Breach reporting part of revised data privacy laws to be tabled in Parliament

The revised law will require individuals affected by a breach to be notified "as soon as practicable" and for the Personal Data Protection Commission to be notified no later than 72 hours after a breach is identified.
The revised law will require individuals affected by a breach to be notified "as soon as practicable" and for the Personal Data Protection Commission to be notified no later than 72 hours after a breach is identified.PHOTO: ST FILE

SINGAPORE - Singapore's privacy watchdog will soon mandate that organisations here report any breach of personal data, following a general consensus during a recent public consultation.

Revisions to the Personal Data Protection Act (PDPA) are expected to be tabled in Parliament next year, the Personal Data Protection Commission (PDPC) said on Thursday (Feb 1).

The need for tougher breach reporting rules became more apparent after it was discovered late last year that Uber had covered up a massive breach involving the personal details of about 57 million passengers and drivers.

Specifically, the revised law will require individuals affected by a breach to be notified "as soon as practicable" and for the PDPC to be notified no later than 72 hours after a breach is identified. Several organisations had asked for more time.

"Prescribing a cap of 72 hours provides clarity for organisations as to the definitive time by which they would have to notify the PDPC," said the privacy watchdog.

Claiming that the 72-hour timeframe is not realistic, Mr Huey Tan, president of AsiaDPO, said during the consultation: "It adds unnecessary pressure to the incident management team (including data protection officers), and diverts time and resources away from the important task of identifying the facts and containing the incident."

AsiaDPO, a Singapore-based society comprising data protection officers, was one of the 62 organisations to participate in the consultation that concluded last October.

The consultation also attracted responses from six individuals.

Recognising that organisations may need time to determine the veracity of suspected breaches, the PDPC will give them up to 30 days to assess if the breaches are eligible for reporting - similar to what is in place in Australia. The 72-hour notification criteria will only kick in after this.

Initially it had been proposed that at least 500 individuals had to be affected by a breach before it became mandatory for it to be reported. However the PDPC has removed the threshold and promised to provide a guide to help organisations assess the scale of breaches.

However, the PDPC did approve a proposal for organisations to share blacklists for fraud detection and abuse prevention - which most of the respondents supported.

For example, if financial or telecommunication firms want to share data among themselves of customers with bad payment track records, they will not be required to seek customers' consent.

Firms will also be allowed to collect and analyse the vast amount of data that flows from Internet of Things (IOT) devices without the consumers' go-ahead, if they need this to improve services or the user experience.

In all such cases, the businesses must be able to prove that the consumer is not harmed in any way and the data is not abused.

Internet giants Google and Amazon Web Services, which participated in the public consultation, had given the concession for IOT devices the thumbs-up.

The move to implement these changes follows the lead of mature jurisdictions in the United States, Canada and Australia.