Complying with Singapore Personal Data Protection Act - A Practical Guide
March 2014
The Singapore Personal Data Protection Act (PDPA), effective January 2013, obliges
organizations to take specific responsibilities regarding the protection of personal
information. These responsibilities concern the collection, accuracy, protection and
disclosure of personal information and can significantly impact an organization’s handling of
personal information and data. This white paper outlines the data protection requirements
under the PDPA, and provides information on available solutions to address the
requirements, with a focus on Microsoft-specific security and privacy technologies. We also
discuss several process-driven and technology-enabled approaches that emphasize the
importance of IT management in supporting organizations to comply with their PDPA obligations.
The views discussed in this white paper are jointly presented by Protiviti and Microsoft. The
focus is on management awareness, roles and responsibilities, data mapping, data flow,
personal data management processes, and risk assessment and analysis to implement an
organization’s compliance program. We will present a Microsoft data governance and
access control framework that includes five key elements for the management and
protection of personal data: Secure Infrastructure; Identity and Access Control; Data
Encryption; Document Protection; and Auditing and Reporting. For each of these five
elements, we discuss appropriate tools and technologies developed by Microsoft and
applicable to Microsoft systems.
We conclude by encouraging organizations seeking to comply with the PDPA to engage
their IT departments actively in the process and to partner with external experts where
applicable to develop a process that would address the risks inherent in compliance-related
implementation. Organizations should also deploy relevant tools, technologies, and products
to automate control over private information as much as possible and ensure organization-
wide consistency in how personal information is handled and managed.
All rights, products, company names, brand names, trademarks and logos are the property of their respective
owners. This document is provided "as-is." Information and views expressed in this document, including URL and
other Internet website references, may change without notice. You bear the risk of using it. This document does
not provide you with any legal rights to any intellectual property in any product. You may copy and use this
document for your internal, reference purposes.
The nature of technology today allows for an increasing volume of personal data to be
captured, stored, and processed with great ease. The wide availability of personal
information – whether employee, visitor, customer or contractor – provides opportunities for
companies to increase productivity and improve their marketing. At the same time, the
advancement of technology also calls for greater responsibility in managing and protecting
The enactment of the PDPA in January 2013 tasks organizations that process personal data
with new responsibilities for protecting personal information. Because of the technology-
driven nature of businesses, IT management will be required to play an important role and
support the efforts by organizations to meet their obligations under the PDPA.
The PDPA governs the consent, purpose, reasonableness of collection, use, disclosure and
care of individuals’ personal data by organizations. Figure 1 summarizes both data
protection and Do-Not-Call (DNC) provisions of the PDPA. The DNC provisions have been in force since
January 2014, and the deadline for complying with the data protection provisions is July 2,
Figure 1: The Data Protection and DNC Provisions of PDPA
Data Protection Provisions – Nine Obligations
Figure 2 below outlines the PDPA’s nine obligations for organizations that own and process
personal data. The obligations apply to data stored in both electronic and physical forms.
Figure 2: The Nine Obligations of PDPA
Impact of PDPA on Organizations
Complying with the PDPA is a legal requirement for organizations. In January 2013, the
Personal Data Protection Commission (PDPC) was set up to administer and enforce the
PDPA. Apart from undertaking promotional and outreach activities, the PDPC is empowered
to conduct investigations – upon complaint or on its own accord – to establish whether an
organization is complying with all nine PDPA obligations.
If the PDPC finds that an organization is in breach of any of the data protection provisions of
the PDPA, it can direct the organization to rectify the breach with a specific action such as
ceasing to collect, correcting, or removing the affected personal data, and it can also impose
a financial penalty on the organization of up to S$1 million. Any person found to have
violated the provisions, knowingly or otherwise, may be subject to a fine not exceeding
S$5,000 or to imprisonment for up to 12 months or both.
If the breach consists of authorizing sales and marketing messages to individuals on the
Singapore Do Not Call registry, in the form of voice calls, text or fax, the organization can be
found to have contravened the DNC (Do Not Call) provisions of the PDPA and can be liable,
upon conviction, for fines of up to S$10,000 for each offense.
How IT Management Can Support the PDPA Obligations
Some organizations may act quickly to address personal data protection at the operational
level but have only a limited idea of how to engage with IT management to meet the PDPA
obligations. IT management needs to engage and support the data protection officer (DPO)
and business users in achieving, maintaining and monitoring PDPA compliance.
To do so, IT management first needs to understand the key data protection program
milestones and devise the correct engagement strategy. The following sections discuss
these milestones in detail.
Milestone 1: Management Awareness and Support for Data Protection
Leading practices for Personal Data Protection (PDP) programs begin with an
awareness-creation session for the organization’s senior management. Once awareness
is created, management should decide on the roles and responsibilities of the DPO
necessary to support the organization in its compliance with the PDPA. The DPO may
establish a task force to enable effective execution of the PDP program. For the program to
be successful, it is imperative that IT management be involved as a member of this task
Milestone 2: Identify Different Roles and Responsibilities in Data Protection
IT management should understand the roles and responsibilities of the various parties in the
task force. Table 1 below suggests how IT could be involved in the various roles and
responsibilities for data protection. Microsoft has developed a technology framework for data
governance and access control which provides a flexible and comprehensive approach to
managing and protecting personal data. It consists of five key elements, all of which are
necessary to protect and manage personal data responsibly in a distributed device and
computing infrastructure. The five key elements are: Secure Infrastructure, Identity and
Access Control, Data Encryption, Document Protection, Auditing and Reporting. These
elements will be further explained in the later sections of this paper. The data protection
roles and responsibilities to be considered for each of the five key elements in this
framework are presented in Table 1 below.
The roles and responsibilities are denoted by their initials, following these definitions:
- Responsible (R) – Party responsible for performing the process
- Accountable (A) – Party accountable and contactable regarding the decision and process effectiveness
- Contributing (or Consulted) (C) – Party providing information and/or advice needed to make the process
- Informed (I) – Party concerned or dependent upon the information that is managed by this process
Table 1: The Data Protection Roles & Responsibilities Mapping To Microsoft Technology Framework
Data Protection Roles and Responsibilities
Framework for Data
Governance and Access

    Refers to an organization's management (person or team) that is accountable to comply with the PDPA obligations over personal data.
    R/A/C/I across the five framework elements: A A A A A

    A Data Protection Officer is an individual or individuals responsible for ensuring that the organization complies with the PDPA, including the implementation of personal data protection policies within the organization. The business contact information of at least one DPO should be made available to the public. Compliance with the PDPA remains the responsibility of the
    R/A/C/I across the five framework elements: I R C I R

Data Controller
    A Data Controller is the person who determines (alone or jointly with others) the purpose and manner in which any personal data is, or is going to be, processed.
    R/A/C/I across the five framework elements: I R I R I

Data Processor
    A Data Processor, in relation to personal data, is any person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.
    R/A/C/I across the five framework elements: I R R R I

Data Subject
    A Data Subject is an individual whose personal data is in the control of the organization.
    R/A/C/I across the five framework elements: - - I I I

Data Intermediary
    A Data Intermediary is a person or persons who may be contracted to use or process personal data on behalf of the organization. A Data Intermediary is any person/organization other than the Data Subject, the Data Controller, Data Processor or any other person authorized to use and/or process data for the Data Controller or
    R/A/C/I across the five framework elements: I R R R I

Milestone 3: Complete Personal Data Inventory Map and Data Flow Diagrams
After understanding the roles and responsibilities of the different parties involved in data
protection, the next step is to create a personal data inventory map. The data inventory map
includes possible record classifications and record types organized by business function.
The DPO will work with the respective data controllers to determine which record types are
in-scope for PDPA purposes and should be included in the company’s PDP program. IT
management should be instrumental in defining and completing the data inventory map. IT
should work with the DPO and other task force members to develop an in-depth
understanding of the organization’s personal data and corresponding application
A personal data inventory map may include the attributes highlighted in Table 2:
Table 2: Personal Data Inventory Map Attributes
Data Inventory Attributes Description

Record Class
    Record Class classifies data by the business function. ADM (Administration), HUM (Human Resource), and FIN (Finance) are possible examples of Record Classes.

Record Class Name
    A Record Class Name indicates the specific information type that belongs to the record class. For example, the record class ADM would have a record class name “Internal Services” that could be described as: “Records related to internal support provided to the organization’s personnel, including services and products. Also includes records related to the procurement of travel services, transportation, and lodging. These records document the extent and purpose of travel undertaken by employees on Company business, and include trip itineraries and copies

Content Type
    The Content Type provides the specific document name or attributes. The record class name “Internal Services” may include:
    - Transport Ticket Copies

PDPA In-Scope (Y/N)
    Content type is either PDPA in-scope or not in-scope. The Data Controller would determine this.

The data inventory map could be further customized for those records indicated as PDPA in-
scope. For instance, the DPO and Data Controller could identify and document the
associated purpose, policies, guidelines, and even retention requirements for each of the
PDPA in-scope records.
Leading practices in the area of data protection also recommend the use of a data flow
diagram for each of the PDPA in-scope content types. Data flow diagrams give DPOs and
the data controller better visibility of the personal data source, points of collection, the data
owners, controllers and processors, as well as how the data is kept and secured on which IT
server/application. A sample data flow diagram may involve the details presented in Figure
3. Similar tools and references are available to Protiviti KnowledgeLeader®
Figure 3: Sample Personal Data Flow Diagram
Upon understanding the data inventory map and data flow diagram, IT management could
assist the DPO and data controller to classify personal data that resides in the identified IT
servers and applications. The five elements of the Microsoft technology framework for data
governance and access control provided in this paper could be considered for each of the IT
servers and applications identified.
IT management could consider established IT security standards and leading practices such
as ISO 27001 for data classification. Table 3 provides extracts from ISO
27001 specific to data classification controls that the DPO and IT could evaluate across ISO
27001 suggested elements: Business Policies; Business Processes; People and
Organization; Management Reports; Methodologies; Systems and Data.
Table 3: ISO 27001 Control Objectives and Control Attributes

ISO 27001 Control Objectives
    Section 7.2: Information
    To ensure that information receives an appropriate level of protection.

Suggested Control Attributes
    Classification Guidelines: Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization. Control attributes include:
    - A security classification scheme for major assets
    - Security classification scheme is formalized
    - Security classification includes value, legal requirements, sensitivity and criticality to the organization

    Information Labeling and Handling: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization. Control attributes include:
    - Procedures are implemented for the labeling and handling of information/assets that require security protection
    - Procedures are regularly reviewed and updated
    - Procedures consider identification (labeling) of electronic and physical sensitive/critical assets

Milestone 4: Establish the Personal Data Management Process
The DPO is also required to establish a set of procedures to support the PDPA obligations.
To facilitate the personal data management process, Protiviti developed the Personal Data
Protection (PDP) Process Classification Scheme (PCS). This scheme helps organize
required PDP practices according to relevant processes, and defines the areas that should
be addressed for each of the nine obligations. Identifying each PDP practice as a set of
defined processes or sub-processes helps promote a common language and provides a
“roadmap” to help identify process-related risks and potential controls that may be applicable
in compliance with the PDPA. A sample of the Protiviti PCS meeting the Consent, Purpose,
Notification and Protect obligations of the PDPA is illustrated in Figure 4.
Figure 4: Sample of Personal Data Management Process Classification Scheme
The PCS is not an all-inclusive list of existing PDP processes. The Protiviti PCS (processes
and associated sub-processes) needs to be customized to fit the facts, circumstances and
culture of the organization. IT management could, however, understand the major process
activities and areas to identify necessary IT platform attributes for personal data protection
Milestone 5: Assessment and Gap Analysis
With the data inventory map, data flow diagrams and processes designed, it is necessary to
conduct an initial assessment over these areas to identify gaps and improvement
opportunities. Protiviti’s assessment approach considers the PDPA requirements in the
context of the Generally Accepted Privacy Principles (GAPP). The objective is to enable the
Management/Sponsor to determine whether the company has defined and is managing
personal data following the PDPA guidelines. As part of this assessment (see Figure 5),
interviews with staff in different data protection roles and responsibilities are conducted to
identify improvement opportunities.
Figure 5: Sample of Assessment and Gap Analysis Report
Each of the milestones discussed above concerns specific IT platforms and management
considerations to support the protection and management of personal data. However,
attempting to address every IT platform with its own unique attributes can be expensive and
time-consuming. A more effective approach is to complement the program with a technology
framework for managing and protecting personal data. The five elements of the Microsoft
technology framework for data governance and access control discussed in the next section
could be considered to support the improvement opportunities and action plans.
A Technology Framework for Data Governance and Access Control
Microsoft has developed a technology framework for data governance and access control
that provides a flexible and comprehensive approach to managing and protecting personal
data. It consists of five key elements, all of which are necessary to protect and manage
personal data responsibly in a distributed device and computing infrastructure. The five
elements are described in Table 4.
Table 4: Microsoft Technology Framework for Data Governance and Access Control
Key Elements Description

Secure Infrastructure
    Safeguards that help protect against malware, intrusions and unauthorized access to personal information, and protect systems from

Identity and Access Control
    Systems that help protect personal information from unauthorized access or use, and provide management controls for identity access

Data Encryption
    Safeguards that help protect sensitive personal information by converting data into incomprehensible code that requires a “key” for decoding, with the key held by an authorized recipient.

Document Protection
    Protection of personal information stored in a document throughout its entire life cycle via digital signature, encryption, and file validation.

Auditing and Reporting
    Monitoring the integrity of systems and data in compliance with

The following sections describe some of the products and technologies Microsoft provides
for each of the five elements of the technology framework listed above.
Secure Infrastructure
The growing importance of information technologies to the way we work underscores the
need to secure the underlying infrastructure as much as possible. Fundamentally,
safeguarding and managing personally identifiable information (PII) depends on a secure
infrastructure that protects against malicious software and hacker intrusions. Table 5
describes a number of Microsoft products and technologies which could help provide a
Table 5: Secure Infrastructure - Products and Technologies
Product or Technology Description

Windows Client Security Technologies

    A host-based firewall controls access to inbound and outbound

    This feature enables Windows computers to automatically update the operating system with the latest security updates.

User Account Control (UAC)
    This technology allows users to run with the least-required privilege and help prevent malware from installing in the background without the user’s knowledge. UAC presents an obstacle to non-UAC aware malware.

    Windows services are designed and configured to run with the least-required privilege, reducing the harm that can be done by a compromised service.

Kernel Patch Protection
    This technology helps prevent malware from making alterations to the operating system kernel, which helps prevent installation and execution of

    An anti-malware, anti-virus application in Windows 8/8.1 that helps prevent the installation and execution of spyware and other unwanted software. Windows Security Essential was the equivalent software for earlier versions

Network Access Protection
    A network-access control solution which helps prevent unapproved client and server systems from connecting to network resources.

USB and Removable
    A hardware control system enables administrators to block access to USBs and other removable devices.

    A flexible, easy-to-administer mechanism that allows IT to specify what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be

    A technology that helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7/8 file and system protections or performing offline viewing of the files stored on the

    A security standard developed by members of the PC industry to help make sure that PC/server boots using only firmware that is trusted by the PC manufacturer. Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, and Windows Server 2012 support this technology.

System Center Endpoint
    A technology that uses the monitoring and deployment capabilities of System Center Configuration Manager (SCCM) to streamline the deployment of antimalware definitions and uses SCCM to provide an in-console monitoring solution. You can also use Endpoint Protection to configure Windows Firewall settings on computers in the enterprise.

Microsoft Server Security Technologies

Fundamental Server Security
    These fundamental security elements work together to define trusted users, servers, connections, and operations to help provide a secure foundation for Microsoft server products such as Windows Server, SQL Server, SharePoint, Dynamics CRM/AX, Lync, etc.
    - Active Directory Domain Services integration
    - Role-based access control
    - Public Key Infrastructure
    - TLS, HTTPS, MTLS support
    - Industry standard protocol for authentication

    Security features provided by Windows PowerShell that are enabled by default so that users cannot easily or unknowingly run scripts

Exchange Server 2013 Data
    Performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to help detect content that violates organizational DLP policies.

SQL Server Security Labeling
    Provides fine-grained access control at the row and cell level of database

System Center Data Protection Manager (DPM)
    Enables disk-based and tape-based data protection and recovery for servers such as SQL Server, Exchange Server, SharePoint, virtual servers, file servers, and support for Windows desktops and laptops. DPM can also centrally manage system state and Bare Metal Recovery (BMR).

    Features and methods introduced in Windows Server 2012 R2 and Windows 8.1 for credential protection and domain authentication controls to reduce

Windows Phone Security Technologies

Embedded Trusted Platform Module (TPM) 2.0 Chip
    The TPM chip protects encryption keys, contains a crypto processing engine, and is a foundational element of a secure boot chain.

Unified Extensible Firmware Interface (UEFI) Secure Boot
    In a UEFI Secure Boot process the firmware, the bootloader, the kernel and kernel extensions, are all cryptographically signed. This makes it easy to detect when any of these layers has been tampered with.

Integrated Information Rights
    The built-in IRM could help prevent authenticated users on a trusted device from sharing data with unintended parties, willingly or unwillingly.

Device locking and BitLocker
    Windows Phone supports alpha-numeric and complex passwords for device-locking. It also supports the same BitLocker technology used in Windows 7/8 client to encrypt the data on the phone.

Crypto signing from OS kernel to the apps
    The entire OS and every app on the system are code-signed to establish a chain of trust from the hardware all the way up.

Local/Remote device wipe
    Local device wipe occurs after a specified number of incorrect login attempts. Remote device wipe erases data and helps to prevent unauthorized use.

Identity and Access Control
To reduce the risk of a deliberate or accidental data breach, and to help organizations
meet PDPA compliance requirements, Microsoft offers identity and access control
technologies that help protect PII from unauthorized access, while facilitating its availability
to legitimate users.
Table 6 describes a number of Microsoft products and technologies that could help meet
identity and access control challenges in a distributed computing environment.
Table 6: Identity and Access Control - Products and Technologies
Product or Technology Description

    A centralized database of user and machine accounts enables centralized management of machines and users within the organization.

Active Directory Federation
    This technology enables federation of multiple Windows domains, which streamlines management and control of partner access to corporate

Forefront Identity Manager
    The technology provides self-service identity management for users, automated lifecycle management across heterogeneous platforms for administrators, and a rich policy framework for enforcing corporate security policies and detailed audit capabilities.

Windows Smart Card Support
    This technology enables two-factor authentication for user logon and data access for Windows clients.

Exchange Server support for
    Two-factor authentication requires two methods to gain access to resources. Typically users provide a physical card or token and a PIN to access authorized resources.

Dynamic Access Control
    In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. It enables data classification, central access policy definition and auditing, and automatic rights management protection.

Data Encryption
Supported by strong identity and access controls, data encryption can help safeguard
information that is stored in databases, on mobile devices, laptops and desktop computers,
or transferred via email, across the Internet or other non-trusted networks. Encryption used
to secure storage, transmission and disposal of sensitive information greatly reduces the risk
of a harmful data breach by an intruder or hacker break-in, or from a lost or stolen computer
or mobile device. Table 7 describes a number of Microsoft products and technologies that
support data encryption in a distributed computing scenario.
Table 7: Data Encryption - Products and Technologies
Product or Technology Description

Encrypting File System (EFS)
    EFS encrypts disk data on a per-file or per-folder basis.

    This technology helps prevent offline and other attacks against the disk data by encrypting all data on the system disk volume.

Virtual Private Networking
    This encryption and network access control technology can be used to control access to servers and encrypt data over the network.

Exchange Server support for
    Encrypted email helps prevent unauthorized persons from reading or capturing email in transit.

SQL Server Transparent Data
    TDE causes the data and log files (and full-text catalogs, if present) to be encrypted on disk. The encryption occurs transparently as data moves through the SQL Server’s IO buffers, so no complicated setup is required and the encryption is all-encompassing for the encrypted database.

Document Protection
Rights Management tools help assure document protection. These technologies can be
applied to desktop productivity, email and line-of-business applications to help safeguard
information and control how information is used, through “persistent protection” that extends
throughout the life of the document. They also help prevent sensitive data such as PII or
confidential email messages from getting into the wrong hands, intentionally or accidentally.
Table 8 describes a number of Microsoft products and technologies that could help protect
documents in a distributed environment.
Table 8: Document Protection - Products and Technologies
Product or Technology Description

Rights Management Services
    A collection of technologies controls which users can access documents and what they can do with those documents. They can be integrated with SharePoint and Exchange servers for strong document/mail access control and auditing.

Support for XrML/XPS
    XrML is a technology that enables rights management controls for virtually any type of document. XPS is a document format that enables strong access controls based on Rights Management Services.

Exchange Server Ethical
    This policy-based solution enables organizations to control what content is allowed through the email channel. It can be implemented via transport rules on Hub Transport servers.

Office file encryption
    Office 2013, in addition to maintaining support for Cryptography API (CryptoAPI), also includes support for CNG (CryptoAPI: Next Generation). CNG allows for more agile encryption, where encryption and hashing algorithms that are supported on the host computer can be specified for use during the document encryption process. CNG also allows for better extensibility encryption, where third-party encryption modules can be

Office file digital signature
    Users can digitally sign an Office 2013 Excel, PowerPoint, or Word document for many of the same reasons that they might place a handwritten signature on a paper document. A digital signature is used to help authenticate the identity of the creator of digital information, such as documents, email messages, and macros, by using cryptographic

Office file validation
    A security feature in Office 2013 that helps prevent file format attacks by scanning Office binary file formats before they are opened in Excel 2013, PowerPoint 2013, or Word 2013.

Auditing and Reporting
Compliance with internal policies, government regulations, and consumer demands for
better control over PII requires the use of monitoring technologies to assist organizations
with audit and reporting related to data, systems and applications. Systems management
and monitoring technologies can help verify that system and data access controls are
operating effectively, and identify suspicious or noncompliant activities.
Table 9 describes a number of Microsoft products and technologies that could help with audit and
reporting tasks for data protection and incident investigation.
Table 9: Auditing and Reporting - Products and Technologies
Product or Technology Description
An enterprise-ready network and server management solution that enables
centralized reporting and management of all computing devices on the
network. Operations Manager also provides strong Audit Collections
functionality (through Audit Collections Services) and provides data
segregation, thus providing separation of duties and non-repudiation.
An enterprise-ready systems management solution enabling centralized
software deployment and management throughout the organization.
SharePoint eDiscovery and
The SharePoint 2013 eDiscovery and Compliance features allow
enterprises to manage and recover evidence used in civil litigation, and
manage the records for the whole organization. A central SharePoint site is
used to manage preservation (in-place hold), search, and export of content
stored across SharePoint farms and Exchange servers.
SQL Server Audit
The Audit feature allows fine-grained, secure auditing of any access to
objects in a database. In particular, it is an excellent tool for rigorously
tracking changes to the metadata tables and role memberships in the label
Personal Data Protection Considerations Using Cloud Services
Cloud computing has become an important part of corporate IT strategy for many companies
in recent years because of its merits such as readily expandable resources, a pay-as-you-go
charge model, and faster time-to-market, which the traditional on-premises technology
deployment model can hardly match. Unlike conventional IT outsourcing and hosting
arrangements where service providers supply IT infrastructure and services to customers
through a dedicated environment and staff resources, cloud service providers deliver IT
infrastructure and services to customers through a multi-tenant, shared environment from
data centers around the world. Because of that, many market studies and the dialogues
among prospective customers and service providers show that certain themes have
emerged as potential barriers to rapid adoption of cloud services, with security, privacy,
reliability, and operational control as the top concerns.
Whether a consumer’s personal information is stored on their own computer or in an online
setting, or whether an organization’s mission-critical data is stored on premises or on a
hosted server and cloud, Microsoft recognizes that all of these environments must provide
a trustworthy computing experience through a focus on three areas:
Utilizing a risk-based information security program that assesses and prioritizes
security and operational threats to the business;
Maintaining and updating a detailed set of security controls that mitigate risk;
Operating a compliance framework that ensures controls are designed
appropriately and are operating effectively.
Based on these trustworthy computing principles, we illustrated in previous sections the
Microsoft technology framework for data governance and access control which Microsoft has
developed through years of experience managing security risks in traditional development
and operating environments. Since the launch of MSN® in 1994, Microsoft has also been
building and running cloud services at global scale based on the same security and
governance framework. The Global Foundation Services (GFS) division of Microsoft delivers the
core infrastructure and foundational technologies for the company’s over 200 online
businesses including Bing, MSN, Office 365, Xbox Live, Skype, SkyDrive and the Windows
Azure platform. The infrastructure is comprised of a large global portfolio of data centers,
servers, content distribution networks, edge computing nodes, and fiber optic networks. The
portfolio is built and managed by a team of subject matter experts working 24x7x365 to
support services for more than 1 billion customers and 20 million businesses in over 89
countries worldwide. Microsoft’s Online Information Security Program defines how the Online
Services Security and Compliance (OSSC) team operates in GFS. The program has been
independently certified by British Standards Institute (BSI) Management Systems America
as being compliant with ISO/IEC 27001:2005.
To help customers avoid financial loss and other consequences of opportunistic and
targeted online attacks, and as part of a steadfast commitment to trustworthy computing,
Microsoft employs people, processes, and technologies leveraging its broad experience and
deep expertise to provide a safer digital experience for consumers and a more secure global
operating environment for businesses, be it on premises or in the cloud.
Some companies in Singapore are also concerned about how or where their data would be
stored and processed if they were to use cloud services for their business. Besides general
concerns about data security and privacy in the cloud, Clause 26 of the PDPA also states that
personal data may only be transferred to a country or territory outside of Singapore in
compliance with requirements prescribed under the PDPA to ensure that organizations
provide a standard of protection that is comparable to the protection under the PDPA. The
implementing regulations which will prescribe these requirements in Clause 26 have yet to
be finalized. Microsoft is monitoring this closely and will put in place the necessary
arrangements to ensure compliance. Customers using Microsoft cloud services such as Office
365 and Windows Azure may specify the geographic area(s) ("geos" and "regions") of the
Microsoft data centers in which customer data will be stored. For example, customers can
choose “Southeast Asia” as the “Region” to specify that their data should reside in the Microsoft
Singapore data center. Information on available geos and regions of Microsoft data centers
is available at the Trust Center websites listed in the References section of this white paper.
Microsoft may transfer customer data within a geo (e.g., within Europe) for data redundancy
or other purposes. For example, Windows Azure replicates Blob and Table data between
two regions within the same geo for enhanced data durability in case of a major data center
disaster; however, customers can choose to disable the geo-redundancy to avoid data being
transferred out of Singapore. Microsoft will not transfer customer data outside the geo(s) the
customer specifies (for example, from Europe to the United States or from the United States
to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the
service, or comply with legal requirements; or where the customer configures the account to
enable such transfer of customer data, including through the use of:
Features that do not enable geo selection, such as Content Delivery Network
(CDN), which provides a global caching service;
Web and Worker Roles, which back up software deployment packages to the
United States regardless of deployment geo;
Preview, beta, or other pre-release features that may store or transfer customer
data to the United States regardless of deployment geo;
Windows Azure Active Directory (except for Access Control), which may transfer
Active Directory Customer Data to the United States for European customers, or to
the United States or Europe for Asian customers.
However, Microsoft does not control or limit the geos from which customers or their end
users may access customer data. For more information on how Microsoft online services
address security, privacy and compliance issues, please refer to the Trust Center websites
in the References section of this white paper.
Organizations seeking to comply with the PDPA should engage their IT departments actively
in the process, and partner with external experts to develop a process that will take full
consideration of the requirements and also address the risks inherent in compliance-related
implementations. Organizations should also deploy relevant tools, technologies and products
to automate control over personal information as much as possible, and ensure
organization-wide consistency in how personal data is handled and managed.
Call to Action
In this white paper, we propose a general approach and framework to guide organizations in
addressing PDPA compliance requirements from people, process, and technology
perspectives. The journey toward compliance is likely to be a continuous process as the
regulation adjusts to meet the changing landscape of international business practices and
the legal environment. Protiviti and Microsoft can provide further assistance to help our
clients kick-start this journey by identifying capability gaps, prioritizing initiatives, and
developing an organization and architecture blueprint, which could help set the foundation
for a sustainable culture transformation and technical enablement for PDPA compliance in
the long run. For inquiries about topics in this white paper, or to find out more about our
offerings, products and services, please approach your Microsoft or Protiviti representatives,
or contact the following:
Generally Accepted Privacy Principles:
“Information Protection Strategies for Financial Services,” Microsoft U.S. National Security Team,
Co-authored by Thomas W. Shinder and Norm Barber, Sept 2007
“Microsoft’s Compliance Framework for Online Services,” Microsoft Global Foundation Services, Oct
“Information Security Management System for Microsoft Cloud Infrastructure,” Microsoft Corporation,
“Securing Microsoft’s Cloud Infrastructure,” Microsoft Corporation, May 2009
Global Foundation Service Security & Compliance:
O365 Trust Center:
Windows Azure Trust Center:
Dynamics CRM Online Trust Center:
Microsoft Windows Safety & Security Center:
Active Directory Rights Management Services:
Windows Phone Security:
Secure Windows Server 2012:
SQL Server 2012 Security & Compliance:
The Security Model of Microsoft Dynamics CRM:
Authentication, Authorization, and Security in SharePoint 2013:
Microsoft Lync Server 2010 Security Guide:
System Center 2012 Configuration Manager, Operations Manager, Endpoint Protection, and Data
Exchange Server Data Loss Prevention: