Your Right To Knowledge for Personal Data Protection & Destruction
7 numbers and 2 letters – this simple series of characters defines you and is all it takes to rob someone of their identity. With International Right to Know Day just around the corner, we are reminded of our entitlements, as democratic citizens, to know what others know about us. Originating in Bulgaria in 2002 and held every year on 28th September since then, International Right to Know Day (IRTKD) celebrates the importance of openness and accountability in democratic governance and promotes individuals’ right to access information held by public bodies. Today, IRTKD is celebrated by over 60 countries around the world and has the support of the World Bank.
We need to exercise our right to knowledge
The truth is that we give away our personal data very often, usually without thinking about what happens to it. But do we ever stop and think about what an organisation does with the personal information we provided, for example, through a job application? Do we freely give away our NRIC number in exchange for basic services like free Wi-Fi access over public networks? How do we really know if organisations are taking good care of the personal data we provide to them? Do we consider that when our precious information is mismanaged, we are subjected to great risk and inconvenience, such as identity theft?
Although IRTKD is not widely celebrated in Singapore, we are protected by the Personal Data Protection Act (PDPA) and reminded that we need to exercise our right to knowledge. We should know where our data goes, how it is handled, where it is stored and how it is shared. We have the right to question why organisations require our information in the first place. According to the PDPA, if an organisation doesn’t need our information to provide its service, it shouldn’t be asking for it and we have a right to refuse to share it.
Responsibility of Organisation to Secure & Protect our Personal Data
As an organisation, what are you doing to protect your customers’ personal data? Do you have guidelines, processes and procedures on how data can be used? If not, you might be in breach of the PDPA. For instance, you might unknowingly be using personal information for purposes that individuals did not consent to.
Guidelines laid out by the Personal Data Protection Commission (PDPC) state that individuals have full autonomy over consent to the collection, use and disclosure of their personal data. Organisations, in turn, are obliged to seek individual consent by:
- Considering whether it is necessary to request personal data
- Notifying customers of the purpose of collecting, using and disclosing personal data
- Explicitly seeking individual consent
- Allowing consent withdrawal from individuals at any point in time
Organisations should take their role seriously and protect their customers’ personal data at all costs in order to prevent a data breach from happening. Non-compliance with PDPC regulations can result in a fine of up to S$1 million.
Preventative measures can include the adoption of a Shred-it All Policy to destroy any data no longer required for legal or business purposes. This reduces the amount of data that the organisation stores and minimises the chances of a data breach occurring, thereby protecting the organisation and customers at the same time.
In addition, adopting daily data protection practices, such as implementing a Clean Desk Policy, can reduce the chance of a data breach. A Clean Desk Policy essentially mandates keeping a clean and clear desk and encourages employees to store all sensitive data securely, out of sight and under lock and key.
Start Protecting Your Business
Learn more about how Shred-it can safeguard your unwanted documents and hard drives by contacting us for a free quote and security risk assessment.