Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Singapore’s data protection laws are consistent with international standards, as they are modelled on the data protection regimes of key jurisdictions, including the European Union, the United Kingdom, Canada, Hong Kong, Australia and New Zealand. In addition, the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flow of Personal Data and the Asia-Pacific Economic Cooperation Privacy Framework are referenced.

In July 2017 Singapore also submitted its intent to join the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system and the APEC Privacy Recognition for Processors (PRP) system. Singapore will also align its Data Protection Trustmark standards with the APEC CBPR and PRP systems, and companies that obtain the Data Protection Trustmark certification will concurrently be certified under the APEC CBPR system.

Are any changes to existing data protection legislation proposed or expected in the near future?

There are ongoing consultations on amendments to the existing Personal Data Protection Act 2012, which are expected to be introduced in Parliament in 2019. Thus far, the proposed amendments include the introduction of a mandatory data breach notification regime and amendments to the existing framework for the collection, use and disclosure of personal data to encourage data sharing.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Personal Data Protection Act 2012.

Scope and jurisdiction

Who falls within the scope of the legislation?

Sections 3 and 4(3) of the Personal Data Protection Act provide that private organisations and their data intermediaries fall within its scope. The act has extraterritorial jurisdiction, as organisations include those that have been formed under Singapore law or otherwise.

A data intermediary is an organisation that processes personal data on behalf of another organisation but excludes its employees.

An example of a data intermediary is an events management company that receives personal data from its client. The company processes personal data when it provides event RSVP and registration services, such as recording and organising the personal data of attendees on behalf of the client.

What kind of data falls within the scope of the legislation?

Only personal data falls within the scope of the legislation.

Section 2 of the Personal Data Protection Act defines ‘personal data’ as data, whether true or not, about an individual who can be identified from the data or other information to which the organisation has or is likely to have access.

Examples of personal data include an individual’s name, national registration identity card, passport number, photograph or video image, mobile telephone number, personal email address and thumbprint.

Business contact information is not covered under the Personal Data Protection Act. Such information includes contact information for business purposes, such as an individual’s name, designation, business telephone number, address, email address and fax number.

Are data owners required to register with the relevant authority before processing data?

There is no requirement for registration.

Is information regarding registered data owners publicly available?

As there is no requirement for registration, no information about registered data owners exists.

Is there a requirement to appoint a data protection officer?

Yes, Section 11(3) of the Personal Data Protection Act requires organisations to designate one or more individuals as data protection officers.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Personal Data Protection Commission (PDPC) is responsible for enforcing data protection legislation.

Section 29(2) of the Personal Data Protection Act empowers the PDPC to direct organisations to:

  • stop the collection, use or disclosure of personal data in contravention of the act;
  • destroy personal data collected in contravention of the act;
  • require compliance with any direction under Section 28(2) of the act; and
  • impose a financial penalty not exceeding S$1 million, as the PDPC sees fit.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Section 13 of the Personal Data Protection Act provides that an organisation may collect, use or disclose an individual’s personal data only with an individual’s express or deemed consent.

Section 20 of the Personal Data Protection Act requires organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed on or before collecting such data.

Section 18 of the Personal Data Protection Act provides that an organisation’s collection, use or disclosure of personal data is limited to purposes:

  • that a reasonable person would consider appropriate in the circumstances; and
  • for which notification has been made to the individual concerned.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Yes, Section 25 of the Personal Data Protection Act provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:

  • the purpose for which that data was collected is no longer being served; and
  • retention is no longer necessary for legal or business purposes.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, individuals have a qualified right to access personal information under Section 21(1) of the Personal Data Protection Act. Access to personal data is limited to:

  • personal data that is within the possession and control of the organisation; and
  • any information about the ways in which such data has been used within the year before the request.

Section 21(3) and the Fifth Schedule of the Personal Data Protection Act set out exceptions to the access obligation.

Do individuals have a right to request deletion of their data?

Individuals can request deletion of their data if necessary to correct an error or omission in personal data held by or under the control of an organisation (Section 22(1) of the Personal Data Protection Act).

Otherwise, individuals may withdraw their consent to the collection, use and disclosure of their personal data under Section 16 of the act. Under such circumstances, organisations must cease collecting, using or disclosing the personal data but they are not required to delete it.

Consent obligations

Is consent required before processing personal data?

Yes, consent is required under Section 13 of the Personal Data Protection Act.

If consent is not provided, are there other circumstances in which data processing is permitted?

The Second through Fourth Schedules of the Personal Data Protection Act provide for circumstances in which personal data may be collected, used or disclosed without consent.

What information must be provided to individuals when personal data is collected?

Section 20 of the Personal Data Protection Act provides that an organisation must inform the individual of:

  • the purposes for which the personal data is being collected, used or disclosed when or before it is collected;
  • any other purpose for which the data is being used or disclosed of which an individual has not been informed under Section 20(1)(a), before the use or disclosure of the data for that purpose; and
  • on request by the individual, the business contact information of a person who can answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data. 

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes, Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach. However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.

The PDPC also considers the following as mitigating factors in the event of a breach:

  • whether the organisation informed individuals of the steps they could take to mitigate risk caused by a data breach; and
  • whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC’s investigation.

Organisations may also be bound by contractual obligations to notify affected individuals.

However, Singapore is planning to introduce a mandatory data breach notification regime in a couple of years. Under the proposed regime, data owners will be required to notify individuals where there is a risk of impact or harm to affected individuals. Data processors will not be required to notify individuals, but will be required to notify the data owners of all data breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

Currently, there is no general requirement for organisations to notify the regulator in the event of a breach. Organisations are encouraged to voluntarily notify the Personal Data Protection Commission (PDPC), especially if a data breach involves sensitive personal data.

However, there are industry-specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.

Nonetheless, Singapore is planning to introduce a mandatory data breach notification regime in a couple of years. Under the proposed regime, data owners will be required to notify the PDPC where there is a risk of impact or harm to affected individuals and/or where the breach is of a significant scale. Data processors will not be required to notify the PDPC, but will be required to notify the data owners of all data breaches.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes, the Spam Control Act 2008 regulates unsolicited electronic marketing. In addition, Section 39 of the Personal Data Protection Act provides for the Do Not Call Registry, which allows consumers to opt out of marketing messages addressed to Singapore telephone numbers.

Cookies

Are there rules governing the use of cookies?

Not in general, as not all cookies collect personal data. The PDPC is sufficiently clear on the Personal Data Protection Act’s treatment of cookies that collect personal data. If the use of cookies that collect personal data is indispensable (eg, cookies that help to remember a shopper’s financial details to facilitate an online purchase), consent may be deemed to have been voluntarily given by users. If cookies are created to store personal data without the user’s knowledge or consent for behavioural targeting or profiling purposes, valid and unequivocal consent must be obtained (see Pages 28-29 at www.pdpc.gov.sg/docs/default-source/public-consultation/advisory_guidelines_on_selected_topics.pdf?sfvrsn=2).

Although no specific local regulations govern the use of cookies per se, an organisation may be subject to EU laws on cookies. In the European Union, the EU ePrivacy Directive (2002/58/EC) – more specifically, Article 5(3) – requires prior informed consent to store or access information stored on a user's terminal equipment. The location of the user’s computer in which the cookie is placed and not the location of the host or owner of the website may ultimately decide whether EU cookie laws apply (see http://idpl.oxfordjournals.org/content/1/1/28.full#fn-1).

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Section 26(1) of the Personal Data Protection Act provides that an organisation may not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Personal Data Protection Act, to ensure that the recipient organisation is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the Personal Data Protection Act.

In other words, if the recipient organisation is not already bound by comparable data privacy laws in their jurisdiction, the transferring organisation may impose these obligations contractually, via any binding corporate rules or any other legally binding instrument.

Are there restrictions on the geographic transfer of data?

No.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Section 26(1) of the Personal Data Protection Act provides that if the third party is in another jurisdiction, it must be able to provide a standard of protection that is comparable to the protection under the Personal Data Protection Act. However, a third party that is a data intermediary which processes personal data on behalf of an organisation is bound only by the obligations set out under Section 24 (protection of personal data) and Section 25 (retention of personal data) of the Personal Data Protection Act.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Section 56 of the Personal Data Protection Act provides that any person guilty of an offence under the Personal Data Protection Act (for which no penalty is expressly provided) will be subject to a general penalty of a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both. If the offence has been committed more than once, a further fine not exceeding S$1,000 per day will be imposed.

According to Section 51, with respect to access or correction requests under Sections 21 or 22 of the Personal Data Protection Act, it is an offence for organisations or persons to:

  • evade a request by disposing, altering, falsifying, concealing or destroying a record containing personal data – maximum fine of S$5,000 (for an individual) or S$50,000 (for an organisation);
  • obstruct or impede the commission in the exercise of its power or performance of its duties – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation); or
  • knowingly or recklessly mislead the commission – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation). 

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

An organisation is liable for civil action if it breaches its obligations under Parts IV (Consent, Notification and Purpose Obligations), V (Access and Correction Obligations) and VI (Accuracy, Protection, Retention and Transfer Obligations) of the Personal Data Protection Act.

If a person suffers loss or damage directly as a result of a contravention of any of the nine obligations by an organisation, he or she can sue the organisation for damages or seek an injunction (to stop the collection, use or disclosure of his or her personal data) in a civil action. Under Section 32(3), the court is also empowered to grant other relief as it sees fit.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes, Singapore has the Computer Misuse and Cybersecurity Act 2007.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

A new Cybersecurity Act will be tabled in Parliament in 2018 (www.mci.gov.sg/pressroom/news-and-stories/pressroom/2017/9/the-opening-ceremony-of-asean-ministerial-conference-on-cybersecurity). This is in line with the Singapore Infocomm Development Authority’s National Cybersecurity Masterplan 2018, which seeks to develop Singapore into a trusted and robust infocomm hub.

Which cyber activities are criminalised in your jurisdiction?

The following list details criminalised cyber activities under the Computer Misuse and Cybersecurity Act:

  • unauthorised access to computer material;
  • access with intent to commit or facilitate the commission of offence;
  • unauthorised modification of computer material;
  • unauthorised use or interception of computer material;
  • unauthorised obstruction of use of computer; and
  • unauthorised disclosure of access code.

Which authorities are responsible for enforcing cybersecurity rules?

The Ministry of Home Affairs is responsible for preventing cybersecurity threats and, under Section 15A of the Computer Misuse and Cybersecurity Act, may direct entities to take pre-emptive measures to that end.

The Cybersecurity Agency of Singapore is the central agency to oversee and coordinate all aspects of cybersecurity for the nation. Once the Cybersecurity Bill comes into force, it will empower the agency to manage, respond to and investigate cybersecurity threats and incidents.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, companies may obtain insurance for cybersecurity breaches. Recently there has been a strong demand for cyber insurance from finance and technology companies. For example, AIG Singapore launched an insurance product for small and medium-sized enterprises in March 2016 to get these enterprises started on cyber protection (see www.straitstimes.com/business/banking/demand-for-cyber-insurance-in-singapore-to-grow-by-50-in-2016-aig). 

Are companies required to keep records of cybercrime threats, attacks and breaches?

No such requirement exists.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Currently, there is no general requirement for organisations to notify the regulator in the event of a breach. However, there are industry-specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.

However, under the proposed Cybersecurity Bill, owners of critical information infrastructure will be required to notify the commissioner of the Cybersecurity Agency of Singapore of:

  • any cybersecurity incident that occurs in respect of the critical information infrastructure;
  • any computer or computer system under the owner’s control that is interconnected with or communicates with the critical information infrastructure; or
  • any cybersecurity incident of a type as prescribed by notification or as specified by the commissioner of the agency.  

Are companies required to report cybercrime threats, attacks and breaches publicly?

No such requirement exists.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Individuals are liable to imprisonment, fines or both. It may also be useful to note that offences under the Penal Code that relate to elements of dishonesty, fraud or cheating may be involved in computer misuse and cybercrime cases. In such cases, perpetrators may be exposed to criminal penalties under the Penal Code.

The offences and penalties under the Computer Misuse and Cybersecurity Act are set out below by section (section of the act, description and penalty).

Section 3 – unauthorised access to computer material

Section 3(1) – any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer will be considered guilty of an offence.
Penalty: liable on conviction to a fine not exceeding S$5,000, imprisonment for a term not exceeding two years or both; in the case of a second or subsequent conviction, liable to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both.

Section 3(2) – if any damage is caused as a result of unauthorised access under Section 3(1).
Penalty: liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both.

Section 4 – access with intent to commit or facilitate commission of offence

Section 4(2) – offences involving property, fraud, dishonesty or which cause bodily harm.
Penalty: liable on conviction to imprisonment for a term of no less than two years.

Section 4(3) – any person guilty of an offence under this section.
Penalty: liable on conviction to a fine not exceeding S$50,000, imprisonment for a term not exceeding 10 years or both.

Section 5 – unauthorised modification of computer material

Section 5(1) – any person who performs any act which he or she knows will cause an unauthorised modification to the content of any computer will be guilty of an offence.
Penalty: liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both; in the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both.

Section 5(2) – if any damage is caused as a result of an offence under this section.
Penalty: liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both.

Section 6 – unauthorised use or interception of computer service

Section 6(1) – any person who knowingly:

  • secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
  • intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or
  • uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under Sections 6(1)(a) or 6(1)(b).

Penalty: liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both; in the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both.

Section 6(2) – any damage caused as a result of an offence under this section.
Penalty: liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both.

Section 7 – unauthorised obstruction of use of computer

Section 7(1) – any person who knowingly and without authority or lawful excuse:

  • interferes with, interrupts or obstructs the lawful use of a computer; or
  • impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer.

Penalty: liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both; in the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both.

If any damage is caused as a result of an offence under this section.
Penalty: liable to a fine not exceeding S$50,000, imprisonment for a term not exceeding seven years or both.

Section 8 – unauthorised disclosure of access code

Section 8(1) – any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer will be guilty of an offence if he or she did so:

  • for any wrongful gain;
  • for any unlawful purpose; or
  • knowing that it is likely to cause wrongful loss.

Penalty: liable on conviction to a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both; in the case of a second or subsequent conviction, liable to a fine not exceeding S$20,000, imprisonment for a term not exceeding five years or both.

Section 9 – enhanced punishment for offences involving protected computers

Section 9(1) – where access to any protected computer is obtained in the course of the commission of an offence under Sections 3, 5, 6 or 7.
Penalty: liable to a fine not exceeding S$100,000, imprisonment for a term not exceeding 20 years or both.

 

What penalties may be imposed for failure to comply with cybersecurity regulations?

Where an organisation fails to employ reasonable measures to protect personal data, it will be liable to pay a fine not exceeding S$1 million under Section 29(2)(d) of the Personal Data Protection Act.

Under the proposed Cybersecurity Bill, the owner of critical information infrastructure may be liable for a fine and imprisonment for failing to comply with the Cybersecurity Act or directions of the Commissioner of the Cybersecurity Agency.