Last review date: 15 January 2025
☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
Last review date: 15 January 2025
The Cybersecurity Act 2018 (CSA)
Last review date: 15 January 2025
Disclosure of non-personal data is governed by obligations of confidence as imposed by general common law. While Singapore has no general legislation governing non-personal data, sector-specific laws may apply.
Last review date: 15 January 2025
Yes.
Most of the major amendments to the PDPA came into effect in February 2021 and October 2022. The amendment that has yet to come into effect is the right to data portability and there is currently no indication of when this right will come into force.
The Cybersecurity (Amendment) Bill was passed on 7 May 2024 to amend the CSA in a manner that ensures Singapore's cybersecurity laws are able to address challenges in cyberspace and that the laws remain applicable and fit for purpose. Key changes include the expansion of regulated entities beyond Critical Information Infrastructures, the broadening of reporting obligations, and revisions to the penalty regime. The Cybersecurity Agency of Singapore may now impose civil penalties in place of criminal penalties. The maximum amount of penalties that can be imposed has significantly increased to up to 10% of the annual turnover of the entity in Singapore.
The Ministry of Health (MOH) also conducted a public consultation from 11 December 2023 to 11 January 2024 on the proposed Health Information Bill (HIB). Healthcare providers contributing to or accessing the National Electronic Health Record (NEHR) will have to comply with data security and cybersecurity requirements set out in the HIB. These requirements build on existing data security and cybersecurity guidelines and standards, such as the MOH's Healthcare Cybersecurity Essentials Guidelines. The HIB is expected to be passed in Parliament in 2025.