The Answer in 60 Seconds

Section 24 of the Personal Data Protection Act 2012 requires every organisation to "make reasonable security arrangements to prevent: (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored." This is the Protection Obligation — one of the nine PDPA obligations and the most-enforced. The Personal Data Protection Commission (PDPC) interprets "reasonable security arrangements" through its Advisory Guidelines on Key Concepts in the PDPA and through enforcement decisions. Failure can result in a financial penalty of up to 10% of annual Singapore turnover (for organisations with turnover above S$10 million) or S$1 million, whichever is higher (effective 1 October 2022). Most PDPC enforcement actions historically have been Section 24 (Protection Obligation) breaches rather than Section 26D (breach notification) failures.

The Sourced Detail

Section 24 is the heart of PDPA compliance. Most enforcement actions and most insurance-relevant exposures arise here. Understanding what "reasonable security arrangements" actually means in practice — through PDPC guidance, enforcement decisions, and industry practice — is essential for any Singapore SME handling personal data.

What Section 24 actually says

Per Section 24 of the PDPA:

"An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored."

The obligation applies to:

  • Personal data in possession — data the organisation holds directly
  • Personal data under control — data processed by service providers/vendors on the organisation's behalf

The "reasonable security arrangements" test

PDPC's Advisory Guidelines on Key Concepts in the PDPA interpret "reasonable security arrangements" as a context-dependent standard considering:

  • Nature of the personal data — sensitive personal data (NRIC, financial, health) requires stronger protection than less sensitive data
  • Form of the personal data — whether physical (paper records) or electronic (databases, files), since each form carries different handling and storage risks
  • Possible impact of unauthorised access or disclosure on individuals
  • Likely security risks based on threat landscape and organisation profile
  • Cost and feasibility of security measures
  • Industry practice for similar organisations

The test is not absolute security — that's impossible. It's reasonable security proportionate to risk and feasibility.

Categories of security arrangements PDPC examines

In enforcement decisions and guidance, PDPC has emphasised security arrangements across categories:

1. Administrative measures:

  • Policies, procedures, and standards
  • Staff training and awareness
  • Access control and authorisation
  • Vendor management
  • Incident response procedures
  • Periodic audits and reviews
  • Roles and responsibilities (including DPO designation)

2. Physical measures:

  • Secure physical access to premises and rooms holding data
  • Locked filing cabinets for paper records
  • Secure disposal (shredding for paper, certified destruction for digital media)
  • Visitor management
  • CCTV where appropriate

3. Technical measures:

  • Access controls (passwords, multi-factor authentication, role-based access)
  • Encryption (in transit and at rest)
  • Network security (firewalls, intrusion detection, monitoring)
  • Endpoint security (anti-malware, device management)
  • Backup and recovery
  • Patch management and vulnerability management
  • Logging and monitoring

What PDPC enforcement teaches

PDPC publishes enforcement decisions — these are practical guides to what "reasonable" means in specific scenarios. Recurring themes:

Common failures triggering Section 24 enforcement:

  • Misconfigured cloud storage (publicly accessible buckets, databases with default credentials)
  • Phishing-induced credential compromise without MFA in place
  • Stolen or lost devices without encryption
  • Disposal failures (records found in dumpsters, hard drives sold without wiping)
  • Vendor failures where the organisation didn't adequately oversee the vendor
  • Excess data retention beyond the purpose for which collected
  • Inadequate access controls allowing former employees or unauthorised staff to access data
  • Email mishaps (data sent to wrong recipient, BCC vs CC errors)
  • Outdated systems with known vulnerabilities not patched

Common outcomes in PDPC decisions:

  • Financial penalties (varying significantly based on circumstances)
  • Directions for remediation
  • Public publication of decisions (reputational consequence)
  • Sometimes: directions for specific compliance measures (DPO appointment, training, audit)

Vendor management — Section 24 doesn't transfer

A common misconception: outsourcing personal data processing transfers PDPA obligations to the vendor.

It does not. Per Section 24, the organisation that controls the personal data (the "data controller" in international terminology) remains responsible for the protection obligation. The vendor (the "data processor" internationally, a "data intermediary" in the PDPA's own terms) may be contractually obligated to maintain certain standards, but the organisation faces PDPC enforcement if those standards fail.

This means:

  • Data Processing Agreements with vendors are essential
  • Vendor due diligence at engagement matters
  • Ongoing vendor oversight required
  • Vendor breach is the organisation's regulatory issue too
  • Contractual indemnities from vendors help commercially but don't transfer regulatory liability

For SMEs using cloud services, third-party SaaS, payment processors, marketing platforms — the vendor management component of Section 24 compliance is usually substantial.

The "appropriate to the risk" calibration

PDPC emphasises that security arrangements should be appropriate to the specific risk profile:

  • A single-employee Singapore SME holding 100 customer records with basic contact information has different obligations than a regional SaaS holding 500,000 customer records with payment data
  • Health data triggers higher expectations than basic contact data
  • Financial data triggers high expectations
  • Children's data triggers high expectations
  • Sensitive personal data (race, religion, political opinion, health, sexual orientation) triggers heightened expectations

The risk-proportionate standard means an SME cannot rely on limited resources alone as a defence, but reasonable proportionality to its scale and risk profile is recognised.

Insurance implications

Cyber Liability insurance responds to:

1. PDPC investigation and defence costs:

  • Legal costs to respond to PDPC inquiries
  • Document production and analysis
  • Representation in PDPC proceedings

2. Section 24 financial penalties:

  • Penalties imposed by PDPC
  • Subject to insurability under Singapore law
  • Subject to policy wording (some policies specifically include, some exclude)
  • Limit considerations matter — penalties up to 10% turnover can be substantial

3. Third-party claims by affected individuals:

  • Civil claims by individuals affected by Section 24 breaches
  • Section 48O of the PDPA (formerly Section 32) provides a private right of action; see below

4. Breach response costs:

  • Forensic investigation
  • Legal advice
  • Notification (if Section 26D triggered)
  • PR
  • Credit monitoring (where applicable)

5. Business interruption from the cyber event:

  • Lost revenue during system disruption
  • Increased operating costs

Section 48O private right of action (formerly Section 32):

Per Section 48O of the PDPA:

"Any person who suffers loss or damage directly as a result of a contravention by an organisation of any provision in Part 4, 5, 6, 6A, 6B or 7 has a right of action for relief in civil proceedings in a court."

This means individuals affected by Section 24 breaches can sue the organisation directly for damages. The provision was originally Section 32 of the PDPA and was renumbered to Section 48O when the Personal Data Protection (Amendment) Act 2020 restructured the enforcement framework. The Court of Appeal's 2022 decision in Reed v Bellingham clarified that emotional distress can constitute "loss or damage" for purposes of the private right of action.

For SMEs, the Section 48O (formerly Section 32) exposure is increasing: class-action-style mechanisms are evolving and individual claims are more accessible. Cyber Liability with third-party privacy liability cover responds to this exposure.

Operational risk management

Singapore SMEs implementing Section 24 compliance typically:

Foundation:

  • Designate Data Protection Officer (mandatory under PDPA Section 11)
  • Document personal data inventory (what is held, where, who has access)
  • Develop personal data protection policy
  • Train all staff on PDPA basics
  • Establish incident response procedure

Technical:

  • Multi-factor authentication on all systems holding personal data
  • Encryption at rest and in transit
  • Access controls based on role (least privilege principle)
  • Regular patching and vulnerability management
  • Endpoint protection
  • Backup and recovery
  • Logging and monitoring

Vendor management:

  • DPAs with all data-processing vendors
  • Due diligence at engagement
  • Periodic reviews
  • Termination procedures for vendor changes

Operational:

  • Periodic data protection risk assessments
  • Annual policy review
  • Tabletop exercises for breach response
  • Audit / review (internal or external) periodically

Documentation:

  • Records of processing activities
  • Records of consent obtained
  • Records of staff training
  • Records of incidents (notifiable and non-notifiable)
  • Records of vendor agreements

Insurers underwriting Cyber Liability examine these elements; SMEs with stronger documentation receive better terms.

How Section 24 interacts with other PDPA obligations

The nine PDPA obligations work together:

  • Consent (Section 13–15) — basis for collection
  • Purpose Limitation (Section 18) — only for stated purpose
  • Notification (Section 20) — informing individuals of collection
  • Access and Correction (Section 21–22) — individual rights
  • Accuracy (Section 23) — keeping data accurate
  • Protection (Section 24) — the security obligation (this article)
  • Retention Limitation (Section 25) — not keeping longer than necessary
  • Transfer Limitation (Section 26) — limits on cross-border transfer
  • Accountability (Section 11–12) — DPO, internal compliance

A Section 24 breach often co-exists with breaches of other obligations (excess retention, unauthorised disclosure, lack of accountability framework). PDPC enforcement typically addresses multiple obligations simultaneously.

Comparison with other jurisdictions

EU GDPR Article 32 (Security of processing) requires "appropriate technical and organisational measures" considering risk and impact. Conceptually similar to PDPA Section 24 but with different penalty structures and broader extraterritorial application — see Article 97.

California Consumer Privacy Act / California Privacy Rights Act has security requirements with private right of action for breach.

Multiple other jurisdictions in ASEAN and globally have similar protection obligations. For Singapore SMEs operating regionally, multiple compliance regimes may apply simultaneously.

Specific scenarios

Scenario A: Single-employee Singapore consultancy, customer email list of 200 names

  • Section 24 applies but proportionate
  • Reasonable: password protection, secure email, basic training
  • PDPC would not expect enterprise-grade security
  • A Cyber Liability sub-limit on a Property All Risks (PAR) policy may be sufficient

Scenario B: Singapore F&B chain with loyalty programme, 10,000 customer records with contact and purchase history

  • Section 24 applies with elevated expectations
  • Reasonable: dedicated systems, access controls, MFA, regular review
  • Standalone Cyber Liability typically appropriate
  • DPO designation important

Scenario C: Singapore SaaS with 500,000 user records including payment data

  • Section 24 applies with high expectations
  • Comprehensive technical controls expected
  • DPO with specialist expertise
  • Cyber Liability with strong limits and panel
  • PCI-DSS compliance also relevant

Scenario D: Singapore healthcare provider with patient records

  • Section 24 applies with highest expectations
  • Health data is a significant-harm category
  • Specialised security framework
  • Cyber Liability with healthcare-aware panel

Common Mistakes / What Goes Wrong

  1. Treating Section 24 compliance as one-time setup. It's continuous risk management.
  2. Outsourcing to vendor without DPA or oversight. Vendor breach is your regulatory issue.
  3. Relying on the standard Cyber sub-limit on a PAR policy. Inadequate for material personal data exposure.
  4. No DPO designation. Mandatory regardless of size.
  5. Weak access controls. "Everyone has access to everything" is a Section 24 failure.
  6. Disposal failures. Old records, decommissioned devices, departing staff — all create breach risk.
  7. No breach response plan. Section 26D 3-day clock requires preparation.
  8. No tabletop exercise. A team responding for the first time during a live incident is prone to first-time mistakes.
  9. Phishing without MFA. Most SME breaches start with credential compromise.

What This Means for Your Business

For Singapore SMEs handling personal data, Section 24 compliance is the foundational regulatory obligation:

  1. Map your personal data. What you hold, where, who has access, why.

  2. Designate DPO. PDPA mandatory; the role makes the rest possible.

  3. Implement risk-proportionate security. Technical, administrative, physical — appropriate to your scale and data sensitivity.

  4. Manage vendors. DPAs, due diligence, ongoing oversight.

  5. Hold appropriate Cyber Liability. Standalone with adequate limits and panel — see Article 72.

  6. Document everything. Records of processing, consent, training, incidents — all support compliance and defence.

  7. Run tabletop exercises. Test the response infrastructure before incident time.

  8. Review annually. Standards evolve, threats evolve, business changes — compliance is not static.

The cost of Section 24 compliance is meaningful — DPO time or external services, technical controls, training, periodic review, Cyber insurance premium. The cost of failure — penalty up to 10% turnover, third-party claims, reputation, customer trust — is asymmetric. Compliance is foundation work, not optional.

Questions to Ask Your Adviser

  1. For my Cyber Liability, does the policy specifically cover Section 24 PDPC penalties (subject to insurability)?
  2. How does the policy respond to Section 48O (formerly Section 32) third-party claims by affected individuals?
  3. What technical controls does the insurer expect (MFA, encryption, backup, etc.) for my premium tier?
  4. Does my policy provide pre-incident services (vulnerability scanning, training, tabletop) that support Section 24 compliance?
  5. As personal data volumes grow, what insurance limit increases should I plan for?

Related Information

Published 4 May 2026. Source verified 4 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.