In what way are Singapore residents protected following a data breach in ways that India and Hong Kong residents are not?
Singapore laws mandate that affected individuals must be informed when significant harm is likely to occur as a result of a data breach. This requirement offers a level of protection to residents by ensuring they are aware of potential risks to their personal data. In comparison, neither India nor Hong Kong has similar provisions that explicitly require notification to individuals under such specific circumstances of likely significant harm.
Singapore - Under the current Act, a data breach constitutes a “notifiable data breach” if: it results in, or is likely to result in, significant harm to the affected individuals (including one that compromises personal data prescribed under the Personal Data Protection (Notification of Data Breaches) Regulations 2021); or it is of a significant scale (i.e. one that affects 500 or more individuals).
Hong Kong - There is no statutory definition of a data breach under the Ordinance.
India - “In the event of an info sec breach, the body corporate … shall be required to demonstrate [to agency] that they have implemented security control measures as per their documented info sec program and policies.” Under the DPDP Act, in the event of a personal data breach, Data Fiduciary is required to inform each affected Data Principal
Section 43A of the Information Technology Act, 2000 ("IT Act") required a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". The terms "sensitive personal data or information" and "reasonable security practices and procedures" were not sufficiently defined.
Exemption For Outsourcing Entities: The obligations under Rules 5 and 6 of the Data Privacy Rules (i.e., relating to the manner in which companies can collect and disclose "sensitive personal data or information") do not apply to Indian companies which collect, store, deal with or handle "sensitive personal data or information" under a contractual obligation with a legal entity.