Singapore privacy watchdog proposes mandatory reporting of data breaches

It will soon be mandatory for organisations to report personal data breaches to the privacy commission and inform customers.
It will soon be mandatory for organisations to report personal data breaches to the privacy commission and inform customers.PHOTO: AFP

SINGAPORE - It will soon be mandatory for organisations to inform customers of personal data breaches as soon as they are discovered - if a proposed revision to the law gets the green light.

Organisations must also report the breach to the privacy commission within 72 hours.

The move by the Personal Data Protection Commission (PDPC) follows the lead of mature jurisdictions in the United States, Canada and Australia. The revision comes three years after Singapore's Personal Data Protection Act came fully into force in July 2014.

It is also part of Singapore's concerted push to deepen trust to grow its digital economy, and will work  with existing laws and a newly-proposed Cybersecurity Act to protect critical systems from cyber attacks.

Minister for Communications and Information Yaacob Ibrahim said: "In the event of data loss or breaches, it is important that individuals' interests are protected."

He was speaking at Singapore's fifth annual Personal Data Protection Seminar on Thursday (July 27) to launch a public consultation on the proposed changes.

He added that notifying consumers would allow them to take steps such as change a leaked password or cancel a compromised credit card to protect themselves. Notification must be done as soon as the breach is discovered.

Similarly, organisations must notify the PDPC within 72 hours of discovering a personal data breach if the incident involves 500 or more individuals. This is to allow PDPC to better ascertain the level of risk and manage data breaches at the national level.

If the breach involves critical infrastructures such as those in the energy, telcommunications or transport sectors, organisations must also notify the Cyber Security Agency - as proposed in the new Cyber Security Bill expected to be tabled in Parliament later this year.

Said PDPC in the consultation document: "The current voluntary approach to notification has resulted in uneven notification practices across organisations."

Mr Tan Kiat How, Singapore's privacy commissioner, told an audience of 800 people that the PDPC has taken enforcement action against 300 organisations to date with most of them receiving an advisory notice. Over 30 of them were serious cases, however, with organisations fined or rapped for lax security.

A notable case is the September 2014 leak of the personal data of 317,000 customers of karaoke bar chain K Box, for which the firm was later fined $50,000 for lax security measures.

Under the proposed changes to the Personal Data Protection Act was also a concession for organisations to share blacklists for fraud detection and abuse prevention.

In anticipation of the growth of Internet of Things (IoT) devices - a term referring to home objects that have Web connections such as a security camera or connected fridge - PDPC also wanted organisations to be exempt from seeking individuals' consent to collect and analyse their data including images, addresses, names and e-mails.  This applies only when consumers do not experience, say, an increase in unsolicited calls. 

"Ubiquitous computing has changed the nature of data collection from active interaction to a passive one where devices seamlessly collect and transmit personal data across communications networks," according to the consultation document.

Because of the vast amount of information collected at Internet speeds, it may not be practical for organisations to seek the consent of individuals every time data is collected. Facilitating withdrawals of consent may also be challenging.

Dr Yaacob said the proposed legislation update reflects Singapore's ambition to become a trusted global hub for innovative uses of data.

"The most important determinant of whether we can realise the potential of data is not technology, but trust - trust that companies collect data sensibly, use them responsibly, and protect them well," he said.

The consultation will end on Sept 21.