First Grounds of Decision on Data Protection Breaches in Singapore issued by the Personal Data Protection Commission
MAY

On 21 April 2016, the Personal Data Protection Commission ("PDPC") issued its first Grounds of Decisions interpreting the scope of various obligations under the Personal Data Protection Act ("PDPA"). The Grounds of Decision are the first rulings by the PDPC on various issues under the PDPA, including:

- breaches of the obligation to protect personal data generally;
- what constitutes "reasonable security arrangements";
- who is a data intermediary;
- what is personal data;
- the scope of deemed consent;
- application of the "necessary for the individual" exception; and
- factors affecting the PDPC's enforcement action.

The Grounds of Decision accordingly merit careful review. This Update will examine the key findings set out in the Grounds of Decisions.

Breaches of Protection Obligation Generally

Section 24 of the PDPA (the "Protection Obligation") requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Examples of breaches of the Protection Obligation

In its decisions, the PDPC highlighted that failure to effectively manage an IT service provider was evidence of a breach of the Protection Obligation. For example:

- In the decision against Challenger Technologies Limited ("Challenger") and Xirlynx Innovations (Case No: DP A103, [2016] SGPDPC 6), Challenger was held to have breached the Protection Obligation because it had neglected to exercise control over [its IT service provider's] workflow in the processing of Challenger's ValueClub membership database and the sending of communications to ValueClub members. Challenger had left it to the IT service provider (its data intermediary) to implement security measures and had not considered what requirements it would want to implement to fulfil its data protection obligations.
- In the decision against K Box Entertainment Group Pte. Ltd. ("K Box") and Finantech Holdings Pte. Ltd. ("Finantech") (Case No: DP-1409-A100, [2016] SGPDPC 1), K Box was held to have failed to effectively manage its data intermediary to protect personal data. K Box had never emphasised the need for data protection and [Finantech's] obligation towards K Box under the PDPA or informed Finantech of its data protection obligation after September 2014, and did not include any contractual clauses that required Finantech to comply with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards.

These findings indicate that to comply with the Protection Obligation, an organisation cannot delegate all responsibility for protection of personal data to its vendors without actively managing them as data intermediaries.

Examples of poor data handling practices

Other decisions highlighted poor data handling practices which organisations should steer away from:

- The Singapore Computer Society was given a warning (Case No: DP-1504-A390, [2016] SGPDPC 9) for poor data handling practices of (i) not protecting its registration list with a password, and (ii) sending such a registration list in the same email as a draft invite to the public (such that there was a high risk of an employee inadvertently forwarding the entire registration list outside the organisation).
- In the decision against K Box, personal data of over 90,000 members was sent via an unencrypted Excel file through Gmail.
- In the decision against Full House Communications Pte Ltd ("Full House") (Case No: DP-1503-A368, [2016] SGPDPC 8), a warning was issued for failure to protect personal data by enabling the auto-fill function for drop-down boxes, for a lucky draw form which was to be filled up on the spot using the organisation's laptop.
- In the decision against Fei Fah Medical Manufacturing Pte. Ltd. ("Fei Fah") (Case No: DP-1409-A145, [2016] SGPDPC 3), the PDPC cautioned against encryption of passwords using a common MD5 hash.

What Constitutes Reasonable Security Arrangements?

The PDPC also gave examples of failures to make reasonable security arrangements as part of the Protection Obligation, such as:

- In the decision against Metro Pte Ltd (Case No: DP-1504-A421, [2016] SGPDPC 7), not addressing SQL injection vulnerabilities which had been highlighted in earlier IT security audits;
- In the decision against the Institution of Engineers Singapore ("IES") (Case No: DP-1411-A213, [2016] SGPDPC 2), vulnerabilities such as cross site scripting and SQL injections were not addressed, and IES did not take reasonable security arrangements such as storing passwords in encrypted form, conducting audits on outsourcing vendors and conducting penetration testing;
- In the decision against Challenger, the failure to sample and proof read e-statements before they were sent out; and
- In the decision against K Box, the failure to enforce the password policy, not removing unused accounts, failure to utilise newer versions of software libraries, and failure to conduct audits on database security.

Who is a Data Intermediary?

Determination whether organisation is a data intermediary by PDPC

The decisions shed some light on how the PDPC determines whether an organisation is a data intermediary for another. Notably, in the K Box decision, notwithstanding that contracts between K Box and Finantech (its IT service provider) were only quotations which were confirmed and accepted by K Box, the PDPC held Finantech to be K Box's data intermediary.

Organisation responsible for data processed by data intermediary

This serves as a warning to organisations that they may ultimately be held responsible for the personal data processed by their service providers. Under the PDPA, an organisation has the same obligations in respect of the personal data processed on its behalf and for its purpose by its data intermediary as if the personal data were processed by the organisation itself. Organisations should therefore be careful to clearly set out each party's rights and obligations when contracting with vendors.

On the facts of the Challenger decision, Xirlynx, an IT services provider, was also found to be a data intermediary because it handled marketing blasts for Challenger pursuant to a contract between them.

What is Personal Data?

Wide reading of what constitutes "personal data"

The decisions show that the PDPC generally takes a wide reading of what information can constitute personal data under the PDPA.

In the decision against IES, user IDs and passwords of members of the IES site were found to constitute personal data, because a person having access to a user ID and password could log in to the account and access the profile of the person registered under that user ID.

In the decision against Full House, the respondent had argued that no links could be drawn between information contained in different auto-fill drop-down fields in an electronic lucky draw form to identify an individual, because the information in each field was not arranged in chronological order. It argued that the information in each field by itself would only be generic information and not personal data. The PDPC rejected this argument, noting that the information in certain fields, e.g. a person's full name, address or identity card number, could be enough in itself to identify an individual.

Scope of Deemed Consent

Narrow scope of deemed consent?

One decision highlights that the PDPC views deemed consent as narrow and limited to the purposes for which the data subject actually provided consent on the facts.

In the decision against Universal Travel Corporation Pte Ltd ("UTC") (Case No: DP-1508-A496, [2016] SGPDPC 4), 4 customers requested formal documentation to confirm cancellation of their flights. UTC sent them a list containing the unredacted personal data of all 37 passengers on the same tour. On the facts, the PDPC found that UTC had not sought consent for such disclosure from the 37 passengers. The PDPC also found that deemed consent was not applicable in this decision, because the purposes for which the passengers submitted the data did not include the purpose of allowing another passenger to process his/her insurance claim.

Application of the "Necessary for the Individual" Exception

Rejection of argument that consent not required

In the decision against UTC, the PDPC rejected UTC's arguments that the disclosure of personal data without consent was permitted under the first exception under the Fourth Schedule of the PDPA, which states that consent is not required where the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way.

The PDPC clarified that "interests of the individual" in the exception refers to the interests of the data subject. On the facts, it was not in the interest of the other customers for their personal data to be disclosed to the 4 customers. The PDPC also noted that the data disclosure was not necessary, because there was no need to disclose the entire list as-is (the list could have been redacted before release), and finally that there was no urgency involved such that consent for disclosure could be obtained in a timely way.

Factors Affecting PDPC's Enforcement Action

Stricter penalties as a result of delay in cooperating with PDPC

From the decisions it is apparent that delays in cooperating with the PDPC may result in the PDPC imposing a stricter penalty on the organisation. For example:

- In the decision against Fei Fah, a financial penalty was issued, and the PDPC noted among other things that Fei Fah had provided incomplete and delayed responses and was generally uncooperative in investigations. Further, there were also undue delays in implementing remedial actions to address its data breach - more than 10 months after the discovery of the data leak.
- The PDPC noted in the decision against K Box and Finantech (where a financial penalty was issued) that there was a 7-month delay in complying with requests for information by the PDPC during investigations.

New Advisory Guidelines on the Enforcement of the Data Protection Provision

Advisory guidelines on powers and procedures of PDPC issued

The PDPC also issued a set of Advisory Guidelines on the Enforcement of the Data Protection Provisions on 21 April. These guidelines generally elaborate on the PDPC's powers and procedures in enforcing the PDPA, including:

- The main objectives and considerations the PDPC takes into account when exercising its enforcement powers under the PDPA; and
- Its approach in exercising its powers to issue financial penalties on organisations that have breached the PDPA, including the factors to be considered in deciding whether a financial penalty is to be issued, and aggravating and mitigating factors in calculating the financial penalty.

Impact on organisations

Given the recent PDPC enforcement decisions, organisations may wish to exercise prudence in the handling of personal data, and when conducting outsourcing involving the transfer of personal data, to ensure that such outsourced vendors comply with the relevant requirements under the PDPA and extend appropriate protection over the personal data.

Organisations should also be aware that the PDPC has wide enforcement powers in relation to breaches of the PDPA, including the power to conduct investigations, issue directions and warnings, and impose financial penalties of up to S$1 million. Data subjects also have rights of private action against an organisation for losses arising from the organisation's breach of its data protection obligations.

If you would like information on this or any other area of law, you may wish to contact the partner at WongPartnership that you normally deal with or any of the following partners:

- Lam Chung Nian, Partner (Head, Intellectual Property Practice; Head, Technology & Media Practice; Head, Telecommunications Practice; Head, Data Protection Practice)
- Jeffrey Lim, Partner
WHEN BUSINESS GETS PERSONAL A QUICK GUIDE TO THE PERSONAL DATA PROTECTION ACT 2012 FOR ORGANISATIONS PERSONAL DATA PROTECTION COMMISSION S I N G A P O R E www.pdpc.gov.sg Introduction Organisations today
More informationHHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
More informationBeacon Financial Group - Privacy Policy
Beacon Financial Group - Privacy Policy Including: Beacon Financial Group Pty Ltd ABN 33 162 734 152, The FinancialLink Group Pty Ltd ABN 12 055 622 967 and Interactive Mortgage and Finance Pty Ltd ABN
More informationData Protection Policy
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
More informationVIETNAM LAWS ONLINE DATABASE License Agreement Multi-user Subscription
VIETNAM LAWS ONLINE DATABASE License Agreement Multi-user Subscription A multi-user subscription to the Vietnam Laws Online Database is governed by the terms and conditions of this License Agreement. If
More informationDASHBOARD CONFIGURATION SOFTWARE
DASHBOARD CONFIGURATION SOFTWARE RECITALS: The Contractor has designed and a web site for Client, and has agreed to maintain the said web site upon the terms and conditions hereinafter contained.] NOW
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationWhat to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1
More informationCOLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010
---------------------------------------------------------------------------------------------- COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010 ----------------------------------------------------------------------------------------------
More informationPrivacy Policy Statement
Privacy Policy Statement Our Commitment While information is the foundation for providing you with superior service, protecting the privacy of your personal information is of the highest importance to
More informationPrivacy & Data Security: The Future of the US-EU Safe Harbor
Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT
More informationGUIDELINES FOR INVESTMENT ADVISERS AND INVESTMENT REPRESENTATIVES UNDER THE SECURITIES INDUSTRY ACT 1983
GUIDELINES FOR INVESTMENT ADVISERS AND INVESTMENT REPRESENTATIVES UNDER THE SECURITIES INDUSTRY ACT 1983 Date Issued: 4 March 2004 1 GUIDELINES FOR INVESTMENT ADVISERS AND INVESTMENT REPRESENTATIVES UNDER
More informationSecurity Posture Assessment(SPA)
Security Posture Assessment(SPA) Headquarters: Ofisgate Sdn Bhd (610820-A), 2-15 Jalan Jalil Perkasa 13 Aked Esplanad, Bukit Jalil, 57000 Kuala Lumpur, Malaysia Regional Office: Ofisgate (s) Pte Ltd, 205B
More informationProtection and Security of your Personal Information
Protection and Security of your Personal Information Please read the following information carefully to understand how Travelex will manage your personal information. By creating a profile and saving and
More informationPRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;
PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal
More informationCONTENT OF THE AUDIT LAW
CONTENT OF THE AUDIT LAW I. GENERAL PROVISIONS Article 1 This Law shall regulate the conditions for conducting an audit of legal entities which perform activities, seated in the Republic of Macedonia.
More informationGuidance on the Use of Portable Storage Devices 1
Guidance on the Use of Portable Storage Devices Introduction Portable storage devices ( PSDs ) such as USB flash memories or drives, notebook computers or backup tapes provide a convenient means to store
More informationProfessional Trainers, Licensing Assessment and Consultancy Services Professional Indemnity and Public Liability Insurance Proposal Form
Tranznet Association Inc Arranges the insurance IMPORTANT INFORMATION Professional Trainers, Licensing Assessment and Consultancy Services Professional Indemnity and Public Liability Insurance Proposal
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationASX Announcement. Amendment to Share Trading Policy
ASX Announcement 14 September 2015 Amendment to Share Trading Policy IPH announces that it has amended its Share Trading Policy by adding a new Clause 5 which introduces an additional trading window, being
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationBusiness Services Hong Kong
Business Services Hong Kong Gain peace of mind Leave your back office issues with us Tricor Business Services partner with you to enhance your competitiveness and generate business value. Leveraging our
More informationGeneral Terms and Conditions Regarding Accepting Ticket solutions for Meal and/or Sports and Cultural Services
General Terms and Conditions Regarding Accepting Ticket solutions for Meal and/or Sports and Cultural Services 1. Purpose and Scope 1.1 The General Terms and Conditions shall be applicable to a contractual
More informationHow To Write A Professional Liability Insurance Proposal Form
Statement Pursuant to Schedule 9 of the Financial Services Act 2013: The Policyholder is to disclose in this proposal form, fully and faithfully, all the facts which you know or ought to know, which are
More informationDISCLOSURE AND ADVISORY PROCESS REQUIREMENTS FOR ACCIDENT AND HEALTH INSURANCE PRODUCTS
Notice No : MAS 120 Issue Date : 30 January 2004 Last revised on 30 October 2015* DISCLOSURE AND ADVISORY PROCESS REQUIREMENTS FOR ACCIDENT AND HEALTH INSURANCE PRODUCTS Introduction 1. This Notice is
More informationHow To Use Grand Lexis Port Dickson Website
TERMS AND CONDITIONS OF USE Welcome to Grand Lexis Port Dickson website. If you continue to browse and use this website you are agreeing to comply with and be bound by the terms and conditions of use set
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More information