S'pore sets data protection law for 2012
update SINGAPORE--It took several years in the making but the nation is now ready to take another step closer to introducing a data protection regime, with the Singapore government announcing plans to put forth legislation for debate in parliament early-2012.
The proposed laws will provide a "baseline standard for data protection in Singapore", Lui Tuck Yew, minister for the Information, Communication and the Arts, indicated on Monday in a written response to a parliamentary question.
According to Lui, a review--initiated five years ago--to assess the need for a data protection system and the appropriate model for the country, has now been completed.
The government, he said, "concluded it would be in Singapore's overall interests" to put in place such a regime, designed to "protect individuals' personal data against unauthorized use and disclosure for profit".
"The proposed law is intended to curb excessive and unnecessary collection of individuals' personal data by businesses, and include requirements such as obtaining the consent of individuals to disclose their personal information," the minister said.
"It will also enhance Singapore's overall competitiveness and strengthen our position as a trusted hub for businesses and a choice location for global data management and processing services."
As part of the data protection regime, a Data Protection Council is expected to be established to oversee the implementation of the legislation, Lui added.
Meanwhile, the country's ICT regulator, the Infocomm Development Authority of Singapore (IDA), will engage relevant stakeholders in further consultation and work to address concerns from the "public, private and people sectors".
An IDA spokesperson said in an e-mail to ZDNet Asia that the agency expects to provide more details about the framework for consultation toward the end of this year. "IDA will consider the interests of consumers as well as the impact to businesses to ensure the eventual framework is balanced," she said.
For the time being, data will continue to be protected under sector-specific laws such as the Banking Act, Statistics Act, Official Secrets Act and common law, she added. "The Model Data Protection Code, introduced in 2002 for voluntary adoption by the private sector, will also govern the use of personal information by the government and other companies that have adopted it."
Organizations must act now
Bryan Tan, director at Keystone Law, told ZDNet Asia in a phone interview that he expects the legislation to be in place fairly quickly, given that this is the first time local authorities have "put a date" to introduce the data protection regime.
The impetus for rolling it out may have stemmed from earlier reports that personal and contact information of key government officers here had been leaked, Tan revealed.
The Singapore-based lawyer said he expects compulsory data breach notification to be a component of the new legislation. The requirement for businesses to reveal in the event that customer data has been compromised will be an extension of current laws governing the banking sector, he explained.
In the United Kingdom, a data breach notification law was debated but the idea was eventually dropped in 2008. Over in Australia, businesses report data breaches on a voluntary basis.
According to Tan, "controversial" elements of the upcoming data protection legislation would include the "definition of what is protectable data", as well as how penalties will be imposed.
"Are they [going to be] civil damages, which means you got to go to court and sue, or will they be penal, like Hong Kong's Personal Data and Privacy Ordinance?" he questioned.
With the impending arrival of data protection laws, businesses in Singapore will need to start making preparations, he said. In a circular Tuesday, the lawyer advised enterprises operating here to reexamine their databases and data collection practices.
Tan explained in the phone interview: "[Companies] shouldn't be buying offers for [customer] databases...that's going to be useless in a year's time. You wouldn't have any basis for collecting it...retaining it...[and] using it.
"That particular business model is going out of the window," he said.
Businesses also need to assess what customer and employee data they have and whether they know where the data resides.
"Once the legislation comes in, if you are still holding on to information you shouldn't be holding on to, or worse, are holding on to information that you shouldn't be and don't even know where it is, then you are looking at [trouble]," he warned.