Friday, 14 February 2020

Singapore continues to clamp down on PDPA breaches

Although the Personal Data Protection Act (PDPA) came into effect in phases from 2013 to 2014, at least 5 years ago, it is quite alarming to find that the number of breaches reached an all-time high in 2019.

41 organisations were slapped with fines in 2019, while plenty more were given directions and warnings to put necessary policies and practices in place. The total penalties appear to have reached more than $1.6m for 2019. Arguably, this was skewed by the $1m penalty dished out in respect of the incredible medical record data breach that occurred last year.

Nevertheless, for the start of 2020, at the time of this article, a total of 14 organisations were found in breach of the PDPA, with a total of $150,000 in penalties already dished out! Unless Singapore organisations take the regulations more seriously, we could see the number of breaches for 2020 overtake 2019.



When it comes to the make-up of the organisations breaching the PDPA, the guilty parties are not limited to big companies; even SMEs and non-profit organisations have fallen foul of it. As such, it is extremely important for any Singaporean organisation to understand the PDPA, and put the necessary processes and guidelines in place.

The PDPA is not a stagnant law, and it continues to change. The most recent change by the Personal Data Protection Commission (PDPC) was made on 1 September 2019, when it became illegal for any organisation other than Government bodies to collect or keep hold of the numbers of the following documents:
  •  NRICs
  •  Birth certificate numbers
  •  Foreign identification numbers
  •  Work permit numbers

Organisations will only be able to do so if the collection is required by law or there is a need to verify identities to a high degree of accuracy. A financial penalty of up to $1m awaits those who flout this and other provisions of the PDPA.

The next big change will be the proposed mandatory data breach notification requirements. While these are not yet effectively mandatory, guidance on them was already issued in 2019.

One thing's for sure: the Singapore government is taking the PDPA very seriously. As the PDPA continues to evolve, organisations must do the same, keeping themselves updated on ongoing changes to the PDPA and being clear on how the PDPA works and what it covers.


Author: Azmin Mohd Khalib, Research and Learning, Wolters Kluwer SEA
