2012 - Apac data-protection-laws by McAfee


Page 1: 2012 - Apac data-protection-laws by McAfee

1 – McAfee Asia Pacific Data Protection Laws

ASIA PACIFIC DATA PROTECTION LAWS.

By Gary E. Clayton, Privacy Compliance Group, McAfee Inc.

Joel Camissar, Practice Head, Data Protection, McAfee Asia Pacific


TABLE OF CONTENTS

Executive Summary 3

International Privacy and Data Protection Laws 4

Australia 5

New South Wales 7

Australian Capital Territory 9

Northern Territory 10

Queensland 11

South Australia 12

Tasmania 13

Victoria 14

Hong Kong SAR 15

India 17

Indonesia 18

Japan 19

Malaysia 21

New Zealand 22

Pakistan 24

Philippines 25

Singapore 26

Republic of Korea 27

Taiwan 28

Thailand 30

Vietnam 31

Data Loss Prevention – The Key Challenges 33

The Typical Industry Approach 34

The McAfee Approach to Rapidly Solving the DLP Problem 36

Benefits of the McAfee Approach 37

Solution Services Proposed 38

Key McAfee DLP consultants 39

The objective of this paper is to help organisations achieve rapid success with a data loss prevention (DLP) project. This document details how the unique aspects of our solution, in tandem with our consulting approach, lead to rapid deployment and faster return on investment, while facilitating the creation of effective information protection policies.

EXECUTIVE SUMMARY

Today, we choose where we shop, bank and who we do business with on the basis of trust. We invest our money with a bank because we trust that the physical vault will protect our funds. We do business online because we trust that the services purchased will be fulfilled and our account information protected.

In a recent Norton Rose Global Survey on Cloud Services, “suppliers and customers both thought the greatest risk associated with the cloud was a security breach”. The top three perceived risks in order of importance are listed as: security breach, compliance and loss of data.

But what happens when a data breach occurs and this trust is broken?

One only has to open the paper – on an almost daily basis – to see the organisations that have suffered data breaches due to malicious activities of external hackers or internal abuse by rogue employees.

It is in this environment that governments (and occasionally industry bodies) around the world, and specifically in this region, are tightening corporate regulations to protect against the theft, loss and misuse of personally identifiable information. Some of the more widely known regulations include SOX, GLBA, JSOX and PCI-DSS; they require organisations to demonstrate a range of controls to protect personally identifiable information in order to achieve and maintain compliance.

It is important to safeguard more than just regulated data. Sensitive data, critical to an organisation’s very existence, must also be protected. From the ‘secret sauce’ upon which a business is built, to intellectual property (IP) that has been developed at great expense, organisations can’t afford to leave data unprotected.

Data Loss or Leakage Prevention (DLP) has been a buzzword in the IT industry for the last few years. IT security professionals are increasingly being asked by the business what controls they have, or need, in place to comply with local or global regulations and to protect the organisation’s intellectual property, and what their current exposure is.

In the Asia Pacific region, countries have a variety of laws and regulations governing the collection and processing of personal information. In other cases, they may not have enacted general privacy legislation. Accordingly it is important to understand how these laws may impact an organisation’s ability to implement data loss prevention.

We hope this guide serves as a compact resource that you can refer to with a dedicated focus on compliance regulations in Asia Pacific. There is also a practical section on page 33 which will assist you in translating the relevant regulations into a data protection program for your organisation.

Enjoy!

Joel Camissar, Practice Head, Data Protection, McAfee Asia Pacific


INTERNATIONAL PRIVACY AND DATA PROTECTION LAWS

Over the last two decades, a growing number of countries have enacted comprehensive privacy and data protection legislation. Many of these countries have modelled their laws on the European Union’s Data Protection Directive. The European Union’s Member States have enacted their own laws with specific requirements for processing and transferring personal data. Additionally, many of these laws specifically regulate the gathering of information in the workplace. The ability to monitor in the workplace may depend upon a number of laws, not just privacy and data protection legislation.

The following section examines the laws of a number of countries around the globe. In many instances, a country may not have enacted general privacy legislation. In other cases, there may be numerous laws and regulations governing the collection and processing of personal information. Accordingly, it is important to understand how these laws may impact an organisation’s ability to implement data loss prevention.

The following section provides an overview of the state laws on interception of communications and their requirements. Links are provided to the relevant laws. Additionally, the following topics are covered:

Title: This is the name given to the legislation at the time of enactment or how it is currently referred to in the relevant state.

Citation: This is the formal citation to the specific law and a hyperlink.

Summary: This provides a brief overview of the legislation.

Data covered: This identifies the specific data covered by the legislation.

Industry: This identifies the specific industries or sectors that are covered by the legislation.

Penalties: This identifies the sanctions provided for failure to comply with the law’s requirements.

AUSTRALIA

Overview: The privacy law in Australia regulates “information privacy” and personal information. The primary privacy law in Australia is the Privacy Act 1988.

Enacted: 1988, with amendments in 2000.

General Privacy Laws: Neither the Australian Federal Constitution nor the Constitutions of the six States and two Territories contain any express provisions relating to privacy.

The Australian Capital Territory adopted a bill of rights in 2004. Section 12 of the Human Rights Act of 2004 creates a right of “privacy and reputation”.

Personal Data Protection Laws and Regulations: The principal federal statute on privacy is the Privacy Act 1988, which is based in part upon the Organisation for Economic Cooperation and Development (OECD) Guidelines and the International Covenant on Civil and Political Rights.

Controls on the transfer of personal information out of the country are limited, requiring only that the data controller take “reasonable steps” to ensure personal information will be protected or “reasonably believe” that the information will be subject to similar protection as applied in the Australian law.

The Office of the Australian Information Commissioner enforces the Privacy Act. This office has a wide range of functions, including handling complaints, auditing compliance, promoting awareness and advising the government on privacy matters.

There are numerous sector laws that regulate the use of personal information in special categories, such as health care, telecommunications, etc.

In March 2001, the European Union’s Article 29 Working Party declined to find that Australia met the requirements for providing “adequate protection” under the EU Data Protection Directive.

The Federal Privacy Act does not regulate state or territory agencies, except for the Australian Capital Territory (ACT).

Type of Data Protected: Personal information, which is information that identifies an individual or could identify the individual. The Privacy Act defines personal information as:

“... Information or an opinion (including information or an opinion forming part of a database), whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion.”

Workplace Privacy Laws: The Privacy Amendment Act of 2000 contains eleven Information Privacy Principles that require organisations to observe the National Privacy Principles (NPPs) for Fair Handling of Personal Information.

The Privacy Amendment (Private Sector) Act 2000 provides two important exemptions in its provisions that heavily impact the regulation of employment data protection. The first is the exemption for “small businesses” and the second is the exemption of certain “acts and practices”, including those related to employment records. Combined, these exemptions removed most employment data from the jurisdiction of the Privacy Act. It is important to note, however, that the Act contains exceptions for what qualifies as a “small business”. Also, the Act authorises small businesses to opt-in to be covered by the Act. As of 2007, almost 70 small businesses had opted to be covered by the Act.

Employee records are defined broadly and include records that contain the types of personal information about employees typically held by employers on personnel and similar files. For example, a record containing information about the engagement, training, disciplining or resignation of an employee; the terms and conditions of employment of an employee; or an employee’s performance or conduct would be considered to be an employee record for purposes of the legislation.

The exemption applies to acts or practices directly related to an employee record and a current or former employment relationship. This dual requirement is designed to ensure that employers do not take commercial advantage of the exemption.

Transborder Transfers: The Privacy Act regulates handling of personal information in Australia and originating from Australia. Under Australian law, specifically National Privacy Principle 9, if an organisation’s overseas activity is required by the law of a foreign country, then it does not interfere with the privacy of an individual under Australian Law.

An organisation may transfer personal information overseas provided that one of the following conditions is satisfied:

1. The organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs

2. The individual consents to the transfer

3. The transfer is for the benefit of the individual and it is impracticable to obtain consent, but it is likely consent would be given

4. The transfer is required by a contract between the individual and the organisation or a contract between the organisation and a third party in the interests of the individual or

5. The organisation has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles.


AUSTRALIA (CONTINUED)

Fines and Sanctions: Pursuant to Section 52 of the Privacy Act, there are a number of sanctions, including:

After investigating a complaint, the Commissioner may:

• Make a determination dismissing the complaint or

• Find the complaint substantiated and make a determination that includes one or more of the following:

– A declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant

– A declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

Other Privacy Laws and Regulations: The Telecommunications Act 1997 has a number of provisions that deal with privacy of personal information held by carriers, carriage service providers and others. Part 6 provides for the development of industry codes and standards for the protection and privacy of consumer information. Part 13 sets out strict rules for carriers, carriage service providers and others in their use and disclosure of personal information.

The Privacy Act (and specific secrecy provisions in other legislation) protects information collected by the government through the Medicare and Pharmaceutical Benefit schemes. Due to its sensitivity, the handling of MBS and PBS information is also regulated by legally binding guidelines issued by the Information Commissioner. The guidelines:

1. Require that claims information from the MBS and PBS is not stored together

2. Specify when claims information from the two programs may be linked

3. Prohibit claims information over five years old from including information that could identify an individual

4. Specify the circumstances in which old information may be re-linked.

The Data-Matching Program (Assistance and Tax) Act 1990 regulates the use of the tax file number in comparing personal information held by the Australian Taxation Office and by assistance agencies.

The Crimes Act 1914 contains Part VIIC, which limits the use of old criminal convictions and provides protection against unauthorised use and disclosure of this information.

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 amends the Privacy Act so that small businesses are reporting entities for the purposes of the Act and have reporting responsibilities to AUSTRAC.

The Healthcare Identifiers Act 2010 (the HI Act) establishes the Healthcare Identifiers Service (the HI Service) and prescribes how healthcare identifiers will be assigned, how they can be used and disclosed. There are also Healthcare Identifier Regulations that expand on the requirements in the HI Act. Healthcare providers can only access, use or disclose healthcare identifiers for the limited purposes set out in the HI Act.

NEWSFLASH: Just as this book was going to press, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) was introduced into the Australian Parliament on 23 May 2012. The Bill implements the major legislative elements of the Australian Government’s first-stage response to the Australian Law Reform Commission report, For Your Information: Australian Privacy Law and Practice.

The key amendments the Bill introduces to the Privacy Act 1988 (Cth) (Privacy Act) are as follows:

• Repeal of the National Privacy Principles for the private sector and Information Privacy Principles for the public sector. These are replaced by a single set of 13 Australian Privacy Principles (APPs) that will be applicable to both Commonwealth agencies and private sector organisations (known as APP entities). The APPs broadly follow the form and content of the exposure draft APPs, but contain a number of changes;

• Expanding the powers of the Commissioner with respect to investigations, resolution of complaints and increased powers regarding the assessment of an APP entity’s privacy compliance;

• More comprehensive credit reporting with improved privacy protections for individuals. The existing credit reporting provisions in Part IIIA of the Privacy Act 1988 will be repealed and replaced by an updated, modernised and more comprehensive credit reporting framework;

• Introducing new provisions on privacy codes and the credit reporting code, including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations.


NEW SOUTH WALES

Overview: New South Wales has adopted its own privacy and data protection legislation, including the Workplace Surveillance Act 2005, which is one of the more stringent and well-written laws on privacy in the workplace.

Enacted: 2005

General Privacy Laws: The Privacy and Personal Information Protection Act 1998 No. 133 (NSW) (PPIP Act) deals with how all New South Wales public sector agencies manage personal information. The Act sets out the role of the Office of the New South Wales Privacy Commissioner.

While the PPIP applies primarily to the New South Wales public sector, it also gives the New South Wales Privacy Commissioner the power to investigate and conciliate privacy breaches by organisations and individuals who are not public sector agencies.

Personal Data Protection Laws and Regulations: Privacy and Personal Information Protection Act 1998 No. 133 (NSW).

Type of Data Protected: The PPIP protects “personal information”, which means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Workplace Privacy Laws: The Workplace Surveillance Act 2005 No. 47 became effective in the State of New South Wales, Australia on 1 February 2007. This legislation permits an employer to monitor employees’ activities overtly, where the employees are given written notice of the manner, nature and duration of the surveillance. Covert surveillance may also take place where the employer has first obtained the necessary legal approval to do so. Surveillance will be lawful and overt where an employer gives employees at least 14 days’ written notice of the surveillance before it begins. The notice must specify the following:

• The type of surveillance that will be carried out (e.g., computer, camera, etc.)

• How the surveillance will be carried out

• When the surveillance will start

• Whether the surveillance will be continuous or intermittent and

• Whether the surveillance will be for a specified limited period or ongoing.

Notice to new employees: Section 10 of the Workplace Surveillance Act states that notice must be given at least 14 days before the surveillance commences, unless an employee agrees to a lesser period of notice. Section 10 also sets out the requirements for providing notice to new employees. Section 10 (3) provides: “If surveillance of employees at work for an employer has already commenced when an employee is first employed, the notice to that employee must be given before the employee starts work.”

Computer surveillance: Section 12 of the Workplace Surveillance Act states that computer surveillance must not be carried out unless:

• The surveillance is carried out in accordance with a policy of the employer on computer surveillance of employees at work and

• The employee has been notified in advance of that policy in such a way that it is reasonable to assume that the employee is aware of and understands the policy.

Blocking emails or internet access: Section 17 provides that an employer: “Must not prevent or cause to be prevented, delivery of an email sent to or by or access to an Internet website by, an employee of the employer, unless:

• The employer is acting in accordance with a policy on email and Internet access that has been notified in advance to the employee in such a way that it is reasonable to assume that the employee is aware of and understands the policy and

• In addition, in the case of preventing of delivery of an email, the employee is given notice (a prevented delivery notice) as soon as practicable by the employer, by email or otherwise, that delivery of the email has been prevented, unless this section provides a prevented delivery notice is not required.” The Act provides several practical exceptions to the requirements for the prevented delivery notice.

Use limitations: The information captured as a result of surveillance can only be used or disclosed if:

• The use or disclosure is for a legitimate purpose related to the employment of employees of the employer or the legitimate business activities or functions of the employer

• Disclosure is to a member or officer of a law enforcement agency for use in connection with the detection, investigation or prosecution of an offence

• The use or disclosure is for a purpose that is directly or indirectly related to the taking of civil or criminal proceedings

• The use or disclosure is reasonably believed to be necessary to avert imminent threat of serious violence to persons or of substantial damage to property.

Overt video surveillance: In New South Wales, overt video surveillance is regulated by the Code of Practice for the use of Overt Video Surveillance in the Workplace, issued by the New South Wales Department of Industrial Relations. Surveillance is “overt” if it is clearly visible to a person in the surveillance area.


NEW SOUTH WALES (CONTINUED)

Transborder Transfer: PPIP allows transfer if there is a reasonable belief that the data will be subject to a “law, binding scheme or contract” that “effectively” imposes fair processing obligations similar to those in the Australian Act.

Section 5B of the Federal Privacy Act sets the standard for the extra-territorial reach of Australian privacy law.

National Privacy Principle 9 applies to transfers of information outside of Australia and ensures that any information transferred will not be held, used or disclosed inconsistently with the NPPs.

Fines and Sanctions: N/A

Other Privacy Laws and Regulations

• Health Records and Information Privacy Act 2002

• Freedom of Information Act 1989

• State Records Act 1998

• Criminal Records Act 1991 (Spent Convictions)

• Listening Devices Act 1984

• Workplace Surveillance Act 2005

• Telecommunications (Interception and Access) (New South Wales) Act 1987

• Access to Neighbouring Land Act 2000, esp. §16 and §26.

• Crimes (Forensic Procedures) Act 2000.


AUSTRALIAN CAPITAL TERRITORY

Overview: The Federal Privacy Act, in a slightly amended version, applies to Australian Capital Territory government agencies and is administered by the Privacy Commissioner on behalf of the ACT government.

Enacted: The Australian Capital Territory (ACT) has enacted a slightly amended version of the Federal Privacy Act. The Australian Capital Territory Government Service (Consequential Provisions) Act 1994 No. 92 (Cth) applies to Australian Capital Territory governmental agencies and is administered by the Privacy Commissioner on behalf of the ACT government.

ACT has also enacted a number of laws regulating the privacy of health information.

General Privacy Laws: Privacy Act (1988)

The ACT has also enacted the Human Rights Act 2004, which incorporates a right for an individual not to have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily.

Personal Data Protection Laws and Regulations: The Act applies to “personal information”, which is information that identifies an individual or could identify the individual.

Type of Data Protected: The Federal Privacy Act, in a slightly amended version, applies to Australian Capital Territory government agencies and is administered by the Privacy Commissioner on behalf of the ACT government.

In 1992, the Australian Capital Territory enacted the Listening Devices Act, which applies to “listening devices” and the interception of “conversations”. There are a number of exceptions to this act, however, which allow parties with legitimate reasons to record private conversations.

In 2004, the Australian Capital Territory (ACT) became the first Australian jurisdiction to incorporate a bill of rights when it passed the Human Rights Act of 2004 (HRA). Section 12 provides that everyone has the right: “not to have his or her privacy, family, home or correspondence interfered with unlawfully or arbitrarily.” HRA specifically incorporates international law and international human rights standards into local ACT law by requiring all ACT laws to be interpreted consistently with human rights, “as far as possible”. It is likely that this new law will have an impact on all areas of privacy, including workplace monitoring. Pending further clarification organisations should follow the recommendations of the Australian Privacy Commissioner.

Workplace Privacy Laws: Law allows transfer if there is a reasonable belief that the data will be subject to a “law, binding scheme or contract” that “effectively” imposes fair processing obligations similar to those in the Australian Act.

• Section 5B of the Federal Privacy Act.

• National Privacy Principle 9.

Transborder Transfers: The Privacy Act regulates handling of personal information in Australia and originating from Australia. Under Australian Law, specifically National Privacy Principle (NPP) 9, if an organisation’s overseas activity is required by the law of a foreign country, then it does not interfere with the privacy of an individual under Australian Law. An organisation may transfer personal information overseas provided that one of the following conditions is satisfied:

1. The organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs

2. The individual consents to the transfer

3. The transfer is for the benefit of the individual and it is impracticable to obtain consent, but it is likely consent would be given

4. The transfer is required by a contract between the individual and the organisation or a contract between the organisation and a third party in the interests of the individual or

5. The organisation has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles.

Fines and Sanctions: N/A

Other Privacy Laws and Regulations: The Federal Privacy Act, in a slightly amended version, applies to Australian Capital Territory government agencies and is administered by the Privacy Commissioner on behalf of the ACT government.

• Australian Capital Territory Government Service (Consequential Provisions) Act 1994

• Health Records (Privacy and Access) Act 1997

• Human Rights Act 2004

• Freedom of Information Act 1989

• Territory Records Act 2002 (public records)

• Human Rights Act 2004 (right to privacy)

• Spent Convictions Act 2000

• Listening Devices Act 1992.


NORTHERN TERRITORY

Overview: Limited privacy legislation.

Enacted: 2002

General Privacy Laws: The Information Act 2002 No. 62 (NT) contains certain privacy provisions that are overseen by the Information Commissioner for the Northern Territory. The Information Commissioner is the independent authority and is also responsible for overseeing the Information Act. The Act applies to the public sector.

Personal Data Protection Laws and Regulations: Northern Territory Information Act 2002 (Information Act). The Information Act covers the protection of personal information, record keeping and archive management of information held in the public sector.

Type of Data Protected: Personal information means government information from which a person’s identity is apparent or is reasonably able to be ascertained.

Workplace Privacy Laws: N/A

Transborder Transfers: N/A

Fines and Sanctions: The law provides for civil and criminal sanctions for violations. Conviction of a criminal act can result in imprisonment from six months to two years.

Other Privacy Laws and Regulations

• Criminal Records (Spent Convictions) Act 1992

• Surveillance Devices Act 2007

• Telecommunications (Interception) Northern Territory Act 2001.


QUEENSLAND

Overview: State laws are similar to those of the federal government.

Enacted: No comprehensive privacy law regulating the private sector.

General Privacy Laws: No comprehensive privacy law regulating the private sector.

The Information Privacy Act 2009 regulates the handling of personal information by Queensland government agencies. It contains 11 Information Privacy Principles, which set out the way that all Queensland government agencies except Queensland Health are to handle personal information. It also contains nine National Privacy Principles, which set out the way that Queensland Health is to handle personal information.

Personal Data Protection Laws and Regulations: Information Privacy Act 2009.

Type of Data Protected: Personal information is information or an opinion, including information or an opinion forming part of a database, whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion.

Workplace Privacy Laws: No legislation relevant to workplace monitoring.

Transborder Transfers: No legislation relevant to transborder transfers of personal data.

Fines and Sanctions: Provides for limited penalties.

Other Privacy Laws and Regulations

• Right to Information Act 2009

• Public Records Act 2002

• Criminal Law (Rehabilitation of Offenders) Act 1986 (spent convictions)

• Invasion of Privacy Act 1971 (listening devices, invasion of privacy of the home)

• Whistleblowers Protection Act 1994

• Police Powers and Responsibilities Act 2000 (Chapter 4 deals with covert evidence-gathering powers)

• Private Employment Agents (Code of Conduct) Regulation 2005 (provisions 14 and 15 deal with work seekers’ information and the need to ensure it is not disclosed or improperly used).


SOUTH AUSTRALIA

Overview: Limited privacy legislation.

Enacted: N/A

General Privacy Laws: No comprehensive privacy law regulating the private sector.

Personal Data Protection Laws and Regulations: South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles and has established a Privacy Committee.

South Australia also has a Code of Fair Information Practice based on the National Privacy Principles. This Code applies to the South Australian Department of Health and its funded service providers and to others with access to the Department’s personal information.

Type of Data Protected: Personal information.

Workplace Privacy Laws: No legislation relevant to workplace monitoring.

Transborder Transfers: No legislation relevant to transborder transfers of personal data.

Fines and Sanctions: N/A

Other Privacy Laws and Regulations

• Freedom of Information Act 1991

• State Records Act 1997

• Listening and Surveillance Devices Act 1972

• Telecommunications (Interception) Act 1988.


TASMANIA

Overview

Limited legislation regulating privacy in the private sector.

Enacted

2004

General Privacy Laws

The Personal Information and Protection Act 2004, which came into effect on 5 September 2005. It applies to the public and local government sectors and the University of Tasmania.

Personal Data Protection Laws and Regulations

The Personal Information and Protection Act 2004 regulates the collection, maintenance, use and disclosure of personal information by personal information custodians (the Tasmanian public sector, local government authorities in Tasmania and the University of Tasmania).

Type of Data Protected

Personal information.

Workplace Privacy Laws

No legislation relevant to workplace monitoring.

Transborder Transfers

No legislation relevant to transborder transfers of personal data.

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

• Freedom of Information Act 1991

• State Records Act 1997

• Listening and Surveillance Devices Act 1972

• Telecommunications (Interception) Act 1988.


VICTORIA

Overview

Well-developed privacy laws and enforcement. Modelled after the privacy laws of the federal government.

Enacted

2000

General Privacy Laws

The Information Privacy Act 2000 No. 98 (Vic) came into effect on 1 September 2002. The Act covers the handling of all personal information except health information in the public sector in Victoria. This Act adopts the Information Privacy Principles, which are similar to the NPPs set out in the Federal Privacy Act.

Personal Data Protection Laws and Regulations

Victoria’s Information Privacy Act 2000 applies where personal information is recorded. This includes personal information in almost any format, including computer records, email and other electronic communications.

Type of Data Protected

Victoria’s Information Privacy Act 2000 applies where personal information is recorded.

Workplace Privacy Laws

The Office of the Victorian Privacy Commissioner has provided guidance on workplace monitoring. In the guidance, entitled “Workplace Privacy: April 2003”, the Victorian Privacy Commissioner lists the laws and principles that employers must consider before engaging in monitoring. Among the laws that must be considered is the Surveillance Devices Act 1999, which controls the use of surveillance technology and restricts the communication and publication of private conversations and activities. In addition, Victoria’s Information Privacy Act 2000 applies where personal information is recorded, which includes personal information in almost any format, including computer records, email and other electronic communications. The Privacy Commissioner’s Annual Report for 2006-2007 notes that a large number of complaints received by the Privacy Commissioner’s Office related to monitoring in the workplace. The Privacy Commissioner’s response is as follows: “For such enquiries, Privacy Victoria staff inform enquirers that even if the private sector employer does not fall within the small business exemption of the Privacy Act and is bound by it, the Act nevertheless contains an exemption in relation to personal information of employees. This is to ensure that the enquirer understands the limits of jurisdiction before being referred.”

On July 25, 2006, Victoria became the first Australian State to enact a Bill of Rights when the Victorian Parliament passed the Victorian Charter of Human Rights and Responsibilities 2006. The Charter took legal effect on 1 January 2007. Section 13 of the Victorian Charter provides that a person has the right “not to have his or her privacy, family, home or correspondence unlawfully or arbitrarily interfered with”.

It is likely that this Bill of Rights will have an impact on all areas of privacy, including workplace monitoring. In light of the exemption of employee information from privacy legislation, it is not yet clear how the new Victorian law may affect the overall privacy rights of individuals if monitoring is lawful and not conducted arbitrarily.

Transborder Transfers

Governed by Principle 9 of the Information Privacy Act, which allows an organisation to transfer personal data to someone outside of Victoria only if:

1. The organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of information that are substantially similar to the Information Privacy Principles or

2. The individual consents to the transfer or

3. The transfer is necessary for the performance of a contract between the individual and the organisation or for the implementation of pre-contractual measures taken in response to the individual’s request or

4. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party or

5. All of the following apply:

   i. The transfer is for the benefit of the individual

   ii. It is impracticable to obtain the consent of the individual to that transfer

   iii. If it were practicable to obtain that consent, the individual would be likely to give it or

6. The organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.

Fines and Sanctions

A compliance notice can be issued to a defendant. The Privacy Commissioner can issue a notice requiring the production of documents and information.

Other Privacy Laws and Regulations

• Health Records Act 2000

• Charter of Human Rights and Responsibilities Act 2006

• Freedom of Information Act 1982

• Public Records Act 1973

• Surveillance Devices Act 1999

• Telecommunications (Interception) (State Provisions) Act 1988.


HONG KONG SAR

Overview

Well-developed privacy laws. Active privacy commissioner; however, limited authority and limited basis for privacy enforcement.

Enacted

1996 [1]

General Privacy Laws

Article 29 of the Basic Law establishes the basic principle that the homes of Hong Kong citizens are “inviolable”.

Article 30 of the Basic Law establishes the basic principle that the freedom and privacy of communication of Hong Kong residents is protected by law. No one shall infringe on the rights and freedom of privacy in communication except in accordance with legal requirements for the protection of public security and the investigation of criminal offenses.

Personal Data Protection Laws and Regulations

The Personal Data (Privacy) Ordinance (PDPO) came into effect in 1996, with the exception of the provisions concerning the transfer of data outside of Hong Kong and data matching.

PDPO adopted six fair information practices to regulate notice, collection, accuracy, use, security and access regarding personal data which is defined as “any representation of information (including an expression of opinion) in any document and includes a personal identifier”. The ordinance applies to public and private “data users” and to manual and electronic records.

Violations of the Ordinance can be either civil or criminal offenses.

The Office of the Privacy Commission has issued a number of codes of conduct, including the Privacy Guidelines: Monitoring and Personal Data Privacy at Work (The Guidelines).

Type of Data Protected

Personal information.

Workplace Privacy Laws

The Privacy Guidelines: Monitoring and Personal Data Privacy at Work provide guidance for assessing whether employee monitoring is appropriate and for determining how employers can develop privacy-compliant practices in the management of personal data obtained from employee monitoring.

The Office of the Privacy Commissioner initially planned on releasing a statutory code of practice. However, strong opposition to the draft by employers made the PCO proceed with non-binding guidelines.

[1] In July 2011, a Personal Data (Privacy) (Amendment) Bill 2011 was put forward; it would create more than a dozen new criminal offences for privacy violations. The Bill makes a number of other changes, including creating an offence for wrongfully disclosing personal information without permission.

The Guidelines verify that the PDPO applies to employee monitoring activities whereby personal data of employees is collected in recorded form.

Guidelines seek to offer practical guidance on the steps that should be taken by employers when they monitor employees using the following methods: telephone monitoring, Internet monitoring, video monitoring and email monitoring.

Guidelines recognize that an employer has the right to direct employees’ work activities and to reasonably monitor such activities; however, monitoring should be balanced against the employees’ right to privacy.

Guidelines provide that monitoring should take into account the following:

• Legitimate purpose: Monitoring should serve a legitimate purpose that relates to a given function and should be confined to include only the activities of the employees at work

• Least intrusive method: Monitoring should be carried out by the least intrusive means and with the least harm to the privacy interests of employees

• Transparency: Employers are encouraged to document the evaluation process they have undertaken and share it with their employees, in order to indicate transparency and inform employees of the rationale behind the monitoring

• Targeted: Monitoring should be confined as much as possible to include only high risk areas of the business and conducted selectively at certain times (rather than on a perpetual basis)

• Stated purpose: Monitoring should be conducted in an overt manner and for reasons identified in advance of monitoring

• Limitations: Monitoring should not take place in areas that contain a reasonable expectation of privacy (i.e., bathroom).

Employers who monitor are accountable for properly conducting their monitoring activities, including the creation of a privacy policy pertaining to employee monitoring. The policy should be given to employees before monitoring is introduced.

Employers are liable for the provisions of the PDPO for the proper management of personal data collected while conducting employee monitoring. The legal obligation extends to acts and practices undertaken by a third party acting on behalf of the employer.

Employers should be aware that their employee monitoring practices may be subject to investigation by the Commissioner in any alleged breach of the PDPO. An investigation would ask the employer to provide evidence of the following:

• Monitoring is only carried out to the extent necessary to deal with the legitimate business purpose of the employer

• Personal data collected in the course of monitoring is kept to an absolute minimum and is collected by means that are fair in the circumstances

• A written policy showing that employee monitoring has been implemented and that steps have been taken to communicate that policy to employees in advance of monitoring

• Additional best practices, including designation of personnel authorised to conduct monitoring, criteria for accessing monitoring records, the retention period for holding recorded information, security measures regarding storage of records and the location and effective times associated with how the monitoring will occur.

Employees should be informed of the consequences associated with any breach of the employer’s policy.

Employers should ensure that their employees are able to exercise their right to access their own personal data collected in the course of employee monitoring, subject to the provisions of the PDPO.

Personal data should not be used for any purpose other than the purpose identified at the time of collection.

All practical steps should be taken to ensure that personal data held is protected against unauthorised access.

Transborder Transfers

Section 33 of the Ordinance prohibits the transfer of personal data to places outside of Hong Kong unless one of a number of conditions is met. Section 33 covers two situations, namely transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user. The conditions are:

• The place to which the data are transferred has in force “any law which is substantially similar to or serves the same purposes as, this Ordinance”. The Privacy Commissioner may specify a place satisfying this requirement by publishing a notice in Hong Kong’s gazette

• The data subject has consented in writing to the transfer

• The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject, it is not practicable to obtain the data subject’s consent, and if it were practicable, such consent would be given

• The data are exempt from data protection principle 3 by virtue of an exemption under “Part VII-Exemptions” of the Ordinance

• The data user has taken “all reasonable precautions and exercised all due diligence to ensure” that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance.

The Commissioner has also prepared a Model Contract for use in transferring personal data out of Hong Kong.

Fines and Sanctions

The sanctions for breaches of privacy law in Hong Kong are contained in the Personal Data (Privacy) Ordinance (PDPO). Schedule 1 of the PDPO sets out six data protection principles (DPPs) with which users of personal data must comply.

Where there is a contravention of a DPP, the Privacy Commissioner can, if it deems appropriate, issue an enforcement notice to the user of the personal data, requiring them to take specific action in order to ensure future compliance with the DPP. Failure to comply with this enforcement notice constitutes a criminal offence, rendering the non-compliant party liable to two years’ imprisonment and a HKD 50,000 fine (USD 6,500). If the offence is of a continuing nature, an additional fine of HKD 1,000 (USD 130) per day also applies.

Section 66 of the PDPO provides that an individual who suffers damage by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.

Other Privacy Laws and Regulations

There are numerous sector-specific laws regulating privacy, secrecy and confidentiality.


INDIA

Overview

Until recently, India had limited development of privacy laws and regulations. In April 2011, the Government of India issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules), which were issued under the Information Technology Act 2000.

The Privacy Rules are primarily focused on the protection of “sensitive personal data or information” which is defined to mean personal information that contains information relating to passwords; financial information; physical, physiological and mental health condition; sexual orientation; medical history and records; and biometric information. Sensitive information can be collected and processed only for a lawful purpose and only after obtaining consent.

Because the Privacy Rules immediately drew significant criticism from around the globe, the Indian Government has stated that it will clarify the rules.

Enacted

The Privacy Rules were released in April 2011.

General Privacy Laws

The Constitution of 1950 does not specifically recognize the right to privacy. In 1964, however, the Supreme Court of India noted that there is a right of privacy implicit in the Constitution, which provides: “No person shall be deprived of his life or personal liberty except according to procedure established by law.”

Indian law recognizes a general right of privacy. This has been made clearer with the release of the Privacy Rules.

In Kharak Singh v. State of Uttar Pradesh, the Supreme Court of India held that the right to privacy was an “essential ingredient of personal liberty” which is “a right to be free from restrictions or encroachments”.

In Gobind v. State of Madhya Pradesh, the Indian Supreme Court recognized a right to privacy derived from the constitutional rights to free speech, to personal liberty and to move freely within the country.

Personal Data Protection Laws and Regulations

In 2000, the Indian Information Technology Act went into effect. This law makes punishable cyber crimes such as hacking, damage to computer source code and breaches of confidentiality and privacy. This law is unlikely to be applied to workplace monitoring, as it has no direct application to such monitoring. Instead, the Act is intended to provide a comprehensive regulatory environment for electronic commerce. The Privacy Rules do not specifically address workplace monitoring.

Type of Data Protected

Sensitive personal data.

Workplace Privacy Laws

India has no legislation or regulations concerning monitoring in the workplace.

Due to growing concerns about employee theft of data and/or misuse of information, there has been an effort to curb employee fraud. In the BPO sector, a central employee database has been created by the National Association of Software and Service Companies (NASSCOM). This registry endeavours to house updated information on employees working in the IT and BPO sector. The media has reported that employees in the IT and BPO industries will be required to join this registry.

Transborder Transfers

The Privacy Rules prescribe restrictions on the transfer of data. Any such transfer must be undertaken only with the consent of the data subject and only if necessary for the performance of a contract. At all times, sensitive personal data or information must be transferred only to another corporate entity that ensures the same level of data protection as that provided under the Privacy Rules.

Fines and Sanctions

If an organisation has agreed to practices and procedures for the protection of data and then violates those, the violator is liable for damages to those affected by the violation.

Other Privacy Laws and Regulations

N/A


INDONESIA

Overview

There is no comprehensive legal framework for privacy and data protection in the private sector.

Enacted

2008

General Privacy Laws

No constitutional or other legal protections related to personal data privacy.

Personal Data Protection Laws and Regulations

No general personal data protection laws have been enacted.

Law No. 11/2008 regarding electronic transactions and information pertains to information and transactions in electronic form. Under this law, any use of private or personal information through electronic media can only be carried out with the prior consent of the individual concerned, unless the law stipulates otherwise.

Type of Data Protected

Personal information.

Workplace Privacy Laws

No workplace privacy laws, regulations or guidelines have been enacted.

Transborder Transfers

No specific legislation regarding transborder transfers of personal information.

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

N/A


JAPAN

Overview

Japan has become much more active in the privacy arena over the last decade.

Enacted

2003

General Privacy Laws

Article 13 of the Japanese Constitution provides that: “The right to life, liberty and the pursuit of happiness shall ... be the supreme consideration in legislation and in other government affairs.”

In 1963, the Japanese Supreme Court first recognized a substantial right to privacy based on Article 13. Court precedent has established a general right to privacy.

Personal Data Protection Laws and Regulations

On May 30, 2003, the Act Concerning the Protection of Personal Information (also called the Personal Information Protection Act) (PIPA) was enacted after almost five years of debate in the Diet (the Japanese Parliament). The Act has an important exemption from its coverage: organisations that hold personal data relating to 5,000 people or fewer, and ordinary private use of personal information, are exempt from the requirements of the law.

PIPA has two main parts:

• Basic Ideals and Principles: This part covers both the public and private sector and was created as a guideline for the framework for future privacy protections

• General Provisions: Sets up guidelines for the protection of personal information in the private sector, outlining how organisations must handle personal data.

PIPA adopts a self-regulatory approach to managing privacy in the public sector and allows agency ministers to mediate complaint settlement regarding personal data usage disputes. Failure to abide by a minister’s decision could result in prison terms or fines. Ministers’ authority does not extend to information provided by the media.

Four personal information protection bills were enacted along with PIPA and cover: private business, government organisations and independent administrative agencies.

The Cabinet Office directed each Ministry to create its own guidelines concerning personal information protection. Each Ministry has published individual guidelines aimed at regulating use of personal information in the private sector.

Various Japanese ministries have issued guidelines on the use of personal information pursuant to the Law on the Protection of Personal Information. In the three years since the Act went into effect, Japanese ministries have developed new guidelines and amended existing guidelines regarding the protection of personal information. The activities of a majority of businesses are covered by the guidelines promulgated by one of the following agencies: the Ministry of Economy, Trade and Industry (METI); the Ministry of Health, Labour and Welfare; the Financial Services Agency; the Ministry of Internal Affairs and Communications; and the Ministry of Land. As of 1 September 2007, these ministries had established 35 sets of guidelines, covering 22 business areas.

There is no specific legislation related to registration of data processing.

Type of Data Protected

Personal information.

Workplace Privacy Laws

There are currently no laws or regulations regarding workplace monitoring in Japan.

Organisations wishing to monitor in Japan should look at the METI Guidelines. The guidelines provide that an employer should:

1. Specify the purposes of monitoring

2. Create a privacy policy that incorporates specifics relating to monitoring

3. Designate a person responsible for monitoring and

4. Perform audits and confirm that monitoring is being conducted fairly.

Culturally, workplace monitoring has not been as prevalent in Japan as in the United States, Britain and other trading partners.

Private surveillance in the workplace is on the rise in Japan. The Japanese Institute of Labour reports that 35% of Japanese organisations are monitoring their employees’ email and web use, citing fear of viruses, sexual harassment and other concerns.

According to a 2006 survey of 139 organisations conducted by the Institute of Labour Administration, 17.4% of employers monitor their employees’ incoming and outgoing emails and 42% keep a record of the emails.


On September 13, 2004, the Tokyo District Court decided a case on the investigation of employees’ computer use by employers. The court stated: “Whether or not the employers’ act is an invasion of privacy rights of employees that goes against public policy depends on whether, balanced against the drawbacks suffered by the employees, the purpose or manner of the investigation goes beyond the bounds of socially acceptable limits. If there are acts that violate the corporate order, employers may investigate the factual relationships regarding the content, manner and degree of the violating acts and employees must cooperate with the employer pursuant to their employment contract, but it is sufficient for such cooperation to be within the range necessary and rational in order for the employer to smoothly conduct operations.”

Transborder Transfers

Although there is a general restriction on transfers to third parties, there is no separate restriction on the transborder transfer of personal data from Japan to a third country.

Fines and Sanctions

The sanctions for breaches of privacy law in Japan are contained in Chapter 6 of the Act on the Protection of Personal Information 2003. Pursuant to Article 34, where a data user is in contravention of certain provisions of the Act, the competent Minister may issue a recommendation that the contravention be ceased and that necessary measures be taken to correct the violation. If the Minister considers that the infringement is imminent or considers it necessary to take measures urgently, the Minister may order that the contravention be ceased. Article 56 contains the sanction for non-compliance with these orders: an entity that violates orders issued under Paragraph 2 or 3 of Article 34 shall be sentenced to imprisonment of not more than six months or to a fine of not more than JPY 300,000 (USD 2,500).

Other Privacy Laws and Regulations

Japan has a number of sector-specific privacy, secrecy and confidentiality laws.



MALAYSIA

Overview

Malaysia recently passed the Personal Data Protection Act (PDPA).

Enacted

2010

General Privacy Laws

The Constitution of Malaysia does not specifically recognize a right to privacy.

Personal Data Protection Laws and Regulations

Personal Data Protection Act.

The PDPA applies only to personal data processed in Malaysia. Federal and State governments are excluded from complying, whereas credit reporting or referencing agencies will be separately regulated by another law.

Type of Data Protected

The Act protects “personal data”. In order to qualify as “personal data”, the data must relate, either directly or indirectly, to a data subject who can be identified from the data. The data must also be capable of being recorded and be capable of automatic or manual processing. “Sensitive personal data”, which requires explicit data subject consent, includes medical history, religious beliefs, political opinions and the commission or alleged commission of any offence.

Workplace Privacy Laws

There are no laws or regulations regarding workplace monitoring.

Transborder Transfers

The PDPA specifies that no personal data may be transferred outside Malaysia unless the place has been specified by the Minister. Notwithstanding this, such a transfer may take place if, among other conditions, the data subject has given consent, the transfer is necessary for the performance of a contract with the data user, the data user has taken reasonable steps to ensure that the data will not be processed in a manner which would contravene the PDPA, or the transfer is necessary to protect the data subject’s vital interests.

Fines and Sanctions

The penalties for breaching the PDPA include the imposition of fines and/or a term of imprisonment not exceeding two years. Directors, CEOs, COOs, managers or other similar officers have joint and several liability for non-compliance by the body corporate, subject to the due diligence defence. The Commissioner is not empowered to order compensation for damage and there is no express right to pursue a civil claim for non-compliance.

Other Privacy Laws and Regulations

A number of internal security laws raise implications for privacy. These include laws regarding surveillance, identity cards and the Internal Security Act.


NEW ZEALAND

Overview

New Zealand has well-developed privacy and data protection legislation. The Privacy Act was passed in April 1993. The Act applies to almost every person, business or organisation in New Zealand. It sets out 12 information privacy principles, which guide how personal information can be collected, used, stored and disclosed.

Enacted

1993

General Privacy Laws

The New Zealand Court of Appeal has interpreted Article 21 of the New Zealand Bill of Rights Act of 1990 as protecting the right to privacy. Article 21 provides: “Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property or correspondence or otherwise.”

Personal Data Protection Laws and Regulations

New Zealand’s Privacy Act of 1993:

• Regulates the collection, use and dissemination of personal information in both the public and private sectors

• Grants individuals the right to access their personally identifiable information held by any agency

• Creates 12 Information Privacy Principles (IPPs) based on the 1980 Organisation for Economic Co-operation and Development (OECD) guidelines and the information privacy principles in Australia’s Privacy Act of 1988.

Authority concerning data protection rights is granted to the Office of the Privacy Commissioner, an independent oversight authority that was created in 1991 as part of the Privacy Commissioner Act.

Type of Data Protected

Personal data.

Workplace Privacy Laws

Employers must obtain the consent of employees and have the appropriate policies in place for such monitoring. Otherwise, any workplace monitoring must be done in accordance with the Privacy Act of 1993.

Commentators in New Zealand widely report that it is accepted practice for employers to monitor employees’ email sent from work computers.

The New Zealand Privacy Commissioner has provided a “how-to guide” for employers that gives the following steps for conducting workplace monitoring:

• Determine a legitimate justification for monitoring

• Develop a draft policy setting out why monitoring will take place and when it will occur (e.g., on a regular basis, only on suspicion that something inappropriate has happened, etc.)

• Circulate the draft policy to employees and discuss it with them or their union

• Remind everyone why monitoring is necessary

• Listen to feedback

• Make any necessary adjustment to the policy and issue it.

In Clarke v. Attorney General [1997] ERNZ 600, the Employment Court was unsympathetic to the claims of three employees who were dismissed for exchanging offensive emails.

Under the Privacy Act, employers may undertake monitoring in the workplace under certain conditions: there must be a lawful purpose and the information collected must be necessary to achieve that purpose. Employers must ensure that unfair or unreasonably intrusive means are not used during monitoring.

Covert monitoring in the workplace is permitted if open monitoring would prejudice the purpose for which emails are to be monitored. In such cases, employee consent is not required.

Transborder Transfers

There are no provisions in the Privacy Act related to data registration.

Part 11A regulates the transfer of personal information outside of New Zealand. The law authorises the Commissioner to prohibit the transfer of personal information outside of New Zealand to a country where the data will not be protected or where its processing would violate the privacy principles under the Act.


Fines and Sanctions

There are numerous enforcement mechanisms under the Act, including proceedings before the Human Rights Commission, the Privacy Commissioner and the courts. Successful plaintiffs can recover damages, costs and attorneys’ fees.

Other Privacy Laws and Regulations

There are numerous privacy codes that have been recognized by the Privacy Commissioner. These codes of practice include the following:

• Credit Reporting Privacy Code

• Expired and Revoked Codes of Practice

• Health Information Privacy Code

• Justice Sector Unique Identifier Code

• Superannuation Schemes Unique Identifier Code

• Telecommunications Information Privacy Code.

There are also numerous sector-specific laws regulating privacy and data protection.


PAKISTAN

Overview

Pakistan is not a member of APEC, nor is it currently involved in the development of the Privacy Framework.

There has been discussion in the Pakistan government regarding the need for privacy legislation. There has also been a draft of proposed privacy legislation circulated for public comment, but no further action has been taken.

Enacted

N/A

General Privacy Laws

N/A

Personal Data Protection Laws and Regulations

N/A

Type of Data Protected

N/A

Workplace Privacy Laws

N/A

Transborder Transfers

N/A

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

The Electronic Data Protection and Safety Act 2005 is only draft legislation.

No laws relating to data registration.

A spam law was enacted in 2005.


PHILIPPINES

Overview

On 22 January 2008, the Philippines Supreme Court issued a “Resolution” on the Writ of Habeas Data and how it can be used.

Enacted

22 January 2008 – Supreme Court issues Resolution.

General Privacy Laws

Constitution Sections 2 and 3 recognize the right of privacy, including the privacy of communications and correspondence.

There are no general laws regarding data protection and privacy. However, the general right to privacy is recognized by the Philippine Civil Code. In addition, there are data privacy obligations scattered throughout various pieces of legislation, such as the Philippines Electronic Commerce Act. Furthermore, the Philippine legal system recognizes the validity of confidentiality or non-disclosure clauses in contracts.

In January 2008, the Supreme Court of the Philippines issued a new Rule on the Writ of Habeas Data. This rule provides individuals with the legal right and ability to obtain access to their personal data.

The E-Commerce Law (Republic Act No. 8792) provides for the confidentiality of electronic communications.

Personal Data Protection Laws and Regulations

The Writ of Habeas Data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.

Type of Data Protected

Personal information.

Workplace Privacy Laws

No relevant laws on workplace monitoring.

Transborder Transfers

No law relating to the transborder transfer of personal information.

Fines and Sanctions

The laws on the Writ of Habeas Data provide for sanctions for government officials and others who refuse to comply with a writ. Violators can be held in contempt of court.

Other Privacy Laws and Regulations

The Law on Secrecy of Bank Deposits (Republic Act 1405) prohibits the disclosure of or inquiry into deposits with a financial institution. Penalties are provided.


SINGAPORE

Overview

There is no general data protection or privacy law in Singapore.

General Privacy Laws

The Singapore Constitution’s Bill of Rights grants individuals the right to privacy.

Personal Data Protection Laws and Regulations

Singapore has no overarching legislation for the protection of personal data. The Ministry of Finance has a small department handling privacy and data protection matters, primarily under banking-specific legislation.

Under Singapore’s common law, confidential information may be protected under a duty of confidence, which usually arises under a contractual obligation.

Personal information is also protected under sector-specific laws such as the Banking Act, the Statistics Act, the Official Secrets Act and the Statutory Bodies and Government Companies (Protection of Secrecy) Act. None of these regulate workplace monitoring, however.

In February 2002, the National Internet Advisory Committee of Singapore released a “Model Data Protection Code for the Private Sector”. The Draft Code is modelled on the principles previously adopted by the EU Data Protection Directive (1995), the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the 1996 Canadian Standards Association Model Code for the Protection of Personal Information. The Model Data Protection Code is voluntary and does not specifically address issues of workplace monitoring.

Type of Data Protected

Personal information.

Workplace Privacy Laws

Employer monitoring of employee phone calls, emails and Internet usage is permissible under Singapore law. Under Singapore property law, workplace email, telephone and computer equipment is the property of the employer. As a result, if an employee loses his job based on communications at work, he has no ground for defence based on an invasion of privacy.

Transborder Transfers

N/A

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

• Spam Control Act of 2007

• Law on Bank Secrecy

• E-Commerce Act

• The Banking Act prohibits disclosure of financial information without the permission of the customer

• There are numerous internal security laws that have implications for privacy.

NEWSFLASH

Following on from a public consultation last year, the Singapore government released its draft Personal Data Protection Bill and a further public consultation paper on 19 March 2012. The Bill is the first of its kind in Singapore and is intended to cover all private sector organisations (but not the public sector), including small businesses. An organisation will be required to obtain an individual’s consent for the collection, use or disclosure of personal data, and the collection must be for reasonable purposes which the organisation discloses.

An individual in each organisation is to be nominated to ensure compliance with the Personal Data Protection Act. Ultimately the organisation remains responsible for complying with the Act.

The Data Protection Commissioner will have the power to direct a non-complying organisation to pay a financial penalty of up to $1M. For the purposes of enforcement, an application may be made to the District Court to register this direction.

The Singapore Government is aiming to introduce the Bill to Parliament by the third quarter of 2012.


REPUBLIC OF KOREA

Overview

On 29 March 2011, South Korea adopted a new comprehensive privacy law (Act on the Protection of Personal Data, Law No. 10465) that applies to businesses and government agencies. Indeed, the Government estimates that the new law will apply data protection requirements to some 3.5 million public and private sector businesses and organisations. The law came into effect on 30 September 2011.

Enacted

29 March 2011.

General Privacy Laws

Article 16 of the Korean Constitution.

Personal Data Protection Laws and Regulations

Act on Promotion of Information and Communications Network Utilization and Information Protection.

Type of Data Protected

Personal information, meaning information concerning a living individual that contains a code, letter, voice, sound and/or image by which that individual can be identified by name and resident registration number (including information which, even if it does not identify the individual by itself, allows identification when combined with other information).

Workplace Privacy Laws

The Act on Promotion of Information and Communications Network Utilization and Information Protection (APICNU) and the Protection of Communications Secret Law of 1993 both govern the monitoring of work emails.

Under the APICNU, Article 48, any person is prohibited from infiltrating information and communications networks without any justifiable access right or beyond the permitted access right.

Unless notice and express consent are obtained from the employees, monitoring of employee emails is likely to be viewed as a violation of Article 48 of APICNU. Even if the computers are owned by the employer, without notice and consent the employer is likely to be deemed to have gone beyond the permitted access right and to be in violation of Article 48.

Article 3 of the Secrecy Act prohibits any person from censoring any mail, wiretapping any telecommunications, providing communication confirmation data, or recording or listening to conversations between others that are not made public. Emails are considered to be “telecommunications” under the Secrecy Act. Monitoring of emails under the Secrecy Act is permitted only if:

1. The sender and receiver consent;

2. Monitoring is protected under the Secrecy Act; or

3. Monitoring is done pursuant to the Criminal Procedure Act or the Military Court Act.

NOTE: The consent of the external party (the sender of an email received by the employee, or the receiver of an email sent by the employee) is not likely to be required, as consent will likely be presumed for work emails, which are usually viewed as emails exchanged on behalf of the employer.

Employers should disclose how the monitoring will be done, the scope of the monitoring, etc.

Transborder Transfers

No legislation specifically requiring the registration of transborder transfers of personal data.

Fines and Sanctions

The Act contains some severe sanctions for privacy breaches:

Article 62 (Penal Provisions)

“... Shall be punished by imprisonment with prison labour for not more than 5 years or by a fine not exceeding KRW 50 million (USD 53,837):

• A person who has used or provided personal information to any third person beyond the scope of the notification or the limit specified in a standardized contract under Article 22 (2) in breach of Article 24 (1);

• A person who has used user personal information for a purpose other than the purpose for which such personal information has been provided or provided said personal information to any other person in breach of Article 24 (2).”

Other Privacy Laws and Regulations

Acts governing the collection, use and disclosure of personal information in the private sector include:

• Protection of Communications Secrets Act (1993) (a.k.a. the “Anti-Wiretap Law”)

• Telecommunications Business Act (1991)

• Medical Service Act (1973)

• Real Name Financial Transactions and Secrecy Act (1997)

• Use and Protection of Credit Information Act (1995)

• Framework Act on Electronic Commerce (1999)

• Digital Signatures Act (1999).


TAIWAN

Overview

Taiwan has complex privacy legislation in place – the Computer-Processed Personal Data Protection Law 1995 (CPPDPA) regulates the “computerised processing of personal data”. On 27 April 2010, the Taiwan Legislature passed an amendment to the CPPDPA titled the Personal Data Protection Act, which applies to all individuals, legal entities and enterprises that collect personal data. It came into effect in 2011.

Enacted

27 April 2010.

General Privacy Laws

Article 12 of the Republic of China Constitution of 1946 states that citizens should have freedom concerning correspondence.

An infringement of the right to privacy may be subject to civil liabilities under the Civil Code. To determine whether monitoring was proper, authorities on the country’s legal system ask whether or not the employees had a reasonable expectation of privacy.

Personal Data Protection Laws and Regulations

Taiwan has had detailed data privacy legislation since 1995; however, this applied only to public sector entities. On 27 April 2010, the Taiwan legislature passed the Personal Data Protection Act, which applies to all individuals, legal entities and enterprises that collect personal data.

The Computer-Processed Personal Data Protection Law of 1995 governs the collection and use of personally identifiable information by government agencies.

Type of Data Protected

Personal information.

Workplace Privacy Laws

Taiwan has no legislation specifically regulating workplace monitoring.

A district court case from 2003 adopted the “reasonable expectation” test for workplace monitoring. Under this test, an organisation can only monitor employee emails if the employees do not have a reasonable expectation of privacy in their work emails. In the opinion of the district court judge, the ability of an employer to monitor its employees’ work emails depended on whether or not the employees had a reasonable expectation of privacy for those emails.

Implied Consent: The court stated that an employer may announce its email monitoring policy to the employees. If the employees do not object to such a policy, the employees should be deemed as having given implied consent. The district court also concluded that there are no other laws and regulations explicitly prohibiting employers from monitoring employees’ work emails.

The Statute Governing the Protection and Monitoring of Communications governs the interception and monitoring of private communications by the police. Certain civil and criminal liabilities, however, apply to all persons. For an employer to be exempt from liabilities under this law, it must obtain the consent of its employees, and its monitoring cannot be for an illegal purpose.

The Criminal Code prohibits individuals from intercepting or monitoring “non-public” speeches or activities of others unless there is a legal justification.

It is not yet clear how the Personal Data Protection Act will impact workplace monitoring. It is also unclear under the new Act how an employer should collect consent if that is required from workers.

Transborder Transfers

No law specifically related to the transborder transfer of personal data.

Fines and Sanctions

The compensation arrangements are contained in Article 28:

A non-government agency which infringes upon the rights and interests of a principal as a result of its violation of this law shall be liable for the damages arising therefrom, provided, however, that these provisions do not apply to the situation where the non-government agency can prove that the damages are not caused by its wilful conduct or negligence.

The total amount of compensation for the damages referred to in the two preceding paragraphs shall not be less than TWD 20,000 (USD 614) but not more than TWD 100,000 (USD 3,068) for each case of damages per person, provided, however, that the above provisions do not apply to the situation where the injured party can prove that the damages sustained by it are more than the aforesaid prescribed amount.

With regard to damages caused to the principal by the same cause and fact, the total amount of compensation shall not be more than TWD 20 million (USD 613,638).

TAIWAN (CONTINUED)

The criminal sanctions are contained in Articles 33 and 34:

Article 33

A person with an intention to seek profits, who violates Articles 7, 8, 18 and 19, Paragraphs 1 and 2, Article 23 or a restriction order issued under Article 24 of this Law and thereby causes damages to others, shall be punished with imprisonment for not more than five years, detention or, in addition thereto, a fine of not more than TWD 1,000,000 (USD 30,000).

Article 34

A person with an intention to acquire illegal interests for his or her own or a third party’s benefit, or to damage others’ interests, who makes illegal output, interference, alteration or deletion of a personal data file, or impedes the accuracy of a personal data file, causing damages to others, shall be punished with imprisonment for not more than five years, detention or a fine of not more than TWD 1,000,000 (USD 30,000).

Under the new Act, penalties for the unlawful disclosure of personal data are increased. Individuals or enterprises who profit from the collection, processing or use of personal data will be fined no more than TWD 1 million (up from the current TWD 40,000) or face a term of imprisonment of up to five years (up from the current two years). Finally, the filing of class action legal proceedings against parties who violate the law is permissible under the new Act.

Other Privacy Laws and Regulations

There are numerous laws that have implications for privacy and data protection. A number of these laws relate to internal security.


THAILAND

Overview

Thailand has limited legislation that is primarily intended to protect the “confidentiality” of financial information.

Enacted

N/A

General Privacy Laws

The 1997 Thai Constitution provides privacy rights. Section 37 allows an individual to “enjoy the liberty of communications by lawful means”. The law applies to the collection and use of personal information by the government.

Personal Data Protection Laws and Regulations

Thailand has no applicable law regarding general data protection.

Type of Data Protected

N/A

Workplace Privacy Laws

No laws relevant to workplace monitoring.

Transborder Transfers

No laws relevant to transborder transfers.

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

Financial Institutions Business Act B.E. 2551, Section 154, makes it illegal to disclose confidential customer financial information.

No laws relevant to data registration.


VIETNAM

Overview

Vietnam has little legislation related to privacy or confidentiality of personal information.

Enacted

N/A

General Privacy Laws

Vietnam’s constitution does not provide a right to privacy.

Personal Data Protection Laws and Regulations

Vietnam has no comprehensive personal data protection laws. On 11 November 2010, it passed the Consumer Protection Law, which became effective on 1 July 2011.

Under the new law, consumers have the right to have their information protected and kept secret when they participate in business transactions or use goods and services. Consumer information can be disclosed only at the request of competent authorities.

If business entities want to collect, use and transfer information about consumers, they must:

• Expressly and publicly inform consumers about the purpose of the collection and use of their information before actually collecting, using and transferring such information;

• Use information about consumers only for the stated purpose;

• Obtain consent from consumers before using their information;

• Ensure the secrecy, accuracy and completeness of consumer information during collection, use and transfer;

• Update and correct information, or have a mechanism allowing consumers to update and correct information, when it is discovered that such information is not accurate; and

• Obtain consumers’ consent before transferring their information to a third party, except in cases where the law provides otherwise.

The new law does not define consent, consumer information or personal information.

Type of Data Protected

“Consumer information” and “personal information” are not defined in the new law.

Personal information from websites: the receipt and use of personal information on e-commerce websites must comply with the following requirements:

There must be a clearly publicised or supplied mechanism on the homepage for customers to access and inquire into the policies on the protection of personal information on such websites.

The receipt and use of each customer’s personal information must be consented to by each customer, unless otherwise provided for by law.

A customer’s consent must be obtained through a separate step so that the customer may opt to accept or refuse (an opt-out mechanism is not sufficient). A definitive consent mechanism must not be established for customers.

Workplace Privacy Laws

Vietnam has no legislation specifically regulating workplace monitoring.

Transborder Transfers

No applicable laws related to transborder transfers of personal data.

Fines and Sanctions

N/A

Other Privacy Laws and Regulations

The Law on the State Bank of Vietnam (1997) mandates that the financial information of transactions with the State Bank is confidential.

Chapter VI of the Law on Credit Institutions mandates that the financial information of transactions with banks is confidential.

Decree 22/2006 on Foreign Banks in Vietnam, Article 26, mandates that the financial information of transactions involving foreign banks is confidential.


McAFEE DATA PROTECTION METHODOLOGY FOR RAPID CUSTOMER SUCCESS.

By Joel Camissar, Practice Head, Data Protection, McAfee Asia Pacific

DATA LOSS PREVENTION – THE KEY CHALLENGES

There are typically two main drivers for any DLP project – compliance and IP protection. All organisations embarking on such a project will have key business drivers from either or both of these areas.

Globally, organisations are subject to a myriad of existing and ever-proliferating regulations (HIPAA/HITECH, PCI-DSS, SOX, GLBA, JSOX, ICO DPA) that require data to be protected to achieve and maintain compliance. Additionally, sensitive data critical to the very existence of an organisation must also be protected. From the “secret sauce” that is the foundation of a business to intellectual property (IP), organisations cannot afford to leave data unprotected.

Once funding for a DLP project reaches the business level, often the core business stakeholders will add their priorities to what IT perceives as a compliance problem and elevate their IP protection needs.

As an example, one large telecommunications company in Asia Pacific commenced a DLP project with PCI compliance in mind. Once it reached the funding stage, the CEO changed the priorities of the project. Instead of compliance being the budgetary driver, the justification became how effective a DLP solution would be in protecting the company’s competitive edge in the market. As a result, compliance was pushed aside in favor of an elevated business need.

This brings us to the question: How can the IT team deal with the conflicting needs of an agenda driving business outcomes in compliance and IP protection?


THE TYPICAL INDUSTRY APPROACH

Phase 1: Consulting (one month)

Most DLP vendors have a similar approach to solving an organisation’s data protection problems. Typically, a consulting exercise is undertaken by interviewing stakeholders to identify core priorities. This process usually uncovers multiple objectives that span IP protection and compliance initiatives. Then, a technical toolset is normally implemented so that policies can be created to address the organisation’s core drivers. To maximise policy success, IT needs to answer the following three questions:

• Where does your data reside?

• What does your data look like?

• Where is your data going?

The challenge with this approach lies in having visibility. In reality, it is nearly impossible for IT to know the answers to these questions, because IT is not the custodian of the data – the business is – and IT rarely has visibility of the organisation’s business processes.

Phase 2: Implementation of a DLP architecture (two months)

Most DLP solutions are software based. Typically, an organisation would commence the process of procuring hardware, software licenses, provisioning and change control to deploy the solution. Multiple teams would be involved, as the architecture touches upon web and email gateways, database architecture (if using a SAN environment), patch management and anti-virus updates. Following the change control processes for the implementation of new servers in the environment and the usual testing processes, most organisations would take anywhere from six to 12 weeks to test the architecture and commission it in production.

Phase 3: Implementation of simple rule set for compliance (three months)

The organisation will start the project in earnest by turning on a selection of rules in an ad hoc way. First, the rule sets that relate to common compliance standards will be activated and may need to be customised.


A typical workflow for a compliance rule validation exercise would comprise:

Timeframe – Task

Weeks 1 to 2 – Activation of simple rules for compliance. Collection of incident data.

Week 3 – Review the sample incident data for false positives and false negatives. Tweak the rule set to increase its effectiveness. Collection of incident data.

Weeks 5 to 11 – Review the sample incident data for false positives and false negatives. Tweak the rule set to increase its effectiveness. Collection of incident data. This process typically goes on for several cycles until the rule has been proven effective.

Week 12 – The rule is turned on and the workflow optimised around incident management.

To complete the above workflow, an organisation would need to allocate 50 percent of a full-time employee resource* to the task, which would require the services of an experienced DLP operator. This process would need to be completed for every new rule that requires validation.

Phase 4: Implementation of a rule set for IP protection (six months)

The challenge becomes even harder for rule creation and validation across the largely unstructured data that comprises an organisation’s IP. These are usually the high payoff use cases for which stakeholders want to see rapid returns. As the business is funding the project, it becomes critical to demonstrate value to the key stakeholders in the form of quick wins.

Organisations typically follow a similar approach to the workflow shown above. However, without comprehensive knowledge of what your data looks like, where it is stored, who has access to it and what uses are legitimate, it becomes nearly impossible to undertake this exercise. As a result, another consulting exercise is often undertaken to delve into these processes by speaking to key individuals.

Finally, this feedback is used to attempt to set rules that look for matching data. For every rule that identifies unstructured data, we recommend you allow two to three months for the rule to be validated before it can be turned on as part of the incident workflow.

Phase 5: Towards a level of effectiveness for compliance and IP protection (six months)

Following the first 12 months of a DLP deployment using traditional toolsets, an organisation would have validated a basic rule set covering regulatory compliance. It may have also implemented some basic rules to address IP protection. By now, the understanding of the data flow within the organisation would be improved, but many gaps in knowledge would still exist. In the second year, a more comprehensive set of policies would need to be established.

During this phase, we find that organisations are still battling with two core problems:

• How do we get visibility over the data flow without a rule in place?

• How do we tune a rule to identify requirements without having to interview multiple stakeholders?

The question is: How does the McAfee approach differ and help organisations overcome these challenges?

*This information was collected from customer conversations and third-party security forums where customers shared their experiences with deploying DLP solutions. Rule tuning was one of the greatest challenges.

THE McAFEE APPROACH TO RAPIDLY SOLVING THE DLP PROBLEM

When it comes to DLP, McAfee breaks new ground. Quite simply, our approach is data-centric in that it delivers actionable insights about your data flow without IT having to engage with stakeholders or spend time on rule refinement. The advantage of a search engine like Google is to help users find contextually correct information rapidly. This is done by applying complex techniques that classify and index billions of pages of content on the web. Yet the real value is Google’s ability to give users rapid visibility over the data they are looking for.

Similarly, the McAfee DLP approach is to classify and index all of the information flow – data at rest, data in motion and data in use – in one unified policy framework. McAfee gives you 100 percent visibility over all of your data flow so you can understand your intellectual property and regulatory exposure and decide on the biggest challenges that should be tackled first. McAfee doesn’t rely on you having to undertake a significant consulting engagement or a lengthy process of rule validation. We create rapid value for an organisation in the same way that Google does – by giving you the data transparency you need.

Here is how the McAfee approach would differ from the typical industry method detailed above:

Phase 1: Consulting (one week)

A McAfee consultant will run a half-day DLP workshop aimed at key business and IT stakeholders. The objective is to achieve alignment among stakeholders’ competing priorities. Deliverables presented back to the business would include those priorities that need to be tackled and the resulting risk reduction. A program of work would then be identified using a workshop format to aid IT in prioritising all activities, including those that have high payoffs.

Phase 2: Implementation of DLP architecture and risk assessment (two weeks)

The McAfee architecture consists of a range of hardened Linux-based appliances with self-contained storage. No integration with third-party storage area network (SAN) infrastructure or database architecture (DBA) expertise is required. No pre-conditioning is needed, other than IP address information. Following the change control processes, the self-contained appliances are typically racked and connected to the infrastructure within the first week.

Once the solution is operational, no policies are set for the first week. McAfee capture technology will classify and index all of the data flowing through the appliances. This provides 100 percent visibility of the entire data flow. This contrasts with the traditional DLP vendors’ approach, which only reports information if a policy has been set. In capturing all of the traffic, we can go back in time to mine further and prepare a risk assessment over typical compliance requirements. This also allows us to investigate potential IP leakage and recommend a program to rapidly mitigate these risks.

McAfee Professional Services will then present the results of the risk assessment to the stakeholders originally identified in Phase 1.

The objective is to align business issues with the risk they carry. The risk assessment gives the organisation complete visibility over the data flow and enables prioritisation of rules to address the high payoff activities first.

Phase 3: Implementation of rule set for compliance (one week)

The McAfee workflow for policy validation is simple and effective. Since all of your data has been captured and indexed, the McAfee toolset enables the validation of preconfigured compliance policies against the offline captured data. Within hours, a policy can be validated and tuned offline against the captured data set. This compares remarkably well against the traditional DLP vendors’ two- to three-month-long process of validating a rule without the benefit of capture.
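The rule validation loop described in the workflow table above (activate, collect incidents, review false positives and false negatives, tweak, repeat) and its offline variant against a captured data set can be exercised as a small script. The following is an added example, not McAfee code or a McAfee product API: it scores a naive card-number (PAN) rule against a constructed, analyst-labelled capture, then a tuned rule that adds a Luhn check and a simplified subset of published issuer prefixes (Visa, MasterCard, American Express), and reports the confusion counts a tuning cycle would review. Every message and number in it is constructed test data.

```python
"""Offline validation of a DLP compliance rule against captured, labelled traffic.

Added example, not McAfee code. The capture below is constructed: it stands in for
indexed traffic that an analyst has already labelled as containing a PAN or not.
"""
import re
from dataclasses import dataclass

# Naive rule: any run of 13-16 digits (optionally space/dash separated) is a PAN.
NAIVE_PAN = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Tuned rule: digit-aware lookarounds instead of \b (so "PAN4111...X" is still
# found), then Luhn and issuer checks applied to each candidate.
TUNED_PAN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_issuer(digits: str) -> bool:
    """Simplified issuer check (example subset): Visa, MasterCard, Amex."""
    if digits[0] == "4" and len(digits) == 16:
        return True
    if digits[:2] in {"51", "52", "53", "54", "55"} and len(digits) == 16:
        return True
    if digits[:2] in {"34", "37"} and len(digits) == 15:
        return True
    return False


def naive_rule(text: str) -> bool:
    return NAIVE_PAN.search(text) is not None


def tuned_rule(text: str) -> bool:
    for m in TUNED_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and plausible_issuer(digits):
            return True
    return False


@dataclass(frozen=True)
class Capture:
    """One captured message plus the analyst's label."""
    text: str
    contains_pan: bool


# Constructed capture set; the card numbers are well-known test values.
CAPTURE = [
    Capture("Order ORD-1234567890123456 shipped to warehouse 7", False),
    Capture("Export finished at 20120319143000, 412 rows", False),
    Capture("Device serial 1234567890123452 replaced under RMA", False),  # Luhn-valid, not a card
    Capture("Customer called re: card 4111 1111 1111 1111 exp 05/14", True),
    Capture("refund to 5500-0000-0000-0004 approved", True),
    Capture("corporate amex 378282246310005 declined", True),
    Capture("legacy export PAN4111111111111111X status=ok", True),  # no word boundary
    Capture("Meeting moved to room 4, bring the Q3 slides", False),
]


def validate(rule, capture):
    """Score a rule against labelled messages; returns the confusion counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for item in capture:
        hit = rule(item.text)
        if hit and item.contains_pan:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif item.contains_pan:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def precision_recall(counts):
    tp, fp, fn = counts["tp"], counts["fp"], counts["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    # One "tuning cycle": compare the rule before and after the tweak.
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        counts = validate(rule, CAPTURE)
        p, r = precision_recall(counts)
        print(f"{name:5s} {counts}  precision={p:.2f} recall={r:.2f}")
```

Running it shows the naive rule producing three false positives and one false negative on this capture, while the tuned rule catches all four labelled PANs with none; a real tuning cycle would re-run the same scoring after each tweak.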

Phase 4: Implementation of a rule set for IP protection (one week)

Using the same policy validation workflow, and with the results of the risk assessment at hand, McAfee establishes the first set of high-payoff rules for identifying and protecting intellectual property.

Phase 5: Towards a level of effectiveness for compliance and IP protection (six weeks to three months)

In the last week of on-site engagement, McAfee delivers a three-day operational course on managing the DLP solution. This involves sharing the methodology: taking a business requirement, using the capture technology to validate the rule set and operationalising the workflow. Customers become truly successful when they can follow the same methodology themselves to refine their use of the DLP solution. By empowering the customer to follow the same approach, McAfee removes the need for costly consulting resources to be deployed on an ongoing basis.

Now, let’s compare the two approaches discussed:

Phase                                                                         McAfee approach            Traditional DLP vendors’ approach
Phase 1: Consulting                                                           1 week                     1 month
Phase 2: Implementation of DLP architecture and risk assessment               2 weeks                    2 months
Phase 3: Implementation of rule set for compliance                            1 week                     3 months
Phase 4: Implementation of a rule set for IP protection                       1 week                     6 months
Phase 5: Towards a level of effectiveness for compliance and IP protection    6 weeks (1 week on site)   6 months
Total                                                                         3 months                   18 months

THE McAFEE APPROACH TO RAPIDLY SOLVING THE DLP PROBLEM

BENEFITS OF THE McAFEE APPROACH

With the wealth of real-world data that McAfee DLP capture technology provides, it is easy for customers to gain real insight into how data flows around the organisation. This helps eliminate threats created by data flows that would otherwise go unknown or unseen.

Here is a range of other use cases that can be achieved with the McAfee approach:

Use case: An employee has just left the organisation and is suspected of leaking information. No policy was set up to capture traffic sent by this employee. How can a forensic query establish what information the employee sent out?
McAfee approach: Using the capture database, run a forensic query to list everything the employee sent out over the last few days. This provides an evidence trail and can be mined further to identify all potential leaks.
Traditional DLP vendor approach: No information is available on this user’s actions unless a rule was configured in advance to monitor all communication from this employee.

Use case: A confidential executive memo has been leaked to the press. How did this occur?
McAfee approach: Using the capture database, run a forensic query to see whether the memo left through any captured network protocol, and identify the source of the leak.
Traditional DLP vendor approach: It is not possible to fulfil this use case unless a rule was configured in advance to classify and monitor all executive communications.

Use case: A business unit wants to learn about its data flows and business processes without conducting a large-scale consulting exercise. How can this be achieved?
McAfee approach: Mine the captured data in the same way you would use a search engine, and present the information back to the business. This way, you can learn about the information flow and use it to make appropriate policy decisions.
Traditional DLP vendor approach: Conduct interviews across key stakeholders, then switch on several rules to identify potential violations. The rule sets will only partially work and present an incomplete picture of what they capture; this approach may identify only a very small percentage of the actual data flow.

Use case: A business unit wants to rapidly turn on a new policy for a newly identified risk without generating significant negative feedback.
McAfee approach: Validate the policy against the captured historical data. Within hours a new policy can be validated and a workflow created to go live.
Traditional DLP vendor approach: Create a policy that best fits the scenario. The policy cannot be validated against real data, so it takes two to three months of trial and error before it can be demonstrated to be effective.
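The capture-first workflow that Phases 2 to 4 describe and that these use cases rely on (everything stored and indexed before any policy exists, rules dry-run against history, forensic questions answered after the fact) is modelled below in Python. This is an added illustration written for this page; it is not McAfee code and does not describe the internals of the McAfee product. The CaptureStore and Policy classes, the Luhn post-filter, the word-shingle fingerprint used to find a memo excerpt, and the five sample captures are all this example's own assumptions, and the captures are constructed data rather than real traffic.

```python
"""Capture-first DLP workflow in plain Python (added illustration, not McAfee code).

Store every message first, dry-run policies against that history before enforcing
them, and answer forensic questions after the fact. All names and sample data are
this example's own assumptions; the captures are constructed, not real traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

WORD = re.compile(r"[a-z0-9]+")


def shingles(text, k=4):
    """Overlapping k-word windows: a fingerprint that survives partial copying."""
    toks = WORD.findall(text.lower())
    return {" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def luhn_ok(digits):
    """Luhn checksum, used to drop 16-digit order numbers from card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Capture:
    ts: datetime
    sender: str
    protocol: str
    dest: str
    body: str


@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    validator: "Callable[[str], bool] | None" = None  # optional post-filter on a hit's digits

    def matches(self, cap):
        return any(self.validator is None or self.validator(re.sub(r"\D", "", m.group()))
                   for m in self.pattern.finditer(cap.body))


class CaptureStore:
    """Keeps every capture, with no policy required up front, indexed by sender."""

    def __init__(self):
        self.records = []
        self.by_sender = defaultdict(list)

    def ingest(self, cap):
        self.by_sender[cap.sender].append(len(self.records))
        self.records.append(cap)

    def forensic_query(self, sender, since):
        """Everything `sender` transmitted on or after `since`, over any protocol."""
        return [self.records[i] for i in self.by_sender[sender] if self.records[i].ts >= since]

    def validate_policy(self, policy):
        """Dry-run a candidate policy over history: (hits, total), for tuning before go-live."""
        hits = [c for c in self.records if policy.matches(c)]
        return hits, len(self.records)

    def find_document(self, text, threshold=0.5):
        """Captures carrying at least `threshold` of the document's shingles; excerpts count."""
        ref = shingles(text)
        scored = [(round(len(ref & shingles(c.body)) / max(len(ref), 1), 2), c) for c in self.records]
        return sorted((s for s in scored if s[0] >= threshold), key=lambda s: s[0], reverse=True)


# Constructed sample data (not real traffic, not a real memo).
MEMO = ("Board has approved the acquisition of Example Pty Ltd. Announcement planned "
        "for the fourteenth; do not circulate outside the executive team.")
SAMPLE = [
    Capture(datetime(2012, 5, 28), "bob", "smtp", "alice@corp.example", "Lunch on Friday?"),
    Capture(datetime(2012, 6, 4), "alice", "smtp", "partner@example.org", "Q3 forecast attached, figures are draft."),
    Capture(datetime(2012, 6, 5), "bob", "smtp", "bob.home@example.net", "Use card 4111 1111 1111 1111 exp 12/25 for the booking."),
    Capture(datetime(2012, 6, 5), "carol", "http", "shop.example.com", "Order 1234 5678 9012 3456 has shipped."),
    Capture(datetime(2012, 6, 6), "bob", "ftp", "ftp.example.net", "FYI from the memo: " + MEMO.split(";")[0]),
]
SINCE = datetime(2012, 6, 1)                   # start of the departed employee's last week
PAN = re.compile(r"\b(?:\d[ -]?){15}\d\b")      # 16 digits with optional separators
LOOSE_PAN = Policy("pan-loose", PAN)            # first draft: regex only
TUNED_PAN = Policy("pan-luhn", PAN, luhn_ok)    # tuned after the offline dry run


def build_store():
    store = CaptureStore()
    for cap in SAMPLE:
        store.ingest(cap)
    return store
```

Running the offline validation shows the tuning step that Phase 3 relies on: over the stored history the first-draft card-number rule matches both the card number and carol's 16-digit order number, while the Luhn-filtered version matches only the card, and that difference is visible in hours without touching live traffic. The memo search uses shingle containment rather than an exact string match, so the FTP upload that quotes only the first half of the memo is still found and scored at 61 percent. The forensic query answers the departed-employee question for bob without any rule having been configured for that user beforehand.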

SOLUTION SERVICES PROPOSED

The McAfee Data Protection business unit is led by a cross-functional team working together to ensure customer success. Joel Camissar is the Practice Lead and is responsible for the McAfee DLP business in Asia Pacific. Manjula Kularathne manages the consulting team, acts as the principal consultant on enterprise DLP implementations and has significant experience in solving complicated business problems with this solution set.

Once McAfee is engaged, a detailed scope of work is prepared to make sure that the organisation’s use cases can be achieved in an efficient timeframe and deliver a successful outcome for the business.

McAfee follows the five-phase approach described above, with a consultant on site for the term of the engagement to achieve the described outcomes. This includes training your staff to follow the McAfee methodology so that you can operationalise and develop the service yourselves after the initial six-week engagement. Should you still want McAfee involvement after that, a further engagement can be scoped on a fixed or time-and-materials basis, or purchased as a block of time.

KEY McAFEE DLP CONSULTANTS

Joel Camissar – Practice Head, Data Protection, Asia Pacific

Joel Camissar manages McAfee’s data protection business – the company’s fastest growing practice – across Asia Pacific. He leads a cross-functional team and works with some of the largest companies in the region to translate business requirements into technical solutions that deliver rapid time to value.

With McAfee since August 2009, Camissar has more than 15 years of experience in the IT industry, covering regional management and senior business development roles for global organisations in the software security market. Prior to McAfee, Camissar established the ArcSight business in Australia as Regional Director, where he was responsible for developing the marketplace and consulting to enterprise organisations in the security information and event management arena. Before this, he held senior roles with Websense, Trend Micro, MIMEsweeper and Gateway.

Camissar holds a Bachelor of Arts in International Relations and Political Science from the Hebrew University of Jerusalem and lives in Sydney with his wife and children.

Manjula Kularathne – Principal Consulting Manager, Asia Pacific

Manjula Kularathne specialises in providing technical leadership, consultancy and project management in security strategy, assessment, processes, implementation and incident response. He has more than 10 years of security architecture experience in network defence, data protection, risk and compliance, and endpoint security. Manjula has personally implemented McAfee Data Protection solutions in the following organisations: MindRay, China; UAES (SAIC), China; Deloitte; Australia Post; OCBC Singapore; South Australia Police; Bank Tabungan Negara Indonesia; Telstra. Manjula is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP). He has a Bachelor of Science with honours from the University of Ireland and a Master of Business Administration from the University of Western Sydney.


ABOUT McAFEE

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by its unrivalled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.

www.mcafee.com

McAfee Asia Pacific | Level 20 | 201 Miller Street | North Sydney | NSW 2060 | Australia, www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc.
