Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.
Enacted in 2012, the PDPA governs the “collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” Although Singapore’s public sector is governed by the Public Sector Governance Act (PSGA), not the PDPA, the PDPC states that the data protection standards in the two regulations are closely aligned. The PSGA was enacted in 2018 to establish accountability and consistency of governance of public entities in Singapore.
Several public and private entities in Singapore have been affected by high-profile data breaches in the past year, including Singapore Health Services (SingHealth), Integrated Health Information Systems (IHIS), Singapore’s Health Sciences Authority, Bud Cosmetics, and AIA Singapore. Financial penalties stemming from cyber breaches in Singapore have varied depending on the severity of the breach and number of data subjects affected. In January 2019, the PDPC fined SingHealth and IHIS $250,000 and $750,000 respectively for what the PDPC called the “worst breach of personal data in Singapore’s history.” That breach resulted in the disclosure of personal data for 1.5 million patients and of outpatient prescription records of approximately 160,000 patients.
The mandatory breach notification and other proposed amendments to the PDPA are expected to be made available to the public in early 2020.