The Singapore Personal Data Protection Commission (PDPC) has had a busy year and shows no signs of slowing down. In January 2019, the PDPC handed down a record SGD 1 million enforcement related to the SingHealth data breach – a breach that resulted from a cyber attack of unprecedented scale in Singapore, which saw the theft of 1.5 million personal and medical records from an electronic medical records system. Following that, the PDPC has levied financial penalties against companies small and large, posted new regulatory guidelines on breach notice timing and enforcement, and proposed key changes to data subject rights under Singapore’s Personal Data Protection Act (PDPA). We urge any company doing business in Singapore to familiarize themselves with the latest PDPC developments laid out below.
1. Singapore Data Protection Enforcement in 2019
In January 2019, the PDPC fined two government-owned healthcare companies – SingHealth and its IT vendor, Integrated Health Information Systems (IHiS) – for their failure to reasonably protect the patient data housed in an electronic medical records system. A sophisticated attacker infiltrated the medical records system and stole personal and medical records relating to 1.5 million individuals, including 159,000 treatment records concerning dispensed medication. The PDPC and Parliamentary investigation into the breach revealed, among many other issues, that SingHealth failed to properly oversee its IT vendor, and that SingHealth had ineffective cyber risk management processes, culture, and staff training. The Parliamentary report scathingly stated that despite lower-level staff working hard to remediate the incident, it was “a shame that such initiative was then smothered by a blanket of middle management mistakes.” The Minister-in-Charge of Cybersecurity, S. Iswaran, announced that the SingHealth breach “was not inevitable,” and that the victim companies “should have been better prepared and more robust in their actions” to respond to the attack.
The PDPC fined IHiS to the tune of SGD 750,000, and SingHealth a sum of SGD 250,000, for failure to take reasonable and appropriate measures to protect personal data under Section 24 of the PDPA. The fines were only mitigated by the fact that the companies were victims of a “skilled and sophisticated” nation state linked attack and took immediate effective remedial action, and because they cooperated fully in the investigation. The PDPC warned that absent such circumstances, it would have issued the “maximum financial penalty allowed” against IHiS and a significantly higher penalty against SingHealth. Since January 2019, the most frequent area of PDPC enforcement has been actions against companies that failed to take reasonable actions to secure personal data from unauthorized access.
Given the PDPC’s enforcement focus on cyber risk management and safeguarding personal data, companies doing business in Singapore would do well to carefully review their incident response processes and cyber risk management programs.
2. New Guidance on Breach Notice Timing
While breach notification is still not technically mandatory under Singapore law, the PDPC has repeatedly signaled its intent to make breach notice mandatory in the future. Ahead of any changes to the law, just this past month, the PDPC issued new guidance tightening the breach notice window.
The PDPC now advises that businesses report data breaches to the PDPC within 72 hours, so long as the breach is either likely to result in significant harm or impact to individuals, or if the breach is of “significant scale” (i.e., the data breach involves personal data of 500 or more individuals). Businesses are also advised to notify affected individuals of such confirmed breaches “as soon as practicable.”
Organizations are advised to assess whether a potential breach meets the reporting threshold “expeditiously,” but within 30 days from learning of a potential data breach. Service providers (data intermediaries) are now advised to inform their business customers of suspected or confirmed data breaches involving their customer’s personal data within 24 hours.
While not mandatory, non-compliance with the new breach guidelines may affect how the PDPC approaches enforcement against a company after a data breach. Those seeking to comply with the new guidance should revisit their incident response plans and ensure that cross-functional data breach drills are carried out periodically to test such procedures. Companies should also consider revisiting their service provider relationships to ensure that vendors are under appropriate obligations to safeguard personal data and provide notice of potential breaches.
3. New Guidance on Cyber Risk Management
Possibly following the numerous institutional failures identified in the SingHealth breach, the PDPC has issued new guidance on the role of leadership in cyber risk management and oversight. The PDPC now states that senior management should be “specifying the organization’s approach and responsibilities over the handling of personal data and communicating that throughout the organization.” The PDPC calls for leadership to be involved in approving security policies, appointing and managing a data protection officer, advocating for data protection training, allocating budgetary and staffing resources for data protection, monitoring and managing cyber risks, and reporting cyber risks to the board.
While the PDPC guidance in this area is not binding, we note that mismanagement of cybersecurity risks was found to be one of the root causes of the SingHealth breach. Companies would do well to revisit their risk governance programs to ensure that cybersecurity and risks to personal data are appropriately addressed and managed.
4. New Guide on PDPC Enforcement
The PDPC has published the new “Guide on Active Enforcement,” which articulates the PDPC’s novel approach of using its enforcement powers to shift organizations from “compliance to accountability.” Notable takeaways from the Guide include the description of the PDPC mediation process for complaints and a description of the “expedited decision” process, whereby an organization can admit liability in exchange for potentially mitigated financial penalties. The Guide also describes the factors that the PDPC considers when issuing financial penalties. The PDPC states that financial penalties will be reserved only for breaches of the law which the PDPC views as particularly serious in nature. In assessing the severity of the breach, some of the factors the PDPC considers include the impact of the violation, the organization’s intent, the organization’s extent of non-compliance with PDPA obligations, the number of individuals whose personal data were affected, the types of personal data involved, and whether there have been repeat violations.
5. Other Changes: Data Portability and Innovation
Finally, in addition to future changes to breach notification requirements under the Singapore privacy law, the PDPC has announced its intent to add a new data portability right for individuals under the PDPA. Under this proposal, an organization must, at the request of the individual, provide the individual’s data that is in the organization’s possession or under its control, for transmission to another organization in a commonly used machine-readable format. The right to data portability will apply to user-provided data and user activity data only, and exclude “derived data” which is created with specific processes that may reveal confidential business information (for example, lists of suggested friends created on a social media platform based on user activity data). Organizations may be permitted to charge reasonable fees for providing portability services to individuals.
The PDPC also proposed how organizations may use or create personal data, including derived data, for “business innovation purposes” without providing notice or obtaining the consent of individuals. Such purposes include operational efficiency and service improvements, product development, and knowing customers better.
6. Key Takeaways
Given the scope of recent data protection enforcement activity in Singapore, any company that does business in Singapore should take appropriate steps to safeguard its personal data, to support and train its workforce to comply with the PDPA, and to ensure that management is setting the right tone from the top on cybersecurity.