Singapore Updates Guidelines On Data Breach Notification, Accountability
Organisations in Singapore now are expected to take no more than 30 days to complete an investigation into a suspected data security breach and notify the authorities of the incident 72 hours after completing their assessment. These are part of new guidelines to help companies manage data breaches more effectively and are expected to be included in the upcoming amendment of the country's data protection act.
In addition, businesses are expected to notify authorities if a breach affects more than 500 individuals or where "significant harm or impact" to the individuals is likely to occur due to the breach, according to the Personal Data Protection Commission (PDPC), which oversees the act. Data intermediaries also should report potential data breaches to their parent organisation within 24 hours from when they first identify a suspected incident.
These guidelines were unveiled on Wednesday and incorporated feedback from previous consultations, said the PDPC, which added that it would review and further update them where necessary.
While just guidelines for now, with no regulatory repercussions, the commission said organisations in Singapore should make the required changes to facilitate detection as breach notification would be made mandatory as part of the upcoming amendments to the data protection act.
Such specifics were not stated in the Personal Data Protection Act when it was introduced in 2012 and plans for mandatory breach notification had been in the works for the last couple of years.
The PDPC also unveiled new guidelines for "active enforcement", which detailed the commission's approach in applying its regulatory powers to respond and act when dealing with data breaches. These included an "expedited decision process" to more quickly conclude investigations of "clear-cut data breaches"--specifically, incidents that were similar to previous cases with similar elements and where the organisation provided upfront admission of liability for the breach.
The commission explained that this move came after evaluating data breach incidents over the last four years and feedback from industry stakeholders.
The PDPC also announced a third public consultation on its proposed inclusion of a data portability law as part of its review of the data protection act. The regulator said such provisions would enable consumers to request that their data be moved between organisations, so data flow and data-sharing could be better supported across and within sectors.
"Data portability addresses the challenges faced by industries in accessing more diverse data or larger datasets for use in emerging technologies, such as artificial intelligence (AI) or Internet of Things (IoT) solutions, in order to generate better personalised products, services and insights, while creating incentives for competitive services and lowering barriers to entry for new entrants," it said.
For example, consumers could move profile histories and records such as transaction data and past purchases that impacted how services were delivered to them, including credit and loan repayments.
However, it noted, there had been calls for greater regulatory clarity on whether consumer consent was needed to access personal data for certain business purposes. This prompted PDPC to propose a set of "Data Innovation Provisions" in the act to provide clarity for organisations using personal data for specific, defined business purposes without the need for consent.
It now was seeking public feedback on several areas regarding its proposed data portability and data innovation provisions, including conditions under which such provisions would apply, scope of data covered and exceptions to such provisions, as well as when, and for which business purposes, organisations would be able to use personal data without consent.
According to PDPC, its push for data portability was in line with jurisdictions such as Australia, India, Japan, and the European Union, and crucial in boosting Singapore's standing as a data protection regime.
PDPC Deputy Commissioner Yeong Zee Kin said: "Data is a key enabler of digital transformation, but a balance must be achieved between data protection and business innovation. We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as test-bedding data breach notification measures."
The Singapore government last month said it had assembled a committee to review data security practices in the public sector, following a spate of breaches involving government entities, but remained firm on its decision to exclude such organisations from the PDPA. The new committee had been tasked to assess measures and processes, amongst others, related to the collection and protection of citizens' personal data by government agencies as well as vendors appointed to handle personal data for the government.
Reiterating the government's stance that the PDPA should not apply to public agencies because of "fundamental differences" in how these organisations operated, the Ministry of Communications and Information had said: "In order to enable a whole-of-government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations."