clawbacks.ai | Blog

← All articles

News · 4 min read · 16 January 2026

Singapore's Public Sector (Governance) Amendment Bill: What Expanded Data-Sharing Means for You

Parliament passed the Public Sector (Governance) (Amendment) Bill 2025 in January 2026, widening how government agencies can share data with external parties. Here's what it means for how you should think about your own data footprint.

What was passed

In January 2026, the Singapore Parliament passed the Public Sector (Governance) (Amendment) Bill 2025, expanding the legal framework under which government agencies can share data with authorised external parties — including social service agencies, community groups, and trade associations. The stated purpose is to enable more coordinated, cross-agency service delivery, particularly for social support programmes that currently require citizens to repeat the same information across multiple touchpoints.

This is a public-sector data-sharing framework, distinct from the Personal Data Protection Act (PDPA), which continues to govern how private-sector organisations — including banks and services like clawbacks.ai — collect, use, and disclose personal data.


Why this is still relevant if you don't interact with these specific agencies

The practical relevance for most cardholders isn't the bill's specific provisions — it's the broader direction it signals. Singapore's data governance landscape is moving toward more interoperability between organisations holding your data, not less. Whether that's government agencies coordinating on your behalf, or private companies you deal with (banks, fintechs, service providers) each holding a piece of your financial picture, the trend is the same: more parties, more sharing, and more reason for individuals to understand exactly what data they've handed over and to whom.

This is a reasonable moment to do a personal audit: which organisations hold your NRIC, your card numbers, your spending data, your contact details — and under what consent basis.


What this means for services that handle sensitive account data

For any service — ours included — that requests access to card details or account information on a customer's behalf, this broader environment raises the bar on being explicit about scope. A service that touches your card data should be able to answer plainly: what data is collected, what it's used for, whether raw card numbers ever touch its own servers, and what happens to your data if you stop using the service.

These aren't new questions raised by this specific bill — they're PDPA-standard questions any private-sector service handling your data should already answer clearly in its Privacy Notice, regardless of what government agencies are doing with their own data-sharing frameworks.


The clawbacks.ai approach

We tokenise your card details at the point of entry using a PCI DSS-certified vault — your raw card number never reaches our servers in a form we can read. Our Privacy Notice sets out exactly what data we collect, why, and how long it's retained. If you're doing a personal data-footprint audit this year, we'd rather you hold us to that standard than take it on faith.

Get your annual fee waived →

Get your annual fee waived →