Hong Kong, Singapore to Cooperate on Cybersecurity
Agree to Information Sharing, Joint Research
"The objective is to strengthen cooperation between Hong Kong and Singapore to provide a solid framework for promoting collaborative initiatives and information exchange in personal data protection," says Stephen Kai-yi Wong, Hong Kong's privacy commissioner for personal data.
Tan Kiat How, Singapore's privacy commissioner for personal data, adds: "A strong collaborative effort with our counterparts in Hong Kong and other jurisdictions is needed to advance personal data protection and prepare for a digital economy."
The goals of the agreement, the two leaders say, are:
- Build a solid framework for information sharing on data protection;
- Prepare both countries to face threats in the "post-digital" era;
- Conduct joint research on cybersecurity best practices and breach investigations;
- Adopt data protection by design.
The two countries had initial discussions in September 2018 about exploring opportunities to develop bilateral platforms for the advancement of personal data protection.
As part of the enhanced cooperation, Hong Kong and Singapore are also releasing a jointly developed "Guide to Data Protection by Design for ICT Systems." The guide encourages organizations to proactively incorporate data protection when developing information and communications technology. It provides advice on all phases of software development and spells out good data protection practices.
Earlier, Singapore also signed an agreement on information sharing with India to establish formal cooperation between the two nations' CERTs on building an incident prevention and response mechanism and an information sharing platform to tackle cybersecurity challenges. (See: India & Singapore Agree on Information Sharing)
Hong Kong and Singapore have both recently experienced mega-breaches, which have spurred them to collaborate on breach prevention efforts.
Cathay Pacific Airways in Hong Kong was hit by a breach revealed last October that involved unauthorized access to personal details on 9.4 million passengers. (See: Cathay Pacific Breach: What Happened?)
In 2017, a SingHealth data breach affected 1.5 million individuals. The Personal Data Protection Commission imposed financial penalties against both Integrated Health Information Systems Pte. Ltd., or IHiS, and SingHealth totaling 1 million Singapore dollars ($738,000), the highest it has ever levied. (See: Staff Disciplined in Wake of Singhealth Breach)
Data Protection by Design
The new jointly developed guide to data protection by design recommends key steps, including:
- Conducting a data protection impact assessment during the systems development life cycle to help identify and assess the gaps and risks in the design of new systems;
- Minimizing collection of personal data unless there is a valid purpose;
- Collecting information on personal identifiers only when absolutely necessary;
- Obtaining individuals' consent for collecting, using and disclosing their personal data;
- Spelling out security requirements to information and communications technology vendors that must be documented as part of the scope of work.
Even if organizations delegate work to vendors, they must ultimately take responsibility for the personal data that they have collected from their customers, the privacy commissioners say.