Singapore's Data Privacy Updates

On 29th January 2021, the Personal Data Protection Commission (PDPC) announced that there would be amendments to the Singapore Personal Data Protection Act (PDPA). These revised regulations were to come into play on 1st February 2021, just three days after the announcement. Although it seems like schools in Singapore were not given nearly enough time to prepare for these amendments, the PDPC introduced the regulations in phases, giving schools and other organisations the opportunity to uphold their compliance with the regulations. Data privacy laws in different parts of the world often influence others. It is important to discuss the regulations that have been put in place so that international schools in Singapore can ensure that they are following regulations appropriately.

What were the key changes in the PDPA?

The first major point to discuss within Singapore’s PDPA is the mandatory data breach notification. This, in layman’s terms, means that your school must notify the PDPC of any data breach that either results in, or is likely to result in, significant harm to the data subjects that are affected. It also includes the scale of the breach, for instance if there were a significant amount of data subjects who were affected by the breach, your school would also be required to notify the PDPC. This enforces an obligation for schools in Singapore to uphold accountability in their data privacy programmes, being transparent with the personal data that they process.

Authorities present to schools what kind of data is considered to be high priority in protecting. These include:

  • Authentication data relating to an individual’s account with an organisation
  • Credit card information
  • Bank account number
  • Creditworthiness of an individual
  • Salary information

Alongside the obligations for schools to report when there has been a breach in their systems, there is also a timeframe in which they must adhere to when they are doing so. The PDPA amendments state that the breach notification must be reported within three days of the assessment being performed. When faced with a data breach, some schools may not want to release the results of the audit in order to protect their reputation. Where reputational damage is a great fear for nearly all schools, it is exponentially less important than the protection of your data subjects.

Amendments to privacy laws are usually in reaction to other countries’ law changes. For example, the updated provisions for Singapore are already included in the European GDPR, meaning that we can look to European countries and understand what procedures they have in place to take action against the regulations. Hear from Catriona Thompson, Bursar at Kingham Hill school and her journey to compliance in the UK in our Education Privacy Magazine.

Download Full Magazine Now


As mentioned before, schools are being made to hold themselves accountable for when things go wrong. In circumstances where they decide to neglect their obligations to their data subjects and not report breaches, PDPA enforcement will ensure that they are issued penalties for their negligence. These fines can be authorised in the instance that a school presents “(i) knowing or reckless unauthorised disclosure of personal data; (ii) knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and (iii) knowing or reckless unauthorised re-identification of anonymised data.”

In many countries, the only way that you will be penalised for negligence of your obligations is through the use of fines. Under the GDPR for example, these fines can either be EUR 20 million or 4% of the organisation's annual turnover, whichever is higher. However, the PDPA offers a greater deterrent to prevent schools from neglecting their data privacy obligations. In Singapore, schools can be issued a fine of no more than SGD 5,000, however this is expected to be pushed to SGD 1 million or 10% of annual turnover. Furthermore, the organisation can be issued a prison sentence of no longer than two years.

The severity of the consequences for not complying with the PDPA in Singapore amplify how crucial it is that your school ensures its compliance with the data privacy requirements.

Learn how 9ine is working with German European School Singapore to advance their data protection compliance programme in our case study.

Download The Case Study


A substantial part of compliance in schools is centred around understanding of obligations. Whether your school is at the beginning of its data protection compliance programme, or well into it, 9ine’s training services are able to educate at all levels. Alongside this, we understand that there is a lack of applicable and instructional training focussed on data privacy and technology hardening. The 9ine Technical Academy and the 9ine Privacy Academy are designed to give you instructional, applicable, and understandable guidance towards data privacy and system hardening. In utilising this training course, your school will be able to ensure that you are accounting for PDPA requirements and more.

View the Academy Schedules


If you would like to learn more about how 9ine can help your school with its data privacy compliance programme

Book a Consultation

Let’s Stay in Touch

Subscribe to our newsletter to receive product announcements & other updates.