Forum: Regular review needed on what personal data is collected and what needs to be purged


    There have been more reports about data breaches and hacks. There have also been comments that companies should assume responsibility and culpability to their clients, instead of merely blaming their data services vendors (Responsibility for data hack lies not only with the vendor, Oct 30).

    Employment agencies, healthcare groups like Fullerton Health and SingHealth, and telecommunications companies and Internet service providers such as Singtel, StarHub and MyRepublic have had data stolen.

    This shows almost every Singaporean can be affected. But this is hard to mitigate as customers must provide personal data as a condition for many services, surrendering privacy and security in return.

    At a world leaders meeting in Estonia in September, Minister for Communications and Information Josephine Teo said that Singapore was changing its cyber security posture to adopt an “assume breach” mindset.

    The authorities therefore recognise that they cannot depend on just preventive measures.

    When collecting and retaining personal data, businesses should specify which fields are required by their regulating authorities, and the potential customer should have the right to decline providing the rest of the data.

    The authorities should regularly review why they collect specific data and, if the reasons are outdated, stop and delete the historical records.

    For example, older NRICs listed the owner’s blood type. The original intent was apparently to help blood matching in mass emergencies.

    However, doctors were not likely to just depend on the information stated on the IC and transfuse blood without a laboratory cross-match.

    Until this practice of displaying the blood type was stopped, the unintended consequence could have been people questioning their family ties when they realised their genetic linkage was not what they had assumed.

    The collection, display and retention of data should always be restricted to what is absolutely necessary. Whether done by the authorities or by businesses, this should be strictly limited and openly justified, and outdated data must be regularly purged.

    Lee Pheng Soon (Dr)

