Does ISO 27018 help organizations comply with Singapore's Personal Data Protection Act?
In July 2014, Singapore's Personal Data Protection Act (PDPA) came into effect, bringing increased pressure on organizations that operate in Singapore. Coincidentally, the International Standards Organization (ISO) recently adopted a new standard governing the processing of personal data in the cloud: ISO 27018. Some would ask whether ISO 27018 helps organizations in Singapore overcome the data protection challenge, specifically PDPA compliance.
My conclusion is yes. If an organization engages a cloud service provider (CSP) that complies with ISO 27018, the organization can be confident that the CSP's cloud solution will help it comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help the organization comply with its key legal obligations under the PDPA.
One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their customers.
So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018? Can ISO 27018 help organizations and CSPs alike ensure compliance with PDPA requirements? In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services with the requirements in ISO 27018.
PDPA Obligations vs ISO 27018 Standard
- PDPA Consent Obligation – You must get the consent of the person whose data you're collecting, using or disclosing.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to process personal data in accordance with the organization's instructions and bars processing for any other purpose, thereby providing assurance to the organization.
- PDPA Purpose Limitation – You can only use the data in a way that a reasonable person would find appropriate and, if applicable, you must have notified that person.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to process personal data in accordance with the organization's instructions, and it requires the CSP to disclose information about sub-processors and data location to the organization. These requirements help the organization because they provide assurance that the CSP will not use its personal data for purposes that have not been notified to individuals.
- PDPA Retention Limitation – If the purpose you collected the data for is no longer valid, or if retention of the data is no longer necessary for legal or business purposes, then you will have to cease to retain documents containing that data.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the organization.
- PDPA Access and Correction Obligation – If a person requests it, you will need to provide them with access to their personal data and inform them how you have been using that data over the past year. You must also allow that person to correct any mistakes or omissions found in that data.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to assist the organization in complying with a data subject's access requests and correction requests.
- PDPA Protection Obligation – An organization has the same obligations in respect of personal data processed on its behalf and for its purposes by a third party as if the personal data were processed by the organization itself.
Does ISO 27018 help? Yes. An organization must establish and implement a security system to prevent any unauthorized access to or abuse of the personal data in its possession or under its control. It should provide for regular audits of the security system. It must establish contingency plans and remedial measures in the event of a breach of the security system. If the security system is outsourced to a third party, the contract must contain binding contractual provisions to ensure the outsourced party is able to comply with the Protection Obligation.
- PDPA Transfer Limitation – You cannot transfer personal data to a country or territory outside Singapore unless the transfer follows the guidelines prescribed by the PDPA.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to specify and document the countries in which the personal data may be processed and, no matter where the personal data is located, all of the other requirements in ISO 27018 continue to apply to that personal data.
- PDPA Openness Obligation – You must implement the necessary procedures and policies and make sure that these are accessible to the public.
Does ISO 27018 help? Yes. ISO 27018 requires the CSP to execute a contract with the organization to ensure that data is processed in accordance with the organization’s instructions (including instructions as to policies and procedures that are adopted by the organization).
Put simply, the comparison shows that the key legal obligations are matched by the standard's requirements. ISO 27018 is a welcome step towards ensuring that cloud solutions comply with relevant privacy law obligations, including those in Singapore's PDPA, and thereby further boosts confidence in cloud solutions. Organizations should check that their CSPs (existing or potential) comply with ISO 27018. This will help organizations be confident that their cloud solutions comply with the relevant obligations under the PDPA (or the relevant laws in other countries).