Data Breach Issues and How Singapore Enforces Its PDPA
In 2018 and 2019, Singapore continued to develop its frameworks for data protection, cybercrime, and cybersecurity.
As outlined in the 2018 Singapore Cyber Landscape Report, the government concentrated on the four pillars of the country's strategy against cyber threats. It aimed to:
(1) Build a reliable network;
(2) Build a safer cyberspace environment;
(3) Develop a dynamic environment for cybersecurity;
(4) Reinforce foreign collaborations.
The main legislative components of this policy are the Personal Data Protection Act (PDPA), Singapore's first comprehensive data protection regime; the Computer Misuse and Cybersecurity Act (CMCA), which targets cybercrime and other cyber threats; and Singapore's Critical Information Infrastructure (CII) Act (the Cybersecurity Act).
In the 10 months from August 2018 to June 2019, the PDPA and the Personal Data Protection Commission (PDPC, the agency set up to manage and implement the PDPA) saw a number of significant changes.
On 31 August 2018, the PDPC concluded a public consultation on proposed advisory guidelines on the PDPA for National Registration Identity Card (NRIC) numbers and released revised Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers. The guidelines aim to improve consumer protection against the indiscriminate collection, use, and disclosure of NRIC numbers and the retention of individuals' physical NRICs.
On 23 January 2019, the PDPC published the first version of its draft Artificial Intelligence (AI) Governance Framework for public consultation and pilot implementation. This accountability framework promotes the responsible use of AI by setting out guidelines that companies can follow to deploy AI solutions responsibly.
By the end of February 2019, the PDPC had published a discussion paper on the advantages of data portability, which confirmed its intention to address data portability in potential amendments to the PDPA. Data portability gives people more control over their personal data by letting them ask for copies of the data an entity holds about them, and by letting them demand that the company forward the data to another organisation. From 22 May 2019 to 3 July 2019, the PDPC then held a public consultation on the proposed provisions on data portability and data innovation.
The proposed data portability provision would give individuals increased control over their personal information and allow companies to access additional data, promoting the flow of data and increasing innovation. The proposed data innovation provision clarifies that companies may, without individual consent, use personal data for business purposes.
On 1 March 2019, the PDPC issued a statement of its intention to introduce mandatory breach notification as part of its proposed changes to the PDPA. The new notification requirement would require organisations to alert both the affected individuals and the PDPC when a data breach poses a risk of harm to the individuals involved, and to notify the PDPC of any data breach of significant scale (i.e., more than 500 personal data records are affected), regardless of its potential effects. In public consultations held from July to October 2017, this initiative received widespread public support.
On 22 May 2019, the PDPC released its Guidelines for Effective Compliance and for the Management of Data Breaches 2.0 (collectively, the Guides), which outlined the PDPC's approach to enforcing Singapore's data protection regime.
The Guides help organisations create data breach management strategies that recognize data protection issues early, raise awareness of data protection across the whole enterprise, and comply with Singapore's standards for data protection. Significantly, the Data Management Guide 2.0 specifies that businesses are to notify the PDPC of certain data breaches within 72 hours of the breach. This timeline is in line with the mandatory notification required by the General Data Protection Regulation (GDPR) of the European Union.
At the 51st Asia Pacific Privacy Authorities Forum, Singapore and Hong Kong signed a memorandum of understanding (MOU) to improve cooperation on personal data security. Based on this cooperative MOU, on 31 May 2019, Hong Kong and Singapore published a Guide to the Security of Data by Design for ICT Systems.
CMCA Developments and the Cybersecurity Act
The CMCA is closely connected to the Cybersecurity Act. In Singapore's cybersecurity strategy report of October 2016, the government highlighted the need for a robust framework to prevent and respond to the more complex threats to cybersecurity in Singapore. The report states that this framework would be laid down by the Cybersecurity Act and would supplement the existing cybercrime measures in the CMCA.
In 2013, the government revised the then-current Computer Misuse Act, renaming it the Computer Misuse and Cybersecurity Act, to improve the national response to cyber threats. In 2017, the government amended the CMCA; the amendments entered into force on 1 June 2017.
The amendments expanded the scope of the CMCA by criminalizing certain activities not already covered by the existing legislation and by increasing the punishments in certain cases. Under the current CMCA, for example, using stolen data to carry out a crime is an offence even if the perpetrator did not steal the data themselves, and the Act forbids the use of applications or tools that facilitate computer crime, such as malware or code crackers. The amendments further expanded the extraterritorial scope of the CMCA to cover acts targeting systems that lead to or create a serious risk of harm in Singapore, even if both the individuals and the systems are located outside Singapore.
In line with the government's focus on safeguarding critical information infrastructure, Singapore adopted the Cybersecurity Bill No. 2/2018 (the Cybersecurity Act) on 5 February 2018. The Bill had previously been issued for public consultation on 10 July 2017.
Finally, the Cybersecurity Act came into force on 31 August 2018. The Cybersecurity Act provides a framework for protecting CII from cyber threats, creates the office of the Cybersecurity Commissioner with broad powers to enforce the Act, establishes a licensing scheme for cybersecurity service providers, and authorizes prevention, monitoring, and response mechanisms for cybersecurity incidents in Singapore.