Photo of Charmian Aw

Since coming into effect in 2014, Singapore’s personal data protection law has been actively enforced. The law applies to all organizations operating in Singapore, regardless of their size and the nature of their business. Companies that employ personnel in Singapore must take note of how Singapore data protection law applies

On January 30, 2020, the World Health Organization (WHO) declared that the outbreak of novel coronavirus (COVID-19) is a “public health emergency of international concern.” This was, in part, an acknowledgement of the geographic spread of the virus and the need for intensified support for preparation and response, especially in vulnerable countries and regions. Further

The World Health Organization (WHO) declared on January 30, 2020, that the outbreak of 2019 nCoV (novel coronavirus) is a “Public Health Emergency of International Concern.” Further information is available in the WHO statement. On January 31, 2020, the Centers for Disease Control and Prevention (CDC) in the United States also declared a public

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

Continue Reading An FAQ guide to data breach notifications in Singapore

Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.

We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.

ISO/IEC 27701:2019

Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.

Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.

The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.

Continue Reading A snapshot comparison of data protection certifications in Singapore

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act.

Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:

(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ information; and

(b) protect all customer information against unauthorised disclosure, retention, or use.

Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office’s policies and procedures.

Where the service provider is an external party, however, the relevant provisions must be included in the contract between the bank and the provider.

Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.

Continue Reading New requirements for Singapore banks to include provisions in service contracts on protection of customer data

In Singapore, private sector organisations must generally comply with the transfer limitation obligation in the Personal Data Protection Act (the Act). Any transfer of personal data outside Singapore must be in accordance with the Act’s requirements, to ensure that a comparable standard of protection is accorded to that data.

However, where an organisation is a data intermediary, i.e., it processes personal data on behalf of and for the purposes of another pursuant to a written contract, that intermediary is not subject to the transfer limitation obligation, as specified in section 4(2) of the Act.

Continue Reading Guidance given on Singapore cross-border data transfer obligation for intermediaries and cloud providers

On May 22, 2019, Singapore’s Personal Data Protection Commission introduced three new initiatives:

a) A public consultation on data portability. The corresponding consultation paper also proposes to introduce data innovation provisions as part of the ongoing review of the Personal Data Protection Act (PDPA). The consultation is open for six weeks and will close on

On 23 April 2019, Singapore’s Personal Data Protection Commission (commission) issued two separate grounds of decision against PAP Community Foundation and Tutor City.

In both cases, the commission issued warnings to the organisations for breaching the protection obligation under section 24 of the Personal Data Protection Act (PDPA), but no financial penalty was imposed.

PAP Community Foundation (PCF)

The facts of this case were as follows:

  • PCF provides kindergarten services, and organises various school trips.
  • In connection with a particular school trip, a teacher at PCF sent a photograph of a consolidated attendance list to a WhatsApp chat group comprising parents of students of the school. The attendance list contained the personal data of 15 students and their parents, including the contact and National Registration Identity Card (NRIC) numbers of five of the parents.
  • A parent alerted the teacher to this unauthorised disclosure and the teacher quickly deleted the message within the group chat. The same parent lodged a complaint with the commission.

The commission’s findings were as follows:

  • It was evident that PCF did not have specific policies or procedures to guide its employees (including its teachers) on the use and disclosure of personal data in their communications with parents of students who were enrolled at the preschools.
  • Given the frequency of interaction between PCF’s staff and the parents, such policies and training should reasonably be expected to be put in place to guide the staff on how to comply with PCF’s data protection obligations.
  • While PCF had provided data protection training to its staff, mere training alone cannot be a substitute for data protection policies and procedures.
  • To its credit, however, PCF had acted swiftly to address its inadequate policies. This carried mitigating value. In particular, the commission noted that PCF had taken the following remedial measures:
    • Immediate suspension of all WhatsApp chat groups following the disclosure;
    • Expedited implementation of rules pertaining to the use of social media and WhatsApp chat groups;
    • Roll-out of data protection policies including document retention and information security policies; and
    • Development of a practical employee handbook and conducting refresher training for its employees.

Continue Reading Warnings issued against two organisations for breaching Singapore data protection law

On 1 April 2019, the Protection from Online Falsehoods and Manipulation Bill was tabled in Singapore’s Parliament.

The bill aims to stem the communication of false statements of fact, enable the detection and control of information manipulation, and promote the transparency of online political advertisements.

Any person or organisation that spreads online falsehoods with malicious intent to harm the public interest in Singapore could face a fine of up to SGD 500,000 or, in the case of an individual, a five-year imprisonment term.

Such a statement would be considered to harm the public interest if its communication is likely to prejudice Singapore’s security, public health and safety, or foreign relations or to influence election results, incite hatred, or diminish public confidence in the performance of any public function.

Continue Reading Singapore introduces new law to combat the spread of fake news