High profile data breaches seemed to be in the spotlight in the past week. On 15 Sep 2014, M1 had to abruptly suspend the iPhone 6 online pre-order after a customer managed to gain access to forms containing personal data of other customers. One day later, on a separate unrelated incident, hackers breached the database of popular karaoke company K-box, and published more than 317,000 customers’ personal details containing the mobile numbers, identification card numbers and addresses for online download.
Reputational embarrassment notwithstanding, both companies are now answerable to the Personal Data Protection Commission (PDPC) for possible non-compliance to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). They could be fined up to S$ 1 million by the PDPC.
Since money changers collect personal data in compliance with MAS Notice 3001, the purpose of this blog is to highlight some of the key regulations in the PDPA which money changers need to be aware of.
What is PDPA?
PDPA is not just about preventing unsolicited calls or SMS from being sent to individuals. The PDPA is a data protection law governing the collection, use, disclosure and care of personal data collected by relevant organizations during the course of their business. In this respect, personal data refers to any data (digital or otherwise), whether true or not, about an individual who can be identified from that data. More details on the PDPA can be found here.
How are Money Changers affected?
As part of Customer Due Diligence (CDD) required by MAS Notice 3001, money changers are to collect customers’ and beneficiaries’ identification details (minimally name, unique identification number, date of birth, address and nationality) for all relevant business transactions. In addition, copies of the identification documents are to be retained. If the customer is a company, details of the directors of the company are to be recorded. These records are deemed personal data under the PDPA, and hence governed by the Act for the use, disclosure and care of these personal data by the money changers. Furthermore, MAS Notice 3001 requires money changers to keep such records for at least 5 years after the transaction.
Compliance, Policies and Practices
Section 12 of the PDPA requires that organizations develop and implement policies and processes to meet the organizations’ obligations under this Act. Such policies and processes shall also address possible queries or complaints that may arise from the use of personal data. A person has to be appointed, with business contact information publicly provided, to answer any personal data protection policies and practices. For money changers, whether you are a one-man shop or a currency notes wholesaler, having such policies in place are good for the business as it gives confidence to the customers that the business is serious in protecting their personal data.
Section 24 of PDPA requires organizations in possession of personal data to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use or similar risks.
From data security perspective, this requires that the organization ensures that the data is secured when it is physically stored (data at rest), when it is being moved (data in transit) and when it is being processed (data in use).
Data at rest
For money changers, once the customers’ personal details are recorded, it is important that these are securely stored. In paper form, the bare minimum is to have a locked cabinet. In digital form, this means that industry standard encryption or equivalent is used to protect the personal data in its original form, and equally important (but often neglected) its backup copies.
Data in transit
If the customers’ personal details are recorded on paper within the money changer’s premise, this is usually less of an issue, since the paper records are physically moved. Some common sense approaches (like keeping a register of document movement) in handling documents should be in place to keep track of the document movement. In digital form, data in transit is relatively more complex. At the minimum, the money changer should implement industry standard technologies (like SSL or PGP) to secure the network channel between the source and destination endpoints, even within the money changer premise. If the money changer’s premise is networked with wireless network, special care should be taken to encrypt the data transmission. Beyond the money changer’s network, all transmission of personal data (e.g. when submitting Suspicious Transaction Report) should be encrypted (including when sending through the email).
Data in use
In paper form, once the details of customers are recorded, the data is seldom used for processing since it is just not efficient manually. In digital form, customer details may be retrieved for processing, for instance, for Anti-Money Laundering/ Counter Terrorism Financing (AML/CFT) purposes. In this regard, the money changers have to ensure that only authenticated and authorised staff is able to access the customers’ personal data. For AML/ CFT purposes, if third party vendors are involved, the money changers have to ensure that these vendors comply with PDPA as “data intermediaries”.
Section 25 of the PDPA requires that an organization shall not keep personal data longer than necessary for business and legal purposes. For money changers, this means a period of at least 5 years or longer (if the records are needed by the authorities for investigation). In paper form, not keeping a customers’ personal data is just a matter of shredding the paper information (and its photo-copies). In digital form, this is more challenging, since the data may leave many footprints during its life. These include the data stored in the source disks, the backups (or mirrored disks), the synchronized copies (for remote data), and in emails (if it had been transmitted in emails).
PDPA came into force on 2 Jul 2014. Over time, more and more consumers will be aware of their rights with regards to personal data. It is imperative that money changers equip themselves with the systems, processes and knowledge to handle personal data securely and in compliance with both MAS Notice 3001 and PDPA. Some of the planned actions that money changers should take now are:
a. Establish policies and practices with regards to the use and protection of personal data.
b. Educate employees and vendors of the policies and practices.
c. Conduct audits on existing IT systems on personal data storage, data transfer and data processing.
d. Ensure that computers for personal use are not used to collect or store customers’ personal data, and preferably not be connected the internet.
Ingenique Solutions’ MoneyConnect point of sales system is designed with industry standard security for data in storage, data in transit and data in use, which is in compliance with the PDPA.
With our experience, we can also provide consulting services to assist you meet the requirements of PDPA