4 July, 2016
FOCUS: Businesses are less likely to be fined for breaching Singapore data protection rules if they can resolve complaints directly with consumers.
That message is clear from recent guidance issued by Singapore's data protection watchdog on enforcement of the country's Personal Data Protection Act (PDPA) (43-page / 406KB PDF) and should encourage companies to improve their complaint handling procedures.
In its guidance the Personal Data Protection Commission stressed that consumers should seek to address data protection issues with companies directly before filing complaints with it. Complaints that are frivolous or vexatious or not made in good faith will be dismissed, whilst the watchdog said that its preferred approach to valid complaints is to "facilitate the resolution of the matters raised in the complaint or application between the individual and the organisation concerned instead of immediately exercising its powers of investigation under the PDPA".
The PDPC said it will consider agreements to resolve complaints when determining whether to take any further enforcement action, although it said that good complaint handling may not help businesses escape investigation and potential fines in cases of "significant non-compliance" or in other "exceptional circumstances". In addition, it confirmed that it does not necessarily require a complaint to be lodged to initiate enforcement action. It said it can open investigations into an organisation's data protection practices on its own initiative, based on information it receives.
The PDPC has no powers to award damages to people who raise complaints about data protection practices, but it can fine companies that breach the PDPA. According to its guidance, where the PDPC determines that a fine is justified it will consider both aggravating and mitigating factors when calculating the level of financial penalty to impose.
According to its guidance, aggravating factors might include cases where breaches of the Act are intentional, repeated or ongoing, or where a business has failed to "actively take reasonable steps" to resolve matters with affected individuals "in an effective and prompt manner". Disrupting PDPC investigations or failing to act on previous warnings might also lead to fines being increased.
Businesses that voluntarily notify the Commission of any breach of the Act, take steps on their own initiative to prevent or reduce the harm of a breach and that offer remedies to individuals affected by a breach might benefit from a reduced fine, it said.
One area where businesses must be particularly sensitive to the needs of consumers is in how they respond to requests by those customers for access to the personal data the business holds about them.
Under the PDPA people have a general but not absolute right to obtain a copy of data about them which organisations have in their possession or control "as soon as reasonably possible" upon request. In addition, people are entitled, upon such request, to be provided with "information about the ways in which the personal data … has been or may have been used or disclosed by the organisation within a year before the date of the request".
The PDPC's guidance confirms the watchdog's powers to review organisations' handling of subject access requests. That should encourage organisations to make sure that they always provide data subjects with reasons why they cannot comply with subject access requests.
A number of exemptions are written into the PDPA to allow organisations to refuse subject access requests, for example if meeting the request would reveal another person's data or be contrary to the national interest. Businesses should be clear with data subjects which exemption they are relying on if they refuse a subject access request.
Businesses are entitled to charge a reasonable fee to people who file subject access requests so as to cover the cost of meeting those requests. The PDPC's guidance explains that businesses should consider looking at the level of fees other organisations within their industry charge to fulfil subject access requests. Carrying out this review can help businesses justify the fees they subsequently charge as being reasonable if they are challenged by data subjects and drawn to the attention of the PDPC.
The PDPC's guide also warns any businesses considering issuing public statements on alleged breaches of Singapore data protection laws, such as in the case of data breach incidents, to first consider whether the content would hinder ongoing investigations. The PDPC urges businesses to share a copy of the statements they intend to release with it before they are made public.
For further information please contact:
Bryan Tan, Partner, Pinsent Masons MPillay