Plan to Make Data Breach Notification Regime Mandatory

01 Mar 2019

Forum reply on The Straits Times, 1 March 2019

We thank Mr Edward Tay Wee Meng for his feedback (Time to update the PDPA, Feb 22).

The Personal Data Protection Commission (PDPC) agrees that a robust and trusted data protection ecosystem is crucial to Singapore's economic competitiveness.

It is why we are reviewing the Personal Data Protection Act (PDPA) to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals' interests and enabling the legitimate use of personal data by organisations.

As part of this review, the PDPC held two rounds of public consultations over the last two years.

We intend to introduce a mandatory breach notification regime as part of the proposed amendments to the PDPA.

We also agree with Mr Tay that it is important to keep abreast of international best practices. The PDPC has been doing this. It participated in the meetings of the International Conference of Data Protection and Privacy Commissioners, as well as other key international fora such as the Asia Pacific Privacy Authorities Forum and the Asia-Pacific Economic Cooperation.

Mr Tay's letter seems to suggest that the public sector is governed by the PDPA. It is not. Different approaches are taken to protecting personal data in the public and private sectors.

The public sector functions as one entity to deliver public service to citizens, and is governed by the Public Sector (Governance) Act (PSGA).

This allows personal data to be managed as a common resource within the public sector for better policy-making and delivery of public services.

The data protection standards in the PDPA and the PSGA are broadly aligned.

Public sector agencies are also subject to similar, if not higher, standards as the private sector, as they are covered not only by the PSGA but also other specific legislation and detailed rules in the instruction manuals, which are reviewed regularly to ensure they remain effective.

For the private sector, organisations' ability to use personal data for reasonable purposes is balanced against the need to protect personal data under the PDPA.

Each organisation is accountable for personal data in its possession or control and, unlike the public sector, there is no expectation of a similar integrated delivery of services across different private sector organisations.

The commissioner of the PDPC is responsible for administering and enforcing the PDPA to uphold data protection standards for the private sector.

Karen Low (Ms)
Director, Corporate Communications
Personal Data Protection Commission