Complying with the Singapore Personal Data Protection Act
A Practical Guide March 2014
1 | Page Complying with the Singapore Personal Data Protection Act - A Practical Guide - March 2014
Synopsis
The Singapore Personal Data Protection Act (PDPA), effective January 2013, obliges organizations to take on specific responsibilities regarding the protection of personal information. These responsibilities concern the collection, accuracy, protection and disclosure of personal information and can significantly affect an organization’s handling of personal information and data. This white paper outlines the data protection requirements under the PDPA, and provides information on available solutions to address the requirements, with a focus on Microsoft-specific security and privacy technologies. We also discuss several process-driven and technology-enabled approaches that emphasize the importance of IT management in supporting organizations to comply with their PDPA obligations.
The views discussed in this white paper are jointly presented by Protiviti and Microsoft. The focus is on management awareness, roles and responsibilities, data mapping, data flow, personal data management processes, and risk assessment and analysis to implement an organization’s compliance program. We will present a Microsoft data governance and access control framework that includes five key elements for the management and protection of personal data: Secure Infrastructure; Identity and Access Control; Data Encryption; Document Protection; and Auditing and Reporting. For each of these five elements, we discuss appropriate tools and technologies developed by Microsoft and applicable to Microsoft systems.
We conclude by encouraging organizations seeking to comply with the PDPA to engage their IT departments actively in the process and to partner with external experts where applicable to develop a process that would address the risks inherent in compliance-related implementation. Organizations should also deploy relevant tools, technologies, and products to automate control over private information as much as possible and ensure organization-wide consistency in how personal information is handled and managed.
Disclaimer
All rights, products, company names, brand names, trademarks and logos are the property of their respective owners. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any product. You may copy and use this document for your internal, reference purposes.
Overview
The nature of technology today allows for an increasing volume of personal data to be captured, stored, and processed with great ease. The wide availability of personal information – whether employee, visitor, customer or contractor – provides opportunities for companies to increase productivity and improve their marketing. At the same time, the advancement of technology also calls for greater responsibility in managing and protecting personal information.
The enactment of the PDPA in January 2013 tasks organizations that process personal data with new responsibilities for protecting personal information. Because of the technology-driven nature of businesses, IT management will be required to play an important role and support the efforts by organizations to meet their obligations under the PDPA.
The PDPA governs the consent, purpose, reasonableness of collection, use, disclosure and care of individuals’ personal data by organizations. Figure 1 summarizes both the data protection and the Do-Not-Call (DNC) provisions of the PDPA. The DNC provisions have been in force since January 2014, and the deadline for complying with the data protection provisions is July 2, 2014.
Figure 1: The Data Protection and DNC Provisions of PDPA
Data Protection Provisions – Nine Obligations
Figure 2 below outlines the PDPA’s nine obligations for organizations that own and process personal data. The obligations apply to data stored in both electronic and physical forms.
Figure 2: The Nine Obligations of PDPA
Impact of PDPA on Organizations
Complying with the PDPA is a legal requirement for organizations. In January 2013, the Personal Data Protection Commission (PDPC) was set up to administer and enforce the PDPA. Apart from undertaking promotional and outreach activities, the PDPC is empowered to conduct investigations – upon complaint or of its own accord – to establish whether an organization is complying with all nine PDPA obligations.
If the PDPC finds that an organization is in breach of any of the data protection provisions of the PDPA, it can direct the organization to rectify the breach with a specific action such as ceasing to collect, correcting, or removing the affected personal data, and it can also impose a financial penalty on the organization of up to S$1 million. Any person found to have violated the provisions, knowingly or otherwise, may be subject to a fine not exceeding S$5,000 or to imprisonment for up to 12 months or both.
If the breach consists of authorizing sales and marketing messages to individuals on the Singapore Do Not Call registry, in the form of voice calls, text or fax, the organization can be found to have contravened the DNC (Do Not Call) provisions of the PDPA and can be liable, upon conviction, for fines of up to S$10,000 for each offense.
How IT Management Can Support the PDPA Obligations
Some organizations may act quickly to address personal data protection at the operational level but have a limited idea of how to engage with IT management to meet the PDPA obligations. IT management needs to engage with and support the data protection officer (DPO) and business users in achieving, maintaining and monitoring PDPA compliance.
To do so, IT management first needs to understand the key data protection program milestones and devise the correct engagement strategy. The following sections discuss these milestones in detail.
Milestone 1: Management Awareness and Support for Data Protection
Leading practices for Personal Data Protection (PDP) programs begin with an awareness session for the organization’s senior management. Once awareness is created, management should decide on the roles and responsibilities of the DPO necessary to support the organization in its compliance with the PDPA. The DPO may establish a task force to enable effective execution of the PDP program. For the program to be successful, it is imperative that IT management be involved as a member of this task force.
Milestone 2: Identify Different Roles and Responsibilities in Data Protection
IT management should understand the roles and responsibilities of the various parties in the task force. Table 1 below suggests how IT could involve the various roles and responsibilities for data protection. Microsoft has developed a technology framework for data governance and access control which provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five key elements are: Secure Infrastructure, Identity and Access Control, Data Encryption, Document Protection, Auditing and Reporting. These elements will be further explained in the later sections of this paper. The data protection roles and responsibilities to be considered for each of the five key elements in this framework are presented in Table 1 below.
The roles and responsibilities are assigned following these definitions:
Responsible – Party responsible for performing the process
Accountable – Party accountable and contactable regarding the decision and process effectiveness
Contributing (or Consulted) – Party providing information and/or advice needed to make the process successful
Informed – Party concerned with or dependent upon the information that is managed by this process
Table 1: The Data Protection Roles & Responsibilities Mapping to the Microsoft Technology Framework
For each data protection role, the table gives its responsibilities and the assignment (R, A, C or I as defined above; "-" means none) under each of the five elements of the Microsoft Technology Framework for Data Governance and Access Control: Secure Infrastructure; Identity and Access Control; Data Encryption; Document Protection; Auditing and Reporting.

Management and Sponsor – Refers to an organization's management (person or team) that is accountable to comply with the PDPA obligations over personal data.
Secure Infrastructure: A; Identity and Access Control: A; Data Encryption: A; Document Protection: A; Auditing and Reporting: A

Data Protection Officer – A Data Protection Officer is an individual or individuals responsible for ensuring that the organization complies with the PDPA, including the implementation of personal data protection policies within the organization. The business contact information of at least one DPO should be made available to the public. Compliance with the PDPA remains the responsibility of the organization's management.
Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: C; Document Protection: I; Auditing and Reporting: R

Data Controller – A Data Controller is the person who determines (alone or jointly with others) the purpose and manner in which any personal data is, or is going to be, processed.
Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: I; Document Protection: R; Auditing and Reporting: I

Data Processor – A Data Processor, in relation to personal data, is any person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.
Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: R; Document Protection: R; Auditing and Reporting: I

Data Subject – A Data Subject is an individual whose personal data is in the control of the organization.
Secure Infrastructure: -; Identity and Access Control: -; Data Encryption: I; Document Protection: I; Auditing and Reporting: I

Data Intermediary – A Data Intermediary is a person or persons who may be contracted to use or process personal data on behalf of the organization. A Data Intermediary is any person/organization other than the Data Subject, the Data Controller, Data Processor or any other person authorized to use and/or process data for the Data Controller or Processor.
Secure Infrastructure: I; Identity and Access Control: R; Data Encryption: R; Document Protection: R; Auditing and Reporting: I
Milestone 3: Complete Personal Data Inventory Map and Data Flow Diagrams
After understanding the roles and responsibilities of the different parties involved in data protection, the next step is to create a personal data inventory map. The data inventory map includes possible record classifications and record types organized by business function. The DPO will work with the respective data controllers to determine which record types are in-scope for PDPA purposes and should be included in the company’s PDP program. IT management should be instrumental in defining and completing the data inventory map. IT should work with the DPO and other task force members to develop an in-depth understanding of the organization’s personal data and corresponding application architecture.
A personal data inventory map may include the attributes highlighted in Table 2:
Table 2: Personal Data Inventory Map Attributes
Data Inventory Attribute – Description
Record Class – Record Class classifies data by business function. ADM (Administration), HUM (Human Resource), and FIN (Finance) are possible examples of Record Classes.
Record Class Name – A Record Class Name indicates the specific information type that belongs to the record class. For example, the record class ADM would have a record class name “Internal Services” that could be described as: “Records related to internal support provided to the organization’s personnel, including services and products. Also includes records related to the procurement of travel services, transportation, and lodging. These records document the extent and purpose of travel undertaken by employees on Company business, and include trip itineraries and copies of tickets.”
Content Type – The Content Type provides the specific document name or attributes. The record class name “Internal Services” may include:
Transport Ticket Copies
Travel Itineraries
Traveler Profiles
PDPA In-Scope (Y/N) – A content type is either PDPA in-scope or not in-scope. The Data Controller determines this.
The data inventory map could be further customized for those records indicated as PDPA in-scope. For instance, the DPO and Data Controller could identify and document the associated purpose, policies, guidelines, and even retention requirements for each of the PDPA in-scope records.
Leading practices in the area of data protection also recommend the use of a data flow diagram for each of the PDPA in-scope content types. Data flow diagrams give DPOs and the data controller better visibility of the personal data source, points of collection, the data owners, controllers and processors, as well as how the data is kept and secured on which IT server/application. A sample data flow diagram may involve the details presented in Figure 3. Similar tools and references are available to Protiviti KnowledgeLeader® subscribers.
Figure 3: Sample Personal Data Flow Diagram
Upon understanding the data inventory map and data flow diagram, IT management could assist the DPO and data controller to classify personal data that resides in the identified IT servers and applications. The five elements of the Microsoft technology framework for data governance and access control presented in this paper could be considered for each of the IT servers and applications identified.
IT management could draw on established IT security standards and leading practices such as ISO 27001 for data classification. Table 3 provides extracts from ISO 27001 specific to data classification controls that the DPO and IT could evaluate across the ISO 27001 suggested elements: Business Policies; Business Processes; People and Organization; Management Reports; Methodologies; Systems and Data.
Table 3: ISO 27001 Control Objectives and Control Attributes
ISO 27001 Control Objective – Section 7.2, Information Classification: To ensure that information receives an appropriate level of protection.

Suggested Control Attributes:
Classification Guidelines – Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization. Control attributes include:
A security classification scheme for major assets
Security classification scheme is formalized
Security classification includes value, legal requirements, sensitivity and criticality to the organization
Information Labeling and Handling – An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization. Control attributes include:
Procedures are implemented for the labeling and handling of information/assets that require security protection
Procedures are regularly reviewed and updated
Procedures consider identification (labeling) of electronic and physical sensitive/critical assets
Milestone 4: Establish the Personal Data Management Process
The DPO is also required to establish a set of procedures to support the PDPA obligations. To facilitate the personal data management process, Protiviti developed the Personal Data Protection (PDP) Process Classification Scheme (PCS). This scheme helps organize required PDP practices according to relevant processes, and defines the areas that should be addressed for each of the nine obligations. Identifying each PDP practice as a set of defined processes or sub-processes helps promote a common language and provides a “roadmap” to help identify process-related risks and potential controls that may be applicable in compliance with the PDPA. A sample of the Protiviti PCS meeting the Consent, Purpose, Notification and Protect obligations of the PDPA is illustrated in Figure 4.
Figure 4: Sample of Personal Data Management Process Classification Scheme
The PCS is not an all-inclusive list of existing PDP processes. The Protiviti PCS (processes and associated sub-processes) needs to be customized to fit the facts, circumstances and culture of the organization. IT management can, however, use the major process activities and areas to identify the IT platform attributes necessary for personal data protection and management.
Milestone 5: Assessment and Gap Analysis
With the data inventory map, data flow diagrams and processes designed, it is necessary to conduct an initial assessment of these areas to identify gaps and improvement opportunities. Protiviti’s assessment approach considers the PDPA requirements in the context of the Generally Accepted Privacy Principles (GAPP). The objective is to enable the Management/Sponsor to determine whether the company has defined and is managing personal data following the PDPA guidelines. As part of this assessment (see Figure 5), interviews with staff in the different data protection roles are conducted to identify improvement opportunities.
Figure 5: Sample of Assessment and Gap Analysis Report
Each of the milestones discussed above concerns specific IT platforms and management considerations to support the protection and management of personal data. However, attempting to address every IT platform with its own unique attributes can be expensive and time-consuming. A more effective approach is to complement the program with a technology framework for managing and protecting personal data. The five elements of the Microsoft technology framework for data governance and access control discussed in the next section could be considered to support the improvement opportunities and action plans.
A Technology Framework for Data Governance and Access Control
Microsoft has developed a technology framework for data governance and access control that provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five elements are described in Table 4.
Table 4: Microsoft Technology Framework for Data Governance and Access Control
Key Element – Description
Secure Infrastructure – Safeguards that help protect against malware, intrusions and unauthorized access to personal information, and protect systems from evolving threats.
Identity and Access Control – Systems that help protect personal information from unauthorized access or use, and provide management controls for identity access and provisioning.
Data Encryption – Safeguards that help protect sensitive personal information by converting data into an incomprehensible form that requires a “key” for decoding, with the key held by an authorized recipient.
Document Protection – Protection of personal information stored in a document throughout its entire life cycle via digital signature, encryption, and file validation.
Auditing and Reporting – Monitoring the integrity of systems and data in compliance with business policies.
The following sections describe some of the products and technologies Microsoft provides for each of the five elements of the technology framework listed above.
Secure Infrastructure
The growing importance of information technologies to the way we work underscores the need to secure the underlying infrastructure as much as possible. Fundamentally, safeguarding and managing personally identifiable information (PII) depends on a secure infrastructure that protects against malicious software and hacker intrusions. Table 5 describes a number of Microsoft products and technologies which could help provide a secure infrastructure.
Table 5: Secure Infrastructure - Products and Technologies
Product or Technology – Description

Windows Client Security Technologies
Windows Firewall – A host-based firewall that controls inbound and outbound communications.
Automatic Updates – Enables Windows computers to automatically update the operating system with the latest security updates.
User Account Control (UAC) – Allows users to run with the least-required privilege and helps prevent malware from installing in the background without the user’s knowledge. UAC presents an obstacle to non-UAC-aware malware.
Service Hardening – Windows services are designed and configured to run with the least-required privilege, reducing the harm that can be done by a compromised service.
Kernel Patch Protection – Helps prevent malware from altering the operating system kernel, which helps prevent the installation and execution of rootkits.
Windows Defender – An anti-malware, anti-virus application in Windows 8/8.1 that helps prevent the installation and execution of spyware and other unwanted software. Microsoft Security Essentials was the equivalent software for earlier versions of Windows.
Network Access Protection – A network access control solution that helps prevent unapproved client and server systems from connecting to network resources.
USB and Removable Device Control – A hardware control system that enables administrators to block access to USB and other removable devices.
AppLocker – A flexible, easy-to-administer mechanism that allows IT to specify what is allowed to run in the desktop infrastructure, while giving users the ability to run the applications, installation programs, and scripts they require to be productive.
BitLocker – Helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7/8 file and system protections or viewing offline the files stored on the safeguarded drive.
Secure Boot – A security standard developed by members of the PC industry to help ensure that a PC or server boots using only firmware that is trusted by the PC manufacturer. Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, and Windows Server 2012 support this technology.
System Center Endpoint Protection – Uses the monitoring and deployment capabilities of System Center Configuration Manager (SCCM) to streamline the deployment of antimalware definitions and uses SCCM to provide an in-console monitoring solution. Endpoint Protection can also be used to configure Windows Firewall settings on computers in the enterprise.

Microsoft Server Security Technologies
Fundamental Server Security – These fundamental security elements work together to define trusted users, servers, connections, and operations to help provide a secure foundation for Microsoft server products such as Windows Server, SQL Server, SharePoint, Dynamics CRM/AX, Lync, etc.:
Active Directory Domain Services integration
Role-based access control
Public Key Infrastructure
TLS, HTTPS, MTLS support
Industry-standard protocols for authentication
Security features provided by Windows PowerShell that are enabled by default so that users cannot easily or unknowingly run scripts
Exchange Server 2013 Data Loss Prevention – Performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to help detect content that violates organizational DLP policies.
SQL Server Security Labeling – Provides fine-grained access control at the row and cell level of database tables.
System Center Data Protection Manager (DPM) – Enables disk-based and tape-based data protection and recovery for servers such as SQL Server, Exchange Server, SharePoint, virtual servers and file servers, with support for Windows desktops and laptops. DPM can also centrally manage system state and Bare Metal Recovery (BMR).
Credential Protection – Features and methods introduced in Windows Server 2012 R2 and Windows 8.1 for credential protection and domain authentication controls to reduce credential theft.

Windows Phone Security Technologies
Embedded Trusted Platform Module (TPM) 2.0 Chip – The TPM chip protects encryption keys, contains a crypto processing engine, and is a foundational element of a secure boot chain.
Unified Extensible Firmware Interface (UEFI) Secure Boot – In a UEFI Secure Boot process the firmware, the bootloader, the kernel and kernel extensions are all cryptographically signed. This makes it easy to detect when any of these layers has been tampered with.
Integrated Information Rights Management (IRM) – The built-in IRM can help prevent authenticated users on a trusted device from sharing data with unintended parties, willingly or unwillingly.
Device locking and BitLocker support – Windows Phone supports alphanumeric and complex passwords for device locking. It also supports the same BitLocker technology used in the Windows 7/8 client to encrypt the data on the phone.
Crypto signing from OS kernel to the apps – The entire OS and every app on the system are code-signed to establish a chain of trust from the hardware all the way up.
Local/Remote device wipe – Local device wipe occurs after a specified number of incorrect login attempts. Remote device wipe erases data and helps to prevent unauthorized use.
Identity and Access Control
To reduce the risk of a deliberate or accidental data breach, and to help organizations meet the PDPA requirements, Microsoft offers identity and access control technologies that help protect PII from unauthorized access while keeping it available to legitimate users.
Table 6 describes a number of Microsoft products and technologies that could help meet identity and access control challenges in a distributed computing environment.
Table 6: Identity and Access Control - Products and Technologies
Product or Technology – Description
Active Directory – A centralized database of user and machine accounts that enables centralized management of machines and users within the organization.
Active Directory Federation Services – Enables federation of multiple Windows domains, which streamlines management and control of partner access to corporate resources.
Forefront Identity Manager – Provides self-service identity management for users, automated lifecycle management across heterogeneous platforms for administrators, a rich policy framework for enforcing corporate security policies, and detailed audit capabilities.
Windows Smart Card Support – Enables two-factor authentication for user logon and data access for Windows clients.
Exchange Server support for two-factor authentication – Two-factor authentication requires two methods to gain access to resources. Typically users provide a physical card or token and a PIN to access authorized resources.
Dynamic Access Control – In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. It enables data classification, central access policy definition and auditing, and automatic rights management protection.
Data Encryption
Supported by strong identity and access controls, data encryption can help safeguard information that is stored in databases, on mobile devices, laptops and desktop computers, or transferred via email, across the Internet or other non-trusted networks. Encryption used to secure the storage, transmission and disposal of sensitive information greatly reduces the risk of a harmful data breach by an intruder or hacker, or from a lost or stolen computer or mobile device. Table 7 describes a number of Microsoft products and technologies that support data encryption in a distributed computing scenario.
Table 7: Data Encryption - Products and Technologies
Product or Technology – Description
Encrypting File System (EFS) – EFS encrypts disk data on a per-file or per-folder basis.
BitLocker Encryption – Helps prevent offline and other attacks against disk data by encrypting all data on the system disk volume.
Virtual Private Networking and IPSec – This encryption and network access control technology can be used to control access to servers and encrypt data over the network.
Exchange Server support for encrypted email – Encrypted email helps prevent unauthorized persons from reading or capturing email in transit.
SQL Server Transparent Data Encryption – TDE causes the data and log files (and full-text catalogs, if present) to be encrypted on disk. The encryption occurs transparently as data moves through SQL Server’s IO buffers, so no complicated setup is required and the encryption is all-encompassing for the encrypted database.
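As an added illustration of the TDE entry above (not part of the original paper and not a Microsoft sample), the following T-SQL enables Transparent Data Encryption on a hypothetical database named PersonalDataDB and then verifies the encryption state. The certificate name TDECert, the backup file paths and the password placeholders are assumptions for the example.

```sql
-- Added example (hypothetical names): enable SQL Server TDE on PersonalDataDB.
-- Key hierarchy: DMK in master -> server certificate -> database encryption key (DEK).
USE master;
GO
-- 1. Database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK password placeholder>';
GO
-- 2. Certificate that will protect the DEK of the user database.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for PersonalDataDB';
GO
-- 3. Back up the certificate and its private key and store them off-server:
--    a TDE-encrypted database cannot be restored elsewhere without them.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\SecureBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\SecureBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
-- 4. Create the DEK inside the user database, protected by the server certificate.
USE PersonalDataDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
-- 5. Turn encryption on; existing pages are encrypted by a background scan.
ALTER DATABASE PersonalDataDB SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state: 0 = no DEK, 1 = unencrypted, 2 = in progress, 3 = encrypted.
--    tempdb also appears here once any user database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects data at rest (data files, log files and backups) only; anyone with SELECT permission still reads plaintext through the engine, so it complements rather than replaces the access controls in Table 6. The certificate backup in step 3 is the operational point most often missed: losing it makes the database unrecoverable.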
Document Protection
Rights Management tools help assure document protection. These technologies can be applied to desktop productivity, email and line-of-business applications to help safeguard information and control how information is used, through “persistent protection” that extends throughout the life of the document. They also help prevent sensitive data such as PII or confidential email messages from getting into the wrong hands, intentionally or accidentally.
Table 8 describes a number of Microsoft products and technologies that could help protect documents in a distributed environment.
Table 8: Document Protection - Products and Technologies
Product or Technology Description
Rights Management Services
A collection of technologies that controls which users can access documents and what they can do with those documents (for example, read but not print or forward). They can be integrated with SharePoint and Exchange servers for strong document and mail access control and auditing.
Support for XrML/XPS
XrML (eXtensible Rights Markup Language) is the XML-based rights expression language in which Rights Management Services encodes the usage rights attached to virtually any type of document. XPS (XML Paper Specification) is a document format that enables strong access controls based on Rights Management Services.
Exchange Server Ethical Firewall
This policy-based solution enables organizations to control what content is allowed through the email channel, for example by blocking mail between two departments that must not exchange personal data. It is implemented via transport rules, which run on Hub Transport servers in Exchange 2007 and 2010 and in the Transport service of the Mailbox server role in Exchange 2013.
Office file encryption
Office 2013, in addition to maintaining support for the Cryptography API (CryptoAPI), also supports CNG (Cryptography API: Next Generation). CNG allows for more agile encryption, where the encryption and hashing algorithms supported on the host computer can be specified for use during document encryption, and for better extensibility, where third-party encryption modules (CNG providers) can be used.
Office file digital signature
Users can digitally sign an Office 2013 Excel, PowerPoint, or Word document for many of the same reasons that they might place a handwritten signature on a paper document. A digital signature uses cryptographic algorithms to help authenticate the identity of the creator of digital information, such as documents, email messages, and macros, and to detect any modification made after signing. A signature does not by itself keep the content confidential; encryption or rights management is still needed for that.
Office file validation
A security feature in Office 2013 that helps prevent file format attacks by checking Office binary file formats against the file format specification before they are opened in Excel 2013, PowerPoint 2013, or Word 2013; a file that fails validation is opened in Protected View rather than with full editing rights.
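The Exchange Server Ethical Firewall row above says only that the wall is built from transport rules. As an added example (not code from the white paper, from Microsoft or from Protiviti), the following Exchange 2013 Management Shell script creates such a rule between two departments, first in audit mode so that its scope can be checked against real traffic, then in enforcement. The group addresses, the compliance mailbox and the rule name are placeholders assumed for this example.

```powershell
# Added example, not from the white paper: an ethical wall as an Exchange 2013 transport rule.
# Assumed placeholder names: distribution groups wealthmgmt@contoso.com and research@contoso.com,
# the compliance mailbox compliance@contoso.com, and the rule name below.

$ruleName = "Ethical Wall: Wealth Management <-> Research"

# Stage 1: create the rule in audit mode. Matches are logged but nothing is rejected,
# so the scope of the wall can be verified before any user is affected.
New-TransportRule -Name $ruleName `
    -BetweenMemberOf1 "wealthmgmt@contoso.com" `
    -BetweenMemberOf2 "research@contoso.com" `
    -ExceptIfFrom "compliance@contoso.com" `
    -RejectMessageReasonText "Delivery blocked by the information barrier policy; contact the DPO." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Comments "PDPA programme: personal data must not pass between these teams."

# Stage 2: once the audit-mode matches look right, switch the same rule to enforcement.
# The rule then rejects mail in either direction between members of the two groups and
# returns the reason text to the sender; mail from the compliance mailbox is exempt.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Verify the rule as Exchange actually stored it: state, mode, priority and predicates.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, BetweenMemberOf1, BetweenMemberOf2, ExceptIfFrom

# Ethical walls do not expire or tidy themselves up. List every rule that carries a
# BetweenMemberOf predicate so the walls can be reviewed against the current org structure.
Get-TransportRule | Where-Object { $_.BetweenMemberOf1 } |
    Select-Object Name, State, Mode, Priority, BetweenMemberOf1, BetweenMemberOf2
```

The two-stage approach matters in practice: a BetweenMemberOf rule applies to distribution-group membership at delivery time, so a nested group or a shared mailbox that was not expected to be in scope shows up in the audit-mode matches before anyone's mail starts bouncing.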
Auditing and Reporting
Compliance with internal policies, government regulations, and consumer demands for better control over PII requires the use of monitoring technologies to assist organizations with audit and reporting related to data, systems and applications. Systems management and monitoring technologies can help verify that system and data access controls are operating effectively, and identify suspicious or noncompliant activities.
Table 9 describes a number of Microsoft products and technologies that could support auditing and reporting tasks for data protection and incident investigation.
Table 9: Auditing and Reporting - Products and Technologies
Product or Technology Description
System Center Operations Manager
An enterprise-ready network and server management solution that enables centralized monitoring and reporting across all computing devices on the network. Operations Manager also provides Audit Collection Services (ACS), which forwards Windows security event logs from monitored systems to a central, separately secured database. Keeping the audit data off the audited hosts supports separation of duties between system administrators and auditors and makes the records harder for a local administrator to alter or delete.
System Center Configuration Manager
An enterprise-ready systems management solution enabling centralized software deployment, configuration and update management throughout the organization.
SharePoint eDiscovery and Compliance
The SharePoint 2013 eDiscovery and Compliance features allow enterprises to manage and recover evidence used in civil litigation, and to manage records for the whole organization. A central SharePoint site is used to manage preservation (in-place hold), search, and export of content stored across SharePoint farms and Exchange servers.
SQL Server Audit
The Audit feature allows fine-grained, secure auditing of access to any object in a database, down to individual SELECT, INSERT, UPDATE and DELETE actions on a table by a given principal. In particular, it is an effective tool for rigorously tracking changes to the metadata tables and role memberships that make up the label policy.
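The SQL Server Audit row above describes what the feature can record but not how it is switched on. As an added example (not code from the white paper, from Microsoft or from Protiviti), the following script configures a server audit and a database audit specification for a table holding personal data, and then reads the audit file back. The instance name SQL01, the database CustomerDB, the table dbo.Customers and the path D:\Audit\ are placeholders assumed for this example; the T-SQL is sent from PowerShell with Invoke-Sqlcmd from the SQL Server 2012 SQLPS module.

```powershell
# Added example, not from the white paper. Assumed placeholder names: instance SQL01,
# database CustomerDB, PII table dbo.Customers, audit file path D:\Audit\.
Import-Module SQLPS -DisableNameChecking

$serverAudit = @"
USE master;
-- Server-level audit object: where events are written and what happens when they cannot be.
-- ON_FAILURE = FAIL_OPERATION blocks the audited action instead of silently dropping the record.
CREATE SERVER AUDIT PII_Audit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT PII_Audit WITH (STATE = ON);
"@

$dbAudit = @"
USE CustomerDB;
-- Database-level specification: every read and write of the PII table by any principal,
-- plus role-membership and schema changes so that the policy itself is tracked, not just the data.
CREATE DATABASE AUDIT SPECIFICATION Customer_PII_Access
    FOR SERVER AUDIT PII_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
"@

Invoke-Sqlcmd -ServerInstance "SQL01" -Query $serverAudit
Invoke-Sqlcmd -ServerInstance "SQL01" -Query $dbAudit

# Read back: who touched the PII table, and which role or schema changes were made,
# in the last 24 hours. event_time in the audit file is recorded in UTC.
$report = @"
SELECT event_time, action_id, server_principal_name, database_name,
       object_name, statement, succeeded
FROM sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(hour, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
"@
Invoke-Sqlcmd -ServerInstance "SQL01" -Query $report | Format-Table -AutoSize
```

Two choices in the script are deliberate. Auditing BY public records access by every principal, including members of sysadmin, rather than only the application account; and the audit file directory should be on a volume that database administrators cannot write to directly, otherwise the separation of duties the auditing is meant to provide is lost.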
Personal Data Protection Considerations Using Cloud Services
Cloud computing has become an important part of corporate IT strategy for many companies in recent years because of merits such as readily expandable resources, a pay-as-you-go charging model, and faster time-to-market, which the traditional on-premises deployment model can hardly match. Unlike conventional IT outsourcing and hosting arrangements, where the service provider supplies IT infrastructure and services to customers through a dedicated environment and dedicated staff, cloud service providers deliver IT infrastructure and services to customers through a multi-tenant, shared environment from data centers around the world. Because of that, many market studies and the dialogue between prospective customers and service providers show that certain themes have emerged as potential barriers to rapid adoption of cloud services, with security, privacy, reliability, and operational control as the top concerns.
Whether a consumer's personal information is stored on their own computer or in an online setting, and whether an organization's mission-critical data is stored on premises, on a hosted server, or in the cloud, Microsoft recognizes that all of these environments must provide a trustworthy computing experience through focus on three areas:
Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business;
Maintaining and updating a detailed set of security controls that mitigate risk;
Operating a compliance framework that ensures controls are designed appropriately and are operating effectively;
Based on these trustworthy computing principles, we illustrated in previous sections the Microsoft technology framework for data governance and access control, which Microsoft has developed through years of experience managing security risks in traditional development and operating environments. Since the launch of MSN® in 1994, Microsoft has also been building and running cloud services at global scale based on the same security and governance framework. The Global Foundation Services (GFS) division of Microsoft delivers the core infrastructure and foundational technologies for the company's over 200 online businesses, including Bing, MSN, Office 365, Xbox Live, Skype, SkyDrive and the Windows Azure platform. The infrastructure is comprised of a large global portfolio of data centers, servers, content distribution networks, edge computing nodes, and fiber optic networks. The portfolio is built and managed by a team of subject matter experts working 24x7x365 to support services for more than 1 billion customers and 20 million businesses in over 89 countries worldwide. Microsoft's Online Information Security Program defines how the Online Services Security and Compliance (OSSC) team operates within GFS. The program has been independently certified by British Standards Institute (BSI) Management Systems America as compliant with ISO/IEC 27001:2005.
To help customers avoid financial loss and other consequences of opportunistic and targeted online attacks, and as part of a steadfast commitment to trustworthy computing, Microsoft employs people, processes, and technologies, leveraging its broad experience and deep expertise, to provide a safer digital experience for consumers and a more secure global operating environment for businesses, be it on premises or in the cloud.
Some companies in Singapore are also concerned about how or where their data would be stored and processed if they were to use cloud services for their business. Besides general concerns about data security and privacy in the cloud, Section 26 of the PDPA also provides that personal data may only be transferred to a country or territory outside Singapore in accordance with requirements prescribed under the PDPA, so as to ensure that the receiving organization provides a standard of protection comparable to that under the PDPA. The implementing regulations that will prescribe the Section 26 requirements have yet to be finalized. Microsoft is monitoring this closely and will put in place the necessary arrangements to ensure compliance. Customers using Microsoft cloud services such as Office 365 and Windows Azure may specify the geographic area(s) ("geos" and "regions") of the Microsoft data centers in which customer data will be stored. For example, customers can choose "Southeast Asia" as the region to specify that their data should reside in Microsoft's Singapore data center. Information on the available geos and regions of Microsoft data centers is available at the Trust Center websites listed in the References section of this white paper.
Microsoft may transfer customer data within a geo (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure geo-redundant storage replicates Blob and Table data to a second region within the same geo for enhanced data durability in case of a major data center disaster; for the Southeast Asia region the paired region is East Asia (Hong Kong), so the replica resides outside Singapore. Customers can choose to disable geo-redundancy on a storage account (keeping only locally redundant copies within the primary region) to avoid data being transferred out of Singapore. Microsoft will not transfer customer data outside the geo(s) the customer specifies (for example, from Europe to the United States or from the United States to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where the customer configures the account to enable such transfer of customer data, including through the use of:
Features that do not enable geo selection, such as Content Delivery Network (CDN), which provides a global caching service;
Web and Worker Roles, which back up software deployment packages to the United States regardless of deployment geo;
Preview, beta, or other pre-release features that may store or transfer customer data to the United States regardless of deployment geo;
Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers;
However, Microsoft does not control or limit the geos from which customers or their end users may access customer data. For more information on how Microsoft online services address security, privacy and compliance issues, please refer to the Trust Center websites in the Reference section of this white paper.
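The paragraphs above describe region selection and geo-redundancy in prose. As an added example (not code from the white paper, from Microsoft or from Protiviti), the following script uses the Windows Azure PowerShell service management cmdlets of early 2014 to create a storage account in the Southeast Asia (Singapore) region, turn off geo-replication so that Blob and Table data are not copied to the paired East Asia region, and then audit the subscription for any account whose data could leave Singapore. The subscription name "Contoso Production" and the account name "contosopdpa" are placeholders assumed for this example.

```powershell
# Added example, not from the white paper. Windows Azure PowerShell (service management
# cmdlets, early 2014). Assumed placeholder names: subscription "Contoso Production",
# storage account "contosopdpa".
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "Contoso Production"

# Confirm that "Southeast Asia" (the Singapore data center) is available to this subscription
# and which services it offers there.
Get-AzureLocation |
    Where-Object { $_.Name -eq "Southeast Asia" } |
    Select-Object Name, AvailableServices

# Create the storage account in Singapore ...
New-AzureStorageAccount -StorageAccountName "contosopdpa" `
    -Location "Southeast Asia" `
    -Label "PDPA personal data"

# ... and disable geo-replication. With it enabled, Blob and Table data would be copied
# asynchronously to the paired region (East Asia, i.e. Hong Kong), which is outside Singapore.
Set-AzureStorageAccount -StorageAccountName "contosopdpa" -GeoReplicationEnabled $false

# Verify what was actually provisioned rather than what was requested: the location and
# the replication state, including the secondary location if any replication is still active.
Get-AzureStorageAccount -StorageAccountName "contosopdpa" |
    Select-Object StorageAccountName, Location, GeoReplicationEnabled, `
                  GeoPrimaryLocation, GeoSecondaryLocation

# Subscription-wide check for the PDPA programme: any storage account that is either
# outside Singapore or still geo-replicated is a candidate for a Section 26 review.
Get-AzureStorageAccount |
    Where-Object { $_.Location -ne "Southeast Asia" -or $_.GeoReplicationEnabled } |
    Select-Object StorageAccountName, Location, GeoReplicationEnabled, GeoSecondaryLocation
```

Disabling geo-replication is a trade-off: the account keeps only the locally redundant copies within the Singapore data center, so the durability guarantee against a whole-data-center loss no longer applies and must be covered by the organization's own backup arrangements. The final query is the useful part to schedule, because region and redundancy settings are per account and a new account created through the portal defaults to geo-replication enabled.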
Conclusion
Organizations seeking to comply with the PDPA should engage their IT departments actively in the process, and partner with external experts to develop a process that takes full account of the requirements and also addresses the risks inherent in compliance-related implementations. Organizations should also deploy relevant tools, technologies and products to automate control over personal information as much as possible, and ensure organization-wide consistency in how personal data is handled and managed.
Call to Action
In this white paper, we propose a general approach and framework to guide organizations in addressing PDPA compliance requirements from people, process, and technology perspectives. The journey toward compliance is likely to be a continuous process as the regulation adjusts to meet the changing landscape of international business practices and the legal environment. Protiviti and Microsoft can provide further assistance to help our clients kick-start this journey by identifying capability gaps, prioritizing initiatives, and developing an organization and architecture blueprint, which could help set the foundation for a sustainable culture transformation and technical enablement for PDPA compliance in the long run. For inquiries about topics in this white paper, or to find out more about our offerings, products and services, please approach your Microsoft or Protiviti representatives, or contact the following:
Ivan Leong Protiviti Singapore +65 6220-6066 [email protected]
Daniel Li Microsoft Singapore +65 6888-7409 [email protected]
References
Generally Accepted Privacy Principles: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/default.aspx
Protiviti KnowledgeLeader: http://www.knowledgeleader.com
“Information Protection Strategies for Financial Services,” Microsoft U.S. National Security Team, Co-authored by Thomas W. Shinder and Norm Barber, Sept 2007
“Microsoft’s Compliance Framework for Online Services,” Microsoft Global Foundation Services, Oct 2009
“Information Security Management System for Microsoft Cloud Infrastructure,” Microsoft Corporation, Nov 2010
“Securing Microsoft’s Cloud Infrastructure,” Microsoft Corporation, May 2009
Global Foundation Service Security & Compliance: http://www.globalfoundationservices.com/security-and-compliance.aspx
O365 Trust Center: http://office.microsoft.com/en-us/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
Windows Azure Trust Center: http://www.windowsazure.com/en-us/support/trust-center/
Dynamics CRM Online Trust Center: http://www.microsoft.com/en-us/dynamics/crm-trust-center.aspx
Microsoft Windows Safety & Security Center: http://www.microsoft.com/security/default.aspx
Active Directory Rights Management Services: http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx
Windows Phone Security: http://www.windowsphone.com/en-US/business/security
Secure Windows Server 2012: http://technet.microsoft.com/en-us/library/hh831360.aspx
SQL Server 2012 Security & Compliance: http://www.microsoft.com/en-us/sqlserver/solutions-technologies/mission-critical-operations/security-and-compliance.aspx
The Security Model of Microsoft Dynamics CRM: http://msdn.microsoft.com/en-us/library/gg309524.aspx
Authentication, Authorization, and Security in SharePoint 2013: http://msdn.microsoft.com/en-us/library/office/ms457529.aspx
Microsoft Lync Server 2010 Security Guide: http://www.microsoft.com/en-us/download/details.aspx?id=2729
System Center 2012 Configuration Manager, Operations Manager, Endpoint Protection, and Data Protection: http://technet.microsoft.com/en-us/library/hh546785.aspx
Exchange Server Data Loss Prevention: http://technet.microsoft.com/library/jj150527(EXCHG.150)
About Microsoft
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential. To know more, please visit www.microsoft.com/en-sg
Microsoft, Office, Windows, Windows XP, Windows Vista, Windows 8, Windows Server, Visual Studio, SharePoint, Dynamics CRM/AX, and SQL Server are either registered trademarks or trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
© 2014 Microsoft. All rights reserved
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.