Jurisdiction snapshot
Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
Singapore’s data protection laws are consistent with international standards, as they are modelled on the data protection regimes of key jurisdictions, including the European Union, the United Kingdom, Canada, Hong Kong, Australia and New Zealand. In addition, the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the Asia-Pacific Economic Cooperation Privacy Framework are referenced.
Are any changes to existing data protection legislation proposed or expected in the near future?
Singapore’s data protection legislation was enacted only in 2012. As such, changes in the near future are unlikely.
Legal framework
Legislation
What legislation governs the collection, storage and use of personal data?
The Personal Data Protection Act 2012.
Scope and jurisdiction
Who falls within the scope of the legislation?
Sections 3 and 4(3) of the Personal Data Protection Act provide that private organisations and their data intermediaries fall within its scope. The act has extraterritorial jurisdiction, as organisations include those that have been formed under Singapore law or otherwise.
A data intermediary is an organisation that processes personal data on behalf of another organisation but excludes its employees.
An example of a data intermediary is an events management company that receives personal data from its client. The company processes personal data when it provides event RSVP and registration services, such as recording and organising the personal data of attendees on behalf of the client.
What kind of data falls within the scope of the legislation?
Only personal data falls within the scope of the legislation.
Section 2 of the Personal Data Protection Act defines ‘personal data’ as data, whether true or not, about an individual who can be identified from the data or other information to which the organisation has or is likely to have access.
Examples of personal data include an individual’s name, national registration identity card, passport number, photograph or video image, mobile telephone number, personal email address and thumbprint.
Business contact information is not covered under the Personal Data Protection Act. Such information includes contact information for business purposes, such as an individual’s name, designation, business telephone number, address, email address and fax number.
Are data owners required to register with the relevant authority before processing data?
There is no requirement for registration.
Is information regarding registered data owners publicly available?
As there is no requirement for registration, there is no information about registered data owners.
Is there a requirement to appoint a data protection officer?
Yes, Section 11(3) of the Personal Data Protection Act requires organisations to designate one or more individuals as data protection officers.
Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?
The Personal Data Protection Commission (PDPC) is responsible for enforcing data protection legislation.
Section 29(2) of the Personal Data Protection Act empowers the PDPC to:
- stop the collection, use or disclosure of personal data in contravention of the act;
- destroy personal data collected in contravention of the act;
- require compliance with any direction under Section 28(2) of the act; and
- impose a financial penalty not exceeding S$1 million, as the commission sees fit.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Section 13 of the Personal Data Protection Act provides that an organisation may collect, use or disclose an individual’s personal data only with an individual’s express or deemed consent.
Section 20 of the Personal Data Protection Act requires organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed on or before collecting such data.
Section 18 of the Personal Data Protection Act provides that an organisation’s collection, use or disclosure of personal data is limited to purposes:
- that a reasonable person would consider appropriate in the circumstances; and
- for which notification has been made to the individual concerned.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Yes, Section 25 of the Personal Data Protection Act provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:
- the purpose for which that data was collected is no longer being served; and
- retention is no longer necessary for legal or business purposes.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes, individuals have a qualified right to access personal information under Section 21(1) of the Personal Data Protection Act. Access to personal data is limited to:
- personal data that is within the possession and control of the organisation; and
- any information about the ways in which such data has been used one year before the request.
Exceptions to the access obligation under Section 21(3) and the Fifth Schedule of the Personal Data Protection Act exist.
Do individuals have a right to request deletion of their data?
Individuals can request deletion of their data if necessary to correct an error or omission in personal data held by or under the control of an organisation (Section 22(1) of the Personal Data Protection Act).
Otherwise, individuals may withdraw their consent to the collection, use and disclosure of their personal data under Section 16 of the act. Under such circumstances, organisations must cease collecting, using or disclosing the personal data but they are not required to delete it.
Consent obligations
Is consent required before processing personal data?
Yes, consent is required under Section 13 of the Personal Data Protection Act.
If consent is not provided, are there other circumstances in which data processing is permitted?
The Second through Fourth Schedules of the Personal Data Protection Act provide for circumstances in which personal data may be collected, used or disclosed.
What information must be provided to individuals when personal data is collected?
Section 20 of the Personal Data Protection Act provides that an organisation must inform the individual of:
- the purposes for which the personal data is being collected, used or disclosed, when or before it is collected;
- any other purpose for which the data is being used or disclosed of which an individual has not been informed under Section 20(1)(a), before the use or disclosure of the data for that purpose; and
- on request by the individual, the business contact information of a person who can answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data.
Data security and breach notification
Security obligations
Are there specific security obligations that must be complied with?
Yes, Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Breach notification
Are data owners/processors required to notify individuals in the event of a breach?
Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach. However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.
The PDPC also considers the following as mitigating factors in the event of a breach:
- whether the organisation informed individuals of the steps they could take to mitigate risk caused by a data breach; and
- whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC’s investigation.
Organisations may also be bound by contractual obligations to notify affected individuals.
Are data owners/processors required to notify the regulator in the event of a breach?
No general requirement exists for organisations to notify the regulator in the event of a breach. However, there are industry-specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.
Electronic marketing and internet use
Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes, the Spam Control Act 2008 regulates unsolicited electronic marketing. In addition, Section 39 of the Personal Data Protection Act provides for the Do Not Call Registry. This allows consumers to opt out of marketing messages addressed to Singapore telephone numbers.
Cookies
Are there rules governing the use of cookies?
Not in general, as not all cookies collect personal data. The PDPC is sufficiently clear on the Personal Data Protection Act’s treatment of cookies that collect personal data. If the use of cookies that collect personal data is indispensable (eg, cookies that help to remember a shopper’s financial details to facilitate an online purchase), consent may be deemed to have been voluntarily given by users. If cookies are created to store personal data without the user’s knowledge or consent for behavioural targeting or profiling purposes, valid and unequivocal consent from the user must be obtained (see pages 28-29 at www.pdpc.gov.sg/docs/default-source/public-consultation/advisory_guidelines_on_selected_topics.pdf?sfvrsn=2).
Although no specific local regulations govern the use of cookies per se, an organisation may be subject to EU laws on cookies. In the European Union, the EU ePrivacy Directive (2002/58/EC) – more specifically, Article 5(3) – requires prior informed consent to store or access information stored on a user's terminal equipment. The location of the user’s computer in which the cookie is placed, and not the location of the host or owner of the website, may ultimately decide whether EU cookie laws apply (see http://idpl.oxfordjournals.org/content/1/1/28.full#fn-1).
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Section 26(1) of the Personal Data Protection Act provides that an organisation may not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Personal Data Protection Act, to ensure that the recipient organisation is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the Personal Data Protection Act.
In other words, if the recipient organisation is not already bound by comparable data privacy laws in its jurisdiction, the transferring organisation may impose these obligations contractually, via binding corporate rules or any other legally binding instrument.
Are there restrictions on the geographic transfer of data?
No.
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Section 26(1) of the Personal Data Protection Act provides that if the third party is in another jurisdiction, it must be able to provide a standard of protection that is comparable to the protection under the Personal Data Protection Act. However, a third party that is a data intermediary which processes personal data on behalf of an organisation is bound only by the obligations set out under Section 24 (protection of personal data) and Section 25 (retention of personal data) of the Personal Data Protection Act.
Penalties and compensation
Penalties
What are the potential penalties for non-compliance with data protection provisions?
Section 56 of the Personal Data Protection Act provides that any person guilty of an offence under the Personal Data Protection Act (for which no penalty is expressly provided) will be subject to a general penalty of a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both. If the offence has been committed more than once, a further fine not exceeding S$1,000 per day will be imposed.
According to Section 51, with respect to access or correction requests under Sections 21 or 22 of the Personal Data Protection Act, it is an offence for organisations or persons to:
- evade a request by disposing, altering, falsifying, concealing or destroying a record containing personal data – maximum fine of S$5,000 (for an individual) or S$50,000 (for an organisation);
- obstruct or impede the commission in the exercise of its power or performance of its duties – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation); or
- knowingly or recklessly mislead the commission – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation).
Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
An organisation is liable for civil action if it breaches its obligations under Parts IV (Consent, Notification and Purpose Obligations), V (Access and Correction Obligations) and VI (Accuracy, Protection, Retention and Transfer Obligations) of the Personal Data Protection Act.
If a person suffers loss or damage directly as a result of a contravention of any of the nine obligations by an organisation, he or she can sue the organisation for damages or seek an injunction (to stop the collection, use or disclosure of his or her personal data) in a civil action. Under Section 32(3), the court is also empowered to grant other relief as it sees fit.
Cybersecurity
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Yes, Singapore has the Computer Misuse and Cybersecurity Act 2007.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
A new Cybersecurity Act will be tabled in Parliament in 2017 (www.channelnewsasia.com/news/singapore/new-cybersecurity-act-to/2685052.html). This is in line with the Singapore Infocomm Development Authority’s National Cybersecurity Masterplan 2018, which seeks to develop Singapore into a trusted and robust infocomm hub.
Which cyber activities are criminalised in your jurisdiction?
The following list details criminalised cyber activities under the Computer Misuse and Cybersecurity Act:
- unauthorised access to computer material;
- access with intent to commit or facilitate the commission of an offence;
- unauthorised modification of computer material;
- unauthorised use or interception of computer material;
- unauthorised obstruction of use of a computer; and
- unauthorised disclosure of an access code.
Which authorities are responsible for enforcing cybersecurity rules?
The Ministry of Home Affairs is responsible for, and may direct entities to take pre-emptive measures to, prevent cybersecurity threats under Section 15A of the Computer Misuse and Cybersecurity Act.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes, companies may obtain insurance for cybersecurity breaches. Recently there has been a strong demand for cyber insurance from finance and technology companies. For example, AIG Singapore launched an insurance product for small and medium-sized enterprises in March 2016 to get these enterprises started on cyber protection (see www.straitstimes.com/business/banking/demand-for-cyber-insurance-in-singapore-to-grow-by-50-in-2016-aig).
Are companies required to keep records of cybercrime threats, attacks and breaches?
No such requirement exists.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
No general requirement exists for organisations to notify the regulator in the event of a breach. However, there are industry-specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No such requirement exists.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Individuals are liable to imprisonment, fines or both. It may also be useful to note that offences under the Penal Code that relate to elements of dishonesty, fraud or cheating may be involved in computer misuse and cybercrime cases. In such cases, perpetrators may be exposed to criminal penalties under the Penal Code.