Singapore Personal Data Protection Commission (PDPC) has published a guide on data protection in the blockchain.
Some key points:
Permissionless blockchain:
- Any personal data published in-clear is a form of public disclosure. Personal data should only be written if consent for public disclosure has been obtained from the concerned individuals, or if the personal data is already available publicly.
- ASPs building applications should design their applications such that no personal data controlled by participating organizations is written on-chain either in cleartext, encrypted or anonymized forms.
- Organizations should avoid business use cases that require uploading any personal data on-chain in cleartext, encrypted or anonymized forms.
Permissioned:
Operators should:
- Curate participation in the network to only authorized organizations and impose binding requirements on them via the consortium agreement (e.g. restrictions on the kind of data that can be written on the network, further backed with technical controls, and restrictions on the behaviour of participants).
- Admit participation only by organizations that can ensure adequate protection of personal data in all their nodes, data centres and sub-processors to which the data is transmitted and on which it is stored. For example, they can do so by: (1) admitting participants only from jurisdictions with comparable standards of protection; (2) ensuring binding contractual obligations for comparable protection through consortium agreements between the operator and participants; or (3) requiring participants to obtain specified certification.
- Require participants to encrypt or anonymize personal data on-chain using industry standard algorithms or practices, so that only authorized participants are able to access the data with the decryption keys or identity matching tables provided through off-chain channels.
- Monitor and enforce against any perpetrators of personal data breaches on the network.
- Regularly review these technical measures (e.g. encryption or other privacy-preserving technologies).
Off-Chain Approach:
- ASPs should design their applications such that personal data is stored in an off-chain database or data repository, where traditional access control mechanisms can be instituted.
- Only a reasonably strong hash of the personal data, or a hash of the link to the off-chain database, should be written on-chain. Any change in the underlying data will generate a completely different hash.
Data Protection Management Program for Blockchain:
- Establish an oversight committee for the blockchain consortium, where relevant.
- Ensure that the data protection officer (DPO) of each participating organization of the blockchain consortium oversees proper PDPA compliance through the policies and processes of the blockchain application within his or her own organization and the consortium.
- Set policies and rules to determine the roles, responsibilities and rights of each participant in the blockchain application. Where possible, use legally binding mechanisms.
- Conduct a Data Protection Impact Assessment (DPIA) to identify and assess potential risks to personal data in the blockchain network and application.
- Regularly review the data protection and cybersecurity policies and processes put in place to ensure continued relevance in view of changes to technology, industry best practices and regulations.