Parliament Sitting on 3 March 2021


12. Mr Shawn Huang Wei Zhong:
To ask the Minister for Communications and Information (a) how do the existing mechanism and enforcement ensure that adequate cybersecurity measures are taken by companies that are in possession of customer data; and (b) what are the follow-up procedures after a loss of data is detected.


The Personal Data Protection Act, or PDPA, requires organisations that collect, use or disclose personal data in Singapore to put in place reasonable measures to protect the personal data in their possession or control.  This includes cybersecurity measures to secure personal data held in IT systems. 

2 To assist organisations, the Personal Data Protection Commission, or PDPC, provides guidance and advice in three areas.  One, adopting a ‘data protection by design’ approach when developing IT systems to ensure appropriate cybersecurity measures.  Two, addressing IT risks and observing good practices through guides such as “Electronic Personal Data Protection for Organisations”.  Three, managing and remediating data breaches effectively, through a guide that sets out breach containment and impact and risk assessment.  The Government also actively supports organisations to strengthen their cybersecurity posture against data breaches.  Organisations can leverage resources developed by Cyber Security Agency, or CSA, such as the Be Safe Online handbook, which details six essential cybersecurity principles for companies to better manage cyber risks.  

3 In event of a data breach, organisations must now notify the PDPC and affected individuals where the data breach affects at least 500 affected individuals, or there is a risk of significant harm such as involving loss of financial information.  Organisations may also seek help from CSA’s Computer Emergency Response Team, which can provide preliminary technical cybersecurity assistance and advice on containment and recovery actions.  The PDPC monitors data breaches closely, and will take appropriate enforcement actions including meting out proportionate financial penalties.  

4 Cybersecurity and data protection are our collective responsibility.  By staying vigilant and adopting the necessary cybersecurity measures, we can safeguard our digital assets and data, ensuring a safer cyberspace for all. 

MCI response to PQ on Take-up Rates for Various Digital Support Programmes and Ensuring Availability of Digital Learning Devices for Students Parliament QAs Infocomm Media, Public Comms, Digital Readiness 04 Jul 22
MCI response to PQ on Steps to Protect Singapore's Critical Infrastructure from Malware Threat Parliament QAs Cyber Security 04 Jul 22
MCI response to PQ on Penalties for Internet Service Providers for Fault Repairs Taking Longer than 24 Hours Parliament QAs Infocomm Media, Public Comms 04 Jul 22
MCI response to PQ on Avenues of Recourse when Social Media Organisations Do Not Comply with Government's Directions Parliament QAs Digital Defence, Public Comms 04 Jul 22
MCI response to PQ on Programmes to Train Seniors to Adopt Digital Services Including Making Online Purchases and Using Digital Banking Services Parliament QAs Digital Readiness, Infocomm Media, Public Comms 04 Jul 22
Speech by Dr Janil Puthucheary, Senior Minister of State, Ministry of Communications and Information, at Singapore Tamil Youth Conference on 2 July 2022 Speeches Public Comms 02 Jul 22