3 new data privacy tools from Singapore’s data regulator

Singapore’s Personal Data Protection Commission (PDPC) has been busy. It has just published a number of new resources to help businesses comply with the Personal Data Protection Act. Here are the three we have identified as having the biggest practical application for companies in Singapore.

1. Sample clauses and guidance for marketing consents.

For companies collecting data for marketing purposes, these standard clauses will help. They cover a broad range of scenarios, including consent in the context of membership applications and lucky draws, and language for the withdrawal of consent. The PDPC has also published some guidance to support the sample clauses.

2. Guide to securing data “in electronic medium”.

For organisations which store data in an electronic format (so, pretty much everyone), these guidelines list certain specific IT security measures that can be implemented to enhance security, split into “good practice” and “enhanced practice”.

3. Guide to managing data breaches.

The PDPC has published a step-by-step guide to managing data breach situations, from development of a data breach management plan through to containing the breach, assessing the risk and impact, reporting the incident (including a requirement that the PDPC should be notified of breaches, particularly those involving sensitive data) and preventing future breaches.

Singapore’s business-friendly approach

Of course, none of the tools above represent an automatic route to compliance and the required approach will differ from one organisation to the next. Nonetheless, the growing pool of resources from the PDPC covers a broad range of practical measures that organisations should now be implementing. It also underlines the PDPC’s strategy of being a business-friendly data protection regulator, in line with Singapore’s mission of becoming the world’s first smart city and the data processing hub for South-East Asia.

Posted in Telecoms | Leave a comment

Korea leads the world with cloud law encouraging cloud use

On 3rd March 2015, Korea passed the world’s first cloud-specific law, with the stated aim of driving the adoption of cloud computing in Korea. But what are the practical implications for cloud customers and cloud services providers in Korea?

Data centre (wikicommons)

 

This guest post is written by Daniel Jung and @matthew1hunter.

When does the Korean Cloud Act come into force?

On 3 March 2015, the Korean National Assembly passed the Act on the Development of Cloud Computing and Protection of Users (Korean Cloud Act).  The bill has been under consideration since October 2013.  The final version of the Korean Cloud Act is available here (currently only available in Korean).

The Korean Cloud Act comes into force on 28th September 2015.  Before the Korean Cloud Act comes into force, the Ministry of Science, ICT and Future Planning (Ministry) will establish additional rules for cloud services (as explained below).

What will the Korean Cloud Act do?

The good news for cloud customers and cloud services providers alike is that the Cloud Act aims to promote the cloud market in Korea.

The Korean government sees cloud computing market as a vital industry for future IT development and intends to build a solid foundation to raise Korea’s global competitiveness in the industry.

The Korean Cloud Act aims to do this by:

  1. boosting investment and support in the cloud market, in particular by the government;
  2. permitting (and encouraging) the use of cloud services (including public cloud services) by public institutions; and
  3. placing appropriate safeguards on cloud services providers (CSPs).

Taking these three points in turn:

1. Korea is going to invest time and effort in enhancing the cloud market.

The Korean government is keen to boost its investment in the cloud market.  In this respect, under the Korean Cloud Act, the Ministry is to establish plans (and update them every three years) to enhance the cloud market.  This will include: setting out plans for the development of the cloud computing market; cloud computing related research and expert training; financial and other support for local SMEs providing cloud services and ancillary services, establishing pilot projects, tax incentives and collaboration with other countries.

2. Public institutions in Korea can and should use cloud services.

The Korean Cloud Act encourages public institutions to implement cloud services as a priority, in order to benefit from cost efficiency, improving productivity and industrial competitiveness.  In order to assist with this encouragement, the Korean Cloud Act permits the use of cloud services by public institutions.

 3. The bar for protecting customers’ information has been raised – and cloud customers should expect their CSPs to comply.

Security and privacy issues have always been perceived as being the main roadblocks to the use of cloud services.  To address this the Korean Cloud Act imposes certain obligations on CSPs to try to remove the roadblocks and drive the use of cloud services in a way that addresses security and privacy concerns. In practical terms, CSPs have some new obligations to comply with, and cloud customers will want to look for CSPs who can meet these requirements. In particular, CSPs should note the following important points (and consider their compliance levels):

  •  CSPs must report information leakage to their customers and the Minister.  An investigation may then follow.
  • CSPs must not provide their customers’ information to a third party or use it for purposes other than the designated purpose without the consent.
  • CSPs must return or delete the relevant customer’s information upon termination of the relevant cloud contract.
  • If a CSP hosts a customer’s information outside of Korea, the customer may request the CSP to disclose the location.
  • If a customer incurs losses due to the deliberate or negligent acts of a CSP which violate the Cloud Act, the customer may bring a claim for compensation against the CSP.  The onus will be on the CSP to prove that the CSP’s act was not deliberate or negligent.
  • The Minister will establish additional obligations that cover the quality/capability of cloud services, appropriate service levels and standards for information protection.  It is anticipated that a cloud services certification system will be implemented.
  • A standardised contract for use when providing cloud services is also anticipated.

The Korean Cloud Act has teeth

Any person who uses or discloses a customer’s information to a third party without consent shall be punished by imprisonment for not more than 5 years or with a fine not exceeding KRW 50 million (about USD 46,500).  Slightly reduced levels of fines will apply to breaches of the other obligations listed above.

Areas not currently addressed by the Korean Cloud Act

The Korean Cloud Act doesn’t deal with data classification.  One of the perceived hurdles, in particular for public institutions, to using cloud services, is the ability to determine what categories of data can be hosted by CSPs.  There are different ways of categorizing data and clear guidelines on the subject help to overcome this hurdle.  This is an area that may be considered in the future. Nonetheless, the clear endorsement of cloud services in the Korean Cloud Act will likely be sufficient evidence for most that the Ministry considers that cloud is appropriate for the vast majority of data held by public institutions.

The Korean Cloud Act doesn’t address the limits imposed by other (quite strict) regulations in Korea.  For example, the financial services sector is subject to strict regulations that are potentially delaying the adoption of cloud services in the sector. CSPs and cloud customers alike will be hoping that this clear endorsement of cloud will drive regulatory change in other sectors.

The Korean Cloud Act states that the Personal Information Protection Act (PIPA) will continue to apply in regard to personal data.  However, as the Ministry develops further plans and regulations, the obligations in the Cloud Act will sit alongside those in the PIPA and will likely add a layer of additional requirements (although the focus of these additional obligations will be CSPs).

The Korean Cloud Act doesn’t, as yet, point to any particular international standards.  In other countries, authorities point to international standards (e.g. ISO/IEC 27001 and ISO/IEC 27018) as appropriate measures to assess CSPs i.e. does the CSP comply with these standards.  It’s interesting to note that the controls in the new international standard for public cloud services, ISO/IEC 27018, appears to meet many of the new requirements included in the Cloud Act (and goes further than many of them), so CSPs who comply with ISO/IEC 27018 will not have any trouble complying with the new Cloud Act requirements.

What next?  

CSPs should consider their levels of compliance and cloud customers in Korea should, as a matter of good practice whenever they procure or use cloud services, ask their CSP how their solution complies with the Korean Cloud Act. Reputable CSPs should have no problems providing a satisfactory response to customer questions about the Korean Cloud Act.

In addition, CSPs and customers alike should wait for further updates from the Ministry on the plans to support the cloud market and the plans for further obligations/requirements in relation to cloud services.

Posted in Cloud computing, Data protection, Government policy, Korea, Outsourcing, Regulatory action, Services, Technology | Tagged , , | Leave a comment

ISO 27018 – the international standard for protecting PII in the public cloud – Where are we now?

Since its release in August 2014, ISO 27018 is becoming well established as the “go to” standard to help cloud customers to comply with their privacy obligations when using public cloud services.  Privacy regulators recognise and refer to the new standard.  Cloud customers are using it in their RFP requirements and in their assessments of CSPs.  And CSPs themselves can and should adopt and commit to the new standard. 

A guest post by Matthew Hunter (@matthew1hunter) and Daniel Jung.

A reminder

We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).

In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA).  We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services.  We carried out the same research for other countries and the same conclusion applies: Cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan Korea, Malaysia, New Zealand and European countries, including the France, Germany, Spain and the UK.

In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations.  We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.

The latest ISO 27018 developments

Regulators

Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise as regulators often refer to ISO standards (e.g. ISO 27001).

  • In Australia, the OAIC referred to ISO 27018 in its guide to securing personal information (January, 2015).
  • In Belgium, the privacy commission referred to ISO 27018 in its Guidance on Security & Privacy in the Cloud (December, 2014).
  • In Canada, the OIPC posted on its blog that ISO 27018 allows access the benefits of the cloud whilst keeping control of data (March, 2015).
  • In Germany, a state regulator’s cloud guidance highlights the use of ISO 27018 for cloud (October, 2014).
  • In Slovenia, the Information Commissioner indicated that ISO 27018 is consistent with its requirements and should help to raise the lack of confidence in cloud (January, 2015).

These regulators and others are continuing to consider the use of ISO 27018.  The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud.  The PDPC in Singapore is also considering the use of ISO 27018.

Cloud customers

Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards.  These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.

Cloud customers have been, in the past, slow to adopt cloud services.  In part, this has been because of regulatory concerns.  But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services.  We have seen that cloud customers who use CSPs that comply with ISO 27081 will be better able to comply with relevant privacy law obligations in many jurisdictions.

Cloud services providers

CSPs can now adopt and commit to ISO 27018.

Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018.  An independent audit confirmed its services incorporate all of the ISO 27018 controls and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers.  We expect to see other CSPs follow suit.

No standalone certification is available as yet for ISO 27018.  However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018.  By going through this kind of assessment process, CSPs (and their ultimately their customers) can be certain of their ISO 27018 compliance.  To remain compliant, CSPs must undergo yearly independent reviews.  This is what the likes of Microsoft will do.

The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018.  Like other ISO standards before it, ISO 27018 will become the norm.

What next for ISO 27018?

Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance.  ISO 27018 is already becoming the norm (just like other ISO standards).

We expect this to continue.  The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturers, travel and all kinds of SMEs.  In the public sector governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore.  It is in the interest of governments to allow cloud services to be adopted in the public and private sectors.  The benefits of cloud services are clear.  But at the same time the compliance challenge will not disappear.  The regulation of data is on the rise (and rightly so).  Data should be regulated; it is a valuable and sensitive asset.  This is why ISO 27018 is proving helpful; customers can benefit from cloud services but at the same time ensure compliance with privacy regulations.

Posted in ASEAN, Cloud computing, Data protection, Outsourcing, Services, Software | Tagged , | 1 Comment

Myanmar mobile banking and payment: where to start?

Myanmar is currently largely a cash economy.  In this post we consider the types of mobile banking and payments solutions we predict will first gain traction in the Myanmar market: remittance services and banking the unbanked.

Outside Myanmar, the way people bank and pay has been revolutionised: from the introduction of credit cards, telephone banking and mobile banking to the launch of PayPal and Bitcoin.  The global growth of e-commerce has been accompanied by an increasing demand for online and mobile payments systems.

It is possible to imagine places where the use of cash might disappear entirely in the future.Whilst the rest of the world has still not fully exploited the benefits of mobile banking and payments, Myanmar has yet to start.

Burmese brollies

Mobile banking and payment solutions

What do we mean by mobile banking and mobile payments?

Mobile banking means banking done from a mobile device.  Banks provide a portal to access banking services across mobile platforms, including via its website, apps for tablet and apps for smartphones.  The introduction of mobile banking usually requires banks with legacy systems to re-engineer their delivery methods (i.e. to digitise service delivery).

Mobile payments means using a mobile device for the initiation, authorisation and realisation of a payment transaction.  Mobile payments systems allow payments to be made a mobile device via a proximity payment or via a mobile remote payment.  Depending on the way the solution works, the parties involved can include customers, merchants, mobile payment service providers, telecoms companies and banks.

There has been rapid innovation and disruption globally.  From traditional payment systems (e.g. Visa) and Internet payment systems (e.g. PayPal) to varying mobile payment systems (e.g. M-Pesa, Apple Pay) and retailer-led systems (e.g. integration of customer behavioural data and store-cards).  There’s no winning ‘secret formula’ across global markets.  In some countries there are constrains to potential approaches.  In every market partnerships and alliances have been and are still critical to success (between e.g. telecommunication companies, technology manufacturers, traditional banks, payment companies and retailers).

The market in Myanmar and where to start

Both the telecoms and banking sectors are very underdeveloped in Myanmar.

There are a low number of access points, low customer awareness, a lack of services and a lack of infrastructure and processes.  However, these are focus sectors for investment by the Myanmese government and investors, and by foreign investors.

It is tempting to imagine that Myanmar can leapfrog ahead and adopt sophisticated mobile banking and payments solutions for all because it is unencumbered by legacy IT systems and processes and can dive straight into the deep end.  However, as Myanmar also lacks access points, awareness, services, infrastructure and processes, the starting point must still be basic.

One of the biggest current challenges is the lack of distribution networks for getting cash in/out.  In our view, remittance services will be one of the first services to be developed.

There’s no point developing fancy mobile banking solutions and payments if people can’t get cash in/out.  Providing the most basic banking services for a largely unbanked population will the next major focus followed by basic payment services.

Remittance services  

It is common for Myanmese families to work and live apart, and as economic development and foreign investment drives urbanisation it will only increase.  Domestic remittance services are need to help families to send money to each other.  There are also a large number of overseas Myanmese workers and so international remittance services are needed.

The challenge for this in Myanmar is that there is a bottleneck of cash in/out points.  A secondary challenge is that it is difficult to authenticate parties.  Telcos have the ability to address both of these challenges, because they offer outlets and a means to authenticate users.  One solution therefore is for the banks and the telcos to partner and integrate a basic remittance offering.

Banking  the unbanked  

Most Myanmese citizens have no bank account today.  Experience from Africa shows that a move from a cash system to a banking or quasi-banking system brings widespread benefits.  Again, however, the banks have the enormous challenge of building distribution (i.e. branch access), whereas the telcos are already building distribution and reachBank and telco partnerships are therefore a likely formula to success because the scale of the distribution network is critical.

Structuring and negotiating a successful mobile banking partnership

Banks have a clear role to play to build the banking services in Myanmar.  However, they do not have the networks or the technology to succeed alone.  Partnerships with telcos are most likely to offer success but what do the parties to such a partnership need to consider to make it work?

First, the parties must have a clearly defined idea of what the ‘end to end’ system will look like and which role each of the parties will play.

Second, the parties must consider the regulatory risks.  Do one or both of parties need a licence and can they comply with the licence requirements?

The commercial aspects of the deal will also need to be agreed.  Who is responsible for taking what actions and providing which services?  Can each party fulfill their relevant obligations?  What are the consequences if a party fails to meet its obligations?  And what is the price or reward for each party?

Final tips

Parties involved in these kinds of negotiations should never assume that the other parties know what they are doing.  The mobile payments and mobile banking space can be very complex and parties who are more familiar with in the space will use often use jargon.  You should not be afraid to ask simple and basic questions, especially in a new market.  Finally, don’t be wowed by complex solutions.  It’s definitely better to walk before you can run, so we predict the winners will be those who keep it simple and do the basics first.

This post was co-written with @matthew1hunter.

Posted in ASEAN, Commercial activity, Myanmar, Payment, Telecoms | Tagged , , , | Leave a comment

UK withdraws proposed updates to the Electronic Communications Code

On 22 January 2015, the UK Government withdrew its proposed changes to the Electronic Communications Code.

As the changes were unexpected, more time for consultation is not entirely unwelcome.

However, as the changes in large part were positive, I hope that this is only a delay and the proposals will be brought forward in due course.

Posted in Broadband, Fixed, Government policy, Mobile, Regulatory action, Telecoms, UK | Tagged | Leave a comment