Singapore’s privacy regulator, the Personal Data Protection Commission (PDPC), has issued over SG $1.29 million in data breach fines so far in 2019.
This running total exceeds the cumulative amount for the past three years.
A significant portion of the S$1.29 million comes from the fines imposed on Integrated Health Information Systems (IHiS) and SingHealth for their failure to adequately secure patient data, a failure that led to the nation's worst ever data breach.
The PDPC enforces the Personal Data Protection Act (PDPA), which sets out what private organisations in Singapore can and cannot do with personal data. Its rules include procedures for collecting personal data; prohibitions on disclosing personal data to third parties unless certain conditions have been met; and requirements that organisations maintain reasonable security arrangements to protect the personal data they hold.
Under PDPC guidelines on NRIC numbers that took effect on 1 September 2019, organisations may no longer collect, use or disclose National Registration Identity Card (NRIC) numbers, or retain copies of the NRIC, except where this is required by law or is necessary to verify an individual's identity to a high degree of fidelity.
Organisations that breach the PDPA face financial penalties of up to S$1 million. Individuals who commit offences under the PDPA also face fines and imprisonment.
Many Singaporean businesses are also subject to other data protection laws, such as the EU's General Data Protection Regulation (GDPR), which applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Companies that breach the GDPR can be fined up to four percent of their annual worldwide turnover or €20 million, whichever is higher.
According to the PDPC, it has already issued fines or warnings to 29 Singaporean entities this year, most of them as a result of complaints or notifications received from the public.
GRC Solutions offers off-the-shelf and bespoke privacy and data protection compliance training for businesses in Singapore. Our courses include the PDPA, the EU General Data Protection Regulation (GDPR), privacy training for Australia, New Zealand and the state of California and more. Contact us today for more information.