Singapore's legislative and regulatory concerns in cloud computing
December 19, 2012
With more and more sensitive commercial and personal data being stored on the cloud, regulators and authorities around the world have responded to concerns about the security of cloud computing by introducing new laws, regulations and compliance requirements which attempt to mitigate the perceived security and data privacy risks associated with the use of cloud computing.
The stringency of some of these requirements has led some organizations to shun cloud computing solutions, citing the web of legal and regulatory requirements and the costs associated with ensuring compliance as prohibitive factors.
The Singapore government has chosen to adopt a "cloud friendly" policy, as seen in its own adoption of cloud computing for government services and its light-handed approach to legislating the adoption of cloud computing. Therefore, with the right guidance and an understanding of the legal and regulatory framework in relation to cloud computing, organizations operating in Singapore need not avoid adopting cloud computing solutions and the benefits they bring.
The following provides a brief overview of the legal and regulatory landscape in Singapore relevant to cloud computing.
The Singapore government has recently passed the Personal Data Protection Act 2012 (PDPA), which will be a boost to Singapore's ambition of becoming a data center hub for the region. The PDPA is consistent with international standards for data protection and will also see the introduction of a National "Do Not Call" Registry (DNC Registry), which will affect direct marketing activities to customers.
The PDPA will be implemented in a phased approach after coming into force in January 2013. There will be a transition period of 12 months before the DNC Registry comes into force and a transition period of 18 months before the data protection rules of the PDPA come into force. The data protection rules set out in the PDPA govern the collection, use and disclosure of personal data. In general, organizations are permitted to make use of personal data where there is consent from the data subject for that use. Accordingly, it will be important to ensure that appropriate consents are obtained from data subjects to cover the proposed uses of that data when the data is collected.