Security of Personal Data

Section 20 of the Personal Data Protection and Privacy Act (2019) requires a data collector, processor or controller to secure the integrity of personal data in their possession or control. This should be done by adopting appropriate, reasonable, technical and organizational measures to prevent loss, damage, or unauthorized destruction and unlawful access to or unauthorized processing of the personal data.

In practice, data controllers, processors or collectors should take measures to:

  1. identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
  2. establish and maintain appropriate safeguards against the identified risks;
  3. regularly verify that the safeguards are effectively implemented; and
  4. ensure that the safeguards are continually updated in response to new risks or deficiencies.

The Act further stresses the need for data controllers to ensure that their data processors also comply with the required security measures in order to maintain the confidentiality and integrity of personal data.

Where a data collector, data processor or data controller believes that the personal data of a data subject has been accessed or acquired by an unauthorized person, the data collector, data processor or data controller shall immediately notify the Office of the unauthorized access or acquisition and the remedial action taken.