Submitted by Anonymous on Mon, 05/19/2014 - 04:07 The Straits TimesPublished on Mar 15, 2015
Firms throw out documents with personal data without shredding
By Grace Chng Senior Corresondent
Personal information is still being improperly collected, used and disposed of, even though there is a
new law to protect personal data. Seventy organisations especially
those in retail, healthcare and property are under investigation
following complaints that they used email addresses and other personal information for marketing
purposes or collected identity card and other personal details without prior consent.
If found guilty under the Personal Data Protection Act, which came into effect last July, they can be
fined up to $1 million. Another 70 complaints against retailers, property companies and various other organisations were
resolved after the authorities brought together the parties and complainants to discuss the matter.
The Personal Data Protection Commission (PDPC) which enforces the Act said no financial penalties
were imposed in the cases resolved. The investigations were conducted under the Act which has two pillars: the Do Not Call (DNC) Registry
and personal data protection.
Much of the initial attention was focused on the DNC Registry which was implemented in January last
year and lets people opt out of having telemarketing messages sent to their mobile phones.
The personal data protection part of the Act makes it necessary for organisations to take measures to
protect names, IC and passport numbers, addresses and other personal data in their possession.
This is to prevent the unauthorised collection, use and disclosure of such information.
That means these organisations must ensure that such information is properly disposed of as well.
But a recent check by The Sunday Times in the Raffles Place area found that documents containing
personal information are still being thrown out in the trash from offices in highrise
Among other things, The Sunday Times found photocopies of passports, resumes of various
professionals and details of commissions paid to property agents.
Most of the documents had the names and logos of local and foreign banks and other companies, and
they included reports on industrial projects in Japan and Indonesia and project progress reports.
All were marked confidential or strictly confidential.
There were also printouts of email with addresses, names and telephone numbers. The documents
were dated from 2013 to this year. Access to the rubbish bins was easy. One karung guni man, who was seen sorting out the documents
into neat piles, said he would sell them to recycling companies. Corporate information does not come under the purview of the commission, which is concerned only
with personal data protection. When told of The Sunday Times' findings, PDPC chairman Leong Keng Thai said he was very concerned.
"Organisations are strongly advised to put in place processes to ensure the proper disposal of
documents containing personal data," he said. The commission has helped to raise awareness of the requirements of the new law by working with
industry groups to run briefings, workshops and seminars. So far, more than 18,000 people from over 3,400 organisations have attended these events.
Another 7,500 people have attended workskills qualification courses or accessed elearning courses
on the Act's requirements. In May, the commission will conduct a personal data protection seminar, called Securing Personal Data
for a Competitive Edge, aimed at organisations and companies. Guidelines on ways to keep personal data secure and manage data breaches will be issued later this
year. Sample templates will be provided for organisations to seek consent from individuals for the collection, use or disclosure of their personal data.
Experts on personal data protection say many organisations think their job is done when they appoint a
data protection officer as required by the law. Lawyer Toh See Kiat, who has consulted for companies, charities and educational institutions on the
Act, said legal compliance is only the first step. "You need to have the tools and systems running properly in the background so that this new personal
data protection policy becomes the new organisational culture," he said. "Then, and only then, is it sustainable."
Organisations have also not gone to the root of privacy breaches. Instead, they continue to have "a deepset
resistance to changing the ways they have been collecting, using, storing and processing data", he added.
Mr Kevin Shepherdson, cofounder of personal data protection specialist Straits Interactive which
provides training in compliance with the Act, said many organisations comply with the law by having data protection officers, for example.
However, these organisations do not know how to implement the Act in daily operations.
"They have to understand the data workflow, how personal data is collected, used, disclosed and then
destroyed," said Mr Shepherdson.
Documents for disposal, for example, should be shredded and not tossed out with the rubbish, he said.
Mr Neil Percy, vicepresident of market development of document destruction firm Shredit,
said that while many companies shred documents on their premises using their own shredding machines, the
documents for disposal are not kept securely. Instead, they are sometimes left next to the shredder or piled on desks, accessible to any passerby,
including those not authorised to view their contents.
Shredding should be done by someone authorised to see the information, he added.
PDPC's Mr Leong stressed that keeping personal data is a responsibility and may, in some cases,
become a liability.
"If they don't need the information, they should dispose of it properly."
Copyright © 2015 Singapore Press Holdings