SINGAPORE Law and Practice Contributed by: Lim Chong Kin, Drew & Napier LLC
curity (Amendment) Bill was passed in Singapore Parliament on 7 May 2024 to expand the Cybersecurity Agency of Singapore’s oversight beyond owners of CII to:

• essential service providers that use CII owned by a third party;
• major foundational digital infrastructure service providers;
• entities of special cybersecurity interest; and
• owners of systems of temporary cybersecurity concern.

As of 1 January 2025, the amendments have yet to come into force.

With the increasing adoption of IoT solutions amongst various stakeholder groups, including consumers, enterprises and governments, organisations that deploy IoT projects or solutions in the essential sectors discussed above may wish to pay particular attention to the possibility of their systems being designated as CII and subjected to the obligations under the Cybersecurity Act.

4.2 Compliance and Governance

Organisations intending to implement IoT solutions can refer to the following standards published by the IMDA:

• IoT Cyber Security Guide, which provides baseline recommendations, foundational concepts and checklists relating to the security aspects of IoT systems;
• Singapore Standard 695:2023, which identifies common requirements for the interoperability of IoT systems to support a variety of use cases and their integration; and
• Technical Reference 64:2018, which introduces the foundational security concepts and terminology for IoT systems and demonstrates their applications (please note that this Guideline is currently under revision).

While compliance with these standards is not mandatory for organisations implementing IoT solutions, the IMDA encourages organisations to comply with these standards in order to enable an ecosystem of interoperable sensor network devices and systems, reduce deployment costs, and support Singapore's enterprises.

4.3 Data Sharing

Key Legal Requirements

There are no data sharing requirements specifically targeted at organisations implementing IoT solutions. However, where personal data is collected by the IoT devices before being transferred wirelessly through the network, organisations that employ IoT solutions will have to comply with the following obligations under the PDPA (among others).

• Consent Obligation: Section 13 of the PDPA prohibits the collection, use or disclosure of personal data unless the individual gives or is deemed to have given his or her consent, or unless the collection, use or disclosure without the individual’s consent is required or authorised under the PDPA or any other written law. In the second instance, the PDPA sets out the circumstances or purposes (in its First and Second Schedules) where the consent of an individual is not required for the processing of his or her personal data.
• Protection Obligation: Section 24 of the PDPA requires organisations to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent:
  (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and