Assessing Singapore’s data breaches

Singapore’s public agencies will assess data breaches on a case-by-case basis

Dr Janil Puthucheary, a senior minister of state for communications and information and transport, states that every case needs to be looked at on its own: what has been accessed, what the circumstances are, and what potential impact it may have on the affected citizen.

Some Members of Parliament have expressed concern and raised questions on whether affected citizens have the right to know, in a timely manner, if their data is compromised while in the care of public agencies. At present there is no mandatory reporting requirement, only general guidelines on how citizens should be approached; each case will be analysed on its own and all relevant factors will be taken into account.

The government has increased the number and types of internal IT audits as one of the measures implemented to protect information. Citizens who suspect that their data has been misused or hacked can complain to GovTech, or make a police report if a crime is suspected.

Dr Bostjan Makarovic, Aphaia Managing Partner, comments: “Singapore has so far not been endorsed by the European Commission as a jurisdiction that has a comparable level of protection of personal data to GDPR but that could change in the future.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

5G expansion privacy risks

The expansion of 5G mobile technology around the world promises to bring faster downloads and quicker network response times, but also a lot more concerns about privacy.

In the USA, 5G will allow for the possibility of more precise location tracking, as well as the opportunity to collect vast amounts of additional personal data.

Unfortunately, due to the short range of 5G, more cell towers will need to be built, meaning that each new tower will cover a much smaller area and give more precise location data.

The European 5G Action Plan’s main goal is to make 5G a reality for all citizens and businesses by 2020. 5G will provide virtually ubiquitous, ultra-high bandwidth, and low latency “connectivity” not only to individual users but also to connected objects. It will also be the “eyes and ears” of Artificial Intelligence systems as it will provide real-time data collection and analysis.

The digital European single market that is being envisioned will also open up new services: remote collaboration using VR, online health monitoring, connected and self-driving cars and drone deliveries are all cited as potential new markets enabled by 5G.

Privacy risk and 5G

In the USA, 5G will entail more indoor towers, as it doesn’t penetrate walls very well. Towers in shopping malls, big office buildings, hotels and so on will become normal and will allow for more precise location data. Location is extremely sensitive. It reveals a tremendous amount about data subjects, and telecom companies need to be regulated to make sure that they are not using the data as they wish.

5G may also make widespread sensor networks possible, on every telephone pole or street corner. Those might detect people doing things. 5G can also be used to track people and, if it is not regulated, the selling of location data can become one of the biggest issues of our generation.

Dr Bellovin advocates for clearer regulation of what carriers can do with location data, which in his opinion should be nothing.

Dr Bostjan Makarovic, Aphaia Managing Partner, believes that European users are generally well-protected by the ePrivacy Directive when it comes to their location data. “5G might not be unique compared to 4G or even widespread wifi networks. But together with IoT sensors, for example, privacy issues are expected to be amplified in the age of 5G.”

At the same time, the European Commission is racing to make 5G available quickly and pushing for investment in the sector for new tech, but at what cost? Cybersecurity agencies such as ENISA have stated that 5G connections come with a medium to high risk of cybersecurity attacks because there are not enough safeguards in place to make sure the new networks will be secure.


GDPR and email: minimise the transfers!

‘Human error’ was blamed for Kent Council’s email breach. Such a situation may involve penalties ranging from a simple warning by the supervisory authority, the ICO in this case, to fines of 20 million euros.

An email including the contact details of more than 300 adoptive parents and some support workers was mistakenly shared by an employee. That is not to say that Kent Council did not follow the right procedures. Afterwards, the mistake was identified and reported to a manager, who immediately took the relevant steps according to the internal procedures. An attempt was also made to recall the email that disclosed the contact details of the adoptive parents.

A lot of parents are worried and angry because of the negative impact this accidental disclosure of their confidential personal details might have if the birth families were to come across the information.

“We are all looking after vulnerable children, and many of us have concerns over birth families tracking down our children. The implications of such a data breach could be very serious,” a parent stated.

Data protection breaches are terrifying and very disruptive to the lives of adoptive parents. Not only do they put the parents’ safety at risk, but also the safety of their children.

The council has apologised to parents and pledged to improve security procedures. Good risk management will also ensure that checks and controls are in place to limit the chance for these mistakes to happen in the first place.

But in the case of a human error such as this one, the council must go over how the breach occurred and ensure, through extensive staff training, that additional steps are taken to prevent a similar mishandling of data.

There doesn’t seem to have been any action taken by the ICO yet regarding the breach, but the council said it was investigating whether the breach met the threshold required for reporting to the ICO, which in this case it clearly does.


Data protection and Brexit

A ‘no deal’ Brexit is looking like a real possibility the closer we get to March 29th. So what would a ‘no deal’ Brexit mean for data protection?

Summary of the situation:
On June 23rd 2016, a referendum was held to decide whether the UK should leave or remain in the European Union. The Leave camp won by 51.9% to 48.1%.
The Brexit process was then triggered on March 29th 2017, giving the UK a two-year window to agree on separation terms. However, thanks to a European court ruling, the UK still has a chance to stop Brexit by deciding to stay in the EU at any time up to the deadline of March 29th 2019.

With less than a month left to go, it is very likely that Brexit will occur, whether there is a deal or ‘no deal’ in place.

Today

There is currently free movement of data between the United Kingdom and the European Union, but that might not be the case for much longer. Or is that so?
According to the British government, data transfers from the UK to the EU will continue under existing practice, even after Brexit, due to the UK Data Protection Act 2018. The DPA 2018 mirrors GDPR to the point that we shouldn’t expect a big shift in the conditions in place, as it is designed to allow a free flow of data into the EU.

Here are a few more facts from Elizabeth Denham – UK Information Commissioner:
⁃ In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.
⁃ Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.
⁃ ‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy an uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months. Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.

 

As Brexit is soon approaching, at Aphaia we are here to help with any related aspect.
