Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, February 02, 2009

S’pore data protection enforcement needs bite

As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, such as appointing an official or agency for enforcement, according to a Singapore-based consultant.  Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore’s data protection regime, is still ongoing.  “We’re currently looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest,” he said.  As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.”

In response to queries from ZDNet Asia, a spokesperson from the Ministry of Information, Communication and the Arts (Mica), said the inter-ministry committee involves public sector agencies including the Infocomm Development Authority, the Ministry of Trade and Industry, the Ministry of Finance, the Ministry of Home Affairs and the Attorney-General’s Chambers.

According to him, the committee is reviewing various approaches including those of the United States, the European Union and Canada, as there currently is no established, uniform method to deal with data protection.

“In shaping Singapore’s own data protection regime, we will take into account such international perspectives, where relevant, as well as views from the public.  “Mica will share the details of the proposed framework at the appropriate juncture,” the spokesperson added.

Joshua Chua, Deloitte & Touche’s security and privacy leader for risk consulting in Southeast Asia, concurred.  According to Chua, there is currently no specific data breach notification legislation in Singapore, which mandates that companies notify regulators and the public in the event of a privacy breach, or leakage of personal customer information.

Last year in the United Kingdom and Australia, there were some debate and momentum in handling data breaches.  News of an impending data breach notification law surfaced in July when the Information Commissioner’s Office said that the European Union’s ePrivacy Directive would be a catalyst for such legislation in the country.  The Hong Kong Monetary Authority, for example, issued a customer data protection circular to all authorized financial institutions on Jul. 10, 2008, he noted.  The document contained guidelines requiring banks in the Special Administrative Region to have specific data breach management procedures in place, and also to appoint a senior official responsible for incident management.  Instead, data protection and privacy is regulated via industry-specific laws and enforced by industry regulatory bodies, he explained.

Companies, on the other hand, need to ensure they have incident response procedures in place, as poor handling of data breaches can cause further damage.,39044215,62050547,00.htm

Posted on 02/02