A presentation to the Singapore chapters of PMI and ITSMF on the PDPA.
Page: 1
Presentation Notes
Speaker: Paul Southern, Pasoco Pte Ltd
Content Manager: Paul Southern
Title of presentation: Singapore Personal Data Protection Act (PDPA): What you cannot miss in your IT systems and projects?
Name of Event: ITSMF Singapore Chapter
Location of Event: Singapore Management University, Administration Building, Function Room 4.1 - 4.2, 81 Victoria Street, Singapore 188065
Presentation date/time: Thursday 26 June 2014, 7pm
Length of presentation: 90 (plus Q&A)
Audience: Public, non NDA. ITSMF members, SPMI members, public.
Press Announcement: http://itsmf.org.sg/events/index.jsp
Host: Rashid Mohiuddin <[email protected]>
Page: 4
Paul Southern
• Nortel & Microsoft
• Startups: cloud, fintech, CDN, consulting
• PMP, IAPP
• Singapore PR, married, 2 children
Page: 5
Agenda
• An overview of the PDPA and the requirements it places on businesses
• Behavioral changes
• What it means for IT and PM
• Sample risk evaluation criteria & example compliance plans
• Where to get more info
• An opportunity for Q&A and knowledge sharing
Page: 6
Disclaimer, no warranty
The information contained in this presentation and statements are for general guidance and of interest only. There may be errors or omissions in information contained. All information is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied. The information is provided with the understanding that Pasoco are not herein engaged in rendering legal advice and services. While Pasoco has made every attempt to ensure that the information is reliable, Pasoco is not responsible for any errors or omissions, or for the results obtained from the use of this information. In no event will Pasoco be liable to you or anyone else for any decision made or action taken in reliance on the information or for any consequential, special or similar damages, even if advised of the possibility of such damages.
Page: 8
Super high-level
• Personal Data Protection Act
• B2C, not B2B, C2C, G2x
• Places obligations/limitations on Organizations (B)
• Empowers Individuals (C) with limited rights
• Protects Individual’s personal data from disclosure
• Is fully in-force on Wed July 2, 00:00hrs
• Fines up to S$1 million!
Page: 11
The criminal world exploits PD
• Robust black market of
  • Email address
  • Spam-as-a-service, DIY botnets
  • Credit card, debit card info
• Cyber-crimes
  • Identity theft, cyber-stalking
  • Attack all, weakest succumb, eg: phishing
  • Many x small amounts
Page: 12
Overview, Background
• PDPA = Personal Data Protection Act, Singapore, 2012
  • Includes a DNC / Do not call provision
• Law, enacted 2012, effective 2014: 2 Jan (DNC, PDPC), 2 July (all)
• Overseen by the PDPC/Commission, under IDA
• Breach could result in fine and civil proceedings
• Is all-covering, complements sectorial legislations
• Purpose is (1) expected / required, (2) Singapore as a trusted business locale.
Page: 13
Overview, Background
• Approach: lite, pragmatic, business friendly, business-only
• Similar to other law, eg: OECD, Malaysia, EU, Japan, Philippines, etc…
• Article 29 WG endorsement, soon?
Page: 14
The parties
• Organization
  • Individual, company, association or body of persons (eg: MCST)
  • Singaporean or doing business here
  • Corporate or unincorporated
  • Staffed by employees or volunteers
  • Excludes government
• Person “Individual”
  • Everyone: citizen, PR, visitor, all persons in the world
  • Living or dead, any age
  • Prior to employment
• The Commission PDPC (Government)
Page: 15
PD (personal data)
• Anything about someone. When in doubt, it’s data!
  • Eg: name, gender, address, eddress, telephone, NRIC, attendance, loyalty card info, history, photograph, family, financial info, health info, biodata, preferences, employment info, CCTV capture, whereabouts, gamertag, IP address, etc….
• Needn’t be true data, eg: aliases are PD
• Can be in paper or electronic form
• NOT business contact information (BCI)
• Discrete/obfuscated but re-identifiable / aggregatable
Page: 17
9+1 key areas:
• Organizations:
  • Consent obligation (to collect, use, disclose)
  • Purpose limitation
  • Accuracy obligation
  • Retention limitation
  • Transfer limitation
  • Protection obligation
  • Openness obligation
• Individuals:
  • ‘Not consent’ right
  • Access, correction, withdrawal rights
• +1... The DNC
  • Organization’s DNC (do not call) obligation
  • Individual’s DNC (do not call me) right
Page: 18
1. Consent obligation
• Organization must obtain consent from Individual before collect, use, disclose PD
• Concomitant with Purpose Notification
• Also ‘Deemed Consent’
• Minors by parent
• Third party consent
• Inbound datasets: due diligence
• Some exceptions, eg: in emergency, publicly-available
Page: 19
2,3. Purpose limitation
• Concomitant with Consent
• Notified
• Must be sufficiently specified
• New purpose requires new consent
Page: 20
4. Access, Correction and Withdrawal rights
• Organization must provide an Individual access to his PD
• Includes what PD was used for (and who it was disclosed to) in last 12 months
• If Individual notifies his PD is incorrect, Organization must correct it
• Organization can exclude certain data, eg:
  • Staff management data
  • Evaluative data
  • Investigation data
Page: 21
5. Accuracy obligation
• Organization must ensure its data is accurate
• Individual can request access, correction
Page: 22
6. Protection obligation
• Protection against disclosure
• Reasonable security arrangements
  • By administrative, physical, technical measures
  • Databases/XLSs, BYODs
  • Paper records
• “24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
• Extends to Data Intermediaries
Page: 23
7. Retention Limitation
• When purpose completed (or not needed for legal/business purposes), cease to retain
• Archive, “just in case”, “for our history” is not ok
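The retention limitation above is easiest to enforce when the PD inventory records, for each data set, when its purpose completed and whether any legal or business retention period still runs. The following is an added example (not from the presentation or from Pasoco) of a small retention check over a constructed inventory; the field names, the sample rows and the list of rejected justifications are assumptions made for the example, with the rejected ones taken from the slide's own wording.

```python
from datetime import date

# Constructed PD inventory rows; fields and values are assumptions for this example.
INVENTORY = [
    {"dataset": "active_customers", "purpose": "service delivery",
     "purpose_completed": None, "legal_hold_until": None, "justification": ""},
    {"dataset": "2012_promo_entries", "purpose": "run 2012 lucky draw",
     "purpose_completed": date(2012, 12, 31), "legal_hold_until": None,
     "justification": "just in case"},
    {"dataset": "2013_invoices", "purpose": "billing",
     "purpose_completed": date(2013, 12, 31), "legal_hold_until": date(2018, 12, 31),
     "justification": "statutory record keeping"},
    {"dataset": "old_event_photos", "purpose": "2011 conference marketing",
     "purpose_completed": date(2011, 6, 30), "legal_hold_until": None,
     "justification": "for our history"},
    {"dataset": "2013_support_tickets", "purpose": "resolve tickets",
     "purpose_completed": date(2013, 12, 31), "legal_hold_until": None,
     "justification": "pending audit"},
]

# Justifications the slide explicitly says are not acceptable, plus "no reason given".
NOT_A_REASON = {"just in case", "for our history", "archive", ""}


def retention_decision(row, today):
    """Classify one inventory row as of `today`:
    - purpose still ongoing: keep
    - purpose completed but a legal/business retention date still runs: keep until it
    - purpose completed and only an archive / just-in-case style reason: cease to retain
    - purpose completed with some other stated reason but no retention date: review,
      because a reason alone is not a retention period"""
    done = row["purpose_completed"]
    if done is None or done > today:
        return ("keep", "purpose ongoing")
    hold = row["legal_hold_until"]
    if hold is not None and hold >= today:
        return ("keep", "legal/business retention until " + hold.isoformat())
    if row["justification"].strip().lower() in NOT_A_REASON:
        return ("cease_to_retain", "purpose completed; no valid reason to keep")
    return ("review", "purpose completed; justification needs a retention date and DPO sign-off")


def purge_list(inventory, today):
    """Names of the data sets the organisation should cease to retain."""
    return [row["dataset"] for row in inventory
            if retention_decision(row, today)[0] == "cease_to_retain"]


if __name__ == "__main__":
    as_of = date(2014, 7, 2)  # the day the Act came fully into force, per the slides
    for row in INVENTORY:
        decision, why = retention_decision(row, as_of)
        print(f"{row['dataset']:<22} {decision:<16} {why}")
    print("cease to retain:", purge_list(INVENTORY, as_of))
```

The "review" outcome is deliberate: a data set whose purpose is over and that carries a reason but no end date is exactly the "archive, just in case" pattern in disguise, so it goes to the DPO rather than being silently kept.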
Page: 24
8. Transfer Limitation
• Transfer is about PD being sent to other countries.
  • Corporate server
  • SaaS applications
  • Googledocs, Dropbox, Skype, etc…
• Entity caring for PD must do so as well as the PDPA obligates (protection from disclosure).
Page: 25
9. Openness Obligation
• “Organisations are required to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA and to make information about their data protection policies and practices available”.
• Appoint a DPO (data protection officer)
  • BCI readily available
  • Committee
Page: 26
10. Do Not Call (DNC)
• In-force since Jan 2014
• Higher level of consent required (explicit)
• Contact via phone, text (SMS, Whatsapp, etc), fax –anything based on phone number
• Searchable, ie: check if number is registered, if not can call
• Excludes email
Page: 28
Existing Data
• Existing PD = collected before 2 July 2014
  • If collected after, it’s new PD
• Collect: PDPA rules apply to new data
• Use:
  • Existing PD – can be used for “reasonable existing uses”
  • New – Consent required
• Disclose: PDPA applies to ALL data
• Access & Correction, Care: PDPA applies to ALL data
Page: 29
Publicly available data
• Using reasonable means
• Publicly available at collection… so if made private later it’s still ‘public’
• Data not intended to be made public
• Special considerations for photo/videography
• Eg: Facebook closed group that readily allows joiners
Page: 30
“Reasonable”
• Used 31 times in the Act!
  • 3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
  • (2) An organisation shall not (a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or…
• Subjective / Advisory Guidelines
Page: 31
Data Intermediaries
• An entity an Organization discloses PD to
  • “an [3rd party] organisation which processes personal data on behalf of another organisation…;”
• Closely related to Transfer Limitation
  • The Organization is responsible for the DI to meet PDPA requirements
  • For example:
    • Social Networks, Cloud computing systems, Ecommerce tools, SaaS applications, Content Delivery Networks, Payment gateway, CRM systems
    • Outsourced services: Recruitment, Payroll, Accounting, taxation, Market research, Warranty, Logistics, Billing, Event management
Page: 32
Transfer limitation
• Out of Singapore
• Requires contractual safeguards
• Required legal & technical diligence
  • Is other country’s PDP regime sufficient?
  • Is other party’s PDP policy/procedures sufficient?
• Some cloud-based SaaS apps claim PDPA compliance
• AWS, Azure, Google, Salesforce not explicit
Page: 33
Cookies
• PDPA not as strong as the EU’s Cookie Law (Consent required for Cookie use/storage)
• Cookies collecting (storing) data require Consent
  • Can be part of a Privacy Statement that is agreed to
  • Deemed, eg: form filling, session cookie
  • Not given when Cookies blocked. Eg: Persistent / 3rd Party Cookies
• Just because the user doesn’t block Cookies doesn’t mean they Consent!
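The distinction on this slide between a session cookie (deemed consent, needed to deliver the page) and persistent or third-party cookies (explicit consent needed, and "not blocked" is not consent) can be enforced at the point where a server emits Set-Cookie headers. The following is an added example (not code from the presentation or from Pasoco) using only Python's standard library; the cookie names, their purpose categories, the `pdpa_consent` cookie written by a consent banner, and the placeholder values are all assumptions for the example.

```python
from http.cookies import SimpleCookie

# Cookie categories for this example (names and purposes are assumptions).
# The session cookie is needed to deliver the page and is treated as deemed
# consent; the persistent analytics and third-party advertising cookies are not.
COOKIE_POLICY = {
    "sessionid":    {"purpose": "session",     "max_age": None},
    "analytics_id": {"purpose": "analytics",   "max_age": 365 * 24 * 3600},
    "ad_partner":   {"purpose": "advertising", "max_age": 90 * 24 * 3600},
}

CONSENT_COOKIE = "pdpa_consent"  # assumed name of the cookie a consent banner sets


def parse_consent(cookie_header: str) -> set:
    """Read the purposes the visitor explicitly agreed to from the request's
    Cookie header (value format assumed: purposes joined by '+').
    No consent cookie means no consent: a visitor who merely has not blocked
    cookies has not agreed to anything."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == CONSENT_COOKIE and value:
            return {p for p in value.split("+") if p}
    return set()


def set_cookie_headers(values: dict, consented: set) -> list:
    """Return Set-Cookie header values for only the cookies the visitor may be
    given: the session cookie always (deemed consent), every other cookie only
    when its purpose is in the consented set. Hardening attributes go on all."""
    headers = []
    for name, value in values.items():
        policy = COOKIE_POLICY[name]
        if policy["purpose"] != "session" and policy["purpose"] not in consented:
            continue  # no explicit consent recorded for this purpose: do not set it
        jar = SimpleCookie()
        jar[name] = value
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Lax"
        if policy["max_age"] is not None:
            jar[name]["max-age"] = policy["max_age"]  # persistent only with consent
        headers.append(jar[name].OutputString())
    return headers


def respond(cookie_header: str) -> list:
    """One request's worth of glue; the cookie values are constructed placeholders."""
    wanted = {"sessionid": "s3ss10n", "analytics_id": "an-0001", "ad_partner": "ad-0001"}
    return set_cookie_headers(wanted, parse_consent(cookie_header))


if __name__ == "__main__":
    for hdr in ("", "pdpa_consent=analytics", "pdpa_consent=analytics+advertising"):
        print(repr(hdr), "->", respond(hdr))
```

With no consent cookie the response carries only the session cookie; consenting to analytics adds the persistent analytics cookie and nothing else. The consent record itself would normally also be kept server-side so it can be produced if an Individual later asks what was collected and why.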
Page: 34
Encryption, Anonymization
• Encrypted (or tokenized) data still protected even if breached (unless keys/tokens also breached)
  • Some of the most egregious breaches were unencrypted passwords
• Encryption on-the-wire or just in database?
• Anonymization keeps data in the clear but sterilized
  • Useful for analytics
  • Primary purpose irrelevant, since has no useful PD
  • Be careful of reconstitution
• PDPC’s recommendation for NRIC: S0XXXX45A
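The masking pattern quoted on this slide, the "tokenized data is still protected unless the key is also breached" point, and the reconstitution warning can be shown together in a few lines. The following is an added example (not code from the presentation or from Pasoco): it masks an NRIC-shaped value the way the slide's S0XXXX45A example does, counts how many candidates a masked value still matches, and builds a pseudonymised analytics copy of some constructed records with a keyed hash (HMAC-SHA256). The sample records, the key, and the choice of which positions to keep (read off the slide's example, not from the PDPC text itself) are assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real people); field names are assumptions.
SAMPLE_RECORDS = [
    {"nric": "S0123445A", "postal_district": "09", "spend_sgd": 120},
    {"nric": "T9876542Z", "postal_district": "18", "spend_sgd": 45},
    {"nric": "S0123445A", "postal_district": "09", "spend_sgd": 60},
]

NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$")


def mask_nric(nric: str) -> str:
    """Mask an NRIC the way the slide's PDPC example shows (S0XXXX45A):
    keep the first two and the last three characters, blank the middle four.
    Which positions to keep is read off that example; confirm against the
    current PDPC guidance before adopting the pattern."""
    if not NRIC_RE.match(nric):
        raise ValueError("not an NRIC-shaped value")
    return nric[:2] + "XXXX" + nric[6:]


def reconstitution_space(masked: str) -> int:
    """How many candidate values a masked NRIC still matches: each X hides one
    digit, so four X's leave 10**4 possibilities before any checksum rule
    narrows them further. This is the slide's reconstitution warning in
    numbers: a partial mask reduces exposure but is not anonymisation."""
    return 10 ** masked.count("X")


def pseudonymise(nric: str, key: bytes) -> str:
    """Tokenise an identifier with a keyed hash (HMAC-SHA256). The token is
    stable for the same input and key, so records about one person can still
    be joined for analytics, but it cannot be recomputed or reversed without
    the key, which must live outside the data set (a breach of the data
    alone then yields no usable PD)."""
    return hmac.new(key, nric.encode("ascii"), hashlib.sha256).hexdigest()


def analytics_view(records, key: bytes):
    """Build the analytics copy: the NRIC is replaced by a pseudonym plus a
    masked display form, so the copy carries no usable PD while counts and
    sums per person still work."""
    view = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "nric"}
        row["subject"] = pseudonymise(rec["nric"], key)
        row["display_id"] = mask_nric(rec["nric"])
        view.append(row)
    return view


def spend_per_subject(view):
    """Aggregate over the pseudonymised view: the analytics use case."""
    totals = {}
    for row in view:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["spend_sgd"]
    return totals


if __name__ == "__main__":
    key = b"demo-key-kept-out-of-the-dataset"  # constructed; use a managed secret in practice
    view = analytics_view(SAMPLE_RECORDS, key)
    for row in view:
        print(row["display_id"], row["subject"][:12] + "...", row["spend_sgd"])
    print("candidates behind the mask:", reconstitution_space(view[0]["display_id"]))
    print(spend_per_subject(view))
```

Two records for the same person collapse to one token, so the analytics question ("spend per customer") is still answerable, while the masked display form answers the slide's "encrypted or just in the database?" question in the negative for this copy: nothing recoverable is stored at all.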
Page: 44
Change management
• Policy and procedure… but deeply rooted in culture and behaviour
• Levers: law, impacts, “do unto others…”
• Primes in departments, eg: cascaded DPO
• Data stewards, Data custodians
Page: 45
Data Steward
• Responsible for lifecycle
• Understanding governance policy, legal frameworks, 3rd party contracts
• Assigning data classification
• Assigning Data Custodian
• Approving standards and procedures related to day-to-day administrative and operational management
• Determining access criteria
• Oversight of Data Custodians
• Approving how data is stored, processed and transmitted
• Approving Data Intermediaries
• Defining risk tolerance and accepting or rejecting risk
Page: 46
Data Custodian
• Responsible for specific parts of lifecycle
• Documenting & reporting on day-to-day administrative and operational management
• Implementing appropriate physical and technical safeguards
• Provisioning and deprovisioning access
• Understanding how data is stored, processed and transmitted
• Oversight of Data Intermediaries
• Understanding & reporting risk
Page: 48
To IT in general:
• Privacy (Law) is about governance and use, eg: policy & rules re collect/not, consent, retention, handling requests, etc...
• IT Security (Good practice) is about protection. Part of Data Privacy. Eg: the PDPA has one section on ‘protection’.
• Can have high security and no privacy.
  • Must think not in tech terms but in behavior/people terms, individuals' rights, organizations' responsibilities.
  • Security normally about IT systems, digital data. Privacy covers paper also.
  • A good privacy team needs CISSP, CISM, CISA, etc
Page: 49
To Product managers & devs:
• Privacy by Design, www.privacybydesign.ca
• Similar to Microsoft’s TWC initiative
• 7 Foundational Principles
  • Proactive not Reactive; Preventative not Remedial: Anticipate and prevent
  • Privacy as the Default Setting
  • Privacy Embedded into Design: Core not add-on
  • Full Functionality: privacy AND security, not privacy OR security
  • End-to-End Security: Full Lifecycle Protection
  • Visibility and Transparency: verifiable, audited
  • Respect for User Privacy: Keep it User-Centric
Page: 51
To Big Data:
• Big data’s treasure is in correlation, secondary use
• Consent is for primary use
• Obfuscation / anonymization important
  • Case: Netflix Prize’s data + IMDB ratings
  • Case: Massachusetts GIC + voter rolls
• 3rd party sources vetted?
• Growing push for ‘forward thinking’ PDP
  • Less focus on notice and choice, regulate use
  • Assessments of risks and harms
  • Oversight of user (Organization)
  • Ref Viktor Mayer-Schönberger, Oxford
Page: 52
To CIO:
• Risk of BYOD/CYOD
• Risk of BYOA
• MDM and group policy are required, kill switch
Page: 53
To PMs – managing projects
• DPO is a stakeholder
• Starting stage: GRC business processes
• Implementation stage:
  • Collect less PD
  • PDPA applies: Consent required for CUD, etc…
  • Staff candidate data is PD and/or Evaluative
• Closing stage: cleansing, anonymizing, destroying
Page: 54
To PMs – PDP is the project
• It’s a GRC program
  • Multiple projects, eg: risk evaluation, training material development
  • Change management
• Multiple parties:
  • IT
  • HR, HRD
  • Procurement
  • Business operations
  • Legal
  • Custcare
• Insurance
Page: 56
1. Governance
• Policy & Procedure
• Establish the DPO
• Complaint handling, whistleblower
• Audit powers
• Measurement
• Sectorial legislation
• Data Stewards, Data Custodians
Page: 57
2. Audit / inventory
• Who holds what PD?
• Why collected? Purpose
• How used? Consistent with Purpose?
• Protection, storage
• Sharing, transfer
Page: 58
3. Gap assessment
• Staff awareness
• Purpose notification
• Data intermediaries & Transfer
• Access and Correction
• Protection
• Retention and/or disposal
Page: 59
4. Staff / people
• Change of culture?
• Policies & Procedures
• Awareness & communications
• Training & support
• Workplace contracts, eg: Consent, background checks, NDA, discipline, rights to inspect
• Monitor, Audit & Report
Page: 61
PDPC documents
• The Act (statutes online)
• Advisory Guidelines www.pdpc.gov
  • Key Concepts
  • Sectorial advice
    • Telecoms
    • Real estate
    • VWO
    • Healthcare
    • Education
    • Professional Photography
Page: 65
You as an Individual
• Register on DNC
• Who has (had) my PD?
  • Why? (Purpose limitation)
  • Do I want them to have it? Withdraw it!
  • What key do they use? My NRIC?
  • NRIC copy? Address or everything?
• My business card is BCI not PD
  • Even if it has PD on it, eg: Skypename
  • Unless it’s obviously not
  • Unless it’s collected at a business function
• Children & cyber-stalking/bullying
  • Social networks, pleaserobme
Page: 66
Future of PDP
• Poster boy culprits
• Insurance
• Harmonization of law
• Move to regulate use
Page: 67
Final thoughts
• Thank you Sing.gov & IDA
• “You have zero privacy anyway. Get over it.”
• Privacy assists security of our nation