Coming Soon to Singapore: Mandatory Data Breach Notifications
Wednesday, March 27, 2019
Singapore personal data protection, data breach notification
Print Mail Download i

Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.

Enacted in 2012, the PDPA governs the “collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” Singapore’s public sector is governed by the Public Sector Governance Act (PSGA), not the PDPA, the PDPC states that the data protection standards in the two regulations are closely aligned. The PSGA was enacted in 2018 to establish accountability and consistency of governance of public entities in Singapore.

Several public and private entities in Singapore have been affected by high-profile data breaches in the past year, including Singapore Health Services (SingHealth), Integrated Health Information Systems (IHIS), Singapore’s Health Sciences Authority, Bud Cosmetics, and AIA Singapore. Financial penalties stemming from cyber breaches in Singapore have varied depending on the severity of the breach and number of data subjects affected. In January 2019, the PDPC fined SingHealth and IHIS $250,000 and $750,000 respectively for what the PDPC called the “worst breach of personal data in Singapore’s history.” That breach resulted in the disclosure of personal data for 1.5 million patients and of outpatient prescription records of approximately 160,000 patients.

The mandatory breach notification and other proposed amendments to the PDPA are expected to be made available to the public in early 2020.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins