"The DP Act requires you to 'reasonably' protect personal data on your Web or cloud portal, so outbound protection is required to pass the 'reasonableness' test," urged Wong Onn Chee, managing director of Infotect Security.
The presentations were followed by a lively panel discussion moderated by T.C. Seow, editor of CIO Asia magazine.
What happens to the personal data collected before the effective date of the Data Protection Act? Tan assured the floor that there was a provision in the act that allowed the continued use of those data for reasonable purposes.
Use of the data for new purposes would require new consent as stipulated in the Act. If the need based on the original purpose expires, there would still be a need to destroy that data. Delegates were apprised that the Do-not-call registry would not cover e-mails and postage mail, as spam was already covered by the SPAM Protection Act.
On exclusions from the new Act, personal data needed for emergencies and investigations would be exempt. The government sector is also excluded from the Bill. The DP Act sits with other laws in Singapore. For instance, where banking regulations require financial data to be kept for seven years, such data should not be destroyed under the DP Act.
Sign up for CIO Asia eNewsletters.