Plan to make data breach notification regime mandatory


We thank Mr Edward Tay Wee Meng for his feedback (Time to update PDPA, Feb 22).

The Personal Data Protection Commission (PDPC) agrees that a robust and trusted data protection ecosystem is crucial to Singapore's economic competitiveness.

That is why we are reviewing the Personal Data Protection Act (PDPA) to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals' interests with enabling the legitimate use of personal data by organisations.

As part of this review, the PDPC held two rounds of public consultations over the last two years.

We intend to introduce a mandatory data breach notification regime as part of the proposed amendments to the PDPA.

We also agree with Mr Tay that it is important to keep abreast of international best practices. The PDPC has been doing this. It participated in the meetings of the International Conference of Data Protection and Privacy Commissioners, as well as other key international fora such as the Asia Pacific Privacy Authorities Forum and the Asia-Pacific Economic Cooperation.

Mr Tay's letter seems to suggest that the public sector is governed by the PDPA. It is not. Different approaches are taken to protecting personal data in the public and private sectors.

The public sector functions as one entity to deliver public service to citizens, and is governed by the Public Sector (Governance) Act (PSGA).

This allows personal data to be managed as a common resource within the public sector for better policy-making and delivery of public services.

The data protection standards in the PDPA and the PSGA are broadly aligned.

Public agencies are also subject to similar, if not higher, standards as the private sector, as they are covered not only by the PSGA but also other specific legislation and detailed rules in the instruction manuals, which are reviewed regularly to ensure that they remain effective.

For the private sector, organisations' ability to use personal data for reasonable purposes is balanced against the need to protect personal data under the PDPA.

Each organisation is accountable for personal data in its possession or control and, unlike the public sector, there is no expectation of a similar integrated delivery of services across different private sector organisations.

The commissioner of the PDPC is responsible for administering and enforcing the PDPA to uphold data protection standards for the private sector.

Karen Low (Ms)

Director, Corporate Communications

Personal Data Protection Commission

A version of this article appeared in the print edition of The Straits Times on March 01, 2019, with the headline 'Plan to make data breach notification regime mandatory'.