Abstract
Singapore’s data protection regime is an evolving one. Its Personal Data Protection Act (PDPA), which applies to both electronic and non-electronic data, recognises the need to strike a reasonable balance between the need for organisations to collect, use and disclose personal data, with individuals’ right to protection of their personal data. As such, the data protection authorities are constantly reviewing the PDPA and its impact, with the results seen through new or updated advisory guidelines, and potentially even changes to the PDPA itself. Other laws, such as the Computer Misuse Act and the Criminal Procedure Code, also affect Singapore’s data protection regime in significant ways.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
No. 26 of 2012. The data protection provisions came into full effect on 2 July 2014: Personal Data Protection Act 2012 (Commencement) Notification 2014 (S 361 of 2014).
- 2.
PDPA s 5, 6(g).
- 3.
Singapore Parliamentary Debates, Official Report (15 October 2012) vol 89. See also Chesterman (2018), para 2.30.
- 4.
Chesterman (2018), para 2.30.
- 5.
Cap 19, 2008 Rev Ed at s 47(1).
- 6.
Ter (2013), p. 265.
- 7.
Singapore Parliamentary Debates, Official Report (15 October 2012) vol 89. See also Chesterman (2018), para 2.47.
- 8.
Chik (2013), p. 558 (discussing PDPA s 4(6)).
- 9.
Chik (2013), p. 558 (discussing PDPA s 4(6)).
- 10.
Cap 50A, 2007 Rev Ed.
- 11.
Cap 68, 2012 Rev Ed.
- 12.
No 9 of 2018.
- 13.
Cap 88, 2011 Rev Ed.
- 14.
Cap 256A, 2015 Rev Ed.
- 15.
No 18 of 2019.
- 16.
No 5 of 2018.
- 17.
Cap 311A, 2008 Rev Ed.
- 18.
Cap 323, 2000 Rev Ed.
- 19.
PDPA s 3. There is no specific right of privacy in Singapore, although the usual common law protections for privacy apply, e.g. the law of confidence and defamation. See Chan and Lee (2016). Certain privacy-related rights also exist under other legislation such as the Protection from Harassment Act (Cap 256A, 2015 Rev Ed) and the Copyright Act (Cap 63, 2006 Rev Ed). See Goh and Aw (2018).
- 20.
PDPC Advisory Guidelines on Key Concepts paras 5.2, 5.30.
- 21.
PDPA s 2(1).
- 22.
PDPA s 4(4)(a).
- 23.
PDPA s 4(4)(b). The individual must have been deceased for more than 10 years.
- 24.
PDPA s 4(5).
- 25.
PDPC Advisory Guidelines on Key Concepts para 5.3; Advisory Guidelines for Selected Topics chapter 3.
- 26.
PDPA s 2(1).
- 27.
The Singapore Government and governmental organisations (and employees thereof) are prohibited from disclosing confidential information obtained in the course of their work by, among others, the Statutory Bodies and Government Companies (Protection of Secrecy) Act (Cap 319, 2004 Rev Ed) and the Official Secrets Act (Cap 213, 2012 Rev Ed). See also discussion on the Public Sector (Governance) Act 2018.
- 28.
PDPA s 4(1)(b).
- 29.
PDPA s 2(1). Data intermediaries are discussed elsewhere in this report.
- 30.
PDPA ss 13–16.
- 31.
PDPA s 18.
- 32.
PDPA s 20(1).
- 33.
PDPA s 21(1).
- 34.
PDPA s 22.
- 35.
PDPA s 23.
- 36.
PDPA s 24.
- 37.
PDPA s 25.
- 38.
PDPA s 26.
- 39.
PDPA ss 11–12, PDPC Advisory Guidelines on Key Concepts para 10.2.
- 40.
PDPC Advisory Guidelines on Key Concepts para 9.3. See, e.g., PDPA ss 11(1), 18, 24, 25.
- 41.
PDPC Advisory Guidelines on Key Concepts para 9.5.
- 42.
See n 16. The PSG(A) will likely be administered by the Prime Minister’s Office. See Public Consultation on the Public Sector (Governance) Bill. https://www.reach.gov.sg/participate/public-consultation/prime-ministers-office/public-service-division/public-consultation-on-the-public-sector-governance-bill. Accessed 30 August 2019. Media Factsheet On The Public Sector (Governance) Bill. http://www.nas.gov.sg/archivesonline/data/pdfdoc/20180108011/Media%20factsheet%20on%20the%20Public%20Sector%20-%20Governance-%20Bill.pdf. Accessed 30 August 2019.
- 43.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94.
- 44.
“Data sharing direction” means a direction issued under the PS(G)A regarding “sharing of information or re-identification of anonymised information under the control of a Singapore public sector agency”. PS(G)A s 2(1).
- 45.
PS(G)A s 6(1).
- 46.
PS(G)A s 11(1).
- 47.
- 48.
PDPA s 13.
- 49.
PDPA s 14(1) read with s 20(1).
- 50.
PDPA s 20(2).
- 51.
PDPC Advisory Guidelines on Key Concepts para 12.5.
- 52.
PDPA s 14(2).
- 53.
PDPA ss 14(2)-(3).
- 54.
PDPC Advisory Guidelines on Requiring Consent for Marketing Purposes para 5.2. For example, “organisations may provide offers, discounts or lucky draw opportunities to individuals that are conditional on the collection, use or disclosure of their personal data for specified purposes”. PDPC Advisory Guidelines on Requiring Consent for Marketing Purposes para 7.2.
- 55.
PDPA s 13.
- 56.
PDPA s 15(1).
- 57.
PDPA s 15(2). For instance, if an individual booking a taxicab is asked for his/her name and telephone number in order to inform him/her of the taxicab number, and the individual voluntarily provides such information, then the individual is deemed to have consented to the taxicab company using his/her name and number to notify him/her when the taxicab arrives. However, the individual is not deemed to have consented to the use of his/her name and number for other purposes, e.g. the marketing of a limousine service run by the cab company. PDPC Advisory Guidelines on Key Concepts para 12.24.
- 58.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part II.
- 59.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part II.
- 60.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy para 4.2.
- 61.
PDPA Second Schedule s 1(a), Third Schedule s 1(a), Fourth Schedule s 1(a) (save that there is no requirement for disclosure that the individual not reasonably be expected to withhold consent).
- 62.
PDPA Second Schedule s 1(b), Third Schedule s 1(b), Fourth Schedule ss 1(b)-(c).
- 63.
PDPA Second Schedule s 1(c), Third Schedule s 1(c), Fourth Schedule s 1(d).
- 64.
PDPA Second Schedule s 1(d), Third Schedule s 1(d), Fourth Schedule s 1(e).
- 65.
PDPA Second Schedule s 1(e), Third Schedule s 1(e), Fourth Schedule s 1(f).
- 66.
PDPA Second Schedule s 1(f), Third Schedule s 1(f), Fourth Schedule s 1(h).
- 67.
PDPA Second Schedule s 1(i), Third Schedule s 1(g), Fourth Schedule s 1(i).
- 68.
PDPA Second Schedule s 1(j), Third Schedule s 1(h), Fourth Schedule s 1(j).
- 69.
PDPA Second Schedule s 1(p), Third Schedule 1(j), Fourth Schedule s 1(p).
- 70.
PDPA Second Schedule s 1(k), Third Schedule 1(j), Fourth Schedule s 1(k).
- 71.
PDPA Second Schedule s 1(o), Third Schedule 1(j), Fourth Schedule s 1(s). See also Sect. 3.5.
- 72.
PDPA Second Schedule s 1(h), Third Schedule s 1(j), Fourth Schedule s 1(s).
- 73.
PDPA Third Schedule s 1(i), Third Schedule s 1(j), Fourth Schedule s 1(s).
- 74.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part II.
- 75.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part II.
- 76.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part II.
- 77.
Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy (para 5.6).
- 78.
PDPA s 16(1).
- 79.
PDPA ss 16(2)-(3). For example, a telecoms service provider provides subscriber services requiring the collection, use and disclosure of personal data. The subscriber provides consent to the above but subsequently withdraws it. Such withdrawal will result in the operator being unable to provide said services, i.e. early termination of the service contract; thus the operator should inform the individual of the consequences, i.e. incurrence of early termination charges. PDPC Advisory Guidelines on Key Concepts para 12.45. Additionally, where an organisation provides a facility for individuals to withdraw consent, e.g. by clicking on an “unsubscribe” link within an e-mail, the organisation should indicate the scope of such withdrawal. For instance, a statement that “[y]ou have unsubscribed successfully from e-mail marketing messages from ABC” means that the individual has only withdrawn consent to marketing messages sent by e-mail, and not by fax. PDPC Advisory Guidelines on Key Concepts para 12.48.
- 80.
PDPA s 16(4).
- 81.
PDPA s 16(4); PDPC Advisory Guidelines on Key Concepts para 12.55.
- 82.
PDPA s 18 read with s 20.
- 83.
PDPC Advisory Guidelines on Key Concepts para 13.4.
- 84.
PDPA s 21(1).
- 85.
Personal Data Protection Regulations 2014 (S 362 of 2014) s 7(1). See also PDPC Advisory Guidelines on Key Concepts para 15.19.
- 86.
PDPA s 21(3).
- 87.
PDPA s 21(4).
- 88.
PDPA Fifth Schedule s 1.
- 89.
PDPA s 21(5).
- 90.
PDPA s 22(1).
- 91.
PDPA s 22(2) read with s 22(5).
- 92.
PDPA s 22(2).
- 93.
PDPC Advisory Guidelines on Key Concepts para 15.39.
- 94.
PDPA s 22(6).
- 95.
PDPA Sixth Schedule s 1.
- 96.
PDPA s 25.
- 97.
PDPC Advisory Guidelines on Key Concepts para 18.4.
- 98.
PDPC Advisory Guidelines on Key Concepts para 18.10.
- 99.
PDPC Advisory Guidelines on Key Concepts para 18.12.
- 100.
PDPC Advisory Guidelines on Key Concepts para 18.11.
- 101.
PDPC Advisory Guidelines on Key Concepts para 18.13. See, e.g., Orchard Turn Developments Pte. Ltd. [2017] SGPDPC 12 (failure to purge personal data from server led to data breach; retention of data was also unnecessary); Social Metric Pte Ltd [2017] SGPDPC 17 (company penalised for, in part, failure to cease retaining personal data); Jade E-Services Singapore Pte. Ltd. [2018] SGPDPC 21 (company should not have taken the risk of allowing webpages with personal data to be cached for display).
- 102.
PDPC Advisory Guidelines on Key Concepts para 20.1.
- 103.
PDPC Guide to Accountability under the PDPA.
- 104.
MCI (2019) Agencies. https://www.mci.gov.sg/agencies. Accessed 30 August 2019.
- 105.
PDPA s 50.
- 106.
PDPA Ninth Schedule.
- 107.
PDPA s 29. See also Sect. 3.10.
- 108.
PDPA s 6.
- 109.
PDPC Guidelines.
- 110.
PDPC Advisory Guidelines for the Healthcare Sector.
- 111.
PDPC Advisory Guidelines for the Education Sector.
- 112.
PDPC Advisory Guidelines for the Social Service Sector.
- 113.
PDPC Advisory Guidelines for the Real Estate Agency Sector.
- 114.
PDPC Guide to Managing Data Breaches 2.0.
- 115.
PDPC Guide to Securing Personal Data in Electronic Medium.
- 116.
PDPC Introduction to the Guidelines para 3.1.
- 117.
See e.g., Cyber Security Agency of Singapore “PDPC Guides” https://www.csa.gov.sg/gosafeonline/resources/pdpc-guides. Accessed 30 August 2019.
- 118.
See e.g., Hogan Lovells’ report “New PDPC guidance on data management practices in Singapore”. https://www.hoganlovells.com/en/publications/new-pdpc-guidance-on-data-management-practices-in-singapore. Accessed 30 August 2019. CNP Law’s report on “Personal Data Protection Committee issues sector specific advisory guidelines”. https://www.cnplaw.com/personal-data-protection-committee-issues-sector-specific-advisory-guidelines/. Accessed 30 August 2019.
- 119.
See e.g., the Singapore Council for Estate Agencies’ website which contains links to the relevant advisory guidelines, and which encourages property agencies and agents to familiarise themselves with these and other PDPC advisory guidelines. https://www.cea.gov.sg/legislation-guidelines/practice-guidelines-circulars/personal-data-protection. Accessed 30 August 2019. “Singapore: PDPC data management guides ‘emphasize accountability’”. https://www.dataguidance.com/singapore-pdpc-issues-guides-emphasising-accountability-data-management/. Accessed 30 August 2019. “Personal Data Protection Commission issues advisory guidelines on in-vehicle recording”. https://www.opengovasia.com/articles/personal-data-protection-commission-issues-advisory-guidelines-on-in-vehicle-recording. Accessed 30 August 2019.
- 120.
PDPC Public Consultation for Approaches to Managing Personal Data in the Digital Economy; PDPC Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy.
- 121.
Life Insurance Association Singapore (2015) MU61/15—LIA Code of Practice for Life Insurers on the Singapore Personal Data Protection Act (No. 26 of 2012). https://www.lia.org.sg/media/1229/mu-6115-code-of-practice-on-pdpa.pdf. Accessed 30 August 2019. Life Insurance Association Singapore (2015) MU 62/15—LIA Code Of Conduct For Tied Agents Of Life Insurers On The Singapore Personal Data Protection Act (No. 26 of 2012). https://www.lia.org.sg/media/1230/mu-6215-code-of-conduct-on-pdpa.pdf. Accessed 30 August 2019.
- 122.
The Association of Banks in Singapore (2015) Code of Banking Practices – The Personal Data Protection Act (“PDPA”). https://abs.org.sg/docs/library/abs-code-banking-practices-pdpa.pdf. Accessed 30 August 2019.
- 123.
PDPC Advisory Guidelines on Key Concepts paras 5.2, 5.30.
- 124.
PDPA s 24.
- 125.
PDPC Advisory Guidelines on Key Concepts para 17.2.
- 126.
PDPC Advisory Guidelines on Key Concepts para 17.3.
- 127.
[2016] SGPDPC 20 at [25].
- 128.
PDPC Guide to Securing Personal Data in Electronic Medium para 2.3.
- 129.
PDPC Guide to Securing Personal Data in Electronic Medium paras 9.1, 10.3.
- 130.
PDPC Guide to Securing Personal Data in Electronic Medium para 4.1.
- 131.
PDPC Guide to Securing Personal Data in Electronic Medium paras 5.1–5.2.
- 132.
PDPC (2017) Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data pp. 3–4.
- 133.
Guide to Preventing Accidental Disclosure p. 5.
- 134.
[2016] SGPDPC 02.
- 135.
[2016] SGPDPC 02 at [29]-[30], [33].
- 136.
[2016] SGPDPC 02 at [31]-[32].
- 137.
See Woon CY (2016) Personal Data Protection Act – Obligation to Protect and Secure Data, and What to Do in Case of Breach. https://dentons.rodyk.com/en/insights/alerts/2016/november/8/personal-data-protection-act-obligations-to-protect-and-secure-data-and-what-to-do-in-case-of-breach. Accessed 30 August 2019.
- 138.
See K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01.
- 139.
See K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Institution of Engineers [2016] SGPDPC 02.
- 140.
See Metro Pte Ltd [2016] SGPDPC 07.
- 141.
See Institution of Engineers [2016] SGPDPC 02.
- 142.
See Full House Communications Pte Ltd [2016] SGPDPC 08.
- 143.
See K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Fei Fah Medical Manufacturing Pte. Ltd. [2016] SGPDPC 03; Social Metric Pte Ltd [2017] SGPDPC 17.
- 144.
See K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Institution of Engineers [2016] SGPDPC 02; My Digital Lock Pte Ltd [2016] SGPDPC 20; Fu Kwee Kitchen Catering Services [2016] SGPDPC 14; Smiling Orchid [2016] SGPDPC 19; The Cellar Door Pte Ltd [2016] SGPDPC 22.
- 145.
Watami Food Service Singapore Pte Ltd [2018] SGPDPC [12].
- 146.
See K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Institution of Engineers [2016] SGPDPC 02; Aviva Ltd [2016] SGPDPC 15; Comfort Transportation Pte Ltd [2016] SGPDPC 17.
- 147.
See Aviva Ltd [2016] SGPDPC 15; Central Depository (Pte) Limited [2016] SGPDPC 11; Challenger Technologies Limited [2016] SGPDPC 06.
- 148.
See, e.g., K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Fu Kwee Kitchen Catering Services [2016] SGPDPC 14; National University of Singapore [2017] SGPDPC 05; Tiger Airways Singapore Pte Ltd [2017] SGPDPC 06; M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15.
- 149.
See Central Depository (Pte) Limited [2016] SGPDPC 11; Challenger Technologies Limited [2016] SGPDPC 06; Spear Security Force Pte. Ltd. [2016] SGPDPC 12; ABR Holdings Limited [2016] SGPDPC 16.
- 150.
See Institution of Engineers [2016] SGPDPC 02.
- 151.
See Institution of Engineers [2016] SGPDPC 02; Fei Fah Medical Manufacturing Pte. Ltd. [2016] SGPDPC 03; Yes Tuition Agency [2016] SGPDPC 05; Singapore Computer Society [2016] SGPDPC 09; Central Depository (Pte) Limited [2016] SGPDPC 11; Singapore Management University Alumni Association [2018] SGPDPC 6.
- 152.
Tham I (2018). Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore’s worst cyberattack. In: The Straits Times. https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most. Accessed 30 August 2019.
- 153.
Singapore Health Services Pte Ltd [2019] SGPDPC 03. Tham I (2018). Hearings on SingHealth cyber breach from Sept 21. In: The Straits Times. https://www.straitstimes.com/singapore/hearings-on-singhealth-cyber-breach-from-sept-21. Accessed 30 August 2019.
- 154.
Singapore Health Services Pte Ltd [2019] SGPDPC 03. The financial penalties imposed against the two organisations involved are, individually, the highest ($750,000 SGD) and second highest ($250,000 SGD) financial penalty amounts imposed by the Commission to date.
- 155.
Singapore Health Services Pte Ltd [2019] SGPDPC 03.
- 156.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94.
- 157.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94.
- 158.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94.
- 159.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94.
- 160.
PS(G)A s 7.
- 161.
PS(G)A s 8.
- 162.
Singapore Parliamentary Debates, Official Report (8 January 2018) vol 94. Seow J (2018) New law on data sharing among govt agencies. In: The Straits Times. http://www.straitstimes.com/singapore/new-law-on-data-sharingamong-govt-agencies. Accessed 30 August 2019.
- 163.
See n 11.
- 164.
CPC s 39(1). See also Singapore Parliamentary Debates, Official Report (19 March 2018) vol 94: “Many people now use web-based email accounts or web storage accounts. Technically, such data may reside in computers outside Singapore, even if the data is accessed from within Singapore. Applicable laws in other countries will be duly considered when such powers are exercised”.
- 165.
See n 10.
- 166.
CMA s 8A(1). Offences include: causing a computer to perform any function to secure unauthorised access to computer material (CMA s 3); causing a computer to perform any function to secure access to computer material with intent to commit a CMA offence (CMA s 4); unauthorised modification of computer material (CMA s 5); and unauthorised access, use or interception of computer services (CMA s 6).
- 167.
CMA s 8A(7).
- 168.
See n 12.
- 169.
Cybersecurity Act ss 7–16.
- 170.
Cybersecurity Act s 19.
- 171.
Cybersecurity Act ss 20(2)(b)-(f).
- 172.
Cybersecurity Act s 8.
- 173.
Cybersecurity Act s 20.
- 174.
Singapore Parliamentary Debates, Official Report (19 March 2018) vol 94.
- 175.
Singapore Parliamentary Debates, Official Report (3 April 2017) vol 94.
- 176.
CSA Singapore: Who We Are. https://www.csa.gov.sg/who-we-are/our-organisation. Accessed 30 August 2019.
- 177.
PDPC Advisory Guidelines for Selected Topics para 7.1.
- 178.
PDPC Advisory Guidelines for Selected Topics para 7.7.
- 179.
PDPC Advisory Guidelines for Selected Topics para 7.1 (discussing PDPA s 4(6)(a)), para 8.7.
- 180.
PDPC Advisory Guidelines for Selected Topics paras 7.1–7.13.
- 181.
PDPC Advisory Guidelines for Selected Topics para 7.6.
- 182.
15 USC Chapter 91.
- 183.
Cap 91, 2009 Rev Ed.
- 184.
PDPC Advisory Guidelines for Selected Topics paras 7.3–7.6.
- 185.
PDPC Advisory Guidelines for Selected Topics paras 7.6, 7.9. The PDPC has also decided a number of cases where minors’ personal data were involved. See e.g., Singapore Taekwondo Federation [2018] SGPDPC 17 (unauthorized disclosure of minor’s national identification numbers via the organisation’s website); Spring College International Pte. Ltd. [2018] SGPDPC 15 (school posted, without permission, personal data about its minor students on a public social media page to promote its courses).
- 186.
PDPC Advisory Guidelines for Selected Topics para 7.11.
- 187.
PDPC Advisory Guidelines for Selected Topics para 7.11.
- 188.
PDPC Protecting the Personal Data of Job Applicants and Employees p. 1.
- 189.
PDPC Protecting the Personal Data of Job Applicants and Employees p. 1.
- 190.
[2016] SGPDPC 05.
- 191.
[2016] SGPDPC 05 at [1].
- 192.
[2016] SGPDPC 05 at [15].
- 193.
[2016] SGPDPC 21.
- 194.
[2016] SGPDPC 21 at [10].
- 195.
[2016] SGPDPC 21 at [12].
- 196.
PDPA Second Schedule s 1(o), Third Schedule s 1(j), Fourth Schedule s 1(s).
- 197.
PDPA Second Schedule s 1(f), Third Schedule s 1(f), Fourth Schedule s 1(h).
- 198.
PDPA Second Schedule s 1(n), Third Schedule s 1(j), Fourth Schedule s 1(s).
- 199.
PDPC Advisory Guidelines for Selected Topics para 5.21.
- 200.
PDPC Advisory Guidelines for Selected Topics para 5.18.
- 201.
PDPC Advisory Guidelines for Selected Topics para 5.24.
- 202.
PDPA s 20(4).
- 203.
PDPC Advisory Guidelines for Selected Topics para 5.20.
- 204.
PDPC Advisory Guidelines for Selected Topics para 5.26.
- 205.
PDPA ss 23–25; Protecting the Personal Data of Job Applicants and Employees p. 3.
- 206.
PDPA s 21.
- 207.
PDPA s 22.
- 208.
PDPA s 16(1). See also Sect. 2.2.1.
- 209.
PDPA Fifth Schedule s 1(a).
- 210.
PDPA Fifth Schedule s 1(g).
- 211.
PDPA Sixth Schedule s 1(a).
- 212.
PDPC Advisory Guidelines for Selected Topics para 4.34.
- 213.
PDPC Advisory Guidelines for Selected Topics para 4.36.
- 214.
PDPC Advisory Guidelines for Selected Topics para 4.38.
- 215.
PDPC Advisory Guidelines for Selected Topics paras 4.42–4.43 (discussing PDPA s 21(3)(c)).
- 216.
PDPC Advisory Guidelines for Selected Topics para 4.43(c).
- 217.
PDPR s 7; PDPC Advisory Guidelines for Selected Topics para 4.46.
- 218.
PDPA s 21(2) read with Fifth Schedule ss 1(j)(ii), (v).
- 219.
[2016] SGPDPC 20.
- 220.
[2016] SGPDPC 20 at [4], [13].
- 221.
[2016] SGPDPC 20 at [21].
- 222.
[2016] SGPDPC 20 at [21], [25].
- 223.
[2016] SGPDPC 20 at [25].
- 224.
[2016] SGPDPC 20 at [14], [24]-[26].
- 225.
Penal Code (Cap 224, 200 Rev Ed) s 499.
- 226.
See, e.g., Golden Season Pte Ltd v Kairos Singapore Holdings Pte Ltd [2015] SGHC 38 (involving claims of defamation and malicious falsehood through an employee’s statements regarding another entity, made via Facebook, emails and text messages).
- 227.
See Golden Season Pte Ltd v Kairos Singapore Holdings Pte Ltd [2015] SGHC 38.
- 228.
See Chan and Lee (2016) paras 16.020–16.027.
- 229.
See Golden Season Pte Ltd v Kairos Singapore Holdings Pte Ltd [2015] SGHC 38. See also Tan B (2011) Social Media in the Workplace: Challenges and Implications. http://www.lawgazette.com.sg/2011-06/131.htm. Accessed 30 August 2019. Sedition Act (Cap 290, 2013 Rev Ed); Public Order Act (Chapter 257A); and the Penal Code (Cap 224, 2008 Rev Ed).
- 230.
See, e.g., Lai L (2016) Aussie expat fired after offensive Facebook rant. In: The Straits Times. http://www.straitstimes.com/singapore/aussie-expat-fired-after-offensive-facebook-rant. Accessed 30 August 2019.
- 231.
PDPA s 53(1).
- 232.
See Chan and Lee (2016), paras 19.001 et seq.
- 233.
PDPC Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy Part III.
- 234.
Tham I (2018) Breach reporting part of revised data privacy laws to be tabled in Parliament. In: The Straits Times. https://www.straitstimes.com/tech/breach-reporting-part-of-revised-data-privacy-laws-to-be-tabled-in-parliament. Accessed 30 August 2019.
- 235.
PDPC Guide to Managing Data Breaches 2.0. Issued in May 2019, these guidelines appear to supersede the directions given in the PDPC Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy (issued in February 2018).
- 236.
PDPC Guide to Managing Data Breaches 2.0, p. 18.
- 237.
PDPC Guide to Managing Data Breaches 2.0, pp. 18, 32. In the PDPC Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy, it was also stated that an organisation will not have to notify affected individuals of an breach which is the subject of an ongoing or potential investigation under the law, if such notification will: compromise investigations or prejudice enforcement efforts (“law-enforcement exception”); a breach of data which has been encrypted to a reasonable standard, unless the data can be decrypted (“technological protection exception”); and/or an eligible breach if the organisation has taken actions to reduce the potential harm or impact to affected individuals, if the organisation demonstrates that as a result of its actions the breach is not likely to have any significant harm or impact to such individuals. However, as exceptions to notification were not addressed in the PDPC Guide to Managing Data Breaches 2.0, it is unclear whether these exceptions still apply.
- 238.
Monetary Authority of Singapore (MAS) (2013) Technology Risk Management Guidelines.
- 239.
MAS Technology Risk Management Guideline para 4.0.2.
- 240.
MAS Technology Risk Management Guidelines para 5.1.4.
- 241.
MAS Technology Risk Management Guidelines para 7.3.9.
- 242.
MAS Technology Risk Management Guidelines para 1.0.5.
- 243.
This was in reference to an incident where reporters found, in a public area, a trash bag containing “several corporate statements, loan applications, and internal reports from [a] bank”. Lee J (2016) MAS probes case of UOB’s unshredded client data. In: The Straits Times. http://www.straitstimes.com/business/companies-markets/mas-probes-case-of-uobs-unshredded-client-data. Accessed 30 August 2019. The outcome of the investigation remains unclear: Koh WT (2016) UOB under MAS probe for failing to protect clients’ privacy. In: The Straits Times. http://themiddleground.sg/2016/07/19/uob-mas-probe-failing-protect-client-privacy. Accessed 30 August 2019.
- 244.
No 11/2019, which will amend POHA.
- 245.
No 11/2019 s 4.
- 246.
No 11/2019 s 3.
- 247.
No 11/2019 s 16.
- 248.
POFMA s 7(1).
- 249.
POFMA s 7(3).
- 250.
PDPC Advisory Guidelines for Selected Topics paras 6.1–6.3, 6.6.
- 251.
PDPC Advisory Guidelines for Selected Topics para 6.8.
- 252.
PDPC Advisory Guidelines for Selected Topics para 6.8.
- 253.
PDPC Advisory Guidelines for Selected Topics para 6.9.
- 254.
PDPC Advisory Guidelines for Selected Topics para 6.9.
- 255.
PDPC Advisory Guidelines for Selected Topics para 6.10.
- 256.
PDPC Advisory Guidelines on the Do Not Call Provisions para 1.8. The DNCR provisions came into effect on 2 January 2014: Personal Data Protection Act 2012 (Commencement) Notification 2013 (S 708 of 2013).
- 257.
PDPA ss 39–40; PDPC Advisory Guidelines on Key Concepts para 2.7.
- 258.
PDPA s 37; PDPC Advisory Guidelines on DNCR Provisions para 1.8.
- 259.
PDPA s 43(1). There are at present three DNCRs: for voice calls, text messages, and fax messages. Advisory Guidelines on DNCR Provisions para 1.8.
- 260.
PDPA s 44(1).
- 261.
PDPA s 45(1). This provision applies to voice calls only.
- 262.
PDPA s 46(1).
- 263.
PDPA s 46(2).
- 264.
PDPA s 47(6).
- 265.
PDPA s 38.
- 266.
PDPC Advisory Guidelines on Key Concepts para 2.7.
- 267.
See n 17. The SCA is administered by the IMDA.
- 268.
SCA s 11 read with Second Schedule s 2(8).
- 269.
PDPC Combined Regime Proposal 2018.
- 270.
PDPC Combined Regime Proposal 2018.
- 271.
See n 18.
- 272.
See n 13.
- 273.
PDPC Advisory Guidelines for the Telecommunication Sector.
- 274.
PDPC Advisory Guidelines for the Telecommunication Sector paras 2.4–2.5. Thus, when a Singapore telecommunications operator provider exchanges personal data with a foreign telecommunications operator to allow the latter to provide mobile services to outbound roamers who are subscribers of the Singapore operator, the Singapore operator will need to comply with the Notification, Consent and Limited Transfer Obligations. PDPC Advisory Guidelines for the Telecommunication Sector para 3.7. See also Sects. 2 and 4.2.
- 275.
Telecommunications Act s 70(d).
- 276.
PDPC Advisory Guidelines for the Telecommunication Sector para 4.3.
- 277.
IMDA (2014) Code Of Practice For Competition In The Provision Of Telecommunication Services 2012 para 3.2.6.2. https://www.imda.gov.sg/~/media/imda/files/regulation%20licensing%20and%20consultations/frameworks%20and%20policies/competition%20management/telecom%20competition%20code/02%202012tccwef2july2014.pdf?la=en. Accessed 30 August 2019.
- 278.
PDPA s 36(2).
- 279.
ETA s 2(1).
- 280.
Personal Data Protection Bill (No 24 of 2012) s 67(2); ETA s 26(1A).
- 281.
PDPC Advisory Guidelines for the Telecommunication Sector para 4.2.
- 282.
See, e.g., Telecommunications Act Part II. This includes suspending or cancelling telecommunications licenses.
- 283.
Telecommunications Act Part VIII. It may also arrest certain wrongdoers thereunder.
- 284.
ETA s 3.
- 285.
ETA s 24.
- 286.
ETA s 36(1).
- 287.
PDPA s 2(1).
- 288.
PDPA Second Schedule s 1(e).
- 289.
PDPA Third Schedule s 1(e), Fourth Schedule s 1(f).
- 290.
PDPA Fourth Schedule s 1(n).
- 291.
PDPA Fifth Schedule ss 1(e), (f), (h).
- 292.
PDPA s 21(4).
- 293.
PDPA Sixth Schedule s 1(e).
- 294.
CPC ss 39–40, read with CMA s 2(1).
- 295.
PDPA s 21(3)(e).
- 296.
PDPA Second Schedule s 1(d), Third Schedule s 1(d), Fourth Schedule s 1(e).
- 297.
PDPA s 2(1).
- 298.
CMA s 11.
- 299.
CMA s 11(4).
- 300.
CMA s 11.
- 301.
Cybersecurity Act s 23(1).
- 302.
Cybersecurity Act s 23(2).
- 303.
Cybersecurity Act (long title). See also Sect. 3.2.
- 304.
Cybersecurity Act ss 7–10.
- 305.
Cybersecurity Act ss 19–23.
- 306.
Telecommunications Act s 58. See also Tan KB (2016) Security and privacy must not be traded off against each other. In: Today Online. https://www.todayonline.com/commentary/security-and-privacy-must-not-be-traded-against-each-other. Accessed 18 June 2018.
- 307.
POFMA s 7(1).
- 308.
POFMA s 7(3).
- 309.
Chesterman (2018), para 2.103; PDPA s 50(1).
- 310.
PDPA s 50(1).
- 311.
PDPA s 27.
- 312.
PDPA s 28.
- 313.
PDPA s 29.
- 314.
PDPA s 30.
- 315.
Singapore Health Services Pte Ltd [2019] SGPDPC 03. The financial penalties imposed against the two organisations involved are, individually, the highest ($750,000 SGD) and second highest ($250,000 SGD) financial penalty amounts imposed by the Commission to date.
- 316.
See, e.g., Singapore Computer Society [2016] SGPDPC 09; Jump Rope (Singapore) [2016] SGPDPC 21.
- 317.
PDPA ss 51(1)-(2).
- 318.
PDPA s 51(3).
- 319.
PDPA s 51(4).
- 320.
PDPA s 51(5).
- 321.
PDPA s 43(2).
- 322.
PDPA s 44(2).
- 323.
PDPA s 45(2).
- 324.
PDPA s 42(2).
- 325.
PDPA s 56.
- 326.
PDPA s 56.
- 327.
PDPA ss 52(1)-(2). This also applies to partnerships and unincorporated associations. PDPA ss 52(3)-(4).
- 328.
PDPA s 53(1).
- 329.
PDPA s 53(2).
- 330.
PDPA s 54.
- 331.
PDPA s 55; Personal Data Protection (Composition of Offences) Regulations 2013 (S 759 of 2013).
- 332.
PDPA s 31(1).
- 333.
PDPA s 33 read with ss 34(1)-(2). If an application for reconsideration is made, an appeal on the same matter shall be deemed to be withdrawn: PDPA s 34(2).
- 334.
PDPA s 35(1).
- 335.
PDPA s 35(4).
- 336.
PDPA s 32(1).
- 337.
PDPA s 32(3).
- 338.
PDPA s 32(2).
- 339.
CPC s 39(3).
- 340.
CPC s 39(3).
- 341.
CPC s 39(3).
- 342.
CMA ss 3–6.
- 343.
CMA s 8A.
- 344.
CMA s 9.
- 345.
CMA ss 3, 5–7.
- 346.
CMA ss 9(1)-(2).
- 347.
CMA s 9(1).
- 348.
CMA s 12.
- 349.
CMA s 12A.
- 350.
CMA s 13(1).
- 351.
CMA s 13(2).
- 352.
Cybersecurity Act ss 23(4)-(5).
- 353.
Cybersecurity Act ss 23(8)-(9).
- 354.
PS(G)A ss 7(1), (3).
- 355.
PS(G)A s 8.
- 356.
POFMA s 7(2). See Sect. 3.7.1.
- 357.
POFMA s 7(3).
- 358.
No 11/2019 s 13. See Sect. 3.7.1.
- 359.
PDPC Advisory Guidelines on Key Concepts para 11.1.
- 360.
PDPC Advisory Guidelines on Key Concepts para 11.2. See also Lim (2018), para 8.9: “[t]he reach of the PDPA [was] explicitly extended to those organisations that may not have any presence in Singapore, or which may not even be recognised under the law of Singapore”.
- 361.
PDPA s 2(1).
- 362.
PDPA s 4(2). See, e.g., K Box Entertainment Group Pte. Ltd. [2016] SGPDPC 01; Challenger Technologies Limited [2016] SGPDPC 06.
- 363.
Greenleaf (2018), para 8.55.
- 364.
PDPA s 4(3). Indeed, it has been said that “Singapore has enacted a form of vicarious liability on Singaporean data controllers for overseas processing”. Greenleaf (2018), para 8.55.
- 365.
CMA s 11.
- 366.
CPC s 39(1).
- 367.
Cybersecurity Act s 7(1)(b).
- 368.
PS(G)A s 6(1).
- 369.
PDPA s 26(1); PDPR s 9(1).
- 370.
PDPR s 10; PDPC Advisory Guidelines on Key Concepts para 19.2.
- 371.
PDPR s 9(3).
- 372.
PDPA s 26(2). There are also specific requirements for certain sectors. For instance, a specific data protection regime applies to cross-border transfers of data in the banking industry, as enforced by MAS. Chia (2018), p. 321.
- 373.
For instance, Singapore has free-trade agreements which include provisions relating to data protection. However, these provisions (if they exist) are generally not specific enough to override the restrictions on cross-border data transfers in the national laws of the parties to these agreements Chia (2018), p. 324. More recently in March 2018, Singapore joined the APEC Cross-Border Privacy Rules (“CBPR”) system. This is a framework for the exchange of personal data among participating APEC economies. The Commission is working on a scheme for organisations to be certified under this system, and will likely provide guidance in due course on the operation of the CBPR system in the context of the PDPA’s requirements for cross-border transfers of personal data Alfred and Goh (2018) paras 12.42–12.44.
References
Alfred D, Goh L (2018) Cross-border issues in data protection. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Chan G, Lee PW (2016) The law of torts in Singapore. Academy Publishing, Singapore
Chesterman S (2018) Introduction. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Chia K (2018) Jurisdictional report – Singapore. In: Regulation of cross-border transfers of personal data in Asia. Asian Business Law Institute, Singapore. http://abli.asia/PUBLICATIONS/Regulation_of_Cross-border_Transfers_of_Personal_Data_in_Asia. Accessed 13 Sept 2018
Chik W (2013) The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform. Comput Law Secur Rev 29:554–575
Goh L, Aw J (2018) Data protection law and privacy in Singapore. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Greenleaf G (2018) Comparisons with other Asian jurisdictions. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Lim HYF (2018) Data protection in the employment setting. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Monetary Authority of Singapore (MAS) (2013) Technology risk management guidelines. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM%20Guidelines%20%2021%20June%202013.pdf. Accessed 12 May 2017
Personal Data Protection Commission Guidelines: Advisory Guidelines on the Do Not Call Provisions. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/advisory-guidelines-on-the-dnc-provisions-(270717).pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines for the Education Sector. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/Finalised-Education-Guidelines_31Aug2018.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines for the Healthcare Sector. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Sector-Specific-Advisory/advisoryguidelinesforthehealthcaresector28mar2017.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines on Key Concepts in the Personal Data Protection Act. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts-in-the-PDPA-Revised-15-July-2019.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines on the Personal Data Protection Act for Selected Topics. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/FINAL-Advisory-Guidelines-on-PDPA-for-Selected-Topics-2-Jan-2019.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines for the Real Estate Agency Sector. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Sector-Specific-Advisory/real-estate.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines on Requiring Consent for Marketing Purposes. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/advisoryguidelinesonrequiringconsentformarketing8may2015.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines for the Social Service Sector. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/Finalised-Social-Service-Guidelines_31Aug2018-v2.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Advisory Guidelines for the Telecommunication Sector. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Sector-Specific-Advisory/finalised-advisory-guidelines-on-application-of-pdpa-to-telecom-sector.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Combined Regime Proposal 2018. (PDPC Proposes Combined Regime to Regulate Telemarketing and Spam Messages and Enhanced Guidance to Provide Regulatory Certainty). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Press-Room/2018/Factsheet-on-PDPA-Public-Consult-2-(270418).pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Guide to Accountability under the Personal Data Protection Act. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Accountability.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Guide to Managing Data Breaches 2.0. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Breaches-2-0.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/guidetopreventingaccidentaldisclosurewhenprocessingandsendingpersonaldata200117eb6b44c8844062038829f.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Guide to Securing Personal Data in Electronic Medium. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/guidetosecuringpersonaldatainelectronicmedium0903178d4749c8844062038829ff0000d98b0f.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Introduction to the Guidelines. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/introduction-to-the-guidelines.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Protecting the Personal Data of Job Applicants and Employees. https://www.pdpc.gov.sg/resource/DPO-Connect/March-16/pdf/ProtectingthePersonalDataOfJobApplicants_and_Employees.pdf. Accessed 12 May 2017
Personal Data Protection Commission Guidelines: Public Consultation for Approaches to Managing Personal Data in the Digital Economy. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/publicconsultationapproachestomanagingpersonaldatainthedigitaleconomy270717f95e65c8844062038829ff000.pdf. Accessed 30 Aug 2019
Personal Data Protection Commission Guidelines: Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/PDPC-Response-to-Feedback-for-Public-Consultation-on-Approaches-to-Managing-Personal-Data-in-the-Dig.pdf. Accessed 30 Aug 2019
Tan S (2018) Data protection and new technologies. In: Chesterman S (ed) Data protection law in Singapore: privacy and sovereignty in an interconnected world. Academy Publishing, Singapore
Ter KL (2013) Singapore’s personal data protection legislation: business perspectives. Comput Law Secur Rev 29:264–273
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Ong, EI. (2020). Singapore Report: Data Protection in the Internet. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-28049-9_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28048-2
Online ISBN: 978-3-030-28049-9
eBook Packages: Law and CriminologyLaw and Criminology (R0)