Organisations handling Singapore personal data should re-evaluate their data security compliance programmes in light of recent regulatory scrutiny and enforcement action. This is particularly true for organisations processing more sensitive data categories, notably health data, that should be on high alert given recent widely-reported data incidents (including the now-notorious SingHealth incident, which affected the data of over 1.5 million patients and resulted in substantial fines for SingHealth and its IT vendor).
Singapore's Cybersecurity Act, which came into force last summer, has also increased the spotlight on data security both in the minds of the regulators and the public. Further, according to reports, Southeast Asia is one of the most actively attacked regions in the world, with Singapore high on the attack list.
To help manage these vulnerabilities and compliance risks, and taking into account recommendations from the Personal Data Protection Commission in their published decisions on recent incidents, organisations should consider the following as part of their Singapore data security compliance programmes:
- Having good data protection foundations: It is important to get fundamental data protection practices right, from regularly applying security patches to software, to enforcing strong passwords, disabling dormant user accounts and imposing more stringent access controls where the personal data is especially sensitive.
- Policies and procedures, staff training and awareness: Organisations must have functioning incident response policies and establish clear lines of communication if a data security incident arises. Organisations should regularly run data breach exercises and establish a strong data protection awareness culture among their employees.
- Appropriate staffing: Having regard to the size of the organisation and the nature of the personal data in the organisation's possession or under its control, organisations should hire sufficient, and sufficiently qualified, data security resources.
- Vendor contracts: Vendors handling personal data must be contractually bound to comply with data protection and cybersecurity law and best practices, and must be subject to ongoing monitoring of that compliance.
- Data breach handling: While Singapore does not yet have mandatory data breach reporting obligations, incident reporting is encouraged as best practice. The timing of the notifications, as well as ensuring a complete picture of the incident, is important.
- Health data: In light of the SingHealth incident, as well as other significant incidents involving the data of hundreds of thousands of blood donors and HIV positive patients, the data security practices of organisations in the healthcare industry are under heightened scrutiny. As such, health sector organisations must review and enhance their data protection and cybersecurity measures to address patient and regulator concerns.