Even as a company outsources its IT operations, it is still liable for the security and accuracy of information. The Model Data Protection Code adopted by the National Trust Council becomes a useful consideration for businesses.
As infocomm outsourcing gains traction, the issue of data protection comes to the fore. With outsourcing, a business may transfer the processing of the personal data of customers and employees of business entities to a third party. However, it retains liability for the security and accuracy of information and full control over how the personal information is used. This means that the business remains liable for any breaches. Thus, this is an area that all businesses involved in infocomm outsourcing need to pay attention to.
Infocomm outsourcing typically involves the transfer of a business's infocomm and related services functions to an external service provider. It can be onshore, nearshore, offshore or a combination of these. It takes two main forms - a so-called 'pure' infocomm outsourcing arrangement, such as network outsourcing, and infocomm-enabled services outsourcing, also known as business process outsourcing (BPO). An example of BPO is supply chain management.
As businesses embark on BPO, there is a trend towards tighter integration of their systems with those of their partners - both vertically (supplier/client) and horizontally (peer/partner) - in order to achieve greater efficiency and higher profit margins. Such multi-party integration, particularly where it involves cross-border business entities, raises legal implications in data protection.
Where data protection is concerned, the Model Data Protection Code for the Private Sector, adopted by the National Trust Council (NTC) through its TrustSg programme, would be specifically relevant to private sector businesses.
The Model Code establishes minimum standards for electronic data protection across industries in Singapore. It is based on 10 principles that give guidance on the use, collection, accuracy and dissemination of personal data. It incorporates international standards of data protection regimes within its guidelines. Under this data protection regime, the flow of personal data to countries without adequate data protection schemes is restricted.
While the Model Code is not a compulsory compliance requirement for businesses, it is especially useful for businesses that are expanding their international outsourcing activities.
A short description of each of the 10 principles is presented below:
- Accountability: An organisation is responsible for personal data in its possession and custody.
- Specifying purposes: The purposes for which personal data are collected shall be specified by the organisation.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal data to a third party.
- Limiting collection: The collection of personal data shall be limited to that which is necessary for the purposes specified by the organisation. Data shall be collected by fair and lawful means.
- Limiting use, disclosure and retention: Personal data shall not be used or disclosed to a third party for purposes other than those for which it was collected, unless the individual consents to such use or disclosure.
- Accuracy: Personal data shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal data shall be protected by appropriate security safeguards.
- Openness: An organisation shall make readily available information about its policies and procedures for handling personal data.
- Individual access and correction: An individual shall upon his request be informed of the existence, use, and disclosure of his personal data and shall be given access to that data.
- Challenging compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for the organisation's compliance.
One of the ways for businesses to adopt the Model Code is through TrustSg accreditation. TrustSg is a nationwide trust mark initiative by NTC and supported by the Infocomm Development Authority of Singapore (IDA). It aims to build confidence in electronic transactions, especially in the area of privacy and security. By acquiring the TrustSg seal, the business would have complied with a stringent code of conduct for electronic business practice set by the NTC.
The code covers the areas of disclosure, privacy, fulfillment, best business practices and protection of minors and the elderly. Consumers would, in turn, recognise the business as trustworthy and carry out business transactions with more confidence.
Businesses should also consider the following good practice recommendations before embarking on infocomm outsourcing.
- Select a reputable service provider that offers suitable guarantees about its ability to ensure the security of personal data, e.g. not using the personal data collected in ways other than those specified in the contract.
- Ensure that the contract with the provider is enforceable.
- Ensure that the provider has appropriate security measures in place.
- Audit the provider regularly to make sure it is up to the mark.
With the adoption of the Model Code and the above-mentioned good practice recommendations, businesses would now be able to minimise data privacy and security breaches and focus on their infocomm outsourcing projects.
Note: The above discussion is not a substitute for professional legal advice on specific cases.
The writer is an infocomm committee member of the Law Society of Singapore, who practises at Messrs Amy Ang.
TRUSTSG is a nationwide trust mark initiative to boost the electronic commerce environment in Singapore. This is to help build confidence in e-commerce transactions, especially in the area of privacy and security.
Depending on the sectors businesses operate in, they may choose to be accredited with TrustSg status by any of the following authorised code owners:
1. For business-to-consumer sectors:
- Consumers Association of Singapore (under the CaseTrust programme); and
- CommerceNet Singapore Ltd (under the ConsumerTrust Global Reliability Programme).
2. For business-to-business sectors:
- CommerceNet Singapore Ltd (under the BusinessTrust Global Reliability Programme).
For more information on the TrustSg accreditation and the Model Code, please visit www.trustsg.com.sg/for_merchants.
- TrustSg is a national trust mark initiative by the National Trust Council and supported by IDA.
- This article first appeared in The Business Times on 26 August 2008 and information is correct at the time of publication.