The Personal Data Protection Commission (PDPC) recently released the following new guidance:
- A new edition of the Guide to Data Protection Practices for ICT Systems (“Guide“), containing data protection practices drawn from past PDPC advisory guidelines and guides. The Guide also includes lessons learnt from past data breaches, and recommends basic and enhanced practices that organisations can incorporate into their infocomm technology (ICT) policies, systems and processes.
- Based on past data breach cases handled by the PDPC, the Handbook on How to Guard Against Common Types of Data Breaches (“Handbook“) identifies the five most common gaps in ICT system management and processes that may lead to data breaches. The Handbook provides examples and recommendations on good practices that organisations can adopt to plug the gaps and guard against these common data breaches.
- Two Checklists to Guard Against Common Types of Data Breaches (“Checklists“) to assist organisations to put in place and review existing policies, technology controls and processes to avoid common mistakes that often result in data breaches.
Businesses should take steps to consider how to integrate the PDPC’s Guide, Handbook and Checklists in practice, e.g., implementation of an internal FAQ for employees and implementation of internal policies for the app developer/engineering team.
All organisations are required under the Personal Data Protection Act 2012 to safeguard personal data that it possesses or has under its control.
To achieve this safeguard, and to ensure robust and resilient ICT systems, organisations should:
- Ensure their ICT policies, systems and processes adopt the Guide as a minimum level of data protection.
- Avoid the common gaps in ICT system management identified in the Handbook and have in place corresponding ICT good practices to prevent common data breaches.
- Review existing policies, technology controls and processes against the Checklists, tailored to the organisation’s business and operations.
In more detail: the Guide, Handbook and Checklists
To allow easy reference by ICT personnel in an organisation, as well as its vendors, the latest Guide groups data protection practices for ICT systems into three main sections and recommends the basic and enhanced ICT practices that organisations can put in place to support each stage of the data lifecycle:
- Policies and risk management practices, covering governance; collection of personal data; notification of purpose; managing consent; access; correction and accuracy of personal data; housekeeping of personal data; and retention of personal data
- ICT control measures, covering authentication, authorisation and passwords; computer networks; database security; web applications and website security; and ICT security and testing
- Standard operating procedures and ICT operations, covering security awareness; personal computers and other computing devices; portable computing devices and removable storage media; compliance, monitoring, alerts, testing and audits; and cloud computing
The Guide also provides a checklist of good practices that organisations should include in the development of their data breach management plan.
The Handbook identifies the following five most common gaps in ICT system management and processes based on case studies, with corresponding ICT preventative good practices:
- Coding issues: Mistakes made during the programming phase of software development can lead to application errors that result in disclosure of personal data. These mistakes can be avoided by designing before coding and performing a thorough impact analysis; investing effort to document all software, functional and technical specifications; and ensuring that the application is thoroughly tested and performing code reviews.
- Configuration issues (including issues in code management and deployment): Many of the ICT system components (e.g., application/web server, database, operating system, firewall) have configurable settings and parameters. Unsecured settings, including leaving settings in their default, can result in unintended disclosure of personal data. Vulnerabilities in configuration issues can be prevented by hardening system configuration by making appropriate changes to settings instead of relying on default settings to be sufficiently secure, automating build and deployment processes, and managing configuration settings systematically.
- Malware and phishing: Phishing email attacks are often used on employees with unrestricted access to the internet to trick them into revealing their login credentials or other sensitive information, or downloading attachments containing malware. To counteract such threat actors, organisations should conduct regular phishing simulation exercises, educate employees to be alert to phishing and other forms of social engineering, consider restricting internet access, install endpoint security solutions, and ensure personal data is automatically and regularly backed up.
- Security and responsibility issues: The ICT system design and development phases must take into account security, and thereafter as part of system maintenance as well. To avoid systems becoming more vulnerable over time, as well as the risk of data breach in a test environment, organisations should create synthetic data (i.e., fake personal data or data anonymised from real data) for development and testing purposes in non-production environments; protect personal data through access control; and establish clear responsibility for ICT security to an assigned person or team.
- Accounts and passwords: Accounts and passwords must be managed securely; otherwise weak passwords or accounts falling into the wrong hands will enable unauthorised access to ICT systems without requiring sophisticated attacks at the server end. Organisations should periodically review user accounts and remove unneeded accounts, ensure that passwords are not exposed in code or configuration files, minimise the risk of brute force attacks, adopt and implement a strong password policy, and require complex passwords or multi-factor authentication for administrative accounts.
The Checklists complement the Handbook, and aim to help organisations:
- Prevent coding issues by having in place good practices during their application development phase and support process, and so avoid resultant application errors leading to the subsequent disclosure of personal data.
- Enhance security awareness and responsibilities during coding.
Organisations that handle personal data (e.g., names and email addresses) for generic communication purposes such as direct marketing or customer support should adopt the recommended basic practices. Where organisations hold large quantities of different types of personal data or data that might be more sensitive in nature to the individuals or the organisations, the PDPC expects these organisations to implement the relevant enhanced practices suggested in each section additionally.
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.