Singapore has passed the Personal Data Protection Bill after its second reading in Parliament on 15 October. The Bill applies to all organisations across the private sector.
In his speeches to Parliament, Yaacob Ibrahim, the Minister for Information, Communications and the Arts (MICA), said that in an era of exponential data growth, there was a need for a move away from the original sectoral approach to a general data protection framework, to ensure a baseline standard of protection for personal data across the country that will operate concurrently with other legislative and regulatory frameworks.
To allow businesses time to adjust their data management policies and procedures, Singapore will adopt a phased approach to implementing the personal data protection law. The transition-period schedule stipulates that DNC registry provisions will come into force in 12 months, and the data protection rules will come into force in 18 months.
Of particular note, and different from the European definition of ‘personal data’, the scope of the new law covers not just living individuals, but also deceased persons for a period of 20 years following their deaths. International transfers are less prescriptive than that of Europe and will be allowed after an organisation has ensured that appropriate measures are in place to protect data.
A Personal Data Protection Commission (PDPC) will be set up to function as the country's main authority to administer and enforce the data protection rules. If an organisation is non-compliant, the PDPC may impose a maximum financial penalty of S$1 million (USD $819,000). A National Do-Not-Call (DNC) Registry will be created by early 2014.
The minister extolled the virtues of the Personal Data Protection Bill, stating that it will strengthen Singapore’s overall competitiveness, and will enhance its status as a global data hub by providing a conducive environment for global data management industries, such as cloud computing and business analytics, to operate in Singapore.