Singapore updates guidelines on data breach notification and accountability

Expected to be included as part of the upcoming amendment to the country's data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.

Organisations in Singapore are now expected to take no more than 30 days to complete an investigation into a suspected data security breach and notify the authorities of the incident 72 hours after completing their assessment. These are part of new guidelines to help companies manage data breaches more effectively and are expected to be included in the upcoming amendment of the country's data protection act. 

In addition, businesses are expected to notify authorities if a breach affects more than 500 individuals or where "significant harm or impact" to the individuals is likely to occur due to the breach, according to the Personal Data Protection Commission (PDPC), which oversees the act. Data intermediaries should also report potential data breaches to their parent organisation within 24 hours from when they first identify a suspected incident.


These guidelines were unveiled on Wednesday and incorporated feedback from previous consultations, said the PDPC, which added that it would review and further update them where necessary. 

While these are just guidelines for now, with no regulatory repercussions, the commission said organisations in Singapore should make the required changes to facilitate detection, as breach notification would be made mandatory as part of the upcoming amendments to the Data Protection Act.

Such specifics were not stated in the Personal Data Protection Act when it was introduced in 2012 and plans for mandatory breach notification have been in the works for the last couple of years. 

The PDPC also unveiled new guidelines for "active enforcement", which detailed the commission's approach in applying its regulatory powers to respond and act when dealing with data breaches. These included an "expedited decision process" to more quickly conclude investigations of "clear-cut data breaches" -- specifically, incidents that were similar to previous cases and where the organisation provided upfront admission of liability for the breach. 

The commission explained that this move came after evaluating data breach incidents over the last four years and feedback from industry stakeholders. 

The PDPC also announced a public consultation on its proposed inclusion of a data portability law as part of its review of the Data Protection Act. The regulator said such provisions would enable consumers to request that their data be moved between organisations, so data flow and data-sharing could be better supported across and within sectors.

"Data portability addresses the challenges faced by industries in accessing more diverse data or larger datasets for use in emerging technologies, such as artificial intelligence (AI) or Internet of Things (IoT) solutions, in order to generate better personalised products, services and insights, while creating incentives for competitive services and lowering barriers to entry for new entrants," it said. 

For example, consumers could move profile histories and records such as transaction data and past purchases that impact how services are delivered to them, including credit and loan repayments. 

However, it noted, there have been calls for greater regulatory clarity on whether consumer consent is needed to access personal data for certain business purposes. This prompted PDPC to propose a set of "Data Innovation Provisions" in the act to provide clarity for organisations using personal data for specific, defined business purposes that do not require consent. 

It is now seeking public feedback on several areas regarding its proposed data portability and data innovation provisions, including the conditions under which such provisions would apply, the scope of data covered and exceptions to such provisions, as well as when organisations would be able to use personal data without consent.

According to PDPC, its push for data portability is in line with jurisdictions such as Australia, India, Japan, and the European Union, and will be crucial to boosting Singapore's standing as a data protection regime. 

PDPC Deputy Commissioner Yeong Zee Kin said: "Data is a key enabler of digital transformation, but a balance must be achieved between data protection and business innovation. We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as test-bedding data breach notification measures."

The Singapore government last month said it had assembled a committee to review data security practices in the public sector, following a spate of breaches involving government entities, but remained firm on its decision to exclude such organisations from the PDPA. The new committee has been tasked to assess, among other things, measures and processes related to the collection and protection of citizens' personal data by government agencies as well as vendors appointed to handle personal data for the government.

Reiterating the government's stance that the PDPA should not apply to public agencies because of "fundamental differences" in how these organisations operated, the Ministry of Communications and Information had said: "In order to enable a whole-of-government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations."
