Privacy watchdog wants timeframe for reporting data breach

Singapore's privacy watchdog will soon mandate that organisations here report any breach of personal data, following a general consensus during a recent public consultation.

Revisions to the Personal Data Protection Act (PDPA) are expected to be tabled in Parliament next year, the Personal Data Protection Commission (PDPC) said yesterday.

The need for tougher breach reporting rules became more apparent after it was discovered last year that Uber had covered up a massive breach involving the personal details of about 57 million passengers and drivers.

The revised law will require individuals affected by a breach to be notified "as soon as practicable", and the PDPC to be notified no later than 72 hours after a breach is identified.

"Prescribing a cap of 72 hours provides clarity for organisations as to the definitive time by which they would have to notify the PDPC," said the privacy watchdog.

But several organisations had asked for more time.

Claiming that the 72-hour timeframe is not realistic, AsiaDPO president Huey Tan said during the consultation: "It adds unnecessary pressure to the incident management team (including data protection officers), and diverts time and resources away from the important task of identifying the facts and containing the incident."

AsiaDPO, a Singapore-based society comprising data protection officers, was one of the 62 organisations which participated in the consultation that concluded last October.

Recognising that organisations may need time to determine the veracity of suspected breaches, the PDPC will give them up to 30 days to assess if the breaches are eligible for reporting - similar to what is in place in Australia.

The 72-hour notification criterion will kick in only after this.

Initially, it had been proposed that at least 500 individuals must be affected by a breach before it becomes mandatory for an organisation to report it. The PDPC has removed the threshold and promised to provide a guide to help organisations assess the scale of breaches.

Google and Amazon Web Services, which participated in the public consultation, had welcomed the concession for Internet of Things devices.