20 July, 2017
Introduction
The Personal Data Protection Act 2012 ("PDPA") established a general data protection law in Singapore that regulates the collection, use and disclosure of individuals' personal data by organisations.
On 21 April 2016, the Personal Data Protection Commission ("PDPC") issued an additional set of advisory guidelines on the enforcement of the data protection obligations in the PDPA (the "Guidelines"). While not legally binding, the Guidelines complement the PDPC's existing published advisory guidelines and deal specifically with how the PDPC enforces the PDPA.
Issues addressed in the Guidelines include how the PDPC will receive, investigate and resolve complaints of data protection breaches; the directions and financial penalties the PDPC can impose once an investigation is concluded; and the rights of review and appeal available to parties aggrieved by a decision of the PDPC.
Enforcement Framework
The PDPA empowers the PDPC to enforce the data protection provisions in three main ways: by investigating reported non-compliance with the PDPA; by reviewing an individual's request to an organisation for access to, or correction of, personal data in the organisation's possession; and by directing parties to alternative dispute resolution mechanisms such as mediation.
Key cases
Since the data protection provisions came into force, the PDPC has concluded a number of investigations with enforcement action.
One notable case involved K Box Entertainment Group Pte Ltd ("K Box"). K Box was found to have breached the PDPA by failing to put in place adequate security arrangements for its IT systems and by failing to appoint a Data Protection Officer to develop data protection policies. These failures contributed to a breach of its members' personal data through malware installed on its systems. A financial penalty of $50,000 was imposed on K Box.
In a separate but related case, Finatech Holdings, which had been engaged to develop and manage a Content Management System for K Box, was found to have failed to remedy known weaknesses in K Box's IT security. Although Finatech Holdings was only a data intermediary, the PDPC still imposed a financial penalty of $10,000.
In the Guidelines, the PDPC highlighted that the severity of the infringement is a key factor in deciding whether to take enforcement action against an infringer.
Factors that increase the severity of an infringement include intentional or repeated breaches of the data protection provisions, obstruction of investigations, failure to comply with previous warnings, and the volume of sensitive personal data the organisation handles.
Comments
These cases highlight the importance for organisations of understanding and meeting the requirements of the PDPA: beyond adverse publicity, organisations that fail to protect personal data can be fined up to $1 million per breach under the PDPA.
Appointing a Data Protection Officer is mandatory under the PDPA and is a basic step towards compliance. Despite this, only 40% of organisations surveyed had a Data Protection Officer, based on the PDPC's survey of 1,513 organisations conducted between March and June 2016.
Appointed data protection officers should ensure they are equipped with the skills needed to scrutinise and implement their organisation's policies on the collection, use and disclosure of personal data. To acquire these skills, or to upgrade existing ones, data protection officers should consider participating in the local certification programme announced by the PDPC on 13 March 2017.
For further information, please contact:
Andy Leck, Principal, Baker & McKenzie.Wong & Leow
andy.leck@bakermckenzie.com