Singapore Privacy Office Calls for Mandatory Data Breach Notice


By George Lynch

Companies doing business in Singapore should be required to provide notice of data breaches to regulators and affected individuals, the country’s privacy office proposed July 27 in a public consultation notice.

The privacy office also sought comment on a proposal to loosen consent rules for digital economy companies engaged in cutting-edge big data or artificial intelligence data analytics, for which the potential uses of information aren’t always known when the data is initially requested.

Replacing the current voluntary notification scheme with mandatory breach notice will bring new compliance costs and enforcement risks for companies. They would face new risk assessment and accountability obligations under the consent rules.

The public consultation period provides an opportunity for companies to make any concerns known about the breach notice and consent proposals. Comments are due by Sept. 21. The commission will review the comments before making any formal proposals.

Notice to the Personal Data Protection Commission and to individuals would be required where there is risk of harm to the individuals or where 500 or more individuals are affected. Companies would be required to notify the commission as soon as practicable, but not later than 72 hours after discovering a breach. Existing sectoral breach notice requirements, primarily the rules requiring banks to notify regulators of data breaches, would remain in place.

A breach notice requirement would better allow individuals to protect themselves after a breach and bring Singapore in line with other countries that are moving to make breach notice mandatory—such as Australia and the European Union—the commission said. The solicitation seeks public comments on possible changes to the Singapore Personal Data Protection Act 2012. The commission is reviewing Singapore’s framework privacy statute in light of the technological changes that have occurred and the digital economy’s rise since the law took effect in 2014.

Risky, ‘Significant’ Breaches

Singapore currently employs a voluntary approach to data breach notification that encourages organizations to notify the commission of breaches that might cause public concern or risk harm to individuals. This voluntary approach has resulted in uneven notification practices, the commission said.

The privacy office proposed mandatory notification to the commission and affected individuals for data breaches that pose “any risk of impact or harm to the affected individuals,” and for data breaches of significant scale involving 500 or more individuals, even if the breach doesn’t pose a risk of harm.

The proposal “embraces the realities of today’s digital world,” Steve Tan, data protection and cybersecurity partner at Rajah & Tann Asia in Singapore, told Bloomberg BNA July 27. “It will significantly bring about greater accountability in organizations with respect to personal data of individuals that they are processing,” he said.

The commission specifically solicited views on the number of individuals that would need to be affected for a breach to be considered significant.

The data breach requirement should be welcomed as a means to allow individuals “to take any appropriate action to mitigate the effects of the breach,” Chia Ling Koh, director of Singapore law practice at Osborne Clarke Verein in Singapore, told Bloomberg BNA July 27.

Alternative Consent

In addition to moving away from the voluntary breach notice model, the commission is proposing to relax the requirements for obtaining consent from individuals to process their personal information.

The privacy office suggests that parallel methods of consent and new accountability requirements for companies should be adopted to take into account big data and AI analytics where the exact uses for the information may not be known before its collection, it is impractical to obtain consent, and no adverse impact on individuals is anticipated.

The commission suggested moving to a “notification of purpose” consent model, under which the organization must show that it’s impractical to obtain consent and that the collection and use of the personal data isn’t expected to have any adverse impact on the individuals. The commission would not define “appropriate notification,” instead leaving it to companies to decide on a case-by-case basis.

Under the commission proposal, companies using the notification of purpose would have to conduct risk assessments and implement measures to mitigate identified risks.

The consultation document would create an exemption from the new notification scheme to allow companies to process personal data for a “legal or business purpose.”

The proposed shift from a strict consent basis to an accountability-based model is “commendable,” Tan said. The change will ensure that companies will be held more responsible for their internal personal data-handling processes, he said.

Koh said relaxation of the strict requirement to obtain consent for collecting, using, and disclosing personal data would be a welcome change. “A notification of purpose should be sufficient to protect the interests of the individual, provided the notice is clear and reasonably brought to the attention of the individual,” Koh said.

To contact the reporter on this story: George Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The public consultation document is available at http://src.bna.com/q8H.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
