From the local papers:

An unprecedented cyber-attack on Singapore’s largest healthcare group SingHealth saw the personal data of 1.5 million patients stolen, including that of Prime Minister Lee Hsien Loong… The hackers stole personal records such as the names, national registration identification card numbers, addresses, genders, race and dates of birth of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015 to July 4 this year.

By way of high scores, this does appear to be the most significant data breach in Singapore, in terms of how many people are affected and the sensitivity of the data stolen. It is repeatedly emphasized in local media that this is likely to be a ‘state-sponsored attack’. A Committee of Inquiry will be convened to “look into the matter and recommend measures to better secure public-sector IT systems against similar attacks”.

Am I the only one who thinks this is not just a cybersecurity but also a data protection issue?

Maybe, because there has been radio silence from the Personal Data Protection Commission thus far.

There’s very little doubt that if there is an investigation and a decision by the PDPC on this data breach, this would be of a scale that the PDPC has never faced before. To give a sense of this, in the K-Box decision (which remains the high score winner of a penalty of $50,000), the data breach numbered over 400,000 K-Box members. Singhealth’s breach is nearly four times that.

So what are the possible explanations for the non-applicability of the PDPA? Could it be that such informaton is collected “on behalf of a public agency” (given the repeated references to the “public” healthcare system)? Could it be that the provisions of other laws relating to the healthcare sector have overwritten the PDPA? I am really speculating here, but I do think that it would shock the man on the street to realise how easily the PDPA could be ousted from application.

In any case, while cyber security is relevant, there is clearly scope for data protection here. Cyber security may dictate measures that protect systems from users such as changing passwords, cutting off internet access and spotting spear-phishing emails, data protection principles will focus on transparency and placing emphasis on the data subjects. Data protection by design would seriously consider whether the data collected is really necessary for the operations — who should get access? What about retention?

In a world where the PDPC courageously forges ahead with professionalising the “profession” of a data protection officer, it is important to recognise that the legitimacy of the PDPA and the PDPC regulators is affected by such high profile events. The PDPC cannot turn away from this just because of legalese.