Three Data Protection Tips for Organisations during a Pandemic - Case Study from Singapore
By Loke Qian Li, FIP, CIPM, CIPP/A, GRCP
The novel coronavirus, or COVID-19, has been receiving global attention, and consumers and investors have reacted by making more conservative adjustments to their lifestyles. In turn, this has had a significant impact on organisations across industries.
Hence, it is crucial for organisations to have measures in place to protect against further negative impacts, such as a regulatory fine, remediation costs, loss of reputation and additional strains on manpower and financial resources to handle or cooperate with investigations.
This article highlights THREE Data Protection Tips for organisations during a pandemic.
#1 Keep up to date with Regulatory Advisories
The Singapore Personal Data Protection Commission (PDPC) was swift to react and issued an updated advisory on the collection of NRIC numbers (Singapore National Registration Identity Card) for contact tracing purposes pertaining to COVID-19. For more information, refer to this link. In fact, you can find a templated notice in the same link as well to inform visitors to your office that personal data will be collected during the outbreak of COVID-19 for contact tracing purposes.
From my experience, I have come across individuals offering misguided or outdated advice and organisations that simply copy what others have done that may also be misguided or outdated. For example, it is not uncommon for organisations to seek consent to collect, use and disclose personal data for contact tracing purposes, even though the PDPC has said that it is not required. The problem? Consent given can be withdrawn.
Hence, I urge everyone to always check the source for such information, and if in doubt, refer to the PDPC’s website for the most accurate and updated situation.
In doing so, you will be well equipped to respond to related enquiries and instill greater confidence in your customers, staff and partners.
#2 Train your staff to identify and respond to scams
A time of panic always seems to bring an opportunity for scammers to pounce. In Singapore, the PDPC has warned of scammers impersonating Ministry of Health (MOH) officers to request financial information from individuals. There may also be scammers capitalising on the goodwill of individuals looking to offer aid, such as donations or offering their services as a volunteer. They might, for example, send phishing emails to corporate accounts or to target individuals and ask that they forward the phishing emails to their colleagues and friends, thus introducing malware into IT systems.
Therefore, organisations should consider communicating such risks to their staff and review with their IT department or vendor if the current IT security measures are sufficient.
I would like to highlight that in the case of corporate emails being compromised due to such phishing emails, the eventual damage can be massive - it could lead to a compromise of the organisation’s internal servers and hence compromise the organisation’s entire IT system.
#3 Use technology to respond to new requirements
One of the measures adopted by organisations in the wake of COVID-19 is to record visitor information via registration forms at the entrances.
I spoke with several officers tasked to oversee this, and observed that there are several consequential personal data risks. They range from the security of storing these physical forms, to deleting the data when it is no longer required - especially since the NRIC number may be collected in these forms - to ensuring these data are not used for other purposes when handed over to another department.
In addition, there may be health risks: an officer told me she would rub her hands with sanitiser gel as she was worried there would be droplets on the pen and even the registration form itself. Putting aside any debate over whether the officer was over-reacting, a quick fix to this would be to adopt QR code-empowered registration forms for more efficient lifecycle management. Another benefit of doing so would be to eliminate the use of logbooks and the risk of disclosing personal data to visitors when asking them to fill in the logbooks. Organisations that are not sure how to execute this can source QR code generators online from reputable sources, which are very affordable or even free.
External influences such as a pandemic may have a low chance of occurring, but due to their large impact, should be sufficiently reviewed and have the corresponding drawer plans put in place.
The tips and measures highlighted in this article are not particularly difficult, but instead require discipline and preparedness. They also highlight the need for a Data Protection Management Programme that is managed by an operational Data Protection Committee and led by a Data Protection Officer. Organisations that fulfil the above conditions are more likely to react fastest to recover from the personal data effects of the pandemic.
I urge everyone to stay calm, stay safe from the virus, and stay protected against opportunists who may look to exploit you in this vulnerable moment.