S'pore data protection bill must continue to evolve

Singapore's data protection act needs to be in line with similar legislation around the world, especially with the growing adoption of cloud services and use of data to improve business processes.
Written by Eileen Yu, Senior Contributing Editor

Singapore is expected to soon enact its first data protection act after the bill was read in parliament earlier this month.

The Personal Data Protection Act has been brewing for a long, long time. I remember covering news about it as early as 2000, and the Law Reform Committee of the Singapore Academy of Law had recommended the need for data protection legislation way back in 1989.

A point to note is that the proposed act contains a new section governing the flow of data outside Singapore. It states: "An organization shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this act, to ensure organizations provide a standard of protection to personal data so transferred that is comparable to the protection under this act."

It would be interesting to see how this applies to cloud services since the data centers which support the delivery of such services may not necessarily be located in Singapore. Businesses will likely need to include clauses in their contracts to ensure their cloud service providers retain data created here remain in the country.

A ZDNet Asia report this week also highlighted future amendments to the act should look at mandating the notification of security breaches. Ilias Chantzos, Symantec's senior director of government affairs, said data protection bills in Europe and the U.S. already have provisions for to ensure organizations publish notifications for data breaches. This is necessary to provide better protection of citizens' information, Chantzos said, noting that data protection laws are designed to address the lifecycle of information, from the point it is created to its deletion. This should include how information is retained, used and destroyed, and what happens if the information is lost.

"Since security breaches leads to loss of information, it's only a matter of time before discussions of cybersecurity incident disclosure will start," he said.

I'm hoping the Singapore government also realizes this as well as the need to tweak the data protection act so it's in line with similar legislation around the world. This is especially critical with the growing adoption of cloud services and use of data to improve business processes and operational efficiencies.

Editorial standards