Cyber attacks and ransomware have become crimes of modern digital society. Yet, in Thailand what is of new concern is the attack on government database sources — particularly those of state hospitals.
In September last year, Saraburi Hospital’s database was hacked and the attackers gained access to information of patients.
Last month alone there were two cases. In the first hackers managed to crack into the database of a state hospital in Phetchabun and make a profit from selling the information of thousands of patients on the dark web. A week after, another hospital, the Bhumirajnakarin Kidney Institute in Bangkok fell victim, with the hackers demanding a ransom in exchange for the records of 40,000 patients.
The cases again raise a red flag that data breaches can be caused by several factors — from deliberate ransomware attacks by hackers to human error such as failure to update security software or negligence of a personal data officer who may unknowingly open malware-infested emails, links or files. Therefore, even if an organisation has adequate security measures, there can still be the risk of a data breach caused by human error or other mistakes.
Today, government agencies get involved in many aspects of our lives, and they have collected important personal data from the “cradle-to-the-grave” whether it be information on health, social security and education. In other words, the government is one of the institutions that have a lot of our personal data.
The attacks on hospital computer systems affected not only the government but patients whose privacy and crucial personal data have been accessed. Sensitive personal data of individuals as well as staff of state organisations are protected by the Personal Data Protection Act 2019.
However, the real concern is how these state agencies collect and use public information. Many agencies tend to keep more personal information than necessary for performing their official duties or missions. Additionally, some agencies may maintain personal data in a way that does not meet security standards and therefore are exposed to higher risk from data breaches or attacks on computer systems. Another concern is the lack of setting access control measures which leads to unauthorised access to personal information, especially for electronic documents in office computers.
The current law is not of much help. The Personal Data Protection Act 2019 — known as PDPA, is only partially enforced, and is also still unclear on many issues.
In May, the government approved a royal decree to postpone the full enforcement of the law until June 1, 2022, citing concerns about compliance among state and private organisations amid the pandemic.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors that use personal data must receive consent from data owners and use it only for express purposes.
Yet, the PDPA is unclear. One of the issues is that it is harder for state agencies to clearly understand their obligations and start implementing necessary measures or policies which are legally compliant with the law. For example, without a clear categorisation of personal data, officials cannot determine correctly what type of information can either be publicly used or transferred to other public agencies or which types of data are sensitive personal information that needs additional care and protection.
When it comes to having security measures, both systemic and technical security depends on the allocation of budget and finding appropriate personnel who can effectively operate and monitor the security systems. In practice, it may be impossible for some organisations to achieve adequate standards immediately because it requires a huge amount of budget and time to recruit personnel to perform such duties.
Therefore, in order for state agencies to have appropriate measures for their collection and use of personal data, the question is: What are the steps for setting up those appropriate measures?
State agencies that possess civilian data must provide appropriate and sufficient security measures. But without skilled and trained personnel with the relevant knowledge, there cannot be a proper security system. Therefore, building a good data protection system can start with creating knowledge and raising awareness about personal information for personnel in the organisation. This can begin with the management issuing policies and clear guidelines for their workforce to strictly follow. The guidelines should cover how personal data should be collected, protected, used, stored and destroyed.
In addition, a great emphasis must be placed on providing the correct knowledge, especially to officers whose primary task involves collecting personal data, such as for civil registration and passport issuance. Therefore, personnel engaged with such tasks must have great understanding and awareness in using the information in their task. For other less data-related tasks, such as disaster prevention and mitigation, and engineering department personnel, basic knowledge of the use of personal data may be sufficient.
Therefore, when designing guidelines and training courses to build a better understanding of personal data protection, it should be considered as creating a culture within the organisation that encourages employees to always treat the personal information of the people like it was their own.
Meanwhile, making employees more conscious and understand fully about personnel data protection may require other tools, such as handbooks for guidance and documents with information about the law, guidelines and cases in other countries. If outside consultants are hired, the organisation must ensure that the staff within the organisation have opportunities to engage and work closely with them. The training staff will benefit from knowledge transfer and be able to continue the data protection duties and operation even when the outsourced services end.
The protection of personal data is not just about the issue of systemic and technical security. It also means raising awareness, understanding, and having the tools for staff to work effectively. Therefore, to create an excellent personal data protection system, the organisation must prepare its personnel to be ready and capable because the “personnel” will be the driving force that allows the organisation to have a good system.