July 4, 2020

Volume X, Number 186

Coming Soon to Singapore: Mandatory Data Breach Notifications

Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.

Enacted in 2012, the PDPA governs the “collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” Although Singapore’s public sector is governed by the Public Sector Governance Act (PSGA), not the PDPA, the PDPC states that the data protection standards in the two regulations are closely aligned. The PSGA was enacted in 2018 to establish accountability and consistency of governance of public entities in Singapore.

Several public and private entities in Singapore have been affected by high-profile data breaches in the past year, including Singapore Health Services (SingHealth), Integrated Health Information Systems (IHIS), Singapore’s Health Sciences Authority, Bud Cosmetics, and AIA Singapore. Financial penalties stemming from cyber breaches in Singapore have varied depending on the severity of the breach and number of data subjects affected. In January 2019, the PDPC fined SingHealth and IHIS $250,000 and $750,000 respectively for what the PDPC called the “worst breach of personal data in Singapore’s history.” That breach resulted in the disclosure of personal data for 1.5 million patients and of outpatient prescription records of approximately 160,000 patients.

The mandatory breach notification and other proposed amendments to the PDPA are expected to be made available to the public in early 2020.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

National Law Review, Volume IX, Number 86


About this Author

Yodi Hailemariam, Drinker Biddle Law Firm, Washington DC, Cybersecurity Law Attorney

Yodi S. Hailemariam focuses her practice on U.S. and cross-border information governance, data privacy, cybersecurity, electronic discovery, legal analytics and the Internet of Things. Yodi has experience in a wide range of industries, including health care, pharmaceuticals and life sciences, intellectual property, insurance and financial services.

A frequent author, speaker and panelist on “all things data,” Yodi advises companies regarding electronic discovery in complex civil litigations, white collar defense, and corporate...