Firms to get legal help in personal data protection

AS COMPANIES work towards developing a "smart nation" in a government push, they must also protect the personal data they collect at the same time.

Towards this end, Singapore's privacy watchdog will be beefing up its assistance to help them comply with the Personal Data Protection Act.

Dr Yaacob Ibrahim, Minister for Communications and Information, announced this yesterday at Singapore's second annual Personal Data Protection Seminar.

A legal advice scheme will help companies assess their level of compliance and determine what else they can do for a fixed fee of $500 for the first hour.

Typical fees for such a service can reach up to $1,000.

The Personal Data Protection Commission, which enforces the Act, is working with the Law Society of Singapore to launch the service next month.

"Personal data protection and cyber security are key factors to the success of Singapore's smart nation vision," Dr Yaacob said.

Urging the private sector and society to do their part to promote Singapore as a trusted data hub, he added: "If we don't do it right, people will not have the confidence to work with and engage our companies."

Fully enforced in July last year, the Act has provisions on how organisations may collect, use and disclose personal data.

The Act also requires organisations to take "reasonable measures" to protect personal data in their possession.

Help has also come in the form of two guides released yesterday.

The Guide To Securing Personal Data In Electronic Medium contains good cyber-security practices such as how sensitive data in unwanted electronic devices can be wiped out.

The Guide To Managing Data Breaches gives advice such as when end-users must be notified if their confidential information is leaked.

The commission developed the guides with the Government's high-level Cyber Security Agency, which was launched last month.

From next month, organisations can also check up to 1,000 numbers against the Do Not Call Registry free each year. This is double the number they are allowed to check free of charge today.

Such checks ensure that marketers do not call or text consumers who have opted out of receiving marketing messages.

The commission said 80 per cent of the 5,000 organisations to have set up accounts with it check fewer than 500 numbers a year.

Ms Tang Yock Miin, general manager at healthcare service provider Eu Yan Sang, said the newly announced legal scheme will come in handy for small and medium-sized enterprises as many do not have legal departments.

Mr Tan Kiah Hui, information privacy manager at childcare service provider Carpe Diem, agreed: "Legal fees are one of the biggest challenges for small and medium-sized enterprises."

His group has spent up to $7,000 for four to five hours of legal help with its data-protection readiness.

Merits of mandatory reporting of data breaches

Organisations in Singapore are still not required to report their data breaches although mature jurisdictions in Australia and New Zealand are pushing for such a law to be passed.

A data breach is when sensitive information, like consumers' personal details, is leaked or stolen.

Mandatory data-breach notification laws originating in the United States force companies to notify customers as well as the privacy commission when personal information is compromised.

Singapore privacy commissioner Leong Keng Thai said the Personal Data Protection Commission does not want to be "prescriptive" as "there is no one-size-fits-all approach".

"Organisations should assess the seriousness of the data breach and determine if they should notify the commission and affected individuals," he said, while noting that prompt notification can be a mitigating factor for companies being investigated for data breaches. The commission is investigating 140 complaints, of which fewer than 10 are related to unauthorised data disclosure.

Last September, two months after the Personal Data Protection Act was fully enforced, Singapore witnessed its biggest breach of personal data yet when the names, addresses as well as phone and identity-card numbers of local karaoke chain K Box's 300,000 members were posted online.

New Zealand privacy commissioner John Edwards said it is important to make reporting of data breaches mandatory "to even the playing field" so that it is not only the good and responsible companies that are reporting.

"If they do that, they look bad, whereas the companies that are not reporting might look like they have got better security," said Mr Edwards, who delivered the keynote address at the Personal Data Protection Seminar 2015.

Mr Edwards added: "If people don't know that their data has gone missing, they cannot do anything to avoid the harm of identity theft."


This article was first published on May 9, 2015.
Get a copy of The Straits Times or go to for more stories.