July 02, 2020
As the ever-present threat of data breaches show no sign of waning, authorities are currently seeking stronger deterrents against breaches in Singapore. Currently, companies are only liable for a fine of up to S$1 million.1 However, under proposed amendments to the Personal Data Protection (Amendment) Bill, organisations are looking to face the possibility of being charged with increased fines of up to 10% of their annual gross turnover, or S$1 million - whichever is higher. This proposed amendment is looking to serve as a hefty reminder to businesses to step up in their efforts against data breaches.
The proposed increase will also bring the provisions in line with data protection rules in other regions. For instance, the European Union’s GDPR prescribes a penalty of four percent of an entity’s global annual turnover or €20 million (S$30.7 million), whichever is higher.
The Personal Data Protection Act (PDPA) is enforced by the Personal Data Protection Commission (PDPC). The PDPC administers and enforces the PDPA and serves as the country’s primary authority in matters relating to personal data protection. The PDPA is essential in order to foster a trusting environment among businesses and consumers in Singapore and also, to contribute to the economy. As large amounts of personal data are continuously collected each day, a data protection regime was initiated to control the collection, usage and disclosure of such information. This includes destruction of data when no longer required.2
A 32-year-old man was found guilty for retaining personal information of more than 200 individuals, including their NRICs. He later used this information to redeem Government-issued reusable face masks at vending machines, which was limited to one per registered NRIC. The misuse came to light after the individuals realised they were not able to redeem their masks. After investigations were conducted, it was found that he had held onto the information from a previous job at a recruitment company.
Such an incident proves that stringent procedures need to be put into place to manage confidential and personal information. This includes ensuring that when a employee leaves the organisation they should no longer be able to access confidential data.
All staff in an organisation, should have to go through training in order to be aware of the standard procedures when handling personal information. To do so, organisations can conduct risk assessments to get to know some of the vulnerable areas where data breaches are likely to occur.
On top of that, organisations can familiarise all staff with the PDPC’s Guide to Data Disposal, such that personal information can be disposed of in an appropriate way and in compliance with the PDPA. This also provides the best practice guidelines on the collection, use, and disclosure of personal data and increases the awareness levels so that data breaches can be avoided.
Contact us for a quote to find out more about how Shred-it can help you prevent further data breaches.
This article is provided for your convenience and does not constitute legal advice. Readers should not take, or refrain from taking, actions based upon the content of this article. Prior results do not guarantee similar outcomes. Please seek professional legal advice.
¹The Straits Times (2020). Proposed changes to Singapore's data protection law seek stiffer penalties for info leaks [ONLINE] Available at: https://www.straitstimes.com/singapore/proposed-changes-to-singapores-data-protection-law-seek-stiffer-penalties [Accessed 15 June 2020]
2Personal Data Protection Commission (2020). PDPA Overview [ONLINE] Available at: https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act [Accessed 15 June 2020]