1 August, 2017
Businesses in Singapore could soon be given new rights to process personal data without the consent of the people to whom the information relates, under proposals outlined by the government in the city state.
New data breach notification rules could also be implemented as part of reforms to the Personal Data Protection Act (PDPA) being considered.
The measures were announced by Singapore's minister for communications and information, Dr Yaacob Ibrahim. The proposals for reform are being consulted on by the Personal Data Protection Commission (PDPC) up until 21 September.
The PDPC said mandating consent be obtained for data processing in Singapore was not always effective or appropriate for the digital age.
According to its new proposals, businesses could be given qualified rights to collect, use and disclose personal data without consent as long as they notify the data subject of their purpose for such processing.
The 'notification of purpose' basis would only be able to be relied upon by organisations if "it is impractical for the organisation to obtain consent (and deemed consent does not apply); and the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals", the proposals said.
The PDPC said that businesses looking to rely on the 'notification of purpose' basis for processing personal data should "provide appropriate notification of the purpose of the collection, use or disclosure of the personal data, and where it is feasible … allow individuals to opt out of the collection, use or disclosure", and provide information on how they can do that.
A further right to process personal data without consent – where it is necessary for a legal or business purpose – has also been proposed. Businesses would not have to notify individuals about these processing activities, under the plans.
However, the 'legal or business purpose' basis for processing would also be subject to certain conditions. It could only be relied upon if "it is not desirable or appropriate to obtain consent from the individual for the purpose; and the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual".
The PDPC proposed that businesses that want to collect, use or disclose personal data without consent and notification for a legal or business purpose should "undertake measures to identify and minimise the risks to the individual from the collection, use or disclosure of personal data". To do this, they should carry out a "risk and impact assessment", such as a data protection impact assessment, "to assess the risks and impact of the intended collection, use or disclosure of personal data to the individual".
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the reforms, if introduced, would be welcomed by businesses operating in Singapore.
Practical examples of where the proposed new rules could apply include where organisations wish to warn others about persons who are not authorised to collect money on their behalf, where they want to use data analytics to match people to missing or unclaimed items or to identify fraud, or share information with regulators or consultants, Tan said.
The PDPC's consultation paper also contained plans for a new mandatory data breach notification regime to be introduced in Singapore. It said the current voluntary system "has resulted in uneven notification practices across organisations". The proposals seek to bring Singapore into line with other jurisdictions where mandatory data breach notification has been or is being introduced, such as under the EU's General Data Protection Regulation (GDPR).
To avoid placing "overly onerous regulatory burdens on businesses", notification of data breaches would only be required if certain thresholds are met, the PDPC said.
Under the plans, data breaches would need to be reported to the both the PDPC and "affected individuals" if the breach "poses any risk of impact or harm to the affected individuals". This will be the case where a breach "involves personal data such as NRIC number, health information, financial information or passwords", it said.
Data breaches would also need to be reported to the PDPC if the breach involves data about 500 or more "affected individuals", even if there is no risk of impact or harm to the affected individuals, it said.
Notification of data breaches to the PDPC must take place "as soon as practicable" and no later than 72 hours from the time the organisation becomes aware of the breach. All affected individuals will need to be informed of such breaches "as soon as practicable", according to the proposed new rules.
A number of exemptions to the data breach notification rules were set out by the PDPC. Among them, it said that businesses would not need to inform "affected individuals" of data breaches if doing so "is likely to impede law enforcement investigations", or if "the breached personal data is encrypted to a reasonable standard".
The new data breach notification rules will apply to cases where businesses outsource the processing of personal data to other organisations. In those circumstances, the data intermediaries will be obliged to "immediately inform the organisation that it processes the personal data on behalf and for the purposes of, regardless of the risk of harm or scale of impact of the data breach" when they experience a data breach. It will then be up to the contracting business to adhere to its notification duties.
Some businesses, such as financial firms, already face a duty to report data breaches in Singapore. The PDPC said those organisations should "notify PDPC concurrently" when reporting data breaches to sector regulators or law enforcement agencies. They should follow the specific "notification requirements" they are subject to, and not those that will be introduced under the PDPA reforms, it said.
Tan said the existing voluntary regime for reporting data breaches had caused uncertainty within the business community, particularly whether they would face consequences from not reporting a data breach to a regulator in one jurisdiction if they had notified the breach to a regulator in another.
"In order to report a data breach, organisations need to be prepared to assess the breach, take mitigating steps, and report the breach," Tan said. "If they are not familiar how to do it themselves, then they should consider engaging professionals to help."
"The plans for mandatory data breach notification must also be viewed in the context of the forthcoming Cybersecurity Act in Singapore, where critical information infrastructure operators will be obliged to report security incidents. Data breaches, once reported, may therefore attract the attention of the cybersecurity authorities under this future framework, even for non-critical information infrastructure operators," he said.
In his announcement of the reforms, Ibrahim also said that Singapore has applied to participate in two frameworks that exist to support cross border data transfers among Asia Pacific Economic Cooperation (APEC) countries – the APEC Cross-Border Privacy Rules system (CBPR), and the APEC Privacy Recognition for Processors system. The APEC is a group of 21 countries that includes Australia, China, Hong Kong, Japan and the US.
A new data protection certification scheme will also be implemented by the end of 2018 which will allow businesses to display a 'trustmark' to demonstrate that they adopt "sound practices" and keep their processes "updated regularly", Ibrahim said.
The trustmark initiative will be aligned with the two APEC data transfer frameworks so that businesses certified under the new trustmark scheme "will concurrently be certified under the APEC CBPR", he said.
The PDPC has also published a new guide to help businesses comply with data protection rules when sharing personal information outside their organisation.
For further information please contact:
Bryan Tan, Partner, Pinsent Masons MPillay
bryan.tan@pinsentmasons.com