
Singapore Data Privacy Laws

Cloud Governance: Data Residency/Sovereignty

Privacy Legislation in Singapore

Personal data refers to data about an individual who can be identified from that data, or from that data together with other information to which the organization has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry will allow individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organizations.

Today, vast amounts of personal data are collected, used and even transferred to third party organizations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.

With such a trend comes growing concern from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organizations that manage data. By regulating the flow of personal data among organizations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.

The PDPA will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that organizations will have to comply with the PDPA as well as the common law and other relevant laws that apply to the specific industry they belong to when handling personal data in their possession.

The PDPA takes into account the following concepts:

  • Consent – Organizations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);

  • Purpose – Organizations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and

  • Reasonableness – Organizations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

The PDPA covers personal data stored in electronic and non-electronic forms. The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

  • Any individual acting on a personal or domestic basis.

  • Any employee acting in the course of his or her employment with an organization.

  • Any public agency or an organization in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.

  • Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law, operating as part of the law of Singapore. They do not supersede existing statutes, such as the Banking Act and Insurance Act, but work in conjunction with them and the common law.

The PDPA takes effect in phases, starting with the provisions relating to the formation of the Personal Data Protection Commission (PDPC) on 2 January 2013. Provisions relating to the DNC Registry came into effect on 2 January 2014, and the main data protection rules will come into force on 2 July 2014. This allows time for organizations to review and adopt internal personal data protection policies and practices to help them comply with the PDPA.

During this transition period, the PDPC will undertake educational and outreach activities to aid public understanding of and organizations’ compliance with the PDPA.

In the development of this law, references were made to the data protection regimes of key jurisdictions that have established comprehensive data protection laws, including the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Trans-border Flow of Personal Data and the APEC Privacy Framework. These references are helpful for the formulation of a regime for Singapore that is relevant to the needs of individuals and organizations, and takes into account international best practices on data protection.

The PDPA applies to private sector organizations whether or not they are formed, resident or have an office or place of business in Singapore. It also applies to individuals who are using the data other than for domestic or personal use. The PDPA would therefore apply to cloud service providers (CSPs) and users, whether they are companies or individuals.

If personal data is transferred outside Singapore, enterprises must ensure that the organizations receiving it provide a standard of protection for personal data comparable to that under the PDPA. This may affect the choice of an overseas third-party cloud vendor or server company if data is transferred to them. Low-cost cloud storage solutions provided by companies with poor data protection standards, or using servers based in countries with comparatively weaker data protection regimes, may be a risk factor.

If personal data is collected from Singapore, including from individuals in Singapore, the Act will bite. Organizations should consider putting in place a compliance plan for data protection, conducting privacy audits, or ensuring that a CSP’s privacy policy is compliant with the PDPA. The Personal Data Protection Commission is empowered to impose financial penalties of up to $1 million for non-compliance with the PDPA.

Courtesy of the Personal Data Protection Commission Singapore (PDPC)

Satisfying Singapore Data Privacy Requirements via a Cloud Data Protection Gateway

The Blue Coat Cloud Data Protection Gateway lets Singapore enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications. Authorized data security administrators can select, on a field-by-field basis, whether data going to the cloud is allowed to remain in clear text, is encrypted, or is replaced with a token. When tokens are used as a surrogate value, the sensitive data never leaves the organization’s control in any format, which makes this approach particularly useful for organizations that need to adhere to Singapore’s National Privacy Legislation.

The data in the cloud is either tokenized or encrypted so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data is within their full control at all times.
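To make the field-by-field tokenization model above concrete, here is an added example (written for this page, not Blue Coat's or the PDPC's code) of a minimal on-premises gateway: a policy table decides per field whether a value passes through in clear text or is replaced by a random surrogate token, the token vault that maps tokens back to values stays inside the organization, and a leak check confirms that no tokenized value appears in the record sent to the cloud. Field names, the `tok_` prefix and the sample customer record are all constructed assumptions; the encryption option is left out so the example stays within stdlib Python.

```python
import secrets

# Per-field policy, as an administrator would configure it: "clear" leaves
# the value readable in the cloud, "tokenize" replaces it with a surrogate.
# Fields not listed default to "tokenize" (fail closed).
POLICY = {"customer_id": "clear", "country": "clear",
          "name": "tokenize", "nric": "tokenize", "email": "tokenize"}

# Constructed sample record; values are made up, not real personal data.
SAMPLE_RECORD = {"customer_id": "C-1001", "country": "SG", "name": "Tan Ah Kow",
                 "nric": "S1234567D", "email": "ahkow@example.com"}


class TokenVault:
    """On-premises mapping between tokens and original values.

    Tokens are random, so nothing about the value can be derived from them;
    the mapping itself never leaves the organization. (In-memory here; a real
    gateway persists it in a protected store.)"""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}  # (field, value) -> token, so repeats get one token

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            while token in self._by_token:  # collision guard
                token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
            self._by_value[key] = token
        return self._by_value[key]

    def is_token(self, value):
        return isinstance(value, str) and value in self._by_token

    def detokenize(self, token):
        return self._by_token[token]


def outbound(record, vault, policy=POLICY):
    """Apply the policy on the way to the cloud application."""
    return {f: v if policy.get(f, "tokenize") == "clear" else vault.tokenize(f, v)
            for f, v in record.items()}


def inbound(record, vault):
    """Restore original values for records coming back from the cloud."""
    return {f: vault.detokenize(v) if vault.is_token(v) else v
            for f, v in record.items()}


def leaked_fields(original, cloud_record, policy=POLICY):
    """Names of tokenize-policy fields whose real value still reached the cloud."""
    return {f for f, v in original.items()
            if policy.get(f, "tokenize") != "clear" and v in cloud_record.values()}
```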