Call for mandatory reporting of data breaches in Singapore

Experts have called for mandatory reporting of data breaches in Singapore to bring it in line with "mature jurisdictions" such as the US and Canada, the Straits Times reported.

28 Aug 2015

Speaking at the Data Privacy Asia conference in Singapore, Mikko Hypponen, chief research officer at Finnish security software maker F-Secure, said that it is simply "pragmatism" to require organisations to notify both customers and privacy commissions when personal data is put at risk, the Straits Times said.

"If your credit-card number had been stolen, you would want to know... to look out for (unauthorised) transactions. Similarly, if your password had been stolen, you would want to change it. The United States and Canada are doing the right thing and should be followed by the rest of the world," Hypponen said, according to the newspaper.

Other speakers supported Hypponen's argument, the Straits Times said.

Singapore's Data Protection Act came into force last year. It does not require companies to report breaches.

A guide to managing data breaches was also issued in May by Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC). When a data breach occurs, "in general, it is a good practice to notify individuals affected. Not only will this encourage individuals to take preventive measures to reduce the impact of the data breach, it will also help an organisation rebuild consumer trust," the guide says.

"Organisation could also be bound by legal or contractual obligations to notify affected individuals," it says, but does not give instances where this would apply.

The guide advises organisations to notify PDPC of data breaches that might cause public concern or where there is "a risk of harm to a group of affected individuals".

Leong Keng Thai, chairman of PDPC, told the conference that the Act is "still in the early phases of implementation and organisations require more guidance in achieving compliance".

The PDPC published updated regulations governing the appeals process for data protection in February.