New bill will force data handlers to report breaches

Singapore plans to introduce a mandatory data breach notification regime to protect its industry and citizens from high-risk information leaks, according to local reports.

The city-state’s Personal Data Protection Commission (PDPC) has reportedly announced that as part of a review of the Personal Data Protection Act, a new law will force companies to disclose data breaches.

A date has not yet been set for the introduction of the regime, but a spokeswoman for the PDPC has confirmed to local media that the bill will go ahead.

Writing in the Straits Times, director of corporate communications Karen Low noted that “a robust and trusted data protection ecosystem is crucial to Singapore’s economic competitiveness”.

She wrote: “It is why we are reviewing the Personal Data Protection Act (PDPA) to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.

“As part of this review, the PDPC held two rounds of public consultations over the last two years. We intend to introduce a mandatory data breach notification regime as part of the proposed amendments to the PDPA.”

Private sector companies that process personal data are currently ruled by the PDPA, whereas organizations in the public sector are governed by the Public Sector (Governance) Act (PSGA).

Low said that although the two regimes are “broadly aligned”, data control protections under the PSGA are held to an even higher standard.

Current rules state that non-compliance with data protection laws could result in a fine of up to S$10,000 ($7,366) and imprisonment for up to three years.

Singapore citizens have fallen victim to numerous high-profile data breaches, including a breach at government healthcare organization SingHealth in July 2018 that leaked the medical records of 1.5 million individuals, including those of Prime Minister Lee Hsien Loong.

It came months after the government passed a bill in February 2018 aimed at establishing a framework for the legal oversight and maintenance of national cybersecurity.

The Cybersecurity Bill places strong emphasis on protecting the island nation, by authorizing the Cyber Security Agency of Singapore to prevent and respond to cybersecurity threats and incidents, while also establishing a licensing framework for cybersecurity providers.

Organizations will be required to complete security audits and to report any incidents. Failure to comply could result in a maximum S$100,000 ($74,000) fine, two years’ imprisonment, or both.

In November that year, Singapore strengthened ties with Canada following the signing of the Memorandum of Understanding, which will see the two nations sharing information, lending support to one another, and collaborating on cybersecurity issues.

And in December, the government partnered with HackerOne to open its second public bug bounty program, after a successful program with MINDEF.