8 August, 2017
On 27 July 2017, the Singapore Personal Data Protection Commission (“PDPC”) embarked on a series of initiatives as part of its efforts to develop a trusted data ecosystem in Singapore, namely:
- issuing a public consultation paper seeking the views of the public before 21 September 2017 on two proposed changes to the PDPA;
- issuing a new guide on the appropriate approach for sharing personal data in compliance with the PDPA (“Data Sharing Guide”); and
- submitting a notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system and the APEC Privacy Recognition for Processors System (“PRP”).
Public consultation: Mandatory Data Breach Notification
The current PDPA does not require organisations to notify any party when a data breach occurs, although organisations are encouraged to notify the PDPC where the data breach might cause public concern or where there is a risk of harm to a group of affected individuals. The PDPC is proposing to introduce the following mandatory data breach notification regime.
What is the threshold for notification and who to notify?
Where the data breach poses any risk of impact or harm to the affected individuals, organisations must notify the affected individuals and the PDPC.
Where the scale of the data breach is significant (i.e. a data breach involving 500 or more affected individuals), organisations must notify the PDPC, even if the breach does not pose any risk of impact or harm to the affected individuals.
Where the data breach meets the criteria for notification under the PDPA and the organisation is required to notify a sectoral or law enforcement agency (e.g. the Monetary Authority of Singapore) under other legislation, the organisation must notify the PDPC concurrently.
Where the organisation is required to notify the affected individuals under other legislation, the notification made in accordance with the requirements of the other written law is sufficient to meet the PDPA’s requirements; however, the organisation must also notify the PDPC of the data breach.
Who else should make the notification?
A data intermediary, which processes personal data on behalf of and for the purposes of another organisation, must immediately inform that organisation if it experiences a data breach (regardless of the risk of harm or the size of impact of the data breach). The organisation will remain responsible for complying with the notification requirements under the PDPA.
When should the notification be made?
Organisations are required to notify individuals and the PDPC as soon as practicable, but, in the case of a notification to the PDPC, it must be no later than 72 hours from the time they become aware of the data breach.
How to notify?
There is no prescribed mode of notification. The PDPC will issue advisory guidelines to provide guidance on complying with the notification requirements when introduced.
What are the exceptions and exemptions from notification?
Certain exceptions and exemptions from breach notification will apply. They include the exclusions of application of the PDPA under section 4 of the PDPA (e.g. an individual acting in a personal or domestic capacity, an employee acting in the course of his or her employment, any public agency, any organisation acting on behalf of a public agency, and inconsistency with other written law), where notification is likely to impede law enforcement investigations and where the breached personal data is encrypted to a reasonable standard.
Scope of consultation
The PDPC is seeking the public’s views on the proposed mandatory data breach notification requirements, the exceptions and exemptions from notification, and the time frames for notification.
According to the PDPC, the current voluntary approach to data breach notification has resulted in uneven notification practices across organisations in Singapore. A mandatory data breach notification regime would benefit the public and instil public confidence in the data privacy regime in Singapore. The proposed change, if introduced with clear criteria for notification, would enable organisations to better manage a data breach and approach notification holistically, in view of the proposed Cybersecurity Bill released for public consultation on 10 July 2017.
Data Sharing Guide
The Data Sharing Guide explains how the PDPA applies to the sharing of personal data within and between organisations. The PDPC provides guidance on the factors that an organisation should consider before it decides to share personal data. Organisations may refer to the Data Sharing Guide to understand the various approaches to sharing personal data in compliance with the PDPA and the exceptions where organisations may collect, use or disclose personal data without consent, including an application to the PDPC for its data sharing arrangements to be exempted from one or more obligations under the PDPA.
The Data Sharing Guide is a useful and practical tool for organisations when sharing data internally or with other parties. It contains numerous examples illustrating data sharing situations where the PDPA may apply, and includes a sample list of questions and a workflow process template to assist organisations in deciding whether to share personal data.
Notice of intent to join APEC CBPR system and PRP
Singapore submitted its notice of intent to join the APEC CBPR system and the APEC PRP on 27 July. Singapore would be only the sixth member of the CBPR System, joining Canada, Mexico, Japan, South Korea and the United States, and the first from South East Asia.
In his address at the Singapore Personal Data Protection Seminar 2017, Dr. Yaacob Ibrahim, Minister for Communications and Information, said that the direct value added to Singapore’s GDP by data connectivity in trade is around 40%, and that the APEC CBPR system will facilitate the cross-border exchange of data with Singapore.
The APEC CBPR system is a cross-border data transfer mechanism and an enforceable privacy code of conduct developed for the 21 APEC member economies, while the APEC PRP system is designed to help personal information processors assist controllers in complying with relevant privacy obligations, and helps controllers identify qualified and accountable processors.
Singapore’s intent to join both systems signifies a recognition that alignment of data protection systems with other countries is important to facilitate economic growth as the world’s economy becomes increasingly digitised and data-dependent.
For further information, please contact:
Niranjan Arasaratnam, Partner, Linklaters
niranjan.arasaratnam@linklaters.com