In conjunction with the presidential election on 1 September 2023, the Elections Department (ELD) has updated its “Advisory Guidelines on the Application of the Personal Data Protection Act (PDPA) to Election Activities” on 28 July 2023.
Separately, on 31 July 2023, the ELD issued an advisory to candidates and political parties on potential cyberthreats and the corresponding preventive measures (“Cyberthreats Advisory“).
Political parties and election candidates that conduct election activities will not be treated as carrying out election activities in a personal or domestic capacity and can be held responsible for the actions of their employees, volunteers, and data intermediaries.
As a political party operates as an organisation or data controller, under the PDPA, it must comply with the various obligations under the PDPA.
For example, in relation to the “Consent Obligation” under the PDPA, a political party or election candidate must obtain the consent of the individual before collecting, using, or disclosing their personal data for a purpose, unless the collection, use, or disclosure without consent is required or authorised under the law.
Likewise, under the “Transfer Limitation Obligation”, political parties and candidates must not transfer personal data to a country or territory outside Singapore unless they have ensured that there are legally enforceable obligations that the data will be accorded a standard of protection comparable to the PDPA.
In relation to the Cyberthreats Advisory, as campaign activities have evolved to encompass digital formats — through online rallies on social media platforms or organising Q&A sessions on video conference platforms — the ELD has highlighted some preventative measures for candidates and parties to protect their digital assets, which include smartphones, computers, storage devices, online websites, and accounts.
The ELD has recommended that election candidates and political parties establish strict access control and a whitelist of applications that are allowed to run on devices used for campaign purposes; enforce strong password management and multifactor authentication; perform regular software updates; regularly back up important data; and keep a log of network traffic and security events in the event of a cybersecurity incident.
In addition, the ELD recommended installing technologies such as Endpoint Detection and Response and performing regular security assessments on election-campaign-related websites using tools such as SSL Labs, MxToolbox, or the Cyber Security Agency of Singapore’s Internet Hygiene Portal to detect breaches and identify possible flaws for remediation.
* * * * *
© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.