Amendments to Singapore’s data protection legislation in force

The amendments that take effect from 1 February include rules on mandatory data breach notification, introduction of offences concerning mishandling of personal data by individuals, and an expansion of the consent framework.

Organisations must notify the Personal Data Protection Commission (PDPC) about a data breach if it poses a risk of significant harm, or the breach relates to the personal data of 500 or more people. A data breach much be notified to an involved person if it has severed impact to the person.

The amendments provide a list of personal data or classes of personal data that will result in significant harm to affected individuals if compromised in a data breach.

Organisations that experience a data breach must notify the PDPC no later than three days after the breach happened. Notifications to individuals must happen at the same time or right after notifying the PDPC.

Individuals will be accountable for serious breaches including knowing or reckless unauthorised disclosing personal data, disclosing personal data for wrongful gain, and re-identifying anonymised data without authorisation. Individuals could be fined up to S$5000 and imprisoned for up to two years.  

Deemed consent for contractual necessity and notification are introduced to allow organisations to collect, use and disclose personal data.

The PDPC has updated the advisory guidelines to provide guidance on the PDPA Amendments that came into force on 1 February 2021.

Nathanael Lim of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law, said: “The current round of amendments should not be a surprise to organisations, as they are generally in line with best practices guidelines previously published by the PDPC. As the digitalisation of information becomes more and more prevalent, organisations will need to step up their game in managing personal data, and the amendments introduce certain features in our data protection regime which is already in practice in other countries.“