Data protection on the blockchain: Singapore’s Privacy Commission weighs in | Fox Rothschild LLP
The Singapore Personal Data Protection Commission (PDPC) has published guidance on data protection in the blockchain.
Some key points:
Permissionless Blockchain:
- Writing personal data on-chain in the clear is a form of public disclosure. Personal data should only be written on-chain if consent to publication has been obtained from the individuals concerned, or if the personal data is already publicly available.
- Application service providers (ASPs) that build applications should design them so that no personal data controlled by participating organizations is written on-chain, whether in plaintext, encrypted or anonymized form.
- Organizations should avoid business use cases that require uploading personal data onto the chain in clear, encrypted or anonymized forms.
Permissioned Blockchain:
Operators should:
- Restrict participation in the network to authorized organizations and impose binding requirements on them via the consortium agreement (e.g. restrictions on what kinds of data can be written to the network, backed by technical controls and restrictions on participants' behavior).
- Allow participation only by organizations that can ensure adequate protection of personal data across all their nodes, data centers and any sub-processors to which the data is transferred or in which it is stored. For example, they may do so by: (1) admitting entrants only from jurisdictions with comparable standards of protection; (2) securing binding contractual obligations for comparable protection through consortium agreements between the operator and participants; or (3) requiring participants to obtain specified certification.
- Require participants to encrypt or anonymize personal data on-chain using industry-standard algorithms or practices so that only authorized participants can access the data with the decryption keys or identity matching tables provided through off-chain channels.
- Monitor and enforce against any perpetrators of personal data breaches on the network.
- Review these technical measures (e.g. encryption or other privacy-preserving technology) regularly.
Off-chain approach:
- Design your applications so that personal data is stored in an off-chain database or data warehouse, where traditional access control mechanisms can be applied.
- Only a reasonably strong hash of the personal data, or a hash of the link to the off-chain database, should be written on the chain. Any change in the underlying data will produce a completely different hash.
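An added illustration of the off-chain approach above (example code, not from the PDPC guidance or the firm): personal data stays in a simulated off-chain store, and only a digest is anchored on a simulated ledger. It goes slightly beyond the bullet by using a keyed (salted) SHA-256 rather than a bare hash, since a bare hash of a low-entropy field such as a name or ID number can be matched against guesses; the per-record salt kept off-chain is an assumption of this example, as are the store and ledger structures.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins: an off-chain store holding the record and its secret
# salt, and an append-only ledger that only ever receives digests.
OFF_CHAIN = {}
LEDGER = []


def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical data always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(record: dict, salt: bytes) -> str:
    """Keyed SHA-256 over the record. Because the salt never leaves the
    off-chain store, the public digest cannot be matched against guesses of
    the underlying personal data the way an unsalted hash could."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()


def anchor(record_id: str, record: dict) -> str:
    """Store the record off-chain and write only its digest to the ledger."""
    salt = secrets.token_bytes(32)
    OFF_CHAIN[record_id] = {"record": record, "salt": salt}
    digest = commit(record, salt)
    LEDGER.append({"record_id": record_id, "digest": digest})
    return digest


def verify(record_id: str) -> bool:
    """Recompute the digest from the off-chain copy and compare it with the
    most recently anchored value; any edit to the record makes this fail."""
    entry = OFF_CHAIN[record_id]
    anchored = next(e["digest"] for e in reversed(LEDGER)
                    if e["record_id"] == record_id)
    return hmac.compare_digest(commit(entry["record"], entry["salt"]), anchored)


if __name__ == "__main__":
    # Constructed sample record; no real personal data.
    anchor("cust-001", {"name": "Example Person", "email": "ep@example.com"})
    print("intact:", verify("cust-001"))
    OFF_CHAIN["cust-001"]["record"]["email"] = "other@example.com"  # off-chain edit
    print("after edit:", verify("cust-001"))
```

Erasing the record or salt off-chain leaves the ledger holding only an unlinkable digest, which is the property the guidance relies on.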
Data protection processing program for Blockchain:
- Establish an oversight committee for the blockchain consortium, where relevant.
- Ensure that the Data Protection Officer (DPO) of each participating organization in the blockchain consortium oversees proper PDPA compliance through the policies and processes of the blockchain application in his or her own organization and the consortium.
- Set guidelines and rules to determine the roles, responsibilities and rights of each participant in the blockchain application. Where possible, use legally binding mechanisms.
- Conduct a Data Protection Impact Assessment (DPIA) to identify and assess potential risks to personal data in the blockchain network and application.
- Regularly review the data protection and cyber security policies and processes in place to ensure they remain relevant in light of changes in technology, industry practice and regulation.