Hong Kong and Singapore sign memo on personal data protection
The Hong Kong Privacy Commissioner for Personal Data and Singaporean Personal Data Protection Commission has signed a memorandum of understanding that will see the pair cooperate on protecting personal data.
According to the agreement, the two commissions will exchange information on potential or ongoing data breaches, conduct joint research projects, and share best practices and “experiences”.
“A strong collaborative effort with our counterparts in Hong Kong and other jurisdictions is needed to advance personal data protection and prepare for a digital economy,” Commissioner of the PDPC Tan Kiat How said in a statement.
“We look forward to strengthening our working relations to enable all parties to collectively benefit from best practices, research and the sharing of information.”
Discussions that led to the memo began in September.
In the past year, both jurisdictions have seen significant data breaches.
For Hong Kong, its flag carrier Cathay Pacific disclosed a data breach that hit 9.4 million people in October.
Cathay Pacific said that passenger details including name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information could have been accessed.
The airline added 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were accessed.
A small number of credit card numbers, 403 in total, were also accessed, as well as 27 cards with no CVV.
The company said it had discovered suspicious activity on its network in March 2018 and took “immediate action”, with the breach confirmed in May.
“Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed,” it said.
While for Singapore, the city-state handed out SG$1 million in fines following the SingHealth data breach that impacted over 1.5 million individuals.
“SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHIS [Integrated Health Information Systems], and failed to understand and take further steps to understand the significance of the information provided by IHIS after it was surfaced,” the Personal Data Protection Commission said in January as the fines were handed down.
“Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.
“These financial penalties are the highest ever imposed by PDPC, to date.”
The SingHealth breach was the largest in Singaporean history, and the attack was carried out over a period that spanned more than 10 months from August 2017.