Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.
Enacted in 2012, the PDPA governs the “collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” Singapore’s public sector is governed by the Public Sector Governance Act (PSGA), not the PDPA, the PDPC states that the data protection standards in the two regulations are closely aligned. The PSGA was enacted in 2018 to establish accountability and consistency of governance of public entities in Singapore.
Several public and private entities in Singapore have been affected by high-profile data breaches in the past year, including Singapore Health Services (SingHealth), Integrated Health Information Systems (IHIS), Singapore’s Health Sciences Authority, Bud Cosmetics, and AIA Singapore. Financial penalties stemming from cyber breaches in Singapore have varied depending on the severity of the breach and number of data subjects affected. In January 2019, the PDPC fined SingHealth and IHIS $250,000 and $750,000 respectively for what the PDPC called the “worst breach of personal data in Singapore’s history.” That breach resulted in the disclosure of personal data for 1.5 million patients and of outpatient prescription records of approximately 160,000 patients.
The mandatory breach notification and other proposed amendments to the PDPA are expected to be made available to the public in early 2020.