The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Jump directly to Cyber Security >>
Last updated April 2020
The Personal Data Protection Act 2012 ( PDPA) is the data protection law that governs the collection, use, disclosure and handling of personal data in Singapore. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA also provides for the establishment of a national Do Not Call ( DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
Some key subsidiary legislation which operate alongside the PDPA include the Personal Data Protection Regulations 2014, the Personal Data Protection (Do Not Call Registry) Regulations 2013 and the Personal Data Protection (Exemption from section 43) Order 2013.
The Personal Data Protection Commission (PDPC)
The Personal Data Protection Commission
10 Pasir Panjang Road #03-01
Mapletree Business City
Main Line: +65 6377 3131
Fax: +65 6577 3888
Anticipated changes to law
The PDPC has proposed the following changes to the PDPA:
- mandatory data breach notification obligations where organisations must notify affected individuals and the PDPC of data breaches as soon as practical if: (i) the breach poses significant risk of impact to the affected individuals; and (ii) the scale of the breach is significant (i.e. involves 500 or more individuals);
- merger of the DNC provisions under the PDPA and the Spam Control Act into a single legislation to govern all unsolicited commercial messages;
- mandatory obligation for organisations to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format (i.e. data portability obligation);
- provisions which exempt organisations from the obligation to obtain consent for use of personal data when personal data is used for “business improvement” purposes, namely for the purposes of (a) operational efficiency and service improvements; (b) product or service development; or (c) knowing customers better; and
- provisions which exempt organisations from the proposed data portability obligation and the obligations to provide an individual with access to or to correct personal data at the individual’s request in respect of “derived personal data” (i.e. new data that is created through the processing of other data by applying business-specific logic or rules).
- The PDPA applies to personal data which is data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
- The data protection provisions in the PDPA do not apply to:
- any individual acting in a personal or domestic basis;
- any employee acting in the course of his or her employment with an organisation;
- any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data (refer to this list here for specific public agencies); or
- business contact information (this refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes).
- In addition, there are broad exceptions (in the Schedules of the PDPA) to the provisions in the PDPA relating to the collection, use, disclosure of personal data. For example, organisations are allowed to collect data without consent if this is necessary to respond to a life-threatening emergency or if the data is publicly available.
- The PDPA applies to any organisation, whether or not incorporated or having a place of business in Singapore, which carries out activities involving personal data in Singapore.
- In practice, organisations would require a Singapore nexus (e.g. incorporated in or having a presence in Singapore) in order for the PDPA to be enforceable against them.
The PDPC has various powers including the ability to issue an enforcement notice and the discretion to impose fines and imprisonment.
What are the sanctions for non-compliance with data protection laws?
- Fines of up to S$1 million or imprisonment for a term not exceeding 12 months.
- In relation to the enforcement of the DNC Registry Provisions, the PDPC may issue a fine up to an amount not exceeding S$10,000.
Is this a criminal or administrative procedure?
- It is an administrative procedure generally.
Examples of recent sanctions:
- February 2020: A major media outlet was fined S$26,000 for failing to put in place reasonable security arrangements to prevent the unauthorised access of personal data of members of its online forum site. The account of a senior moderator of the forum site was accessed by an unknown hacker who used the senior moderator’s credentials to retrieve personal data of members of the forum site.
- January 2020: A service provider which runs and hosts an email marketing platform was fined S$34,000 for failing to put in place reasonable security arrangements to protect the personal data supplied by its clients. The mass emailing system of the service provider was accessed without authorisation and used to send spam emails to 149,172 email addresses. The service provider was also found to be holding personal data which was no longer necessary for legal or business purposes, by failing to delete email addresses provided by its client once the relevant marketing campaigns were completed.
- January 2019: Singapore's largest healthcare cluster and its data intermediary was fined for a combined total of S$1 million for failing to take adequate security arrangements to protect personal data and allowing a cyber-attacker to exfiltrate the personal data of almost 1.5 million individuals in the patient database system. This is the largest fine imposed by the PDPC so far.
There is no requirement for organisations to register with the PDPC.
Main obligations and processing requirements
Organisations in general are required to comply with the PDPA.
The PDPA sets out 9 main data protection principles which are to be complied with when processing personal data.
Under the PDPA, to collect and process personal data lawfully, organisations have to comply with the following obligations:
- obtain the consent of the individual;
- collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
- notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
- upon request, provide information in which the individual’s personal data has been or may have been used or disclosed and to correct any error or omission in an individual’s personal data;
- make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
- make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
- cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
- ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA; and
- implement policies and procedures to meet its obligations under the PDPA, and make information about its policies and practices publicly available.
Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”. A data intermediary that processes personal data pursuant to a written contract will only be responsible for protecting the personal data in its care and ensuring that the personal data is not retained by the data intermediary when there is no longer a business or legal need to do so.
Data Subject Rights
Under the PDPA, individuals have the following rights:
- ask the organisation to provide the contact of a person who can answer, on behalf of the organisation, their questions about the collection, use or disclosure of the personal data;
- withdraw their consent for the collection, use or disclosure of their personal data by an organisation at any time, with reasonable notice;
- request to access their personal data that an organisation possesses or controls, including to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request;
- request an organisation to correct an error or omission in their personal data; and
- contact the person designated by the organisation with the responsibility for ensuring its compliance with the PDPA to find out more about its data protection practices, and clarify their doubts on whether their personal data has been misused.
Processing by third parties
An organisation has to observe the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself.
Data intermediaries that process personal data on behalf of and for the purposes of another organisation pursuant to a written contract will only be subject to PDPA provisions relating to protection of personal data and retention of personal data.
Transfers out of Country
There is a limitation on transfers of personal data outside Singapore. The transfers of personal data outside of Singapore requires the recipient of the personal data to provide safeguards equivalent to or greater than the requirements under the PDPA. The PDPA does not provide a white-list of countries that are deemed to have equivalent protection.
As such, organisations may transfer personal data overseas if they have taken appropriate steps to comply with the data protection provisions in respect of the transferred personal data while such personal data remains in their possession or control. When the personal data is transferred to a recipient outside of Singapore, organisations need to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such legally enforceable obligations include obligations imposed under law, any contract or binding corporate rules.
Data Protection Officer
Organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.
The business contact information (BCI) of the DPO must be made available to the public. Although not a legal requirement, in practice, the PDPC does request for the information of the DPO to be registered with it.
Organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
There is currently no obligation under the PDPA to notify the PDPC of a personal data breach. However, the PDPC has released guidance (Guide to Managing Data Breaches 2.0) suggesting that where there are serious security breaches, the PDPC should be informed, especially when a large number of people are affected. In addition, according to the PDPC’s Advisory Guidelines on Enforcement of Data Protection Provisions, the fact that an organisation voluntarily discloses a data breach to the PDPC as soon as it learned of the breach, and co-operates with the PDPC in its investigations may be a mitigating factor when PDPC calculates a financial penalty.
The suggested amendments to the PDPA will likely make notification to the PDPC in the event of a data breach mandatory, especially if the scale of data breach is significant (affects the data of 500 people or more).
Sector specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification.
The DNC provisions of the PDPA generally prohibit organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry unless the consumer has provided their clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.
The organisation may still send a text or fax message (but not voice call) on related products, services and memberships (including information on opting out of such messages) to individuals with whom it has an ongoing relationship, containing clear identification and accurate information identifying the organisation as well as contact details within the message.
Upon receiving an individual’s opt-out request, the organisation must stop sending such messages to that individual's telephone number 30 days after the opt-out.
Under the Spam Control Act, organisations are prohibited to send, cause to be sent or authorise to send: (i) any electronic message to electronic addresses generated or obtained through the use of a dictionary attack or address harvesting software; or (ii) any unsolicited commercial electronic messages in bulk if they do not comply with the statutory conditions (e.g. the message needs to include an electronic mail address to which the recipient may submit an unsubscribe request).
The PDPA applies to the collection, use or disclosure of personal data using cookies.
However, consent is not required for cookies that:
- do not collect personal data; and
- for internet activities clearly requested by the user where the individual is aware of the purposes of such collection, use and disclosure and has voluntarily provided his personal data for such purposes.
If the individual configures his browser to accept certain cookies but rejects other, he may be found to have consented to the collection, use and disclosure of his personal data by the cookies he has chosen to accept. In such a circumstance, the PDPC has confirmed that consent can be implied. However, the failure of an individual to actively manage his browser settings does not imply that he has consented to the collection, use and disclosure of his personal data.
Please see links above.
Last updated April 2020
Laws and Regulations
- Cybersecurity Act 2018 and related regulations and code of practice, namely:
- Cybersecurity (Critical Information Infrastructure) Regulations 2018
- Cybersecurity (Confidential Treatment of Information) Regulations 2018
- Cybersecurity Code of Practice for Critical Information Infrastructure
- Computer Misuse Act (CMA)
- Sector-specific rules, such as guidelines and notices issued by the Monetary Authority of Singapore for the financial sector (MAS rules)
Anticipated Changes to Law
Cybersecurity Act 2018: Provisions relating to the licensing of cybersecurity service providers are not yet in effect. The Cyber Security Agency of Singapore has stated that the implementation of the licensing framework will be communicated at a later date.
- Cybersecurity Act 2018: The Cybersecurity Act 2018 requires and authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents; regulates owners of critical information infrastructures (CIIs); establishes the framework for the sharing of cybersecurity information; and regulates cybersecurity service providers. It also provides the regulator with the power to investigate cybersecurity threats or incidents in order to determine their impact, prevent further harm and future incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore; not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.
- CMA: The CMA makes provision for securing computer material against unauthorised access or modification, and to require or authorise the taking of measures to ensure cybersecurity. In particular, the CMA criminalises cybercrime such as e-commerce scams and hacking, and also makes it illegal for: (a) any person to provide or receive personal information which he suspects was obtained through unauthorised means; and (b) any person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programs, passwords or access codes).
- MAS Rules: The MAS Rules, amongst other things, require regulated entities to: (a) conduct system and penetration testing; (b) continuously monitor and detect network and other types of cyber intrusions; and (c) require the board and senior management of the regulated entities to effectively implement that entity’s cyber resilience programme.
The Cyber Security Agency of Singapore (CSA), which is the national agency overseeing cybersecurity strategy, operations, education, outreach and ecosystem development in Singapore – please see more here.
Cyber Security Agency of Singapore
5 Maxwell Road
#03-00 Tower Block, MND Complex
Contact email: [email protected]
Cybersecurity Act 2018
- Owners of critical information infrastructures must: (a) comply with codes and directions; (b) conduct audits and risk assessments; (c) report cybersecurity incidents; and (d) participate in cybersecurity exercises; and
- Certain cybersecurity service providers will need to be licensed.
- The following activities are prohibited: (a) unauthorised access or modification of computer material; (b) unauthorised use or intercept of computer services; (c) obstructing the use of computers; (d) unauthorised disclosure of computer access codes; (e) providing, receiving or supplying personal information which the person knows or suspects was obtained through unauthorised means; and (f) dealing with items designed for, adapted to and used to commit computer crimes.
- Establish methodologies for system testing, conduct penetration testing and source code review, and enable recovery measures and user access controls;
- Board and senior management of regulated entities are obliged to: (a) ensure appropriate accountability structure and organisational risk culture is in place, and (b) be trained in technology risk and cybersecurity;
- Notify the MAS of breaches of security and confidentiality of financial institutions’ customer information (MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing); and
- Implement cybersecurity measures to protect IT systems, and prevent and mitigate against cyberattacks (MAS Notices on Cyber Hygiene).
Cybersecurity Act 2018
- Varies depending on the specific offence, although in general a criminal fine not exceeding S$100,000 or imprisonment for a term not exceeding 2 to 10 years or both.
- A criminal fine not exceeding S$50,000 or imprisonment for a term not exceeding 10 years or both; and
- In respect of protected computers, a criminal fine not exceeding S$100,000 or imprisonment for a term not exceeding 20 years or both.
- Varies depending on the type of regulatory instrument that sets out the specific rules (e.g. directives, guidelines, notices or circulars). For example, the contravention of guidelines is not a criminal offence and does not attract civil penalties but may have an impact on the regulator's overall risk assessment of that entity and renewal of licences issued by the regulator. Circulars, on the other hand, are documents sent for the relevant entities’ information have no legal effect. Notices primarily impose legally binding requirements on a specified class of financial institutions or persons.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes, the Singapore Computer Emergency Response Team (SingCERT) responds to cybersecurity incidents for its Singapore constituents. It was set up to facilitate the detection, resolution and prevention of cybersecurity related incidents on the Internet.
Is there a national incident management structure for responding to cybersecurity incidents?
According to Singapore’s Cybersecurity Strategy, the National Cyber Security Centre (part of the CSA), will coordinate with sector regulators to provide a national level response and facilitate quick alerts to cross-sector threats.
Other cybersecurity initiatives
Singapore’s Cybersecurity Strategy sets out Singapore’s vision, goals and priorities for cybersecurity. It engenders coordinated action and facilitates international partnerships for a resilient and trusted cyber environment - see more here.
Please see links above.