S'pore data protection enforcement needs bite

The Singapore government needs to appoint an agency with adequate authority and funds to effectively enforce its data protection guidelines, says consultant.

As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, such as appointing an official or agency for enforcement, according to a Singapore-based consultant.

Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore's data protection regime is still ongoing.

"We're currently looking into developing a data protection model that can best address Singapore's privacy concerns, commercial requirements and national interest," he said. "As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time."

In response to queries from ZDNet Asia, a spokesperson from the Ministry of Information, Communication and the Arts (Mica) said the inter-ministry committee involves public sector agencies including the Infocomm Development Authority, the Ministry of Trade and Industry, the Ministry of Finance, the Ministry of Home Affairs and the Attorney-General's Chambers.

According to him, the committee is reviewing various approaches including those of the United States, the European Union and Canada, as there currently is no established, uniform method to deal with data protection. "In shaping Singapore's own data protection regime, we will take into account such international perspectives, where relevant, as well as views from the public.

"Mica will share the details of the proposed framework at the appropriate juncture," the spokesperson added.

Joshua Chua, Deloitte & Touche's security and privacy leader for risk consulting in Southeast Asia, concurred. "As countries like the United Kingdom, the European Union and Hong Kong have already adopted such comprehensive laws, there are lessons that Singapore can learn from their experience," he pointed out.

According to Chua, Singapore currently has no specific data breach notification legislation that would mandate companies to notify regulators and the public in the event of a privacy breach or leakage of personal customer information.

UK, Australia ponder data breach notification

Last year in the United Kingdom and Australia, there was some debate and momentum in handling data breaches.

News of an impending data breach notification law surfaced in July when the Information Commissioner's Office said that the European Union's ePrivacy Directive would be a catalyst for such legislation in the country.

A study released in September 2008 underscored the importance of data breach regulations when it revealed that over half of U.K. organizations did not realize the potential impact of a security breach on their business, and only about one in four were compliant with data handling regulations set by the E.U.

In November, however, the U.K. government announced it would not implement a data breach notification law.

Australian Privacy Commissioner Karen Curtis said in her overview of the 2007-2008 Annual Report of the Office of the Privacy Commissioner that voluntary breach notification was an "important issue" that would occupy the Office in the 2008-2009 financial year, which commenced Jul. 1, 2008.

The Office also released a guide on handling information security breaches last August to help organizations prepare for and respond effectively to data breaches, as well as determine when it is appropriate to notify affected individuals.

Data breach notification laws typically require companies to establish procedures for handling data losses or leakages, Chua explained. Such a requirement can help companies be better prepared to handle data breaches.

"Companies become aware of when and how they need to notify the regulators and the public, and would also ensure certain mechanisms to be in place for restitution to their customers--typically in the form of free account monitoring for a certain period of time," said Chua. "This helps to preserve the trust of their customers, the regulators and the general public in the event of data loss incidents."

The Hong Kong Monetary Authority, for example, issued a customer data protection circular to all authorized financial institutions on Jul. 10, 2008, he noted. The document contained guidelines requiring banks in the Special Administrative Region to have specific data breach management procedures in place, and also to appoint a senior official responsible for incident management.

Appointed overseer needs bite

Adopting data protection practices and regulations is not without its challenges, noted Chua. First, unlike markets such as Hong Kong, Japan and the United States, Singapore does not have an overarching data protection or privacy law, nor is privacy protected under the constitution or general law. Instead, data protection and privacy are regulated via industry-specific laws and enforced by industry regulatory bodies, he explained.

"If a data breach notification law were to be introduced in Singapore without overarching data protection [or] privacy legislation in place, the companies would...need some time to interpret and understand which data would be specifically affected," Chua pointed out. "Since different industries interpret different data as 'customer' data, they would need to understand which data requires monitoring and notification in the event of a breach."

Another challenge is in identifying where the data resides, he said. For instance, if a data processing services provider were to suffer data loss or leakage, who should be held responsible for the breach or misuse of data--the service provider or its client which submitted the information for processing?

Ultimately, Chua noted, the challenges lie not so much in the development of the data protection law, but in ensuring its effectiveness. A country that enacts a comprehensive privacy law would appoint an official or agency responsible for ensuring compliance and overseeing enforcement, such as the Office of the Privacy Commissioner for Personal Data in Hong Kong.

Such agencies need to have the necessary enforcement power and funding in order to be truly effective, he added. "Singapore can learn from Hong Kong's example, where data breaches were occurring in spite of the existence of a data protection law and the Privacy Commissioner's Office.

"It was only after several serious data breaches that the Office finally got to receive the necessary funding and enforcement power to do its job, and this subsequently led to a safer environment in terms of data privacy and protection," Chua said, adding that the Office not only issued specific guidelines for incident management but also conducted inspections of companies that had breached data security regulations, scrutinizing their incident management and reporting procedures.

Companies, on the other hand, need to ensure they have incident response procedures in place, as poor handling of data breaches can cause further damage. The affected company also needs to understand how to respond to a particular incident--not every breach requires the notification process to be triggered. "Sometimes, it is sufficient just to strengthen the internal controls, while in other instances, the regulators and specific customers would need to be notified. Knowing which data is lost and what measures are necessary to address the data loss is very important," said Chua.

And while fines and jail terms are common deterrents, the framework should take on a "more holistic" approach to inculcate data security and privacy consciousness in people, he added, noting that education and training programs ought to be introduced at all levels.