Admit data breaches, get lower fines: PDPC comes up with initiatives to strengthen data accountability
Privacy watchdog tells organisations what they must do to avoid full investigations and heavy penalties
A digital marketing agency was hit with a financial penalty of $18,000 in 2017 for disclosing the personal data of individuals, including 155 children, online after the information was collected for social media contests.
The agency had created nine webpages for internal use containing the particulars of these individuals, such as names, contact numbers, occupations and e-mail addresses.
Two of the nine pages contained the names and ages of 155 children.
These pages were taken down two months after the agency was informed about the disclosure, and some information could have been left online for more than two years.
This was one of the many cases the Personal Data Protection Commission (PDPC) referenced before coming up with initiatives to encourage organisations to be responsible about their data.
These initiatives will strengthen data accountability and facilitate movement and use of data to support innovation, the PDPC said in a press release yesterday.
In a new expedited process, organisations that admit their role in data breaches may not be subjected to a full investigation.
Examples of such breaches include URL manipulation, poor password management or printing errors resulting in incorrect recipients.
The admission can also be taken as a mitigating factor and result in lighter penalties.
Alternatively, the PDPC will not investigate and will instead allow organisations to resolve a data breach themselves if they can show that they have proper accountability practices in place, together with monitoring and remediation plans for a data breach.
Under the Personal Data Protection Act (PDPA), organisations can be given a financial penalty of $1 million for their role in breaches.
Such measures will allow the PDPC to conclude investigations on clear-cut breaches quickly, as a full investigation can last for more than a year.
The PDPC also introduced recommendations on how organisations should respond to a data breach, and on whether and when the PDPC needs to be notified about the breach. For example, the PDPC should be informed if more than 500 people are affected, or if significant harm or impact is likely to occur.
The organisations' internal investigations should take no more than 30 days, and if the thresholds are met, they should inform the PDPC no later than 72 hours after the investigations are completed.
A public consultation has also been started to seek views on introducing data portability and data innovation provisions into Singapore's data privacy laws.
It is part of the ongoing review of the PDPA. Data portability provisions will allow consumers to request that their data be moved across organisations. For example, consumers could move records such as transactional data of loan or credit repayments and potentially reduce the costs of switching service providers.
Feedback and views will be sought on key areas such as making clear when organisations may use such personal data without consent for appropriate business purposes, as well as the impact of data portability on the consumers, the market, and the economy.
The consultation started yesterday and will end on July 3.
PDPC's deputy commissioner Yeong Zee Kin said that while data is important in digital transformation, a balance must be struck between data protection and business innovation.
"We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as test-bedding data breach notification measures," he added.
Welcoming the initiatives, cyber security expert Jonathan Phua said the guide sets out what constitutes good cyber security, which not all companies know how to practise.
He said: "Many think that having good cyber security is just about having the appropriate technology to guard your data, but it is more than that.
"Companies also need to have proper processes like conducting internal audits and ensuring their staff is aware of cyber hygiene."