Watchdog eyes timeframe for reporting data breach

Revisions to Personal Data Protection Act likely to be tabled in Parliament next year


Singapore's privacy watchdog will soon mandate that organisations here report any breach of personal data, following a general consensus during a recent public consultation.

Revisions to the Personal Data Protection Act (PDPA) are expected to be tabled in Parliament next year, the Personal Data Protection Commission (PDPC) said yesterday.

The need for tougher breach reporting rules became more apparent after it was discovered late last year that Uber had covered up a massive breach involving the personal details of about 57 million passengers and drivers.

The revised law will require individuals affected by a breach to be notified "as soon as practicable", and the PDPC to be notified no later than 72 hours after a breach is identified.

"Prescribing a cap of 72 hours provides clarity for organisations as to the definitive time by which they would have to notify the PDPC," said the privacy watchdog.

But several organisations had asked for more time.

Claiming that the 72-hour timeframe is not realistic, AsiaDPO president Huey Tan said during the consultation: "It adds unnecessary pressure to the incident management team (including data protection officers), and diverts time and resources away from the important task of identifying the facts and containing the incident."

AsiaDPO, a Singapore-based society comprising data protection officers, was one of the 62 organisations which participated in the consultation that concluded last October. The consultation also attracted responses from six individuals.

Recognising that organisations may need time to determine the veracity of suspected breaches, the PDPC will give them up to 30 days to assess whether a breach needs to be reported - similar to what is in place in Australia. The 72-hour notification deadline will start only after that assessment is complete.

Initially it had been proposed that at least 500 individuals must be affected by a breach before it becomes mandatory for an organisation to report it. The PDPC has removed the threshold and promised to provide a guide to help organisations assess the scale of breaches.

It has also approved a proposal for organisations to share blacklists for fraud detection and abuse prevention - which most of the respondents supported.

For example, if financial or telecommunication firms want to share among themselves data on customers with bad payment track records, they will not be required to seek those customers' consent.

Firms will also be allowed to collect and analyse the vast amount of data from Internet of Things (IoT) devices without the consumers' go-ahead, if they need this to improve services or user experience.

In all such cases, the businesses must prove that the consumers are not harmed in any way and the data is not abused.

Internet giants Google and Amazon Web Services, which participated in the public consultation, had welcomed the concession for IoT devices.

The move to implement these changes follows the lead of mature jurisdictions in the United States, Canada and Australia.


A version of this article appeared in the print edition of The Straits Times on February 02, 2018, with the headline Watchdog eyes timeframe for reporting data breach.