Parliament Sitting on 6 January 2020


45. Mr Chong Kee Hiong:
To ask the Minister for Communications and Information regarding incidents of personal data lost to hackers due to data privacy law breaches (a) what is the number of incidents in the public and private sectors respectively in each of the last three years; (b) what is the number of persons affected annually; and (c) whether the Ministry will consider implementing a registration and licensing scheme for software services providers, similar to the requirements imposed on accounting and legal firms, financial institutions and medical services providers.


Mr Speaker, the Personal Data Protection Commission (“PDPC”) investigated five cases in 2017, 13 cases in 2018 and 16 cases in 2019, involving private sector organisations due to hacking.  In the public sector, four cases of data breaches due to hacking were reported in 2017 and three cases in 2018. No case was reported in 2019.  These numbers include cases where malware was planted, and databases were held ransom or data was exfiltrated.

2. Of these reported cases, in some instances completed investigations have demonstrated that personal data was exfiltrated due to hacking and breach of the PDPA.  These affected 48,000 individuals in 2017 and 1.5 million individuals in 2018.  The number for 2018 comprises primarily the data breach involving Singapore Health Services Pte Ltd and its data intermediary, Integrated Health Information Systems Pte Ltd.  For similar cases involving the public sector, 35,000 individuals were affected in 2017, and 900 individuals were affected in 2018.    

3. Under the Personal Data Protection Act (“PDPA”), organisations are required to put in place security measures to safeguard the personal data in their possession or control.  Data security requirements are also imposed on public agencies through the Public Sector (Governance) Act and the Government’s Instruction Manual on ICT.

4. Both private and public sector organisations have to fulfil their respective obligations regardless of whether they decide to outsource any functions to software services providers.  If they do so, they should carry out due diligence to assess the capability, track record and suitability of software services providers.    

5. The PDPA requires each private sector organisation to appoint a Data Protection Officer (“DPO”) to ensure that the organisation complies with the PDPA.  To better safeguard themselves against data breaches, organisations should firstly ensure that their DPOs are trained to develop and implement policies and practices for the organisations to meet their obligations under the PDPA.  Secondly, they should register their DPOs with PDPC to keep abreast of relevant personal data protection developments.  Thirdly, organisations can also apply for IMDA’s Data Protection Trustmark, to verify that they conform to personal data protection standards and best practices. 

Business Sentiment Poll 2020 Q2 News Others 13 Jul 20
Poll on Budget Measures 2020 News Others 30 Jun 20
Singapore strengthens digital collaboration and linkages with Shenzhen to create new market opportunities Press Releases Infocomm Media 17 Jun 20
New Chief Executive appointed to Infocomm Media Development Authority Press Releases Infocomm Media 15 Jun 20
MCI's response to PQ on Parliament livestream Parliament QAs Others 05 Jun 20
MCI's response to PQ on national data usage volume Parliament QAs Infocomm Media 05 Jun 20