Coming Soon to Singapore: Mandatory Data Breach Notifications


Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.

Continue reading “Coming Soon to Singapore: Mandatory Data Breach Notifications”

Information Governance Gains Traction, Maturity, and Value Proposition: State of IG Report


The Information Governance Initiative (IGI) recently released its third annual “State of Information Governance” report . Highlights include a sharp rise in IG projects underway and a shift toward organizations deriving value out of properly stored data. Indeed, nearly twice as many respondents (176percent of prior-year baseline) indicated that they are extracting business value from their information.

While external factors to include data breaches and data privacy regulations largely drive IG projects, there is mounting internal pressure to reduce storage costs, limit exposure to potential data breaches, and consolidate data. IGI found that respondents overwhelmingly agreed that information governance is an essential component of internal and external cybersecurity.

Below are key takeaways from the report, including respondent results and IGI’s analysis and recommendations.

Continue reading “Information Governance Gains Traction, Maturity, and Value Proposition: State of IG Report”

Recap of Our General Data Protection Regulation Webinar Series


In preparation for the General Data Protection Regulation (GDPR), set to take effect in the EU on May 25, 2018, we have hosted a series of webinars to help attendees navigate the changing data protection landscape. The GDPR is the EU’s most important change in data privacy regulation in 20 years, replacing the 1995 Data Protection Directive, and will affect any company that processes data pertaining to individuals in the EU. Please find more information on the presentations below:

United States Is First Country to Join APEC Privacy Recognition for Processors Program


The United States recently became the first country to participate in the new Asia-Pacific Economic Cooperation (“APEC”) Privacy Recognition for Processors (“PRP”) program.  Finalized in 2016 and designed to certify privacy compliance for personal information processors within the Asia-Pacific region, the PRP program offers a trustmark certification to processors that demonstrate their capacity to assist data controllers in complying with relevant privacy obligations.  According to APEC, the PRP program was created so that (1) data controllers are able to identify qualified data processors to implement data controllers’ data processing obligations, (2) data processors are able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements, and (3) small and medium-sized institutions are able to gain exposure and visibility into a global data processing network.  Continue reading “United States Is First Country to Join APEC Privacy Recognition for Processors Program”

Singapore Addresses Confidentiality of Electronic Patient Records in New Healthcare Services Bill


Singapore’s Ministry of Health (MOH) recently drafted a new Healthcare Services (HCS) Bill aimed to bridge the gap between the country’s changing healthcare needs and technological advances.  According to the MOH, the healthcare landscape in Singapore is undergoing significant changes, including an ageing population, increased chronic disease prevalence, and advancements in medicine and health technologies.  The HCS Bill will “better safeguard the safety and well-being of patients, while enabling new and innovative services that benefit patients to be developed, in the changing healthcare environment.”

Currently, healthcare providers in Singapore are licensed and regulated under the Private Hospitals and Medical Clinics Act (PHMCA), which was designed to protect patient safety through the licensing of physical healthcare premises.  But, brick and mortar locations are quickly becoming a thing of the past as more and more healthcare services are delivered through mobile and online channels.  MOH intends to respond to this shift by repealing the PHMCA and replacing it with this new HCS Bill.

Continue reading “Singapore Addresses Confidentiality of Electronic Patient Records in New Healthcare Services Bill”

Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR


The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency.  Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP 29 working party will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent can be read here.

Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entails. Transparency applies in three central areas:

  • The provision of information to data subjects related to the fair processing of their personal data.
  • How data controllers communicate with data subjects in relation to their rights under the GDPR.
  • How data controllers facilitate the exercise by data subjects of their rights.

Continue reading “Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR”