The Personal Data Protection Act (PDPA) states that companies have to properly dispose of documents containing personal data, failing which they may be penalised.
Personal data refers to data from which an individual can be identified. Any data such as a person’s name (or part thereof), identification number, passport details, height, weight, gender, bank details and all related data are classified as personal data under the PDPA.
Personal data can be stored in two forms:
- Physical documents: Hard copies of forms and documents
- Electronic form: Hard disks and cloud storage (e.g. Dropbox and Google Drive)
Under the PDPA, companies must make reasonable security arrangements to protect such personal data in their possession from unauthorised access and use, collection, disclosure, modification, disposal and/or similar risks.
Thus the method of disposal of documents with personal data is also covered in the PDPA.
Most companies will dispose of documents merely by throwing them in the bin. Unknown to them, this constitutes a breach of the PDPA.
The Personal Data Protection Commission (PDPC) recommends that the disposal of physical documents be done through these methods.
- Shredding: The method most commonly used by companies. It is considered a fast and cost-effective method, and is sufficiently secure where there is ‘reasonable difficulty’ in reconstructing the document.
- Incineration: Burning of documents which reduces paper to ashes.
- Pulping: Mixing of paper with water and chemicals to break down paper fibres. The mixture is then processed into recycled paper.
The Personal Data Protection Commission (PDPC) recommends that the disposal of data stored in electronic form be done through these methods.
- Destroying the media: Cutting or crushing CDs, DVDs and hard disks.
- Disposal of personal data: Special effort must be taken to ensure that personal data contained in the media is properly deleted. Moving the data into the recycle bin of the computer is not sufficient.
When in doubt, seek legal advice or consult an experienced ACRA Filing Agent.
Yours Sincerely,
The editorial team at Singapore Secretary Services