Hello and greetings from Australia!
What a year 2018 will be for data privacy professionals in the Asia-Pacific region.
In less than two weeks, Australia's new mandatory data breach notification scheme comes into effect. Although the scheme is imminent, the recent HP Australia IT Security Study indicated that nearly half of participating SMBs do not consider themselves prepared for it. The findings of this study serve as a timely reminder for entities bound by the Australian Privacy Act to review and update their current data security and data privacy practices in light of the new scheme.
In related news, the Personal Data Protection Commission of Singapore has released its response to the public consultation on Approaches to Managing Personal Data in the Digital Economy. Among other findings, the PDPC intends to retain the proposed mandatory data breach notification scheme, which it intends to apply to breaches "likely to result in significant harm or impact to the individuals to whom the information relates" and other significant-scale breaches. The PDPC has found that the proposed time frames for notification to the PDPC and (where applicable) affected individuals should remain, but be complemented by an initial assessment period for suspected breaches similar to the Australian scheme.
On the subject of data breaches, the Family Planning Association of Hong Kong recently lost 11 days' worth of patient data relating to a cervical screening program at one of its clinics. The association informed police and the Office of the Privacy Commissioner for Personal Data.
Also in Hong Kong, the Hospital Authority, which manages the city's public hospitals, has commenced development of a big data system that will be used to identify patterns in anonymized medical records, to aid policy and research work. To reduce re-identification risks, the Hospital Authority intends to make the data accessible only to academia by attendance at a physical site — such that data cannot be removed and will not be made available online. This approach highlights a common issue in releasing seemingly de-identified data, namely how to ensure that such data is not, and continues not to be, re-identifiable.
Consistent with this issue, former Australian Privacy Commissioner Malcolm Crompton, CIPP/US, will provide a health and medical research-focused presentation on "The Power of Patterns in Big Data — How and when can data be repurposed?" at an iappANZ-related event this month. iappANZ will also be holding February events with Sheila Fitzpatrick on getting Australian organizations ready for the EU General Data Protection Regulation, as well as tips and pitfalls for major brands handling data breach crises.
See you next time.