Singapore’s Personal Data Protection Act: A review of the major changes ahead (Part 1)

Darren Grayson Chng, in the first of a series, explores the background to forthcoming changes to the Singapore Personal Data Protection Act

Singapore’s Personal Data Protection Act (“PDPA”) is slated for major changes, which many expect to take effect by end-2020. This is the first of a four-part series that will cover the events leading to the passing of the Personal Data Protection (Amendment) Bill (“Bill”) in Parliament, and then go into the details of the amendments.

Public consultation on proposed amendments

Earlier this year, in May, Singapore’s Ministry of Communications and Information (“MCI”) and Personal Data Protection Commission (“PDPC”) launched an online public consultation on proposed amendments to the PDPA.[1] The proposed amendments were the culmination of public consultations on proposals for the review of the PDPA held between 2017 and 2019.

In their Public Consultation Paper (“PCP”), MCI and PDPC said that they were proposing amendments in four key areas:[2]

  1. Strengthening the accountability of organisations, and individuals who handle or have access to personal data. 
  2. Enhancing the PDPA’s framework for the collection, use, and disclosure of personal data to enable meaningful consent where necessary.
  3. Providing for greater consumer autonomy over their personal data.
  4. Increasing deterrence and strengthening the effectiveness of PDPC’s enforcement efforts.

MCI and PDPC explained in their joint press release that the proposed amendments sought to strengthen public trust, enhance business competitiveness and provide greater organisational accountability and assurance to consumers in support of Singapore’s Digital Economy.

The public consultation was open from 14 to 27 May 2020, an unusually short period of only 14 days. This left many organisations scrambling to analyse the proposed amendments and draft their feedback to PDPC. By way of comparison, the public consultation for Singapore’s Cybersecurity Bill was open for about 6 weeks.

Aftermath of the public consultation

Soon after the public consultation closed, MCI and PDPC published, in early June, 87 responses to the public consultation. 

On 5 October 2020, the Bill was introduced to Parliament.

In their Closing Note to the public consultation, published on 5 October, MCI and PDPC said that the scope and operational details of the draft amendments would be addressed in Regulations and Advisory Guidelines after the PDPA was amended, and that PDPC would continue soliciting views and feedback in developing them.[3]

On 2 November 2020, the Bill was passed in Parliament.

Strengthening the accountability of organisations

In the PCP, MCI and PDPC said that accountability would be reflected as a key principle of the PDPA. To this end, the Bill will insert an explicit reference to accountability in the title of Part III of the PDPA: “General Rules With Respect To Protection Of And Accountability For Personal Data” [underline added].[4]

MCI and PDPC said that this would make it clearer that organisations are accountable for personal data in their possession or control, and are expected to be able to demonstrate compliance.[5]

Assessment of data breaches

The current version of the PDPA does not require notification to PDPC, or to anyone else, when a personal data breach has occurred. Notification is voluntary, and PDPC decisions have shown that PDPC treats a voluntary notification as a mitigating factor.

What the Bill does is insert into the PDPA a new Part VIA titled “Notification Of Data Breaches”.[6] Section 26C of this Part provides that:

  • If an organisation has reason to believe that a data breach affecting personal data in its possession or control has occurred, the organisation must conduct “in a reasonable and expeditious manner” an assessment of whether the data breach is a “notifiable data breach”. 
  • If a data intermediary (“DI”) has reason to believe that a data breach has occurred in relation to personal data that the DI is processing on behalf of, and for the purposes of, another organisation (that is not a public agency), the DI must “without undue delay” notify that organisation of the occurrence of the data breach.
  • Upon the DI’s notification, the organisation must conduct an assessment of whether the data breach is notifiable.

There is a lot in section 26C to unpack, but first, to complete the picture: if the DI is processing personal data on behalf of and for the purposes of a public agency, section 26E requires the DI to notify the public agency “without undue delay” of the occurrence of the data breach. The Bill does not go on to say what the public agency would then be required to do, but the Singapore government will probably prescribe in its policies the actions which a public agency is to take upon a data breach.

What is a notifiable data breach?

Turning back to what the different components of section 26C mean, section 26B of the Bill says that a data breach is notifiable if:[7]

(a) it results in, or is likely to result in, significant harm to an “affected individual”; or 

(b) is, or is likely to be, of a significant scale. 

The Bill also explicitly provides that a data breach relating to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.[8] This exclusion was not present in the public consultation version of the Bill, so it is not known what precipitated its inclusion.

What is an “affected individual”, and a “data breach”?

Section 26A defines “affected individual” as “any individual to whom any personal data affected by a data breach relates”.[9]

The Bill will also introduce the defined term “data breach”. Section 26A provides that, in relation to personal data, it is:[10]

(a) the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data; or 

(b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

What does “significant harm” mean? 

Under the Bill, a data breach will be deemed to result in significant harm to an individual if it is in relation to any “prescribed personal data or class of personal data” relating to the individual, or “in other prescribed circumstances”.[11]

It is not yet known what will fall under “prescribed” personal data, though there have been hints of what might be coming our way:

  • The PCP noted that many jurisdictions had adopted a “whitelist” approach for data breach notification to affected individuals and the authorities.[12]
  • The PCP gave examples of data categories prescribed by those jurisdictions: social security numbers, drivers’ licence numbers, state identification numbers, credit / debit card numbers, health insurance information, and medical history information.[13]

Separately, in assessing whether a data breach is likely to result in significant harm to affected individuals, PDPC’s Guide to Managing Data Breaches 2.0, released in May 2019, suggested that organisations consider:[14]

(a) factors such as the types of personal data involved, the individuals whose personal data have been compromised (e.g. whether they are minors or vulnerable individuals such as victims of abuse), and other contextual factors such as whether the personal data was publicly available before the data breach;

(b) the ease with which an affected individual can be identified from the compromised data;

(c) the circumstances surrounding the data breach, such as whether the data was illegally accessed and stolen by persons with a malicious intent; and

(d) how long the personal data was exposed. 

What does “significant scale” mean?

Under the Bill, a data breach will be deemed to be of a significant scale if it affects not fewer than the “prescribed” number of affected individuals, or in other “prescribed” circumstances.[15]

Giving a hint, the PCP stated that data breaches affecting 500 or more individuals would be an appropriate threshold for a data breach to be considered to be of “a significant scale”.[16]

Mandatory notification of “notifiable” data breaches

Section 26D of the Bill provides that if an organisation assesses that the data breach is notifiable, the organisation must notify PDPC as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.[17]

Subject to four exceptions, on or after notifying PDPC, the organisation must also notify each affected individual “in any manner that is reasonable in the circumstances”.[18] PDPC’s Guide to Managing Data Breaches 2.0 provides some guidance on what this means: organisations should adopt the most effective way to reach affected individuals, taking into consideration the urgency of the situation and the number of individuals affected.[19]

The Bill does not prescribe a timeline by which the organisation should notify affected individuals. However, the PCP says that upon determining that the data breach meets the criteria for notifying them, the organisation must do so as soon as practicable.[20]

Commenting generally on the attitude and speed with which parties should move, the PCP said that once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether the data breach is notifiable.[21] It should document its steps for the purpose of demonstrating that it acted reasonably and expeditiously, and carried out the assessment in good faith.[22] The PCP said that unreasonable delay in assessing or notifying data breaches would be a breach of section 26D.[23]

The four exceptions to the requirement to notify affected individuals are: 

(a) if the organisation has taken action that renders it unlikely that the data breach will result in significant harm to the affected individual;[24]

(b) if, prior to the occurrence of the data breach, the organisation had implemented any technological measure (e.g. encryption of a reasonable security standard) that renders it unlikely that the data breach will result in significant harm to the affected individual;[25]

(c) if a prescribed law enforcement agency instructs the organisation not to notify (e.g. where notification may compromise investigations or prejudice law enforcement efforts), or PDPC so directs (e.g. where there are overriding national security or national interests);[26] and

(d) if the organisation had applied to PDPC for a waiver of the requirement to notify, and PDPC approves the application.[27]

Explaining the rationale behind section 26D, the PCP said that notifying PDPC would allow organisations to receive guidance from PDPC on post-breach remedial actions where necessary.[28] Notifying affected individuals would allow them to take steps to protect themselves by, for example, changing passwords and cancelling credit cards.[29] It would also ensure that organisations are accountable to individuals for the proper handling and safekeeping of their personal data.[30]

The case of a data intermediary daisy chain

To recap, section 26C(3) of the Bill says: 

Where a data intermediary (other than a data intermediary [of a public agency]) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation – 

(a) the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and

(b) that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.

This process seems well and good if there is only the data controller and one data intermediary in the picture. It starts making less sense where there is a daisy chain of data intermediaries. 

Take for example the scenario where the data intermediary (X) engaged by the data controller has subcontracted some processing work to a third party (Y), and the third party has subcontracted some of that processing work to a fourth party (Z). 

If one were to interpret the word “organisation” as also referring to the engaged data intermediary, it could mean that, practically, under sections 26C(3) and 26D(1) and (2):

  • If Z believes that a data breach has occurred, Z must without undue delay notify Y of the data breach.
  • Upon receiving Z’s notification, Y should without undue delay notify X of the data breach. Y must also conduct an assessment of whether the data breach is a notifiable data breach, and if so, notify PDPC and/or affected individuals.
  • Upon receiving Y’s notification, X should without undue delay notify the data controller of the data breach. X must also conduct an assessment of whether the data breach is a notifiable data breach, and if so, notify PDPC and/or affected individuals. 
  • Upon receiving X’s notification, the data controller must conduct an assessment of whether the data breach is a notifiable data breach, and if so, notify PDPC and/or affected individuals.

It would make more sense to interpret the word “organisation” to refer to the data controller only, and in previous PDPC cases involving subcontractor-processors that appears to be how PDPC interpreted the word. In such a case, the process under sections 26C(3) and 26D(1) and (2) would be:

  • If Z believes that a data breach has occurred, Z must without undue delay notify the data controller.
  • Upon receiving Z’s notification, the data controller must conduct an assessment of whether the data breach is a notifiable data breach, and if so, notify PDPC and/or affected individuals.

Yet, in practice, it is unlikely that Z would have a direct channel of communication to the data controller or that the data controller would want to deal directly with Z. After all, Z’s contract would be with Y and not the data controller; and the data controller would expect X to manage its subcontractors. 

So placing an obligation on Z to notify the data controller directly seems a little strange. It is a matter which could do with some clarification from PDPC.

Darren Grayson Chng is our International Associate Editor for Singapore

----------------------------------

Sources

[1] See para 7 of the PCP.

[2] See para 7 of the PCP.

[3] See para 28 of the Closing Note.

[4] See clause 4 of the Bill.

[5] See para 10 of the PCP.

[6] See clause 13 of the Bill.

[7] See pp 13 – 14 of the Bill.

[8] See the new section 26B(4) at p 14 of the Bill.

[9] See p 13 of the Bill.

[10] See p 13 of the Bill.

[11] See section 26B(2) at p 14 of the Bill.

[12] See para 18 of the PCP.

[13] See para 18 of the PCP.

[14] See p 15 of the Guide.

[15] See section 26B(3) at p 14 of the Bill.

[16] See para 17 of the PCP.

[17] See section 26D(1) at p 15 of the Bill.

[18] See section 26D(2) at p 15 of the Bill.

[19] See p 19 of the Guide.

[20] See para 20 of the PCP.

[21] See para 19 of the PCP.

[22] See para 19 of the PCP.

[23] See para 19 of the PCP.

[24] See section 26D(5)(a) at p 15 of the Bill.

[25] See section 26D(5)(b) at pp 15 – 16 of the Bill.

[26] See section 26D(6) at p 16 of the Bill.

[27] See section 26D(7) at p 16 of the Bill.

[28] See para 16 of the PCP.

[29] See para 16 of the PCP.

[30] See para 16 of the PCP.

Published: 2020-11-18T11:00:00