Data Protection Report - Norton Rose Fulbright

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.

This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.

Draft Singapore Cybersecurity Bill

The draft Cyber Bill was unveiled on 10 July 2017. On the same day, the Cyber Security Agency (CSA) and the Ministry of Communications and Information (MCI) launched a public consultation to seek views and comments from the industry and members of public on the Cyber Bill. Originally scheduled to end on 3 August 2017, the public consultation period was extended due to widespread interest in the legislation. The Cyber Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the CSA in April 2015, the launch of Singapore’s Cybersecurity Strategy in October in 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year (see our publication on the amendments).

Who is covered – Critical Information Infrastructure

A key thrust of the Cyber Bill is the identification of 11 critical sectors as providing “essential services” and the ability of the CSA to designate as Critical Information Infrastructure (CII) any computer or computer system necessary for the continuous delivery of essential services. Such provision apply to both the public and the private sector.

The 11 critical sectors identified are:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

As mentioned, computers and computer systems that are necessary during times of national emergency may be designated as CIIs – and so such designation could potentially cover any industry.

The CSA may also designate a person as the owner of a CII, which the Cyber Bill proposes to define as a person who has effective control over the operations of the CII and has the ability and right to carry out changes to, or is responsible for, the continuous functioning of the CII. The CSA may require certain information in advance from the owner to determine if a system is a CII. The designation of systems as CII will be treated as an “official secret” under the Official Secrets Act, and will not be divulged to the public.

Duties of CII owners

CII owners are subject to the following statutory duties to:

  • provide information
  • comply with codes and directions
  • report incidents – e., breach notification to the CSA
  • conduct audits by an auditor approved by the Commissioner of Cybersecurity (the Commissioner)
  • conduct risk assessments
  • participate in exercises

In addition, CII owners are required to comply with any code of practice or relevant standard issued under the Cyber Bill. Failure to comply with these duties would be a criminal offence – due to the national security implications of non-compliance.

CSA is the central cybersecurity authority

The Bill proposes to vest the extensive supervisory and regulatory powers on a Commissioner of Cybersecurity (the Cyber Commissioner), which is a position that will be held by the Chief Executive of the CSA.

CSA – extensive enforcement powers

Apart from its supervisory powers over CIIs, the Cyber Bill also confers on the Cyber Commissioner significant powers to respond to, and prevent, Singapore cybersecurity incidents. These powers include the power to examine persons, produce evidence, and where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities, take steps to assist in the investigation and perform a scan of a computer or computer system to detect cybersecurity vulnerabilities. Property may also be seized. These powers apply to all computer or computer systems in Singapore, and are not limited to CIIs.

The Minister has the power to impose extraordinary emergency cybersecurity measures and requirements if the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the essential services or national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. This includes the power to authorize a specified person to direct another person to provide information “relating to the design, configuration or operation of any computer, computer program or computer [service][system]” if it is necessary to identify, detect or counter any such threat.

Companies and institutions should therefore be prepared for such actions, and have the necessary protocols in place to facilitate and respond to these investigations and regulatory actions.

Assistant Cyber Commissioners – from sector leads

The Cyber Bill grants the Minister the power to appoint as Assistant Commissioner public officers from other Ministries or from other regulators. This is an unusual feature as certain public officials would be double-hatting as an Assistant Commissioner of Cybersecurity (Assistant Cyber Commissioner) while being an official from another Ministry or statutory body performing a similar regulatory/supervisory function.

Assistant Cyber Commissioners are, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each sector. Therefore, CII owners should already know the Assistant Cyber Commissioners from existing regulatory relationships. For example, the Assistant Cyber Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CII owners when dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.

Regulating cybersecurity service providers

There is a proposal to license and regulate cybersecurity service providers. It is recognized that since cybersecurity service providers are given access to customer systems and networks, they gain a deep understanding of system vulnerabilities, and that there should be some assurance concerning ethics and standards these providers should meet. The Cyber Bill proposes a licensing framework for cybersecurity service providers for two types of licences – investigative cybersecurity services (penetration testing) and non-investigative cybersecurity services (managed security operations). The list of licensable services is set out in the Second Schedule.

Licensed providers will need to meet certain basic requirements: key executive officers are to be fit and proper; retention of service records for 5 years; compliance with a code of ethics; and ensuring that employees performing the services are fit and proper. These requirements will also apply to overseas providers.

At this stage, it is not clear how the CSA would evaluate applicants for licensing, and the CSA will have a further consultation with industry on detailed requirements before it is implemented.

Comment

Singapore’s strategy of being a smart nation and financial centre has at its core a resilient and strong foundation in cybersecurity. The Cyber Bill helps ensure that this objective is achieved by focusing on the continuity of essential services in Singapore. It also comes at a time when the business world is reeling from the impact of the WannaCry and NotPetya attacks.

The Cyber Bill takes a holistic approach to the regulation of cybersecurity by giving the CSA oversight of the regime and enforcement powers to police the regime; providing a framework for regulation of critical information infrastructure systems, including mandatory breach notification; and establishing a licensing framework for cybersecurity service providers.

The consultation paper notes that the regulatory framework will be flexible to take account of the unique circumstances of each sector. It will also require a proactive approach to enhance cybersecurity before threats and incidents happen – based on the risk profile of the sector. Offences and penalties are to ensure compliance with the Cyber Bill rather than punish those that suffer from cyberattacks.

Proposed changes to the PDPA

Hot on the heels of CSA and MCI’s public consultation on the draft Cyber Bill, the Personal Data Protection Commission (PDPC) announced a public consultation on proposed changes to the PDPA on 27 July 2017.

In summary, the PDPC proposes to make two significant changes to Singapore’s data protection regime:

  1. To relax the requirement for organisations to obtain consent before processing personal data, making it easier for online businesses to collect and share data and encouraging the growth of new technologies such as Internet of Things devices and artificial intelligence; and
  2. To introduce a mandatory breach notification requirement, in response to the increasing frequency of cyberattacks and personal data theft.

The proposed changes reflect the twin challenges Singapore faces in its push to transition to the digital economy.

Proposed Relaxation of the Consent Requirement

Under the current data protection regime, organisations must obtain consent from individuals before collecting, using or disclosing their personal data. Consent is not required in limited circumstances, for example, where consent is deemed, or where it is necessary for any investigation or proceedings.

The PDPC proposes to allow organisations to process personal data without consent:

a. Where it has notified the individual of the purpose for which his personal data was processed. The organisation must meet two conditions to rely on this exception:

  • It is impractical for the organisation to obtain consent; and
  • The collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.

b. Where the processing is necessary for legal or business purposes. An organisation relying on this exception need not notify the individual that his personal data has been processed, if it can meet two conditions:

  • It is not desirable or appropriate to obtain consent from the individual; and
  • The benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.

While consent is not required in these two exceptions, the organisation still has to conduct a risk and impact assessment of the consequences of processing the data without consent.

Proposed mandatory breach notification

Under the current data-protection regime, organisations are not required to notify any party following a data breach. Instead organisations are encouraged to voluntarily notify the PDPC in the event of a data breach that may cause public concern or where there is a risk of harm to a group of affected individuals (see PDPC’s Guide to Managing Data Breaches). This has led to uneven notification practices across organisations.

In light of Singapore’s smart nation initiative and its push towards a digital economy, the PDPC proposes to introduce a mandatory data breach notification requirement under the amended PDPA. The salient features of the PDPC’s mandatory breach notification are set out as follows:

a. Criteria for notification:

  • Notification to both affected individuals and PDPC if the data breach poses any risk of impact or harm to affected individuals.
  • Notification to the PDPC if the scale of the data breach is significant even if the risk of impact or harm is minimal. In this regard, the PDPC has proposed defining a breach involving 500 or more affected individuals as being of a significant scale so as to require notification to the PDPC.

b. Concurrent notification: For organisations that are currently required to notify their sectoral regulator or a law enforcement agency in the event of a data breach under other written law, the PDPC proposes to require such organisations to concurrently notify the sectoral regulator / law enforcement agency and the PDPC in accordance with the notification requirements under the other written law. As for organisations required to notify affected individuals under other written law, they will be considered to have fulfilled their breach obligations under the PDPA if the affected individuals have been notified according to the requirements under the other written law.

c. Obligations of data intermediary: The PDPC proposes to require data intermediaries (DI) to immediately inform the organisation that it processes the personal data on behalf of in the event the DI suffers a data breach, regardless of the impact or scale of the breach. The organisation will then be responsible for complying the mandatory breach notification requirements under the PDPA.

d . Exception and exemptions from breach notification: The PDPC proposes that the exclusions under section 4 of the PDPA should apply to the proposed breach notification requirement. In addition, the PDPC also proposes two further exemptions for organisations from the requirement to notify affected individual: where notification to affected individuals is likely to impede law enforcement investigations, and where the breached personal data is encrypted to a reasonable standard. Further, the PDPC may also further exempt organisations from the breach notification requirements in order to cater to exceptional circumstances where notification to affected individuals may not be desirable and the PDPA and the other laws do not provide for such notification.

e. Time frame for notification: In respect of affected individuals, the PDPC proposes that organisations notify them “as soon as practicable”, and does not impose any fixed time cap for such breach notification. In respect of breach notification to the PDPC, the “as soon as practicable” standard similarly applies, subject to a time-cap of no later than 72 hours from the time the organisation becomes aware of the data breach.

Comment

In our view, the proposed change to the consent requirement is welcome, albeit somewhat surprising, given the trend of increasing regulation of personal data in recent years. It would give organisations flexibility in deciding whether they wish to obtain consent in any given situation.

However, clarification is needed in respect of several terms used in these exceptions (“impractical”, “desirable”, “benefits to the public”). For instance, an organisation may claim that collecting data is necessary for any “business purpose” (including to lower costs), and to therefore do away with the need to obtain consent. While encouraging for digital businesses, the proposals require refinement by the PDPC in order to avoid tipping the balance against individuals and their ability to control the use of their personal data.

Similarly, refinement by the PDPC is also needed in respect of its proposal to introduce mandatory breach notification.

First, the proposal to require notification to both affected individuals and to the PDPC if the data breach poses any risk of impact or harm to the affected individuals may be too onerous. There are certain situations where the impact or harm of a data breach to affected individuals may be minimal or insignificant, e.g., if the nature of the breach itself is unlikely to result in actual access or use of the data by a third party (e.g., in a ransomware attack) or if the data breach was discovered early and sufficient mitigatory measures had been put in place to minimize such risks. Instead, an approach based on materiality may be more practicable and relevant.

Second, the proposal to designate a breach involving 500 or more individuals as a “significant” breach is arbitrary. The number of individuals affected by a breach may not necessarily be determinative of any systemic issue within any organisation.

Third, the proposed concurrent application of PDPA data breach notification requirements together with similar obligations imposed under other written law is onerous and curiously out of sync with the approach adopted proposed by MCI and the CSA in the draft Cyber Bill, i.e., the appointment of Assistant Cyber Commissioners that are “sector leads” (see above). Organisations that are currently subject to breach notification requirements imposed by other regulators, e.g., the Monetary Authority of Singapore in respect of financial institutions, would already be subject to supervision on such matters. Concurrent breach notification would only serve to increase the compliance burdens of such organisations, even if requirements are harmonized. It should be noted that organisations faced with a data breach would be in crisis-resolution mode; resources should be directed at managing and resolving the breach, rather than managing requests for information from multiple regulators. In our view, the PDPC should consider aligning its approach to concurrent data breach notification with that proposed in the draft Cyber Bill, through the appointment of liaisons that are officers from “sector leads”. This would prevent the wastage of precious resources in a crisis-environment caused by concurrent reporting to various regulators on overlapping matters.

Conclusion – what these legislative changes may mean for your organization

Organizations operating in a critical sector and potentially owning CIIs should put in place an overarching cybersecurity policy tailored to the organization’s needs and the requirements of the regime. This policy should set out the organization’s approach to meeting its legal and regulatory obligations, and specify who is accountable for the CII within the organization. Ideally, this person should be at C-suite level.

As a result of the Cyber Commissioner’s powers to respond to, and prevent, cybersecurity incidents, and the mandatory breach notification requirement proposed by the PDPC, we recommend that all organizations should have in place a comprehensive cyber-response plan that includes protocols for responding to, and cooperating with, requests from the Cyber Commissioner / PDPC on cybersecurity and cyber breaches. This will minimize disruption to operations and ensure compliance with regulatory obligations.

Cost of compliance will undoubtedly increase – in particular with respect to ensuring compliance with the mandatory breach notification requirement and the new licensing regime for cybersecurity service providers that will likely be passed onto customers. However, given the impact of recent cyberattacks on business such as WannaCry and the NotPetya ransomware, this is likely the new reality and cost of doing business in a technology enabled world.

On the data privacy front, while the relaxation of the consent requirement will be a welcome change for businesses, organisations should still be aware that regulatory risks remain and that significant resources are still required to ensure compliance with the PDPA.