Singapore has unveiled a competency framework and training roadmap to highlight core competencies it thinks data protection officers need to better support a digital economy. Its efforts here will include a year-long pilot training programme, based on the new framework, to train more than 500 such officers in its first intake.
The Personal Data Protection Commission (PDPC), which oversees the country's Personal Data Protection Act (PDPA), said its competency framework and training roadmap would provide "clarity" on the types of competencies and proficiencies data protection officers needed.
Under the PDPA, organisations in Singapore are required to appoint at least one individual as their data protection officer to ensure their organisation's compliance with the legislation.
Noting that data was a critical resource for enterprises, the PDPC said the establishment of robust data protection practices would support business innovation and growth, with data protection officers playing an integral role in ensuring the responsible use of data and driving data innovation.
The PDPC hoped that the framework would serve as a resource to support organisations in the hiring and training of these officers, using competencies and proficiency levels identified in the framework as a basis.
Alongside the National Trades Union Congress (NTUC), and its subsidiaries Employment and Employability Institute (e2i) and NTUC LearningHub, the PDPC planned to launch a 12-month pilot programme comprising data protection-related modules in the fourth quarter of 2019.
The commission said it also would be working with other training partners, including the Institute of Singapore Chartered Accountants, National University of Singapore Law Academy, Singapore Management University Academy, and Singapore Polytechnic. More details of these courses would be released at a later date, said the PDPC, adding that at least 500 data protection officers were expected to undergo the training programme in the first year.
NTUC's e2i CEO Gilbert Tan said: "Data is an increasingly vital resource needed for timely business decisions and this creates demand for emerging job roles and functions to manage data well. e2i, together with NTUC, will help to operationalise the new framework by reaching out to working professionals, whose job function includes data protection, and equipping them with relevant skillsets to manage, protect, and govern data."
Tan added that the vendor would work with the PDPC to curate content to support the training programmes, spanning entry-level professionals to regional senior management roles.
NTUC LearningHub CEO Kwek Kok Kwong noted: "As we leverage data to propel businesses forward, we must strike a balance and ensure data security and data privacy. This is where this framework comes into play and businesses must have data protection officers to advise them and help them enforce data protection."
Citing findings from its industry survey, the PDPC said 72% of companies in Singapore had acknowledged that good data protection practices could support business growth, but 39% were concerned whether their data privacy officers had the knowledge and skillsets to mitigate risks and recover from data breaches.
IMDA to oversee APEC cross-border privacy certification
Data protection officers also would have to manage cross-border data flows, which was increasingly complex as regional and global data regulatory environments were inconsistent. This underscored the need for mechanisms to help ensure trust that the data organisations received and shared were secured.
In this regard, the Infocomm Media Development Authority (IMDA) has been appointed as Singapore's Accountability Agent for the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) as well as Privacy Recognition for Processors (PRP) Systems certifications. This meant that companies looking to be APEC CBPR and PRP certified could apply to IMDA to do so.
Once certified, these organisations would be able to exchange data with other certified organisations in participating APEC economies, such as Japan and the US.
In a bid to drive certification efforts amongst local small and midsize businesses, IMDA would waive application fees for both APEC CBPR and PRP for these companies until June 30 next year.