxford
  • 52. To CIOs:
    • Risk of BYOD/CYOD
    • Risk of BYOA (bring your own app)
    • MDM and group policy are required, plus a remote-wipe kill switch
  • 53. To PMs: managing projects
    • DPO is a stakeholder
    • Starting stage: GRC business processes
    • Implementation stage:
      • Collect less PD
      • PDPA applies: consent required to collect, use, disclose, etc.
      • Staff candidate data is PD and/or evaluative data
    • Closing stage: cleansing, anonymizing, destroying
  • 54. To PMs: PDP is the project
    • It's a GRC programme
    • Multiple projects, eg: risk evaluation, training material development
    • Change management
    • Multiple parties:
      • IT
      • HR, HRD
      • Procurement
      • Business operations
      • Legal
      • Customer care
      • Insurance
  • 55. Risk evaluation, compliance plans
  • 56. 1. Governance
    • Policy & procedure
    • Establish the DPO
    • Complaint handling, whistleblower channel
    • Audit powers
    • Measurement
    • Sectoral legislation
    • Data stewards, data custodians
  • 57. 2. Audit / inventory
    • Who holds what PD?
    • Why was it collected? Purpose
    • How is it used? Consistent with purpose?
    • Protection, storage
    • Sharing, transfer
  • 58. 3. Gap assessment
    • Staff awareness
    • Purpose notification
    • Data intermediaries & transfer
    • Access and correction
    • Protection
    • Retention and/or disposal
  • 59. 4. Staff / people
    • Change of culture?
    • Policies & procedures
    • Awareness & communications
    • Training & support
    • Workplace contracts, eg: consent, background checks, NDA, discipline, rights to inspect
    • Monitor, audit & report
  • 60. More information
  • 61. PDPC documents
    • The Act (Singapore Statutes Online)
    • Advisory Guidelines, www.pdpc.gov.sg:
      • Key concepts
      • Sectoral advice: telecoms, real estate, VWOs (voluntary welfare organisations), healthcare, education, professional photography
  • 62. PDPC documents
    • Sample risk assessment questionnaire
    • Email Q&A: info@pdpc.gov.sg
  • 63. Training
    • PDPC's workshop (1 day)
    • WDA's workshop (4 days)
    • Formal certifications
  • 64. Final thoughts
  • 65. You as an Individual
    • Register on the DNC registry
    • Who has (had) my PD?
    • Why? (Purpose limitation)
    • Do I want them to have it? Withdraw it!
    • What key do they use? My NRIC?
    • NRIC copy? Address, or everything?
    • My business card is BCI, not PD
      • Even if it has PD on it, eg: Skype name
      • Unless it's obviously not
      • Unless it's collected at a business function
    • Children & cyber-stalking/bullying
    • Social networks, pleaserobme
  • 66. Future of PDP
    • Poster-boy culprits
    • Insurance
    • Harmonization of law
    • Move to regulate use
  • 67. Final thoughts
    • Thank you Sing.gov & IDA :)
    • "You have zero privacy anyway. Get over it." (Scott McNealy)
    • Privacy assists the security of our nation
  • 68. Thank you
