Genie Sugene Gan, Head of Public Affairs, APAC
The Personal Data Protection Act (PDPA), which was to govern the collection, use and disclosure of personal data, was introduced in the Little Red Dot in October 2012. Prior to that, Singapore had no overarching law that comprehensively governed the protection of personal data.
Equally recognizing (1) the right of individuals to protect their personal data; and (2) the need for organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances as defined, the PDPA was implemented in three phases:
Since then, this almost decade-old legislation has gained much traction as it has been enforced widely in innumerable instances. A list of the PDPC’s enforcement decisions to date can be found on its website and accessed by anyone. As of 2019, about 100 grounds for decisions against more than that number of organizations have been issued by the PDPC. These cases stem mostly from violations involving disclosure of personal data, poor technical or physical security arrangements, errors in mass emails or postal communications, or insufficient data protection policies. One of the highest-profile cases is an unprecedented personal data breach arising from a healthcare organization’s patient database system, which attracted collective financial penalties amounting to a seven-figure SGD sum.
Latest Development in 2020
In a public consultation on the latest proposed set of amendments to the PDPA in May 2020, it was sufficiently clear that the Singapore government’s objectives include enhancing accountability in personal data protection through a risk-based approach – thereby promoting greater consumer confidence in the use, management and protection of personal data.
As with all things in this imperfect world, there are particular aspects of the proposals that could benefit from further refinement, including:
○ The proposals highlight that a ‘data breach refers to any unauthorized access, collection, use, disclosure, copying, modification, disposal of personal data, or loss of any storage medium or device on which personal data is stored’.
○ There appears to be a lack of attention in the definition to data ‘in transit’ and data ‘in use’ – widely accepted notions in the industry alongside data ‘at rest’ (meaning data being stored). This creates a risk of legal loopholes when a data breach occurs while the data is being transmitted or actively used or processed.
○ It is therefore recommended that the definition be slightly amended as follows: ‘data breach refers to any unauthorized access, collection, use, disclosure, copying, modification, disposal of personal data, or loss of any storage medium or device on which personal data is stored, used and transmitted’.
○ The proposal to introduce portability presents an important milestone in the personal data protection legal framework, and empowers individuals to have greater control over their personal data in a data-driven economy. Free portability of personal data from one organization to another can be a strong mechanism in fostering digital services and interoperability of platforms. However, the security and privacy risks correspondingly increase when systems are more interconnected given the potentially voluminous data being processed.
○ The liability of organizations in the case of data portability should also be clarified. If an organization provides personal data directly to an individual or another organization in response to a data portability request, there has to be clarity as to who is responsible for further processing of that data. For comparison, the Global Data Protection Regulation has faced criticism for not specifying any obligation, under the right to data portability, to check and verify the quality of the data which an organization transmits, though there is an obligation to ensure the accuracy of the data.
Kaspersky congratulates Singapore on yet another milestone in its journey in building a robust data protection framework in the country and has engaged with the regulators on our support of the Bill and our suggestions for further refinement of the proposed amendments. We look forward to seeing the final Bill passed in the Parliament of Singapore in due course.
Defined by natural persons, whether living or not
Includes legally incorporated commercial entities and unincorporated bodies, including those formed or resident outside Singapore
The existing exception in the PDPA for these organizations creates loopholes and may pose significant risks to individuals and affect their confidence in the data management and protection processes authorized by public agencies, particularly out of fear of abuse.