Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?

Singapore’s data protection laws are consistent with international standards, as it is modelled on the data protection regimes of key jurisdictions, including the European Union, the United Kingdom, Canada, Hong Kong, Australia and New Zealand. In addition, the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the Asia-Pacific Economic Cooperation Privacy Framework are referenced.

Are any changes to existing data protection legislation proposed or expected in the near future?

Singapore’s data protection legislation was enacted only in 2012. As such, changes in the near future are unlikely.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?
 

The Personal Data Protection Act 2012.

Scope and jurisdiction
Who falls within the scope of the legislation?

Sections 3 and 4(3) of the Personal Data Protection Act provide that private organisations and their data intermediaries fall within its scope. The act has extraterritorial jurisdiction, as organisations include those that have been formed under Singapore law or otherwise.

A data intermediary is an organisation that processes personal data on behalf of another organisation but excludes its employees.

An example of a data intermediary is an events management company that receives personal data from its client. The company processes personal data when it provides event RSVP and registration services, such as recording and organising the personal data of attendees on behalf of the client.

What kind of data falls within the scope of the legislation?

Only personal data falls within the scope of the legislation.

Section 2 of the Personal Data Protection Act defines ‘personal data’ as data, whether true or not, about an individual who can be identified from the data or other information to which the organisation has or is likely to have access.

Examples of personal data include an individual’s name, national registration identity card, passport number, photograph or video image, mobile telephone number, personal email address and thumbprint.

Business contact information is not covered under the Personal Data Protection Act. Such information includes contact information for business purposes, such as an individual’s name, designation, business telephone number, address, email address and fax number.

Are data owners required to register with the relevant authority before processing data?

There is no requirement for registration.

Is information regarding registered data owners publicly available?

As there is no requirement for registration, there is no information about registered data.

Is there a requirement to appoint a data protection officer?

Yes, Section 11(3) of the Personal Data Protection Act requires organisations to designate one or more individuals as data protection officers.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Personal Data Protection Commission (PDPC) is responsible for enforcing data protection legislation.

Section 29(2) of the Personal Data Protection Act empowers the PDPC to:

  • stop the collection, use or disclosure of personal data in contravention of the act;
  • destroy personal data collected in contravention of the act;
  • require compliance with any direction under Section 28(2) of the act; and
  • impose a financial penalty not exceeding S$1 million, as the commission sees fit.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Section 13 of the Personal Data Protection Act provides that an organisation may collect, use or disclose an individual’s personal data only with an individual’s express or deemed consent.

Section 20 of the Personal Data Protection Act requires organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed on or before collecting such data.

Section 18 of the Personal Data Protection Act provides that an organisation’s collection, use or disclosure of personal data is limited to purposes:

  • that a reasonable person would consider appropriate in the circumstances; and
  • for which notification has been made to the individual concerned.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Yes, Section 25 of the Personal Data Protection Act provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:

  • the purpose for which that data was collected is no longer being served; and
  • retention is no longer necessary for legal or business purposes.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, individuals have a qualified right to access personal information under Section 21(1) of the Personal Data Protection Act. Access to personal data is limited to:

  • personal data that is within the possession and control of the organisation; and
  • any information about the ways in which such data has been used one year before the request.

Exceptions to the access obligation under Section 21(3) and the Fifth Schedule of the Personal Data Protection Act exist.

Do individuals have a right to request deletion of their data?

Individuals can request deletion of their data if necessary to correct an error or omission in personal data held by or under the control of an organisation (Section 22(1) of the Personal Data Protection Act).

Otherwise, individuals may withdraw their consent to the collection, use and disclosure of their personal data under Section 16 of the act. Under such circumstances, organisations must cease collecting, using or disclosing the personal data but they are not required to delete it.

Consent obligations
Is consent required before processing personal data?

Yes, consent is required under Section 13 of the Personal Data Protection Act.

If consent is not provided, are there other circumstances in which data processing is permitted?

The Second through Fourth Schedules of the Personal Data Protection Act provides for circumstances in which personal data may be collected, used or disclosed. 

What information must be provided to individuals when personal data is collected?

Section 20 of the Personal Data Protection Act provides that an organisation must inform the individual of:

  • the purposes for which the personal data is being collected, used or disclosed when or before it is collected;
  • any other purpose for which the data is being used or disclosed of which an individual has not been informed under Section 20(1)(a), before the use or disclosure of the data for that purpose; and
  • on request by the individual, the business contact information of a person who can answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data. 

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Yes, Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach. However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.

The PDPC also considers the following as mitigating factors in the event of a breach:

  • whether the organisation informed individuals of the steps they could take to mitigate risk caused by a data breach; and
  • whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC’s investigation.

Organisations may also be bound by contractual obligations to notify affected individuals.

Are data owners/processors required to notify the regulator in the event of a breach?

No general requirements for organisations to notify the regulator in the event of a breach exist. However, there are industry specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hours of their discovery. For further information see the Technology Risk Management Notice and Guidelines.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes, the Spam Control Act 2008 regulates unsolicited electronic marketing. In addition, Section 39 the Personal Data Protection Act provides for the Do Not Call Registry. This allows consumers to opt out of marketing messages addressed to Singapore telephone numbers.

Cookies
Are there rules governing the use of cookies?

Not in general, as not all cookies collect personal data. The PDPC is sufficiently clear on the Personal Data Protection Act’s treatment of cookies that collect personal data. If the use of cookies that collect personal data is indispensable (eg, cookies that help to remember a shopper’s financial details to facilitate an online purchase), consent may be deemed to have been voluntarily given by users. If cookies are created to store personal data without the user’s knowledge or consent for behavioural targeting or profiling purposes, valid and unequivocal consent from must be obtained (see Pages 28 - 29 at www.pdpc.gov.sg/docs/default-source/public-consultation/advisory_guidelines_on_selected_topics.pdf?sfvrsn=2).

Although no specific local regulations govern the use of cookies per se, an organisation may be subject to EU laws on cookies. In the European Union, the EU ePrivacy Directive (2002/58/EC) – more specifically, Article 5(3) – requires prior informed consent to store or access information stored on a user's terminal equipment. The location of the user’s computer in which the cookie is placed and not the location of the host or owner of the website may ultimately decide whether EU cookie laws apply (see http://idpl.oxfordjournals.org/content/1/1/28.full#fn-1).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Section 26(1) of the Personal Data Protection Act provides that an organisation may not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Personal Data Protection Act, to ensure that the recipient organisation is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the Personal Data Protection Act.

In other words, if the recipient organisation is not already bound by comparable data privacy laws in their jurisdiction, the transferring organisation may impose these obligations contractually, via any binding corporate rules or any other legally binding instrument.

Are there restrictions on the geographic transfer of data?

No.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Section 26(1) of the Personal Data Protection Act provides that if the third party is in another jurisdiction, it must be able to provide a standard of protection that is comparable to the protection under the Personal Data Protection Act. However, a third party that is a data intermediary which processes personal data on behalf of an organisation is bound only by the obligations set out under Section 24 (protection of personal data) and Section 25 (retention of personal data) of the Personal Data Protection Act.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Section 56 of the Personal Data Protection Act provides that any person guilty of an offence under the Personal Data Protection Act (for which no penalty is expressly provided) will be subject to a general penalty of a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both. If the offence has been committed more than once, a further fine not exceeding S$1,000 per day will be imposed.

According to Section 51, with respect to access or correction requests under Sections 21 or 22 of the Personal Data Protection Act, it is an offence for organisations or persons to:

  • evade a request by disposing, altering, falsifying, concealing or destroying a record containing personal data – maximum fine of S$5,000 (for an individual) or S$50,000 (for an organisation);
  • obstruct or impede the commission in the exercise of its power or performance of its duties – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation); or
  • knowingly or recklessly mislead the commission – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation). 

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

An organisation is liable for civil action if it breaches its obligations under Parts IV (Consent, Notification and Purpose Obligations), V (Access and Correction Obligations) and VI (Accuracy, Protection, Retention and Transfer Obligations) of the Personal Data Protection Act.

If a person suffers loss or damage directly as a result of a contravention of any of the nine obligations by an organisation, he or she can sue the organisation for damages or seek an injunction (to stop the collection, use or disclosure of his personal data) in a civil action. Under Section 32(3), the court is also empowered to grant other relief as it sees fit.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes, Singapore has the Computer Misuse and Cybersecurity Act 2007.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

A new Cybersecurity Act will be tabled in Parliament in 2017 (www.channelnewsasia.com/news/singapore/new-cybersecurity-act-to/2685052.html). This is in line with the Singapore Infocomm Development Authority’s National Cybersecurity Masterplan 2018, which seeks to develop Singapore into a trusted and robust infocomm hub.

Which cyber activities are criminalised in your jurisdiction?

The following list details criminalised cyber activities under the Computer Misuse and Cybersecurity Act:

  • unauthorised access to computer material;
  • access with intent to commit or facilitate the commission of offence;
  • unauthorised modification of computer material;
  • unauthorised use or interception of computer material;
  • unauthorised obstruction of use of computer; and
  • unauthorised disclosure of access code.

Which authorities are responsible for enforcing cybersecurity rules?

The Ministry of Home Affairs is responsible for, and may direct entities to take pre-emptive measures to, prevent cybersecurity threats under Section 15A of the Computer Misuse and Cybersecurity Act.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, companies may obtain insurance for cybersecurity breaches. Recently there has been a strong demand for cyber insurance from finance and technology companies. For example, AIG Singapore launched an insurance product for small and medium-sized enterprises in March 2016 to get these enterprises started on cyber protection (see www.straitstimes.com/business/banking/demand-for-cyber-insurance-in-singapore-to-grow-by-50-in-2016-aig). 

Are companies required to keep records of cybercrime threats, attacks and breaches?

No such requirement exists.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

No general requirements for organisations to notify the regulator in the event of a breach exist. However, there are industry specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No such requirement exists.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

Individuals are liable to imprisonment, fines or both. It may also be useful to note that offences under the Penal Code that relate to elements of dishonesty, fraud or cheating may be involved in computer misuse and cybercrime cases. In such cases, perpetrators may be exposed to criminal penalties under the Penal Code.

Section of Computer Misuse and Cybersecurity Act Description Penalty
Section 3 – unauthorised access to computer material Section 3(1) – any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer will be considered guilty of an offence

Liable on conviction to a fine not exceeding S$5,000, imprisonment for a term not exceeding two years or both

 

In the case of a second or subsequent conviction, liable to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both

Section 3(2) – if any damage is caused as a result of unauthorised access under Section 3(1) Liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or to both
Section 4 – access with intent to commit or facilitate commission of offence Section 4(2) – offences involving property, fraud, dishonesty or which causes bodily harm Liable on conviction to imprisonment for a term of no less than two years
Section 4(3) – any person guilty of an offence under this section Liable on conviction to a fine not exceeding S$50,000, imprisonment for a term not exceeding 10 years or both
Section 5 – unauthorised modification of computer material Section 5(1) – any person who performs any act which he or she knows will cause an unauthorised modification to the content of any computer will be guilty of an offence

Liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both

 

In the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both

Section 5(2) – if any damage is caused as a result of an offence under this section Liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both
Section 6 – unauthorised use or interception of computer service

Section 6(1) – any person who knowingly:

  • secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
  • intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or
  • uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under Sections 6(1)(a) or 6(1)(b).

 

Liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both

 

In the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both

Section 6(2) – any damage caused as a result of an offence under this section

Liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both

 

Section 7 – unauthorised obstruction of use of computer

Section 7(1) – any person who knowingly and without authority or lawful excuse:

  • interferes with, interrupts or obstructs the lawful use of a computer; or
  • impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer

Liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both

 

In the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both

If any damage is caused as a result of an offence under this section

Liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both
Section 8 – unauthorised disclosure of access code

Section 8(1) – any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer will be guilty of an offence if he or she did so:

  • for any wrongful gain;
  • for any unlawful purpose; or
  • knowing that it is likely to cause wrongful loss.

Liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both

 

In the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both

Section 9 – enhanced punishment for offences involving protected computers

Section 9(1) – where access to any protected computer is obtained in the course of the commission of an offence under Sections 3, 5, 6 or 7

Liable to a fine not exceeding S$100,000, imprisonment for a term not exceeding 20 years or both

What penalties may be imposed for failure to comply with cybersecurity regulations?

Where an organisation fails to employ reasonable measures to protect personal data, it will be liable to pay a fine not exceeding S$1 million under Section 29(2)(d) of the Personal Data Protection Act.