Singapore Score: 80.21 | Rank: 6/24
Total Page:16
File Type:pdf, Size:1020Kb
COUNTRY: SINGAPORE SCORE: 80.21 | RANK: 6/24 Singapore has modern digital economy laws in most areas. For example, the Electronic Transactions Act 2010 implements the United Nations Convention on Electronic Contracting, which Singapore has ratified. Singapore also has up-to-date cybercrime laws and intellectual property laws. Singapore privacy law provides a balanced approach between protecting personal information and facilitating innovation in cloud computing and the digital economy. However, there have been some recent trends suggesting Singapore may be looking to establish unique national standards for the IT sector. For example, Singapore adopted the Singapore-specific Multi-Tier Cloud Security (MTCS) Singapore Standard, which arbitrarily assigns levels to cloud computing services imposing distinct requirements on particular levels. Singapore has some minor Internet censorship in place but generally promotes innovative business practices that are free from tariffs and government intervention. Singapore is generally committed to adopting international standards throughout the IT and security sectors. Singapore has excellent information (IT) infrastructure and is developing a national network to bring high-speed fiber to the home. There were very few changes in Singapore’s results from the previous Scorecard. The minor jump in the rankings — from seventh to sixth — is a result of the rebalancing of the Scorecard methodology. # SINGAPORE RESPONSE EXPLANATORY TEXT DATA PRIVACY (SCORE: 8.3/12.5 | RANK: 13/24) 1. Is a data protection law or 4 Singapore passed the Personal Data Protection Act in October 2012. regulation in place? 2. What is the scope and coverage Sectoral The legislation covers the private sector. It does not cover government agencies. of the data protection law or regulation? 3. Is a data protection authority in 4 The law established the Personal Data Protection Commission (PDPC) <www. place? pdpc.gov.sg>. 4. What is the nature of the data Sole The Personal Data Protection Commission (PDPC) <www.pdpc.gov.sg> is an protection authority? commissioner independent authority, with oversight provided by an appeals tribunal. 5. Is the data protection authority 4 Singapore has an active regulator, and although the legislation is relatively new, enforcing the data protection law there have been a number of high profile cases, including large financial penalties or regulation in an effective and <www.pdpc.gov.sg/commissions-decisions/data-protection-enforcement-cases>. transparent manner? Directions from the Personal Data Protection Commission (PDPC) <www.pdpc. gov.sg> may be registered with and enforced by a District Court in Singapore, and this is likely to be the main avenue for enforcement. 6. Is the data protection law or APEC framework The privacy law appears compatible with the EU Data Protection Directive. regulation compatible with & EU framework Singapore is a member of the Asia Pacific Economic Cooperation (APEC). The globally recognized frameworks law is compatible with the APEC Privacy Framework. In July 2017 Singapore that facilitate international data announced its intent to join the APEC Cross-border Privacy Rules (CBPRs) system. transfers? 7. Are data controllers free from 4 There are no registration requirements in Singapore. registration requirements? 8. Are there cross-border data transfer Detailed Organizations must ensure they have obtained the individual’s consent to transfer requirements in place? requirements personal information internationally, including additional consent if appropriate consent was not obtained at the time of the original collection. A large number of exemptions and additional mechanisms for transferring data internationally apply, including where an organization can ensure comparable protection in the target country (e.g., through the use of standard contractual clauses). The regulator has released additional guidance on compliance with these requirements <www.pdpc.gov.sg/Legislation-and-Guidelines/Guidelines/Main- Advisory-Guidelines>. 2018 BSA Global Cloud Computing Scorecard www.bsa.org/cloudscorecard | 1 COUntry: SINGAPORE # SINGAPORE RESPONSE EXPLANATORY TEXT 9. Are cross-border data transfers 4 The cross-border data transfer requirements in Singapore are transparent, flexible, free from arbitrary, unjustifiable, or and closely aligned with international best practice. disproportionate restrictions, such as national or sector-specific data or server localization requirements? 10. Is there a personal data breach 6 There are no data breach notification requirements in Singapore and the privacy notification law or regulation? law in Singapore is silent on the issue of data breach notification requirements. However, in May 2015, the Personal Data Protection Commission (PDPC) <www. pdpc.gov.sg> published the Guide to Managing Data Breaches, available from <www.pdpc.gov.sg/Legislation-and-Guidelines/Guidelines/Other-Guides>. The guide is a useful representation of voluntary best practice. 11. Are personal data breach Not applicable There are no data breach notification requirements in Singapore, but a voluntary notification requirements guideline is available. In May 2015, the Personal Data Protection Commission transparent, risk-based, and not (PDPC) <www.pdpc.gov.sg> published the Guide to Managing Data Breaches, overly prescriptive? available from <www.pdpc.gov.sg/Legislation-and-Guidelines/Guidelines/Other- Guides>. The guide is a useful representation of voluntary best practice. 12. Is an independent private right of 6 No private right of action is available for privacy breaches in Singapore. action available for breaches of data privacy? SECURITY (SCORE: 9.8/12.5 | RANK: 7/24) 1. Is there a national cybersecurity 4 Singapore’s Cybersecurity Strategy was released in October 2016 strategy in place? <www.csa.gov.sg/news/publications/singapore-cybersecurity-strategy>. 2. Is the national cybersecurity 4 The Cybersecurity Strategy is comprehensive, including expenditure targets and strategy current, comprehensive, implementation plans. It is based on “four pillars”: and inclusive? (1) Strengthen the resilience of Critical Information Infrastructures. (2) Mobilize businesses and the community to make cyberspace safer, by countering cyberthreats, combating cybercrime, and protecting personal data. (3) Develop a vibrant cybersecurity ecosystem comprising a skilled workforce, technologically advanced companies and strong research collaborations. (4) Step up efforts to forge strong international partnerships, given that cyber threats do not respect sovereign boundaries. 3. Are there laws or appropriate 4 The privacy legislation contains broad security requirements and some sector- guidance containing general specific rules are also in place (for example in the financial services sector). security requirements for cloud The security requirements in the privacy legislation are the subject of regular service providers? enforcement actions. Additional guidance on compliance has been published by the Personal Data Protection Commission (PDPC) <www.pdpc.gov.sg>, including the Guide to Securing Personal Data in Electronic Medium (January 2017), available from <www.pdpc.gov.sg/Legislation-and-Guidelines/Guidelines/Other- Guides>. 4. Are laws or guidance on security 4 Cybersecurity measures are promoted as a guide to good practice in Singapore, requirements transparent, risk- and compliance is not mandatory. The recommendations are written in general based, and not overly prescriptive? terms and are not prescriptive. In practice the regulator has been active in enforcing compliance with the broad security principle contained in the privacy legislation, including issuing large fines to organizations for non-compliance. 5. Are there laws or appropriate Guidance on security audits has been published by the Personal Data Protection guidance containing specific Commission (PDPC) <www.pdpc.gov.sg> in the Guide to Securing Personal security audit requirements for Data in Electronic Medium (January 2017), available from <www.pdpc.gov.sg/ cloud service providers that take Legislation-and-Guidelines/Guidelines/Other-Guides>. The Guide recommends account of international practice? that organizations “conduct regular ICT security audits, scans and tests to detect vulnerabilities and non-compliance with organisational standards.” Compliance is not mandatory. In addition, where the retention of electronic records comes under the jurisdiction and supervision of a government agency or statutory organization, it may impose additional requirements to ensure that it can continue to exercise proper supervision over the relevant activities and information that these records capture. The government also requires cloud service providers participating in government bulk procurement exercises for cloud services to comply with the security requirement in the Singapore-specific Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584 <www.imda.gov.sg/industry-development/infrastructure/ict- standards-and-frameworks/mtcs-certification-scheme/multi-tier-cloud-security- certified-cloud-services>. 2018 BSA Global Cloud Computing Scorecard www.bsa.org/cloudscorecard | 2 COUntry: SINGAPORE # SINGAPORE RESPONSE EXPLANATORY TEXT 6. Are international security standards, In 2016, Singapore re-joined the Common Criteria Recognition Agreement (CCRA) certification, and testing recognized as a Certificate Consuming Member <www.commoncriteriaportal.org>. as meeting local requirements? In practice certification is not required