While a lot of emphasis is placed on cyber security controls required by companies to protect personal data, there seems to be less focus on minimising data collection in the first place by organisations.
Any expert in cyber security will tell you that once you have shared personal data with a company, it is only a matter of time before the information is exposed or misused, regardless of the sophistication of security controls.
It is best practice to collect only the absolute minimum data required for the service provider to provide the core service to the customer. The data collected should be only for the exact purpose of the transaction and nothing more.
It is, however, routine to see department stores collecting information such as date of birth, home address and marital status for something as trivial as a loyalty programme; and credit card companies collecting comprehensive personal data for a card application.
All medical touchpoints pull your core personally identifiable information (PII) data when you visit a new doctor or institution. When you rent a flat, details of your IC will likely be shared with at least three parties.
As a result, a copy of a person’s IC is likely being held in dozens of companies’ systems, e-mail boxes, and mobile phones of sales agents.
It takes only one data leak from one of these points to compromise the subject’s details.
Assuming a 10 to 20 per cent chance of exposure for one point, multiplied by a few dozen points, data exposure is a mathematical inevitability.
Most of these points of data collection will likely not have a defined data retention period, which means such data will linger on forever, increasing risk of exposure in unmanaged systems.
As there is already a Singpass system for centralised authentication, it would be optimal to record only the name and last four digits of the IC number at the point of service.
Minimising data collection and limiting the quantum of data for the purpose as legally required, accompanied by an electronic Singpass-based authentication system, can help protect data at the root level.
This is a far more realistic and inexpensive approach than allowing a free-for-all data collection culture and then expecting small companies to protect themselves against ever sophisticated cyber attacks.
Anand Srinivasan
