In the last post, I complained that the PDPC was conspicuously missing in action in the SingHealth data breach.
Well, there is something now:
The spokesman said that SingHealth and the Integrated Health Information Systems, the technology outsourcing arm of public hospitals here, are corporate entities.
This means that they are bound by the Personal Data Protection Act, which requires organisations to put in place adequate security measures to protect consumers’ personal data. Organisations flouting the Act, in force since July 2014, can be fined up to $1 million.
“The PDPC will take into account the Committee of Inquiry’s report in its determination and assessment of any appropriate action to be taken,” said the MCI spokesman.
It sounds pretty passive, but I reckon that this is the first step.