September deadline looms for data protection
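Mark your calendars. From 1 September 2019, companies in Singapore need to assess whether they should collect, use or disclose customers' national identification numbers. Find out what you can do to mitigate potential data risks.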
Currently, the island state is one of three Southeast Asian countries with comprehensive data protection regulation and a government agency focused on data privacy and protection. The Personal Data Protection Commission (PDPC) was set up in January 2013 to “promote and enforce personal data protection”.
In a speech at the International Conference of Data Protection and Privacy Commissioners, Yeong Zee Kin, PDPC’s Deputy Commissioner said: “Singapore recognises that a robust data protection regime is an important foundation for the digital economy. In the digital economy, data is a strategic asset for companies.”
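“Data can help companies optimise the way they operate, improve existing products and services, or innovate new ones. We must comply with data protection law; this is a necessary condition, but it is no longer a sufficient condition in today's competitive and data-driven landscape,” said Yeong.
How the changes in the law affect companies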
The importance of personal data protection has been in the limelight over the last few years. In November 2017, the PDPC launched a public consultation on advisory guidelines covering national registration identity card (NRIC) numbers. It introduced the Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers on 31 August 2018 and set a compliance deadline of 1 September 2019.
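From 1 September this year, all companies are “expected to stop collecting or disclosing customers' NRIC and other national identification numbers, except where required by law or where necessary to establish or verify an individual's identity to a high degree of fidelity”.
The new guidelines apply regardless of whether a company has received consent from individuals to collect, use or disclose their identification numbers.
The guidelines will also apply to any other permanent identifiers, such as birth certificate, foreign identification or work permit numbers. The updated guidelines also cover partial identification numbers. Although passport numbers are changed periodically, whenever a new passport is issued, companies are to avoid collecting full passport numbers unless justified.
The PDPC's view is that indiscriminate collection or negligent handling of these identification numbers may increase the risk of unintended disclosure, and the numbers could even end up being used for illegal activities such as identity theft or fraud.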
According to the 2018 PDP Digest Protection of Sensitive Personal Data, the nature of sensitive personal data is not exhaustively defined – there is no express legislative definition. Rather, the definition incrementally evolves around the potential for harm brought about by improper collection, use or disclosure. The PDPC’s advisory guidelines and decisions also make frequent reference to the concept of sensitivity.
For example, in 2018, PDPC fined three insurance companies – Aviva, NTUC Income and AIF Asia-Pacific Insurance – for leaking personal policyholder data. Policyholders either received inaccurate statements in which their personal data was disclosed to an unrelated party or had a wrong contact number on their policy letter. According to PDPC, sensitive personal data includes names of the policyholder’s dependents or beneficiaries, the sum insured under the insurance policy, the premium amount and type of coverage.
What are the exceptions?
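Government agencies or any organisation acting on their behalf are exempted from this guideline.
Responding to this exception, a government spokesperson told local newspaper The Straits Times that the government is the issuing authority for the NRIC and uses it “to discharge its functions and services with citizens in a secure manner”.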
Personal identifiers may also be obtained or shared if required by law such as when subscribing to a new phone line, checking into a phone line or joining an organisation as a new employee.
Are you prepared?
Dell EMC interviewed 2,200 decision-makers around the world, covering the Americas, Europe, Middle East, Africa and Asia Pacific. The subsequent Global Data Protection Index 2018 found that although organisations are managing a greater volume of data, only 16% believe that their current data protection solutions will be able to meet future business challenges.
The survey also found that a surprising 76% of respondents’ organisations have suffered data disruption of some kind in the previous 12 months – from data loss to inability to recover data from their current data protection method or product.
In Singapore, PDPC is expected to enforce stricter rules around data protection and privacy compliance and will increasingly shift its focus from compliance to accountability among companies.
In a speech in October 2018, PDPC commissioner Tan Kiat How said: “accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is a demonstration that an organisation has put in place measures which pre-emptively identifies and addresses personal data risks.”
There is also heightened customer awareness of personal data privacy in Singapore with recent high-profile cases such as the theft of data of 14,000 people diagnosed with HIV and a data breach of 1.5 million SingHealth patient records.
The PDPC has also begun discussing other related issues, such as data breach notification across borders and data portability.
Next Steps
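Companies need to take concrete steps to ensure future data privacy compliance and mitigate potential data breaches.
Tools such as risk assessments, data protection management programmes and consent forms help to prevent and identify data protection risks.
There should also be at least one individual designated as data protection officer (DPO) to ensure compliance, although this does not absolve the company of its data protection obligations. While the DPO does not need to be physically present in Singapore, he or she must be contactable during Singapore business hours and must be able to handle queries and complaints on personal data protection matters.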
With the evolving personal data protection landscape and the increasing amount of legislation in this area, companies may need to rely on industry experts to ensure compliance.