Cyber Security in Singapore

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

Yes. Under the Personal Data Protection Act 2012 (PDPA), it is an offence to collect personal data without the data subject’s consent, unless an exception applies. It is also an offence under the PDPA for a person to make a request to obtain access to or to change the personal data about another individual, which is in the possession or under control of an organisation, without the authority of that individual. Under the Computer Misuse and Cybersecurity Act (CMCA), it is an offence to knowingly cause a computer to perform any function for the purpose of securing access without authority to any data held in any computer. Further, a plaintiff may make a claim under tort for, amongst others, conversion or breach of a duty of confidentiality.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

There are various possible mechanisms, depending on the circumstances:

  • The matter may be referred to the police for criminal prosecution via a complaint. While the assistance of the police may be sought, the complainant strictly has no control over the conduct of the matter by the police and has no right to request information or documents from the police. It is within the police’s discretion whether it chooses to reveal anything to the complainant.
  • Civil proceedings for, amongst others, breach of confidence may also be commenced. As part of the final relief in such civil proceedings, the complainant may seek an injunction for the delivery up, return and/or deletion of the data which has been accessed without authority, damages and/or an account of profits. There are also various interim measures or forms of injunctive relief available, for example:
    • an application for a search and seizure order, for permission to search, inspect and either copy or remove documents in the possession of the defendant(s), when there is (amongst other requirements) a grave danger that the defendant(s) will dispose of or destroy incriminating evidence in his/her possession. These documents which are seized are not ordinarily provided to the plaintiff immediately, but an order may be made for inspection by the plaintiff of those documents;
    • an application for an interim injunction to, amongst other things, restrain the defendant(s) from using and/or disclosing such data pending the final resolution of the civil proceeding;
    • the process of general and/or specific discovery, interrogatories and/or further and better particulars of pleadings, may be applicable.
    • If the identity of the person who either committed the data breach or is storing or has stored the data at some point in time is unknown and/or civil proceedings have not been commenced, the complainant may make an application for pre-action discovery or pre-action interrogatories against known parties who may be involved. Such applications, if successful, may require an individual or company to produce documents or answer questions so that either the identity of the potential defendant(s) may be determined or the plaintiff can assess whether there is a case to be made.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

Yes. There is a general rule that a party who obtains documents from the other party under compulsion (for example in discovery of documents in Court proceedings) may only use such documents for the conduct of his/her case, and that party is under an implied undertaking that he/she will not use the documents for any other purpose. In Singapore, there is some uncertainty about whether this implied undertaking ceases to apply once the document has been used in open court. In a recent High Court decision, the Court held that this is the case, but the party who discloses the document or the party who owns the document may apply to the court for the implied undertaking to continue. It remains to be seen whether this decision will be upheld by the Singapore Court of Appeal.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

Ordinarily no, but in some narrow circumstances a party may apply to the Court to seal the file or hold proceedings in private in order to keep the proceedings or their subject matter confidential. The Court’s jurisdiction to seal the file or hold proceedings in private arises out of its inherent jurisdiction, and the Court will only exercise such jurisdiction in exceptional cases.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?
Withdrawing, discontinuing or staying Singapore proceedings before the final determination of the action generally does not prevent a plaintiff from commencing subsequent proceedings either in Singapore again, or in another jurisdiction, for the same or substantially the same cause of action, unless the Court orders otherwise. However, if a particular issue has been heard and determined before such withdrawal, discontinuance or stay (for example, an issue in a preliminary determination), an argument may be raised that the parties are estopped from reopening that issue in Singapore or in another jurisdiction. Further, there may also be an issue if proceedings are actively occurring in two jurisdictions at the same time which cover the same issue(s). Whether the withdrawal, discontinuance or staying of the Singapore proceeding(s) has the effect of preventing one of the parties from commencing subsequent proceedings on the same issue will also depend on the laws of the other jurisdiction where the proceeding(s) may subsequently be commenced.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. Organisations must ensure that they protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Yes. Organisations must not transfer personal data outside of Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA. This would include entering into binding corporate rules or intercompany agreements.
Further, banking secrecy laws place certain restrictions on the disclosure of customer information by licensed banks in Singapore.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

No.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

No.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

Yes, regulated financial institutions must notify the Monetary Authority of Singapore as soon as possible, but not later than one hour, upon the discovery of a “relevant incident”, which includes IT security incidents which have a severe and widespread impact on the financial institution’s operations or materially impact the financial institution’s service to its customers.