Darren Grayson Chng, our Associate Editor for Singapore, outlines proposals to modify their Personal Data Protection Act 2012, which came into operation in 2014.
The Personal Data Protection Act 2012 (“PDPA”) is Singapore’s first omnibus legislation governing the collection, use and disclosure of personal data. It was passed by the Singapore Parliament on 15 October 2012, and was fully implemented by 2 July 2014.
On 27 July 2017, the Personal Data Protection Commission (“PDPC”), a statutory body which administers and enforces the PDPA, launched a public consultation on proposed changes to the PDPA. The PDPC has sought views on: (a) a proposed enhanced framework for the collection, use and disclosure of personal data; and (b) proposed mandatory data breach notification. The closing date for the submission of comments to the PDPC is 21 September 2017.
This article briefly introduces the PDPA before moving on to a summary of the PDPC’s proposals, and comments on it.
Introduction to the PDPA
Singapore’s PDPA can be divided into two general sections: one establishing a framework for the protection of personal data, and the other establishing a Do-No-Call (“DNC”) Registry.
Data Protection Framework
This framework applies to all organisations. It also explicitly excludes:
Data intermediaries are exempted from certain portions of the PDPA if they are processing personal data for another organisation pursuant to a contract evidenced or made in writing.
Under the data protection framework, organisations have ten key obligations. Very briefly, they are:
(1) Consent Obligation: The organisation must not collect, use or disclose personal data about an individual unless the individual gives or is deemed to have given consent.
(2) Purpose Limitation Obligation: The organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and only for purposes that the individual was informed of (if applicable).
(3) Notification Obligation: Before collecting personal data, the organisation must notify the individual of the purpose for the collection, use or disclosure of that personal data.
(4) Access Obligation: Upon request by an individual, the organisation must, as soon as reasonably practicable, provide the individual with their personal data, and information on how their personal data has or may have been used or disclosed in the past one year.
(5) Correction Obligation: Upon request by an individual, the organisation must correct the individual’s personal data unless it is satisfied on reasonable grounds that such a correction should not be made.
(6) Accuracy Obligation: The organisation must make a reasonable effort to ensure that the person data is accurate and complete.
(7) Protection Obligation: The organisation must protect personal data in its possession or under its control, by making reasonable security arrangements.
(8) Retention Obligation: The organisation must cease retention of personal data when the purpose for which the personal data was collected is no longer served by retention, and retention is no longer necessary for legal or business purposes.
(9) Transfer Limitation Obligation: The organisation must not transfer personal data out of Singapore except in accordance with the PDPA’s requirements.
(10) Openness Obligation: The organisation must implement the necessary policies and practices to meet its obligations under the PDPA, and must make publicly available information about the policies and practices, and its complaint process.
The DNC provisions of the PDPA apply to “persons”. This term includes individuals, companies, associations, and other bodies of persons.
Persons sending messages to Singapore telephone numbers must comply with two obligations. Briefly, they are:
(a) Duty to check the DNC Register: Before a person sends a “specified message” to a Singapore telephone number, they must check with the DNC Registry that the number is not listed on the DNC Register. It is a defence if the person had obtained clear and unambiguous consent from the subscriber or user of the number.
(b) Duty to identify the person sending the message: When sending a specified message to a Singapore telephone number, the person must include information identifying the sender and how the recipient can contact the person.
For voice calls, the person must not conceal or withhold from the recipient the person’s telephone number (or other information identifying the person).
In Singapore, there are three Registers on the DNC Registry:
Proposed enhanced framework for collection, use and disclosure of personal data
In its public consultation paper, the PDPC notes that devices can seamlessly collect and transmit personal data, and that increasingly, it may not be possible at the outset to anticipate the purposes for using and disclosing personal data.
Where huge volumes of personal data involving large numbers of individuals are collected at high velocities and from a variety of sources, it may not be practical for organisations to seek consent from individuals in every instance of data collection, or to attempt to identify the individual to seek their consent for every new purpose. In some cases, organisations may not even have a means of contacting the individuals to seek consent.
The PDPC notes that the requirement to obtain consent might not be desirable or appropriate in certain situations, such as those involving fraud detection and security threats.
The PDPC was also cautious of consent fatigue, caused by the frequent taking of consent and proliferation of verbose consent clauses.
In the circumstances, the PDPC has proposed dispensing with the need for consent in two situations: (a) where the individual has been notified of the purpose for collection, use or disclosure; and (b) where collection, use and disclosure is necessary for a legal or business purpose.
Where the individual has been notified of the purpose for collection, use or disclosure
In its public consultation paper, the PDPC has proposed that notifying an individual of the purpose can be sufficient for an organisation to collect, use and disclose personal data without first obtaining consent, where:
(a) it is impractical for the organisation to obtain consent, and deemed consent does not apply; and
(b) the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.
Organisations wishing to rely on this approach must provide appropriate notification of the purpose, and where feasible for the organisation to allow individuals to opt out, information about how they may opt out.
The organisations must also conduct a risk and impact assessment, and implement measures to mitigate the risks of relying on this approach.
Where collection, use and disclosure is necessary for a legal or business purpose
At present, the PDPA allows organisations to collect, use or disclose personal data without consent in certain limited circumstances listed in the Second, Third and Fourth Schedules of the PDPA. Examples are where it is necessary in the national interest, for investigation or proceedings, to recover a debt, or for research purposes.
In comparison, the PDPC has proposed that organisations be allowed to collect, use or disclose personal data without consent and notification where it is necessary for a legal or business purpose, provided that:
(a) it is not desirable or appropriate to obtain consent from the individual for the purpose; and
(b) the benefits to the public (or part thereof) clearly outweigh any adverse impact or risks to the individual.
Organisations wishing to rely on this approach must similarly conduct a risk and impact assessment, and implement measures to identify and minimise the risks to individuals from the collection, use or disclosure of their personal data.
Proposed mandatory data breach notification
Currently, the PDPA does not require organisations to notify any party when a data breach has occurred, although organisations are encouraged to notify the PDPC as soon as possible of any data breaches that might cause public concern, or where there is a risk of harm to a group of affected individuals.
Now, the PDPC has proposed a mandatory data breach notification regime.
The regime will require organisations to perform data breach notification in two cases:
(a) Where a data breach poses any risk of impact or harm to the affected individuals: Organisations must notify both the affected individuals and the PDPC.
(b) Where the scale of the data breach is significant: Organisations must notify the PDPC even if the breach does not pose any risk of impact or harm to the affected individuals. The PDPC has proposed that a data breach involving 500 or more affected individuals should be considered significant.
The PDPC has proposed that the data breach notification requirements above apply concurrently with other notification requirements under other laws and sectorial regulations:
(a) Where the data breach meets the criteria for notifying the PDPC, and the organisation is required to notify a sectoral or law enforcement agency of the data breach under other legislation, the PDPC has proposed that the organisation perform notification concurrently, to minimise the effort and cost involved to comply with notification requirements for the same data breach.
(b) Where the data breach meets the criteria for notifying the PDPC, and the organisation is required to notify affected individuals under other legislation, the PDPC has proposed that the organisation will have fulfilled its breach notification obligations under the PDPA if it notifies the affected individuals in accordance with the requirements under that other legislation. The organisation must also notify the PDPC of the data breach.
On the other hand, where the organisation is required to notify both the affected individuals and the PDPC, the PDPC has proposed that the organisation need only notify the affected individuals.
The PDPC has proposed that if a data intermediary experiences a data breach, it must immediately inform the organisation that it processes personal data for, regardless of the risk of harm or scale of impact of the data breach. The organisation will then be responsible for complying with the PDPA’s breach notification requirements.
Timeframe for notification
Where the organisation is required to notify affected individuals, the PDPC has proposed that the organisation be required to perform notification as soon as practicable unless an exception or exemption applies.
Where the organisation is required to notify the PDPC, the PDPC has proposed that the organisable be required to perform notification as soon as practicable, and in any event “no later than 72 hours from the time it is aware of the data breach”.
Mode of notification
In its public consultation paper, the PDPC said that it was not going to prescribe the mode of notification, but would issue advisory guidelines to provide guidance on complying with the data breach notification requirements when introduced.
Comments on the PDPC’s Proposals
Greater clarity is needed on some aspects of PDPC’s Proposals. For example, it is unclear what kind of risk and impact assessments organisations are supposed to conduct when they want to rely on either of the two approaches that dispense with consent.
The PDPC did say in its media release accompanying the public consultation paper (“Media Release”) that in the third quarter of 2017, it would issue a Guide to Data Protection Impact Assessments, and that the Guide would help organisations identify, assess and minimise data protection risks. But it would have been helpful if the Guide had been released before or together with the public consultation paper.
It is also unclear, in respect of the requirement on organisations to notify the PDPC of data breaches, as to when the 72-hour clock starts running. Does it start the very instant the organisation is aware of a breach? Or can it start when the organisation has investigated the breach and determined its extent?
Perhaps the only guidance on this appears in the PDPC’s Media Release. The Media Release says that the mandatory data breach notification regime will allow “affected organisations … to receive guidance from the PDPC on the remedial actions they could take”. So, if the purpose of introducing mandatory breach notification is so that organisations can receive guidance on how to deal with a data breach, then it would make sense to interpret the requirement as saying that the organisation must notify the PDPC of a breach the moment that the organisation is aware of it.
Comments from the public on the PDPC’s proposals, as reported in local media, include comments that it is unclear what constitutes a “risk of impact or harm” to individuals, and whether the notification framework can be abused such that an organisation can overcollect data and then perform notification as a remedy.
In his speech at the Personal Data Protection Seminar 2017 on 27 July 2017, Singapore’s Minister for Communications and Information Mr Yaacob Ibrahim said that “the PDPC is … prepared to work with companies who adopt accountability practices to create regulatory sandboxes to allow us to understand how the proposed changes to the PDPA might work in practice so that we can fine-tune the details before we amend the PDPA”.
The Minister also said that “by supporting data sharing for innovation, strengthening business accountability and facilitating cross-border data flows, we hope to build a trusted, robust and progressive data protection ecosystem in Singapore that allows us to harness the economic opportunities offered by the digital economy”.