Clarifying what it means to make business contact information “publicly available”
The first amendment relates to the requirement1 under section 11(5) of the Personal Data Protection Act (“PDPA”) that an organisation make “publicly available” the business contact information (“BCI”) of an individual responsible for ensuring compliance with the PDPA.
A new Part 1A was added to the Personal Data Protection Regulations 2021 (“PDPR”), stating that the organisation will be deemed to have satisfied this requirement if it publishes the BCI in a “readily accessible” part of its “official website”, or on the website of the Accounting and Corporate Regulatory Authority (“ACRA”).2 Accompanying amendments to the Advisory Guidelines on Key Concepts in the PDPA state that the website should be readily accessible from Singapore, operational during Singapore business hours, and that any telephone numbers listed should be Singapore ones.3
These amendments are welcome as they provide some clarity to organisations on what it means to make the BCI “publicly available”. They also inform the general public where they can find the BCI. It is uncertain if companies will satisfy the “readily accessible” requirement if they bury the BCI a few menus deep, or publish the BCI in ant sized font – these scenarios do not come up in the PDPC’s Guidelines – but organisations should bear in mind that the purpose of making the BCI publicly available is so that individuals can directly contact the person who can answer questions relating to the organisation’s collection, use, or disclosure of personal data.4 Organisations should therefore ensure that the BCI on their official website is sufficiently prominent.
Recognising prior consent as defences to unauthorised disclosure and use
The next two amendments fall under a new Part 4A in the PDPR. They recognise prior consent as a defence to the offences of unauthorised disclosure5 and unauthorised use6 of personal data in an organisation’s possession or control.
Further situations in which a data breach will be deemed to result in significant harm to an individual
Under the PDPA, if an organisation assesses that a data breach will result in or is likely to result in significant harm to an affected individual, the organisation must notify the Personal Data Protection Commission (“PDPC”), and potentially the affected individual.7
A list of circumstances under which a data breach would be deemed to result in significant harm, can be found in the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“NDBR”).8 Amendments were made to the NDBR to add to this list. It is not immediately obvious, but the wording in these amendments align with a part of the Women’s Charter prohibiting the publication of certain information, where a court has ordered that proceedings relating to outrage of modesty or certain sexual offences be dealt with in camera.9
Pursuant to the NDBR amendments, a data breach will be deemed to result in significant harm to an individual if the data relates to:10
- the name or address of a female against which the outrage of modesty or sexual offence is alleged to have been committed;
- particulars given in court proceedings which identify, or are calculated to lead to the identification of, the female;
- the name and address of any witness in the court proceedings, or evidence given by the witness, which may lead to the identification of the female; and
- any picture of the female or witness.
A data breach will also be deemed to result in significant harm if the data identifies, or is likely to lead to the identification of, the individual as a resident of a place of safety, or the location of the place of safety at which the individual is residing.11
New Guide to Data Protection Practices for ICT Systems (DPP Guide)
According to the PDPC’s website, the DPP Guide compiles data protection practices from previous PDPC advisory guidelines and guides, includes lessons learnt from past data breaches, and recommends basic and enhanced practices organisations can incorporate into their ICT policies, systems, and processes.
It discusses:
- Policies and risk management practices for ICT systems e.g., basic practices relating to accountability, risk management, and data minimisation (which appeared in the old Guide).
- ICT controls e.g., relating to authentication, authorisation, and database and website security.
- SOPs and IT operations for each stage of the data lifecycle e.g., relating to security awareness, BYOD, and cloud computing.
Published together with the DPP Guide were:
- An 8-page Handbook on How to Guard Against Common Types of Breaches.
- A checklist of basic practices during application development and support.
- A checklist of basic practices relating to configuration management, malware/phishing protection, security awareness/responsibilities, and account password management.
Revised Guides on Developing a Data Protection Management Programme (DPMP Guide) and Data Protection Impact Assessments (DPIA Guide)
According to the PDPC’s website, the DPMP Guide was updated to incorporate best practices in accountability. The PDPC overhauled its DPMP changing its components of policy, people, and process, to a “four-step programme” comprising:
- Governance and Risk Assessment: Establishment of a governance structure.
- Development of a data protection policy and practices.
- Development of processes to operationalise the policy.
- Maintenance: Steps to keep the policy and processes up-to-date.
The DPMP Guide encourages the adoption of a Data Protection by Design (DPbD) approach, and refers to the PDPC’s Guide to DPbD. However, the Guide to DPbD was replaced by the DPP Guide (discussed in the previous section), which was published at the same time as the DPMP Guide. In the circumstances, it is presumably the principles of the DPP Guide which should now be adopted.
The DPIA Guide outlines key principles and considerations in each phase of the DP lifecycle, and annexes a risk assessment framework and sample DPIA questionnaire.
What’s next?
The PDPC’s Advisory Guidelines on Enforcement of the Data Protection Provisions, state12 that the enhanced financial penalty regime will come into effect no earlier than 1 February 2022. All eyes are on whether it does then, given that many businesses in Singapore have taken a beating due to the Covid-19 pandemic.
Even if it does, organisations might take some comfort from the views expressed by the PDPC in recent decisions, that financial penalties are not meant to impose a crushing burden on the organisation and cause undue hardship.13 With this in mind, in the past four years the PDPC has:
(a) considered the financial circumstances of organisations14 and even the personal circumstances of an organisation’s owner and family,15 in deciding the quantum of financial penalty to be imposed; and
(b) reduced the quantum of financial penalty in at last eight cases, in order to avoid imposing a crushing burden and cause undue hardship.16
Apart from this, we have been waiting for details on the new Data Portability Obligation, which PDPC said will only take effect when the relevant Regulations are issued.
——
Notes & sources
[1] See section 11(5) of the PDPA.
[2] ACRA is the regulator of business registration, financial reporting, public accountants, and corporate service providers.
[3] See paragraph 21.7 of the Advisory Guidelines on Key Concepts in the PDPA (Revised 1 October 2021).
[4] See sections 20(1)(c) and 20(5)(b) of the PDPA.
[5] See section 48D of the PDPA.
[6] See section 48E of the PDPA.
[7] See sections 26B(1)(a) and 26D(1) and (2) of the PDPA.
[8] See the Schedule to the NDBR.
[9] See section 153 of the Women’s Charter.
[10] See section 6A of Part 1 of the Schedule to the NDBR.
[11] See section 6B of Part 1 of the Schedule to the NDBR.
[12] At para 27.3.
[13] See Re Chizzle Pte. Ltd. [2019] SGPDPC 44 at [11]; Re Jigyasa [2021] SGPDPCR 1 at [10].
[14] See O2 Advertising Pte Ltd [2019] SGPDPC 32.
[15] See Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1; Re Jigyasa [2021] SGPDPCR 1.
[16] See Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1; Re Chizzle Pte. Ltd. [2019] SGPDPC 44; O2 Advertising Pte Ltd [2019] SGPDPC 32; Re Advance Home Tutors [2019] SGPDPC 35; Re COURTS (Singapore) Pte Ltd [2020] SGPDPC 17; Re Times Software Pte Ltd and Ors [2020] SGPDPC 18; Re Jigyasa [2021] SGPDPCR 1; Summary of the Decision for Hello Travel Pte. Ltd.
——
