Governance & Risk Management , Incident & Breach Response , Security Operations
Singapore: Data Protection Group FormedAdvisory on Nation's Data Protection Commission
The Singapore-based Personal Data Protection Commission has formed a new data protection advisory committee, which counsels on matters of policy guidance and reviews key policy and enforcement issues under the Personal Data Protection Act 2012.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The 12-member committee represents members from different sectors - banking, healthcare, IT, public, social services and academia.
In a statement released to the media, Liew Woon Yin, chairman of Data Protection Advisory Committee says, "As we began to implement Singapore's Personal Data Protection Act, different policy and business issues were surfaced to DPAC members for advice in their domains. The new members will assist in the further development of Singapore's data protection framework."
The new committee members who will serve two-year terms are:
- Effendy Ibrahim, senior director, RTM & channel marketing, Asia-Pacific & Japan, Symantec Corp.;
- Hui Choon Kuen, deputy chief counsel advisory (Civil Division), attorney general chambers and dean, the AGC Academy;
- Lam Chee Kin, group head of compliance, DBS;
- Low Cheng Ooi, associate professor, chief medical informatics officer, Ministry of Health and Ministry of Health Holdings;
- Professor Steven Miller, vice provost and dean of School of Information Systems, Singapore Management University;
- Tina Hung, deputy chief executive officer and group director, service planning and development, National Council of Social Service.
The committee will soon convene to prepare its advice to the commission.
Leong Keng Thai, chairman of PDPC, says: "The data protection landscape continues to evolve. Recent global incidents of data breaches have heightened the need for organizations to improve their information security practices and be vigilant against cyberthreats.
"Individuals are more aware of how their data is used and managed. The DPAC plays an important role by providing perspectives of different business sectors and consumers so that PDPC can develop policies and effective and relevant frameworks."
Industry expert John Lim, president of the Sinapore chapter of ISACA, says that the current challenge is to provide protection to personally identifiable information while not placing too much of a burden on businesses through operating costs. "The commission is taking sufficient action in leveraging technology to protect the data," Lim says.
Singapore's Personal Data Protection Act was enacted in October 2012, with provisions relating to the Do Not Call Registry coming into effect in January 2014, and those relating to data protection in July 2014. The Act includes chapters, such as photography, analytics, anonymisation, online activities, National Registration Identity Card numbers and CCTVs, which are part of the Commission's advisory guidelines that are meant to clarify and advice on ow the law should be interpreted related to the mentioned aspects.
Data Protection Challenges
The PDPA establishes a data protection law with rules governing collection, use, disclosure and care of personal data. It recognizes both individual rights to protect personal data, including rights of access and correction, and organizational needs to collect, use or disclose personal data for legitimate and reasonable purposes.
However, security experts do not rule out challenges inherent in the protection of the data. For instance, Robert Sin Hock Poh, director of Singapore Programme at Financial Services Information Sharing and Analysis Center, observes that this is an evolving concept, requiring public awareness, especially among corporations, SMEs and individuals.
"The policing of compliance policies and the cost are a challenge," Poh says.
Against this backdrop, the leaders have set expectations for the committee. Considering the committee's diversity, Poh suggests establishing a balanced framework and policies to improve the adoption and practices desired by PDPC.
"This could include taking account of the data protection methods and techniques by different industries and ensuring individuals are aware of their rights regarding protection of their privacy," Poh says.
Lim expects the committee to harness the diverse experiences and backgrounds to address concerns of PII in various sectors of society and industries.
ISACA's Lim believes businesses must take a comprehensive approach not to flout the law regarding PIL.
"For companies with an effective information policy, it is easy to address PII protection," Lim says. "For those without, it is time to adopt one."
PDPA will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. Organizations must comply with the PDPA, the common law and other laws specific to their industry when handling personal data.
However, FS-ISAC's Poh underscores education, awareness-building and protecting data against misuse. "It's important to be educated and informed of the need to protect individual private information and the impact of not doing so."