Organisations have to ensure they secure consent from individuals whose data is being collected; use the data only for the purposes stated at the time the consent was sought; and destroy the data when the need for the original purpose for the data has ended.
While the data is stored and processed, organisations have to ensure the data is correct and accurate, and is secured from leakage to unauthorised parties. Tan cautioned that organisations could be fined up to S$1 million (US$784,000) by a Data Protection Commission for breaches of the DP law, and that both the organisation and the person responsible for data protection in the organisation would be held accountable.
Tan also briefed attendees on the "Do-Not-Call Registry", which is to be set up by the end of 2013. It is intended to allow individuals to opt out of receiving marketing messages by registering their Singapore phone numbers.
The registry rules cover marketing messages sent via telephone calls, SMS/MMS and faxes, with penalties amounting to S$10,000 (US$7,800) per breach, and up to S$1,000 (US$780) in composition fines.
An organisational perspective
Lim Shih Hsien, Executive Manager, Information Security, Hong Kong Jockey Club, presented an organisational perspective on data protection. He briefed attendees on the key elements of a data confidentiality and information security framework from a Hong Kong perspective, and provided some practical steps for organisations to manage the risks.
Lim Shih Hsien
Lim revealed that personal data access was the top concern of Hong Kong residents. "Eighty-four percent of Hong Kong residents are very or extremely concerned about unauthorised access to or misuse of their personal information," he shared.
Lim explained the Personal Data (Privacy) Ordinance (PDPO), introduced in 1995, which comprises six data protection principles (DPPs) covering the various aspects of data protection in Hong Kong. The six DPPs govern what organisations in Hong Kong should observe in the areas of data collection, storage and disposal.
One difference from Singapore's DP law is that the PDPO deals only with data relating to living individuals. "Understand your obligations and risks; start simple; mind your outsourcing arrangements; and push awareness relentlessly," concluded Lim when summarising how an organisation should approach implementing data protection.
With tighter data privacy laws, many organisations risk hefty legal penalties if they neglect the outbound risks of their cloud and enterprise e-services, which are accessible round the clock, by anyone worldwide, and increasingly via mobile devices. A lack of outbound protection can lead to the leakage of private data, the infection of visitors with malware, and the defacement of Web pages, all of which damage reputation and customer confidence.
Wong Onn Chee