Singapore: Data Protection in the Financial Sector
1. Governing Texts
The Personal Data Protection Act 2012 ('PDPA') establishes a general data protection law that governs the collection, use and disclosure of individuals' personal data by organisations. The PDPA recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 ('the Amendment Bill') which was passed on 2 November 2020 and which was formally enacted as the Personal Data Protection (Amendment) Act 2020 ('the Amendment Act'). Most provisions under the Amendment Act came into effect on 1 February 2021. Most prominently, a mandatory data breach notification regime was introduced, which requires organisations which suffer a notifiable data breach to notify the PDPC and affected individuals of that data breach unless an exception applies.
The term 'personal data' is defined in the PDPA as data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access. This definition covers all types of data, whether true or false, and whether in electronic or other forms. As for the term 'individual,' it means a natural person whether living or deceased, i.e. a human being. Accordingly, only personal data of natural persons are protected under the PDPA, whereas data relating to corporate bodies and other legal entities is not covered.
Data protection obligations
Organisations are to comply with ten data protection obligations ('Data Protection Obligations'), which are set out in the Data Protection Provisions of the PDPA ('the DPPs') if they undertake activities relating to the collection, use and disclosure of personal data. The term 'organisation' broadly covers natural persons, corporate bodies (e.g. companies), unincorporated bodies of persons (e.g. associations), regardless of whether they are formed or recognised under the laws of Singapore or whether they are resident or have an office or place of business in Singapore. As organisations, financial institutions ('FIs') would be required to comply with the DPPs.
The exception to this rule is if an organisation falls within a category of organisations that is expressly excluded from the application of the DPPs, for example, an individual acting in a personal or domestic capacity, an employee acting in the course of his/her employment with an organisation, or any public agency (e.g. a statutory body, tribunal, etc.).
The ten Data Protection Obligations, which are set out in Parts 3 to 6A of the PDPA, are briefly summarised below:
- Consent: subject to certain exceptions, an individual’s consent is required before an organisation is allowed to collect, use or disclose his/her personal data for a specific purpose (Sections 13 to 17 of the PDPA);
- Purpose limitation: an organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and if applicable, provide notification to the individual concerned (Section 18 of the PDPA);
- Notification: an organisation is required to notify the individual of the purpose(s) for which it intends to collect, use or disclose his/her personal data on or before such collection, use or disclosure (Section 20 of the PDPA);
- Access and correction: subject to certain exceptions, an organisation must allow an individual to access and correct his/her personal data in the organisation's possession or under its control upon request by the individual. In addition, it is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA);
- Accuracy: an organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation (Section 23 of the PDPA);
- Protection: an organisation will be required to protect personal data in its possession or under its control by making reasonable security arrangements to prevent (Section 24 of the PDPA):
  - unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
  - the loss of any storage medium or device on which personal data is stored;
- Retention limitation: an organisation is required to cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose(s) for which it was collected, and is no longer necessary for legal or business purposes (Section 25 of the PDPA);
- Transfer limitation: an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA which ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA);
- Accountability: an organisation must develop and implement policies and practices that are necessary for it to meet its key obligations under the PDPA, and to make information about such policies and practices publicly available, such as via an online data protection policy. The organisation is also required to designate one or more individuals to be responsible for ensuring that it complies with the PDPA. These individuals are typically known as data protection officers ('DPOs') (Sections 11 and 12 of the PDPA); and
- Data breach notification: organisations are required in the event of a data breach to assess whether a data breach is notifiable and, if so, to notify the PDPC and, in certain circumstances, the affected individuals, within the specified timeframe (Sections 26A to 26E of the PDPA).
In addition, the Amendment Act will introduce one further data protection obligation in Part 6B of the PDPA (which has yet to come into effect):
- Data portability obligation: Upon an organisation's receipt of a data porting request from an individual, the porting organisation must transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as those relating to technical, user experience, and consumer protection matters.
Some of the Data Protection Obligations may have other related requirements which organisations must comply with. For example, an organisation that intends to transfer personal data outside of Singapore must not only comply with the Transfer Limitation Obligation in the PDPA but also comply with the requirements for cross-border transfer in Part 3 of the Personal Data Protection Regulations 2021 ('the PDPA Regulations'). Other Data Protection Obligations are subject to exceptions or limitations specified in the PDPA. For example, an organisation may collect, use and disclose personal data about an individual or from a source other than the individual without that individual's consent in any of the circumstances listed in the First and Second Schedules to the PDPA.
The DPPs do not apply to business contact information (Section 4(5) of the PDPA). Organisations are not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other DPPs in relation to business contact information. 'Business contact information' is defined as an individual's name, position name or title, business telephone number, business address, business email, business fax number and any other similar information about the individual, not provided solely for his personal purposes. The definition of business contact information is dependent on the purposes for which such contact information may be provided by an individual as it recognises that an individual may provide certain work-related contact information solely for personal purposes.
PDPA and interaction with other laws
Under Section 4(6) of the PDPA, the DPPs do not affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, and should any of the Data Protection Provisions come into conflict with provisions of other written law, the latter shall prevail. Other written law includes the Constitution of the Republic of Singapore, acts of Parliament and subsidiary legislation such as regulations. In other words, in the event that a particular provision under the PDPA is inconsistent with a provision in any other written law in some way, then the provision in that other written law will prevail to the extent of the inconsistency. For the avoidance of doubt, other provisions in the PDPA which are not inconsistent with the other written law will continue to apply.
For example, the banking secrecy laws under the Banking Act 1970 ('the Banking Act') still govern customer information obtained by a bank. Section 47 of the Banking Act permits a bank to disclose customer information for such purposes and to such persons as are specified in the Third Schedule to the Banking Act (subject to the conditions specified). To the extent that any of the Data Protection Provisions is inconsistent with a provision in the Third Schedule to the Banking Act, e.g. in relation to obtaining consent for disclosure of personal data for a purpose specified in the Third Schedule to the Banking Act, the provisions in the Third Schedule shall prevail. However, the Data Protection Provisions will continue to apply in respect of other purposes which are not specified in the Third Schedule to the Banking Act and also to the extent that they are not inconsistent with the provisions of the Third Schedule to the Banking Act.
Personal data protection framework
Prior to the enactment of the PDPA in 2012, Singapore did not have an overarching law governing the protection of personal data. The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. As set out above, these existing sector-specific data protection frameworks continue to operate alongside the PDPA. The PDPA was implemented in three phases. On 2 January 2013, selected provisions of the PDPA came into operation. These included provisions that:
- set out the scope and interpretation of the PDPA;
- provide for the establishment of the Personal Data Protection Commission ('PDPC') and the Data Protection Advisory Committee; and
- provide for the establishment of Do Not Call ('DNC') registers, and other general provisions of the PDPA.
On 2 January 2014, provisions relating to the DNC registers came into force, whilst the main Data Protection Provisions under Parts 3 to 6 of the PDPA came into effect on 2 July 2014. The main Data Protection Provisions set out the obligations of organisations with respect to the collection, use, disclosure, access to, correction and care of personal data. The PDPA Regulations supplement the PDPA in three key areas:
- the requirements for transfers of personal data out of Singapore;
- the form, manner and procedures for making and responding to requests for access to or correction of personal data; and
- persons who may exercise rights in relation to the disclosure of personal data of deceased individuals.
The regulations issued under the PDPA are:
- the PDPA Regulations;
- Personal Data Protection (Composition of Offences) Regulations 2021;
- Personal Data Protection (Notification of Data Breaches) Regulations 2021;
- Personal Data Protection (Do Not Call Registry) Regulations 2013;
- Personal Data Protection (Enforcement) Regulations 2021; and
- Personal Data Protection (Appeal) Regulations 2021.
The PDPC formulates and implements policies relating to the protection of personal data, including regulations and guidelines to help organisations understand and comply with the PDPA. To this end, the PDPC has issued a series of non-legally binding guidelines, general guides and technical guides that elaborate upon and provide clarification on provisions in the PDPA. A non-exhaustive list of the guidelines which may be relevant to FIs includes:
- Advisory Guidelines on Key Concepts in the PDPA ('the Key Concepts Guidelines');
- Advisory Guidelines on the PDPA for Selected Topics ('Selected Topics Guidelines');
- Advisory Guidelines on the Enforcement of Data Protection Provisions ('the Enforcement Guidelines');
- Advisory Guidelines on Requiring Consent for Marketing Purposes;
- Advisory Guidelines on the Do Not Call Provisions;
- Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers;
- Guide on Active Enforcement;
- Guide to Managing Data Intermediaries;
- Guide to Accountability under the PDPA;
- Guide to Basic Data Anonymisation Techniques;
- Guide on the Practice of Passing Magnetic Stripes of Payment Cards Through a Reader;
- Guide to Securing Personal Data in Electronic Medium ('the Electronic Medium Guide');
- Guide to Managing and Notifying Data Breaches;
- Guide to Notification;
- Guide to Handling Access Requests;
- Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data;
- Guide to Printing Processes for Organisations;
- Guide to Disposal of Personal Data on Physical Medium;
- Guide to Data Protection Impact Assessments;
- Guide to Developing a Data Protection Management Programme; and
- Guide to Data Protection by Design for ICT Systems.
In addition, the PDPC also issues enforcement decisions pursuant to the investigations it conducts on organisations that may not have complied with the Data Protection Obligations under the PDPA. Some decisions involving FIs include:
- AIA Singapore Private Limited (U.E.N. 201106386R)  SGPDPC 10;
- Central Depository (PTE) Ltd. and Toh-shi Printing Singapore Pte Ltd  SGPDPC 11;
- Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd  SGPDPC 15;
- Re Aviva Ltd  SGPDPC 14 ('Re Aviva');
- Re AIG Asia Pacific Insurance Pte. Ltd.  SGPDPC 8;
- Re Funding Societies Pte. Ltd.  SGPDPC 29;
- Re AIA Singapore Private Limited  SGPDPC 20;
- Re Friends Provident International Limited  SGPDPC 29;
- Re Amicus Solutions Pte. Ltd. & Anor.  SGPDPC 33; and
- Re The Central Depository (Pte) Limited  SGPDPC 12.
The PDPC also publishes an annual compendium, the Personal Data Protection Digest, comprising the grounds of decision, summaries of unpublished cases, and a collection of data protection-related articles contributed by data protection practitioners. The PDPC most recently published the Personal Data Protection Digest 2021.
In the financial sector, the relevant regulatory authority is the Monetary Authority of Singapore ('MAS'), constituted under the Monetary Authority of Singapore Act 1970 ('MAS Act'). The MAS is charged with the responsibility of oversight and regulation of the financial sector. Separate laws govern each sub-sector of the financial industry.
For example, the Banking Act is the primary piece of legislation governing the banking industry (including commercial and merchant banks), and contains provisions on banking secrecy, while the Securities and Futures Act 2001 ('SFA') is the primary piece of legislation regulating activities and institutions in the securities and derivatives industry (including leveraged foreign exchange trading), financial benchmarks, clearing facilities and other related matters.
The Schedule to the MAS Act sets out the list of written laws which come under the MAS' purview:
- Banking Act;
- Bills of Exchange Act 1949;
- Bretton Woods Agreements Act 1966;
- Business Trusts Act 2004;
- Chit Funds Act 1971;
- Credit Bureau Act 2016;
- Currency Act 1967;
- Deposit Insurance and Policy Owners' Protection Schemes Act 2011;
- Exchange Control Act 1953;
- Exchanges (Demutualisation and Merger) Act 1999;
- Finance Companies Act 1967;
- Financial Advisers Act 2001 ('FAA');
- Government Securities (Debt Market and Investment) Act 1992;
- Insurance Act 1966;
- Payment and Settlement Systems (Finality and Netting) Act 2002;
- Payment Services Act 2019 ('PS Act');
- Significant Infrastructure Government Loan Act 2021; and
- Trust Companies Act 2005.
MAS is empowered under the various sectoral acts to issue notices with which FIs are legally required to comply. In addition, MAS may also issue non-legally binding guidelines on certain matters, which set out principles or 'best practice standards.' Failure to comply with MAS guidelines does not, in and of itself, result in penalties, although how well an institution or person observes the guidelines may have an impact on MAS' overall risk assessment of that institution or person.
While there are no MAS notices or guidelines which specifically address data protection, the following MAS notices and guidelines, which are issued under the relevant sectoral legislation and may apply to different regulated FIs, address aspects of data protection and privacy:
- MAS Notices on Technology Risk Management ('TRM Notice') and the Guidelines on Risk Management Practices – Technology Risk (January 2021) ('TRM Guidelines'), which provide comprehensive guidance on the establishment of sound TRM and security practices to address existing and emerging technology risks within the financial industry. In particular, the TRM Guidelines include requirements for a high level of reliability, availability and recoverability of critical IT systems, and for FIs to implement IT controls to protect customer information from unauthorised access or disclosure.
- MAS notices and guidelines on prevention of money laundering and countering the financing of terrorism ('AML/CFT'), which set out the obligations of FIs to perform due diligence and transaction monitoring on customers.
- MAS Guidelines on Outsourcing ('Outsourcing Guidelines'), which promote sound risk management practices for the outsourcing arrangements of FIs. They also set out practical measures for FIs to undertake to ensure that their service providers' security policies, procedures and controls protect the confidentiality and security of the FI's customer information.
- MAS Notice on Cyber Hygiene which sets out cybersecurity requirements that FIs must implement to mitigate the growing risks of cyber threats.
- MAS Guidelines for E-Payments User Protection which sets out the expectations of the MAS of any responsible financial institution that issues or operates a protected account, as well as duties of account holders and account users of protected accounts, and provides guidance on the liability for losses arising from unauthorised and erroneous transactions.
Other relevant legislation
Other relevant legislation includes the Cybersecurity Act 2018 ('the Cybersecurity Act'), which came into operation (in part) on 31 August 2018. The Cybersecurity Act seeks to establish a framework for:
- the protection of critical information infrastructure ('CII'), which are computer systems directly involved in the provision of essential services, against cybersecurity threats;
- the designation and regulation of CII owners;
- the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore; and
- the regulation of providers of licensable cybersecurity services.
The Cyber Security Agency of Singapore ('CSA') has identified a total of 11 sectors with CII. For each of these 11 sectors, CSA works with the relevant Sector Lead to identify their essential services based on criteria such as impact on Singapore's economy. The critical sectors are energy, water, banking & finance, healthcare, transport (which includes land, maritime, and aviation), government, infocommunications, media, and security & emergency services. The list of essential services in these sectors is published in the First Schedule to the Cybersecurity Act.
Finally, there are various other sectoral codes of practice applicable to certain FIs, e.g. the non-legally binding ABS Code of Banking Practices - The Personal Data Protection Act, issued by the Association of Banks in Singapore ('the ABS') on 8 August 2015 (and subsequently updated on 17 June 2021), which clarifies the practices for banks in Singapore in respect of the PDPA and its regulations, where applicable.
1.2. Supervisory authorities
The regulators and supervisory authorities responsible for enforcing and implementing the above regulatory framework are:
- MAS, Singapore's central bank and an integrated supervisor overseeing all FIs in Singapore, including but not limited to banks, insurers, capital market intermediaries, financial advisors, and the stock exchange;
- PDPC, the main authority in matters relating to personal data protection, charged with administering and enforcing the PDPA. The PDPC was originally established as a statutory body under the PDPA on 2 January 2013 and was under the purview of the Ministry of Communications and Information ('MCI'). With effect from 1 October 2016, the PDPC has been subsumed as a department/division under the Info-communications Media Development Authority ('IMDA'); and
- CSA, the national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development, which administers and enforces the Cybersecurity Act. It is part of the Prime Minister's Office and is managed by the MCI.
PDPC's enforcement powers
The PDPC may initiate an investigation to determine whether an organisation is compliant with the PDPA, upon receipt of a complaint or of its own motion. As set out in the PDPC’s Enforcement Guidelines, the factors that the PDPC may consider in deciding whether to commence an investigation include:
- whether the organisation may have failed to comply with all or a significant part of its obligations under the PDPA;
- whether the organisation's conduct indicates a systemic failure by the organisation to comply with the PDPA or to establish and maintain the necessary policies and procedures to ensure its compliance;
- the number of individuals who are, or may be, affected by the organisation's conduct;
- the impact of the organisation's conduct on the complainant or any individual who may be affected;
- whether the organisation had previously contravened the PDPA or may have failed to implement the necessary corrective measures to prevent the recurrence of a previous contravention;
- whether the complainant had previously approached the organisation to seek a resolution of the issues in the complaint but failed to reach a resolution;
- where the PDPC has sought to facilitate dispute resolution between the complainant and the organisation, whether the complainant and the organisation agreed to participate in the dispute resolution process and their conduct during the dispute resolution process and the outcome of the dispute resolution process;
- where the PDPC has commenced a review, whether the organisation has complied with its obligations under the Personal Data Protection (Enforcement) Regulations 2021 in relation to a review, the organisation’s conduct during the review and the outcome of the review;
- public interest considerations; and
- any other factor that, in the PDPC's view, indicates that an investigation should or should not be commenced.
In the course of its investigation, the PDPC's powers include:
- requiring, by notice in writing, any organisation to produce any specified document or to provide any specified information, or requiring a person within the limits of Singapore to attend before the PDPC;
- entering an organisation's premises without a warrant, after giving at least two working days' advance notice of intended entry; and
- obtaining a search warrant to enter an organisation's premises, searching the premises or any person on the premises (the latter, if there are reasonable grounds for believing that he or she has in his or her possession any document, equipment or article relevant to the investigation), and taking possession of, or removing, any document, equipment or article relevant to the investigation.
Where the PDPC is satisfied that an organisation has breached the Data Protection Provisions under the PDPA, it is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
- if it is satisfied that the organisation has intentionally or negligently contravened the Data Protection Provisions, pay a financial penalty of up to SGD 200,000 (approx. €137,220) in the case of an individual or, in any other case, SGD 1 million (approx. €650,000).
Please see our comment in the section on enforcement below on the upcoming enhanced financial penalty provisions.
The PDPC has been very active in its enforcement of the PDPA. A total of 29 enforcement decisions were published by the PDPC in 2021. 47 enforcement decisions were published by the PDPC in 2020, and 49 enforcement decisions were published in 2019, which was a sharp rise from a total of 29 decisions in 2018 and 19 decisions in 2017.
MAS' enforcement powers
For the MAS, enforcement actions are not just about taking FIs and individuals to task for breaches of law and misconduct, but can also be used to shape the behaviour of stakeholders and participants in the financial industry by deterring others from engaging in similar misconduct. The MAS Enforcement Department is responsible for enforcement actions arising from breaches of laws and regulations administered by the MAS. It works with the supervisory departments within the MAS as well as key external stakeholders to manage three main elements of enforcement work, namely detection, investigation, and taking of enforcement action (where appropriate) for these breaches. The MAS works closely with other law enforcement agencies and stakeholders, including the Commercial Affairs Department ('CAD'), the Attorney-General’s Chambers ('AGC') and self-regulatory organisations ('SROs'), to ensure that breaches of MAS-administered laws and regulations are swiftly detected, thoroughly investigated and effectively addressed:
- CAD is the principal law enforcement agency for the criminal investigation of financial crimes and money laundering offences in Singapore. CAD's remit includes investigating criminal offences under MAS-administered laws and regulations. Under the MAS-CAD joint investigation arrangement, MAS and CAD jointly investigate offences under the SFA and the FAA.
- As the Public Prosecutor, the Attorney-General has the discretionary power to institute criminal proceedings for any offence, including offences under MAS-administered laws and regulations. AGC also maintains oversight of the MAS' exercise of its power to compound offences under the Acts that it administers.
- SROs are organisations that perform some regulatory functions. For example, in the area of securities and derivatives trading, the approved exchanges are SROs, with rules governing both their members (business rules) and listed companies (listing rules). The International Organization of Securities Commissions ('IOSCO') has recognised that self-regulation may be a valuable complement to the regulator in achieving the objectives of securities regulation.
MAS published an enforcement monograph ('the Monograph') on 24 September 2018 to provide greater clarity and transparency into how MAS deters, detects, investigates and takes action against breaches of the rules and regulations it administers. The Monograph outlines how the MAS Enforcement Department works together with the other financial sector oversight functions in MAS to uphold Singapore's reputation as a clean and trusted financial centre. When assessing the type and the extent of the enforcement action to impose, MAS' primary objective is to achieve deterrence and prevent future harm. The enforcement action must be adequate to deter the offender from re-offending, and also deter others from engaging in similar violations and misconduct. According to the Monograph, there are several types of enforcement actions that MAS may take, including:
- criminal prosecutions;
- civil penalties;
- revocation or suspension of regulatory status;
- removals from office;
- prohibition orders;
- reprimands; and
- warnings/letters of advice.
CSA's enforcement powers
The Cybersecurity Act empowers the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising. The CSA works with sector regulators to coordinate cybersecurity efforts to protect CII within their own sectors. The sectors have varying levels of cybersecurity readiness, and sector regulators have varying powers under their respective legislation and regulations to regulate CII on cybersecurity matters. The Cybersecurity Act also allows the Minister to appoint Assistant Commissioners ('ACs') to assist the Commissioner to oversee and enforce cybersecurity requirements on the owners of CII, and the intention is to appoint officers from sector regulators as ACs to perform this role. This is because sector regulators are expected to understand the unique contexts and complexities in their sectors, and will therefore be best-placed to advise on the necessary requirements so as to strike a balance between their sector's cybersecurity needs and operational considerations.
2. Personal and Financial Data Management
Depending on the context, FIs may be under two or more sets of obligations in relation to the collection, processing and transfer of personal data: the general Data Protection Obligations under the PDPA, and sector-specific information protection obligations in various scenarios or situations as the MAS or other regulatory authorities may prescribe.
General data protection obligations under the PDPA
In the Key Concepts Guidelines, the PDPC defines 'collection' broadly to mean any act or set of acts through which an organisation obtains control over or possession of personal data. Generally, an FI may collect personal data about an individual or from a source other than the individual without that individual's consent in any of the circumstances listed in the First or Second Schedule to the PDPA. For example, in circumstances where an individual's personal data is collected for the FI to recover a debt owed to the FI by the individual or for the FI to pay to the individual a debt owed by the FI, the FI in question may collect that individual's personal data without consent. Moreover, an FI, in providing a product or service to an individual, must not, as a condition of providing the product or service, require the individual to consent to the collection, use or disclosure of his personal data beyond what is reasonable to provide the product or service.
With regard to the processing of personal data, the PDPA defines it as the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission, erasure or destruction. These represent a non-exhaustive list of activities which could be considered processing.
Organisations that process personal data for or on behalf of other organisations pursuant to a contract in writing, i.e. data intermediaries, are required to comply with the Protection and Retention Limitation Obligations under Sections 24 and 25 of the PDPA in respect of the personal data in their possession or control. In addition, under the new Data Breach Notification Obligation, a data intermediary is also required to notify the organisation on whose behalf and for whose purposes it is processing personal data of any data breach that has occurred in relation to such personal data.
That said, Section 4(3) of the PDPA provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself. As such, insofar as an FI engages a data intermediary to process personal data on its behalf, the FI will remain responsible for complying with all of the obligations under the PDPA. In this regard, it is good practice for the FI to undertake an appropriate level of due diligence to assure itself that a potential data intermediary is capable of complying with the PDPA.
With regard to the transfer of personal data, Section 26 of the PDPA limits the ability of an organisation to transfer personal data outside Singapore by providing that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA. This is to ensure that organisations provide a standard of protection that is comparable to the protection under the PDPA. Insofar as an FI wishes to transfer the personal data of its customers or users to another country or territory outside Singapore, the FI must ensure that the transfer is done in accordance with requirements prescribed under the PDPA and the Personal Data Protection Regulations 2021.
Sector-specific information protection obligations
In the sector-specific context, there may be additional rules imposed on FIs with regard to the collection, processing or transfer of personal data. For example, Section 47 of the Banking Act has provisions on the privacy of customer information, which provides that customer information shall not, in any way, be disclosed by a bank in Singapore or any of its officers to any other person except as expressly provided in the Banking Act.
As a result, many FIs may be subject to a higher degree of confidentiality as they not only need to protect the personal data of a customer or user, but also comply with the rules surrounding the disclosure of customer information. Under the Banking Act, 'customer information,' in relation to a bank, is defined in Section 40A as deposit information or any information relating to, or any particulars of, an account of a customer of the bank, whether the account is in respect of a loan, investment or any other type of transaction, but does not include any information that is not referable to any named customer or group of named customers.
The Third Schedule of the Banking Act sets out purposes for disclosure in Part I (Further Disclosure Not Prohibited) and Part II (Further Disclosure Prohibited), and expressly lists out:
- the purposes for which customer information may be disclosed (e.g. disclosure is solely in connection with the performance of duties as an officer or a professional adviser of the bank);
- the persons to whom the information may be disclosed (e.g. any other bank or merchant bank in Singapore); and
- any applicable conditions (e.g. no customer information, other than information of a general nature and not related to the details of the customer's account with the bank, shall be disclosed).
In addition, there may be specific instances where consent does not need to be sought. For example, in MAS Notice 626 on the Prevention of Money Laundering and Countering the Financing of Terrorism - Banks, MAS provides that for the purposes of complying with the Notice, a bank may, whether directly or through a third party, collect, use, and disclose personal data of an individual customer, an individual beneficiary of a life insurance policy, an individual appointed to act on behalf of a customer, an individual connected party of a customer or an individual beneficial owner of a customer, without the respective individual's consent.
MAS TRM Notices also require FIs to implement IT controls to protect customer information from unauthorised access or disclosure, and to notify the MAS in the event of a security breach of a system which compromises the security, integrity or confidentiality of customer information. MAS Cyber Hygiene Notices further set out cybersecurity requirements covering, for example, securing administrative accounts, applying security patches, establishing baseline security standards, deploying network security devices, implementing anti-malware measures and strengthening user authentication.
MAS TRM Guidelines also set out guidance for FIs to implement robust security measures to ensure that their systems and customer data are well protected against any breach or loss.
With regard to transfers of customer information, according to the Outsourcing Guidelines, FIs remain responsible for the protection and security of the relevant information and data (which includes customers' financial information) notwithstanding that such data has been transferred to another service provider located in another jurisdiction.
2.1. Legal basis for processing
The processing of personal data is expressed in terms of 'collection, use and disclosure' of the same under the PDPA. An individual's consent is required before an organisation can collect, use or disclose the individual's personal data, unless an exception under the PDPA applies or the collection, use or disclosure is otherwise required or authorised by law. Such consent must be validly obtained and may be either expressly given or deemed to have been given.
For consent to be considered validly given, the organisation must first inform the individual of the purposes for which his or her personal data will be collected, used or disclosed. These purposes have to be what a reasonable person would consider appropriate in the circumstances. Fresh consent would need to be obtained where personal data collected is to be used for a different purpose than that to which the individual originally consented.
In addition, organisations should note that consent obtained via the following ways does not constitute valid consent for the purpose of the PDPA:
- where consent is obtained as a condition of providing a product or service, and such consent is beyond what is reasonably required to provide the product or service to the individual; and
- where false or misleading information is provided, or deceptive or misleading practices are used, in order to obtain or attempt to obtain the individual's consent for collecting, using or disclosing personal data.
The PDPA stipulates that consent is deemed to have been given in certain specified scenarios, including:
- where an individual voluntarily provides his or her personal data to the organisation for a particular purpose, and it is reasonable that the individual would voluntarily provide his or her personal data;
- where an individual provides personal data to an organisation with a view to the individual entering into a contract with the organisation, the individual is deemed to consent to the collection, use and disclosure of that personal data where reasonably necessary for the conclusion of the contract between the individual and the organisation; and
- subject to conditions such as the conducting of a prescribed assessment, where organisations notify their customers of the new purpose and provide a reasonable period for them to opt out.
There are no sector-specific requirements for FIs to provide customers with notice of the FI's privacy policies and practices. However, as FIs are organisations subject to the PDPA, they are required to comply with the Notification and Accountability Obligations under the PDPA.
Under the Notification Obligation, an FI is required to provide customers with notice of its privacy policies and practices in order to obtain valid consent from its customers in relation to the collection, use and disclosure of personal data. While the PDPA does not prescribe a specific manner or form in which an organisation is to inform an individual of the purposes for which it is collecting, using or disclosing the individual's personal data, FIs may wish to have regard to the PDPC's Guide to Notification when considering how best to provide customers with the necessary notice.
Under the Accountability Obligation, an FI is required to develop and implement policies and practices that are necessary for it to meet its obligations under the PDPA and to make information about the same available on request (Section 12 of the PDPA). To ensure compliance with the Accountability Obligation, an FI is also required to designate an individual to be the DPO, who is to be the main point of contact from both within and outside the organisation in relation to these data protection policies and practices (Section 11 of the PDPA). As a good practice, the business contact information of the DPO should be readily accessible from Singapore, operational during Singapore business hours and, in the case of telephone numbers, be Singapore telephone numbers.
In relation to sector-specific regulations, as stated above, there are various pieces of sectoral legislation and MAS regulatory instruments issued under that legislation which may pertain to data security and risk management.
An example of such a regulatory instrument is the MAS Cyber Hygiene Notices, which make it mandatory for regulated FIs to implement certain cyber hygiene practices, e.g.:
- ensure that every administrative account is secured;
- ensure that security patches are applied to address vulnerabilities within a timeframe commensurate with the risk posed, and that where no patch is available, controls are instituted;
- ensure that there is a written set of security standards for every system and such standards are complied with, and in the case of non-conformity, controls are instituted;
- implement controls at its network perimeter to restrict all unauthorised network traffic;
- ensure that one or more malware protection measures are implemented on every system, where such measures are available and can be implemented; and
- ensure that multi-factor authentication is implemented for all administrative accounts of a critical system, and all accounts on any system used to access customer information through the internet.
The TRM Notices also contain certain data security and technology risk management related requirements. Their contents include:
- certain critical systems availability requirements on FIs (relating to e.g. unscheduled downtime and recovery time objective);
- a requirement to 'implement IT controls to protect customer information from unauthorised access or disclosure'; and
- requiring FIs to notify 'relevant incidents' to the MAS within one hour of discovery, and to submit a root cause and impact analysis report (containing the prescribed information) to the MAS within 14 days or such longer period as the MAS may allow. A relevant incident is defined as a system malfunction or IT security incident (i.e. 'an event that involves a security breach, such as hacking of, intrusion into, or denial of service attack on, a critical system, or a system which compromises the security, integrity or confidentiality of customer information'), which has a severe and widespread impact on the FI's operations or materially impacts its service to its customers.
The TRM Notices are also accompanied by guidelines (i.e. the TRM Guidelines), which set out technology risk management principles and best practices for the financial sector. The MAS has stated that these guidelines are not intended to be exhaustive, as FIs should also take into account applicable industry standards such as those set by the Basel Committee on Banking Supervision, where appropriate.
The above regulatory instruments pertain to technology risk management only, and sit alongside other MAS instruments and guidelines relating to the management of different types of risks such as environmental, enterprise, liquidity, market, and credit risks.
In addition to the MAS requirements, FIs are also subject to the Protection Obligation under the PDPA. According to the Protection Obligation, an FI would be required to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent:
- unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
- the loss of any storage medium or device on which personal data is stored.
The standard of protection required for organisations to comply with the Protection Obligation depends on what is reasonable and appropriate in the circumstances, taking into consideration the nature of the personal data, the form in which the personal data has been collected (e.g. physical or electronic) and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data. The PDPC considers the financial information of an individual to be sensitive personal data, which should be accorded a commensurate level of protection, and documents that contain sensitive personal data should be processed with particular care (see Re Aviva at ).
The PDPC has also issued additional guidelines like the Electronic Medium Guide, which provides information related to the security and protection of personal data stored in an electronic medium, good practices that organisations should undertake to protect electronic personal data, and enhanced practices that organisations may consider adopting to further improve protection of electronic personal data.
The Cybersecurity Act permits the designation of certain computer systems crucial to providing essential services, in key fields including banking and finance, as CII. If FIs are owners of CII, they are also under additional duties imposed by the Cybersecurity Act in respect of the CII, including duties to comply with codes of practice or standards of performance that the Commissioner of Cybersecurity may issue, or to conduct audits and risk assessments on a regular basis.
The Cybersecurity Code of Practice for Critical Information Infrastructure requires CII owners to establish and approve policies, standards and guidelines for managing cybersecurity risks and protecting CII against cybersecurity threats, and to review the policies, standards and guidelines against the current CII cyber operating environment and cybersecurity threat landscape at least once a year.
In relation to personal data, the Retention Limitation Obligation under Section 25 of the PDPA provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:
- the purpose for which the personal data was collected is no longer being served by retention of the personal data; and
- retention is no longer necessary for legal or business purposes.
Such legal or business purposes may include situations where the personal data is required for an ongoing legal action involving the organisation, where retention of the personal data is necessary in order to comply with the organisation's obligations under other applicable laws, or where the personal data is required for an organisation to carry out its business operations, such as to generate annual reports or performance forecasts.
Although the PDPA does not prescribe a specific retention period for personal data, organisations would need to comply with any legal or specific industry standard requirements that may apply.
Generally, FIs in Singapore are required under both the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 ('CDSA') and the MAS AML/CFT notices to retain documents for five years after the document ceases to relate to a live matter. For example, documents relating to an account opening should be retained for five years after the account is closed, and data and documents relating to a transaction should be retained for five years after the transaction takes place. The documents retained must be sufficient to explain and reconstruct the matter to which they relate.
Furthermore, FIs are subject to other record retention requirements under different legislation, such as those under the Goods and Services Tax Act 1993, Income Tax Act 1947 and Companies Act 1967. These retention requirements relate to, among others, records relating to the business, accounts and/or financial position of the FI and those required to evidence transactions relating to the FI's income and allowable deductions.
In brief, the collection, use, and disclosure of personal data by FIs is governed by the MAS AML/CFT Notices, the CDSA, and the Terrorism (Suppression of Financing) Act 2002 ('TSOFA'). These laws and regulations would be considered 'other written law' which will prevail over the provisions of the PDPA in accordance with Section 4(6) of the PDPA. Insofar as the AML/CFT notices, CDSA, and TSOFA impose a separate standard for the collection, use, disclosure, processing, storage and transfer of personal data, and that standard is inconsistent with the PDPA, that separate standard would prevail to the extent of the inconsistency.
Broadly, the MAS AML/CFT notices provide that FIs should perform customer due diligence as required in certain prescribed situations, such as when the FI establishes business relations with the customer, when there is a suspicion of money laundering or terrorism financing, or when the FI has doubts about the veracity or adequacy of any information previously obtained.
Even prior to establishing business relations, where an FI has any reasonable grounds to suspect that the assets or funds of a customer are proceeds of drug dealing or criminal conduct as defined in the CDSA, or are property related to the facilitation or carrying out of any terrorism financing offence as defined in the TSOFA, the FI shall not establish business relations.
Moreover, FIs are required to file Suspicious Transaction Reports ('STR') with the Suspicious Transaction Reporting Office, a department of the CAD of the Singapore Police Force. STRs are to be filed when FIs have reason to believe that a transaction involves money laundering or terrorist financing. Insofar as STRs contain personal data, FIs are exempted from their PDPA obligations in relation to the filing of an STR, to the extent that such obligations conflict with requirements of other such laws.
The MAS AML/CFT notices state that FIs may, whether directly or through a third party, collect, use, and disclose personal data of a customer or parties related to the customer without consent, for the purpose of complying with the MAS AML/CFT notices. In any case, if FIs are unable to complete their customer due diligence process due to an inability to collect sufficient personal data for whatever reason, they would not be allowed to establish business relations with the given customer. The personal data which an FI is required to collect pursuant to the MAS AML/CFT notices may include but are not limited to the relevant individual's full name (including any aliases), unique identification number (such as identity card number, birth certificate number or passport number), residential address, date of birth, nationality, etc.
The MAS AML/CFT notices recognise that unfettered rights to access and correct errors or omissions of all types of personal data, especially those data relied upon by FIs to conduct customer due diligence, may have an adverse effect on the quality of FIs' customer due diligence information.
Whilst customers are permitted to request access to their personal data held by FIs, as well as request information on how such data has been used or disclosed within the past year, the MAS AML/CFT notices restrict such access requests to only the name, unique identification number, residential address, date of birth, nationality, and other types of personal data that the customers themselves have provided to the FIs. Further requests from customers to correct errors or omissions are also restricted to the above types of personal data, provided that the FI is satisfied that there are reasonable grounds for such a request.
The relevant provisions on banking secrecy are provided in Section 47 of the Banking Act. This provision, which is applicable to licensed commercial and merchant banks in Singapore, states that 'customer information shall not, in any way, be disclosed by a bank in Singapore or any of its officers to any other person except as expressly provided in the Banking Act'.
'Customer information' under the Banking Act is defined as any information relating to, or any particulars of, an account of a customer of the bank (whether the account is in respect of a loan, investment or any other type of transaction), including information relating to deposit accounts, funds under management by the bank, and information relating to any safe deposit box or safe custody arrangement. However, it excludes information that is not referable to any named customer or group of named customers. The courts have previously held that disclosure of records, in which the names of customers have been replaced with Client A, Client B, etc., will not constitute a breach of Section 47 of the Banking Act (see Teo Wai Cheong v. Credit Industriel et Commercial  SGCA 13 at ). This is because, on a plain reading of Section 47 of the Banking Act, the disclosure in this case would merely be of 'any information that is not referable to any named customer or group of named customers' and would therefore not constitute a disclosure of 'customer information'.
The general rule in Section 47 of the Banking Act is subject to various exceptions, which are set out in the Third Schedule of the Banking Act. Disclosure of information under the exceptions in the Third Schedule may be subject to further conditions. The Third Schedule is divided into two parts; Part I consists of exceptions where further disclosure of information is permitted, while Part II consists of exceptions where further disclosure is not permitted. The prohibition against further disclosure of information otherwise permitted to be disclosed in Part II applies to all persons who receive that information and continues even after the person ceases to be employed in the capacity in which they received the information.
In relation to outsourcing, if an outsourced function is to be performed outside of Singapore, the bank must comply with the MAS Notices on Banking Secrecy – Conditions for Outsourcing (see MAS Notice 634 for commercial banks and MAS Notice 1108 for merchant banks), which require banks to notify the MAS of all outsourcing arrangements involving the disclosure of customer information upon entering into the relevant outsourcing agreement.
In addition to the statutory requirements of the Banking Act, bankers also have a common law duty of confidentiality. This duty requires bankers to keep information concerning the affairs of their customers confidential by virtue of the banker-customer relationship. In contrast to the Banking Act, the contravention of which results in criminal liability, the contravention of the common law duty of confidentiality exposes the bank to a civil action for damages against the FI. The Singapore Court of Appeal has held that the banking secrecy provisions in the Banking Act apply to the common law duty of confidentiality as well, overriding any previous case law on the scope of the common law duty of confidentiality (see Susilawati v. American Express Bank Ltd  SGCA 8 at -).
Notwithstanding the above, banks are permitted under Section 47(8) of the Banking Act to enter into an express agreement with their customers 'for a higher degree of confidentiality' than that otherwise prescribed under the Banking Act. Recourse for any contraventions of that higher degree of confidentiality, which are not also contraventions of the banking secrecy provisions under the Banking Act, will be for breach of contract only.
Furthermore, the Banking (Amendment) Act 2020 ('the Banking Amendment Act') was passed by Parliament on 6 January 2020 and assented to by the President on 29 January 2020. Certain amendments came into effect on 1 October 2020. The Banking Amendment Act contains provisions which will give the MAS additional powers to strengthen its supervisory oversight of banks' outsourcing arrangements. A new Section 47A provides that banks in Singapore must comply with certain requirements before obtaining any relevant service from a person or its branch / office located outside Singapore.
The MAS also conducted a public consultation from 18 December 2020 to 29 January 2021 seeking feedback on the proposed Notice to Banks on Management of Outsourced Relevant Services, which sets out the proposed requirements in relation to the management of outsourced relevant services by banks and merchant banks in Singapore. Once the new Notice takes effect, the current MAS Notices 634 and 1108 would be repealed.
As stated above, there are various pieces of sectoral legislation and MAS regulatory instruments issued under that legislation which may pertain to the data collection and processing of FIs in the insurance industry. For example, MAS Notice 506 on TRM and MAS Notice 507 on Cyber Hygiene both apply to insurance brokers.
Furthermore, the PDPC has provided comments and suggestions to the following industry-led guidelines on the PDPA that were developed by the Life Insurance Association of Singapore ('LIA') and published on 1 April 2015:
- LIA Code of Practice for Life Insurers on the Singapore Personal Data Protection Act; and
- LIA Code of Conduct for Tied Agents of Life Insurers of the Singapore Personal Data Protection Act 2012.
These two LIA codes of practice serve to contextualise the PDPA in the insurance industry in terms of what insurers or their agents may do in day-to-day business, and do not constitute additional obligations on the insurance industry beyond the expectations of the PDPA.
The PS Act is the main legislative framework for the regulation of payment systems and payment service providers in Singapore. The PS Act provides regulatory certainty and consumer safeguards while encouraging innovation and the growth of new payment business models and Fintech.
The PS Act came into effect on 28 January 2020. Prior to 28 January 2020, payment services were regulated under two separate acts: the Payment Systems (Oversight) Act (Cap. 222A) ('PS(O)A') and the Money-Changing and Remittance Businesses Act (Cap. 187) ('MCRBA').
The PS Act consolidates the PS(O)A and MCRBA, and provides an activity-based and risk-specific regulation for all types of payment services in Singapore.
The PS Act covers the following seven types of payment services:
- account issuance;
- domestic money transfer;
- cross-border money transfer;
- merchant acquisition;
- e-money issuance;
- digital payment token; and
- money-changing.
Under the PS Act, in order for payment services to be provided by non-banks, a licence must be obtained by the provider of such services. There are a total of three types of licences, depending on the type of payment service offered and the amount transacted:
- a money-changing licence;
- a standard payment institution licence; and
- a major payment institution licence.
Money-changing licences will cover businesses conducting money-changing services only. The standard payment institution licence will cover institutions that transact:
- SGD 3 million (approx. €1.94 million) or less of any activity type monthly; or
- SGD 6 million (approx. €3.87 million) or less of two or more activity types monthly; or
- hold SGD 5 million (approx. €3.23 million) or less of daily outstanding e-money on average.
The MAS may designate payment systems under the PS Act. A payment system may be designated where:
- the operations of the payment system could trigger, cause or transmit further disruption to participants or systemic disruption to the financial system of Singapore, i.e. its operations pose financial stability risks;
- a disruption in the operations of the payment system could affect public confidence in payment systems or the financial system of Singapore, and the designation is necessary to ensure efficiency or competitiveness in any of the services provided by the operator of the payment system; or
- MAS is satisfied that it is otherwise in the interests of the public to do so.
Designated payment services will be subject to the provisions under Part 3 of the PS Act, including being subject to conditions or restrictions as MAS thinks fit.
Depending on the type of licensee under the PS Act, different MAS regulatory instruments may apply. Nonetheless, the MAS TRM Guidelines, as well as MAS Notice PSN06 on Cyber Hygiene, apply to all licensees under the PS Act. Moreover, under the PS Act, the MAS is able to direct a licensee to review and strengthen its technology controls and processes.
The MAS Notice PSN05 on TRM applies to all operators and settlement institutions of designated payment systems. This ensures that licensees which are operating at a certain scale are subject to availability and recoverability requirements.
On 4 January 2021, the Payment Services (Amendment) Bill was passed in Parliament, and the Bill makes amendments to the PS Act in areas such as expanding the scope of digital payment tokens services regulated under the PS Act, and broadening the scope of cross-border money transfer services to mitigate ML/TF risks.
Transfer of Personal Data
In relation to sector-specific regulations and guidelines on data transfers, the Outsourcing Guidelines state that the engagement of a service provider in a foreign country, or an outsourcing arrangement whereby the outsourced function is performed in a foreign country, may expose an FI to country risk, i.e. economic, social and political conditions and events in a foreign country that may adversely affect the FI. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the FI.
The Outsourcing Guidelines further note that FIs should be proactive in identifying and specifying requirements for confidentiality and security in the outsourcing arrangement, and suggest steps that FIs may take to ensure the confidentiality and security of customer information, including setting out clearly the responsibilities and liabilities of each party in the event of a breach.
With respect to banks and merchant banks, the MAS has oversight over and imposes additional requirements in relation to specific outsourcing arrangements. For more details, see above.
Aside from sector-specific requirements, the PDPA contemplates that organisations may engage other organisations, known as data intermediaries, to process personal data on its behalf. However, the PDPA is clear that even though an organisation may have a data intermediary process personal data on its behalf, the organisation still has the responsibility of complying with the PDPA obligations in relation to that personal data. The PDPC has further stated that it is good practice for an organisation to undertake an appropriate level of due diligence to assure itself that a potential data intermediary is capable of complying with the PDPA. In this regard, the Guide to Managing Data Intermediaries issued by the PDPC provides further guidance to organisations.
In relation to the transfer of personal data out of Singapore, Section 26 of the PDPA read with Part 3 of the Personal Data Protection Regulations 2021 states that an organisation may not transfer personal data to a recipient in a country or territory outside Singapore unless:
- it has taken appropriate steps to ensure that it will comply with the data protection provisions in respect of the transferred personal data while such personal data remains in its possession or under its control; and
- the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA.
'Legally enforceable obligations' include obligations imposed on the recipient under law, Binding Corporate Rules ('BCRs') or contracts meeting the specifications under the Personal Data Protection Regulations 2021, or any other legally binding instrument. Furthermore, organisations that hold a 'specified certification' that is granted or recognised under the law of the country or territory to which personal data is transferred will be taken to be bound by such legally enforceable obligations. Under the Personal Data Protection Regulations 2021, a 'specified certification' refers to certifications under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') System, and the Asia Pacific Economic Cooperation Privacy Recognition for Processors ('APEC PRP') System.
In certain prescribed situations, a transferring organisation is taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA, e.g. if the personal data is data in transit or the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA.
The PDPA does not explicitly require transferring organisations to ensure that the 'legally enforceable obligations' imposed on recipients apply to onward transfers of personal data to third-party organisations. However, to the extent that recipients are bound by legally enforceable obligations to provide a PDPA-comparable standard of protection in respect of the transferred personal data, recipients would similarly be obliged to ensure that any onward transfers of personal data are conducted in accordance with the requirements of the PDPA.
Cloud computing is considered by the MAS to be a form of outsourcing arrangement. According to the Outsourcing Guidelines, cloud computing services are a combination of a business and delivery model that enables on-demand access to a shared pool of resources such as applications, servers, storage and network security. The service is typically delivered in the form of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
In particular, FIs should be aware of the typical characteristics of cloud computing services such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. FIs should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing, and ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls.
Industry guidelines on specific topics relating to outsourcing and transfer of personal data have also been published. For instance, the ABS has released the ABS Cloud Computing Implementation Guide with recommendations that have been discussed and agreed by members of the ABS Standing Committee for Cyber Security ('SCCS'), with the intent of assisting FIs in understanding approaches to due diligence, vendor management and key controls that should be implemented on an ongoing basis in cloud outsourcing arrangements. FIs should also note that the MAS published a revised version of the Outsourcing Guidelines on 5 October 2018, which recognises that cloud computing service providers ('CCSPs') can enhance the operations of FIs, and that FIs may leverage such a service to enhance their operations and service efficiency. The Outsourcing Guidelines also emphasise the protection of customer data, by requiring FIs to implement certain safeguards such as ensuring that the CCSPs have in place robust access controls to protect customer information.
Generally, any FI providing cloud computing services (i.e. acting as a CCSP) is required to comply with the PDPA (in particular, the obligation to implement reasonable security arrangements to protect personal data in its possession or under its control), as well as any applicable subsidiary legislation that may be enacted from time to time, and any applicable sector-specific data protection frameworks to the extent that CCSPs provide cloud services to customers operating in these sectors.
As for other organisations, according to the new chapter on cloud services in the Selected Topics Guidelines, organisations should ensure that the CCSPs engaged by the organisation will only transfer data to locations with comparable data protection regimes to Singapore, or have legally enforceable obligations to ensure a comparable standard of protection for the transferred personal data. This should be provided for in the written contracts between an organisation and its CCSPs. An organisation may be considered to have taken appropriate measures to comply with the Transfer Limitation Obligation by ensuring that personal data may only be transferred to overseas locations with comparable data protection laws, or that the recipients (e.g. data centres or sub-processors) in these locations are legally bound by similar contractual standards. However, the onus nonetheless remains on the organisation to ensure compliance with the Transfer Limitation Obligation.
Furthermore, according to the Selected Topics Guidelines, industry standards like ISO 27001 and Tier 3 of the Multi-Tiered Cloud Security Certification Scheme could provide organisations with assurance of the CCSP's ability to comply with the Protection Obligation of the PDPA. If a contract between an organisation and its CCSP does not specify the locations to which a CCSP may transfer the personal data processed, the organisation may be considered to have taken appropriate steps to comply with the Transfer Limitation Obligation by ensuring that the CCSP based in Singapore is certified or accredited as meeting relevant industry standards, and that the CCSP provides assurances that all the data centres or sub-processors in overseas locations to which the personal data is transferred comply with these standards.
Notably, CCSPs are required to make reasonable security arrangements to protect personal data in their possession or under their control. While there is no one-size-fits-all approach to complying with this obligation, the guidance issued by the PDPC may be relevant in assessing whether a CCSP has fulfilled its obligation. For instance, the PDPC's Data Breach Guide sets out broad steps that organisations may consider taking in planning for and responding to data breaches, and the Electronic Medium Guide sets out several practices that organisations may adopt to protect electronic personal data.
In addition, while the following standards and guidelines are not legally binding per se, these standards and guidelines may also be relevant in assessing whether a CCSP has met the obligation to implement reasonable security arrangements to protect personal data in its possession or under its control under the PDPA:
- Multi-Tier Cloud Security Standard for Singapore (SS 584), a set of security standards issued by the Singapore Information Technology (IT) Standards Committee for voluntary adoption by CCSPs, which provides for three tiers of security certification (tier 1 being the base level and tier 3 being the most stringent).
- Cloud Outage Incident Response Guidelines ('COIR'), issued by the Info-communications Development Authority of Singapore (as the IMDA was previously known) on 26 February 2016 for voluntary adoption by CCSPs, which guides CCSPs in planning for and responding to cloud outages. The main objective of the COIR is to provide a tiered framework for transparency in cloud service providers' cloud outage incident response for cloud users. Under the COIR, cloud users would be able to opt for the appropriate tier of outage protection and data breaches notification so as to complement their own business continuity and IT disaster recovery capabilities, including fulfilling any legal and regulatory duties.
In terms of sector-specific requirements, where data breaches occur as a result of an IT security incident within the ambit of the TRM, FIs are required to inform the MAS within one hour of discovering the incident. Within a further 14 days, they are also required to submit a root cause and impact analysis report to the MAS, consisting of an analysis of the root cause of the incident, descriptions of the impact on the bank's compliance, operations, and service obligations, and a description of the remedial measures taken to address the root cause and consequences of the relevant incident.
Where such an IT security incident has occurred, FIs are also advised in the MAS TRM Guidelines that it is good practice to 'address public relations issues' in handling an IT incident, and hence to keep customers informed of any such incident. However, FIs are not required to notify the MAS or its customers in the event of a data breach that is not the result of an IT security incident.
As stated above, Part 6A of the PDPA provides for a Data Breach Notification Obligation. Section 26C provides for a duty to assess, which requires an organisation that has reason to believe that a data breach has occurred affecting personal data in its possession or under its control to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach.
Under Section 26D, where an organisation assesses that a data breach is a notifiable data breach, i.e. where the data breach:
- results in, or is likely to result in, significant harm to an affected individual; or
- is, or is likely to be, of a significant scale,
the organisation must notify the PDPC as soon as is practicable, but in any case no later than three calendar days after it makes the assessment.
Furthermore, unless an exception applies, organisations must, on or after notifying the PDPC, notify the individuals affected by a notifiable data breach, if the data breach results in, or is likely to result in, significant harm to an affected individual. The notification should be in the form and manner as prescribed and contain information to the best of the knowledge and belief of the organisation at the time.
The Personal Data Protection (Data Breach Notification) Regulations 2021 set out further implementing details relating to, for instance, the definition of a data breach resulting in significant harm to individuals (i.e. if the breach relates to prescribed types of data or circumstances), a data breach of significant scale (i.e. if the number of affected individuals is 500 or more), and the requirements of a notification to the PDPC and to affected individuals.
The Guide on Managing and Notifying Data Breaches provides further guidance to help organisations to identify, prepare for, and manage data breaches.
In addition, if the FI is the owner of a CII, designated as such by the Commissioner of Cybersecurity, Section 14 of the Cybersecurity Act, read together with the Cybersecurity (Critical Information Infrastructure) Regulations 2018 ('CII Regulations'), provides that the owner of a CII must notify the Commissioner when a cybersecurity incident has occurred in relation to a CII or a system connected to a CII. Such cybersecurity incidents include, but are not limited to, unauthorised hacking, installation or execution of unauthorised software or code, man-in-the-middle attacks, session hijacks, or other unauthorised interceptions of communications between the CII and authorised users, and denial of service attacks. A CII owner must notify the Commissioner of the occurrence of a prescribed cybersecurity incident within two hours after becoming aware of the occurrence, and provide, within 14 days of the initial submission, the following supplementary details:
- the cause of the cybersecurity incident;
- its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.
The collection or processing of personal data by Fintech businesses is regulated by the PDPA, which is the general baseline personal data protection law that applies to all private sector organisations.
Depending on the type of activity the Fintech business undertakes, there may be certain laws and regulations that apply. For example, under the FAA, a person advising others by issuing or promulgating research analyses or research reports, whether in electronic, print or other form, concerning any investment product, is required to either be authorised to do so under a financial adviser's licence issued under the FAA, or be an exempt financial adviser. To this end, MAS has indicated that regulation should not 'front-run' innovation, but that it would monitor new Fintech offerings, and would evaluate if there is a need to step in and regulate.
Furthermore, the MAS implemented a Fintech Regulatory Sandbox in 2016 in order to encourage Fintech innovation. The MAS subsequently introduced the Fintech Regulatory Sandbox Express in 2018. These are both special licensing regimes for Fintech entities. In essence, the Fintech Regulatory Sandbox and the Fintech Regulatory Sandbox Express enable FIs to operate with relaxed legal and regulatory requirements for the duration of the sandbox. With effect from 1 January 2022, the MAS has introduced the FinTech Regulatory Sandbox Plus, which includes three enhancements to provide more effective one-stop assistance for firms looking to introduce innovative products and services that are regulated by the MAS, namely:
- expansion of eligibility criteria to include early adopters of technology innovation;
- streamlined application with financial grant for first movers of technology innovation; and
- eligible applicants may participate in the Deal Fridays programme, a platform for deal-making opportunities.
Separately, the MAS also issues regulatory instruments from time to time such as guidelines, which provide interpretative guidance on the application of existing legislation. These include, for example, the MAS' Guide to Digital Token Offerings.
Penalties issued by the PDPC
As stated above, the PDPC may, if it is satisfied that an organisation is not complying with any of the Data Protection Provisions, give the organisation such directions as the PDPC thinks fit in the circumstances to ensure the organisation's compliance with that provision, which may include any or all of the following directions:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
- if it is satisfied that the organisation has intentionally or negligently contravened the Data Protection Provision, pay a financial penalty of up to SGD 200,000 (approx. €137,030) in case of an individual or in any other case, SGD 1 million (approx. €685,180).
The Amendment Act will empower the PDPC to impose higher financial penalties. In particular, the PDPC will be empowered to impose a financial penalty on organisations in breach of the Data Protection Provisions in the PDPA of up to a maximum of 10% of the organisation's annual turnover in Singapore (if its annual turnover in Singapore exceeds SGD 10 million (approx. €6.85 million)), or up to SGD 1 million (approx. €685,180) in any other case. An organisation's annual turnover in Singapore will be ascertained from the most recent audited accounts of the organisation that are available at the time the financial penalty is imposed. The Ministry of Communications and Information has indicated that the enhanced financial penalty provisions will take effect from 1 October 2022.
Penalties issued by the MAS
As part of its licensing powers over the various classes of FIs in Singapore, the MAS also retains the power to revoke any licences issued to FIs. Grounds of revocation include, but are not limited to, contraventions of the provisions of the MAS Act. As each of the governing acts contains provisions permitting the MAS to issue notices regulating the operation or activities of the class of FIs concerned, and requires FIs to comply with said notices, failure to comply constitutes grounds for the MAS to consider revoking the licence of the FI concerned.
The penalties for violation of banking secrecy are a fine of up to SGD 250,000 (approx. €170,250) for entities, and a fine of up to SGD 125,000 (approx. €85,690) and/or imprisonment of up to three years for individuals. In addition, directors or executive officers of banks who fail to take reasonable steps to secure the bank's compliance with the provisions of the Banking Act, including those on banking secrecy, may also be liable for a fine of SGD 125,000 (approx. €85,690) and/or imprisonment of up to three years.
FIs are under at least three distinct obligations in relation to AML/CFT requirements, as governed by the CDSA and the TSOFA, as well as the MAS' requirements.
Firstly, the CDSA and the TSOFA contain mandatory reporting obligations for FIs when they suspect that money laundering or terrorist financing is taking place. Failure to report such transactions currently incurs a fine of up to SGD 20,000 (approx. €13,710) under the CDSA, or SGD 50,000 (approx. €34,270) under the TSOFA.
Secondly, the CDSA and TSOFA also contain prohibitions against tipping-off, i.e. the disclosure of information in such a way as to prejudice a proposed or ongoing investigation. Tipping-off under both the CDSA and the TSOFA is punishable with a fine of up to SGD 250,000 (approx. €171,420) and/or imprisonment (up to three years under the CDSA / five years under the TSOFA).
Thirdly, the MAS Act specifically empowers the MAS to issue directions relating to AML/CFT obligations, and failure by an FI to comply with these directions is liable for a fine of up to SGD 1 million (approx. €685,700), and in the case of a continuing offence, to a further fine of SGD 100,000 (approx. €68,570) for every day or part thereof for which the offence continues. The MAS is also empowered to compound offences under the MAS Act, for a maximum sum of half the maximum fine prescribed.
These obligations are in addition to the penalties for actually participating in money laundering and terrorist financing by dealing with the property concerned in criminal conduct or which is connected to terrorist activity.
An example of the penalties incurred for AML/CFT breaches may be found in the case study of BSI Bank Limited. The MAS announced in May 2016 that it would withdraw the merchant bank status of BSI Bank (i.e. revoke its license) for serious breaches of AML requirements, poor management oversight of the bank's operations, and gross misconduct by some of the bank's staff.
The MAS also imposed on BSI Bank financial penalties amounting to SGD 13.3 million (approx. €9.12 million) for 41 breaches of MAS Notice 1014 relating to AML/CFT requirements. The breaches include failure to perform enhanced customer due diligence on high-risk accounts, and failure to monitor for suspicious customer transactions on an ongoing basis. Lastly, the MAS also referred to the AGC the names of six members of BSI Bank's senior management and staff to evaluate whether they have committed criminal offences.
FIs should note that the Serious Crimes and Counter-Terrorism (Miscellaneous Amendments) Act 2018 ('SCCT Act') severely increases the penalties for money laundering and terrorist financing under the CDSA and TSOFA, although it does not otherwise substantively modify the AML/CFT obligations on FIs. The SCCT Act commenced on 1 April 2019.
Under the PS Act, the MAS has the broad power to revoke or suspend a licensee's licence if, amongst others, it appears to the MAS that the financial standing of the licensee and/or the manner in which the licensee's business is being conducted is not satisfactory, or if an individual fails to comply with provisions in the PS Act or in any notice in writing issued by the MAS under the PS Act.
In addition, it is an offence under the PS Act for an individual who, with the intent to prevent, delay or obstruct an audit or examination, to:
- destroy, conceal or alter any book relating to the business of a licensee; or
- send, or conspire with any other person to send, out of Singapore any book or asset of any description belonging to, in the possession of or under the control of the licensee.
11. Additional Areas of Interest
ChongKin Lim, Managing Director
Drew & Napier, Singapore