By George Lynch
Companies doing business in Singapore should be required to provide notice of data breaches to regulators and affected individuals, the country’s privacy office proposed July 27 in a public consultation notice.
The privacy office also sought comment on a proposal to loosen consent rules for digital economy companies engaged in cutting edge big data or artificial intelligence data analytics for which the potential uses for information aren’t always known when data is being initially requested.
Replacing the current voluntary notification scheme with mandatory breach notice will bring new compliance costs and enforcement risks for companies. They would face new risk assessment and accountability obligations under the consent rules.
The public consultation period provides an opportunity for companies to make any concerns known about the breach notice and consent proposals. Comments are due by Sept. 21. The commission will review the comments before making any formal proposals.
Notice to the Personal Data Protection Commission and to individuals would be required where there is risk of harm to the individuals or where 500 or more individuals are affected. Companies would be required to notify the commission as soon as practicable, but not later than 72 hours after discovering a breach. Existing sectoral breach notice requirements, primarily the rules requiring banks to notify regulators of data breaches, would remain in place.
A breach notice requirement would better allow individuals to protect themselves after a breach and bring Singapore in line with other countries that are moving to make breach notice mandatory—such as Australia and the European Union—the commission said. The solicitation seeks public comments on possible changes to the Singapore Personal Data Protection Act 2012. The commission is reviewing Singapore’s framework privacy statute in light of the technological changes that have occurred and the digital economy’s rise since the law took effect in 2014.
Singapore currently employs a voluntary approach to data breach notification that encourages organizations to notify the commission of breaches that might cause public concern or risk harm to individuals. This voluntary approach has resulted in uneven notification practices, the commission said.
The privacy office proposed mandatory notification to the commission and affected individuals for data breaches that pose “any risk of impact or harm to the affected individuals,” and for data breaches of significant scale involving 500 or more individuals, even if the breach doesn’t pose a risk of harm.
The proposal “embraces the realities of today’s digital world,” Steve Tan, data protection and cybersecurity partner at Rajah & Tann Asia in Singapore, told Bloomberg BNA July 27. “It will significantly bring about greater accountability in organizations with respect to personal data of individuals that they are processing,” he said.
The commission specifically solicited views on the number of individuals that would need to be affected for a breach to be considered significant.
The data breach requirement should be welcomed as a means to allow individuals “to take any appropriate action to mitigate the effects of the breach,” Chia Ling Koh, director of Singapore law practice at Osborne Clarke Verein in Singapore, told Bloomberg BNA July 27.
In addition to moving away from a voluntary breach notice model, the commission is proposing to relax the requirements for obtaining consent from individuals to process their personal information.
The privacy office suggests that parallel methods of consent and new accountability requirements for companies should be adopted to take into account big data and AI analytics where the exact uses for the information may not be known before its collection, it is impractical to obtain consent, and no adverse impact on individuals is anticipated.
The commission suggested moving to a “notification of purpose” consent model, where the organization must show that it’s impractical to obtain consent, and that the collection and use of the personal data isn’t expected to have any adverse impact on the individuals. The commission would not define “appropriate notification,” instead leaving it to companies to decide on a case-by-case basis.
Under the commission proposal, companies using the notification of purpose would have to conduct risk assessments and implement measures to mitigate identified risks.
The consultation document would create an exemption from the new notification scheme to allow companies to process personal data for a “legal or business purpose.”
The proposed shift from a strict consent basis to an accountability-based model is “commendable,” Tan said. The change will ensure that companies will be held more responsible for their internal personal data-handling processes, he said.
Koh said relaxation of the strict requirement to obtain consent for collecting, using, and disclosing personal data would be a welcome change. “A notification of purpose should be sufficient to protect the interests of the individual, provided the notice is clear and reasonably brought to the attention of the individual,” Koh said.
To contact the reporter on this story: George Lynch in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
The public consultation document is available at http://src.bna.com/q8H.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.