Singapore Data Protection and Cyber Security Regulations and Compliance Solutions
Personal Data Protection Act (PDPA) 2012
The Personal Data Protection Act (PDPA) 2012 governs ‘the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances’.
Every organisation that collects, uses or discloses personal data in Singapore – unless explicitly excluded by the Act – is required to comply with the PDPA. (The PDPA only concerns individuals’ data; data relating to corporate bodies is not covered.)
- Personal data is defined as ‘data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access’. (The PDPA does not apply to business contact information.)
- An individual is defined as ‘a natural person, whether living or deceased’ – as opposed to a juridical person. (The PDPA does not apply to the data of individuals who have been deceased for over ten years.)
- An organisation is defined as ‘any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business, in Singapore’.
- The terms ‘collection’, ‘use’ and ‘disclosure’ are not defined.
Data Protection Provisions
Parts III to VI of the PDPA set out Data Protection Provisions, which cover nine main obligations for organisations that collect, use or disclose personal data:
- The Consent Obligation (Sections 13 to 17): Organisations must obtain individuals’ consent before collecting, using or disclosing their personal data.
- The Purpose Limitation Obligation (Section 18): Organisations may only collect, use or disclose individuals’ personal data for purposes that a reasonable person would deem appropriate, and must notify the individuals concerned when appropriate.
- The Notification Obligation (Section 20): Organisations must notify individuals of the purpose for which they intend to collect, use or disclose their personal data.
- The Access and Correction Obligation (Sections 21 and 22): Organisations must, when requested, provide individuals whose personal information they possess, or which is under their control, with that information and inform them of how that information has been used in the last year. Errors and omissions in that personal information must be corrected.
- The Accuracy Obligation (Section 23): Organisations must make a reasonable effort to ensure that the personal information they collect, or which is collected on their behalf, is accurate and complete if it is likely to be used by the organisation to make a decision that affects the individual concerned, or is likely to be disclosed to another organisation.
- The Protection Obligation (Section 24): Organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- The Retention Limitation Obligation (Section 25): Organisations must cease to retain or must anonymize documents containing personal information, as soon as it is reasonable to assume that the purpose for which the personal information was collected is no longer being served by its retention and that its retention is no longer necessary for legal or business purposes.
- The Transfer Limitation Obligation (Section 26): Organisations must not transfer personal information outside Singapore except in accordance with certain requirements.
- The Openness Obligation (Sections 11 and 12): Organisations must develop and implement policies and practices to comply with the PDPA and make information about those policies and practices publicly available. They must also develop processes to receive and respond to complaints relating to their application of the PDPA.
The PDPC and the DNC Registry
As well as setting out Data Protection Provisions, the Act established the Personal Data Protection Commission (PDPC) to administer and enforce the Act, and the Do Not Call (DNC) Registry to limit unsolicited marketing messaging. (The DNC Registry does not cover spam emails, which are covered by the Spam Control Act.)
The Act’s implementation was phased to allow organisations time to comply: provisions relating to the Personal Data Protection Commission have been effective since 2 January 2013, those relating to the Do Not Call Registry have been effective since 2 January 2014, and the Data Protection Rules have been effective since 2 July 2014.
Offences and penalties
- Making a request under Sections 21 or 22 (see The Access and Correction Obligation above) to obtain access to, or change the personal data relating to, another individual without the authority of that individual is an offence punishable by a fine of up to $5,000 and/or up to a year’s imprisonment.
- Disposal, alteration, falsification, concealment or destruction of a record containing personal data by an organisation or person in order to evade a request under Sections 21 or 22 (see The Access and Correction Obligation above) is an offence punishable by a fine of up to $5,000 in the case of an individual and up to $50,000 in any other case.
- The obstruction, impediment or misleading of the PDPC or an authorised officer in the exercise of their powers or performance of duties under the Act is an offence punishable by a fine of up to $10,000 and/or up to a year’s imprisonment in the case of an individual and a fine of up to $100,000 in any other case.
- Other offences under the Act are punishable by up to three years’ imprisonment and/or a fine of up to $10,000 and, in the case of a continuing offence, to a further fine of up to $1,000 for every day the offence continues after conviction.
National Cyber Security Masterplan 2018
Singapore’s five-year National Cyber Security Masterplan 2018 (NCSM2018) was launched by the Minister for Communications and Information, Yaacob Ibrahim, in 2013, and succeeds the two Infocomm Security Masterplans implemented from 2005 to 2012. According to Dr Yaacob, NCSM2018 ‘aims to develop Singapore as a trusted and robust infocomm hub by 2018’.
It focuses on three key areas:
- Enhancing the security and resilience of critical infocomm infrastructure (CII). A CII Protection Assessment Programme will strengthen Singaporean CII against complex cyber threats, national cyber security exercises for critical industry sectors will continue and, for the public sector, the detection and analytical capabilities of the existing Cyber Watch Centre and Threat Assessment Centre will be increased.
- Increasing efforts to promote the adoption of appropriate infocomm security measures among individuals and businesses. The Infocomm Development Authority of Singapore (IDA) will continue its educational programmes to reinforce cyber security awareness. Collaborations with industry and trade associations will also take place to promote cyber security and share cyber threat information.
- Growing Singapore’s pool of infocomm experts. As of 2011, there were only 1,500 IT security specialists in Singapore, representing just one percent of the total infocomm industry manpower. In response to this skills shortage and the expected growth in demand for cyber security expertise, the IDA will work with Singapore’s Institutes of Higher Learning to incorporate infocomm security courses and degree programmes into the curriculum. The IDA will also work with industry partners to attract and retain skilled professionals in Singapore.
Computer Misuse and Cybersecurity Act 1993 (Amended 2013)
The Computer Misuse and Cybersecurity Act (Chapter 50A) was originally enacted as the Computer Misuse Act in 1993. It has been revised several times since then, most recently by the Computer Misuse (Amendment) Act of 2013.
The Act exists ‘to make provision for securing computer material against unauthorised access or modification, to require or authorise the taking of measures to ensure cybersecurity, and for matters related thereto.’
The Act applies outside as well as within Singapore to persons of any nationality if they or the affected computer, program or data were in Singapore at the time of the offence.
Offences and penalties
Under the Act:
- Unauthorised access to computer material is an offence punishable by up to two years’ imprisonment and/or a fine of up to $5,000. Repeat offences are punishable by up to three years’ imprisonment and/or a fine of up to $10,000. Offences that cause damage are punishable by up to seven years’ imprisonment and/or a fine of up to £50,000.
- Access with intent to commit an offence is an offence punishable by up to ten years’ imprisonment and/or a fine of up to $50,000.
- Unauthorised modification of computer material is an offence punishable by up to three years’ imprisonment and/or a fine of up to $10,000. Repeat offences are punishable by up to five years’ imprisonment and/or a fine of up to $20,000. Offences that cause damage are punishable by up to seven years’ imprisonment and/or a fine of up to £50,000.
- Unauthorised use or interception of computer service is an offence punishable by up to three years’ imprisonment and/or a fine of up to $10,000. Repeat offences are punishable by up to five years’ imprisonment and/or a fine of up to $20,000. Offences that cause damage are punishable by up to seven years’ imprisonment and/or a fine of up to $50,000.
- Unauthorised obstruction of the use of computers is an offence punishable by up to three years’ imprisonment and/or a fine of up to $10,000. Repeat offences are punishable by up to five years’ imprisonment and/or a fine or up to $20,000. Offences that cause damage are punishable by up to seven years’ imprisonment and/or a fine of up to $50,000.
- The unauthorised disclosure of access codes is an offence punishable by up to three years’ imprisonment and/or a fine of up to $10,000. Repeat offences are punishable by up to five years’ imprisonment and/or a fine of up to $20,000.
All fines are in Singapore dollars (SGD).
Cyber security measures and requirements
Under the Act, the Minister of Home Affairs may, by means of a certificate naming a specified person, ‘authorise or direct’ them to take measures to prevent, detect or counter any computer-related threat to national security, essential services or the defence of Singapore or its foreign relations.
These measures may include:
- Accessing computers and decryption information suspected of being used in connection with an offence, according to Sections 39 and 40 of the Criminal Procedure Code (Chapter 68).
- Directing ‘another person to provide any information that is necessary to identify, detect or counter’ a cyber threat, including information relating to the design, configuration, operation and security of any computer or computer service.
- Providing the Minister or an authorised public officer with information obtained from a computer controlled, operated by, or obtained by the specified person that is necessary to identify, detect or counter a cyber threat.
- Providing the Minister or an authorised public officer with a report of a security breach or attempted security breach relating to a computer controlled or operated by the specified person.
Specified persons who fail to ‘take any measure or comply with any requirement directed by the Minister’ and people who obstruct a specified person in the course of their duties under the Act are guilty of an offence punishable by up to ten years’ imprisonment and/or a fine of up to $50,000.
Cyber security, compliance and ISO27001
Despite having absorbed many of the measures normally associated with information security, cyber security really only addresses the security of digital information. Information security is a broader approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.
In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.
ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an Information Security Management System (ISMS) and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.
Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.
The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
Why IT Governance?
IT Governance is a specialist in the field of information security and IT Governance, and has led more than 140 successful certifications to ISO27001 around the world.
IT Governance has created ISO 27001 packaged solutions to give Asia Pacific organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
Get started today >>