Skip to main content
You are here: News

News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

Array

Notifiable Data Breaches scheme resources finalised

Following consultation, the Notifiable Data Breaches (NDB) scheme resources have been finalised. You can view all of the resources on our NDB webpage.

Office of the Australian Information Commissioner
Source: News - OAIC
15 Dec 2017, 2:59am AEDT

Statement by Federal Trade Commission Acting Bureau of Competition Director Bruce Hoffman on the Court Ruling Granting a Preliminary Injunction in the Sanford Health/Mid Dakota Clinic Matter

Federal Trade Commission Acting Bureau of Competition Director Bruce Hoffman issued the following statement regarding the U.S. District Court ruling yesterday that granted the request of the FTC and the Attorney General’s Office of North Dakota for a preliminary injunction in the proposed merger of Sanford Health and Mid Dakota Clinic in the Bismarck-Mandan region of North Dakota:

“The Court's Dec. 13 ruling temporarily blocking Sanford Health’s proposed acquisition of Mid Dakota Clinic is good news for patients and their families in the Bismarck and Mandan metropolitan area. We look forward to proving at trial that this merger would likely reduce competition, resulting in higher prices and lower quality of adult primary care physician services, pediatric services, obstetrics and gynecology services, and general surgery physician services in that area of North Dakota.”

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
14 Dec 2017, 11:00pm AEDT

FTC Obtains Court Order Banning Work-at-Home Operators from Selling Business Opportunities and Business Coaching Services

Defendants must give up $1.5 million under settlement with FTC

The operators of a work-at-home scheme the Federal Trade Commission sued earlier this year for deceptive practices are banned from selling business opportunities and business coaching services under a settlement with the Commission.

The settlement order resolves an FTC case brought in August 2017, alleging that the scheme lured consumers into buying an online system, falsely promising they would earn thousands of dollars working from home. Operating as Work At Home EDU, Work At Home Program, Work At Home Ecademy, Work At Home University, Work At Home Revenue, and Work at Home Institute, the defendants used online “native” advertising – promotional content that resembles the non-advertising material beside it – to reach consumers who were researching work-at-home opportunities on the internet. For example, they placed a link to their Work At Home EDU website near an article about working from home on the website Forbes.com.

The defendants – Bobby J. Robinson, Michael Sirois, Bob Robinson LLC, Mega Export 2005 Inc., Mega Export USA Inc., and Netcore Solutions LLC – were charged with violating the FTC Act and the FTC’s Business Opportunity Rule. The Rule requires business opportunity sellers to make certain disclosures to help consumers evaluate the opportunity, and prohibits such sellers from making earnings claims without adequate substantiation. For instance, a business opportunity seller is required to provide consumers with a written statement that explains how many other consumers actually achieved the earnings the seller claimed are possible, among other things.

The settlement order also prohibits the defendants from misrepresenting material facts about any product or service, imposes a partially suspended judgment of $35.1 million, and requires the defendants to turn over funds and assets valued at approximately $1.5 million.

The Commission vote approving the stipulated final order was 2-0. The U.S. District Court for the Southern District of Texas, Houston Division, entered the order on December 7, 2017.

NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
14 Dec 2017, 11:00pm AEDT

Statement from Acting FTC Chairman Maureen K. Ohlhausen on the FCC’s Approval of the Restoring Internet Freedom Order

Federal Trade Commission Acting Chairman Maureen K. Ohlhausen issued the following statement in response to today’s vote by the Federal Communications Commission (FCC) on the Restoring Internet Freedom Order:

“The FCC’s action today restored the FTC’s ability to protect consumers and competition throughout the Internet ecosystem. The FTC is ready to resume its role as the cop on the broadband beat, where it has vigorously protected the privacy and security of consumer data and challenged broadband providers who failed to live up to their promises to consumers. In addition, the FCC’s new transparency rules provide additional tools to help ensure that consumers get what they expect from their broadband providers, who will be required to disclose their traffic management practices. The Memorandum of Understanding establishes a framework for FTC-FCC cooperation. Together we will move ahead to protect consumers and help ensure they enjoy the many benefits of online innovation.”

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).  Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resource.

Federal Trade Commission, United States
Source: Press Release Feed
14 Dec 2017, 11:00pm AEDT

What the Notifiable Data Breaches scheme means for schools

The Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018, and private schools and private tertiary educational institutions across Australia will be required to comply.

Office of the Australian Information Commissioner
Source: News - OAIC
6 Dec 2017, 3:43am AEDT

Speech to the IoT/Big Data Healthcare Summit, Western Canada

I’m here today as BC’s Acting Information and Privacy Commissioner to offer my perspective on Big Data and the Internet of Things…. well, let’s be honest and call it what it really is - the Internet of EVERYthing. From the rubber ducky in your child’s bathtub to your smart tea kettle, connected devices truly are everywhere.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
30 Nov 2017, 7:00am AEDT

New guidance available to physicians on privacy and security of patient records

The Office of the Information and Privacy Commissioner for BC, the BC College of Physicians and Surgeons, and Doctors of BC have released a joint guidance document to assist physicians who work in private practice. The BC Physician Privacy Toolkit describes the privacy issues associated with the collection, use, disclosure, retention, and protection of personal information.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
29 Nov 2017, 7:00am AEDT

PDPC Investigating Complaints Against School

Forum reply on The Straits Times, 27 November 2017

The Personal Data Protection Commission (PDPC) takes all alleged violations of the Personal Data Protection Act (PDPA) very seriously and will look into such feedback (Little action taken against flouting of data protection rules, by Mr Terence Lim; Nov 23).

We will not hesitate to take the necessary regulatory action if we ascertain that a breach had occurred.

Mr Lim first came to the PDPC in May to complain about receiving unsolicited marketing e-mails from Aventis School of Management (ASM).

The PDPC resolved Mr Lim's initial complaint immediately by taking up the issue with ASM's data protection officer, and getting ASM to remove Mr Lim's e-mail address from its marketing list.

Mr Lim then furnished the PDPC with more information about ASM's data collection practices which may have breached the PDPA.

The PDPC is currently investigating these additional complaints.

Contrary to Mr Lim's claim, our officers have been corresponding with him to keep him updated on the outcome of our investigations.

We seek his patience on the matter.

Evelyn Goh (Ms)
Director, Communications & Policy
Personal Data Protection Commission

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Nov 2017, 12:00pm AEDT

GPs, gyms, and childcare centres may have obligations under the Notifiable Data Breaches scheme — will your organisation?

Private sector health service providers will be required to notify affected individuals and the Australian Information Commissioner of data breaches that are likely to cause serious harm under the Notifiable Data Breaches (NDB) scheme.

Office of the Australian Information Commissioner
Source: News - OAIC
13 Nov 2017, 11:37pm AEDT

Chicken catching organization not authorized to surveil employees, Commissioner finds

In an investigation report released today, Acting Information and Privacy Commissioner Drew McArthur found a BC chicken catching organization was not authorized by the Personal Information Protection Act (PIPA) to collect the personal information of employees, farmers and other contractors via video and audio surveillance.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
9 Nov 2017, 7:00am AEDT

Public Consultation on Proposed Revised Advisory Guidelines on NRIC Numbers

The PDPC has launched a public consultation to seek feedback on the proposed revisions to the chapter on NRIC numbers in the Advisory Guidelines on the PDPA for Selected Topics, as well as the proposed accompanying technical guide. 

Please download the media documents here:

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
7 Nov 2017, 5:00pm AEDT

Keynote Speech by Mr Yeong Zee Kin, Deputy Commissioner of PDPC, at the 39th International Conference of Data Protection and Privacy Commissioners on Thursday, 28 September 2017, at the Kowloon Shangri-La Hotel, Hong Kong

Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong,
Distinguished Guests,
Ladies and Gentlemen,

Singapore’s Personal Data Protection Philosophies – Pivoting from Compliance to Accountability to Support Innovation

1. The ICDPPC is the premier forum to discuss data protection and privacy issues bringing together regulators, policy makers and industry. It is a privilege for me to address you today on the topic of “Data Protection in Asia”. There is no better place than Hong Kong for us to juxtapose the data protection philosophies of the Eastern and Western hemispheres. I am delighted to be able to share Singapore’s perspectives with this august audience.

2. Briefly, there is a bundle of common law rights and statutory torts that collectively form an incipient branch of law on privacy in Singapore. For example, the right to seclusion is probably covered by the statutory tort in our Prevention of Harassment Act; and the right to prevent publication of private communication is likely to be a common law tort. A key feature of privacy law in Singapore is that it is enforceable by private civil action in the courts. The Commission administers and enforces our data protection law and it is to this topic that I devote the bulk of my speech to.

Personal Data Protection Built on Economic Fundamentals

3. Economies in Asia have diverse cultural, political and legal traditions. But even in the midst of diversity, there is a significant degree of similarities. One that comes immediately to mind is our drive for advancement in the economic sphere. Another is that our students always seem to do well in mathematics and science.

4. It is important to integrate our pursuit of personal data protection into our national economic agenda. This provides the impetus for consumers and businesses to start a dialogue about the expected standards for personal data protection. This dialogue should be constructive; data protection authorities have a role to play in facilitating the conversation and contributing to building a positive reinforcement loop. The ultimate goal is often the same with other economies that have different privacy traditions. We all strive to permit the innovative use of data that leads to better products and services for customers, while concomitantly providing assurance to consumers that their personal data are handled with utmost care and respect.

5. Singapore recognises that a robust data protection regime is an important foundation for the Digital Economy. In the Digital Economy, data is a strategic asset for companies. Data can help companies optimise the way they operate, improve existing products and services, or to innovate new ones. We believe that amplifying the level of trust between consumers and businesses is crucial for promoting innovation. In order to build an ecosystem of trust, we must reach beyond pro forma compliance with data protection laws, which is a necessary condition but no longer a sufficient condition in today’s competitive and data-driven landscape.

Pivoting from Compliance to Accountability  

6. We have started our pivot from compliance to accountability. In our view, accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is about being able to demonstrate to customers that measures which pre-emptively identify and address risks to personal data have been put in place. We see our pivot from compliance to accountability to encompass the following:

  • We have to move towards a regime that places paramount emphasis on the integration and observance of data protection standards as part of its business-as-usual processes and practices. This requires a fundamental shift in corporate cultural. 
  • To provide practical assistance to businesses and non-profit organisations, we will promote the adoption of accountability tools like risk assessments, data protection management programmes and consent registers. These tools will assist in the translation of concept to practice.
  • We see the corporate-and-consumer dialogue to be an important component of accountability. Businesses can communicate with their customers through multiple channels. We believe that a data protection trust mark is both a statement and a promise to customers. When data breaches happen, we view consumer breach notifications as a way that businesses can speak directly to their customers. In addition to email, online forum and chat bots, we believe that online dispute resolution can be an effective way of neutral-assisted dialogue to resolve customer dissatisfaction.
  • Prevention is better than cure, as the saying goes. Thus, we will be promoting and encouraging the adoption of data protection by design practices and privacy enhancing technologies in system and process design.
  • Ours is a system that relies on consent as the basis for processing. This has resulted in some less than ideal practices. In cases we have investigated, we have come across broad consent clauses. In one published decision, we did not allow a company to hide behind a broadly drafted consent clause. We need to de-emphasise and discourage reliance on broad ex-ante consent and provide parallel bases for the collection, use and disclosure of personal data.

7. In July 2017, Singapore’s Minister of Communications and Information, Dr Yaacob Ibrahim, announced a three-stage process to help companies along this journey from compliance to accountability.

First stage – Guides and Tools on Data Protection Management Programme and Data Protection Impact Assessments

8. In the first stage of the pivot towards accountability, the Commission will be producing guides and an online assessment tool to assist companies. We are finalising our guides to assist companies to put in place Data Protection Management Programmes and to help businesses conduct Data Protection Impact Assessments.

9. These are accountability and data protection by design tools. But it is equally important for organisations to discover where the gaps are before they start using these tools. To assist with the gap analysis, we are making available a PDPA Assessment Tool for Organisations. This is a free online resource that organisations may use to identify gaps in their data protection management. The Assessment Tool will provide suggestions and recommend resources, such as our advisory guidelines and other guides, that Data Protection Officers may refer to. When used in conjunction with the DPMP guide, a DPO will be able to make strategic decisions about what interventions are necessary to bridge the gaps that have been identified.

Second stage – Data Protection Trust Mark

10. In the second stage, we will launch a Data Protection Trust Mark certification scheme by the end of 2018. In a survey conducted last year, we found that 4 in 5 consumers would be more confident transacting with an organisation that holds an accreditation for meeting personal data protection standards. The Trust Mark can be seen as a recognition that an organisation has put in place accountability practices that go beyond a checklist approach to compliance. We will also recognise adoption of DP by Design practices. We have plans to integrate the APEC CBPR and PRP registrations into the Trust Mark application. We hope that this will encourage and assure the flow of data between trusted companies, both domestically and globally, thereby creating a network of trust.

Third stage – PDPA Review

11. In the third and final stage of our journey to accountability, the Commission plans to allow for a more progressive approach to collecting, using and disclosing personal data, while also providing greater transparency when data breaches occur. We have recently initiated the first phase of the review of our Act, to ensure that the regulatory environment remains relevant as technological developments have significantly changed how personal data is generated and collected today. When we first started to put our Act together, user-provided personal data formed the majority; today, user-provided data forms a diminishing set that sits alongside data generated by user activity and observable data, both of which are growing at an increasing pace.

12. Our ongoing public consultation solicits feedback on proposed enhancements to our framework for the collection, use and disclosure of personal data, and a mandatory data breach notification framework. There will be other consultations as we work towards the amendment.

Regulatory sandbox

13. I have shared that our view of accountability encourages dialogue between business and consumers. It will be hypocritical if we do not also engage in conversation. Therefore, the Commission is prepared to work with companies who have adopted accountability practices to create regulatory sandboxes so that they are not held back from deploying technological and business innovations. Working with consumers, stakeholders and businesses to construct sandboxes will allow us to understand how our proposed changes to the Act might work in practice. This in turn informs us as we fine-tune the details before the Act is amended. This should help us craft a set of amendments to our Act that will be relevant in the Digital Economy.

14. Details of the regulatory sandbox may be found in a recently released guide to data sharing. This guide sought to debunk the myth that the Act prohibits data sharing and also provided a framework for applications to the PDPC to exempt data sharing arrangements from specific obligations under the Act.

Conclusion

15. The ultimate goal of our shift from compliance to accountability is to establish a high level of consumer trust as the bedrock of our data protection regime, thereby enabling data innovation in Singapore’s Digital Economy. We look forward to working with businesses to build a trusted ecosystem to optimise the opportunities and rewards of data innovation.

16. On this note, I would like to thank the ICDPPC and the Government of the Hong Kong Special Administrative Region, China for the opportunity to speak, and for the successful organisation of the 39th Conference. I wish you all a most thought provoking conference ahead.

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
28 Sep 2017, 8:00pm AEST

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST