Complying with Singapore Personal Data Protection Act - A Practical Guide


A practical guide on how to comply with the provisions of the Singapore Personal Data Protection Act from a people, process, and technology (Microsoft-specific) perspective.

Published in: Technology, Business

  1. 1. Complying with the Singapore Personal Data Protection Act A Practical Guide March 2014
  2. 2. Synopsis

     The Singapore Personal Data Protection Act (PDPA), effective January 2013, obliges organizations to take specific responsibilities regarding the protection of personal information. These responsibilities concern the collection, accuracy, protection and disclosure of personal information and can significantly impact an organization’s handling of personal information and data.

     This white paper outlines the data protection requirements under the PDPA, and provides information on available solutions to address the requirements, with a focus on Microsoft-specific security and privacy technologies. We also discuss several process-driven and technology-enabled approaches that emphasize the importance of IT management in supporting organizations to comply with their PDPA obligations.

     The views discussed in this white paper are jointly presented by Protiviti and Microsoft. The focus is on management awareness, roles and responsibilities, data mapping, data flow, personal data management processes, and risk assessment and analysis to implement an organization’s compliance program.

     We will present a Microsoft data governance and access control framework that includes five key elements for the management and protection of personal data: Secure Infrastructure; Identity and Access Control; Data Encryption; Document Protection; and Auditing and Reporting. For each of these five elements, we discuss appropriate tools and technologies developed by Microsoft and applicable to Microsoft systems.

     We conclude by encouraging organizations seeking to comply with the PDPA to engage their IT departments actively in the process and to partner with external experts where applicable to develop a process that would address the risks inherent in compliance-related implementation. Organizations should also deploy relevant tools, technologies, and products to automate control over private information as much as possible and ensure organization-wide consistency in how personal information is handled and managed.

     Disclaimer

     All rights, products, company names, brand names, trademarks and logos are the property of their respective owners. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any product. You may copy and use this document for your internal, reference purposes.
  3. 3. Overview

     The nature of technology today allows for an increasing volume of personal data to be captured, stored, and processed with great ease. The wide availability of personal information – whether employee, visitor, customer or contractor – provides opportunities for companies to increase productivity and improve their marketing. At the same time, the advancement of technology also calls for greater responsibility in managing and protecting personal information.

     The enactment of the PDPA in January 2013 tasks organizations that process personal data with new responsibilities for protecting personal information. Because of the technology-driven nature of businesses, IT management will be required to play an important role and support the efforts by organizations to meet their obligations under the PDPA.

     The PDPA governs the consent, purpose, reasonableness of collection, use, disclosure and care of individuals’ personal data by organizations. Figure 1 summarizes both the data protection and Do-Not-Call (DNC) provisions of the PDPA. The DNC provisions have been in force since January 2014, and the deadline for complying with the data protection provisions is July 2, 2014.

     Figure 1: The Data Protection and DNC Provisions of PDPA
  4. 4. Data Protection Provisions – Nine Obligations

     Figure 2 below outlines the PDPA’s nine obligations for organizations that own and process personal data. The obligations apply to data stored in both electronic and physical forms.

     Figure 2: The Nine Obligations of PDPA

     Impact of PDPA on Organizations

     Complying with the PDPA is a legal requirement for organizations. In January 2013, the Personal Data Protection Commission (PDPC) was set up to administer and enforce the PDPA. Apart from undertaking promotional and outreach activities, the PDPC is empowered to conduct investigations – upon complaint or of its own accord – to establish whether an organization is complying with all nine PDPA obligations.

     If the PDPC finds that an organization is in breach of any of the data protection provisions of the PDPA, it can direct the organization to rectify the breach with a specific action such as ceasing to collect, correcting, or removing the affected personal data, and it can also impose a financial penalty on the organization of up to S$1 million. Any person found to have violated the provisions, knowingly or otherwise, may be subject to a fine not exceeding S$5,000 or to imprisonment for up to 12 months or both.

     If the breach consists of authorizing sales and marketing messages to individuals on the Singapore Do Not Call registry, in the form of voice calls, text or fax, the organization can be found to have contravened the DNC (Do Not Call) provisions of the PDPA and can be liable, upon conviction, for fines of up to S$10,000 for each offense.
  5. 5. How IT Management Can Support the PDPA Obligations

     Some organizations may act quickly to address personal data protection at the operational level but have a limited idea of how to engage with IT management to meet the PDPA obligations. IT management needs to engage and support the data protection officer (DPO) and business users in achieving, maintaining and monitoring PDPA compliance. To do so, IT management first needs to understand the key data protection program milestones and devise the correct engagement strategy. The following sections discuss these milestones in detail.

     Milestone 1: Management Awareness and Support for Data Protection

     Leading practices for Personal Data Protection (PDP) programs begin with an awareness-creation session for the organization’s senior management. Once the awareness is created, management should decide on the roles and responsibilities of the DPO necessary to support the organization in its compliance with the PDPA. The DPO may establish a task force to enable effective execution of the PDP program. For the program to be successful, it is imperative that IT management be involved as a member of this task force.

     Milestone 2: Identify Different Roles and Responsibilities in Data Protection

     IT management should understand the roles and responsibilities of the various parties in the task force. Table 1 below suggests how IT could involve the various roles and responsibilities for data protection.

     Microsoft has developed a technology framework for data governance and access control which provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five key elements are: Secure Infrastructure, Identity and Access Control, Data Encryption, Document Protection, Auditing and Reporting. These elements will be further explained in the later sections of this paper.

     The data protection roles and responsibilities to be considered for each of the five key elements in this framework are presented in Table 1 below. The roles and responsibilities are indicated by initial, following these definitions:

     • Responsible – Party responsible for performing the process
     • Accountable – Party accountable and contactable regarding the decision and process effectiveness
     • Contributing (or Consulted) – Party providing information and/or advice needed to make the process successful
     • Informed – Party concerned or dependent upon the information that is managed by this process
  6. 6. Table 1: The Data Protection Roles & Responsibilities Mapping To Microsoft Technology Framework

     For each role, the entry gives its responsibilities, followed by its mapping to the five elements of the Microsoft Technology Framework for Data Governance and Access Control.

     Management and Sponsor
       Responsibilities: Refers to an organization's management (person or team) that is accountable to comply with the PDPA obligations over personal data.
       Secure Infrastructure: A; Identity and Access Control: A; Data Encryption: A; Document Protection: A; Auditing and Reporting: A

     Data Protection Officer
       Responsibilities: A Data Protection Officer is an individual or individuals responsible for ensuring that the organization complies with the PDPA, including the implementation of personal data protection policies within the organization. The business contact information of at least one DPO should be made available to the public. Compliance with the PDPA remains the responsibility of the organization's management.
       Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: C; Document Protection: I; Auditing and Reporting: R

     Data Controller
       Responsibilities: A Data Controller is the person who determines (alone or jointly with others) the purpose and manner in which any personal data is, or is going to be, processed.
       Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: I; Document Protection: R; Auditing and Reporting: I

     Data Processor
       Responsibilities: A Data Processor, in relation to personal data, is any person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.
       Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: R; Document Protection: R; Auditing and Reporting: I

     Data Subject
       Responsibilities: A Data Subject is an individual whose personal data is in the control of the organization.
       Secure Infrastructure: -; Identity and Access Control: -; Data Encryption: I; Document Protection: I; Auditing and Reporting: I

     Data Intermediary
       Responsibilities: A Data Intermediary is a person or persons who may be contracted to use or process personal data on behalf of the organization. A Data Intermediary is any person/organization other than the Data Subject, the Data Controller, Data Processor or any other person authorized to use and/or process data for the Data Controller or Processor.
       Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: R; Document Protection: R; Auditing and Reporting: I
  7. 7. Milestone 3: Complete Personal Data Inventory Map and Data Flow Diagrams

     After understanding the roles and responsibilities of the different parties involved in data protection, the next step is to create a personal data inventory map. The data inventory map includes possible record classifications and record types organized by business function. The DPO will work with the respective data controllers to determine which record types are in-scope for PDPA purposes and should be included in the company’s PDP program.

     IT management should be instrumental in defining and completing the data inventory map. IT should work with the DPO and other task force members to develop an in-depth understanding of the organization’s personal data and corresponding application architecture. A personal data inventory map may include the attributes highlighted in Table 2:

     Table 2: Personal Data Inventory Map Attributes

     Record Class: Record Class classifies data by the business function. ADM (Administration), HUM (Human Resource), and FIN (Finance) are possible examples of Record Classes.

     Record Class Name: A Record Class Name indicates the specific information type that belongs to the record class. For example, the record class ADM would have a record class name “Internal Services” that could be described as: “Records related to internal support provided to the organization’s personnel, including services and products. Also includes records related to the procurement of travel services, transportation, and lodging. These records document the extent and purpose of travel undertaken by employees on Company business, and include trip itineraries and copies of tickets.”

     Content Type: The Content Type provides the specific document name or attributes. The record class name “Internal Services” may include:
       • Transport Ticket Copies
       • Travel Itineraries
       • Traveler Profiles

     PDPA In-Scope (Y/N): Content type is either PDPA in-scope or not in-scope. The Data Controller would determine this.

     The data inventory map could be further customized for those records indicated as PDPA in-scope. For instance, the DPO and Data Controller could identify and document the associated purpose, policies, guidelines, and even retention requirements for each of the PDPA in-scope records.

     Leading practices in the area of data protection also recommend the use of a data flow diagram for each of the PDPA in-scope content types. Data flow diagrams give DPOs and the data controller better visibility of the personal data source, points of collection, the data owners, controllers and processors, as well as how the data is kept and secured on which IT server/application. A sample data flow diagram may involve the details presented in Figure 3. Similar tools and references are available to Protiviti KnowledgeLeader® subscribers.
  8. 8. Figure 3: Sample Personal Data Flow Diagram

     Upon understanding the data inventory map and data flow diagram, IT management could assist the DPO and data controller to classify personal data that resides in the identified IT servers and applications. The Microsoft five elements of technology framework for data governance and access control provided in this paper could be considered for each of the IT servers and applications identified.

     IT management could consider established IT security standards and leading practices such as ISO 27001 for the use of data classification. Table 3 provides extracts from ISO 27001 specific to data classification controls that the DPO and IT could evaluate across ISO 27001 suggested elements: Business Policies; Business Processes; People and Organization; Management Reports; Methodologies; Systems and Data.

     Table 3: ISO 27001 Control Objectives and Control Attributes

     ISO 27001 Control Objectives, Section 7.2: Information Classification
       To ensure that information receives an appropriate level of protection.

     Classification Guidelines
       • Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
       Suggested control attributes include:
       • A security classification scheme for major assets
       • Security classification scheme is formalized
       • Security classification includes value, legal requirements, sensitivity and criticality to the organization
  9. 9. Table 3: ISO 27001 Control Objectives and Control Attributes (continued)

     Information Labeling and Handling
       • An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
       Suggested control attributes include:
       • Procedures are implemented for the labeling and handling of information/assets that require security protection
       • Procedures are regularly reviewed and updated
       • Procedures consider identification (labeling) of electronic and physical sensitive/critical assets

     Milestone 4: Establish the Personal Data Management Process

     The DPO is also required to establish a set of procedures to support the PDPA obligations. To facilitate the personal data management process, Protiviti developed the Personal Data Protection (PDP) Process Classification Scheme (PCS). This scheme helps organize required PDP practices according to relevant processes, and defines the areas that should be addressed for each of the nine obligations. Identifying each PDP practice as a set of defined processes or sub-processes helps promote a common language and provides a “roadmap” to help identify process-related risks and potential controls that may be applicable in compliance with the PDPA. A sample of the Protiviti PCS meeting the Consent, Purpose, Notification and Protect obligations of the PDPA is illustrated in Figure 4.

     Figure 4: Sample of Personal Data Management Process Classification Scheme

     The PCS is not an all-inclusive list of existing PDP processes. The Protiviti PCS (processes and associated sub-processes) needs to be customized to fit the facts, circumstances and culture of the organization. IT management could, however, understand the major process activities and areas to identify necessary IT platform attributes for personal data protection and management.
  10. 10. Milestone 5: Assessment and Gap Analysis

     With the data inventory map, data flow diagrams and processes designed, it is necessary to conduct an initial assessment over these areas to identify gaps and improvement opportunities. Protiviti’s assessment approach considers the PDPA requirements in the context of the Generally Accepted Privacy Principles (GAPP). The objective is to enable the Management/Sponsor to determine whether the company has defined and is managing personal data following the PDPA guidelines. As part of this assessment (see Figure 5), interviews with staff in different data protection roles and responsibilities are conducted to identify improvement opportunities.

     Figure 5: Sample of Assessment and Gap Analysis Report

     Each of the milestones discussed above concerns specific IT platforms and management considerations to support the protection and management of personal data. However, attempting to address every IT platform with its own unique attributes can be expensive and time-consuming. A more effective approach is to complement the program with a technology framework in managing and protecting personal data. The Microsoft five elements of technology framework for data governance and access control discussed in the next section could be considered to support the improvement opportunities and action plans.
  11. 11. A Technology Framework for Data Governance and Access Control

     Microsoft has developed a technology framework for data governance and access control that provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five elements are described in Table 4.

     Table 4: Microsoft Technology Framework for Data Governance and Access Control

     Secure Infrastructure: Safeguards that help protect against malware, intrusions and unauthorized access to personal information, and protect systems from evolving threats.

     Identity and Access Control: Systems that help protect personal information from unauthorized access or use, and provide management controls for identity access and provisioning.

     Data Encryption: Safeguards that help protect sensitive personal information by converting data into incomprehensible code that requires a “key” for decoding, with the key held by an authorized recipient.

     Document Protection: Protection of personal information stored in a document throughout its entire life cycle via digital signature, encryption, and file validation.

     Auditing and Reporting: Monitoring the integrity of systems and data in compliance with business policies.

     The following sections describe some of the products and technologies Microsoft provides relative to each of the five elements of the technology framework listed above.

     Secure Infrastructure

     The growing importance of information technologies to the way we work underscores the need to secure the underlying infrastructure as much as possible. Fundamentally, safeguarding and managing personally identifiable information (PII) depends on a secure infrastructure that protects against malicious software and hacker intrusions. Table 5 describes a number of Microsoft products and technologies which could help provide a secure infrastructure.
  12. 12. Table 5: Secure Infrastructure - Products and Technologies

     Windows Client Security Technologies

     Windows Firewall: A host-based firewall controls access to inbound and outbound communications.

     Automatic Updates: This feature enables Windows computers to automatically update the operating system with the latest security updates.

     User Account Control (UAC): This technology allows users to run with the least-required privilege and helps prevent malware from installing in the background without the user’s knowledge. UAC presents an obstacle to non-UAC aware malware.

     Service Hardening: Windows services are designed and configured to run with the least-required privilege, reducing the harm that can be done by a compromised service.

     Kernel Patch Protection: This technology helps prevent malware from making alterations to the operating system kernel, which helps prevent installation and execution of rootkits.

     Windows Defender: An anti-malware, anti-virus application in Windows 8/8.1 that helps prevent the installation and execution of spyware and other unwanted software. Windows Security Essential was the equivalent software for earlier versions of Windows.

     Network Access Protection: A network-access control solution which helps prevent unapproved client and server systems from connecting to network resources.

     USB and Removable Device Control: A hardware control system enables administrators to block access to USBs and other removable devices.

     AppLocker: A flexible, easy-to-administer mechanism that allows IT to specify what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive.

     BitLocker: A technology that helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7/8 file and system protections or performing offline viewing of the files stored on the safeguarded drive.

     Secure Boot: A security standard developed by members of the PC industry to help make sure that a PC/server boots using only firmware that is trusted by the PC manufacturer. Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, and Windows Server 2012 support this technology.

     System Center Endpoint Protection: A technology that uses the monitoring and deployment capabilities of System Center Configuration Manager (SCCM) to streamline the deployment of antimalware definitions and uses SCCM to provide an in-console monitoring solution. You can also use Endpoint Protection to configure Windows Firewall settings on computers in the enterprise.
  13. 13. Table 5: Secure Infrastructure - Products and Technologies (continued)

     Microsoft Server Security Technologies

     Fundamental Server Security: These fundamental security elements work together to define trusted users, servers, connections, and operations to help provide a secure foundation for Microsoft server products such as Windows Server, SQL Server, SharePoint, Dynamics CRM/AX, Lync, etc.
       • Active Directory Domain Services integration
       • Role-based access control
       • Public Key Infrastructure
       • TLS, HTTPS, MTLS support
       • Industry standard protocol for authentication
       • Security features provided by Windows PowerShell that are enabled by default so that users cannot easily or unknowingly run scripts

     Exchange Server 2013 Data Loss Prevention: Performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to help detect content that violates organizational DLP policies.

     SQL Server Security Labeling: Provides fine-grained access control at the row and cell level of database tables.

     System Center Data Protection Manager (DPM): Enables disk-based and tape-based data protection and recovery for servers such as SQL Server, Exchange Server, SharePoint, virtual servers, file servers, and support for Windows desktops and laptops. DPM can also centrally manage system state and Bare Metal Recovery (BMR).

     Credential Protection: Features and methods introduced in Windows Server 2012 R2 and Windows 8.1 for credential protection and domain authentication controls to reduce credential theft.

     Windows Phone Security Technologies

     Embedded Trusted Platform Module (TPM) 2.0 Chip: The TPM chip protects encryption keys, contains a crypto processing engine, and is a foundational element of a secure boot chain.

     Unified Extensible Firmware Interface (UEFI) Secure Boot: In a UEFI Secure Boot process the firmware, the bootloader, the kernel and kernel extensions are all cryptographically signed. This makes it easy to detect when any of these layers has been tampered with.

     Integrated Information Rights Management (IRM): The built-in IRM could help prevent authenticated users on a trusted device from sharing data with unintended parties, willingly or unwillingly.

     Device locking and BitLocker Support: Windows Phone supports alpha-numeric and complex passwords for device-locking. It also supports the same BitLocker technology used in Windows 7/8 client to encrypt the data on the phone.

     Crypto signing from OS kernel to the apps: The entire OS and every app on the system are code-signed to establish a chain of trust from the hardware all the way up.

     Local/Remote device wipe: Local device wipe occurs after a specified number of incorrect login attempts. Remote device wipe erases data and helps to prevent unauthorized use.
  14. 14. Identity and Access Control

     To reduce the risk of a deliberate or accidental data breach, and to help organizations meet PDPA compliance requirements, Microsoft offers identity and access control technologies that help protect PII from unauthorized access, while facilitating its availability to legitimate users. Table 6 describes a number of Microsoft products and technologies that could help meet identity and access control challenges in a distributed computing environment.

     Table 6: Identity and Access Control - Products and Technologies

     Active Directory: A centralized database of user and machine accounts enables centralized management of machines and users within the organization.

     Active Directory Federation Services: This technology enables federation of multiple Windows domains, which streamlines management and control of partner access to corporate resources.

     Forefront Identity Manager: The technology provides self-service identity management for users, automated lifecycle management across heterogeneous platforms for administrators, and a rich policy framework for enforcing corporate security policies and detailed audit capabilities.

     Windows Smart Card Support: This technology enables two-factor authentication for user logon and data access for Windows clients.

     Exchange Server support for two-factor authentication: Two-factor authentication requires two methods to gain access to resources. Typically users provide a physical card or token and a PIN to access authorized resources.

     Dynamic Access Control: In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. It enables data classification, central access policy definition and auditing, and automatic rights management protection.
  15. 15. Data Encryption

     Supported by strong identity and access controls, data encryption can help safeguard information that is stored in databases, on mobile devices, laptops and desktop computers, or transferred via email, across the Internet or other non-trusted networks. Encryption used to secure storage, transmission and disposal of sensitive information greatly reduces the risk of a harmful data breach by an intruder or hacker break-in, or from a lost or stolen computer or mobile device. Table 7 describes a number of Microsoft products and technologies that support data encryption in a distributed computing scenario.

     Table 7: Data Encryption - Products and Technologies

     Encrypting File System (EFS): EFS encrypts disk data on a per-file or per-folder basis.

     BitLocker Encryption: This technology helps prevent offline and other attacks against the disk data by encrypting all data on the system disk volume.

     Virtual Private Networking and IPSec: This encryption and network access control technology can be used to control access to servers and encrypt data over the network.

     Exchange Server support for encrypted email: Encrypted email helps prevent unauthorized persons from reading or capturing email in transit.

     SQL Server Transparent Data Encryption: TDE causes the data and log files (and full-text catalogs, if present) to be encrypted on disk. The encryption occurs transparently as data moves through the SQL Server’s IO buffers, so no complicated setup is required and the encryption is all-encompassing for the encrypted database.

     Document Protection

     Rights Management tools help assure document protection. These technologies can be applied to desktop productivity, email and line-of-business applications to help safeguard information and control how information is used, through “persistent protection” that extends throughout the life of the document. They also help prevent sensitive data such as PII or confidential email messages from getting into the wrong hands, intentionally or accidentally. Table 8 describes a number of Microsoft products and technologies that could help protect documents in a distributed environment.
  16. 16. 15 | P a g e Complying with the Singapore Personal Data Protection Act - A Practical Guide - March 2014 Table 8: Document Protection - Products and Technologies Product or Technology Description Rights Management Services A collection of technologies controls which users can access documents and what they can do with those documents. They can be integrated with SharePoint and Exchange servers for strong document/mail access control and auditing. Support for XrML/XPS XrML is a technology that enables rights management controls for virtually any type of document. XPS is a document format that enables strong access controls based on Rights Management Services. Exchange Server Ethical Firewall This policy-based solution enables organizations to control what content is allowed through the email channel. It can be implemented via transport rules on Hub Transport servers. Office file encryption Office 2013, in addition to maintaining support for Cryptography API (CryptoAPI), also includes support for CNG (CryptoAPI: Next Generation). CNG allows for more agile encryption, where encryption and hashing algorithms that are supported on the host computer can be specified for use during the document encryption process. CNG also allows for better extensibility encryption, where third-party encryption modules can be used. Office file digital signature Users can digitally sign an Office 2013 Excel, PowerPoint, or Word document for many of the same reasons that they might place a handwritten signature on a paper document. A digital signature is used to help authenticate the identity of the creator of digital information, such as documents, email messages, and macros, by using cryptographic algorithms. Office file validation A security feature in Office 2013 that helps prevent file format attacks by scanning Office binary file formats before they are opened in Excel 2013, PowerPoint 2013, or Word 2013. 
Auditing and Reporting

Compliance with internal policies, government regulations, and consumer demands for better control over PII requires the use of monitoring technologies to assist organizations with audit and reporting related to data, systems and applications. Systems management and monitoring technologies can help verify that system and data access controls are operating effectively, and identify suspicious or noncompliant activities. Table 9 describes a number of Microsoft products and technologies that could help with auditing and reporting tasks for data protection and incident investigation.
Table 9: Auditing and Reporting - Products and Technologies

Product or Technology | Description
System Center Operations Manager | An enterprise-ready network and server management solution that enables centralized reporting and management of all computing devices on the network. Operations Manager also provides strong Audit Collections functionality (through Audit Collections Services) and provides data segregation, thus providing separation of duties and non-repudiation.
System Center Configuration Manager | An enterprise-ready systems management solution enabling centralized software deployment and management throughout the organization.
SharePoint eDiscovery and Compliance | The SharePoint 2013 eDiscovery and Compliance features allow enterprises to manage and recover evidence used in civil litigation, and manage the records for the whole organization. A central SharePoint site is used to manage preservation (in-place hold), search, and export of content stored across SharePoint farms and Exchange servers.
SQL Server Audit | The Audit feature allows fine-grained, secure auditing of any access to objects in a database. In particular, it is an excellent tool for rigorously tracking changes to the metadata tables and role memberships in the label policy.

Personal Data Protection Considerations Using Cloud Services

Cloud computing has become an important part of corporate IT strategy for many companies in recent years because of its merits such as readily expandable resources, a pay-as-you-go charge model, and faster time-to-market, which the traditional on-premises technology deployment model can hardly match.
Unlike conventional IT outsourcing and hosting arrangements, where service providers supply IT infrastructure and services to customers through a dedicated environment and staff resources, cloud service providers deliver IT infrastructure and services to customers through a multi-tenant, shared environment from data centers around the world. As a result, many market studies and the dialogues among prospective customers and service providers show that certain themes have emerged as potential barriers to rapid adoption of cloud services, with security, privacy, reliability, and operational control as the top concerns.

Whether a consumer’s personal information is stored on their own computer or in an online setting, or whether an organization’s mission-critical data is stored on premises or on a hosted server and cloud, Microsoft recognizes that all of these environments must provide a trustworthy computing experience through a focus on three areas:

  • Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business;
  • Maintaining and updating a detailed set of security controls that mitigate risk;
  • Operating a compliance framework that ensures controls are designed appropriately and are operating effectively.

Based on these trustworthy computing principles, we illustrated in previous sections the Microsoft technology framework for data governance and access control, which Microsoft has developed through years of experience managing security risks in traditional development and operating environments. Since the launch of MSN® in 1994, Microsoft has also been building and running cloud services at global scale based on the same security and governance framework.

The Global Foundation Services (GFS) division of Microsoft delivers the core infrastructure and foundational technologies for the company’s more than 200 online businesses, including Bing, MSN, Office 365, Xbox Live, Skype, SkyDrive and the Windows Azure platform. The infrastructure comprises a large global portfolio of data centers, servers, content distribution networks, edge computing nodes, and fiber optic networks. The portfolio is built and managed by a team of subject matter experts working 24x7x365 to support services for more than 1 billion customers and 20 million businesses in over 89 countries worldwide.

Microsoft’s Online Information Security Program defines how the Online Services Security and Compliance (OSSC) team operates in GFS. The program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005. To help customers avoid financial loss and other consequences of opportunistic and targeted online attacks, and as part of a steadfast commitment to trustworthy computing, Microsoft employs people, processes, and technologies, leveraging its broad experience and deep expertise to provide a safer digital experience for consumers and a more secure global operating environment for businesses, be it on premises or in the cloud.

Some companies in Singapore are also concerned about how or where their data would be stored and processed if they were to use cloud services for their business. Besides general concerns about data security and privacy in the cloud, Clause 26 of the PDPA also states that personal data may only be transferred to a country or territory outside of Singapore in compliance with requirements prescribed under the PDPA, to ensure that organizations provide a standard of protection that is comparable to the protection under the PDPA. The implementing regulations which will prescribe these requirements in Clause 26 have yet to be finalized. Microsoft is monitoring this closely and will put in place the necessary arrangements to ensure compliance.
Customers using Microsoft cloud services such as Office 365 and Windows Azure may specify the geographic area(s) ("geos" and "regions") of the Microsoft data centers in which customer data will be stored. For example, customers can choose “Southeast Asia” as the “Region” to specify that their data should reside in the Microsoft Singapore data center. Information on available geos and regions of Microsoft data centers is available at the Trust Center websites listed in the References section of this white paper.

Microsoft may transfer customer data within a geo (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure replicates Blob and Table data between two regions within the same geo for enhanced data durability in case of a major data center disaster; however, customers can choose to disable the geo-redundancy to avoid data being transferred out of Singapore.

Microsoft will not transfer customer data outside the geo(s) the customer specifies (for example, from Europe to the United States or from the United States to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where the customer configures the account to enable such transfer of customer data, including through the use of:

  • Features that do not enable geo selection, such as Content Delivery Network (CDN), which provides a global caching service;
  • Web and Worker Roles, which back up software deployment packages to the United States regardless of deployment geo;
  • Preview, beta, or other pre-release features that may store or transfer customer data to the United States regardless of deployment geo;
  • Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers.

However, Microsoft does not control or limit the geos from which customers or their end users may access customer data. For more information on how Microsoft online services address security, privacy and compliance issues, please refer to the Trust Center websites in the References section of this white paper.
Conclusion

Organizations seeking to comply with the PDPA should engage their IT departments actively in the process, and partner with external experts to develop a process that will take full consideration of the requirements and also address the risks inherent in compliance-related implementations. Organizations should also deploy relevant tools, technologies and products to automate control over personal information as much as possible, and ensure organization-wide consistency in how personal data is handled and managed.

Call to Action

In this white paper, we propose a general approach and framework to guide organizations in addressing PDPA compliance requirements from people, process, and technology perspectives. The journey toward compliance is likely to be a continuous process as the regulation adjusts to meet the changing landscape of international business practices and the legal environment. Protiviti and Microsoft can provide further assistance to help our clients kick-start this journey by identifying capability gaps, prioritizing initiatives, and developing an organization and architecture blueprint, which could help set the foundation for a sustainable culture transformation and technical enablement for PDPA compliance in the long run.

For inquiries about topics in this white paper, or to find out more about our offerings, products and services, please approach your Microsoft or Protiviti representatives, or contact the following:

  • Ivan Leong, Protiviti Singapore, +65 6220-6066
  • Daniel Li, Microsoft Singapore, +65 6888-7409
References

  • Generally Accepted Privacy Principles: acyPrinciples/Pages/default.aspx
  • Protiviti KnowledgeLeader:
  • “Information Protection Strategies for Financial Services,” Microsoft U.S. National Security Team, Co-authored by Thomas W. Shinder and Norm Barber, Sept 2007
  • “Microsoft’s Compliance Framework for Online Services,” Microsoft Global Foundation Services, Oct 2009
  • “Information Security Management System for Microsoft Cloud Infrastructure,” Microsoft Corporation, Nov 2010
  • “Securing Microsoft’s Cloud Infrastructure,” Microsoft Corporation, May 2009
  • Global Foundation Service Security & Compliance:
  • O365 Trust Center: FX103030390.aspx
  • Windows Azure Trust Center:
  • Dynamics CRM Online Trust Center:
  • Microsoft Windows Safety & Security Center:
  • Active Directory Rights Management Services:
  • Windows Phone Security:
  • Secure Windows Server 2012:
  • SQL Server 2012 Security & Compliance: and-compliance.aspx
  • The Security Model of Microsoft Dynamics CRM:
  • Authentication, Authorization, and Security in SharePoint 2013:
  • Microsoft Lync Server 2010 Security Guide:
  • System Center 2012 Configuration Manager, Operations Manager, Endpoint Protection, and Data Protection:
  • Exchange Server Data Loss Prevention:
About Microsoft

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential. To know more, please visit

Microsoft, Office, Windows, Windows XP, Windows Vista, Windows 8, Windows Server, Visual Studios, SharePoint, Dynamics CRM/AX, and SQL Server are either registered trademarks or trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. © 2014 Microsoft. All rights reserved.

About Protiviti

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.