fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Stricter PDPA NRIC guidelines for organisations: What you should know

PDPA NRIC guidelines
Stricter PDPA NRIC guidelines that organisations in Singapore must observe and follow.

Stricter PDPA NRIC guidelines for organisations: What you should know

Whether we like it or not, we are being watched as prey, and this has never changed since the dawn of the internet. With the sophistication of methodologies that bad actors use to try and pry our private lives and information, a much more robust policy is needed to compensate for the risk involved in the unavoidable handling of personal data, which, in this case, includes NRIC numbers. 

When NRIC numbers are handled carelessly or without thought, the risk of accidental disclosure goes up.

The NRIC numbers and the risk in handling them

The Singapore National Registration Identification Card (NRIC) number is a unique number that is given to Singapore citizens and permanent residents of registering age by the Singapore government. It is often used for business transactions and dealings with the government and is considered personal information because of the unique set of numbers and letters that can be used to find out who the person is. 

As the NRIC number is a permanent and unchangeable identifier that could be used to access a lot of information about a person, it is especially important to be careful about how it is collected, used, and shared. When NRIC numbers are handled carelessly or without thought, the risk of accidental disclosure goes up. This means that NRIC numbers could be stolen and used for illegal activities such as identity theft and fraud. 

With this, under the updated Advisory Guidelines on the Personal Data Protection Act for NRIC, organisations are generally not allowed to collect, use, or disclose NRIC numbers (or their copies), with the exception of the following:

  1. Collection, use, or disclosure of NRIC numbers (or their copies) is required under the law (or an exception under the PDPA applies); or 
  2. Collection, use, or disclosure of NRIC numbers (or copies of NRIC) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity. 

Thus, when the collection, use, and disclosure of the NRIC numbers are not for the requirement under the law or to establish or verify the identities of the individuals to a high degree of fidelity, the organisation is prohibited from handling them or else risk a financial penalty from the Personal Data Protection Commission (PDPC) such as in the case of Singapore Taekwondo Federation, a national governing body for taekwondo.

As the NRIC number is a permanent and unchangeable identifier that could be used to access a lot of information about a person, it is especially important to be careful about how it is collected, used, and shared.

Singapore Taekwondo Federation’s NRIC mishap 

In this case, the organisation was fined a hefty financial penalty of S30,000 after it was found out that the NRIC number of 782 students was set out in public and was accessible to everyone. This was due to the human error committed by the organisation’s head of the tournament department. 

Moreover, it was found out that Singapore Taekwondo Federation did not have any policy implemented but only left the manner of handling the students’ personal data to an “unwritten SOP.” With this, these leaked NRIC numbers could be used by a potential bad actor to unlock the vast database of information relating to the individual. 

The takeaway for this case is the importance of having a concrete policy covering every nook and cranny regarding cybersecurity. Employees are considered the weakest point when it comes to an organisation’s cybersecurity. If there are no written policies that they can follow or were made aware of, then they can be prone to risking your organisation’s healthy cybersecurity posture. 

How a DPO can help

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

With a DPO, the organisation can ensure that the handling of any NRIC numbers is within the ambit of the PDPA and nothing more. Moreover, part of its tasks is to ensure that there are policies in play so that human error is unlikely.

DPOs complement the efforts of organizations in making sure that the personal data collected, used, and disclosed by the organisation is safe. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.

As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is safe, as it affects me whenever a decision is made.

Also Read: 5 Ransomware Singapore facts: What your organisation should know

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us