11 August, 2017
On 27 July 2017, Singapore's Personal Data Protection Commission (PDPC) launched the first ever public consultation on the review of the Personal Data Protection Act (PDPA).
The public consultation addresses the following two areas: (i) an enhanced framework for collection, use and disclosure of personal data; and (ii) proposed mandatory data breach notification.
An aim of the first public consultation paper is to allow for a more progressive approach to collecting and using personal data, and to provide greater transparency when data breaches occur.
Dr Yaacob Ibrahim, Minister for Communications and Information (Minister) also announced that the PDPC is adopting a regulatory sandbox, a Trust Mark Certification Scheme and that Singapore has submitted its Notice of Intent to participate in the APEC Cross Border Privacy Rules System and the APEC Privacy Recognition for Processors System.
Enhanced Framework for Collection, Use and Disclosure of Personal Data
Given the rise of the Digital Economy and the sheer volume of data transactions, it may not be practical or possible for businesses to seek consent at every instance of data collection or use.
In this regard, the PDPC proposes to provide for the collection, use or disclosure of personal data without consent, in two situations where it is necessary for a legal or business purposes, and where an individual has been notified of the purposes of the collection, use and disclosure of personal data (subject to certain conditions).
Necessary for a legal or business purpose
This would encompass situations where it is not desirable to obtain consent from the individual, and where the benefit to the public would clearly outweigh any adverse impact to the individual.
For example, it would apply to situations where a group of organisations in a particular sector needs to share customer information in order to prevent potential fraudulent activities.
Consent not required where individual has been notified of purpose
The PDPC envisages that, subject to certain conditions, notification of purpose is sufficient to collect, use and disclose personal data.
The PDPC proposes that such notification will occur in the situations where it is impractical for the organisation to obtain consent (and deemed consent does not apply); and the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.
The PDPC does not intend to prescribe how organisations are to notify individuals. Further, the PDPC has not provided any guidance around the level of adverse impact that must impact on individuals to render the notification of purpose invalid.
Mandatory Breach Notification
Next, in light of the heightened risks and impact of data breaches, the PDPC is proposing to introduce a mandatory breach notification regime.
In this regard, organisations must notify affected individuals and the PDPC of a data breach that poses any risk of impact or harm to the affected individuals. This would include a data breach involving personal data, such as one's personal identification number, health information, financial information or passwords.
In addition, organisations must notify the PDPC where the scale of the data breach is significant, even if the breach does not pose any risk of impact or harm to the affected individuals. The PDPC is proposing for a data breach involving 500 or more affected individuals to be considered of a significant scale that would warrant notification.
The PDPC's announcement follows the Government's release of a public consultation paper on the draft Cybersecurity Bill. While the mandatory reporting obligations under the draft Bill are limited to critical information infrastructure owners, the proposed mandatory breach notification regime under the PDPA applies to all organisations. In fact, the PDPC acknowledges that the breach notification requirements under the PDPA should apply concurrently with notification regimes under other laws.
Public Consultation Timeframe
The public consultation exercise will close on 21 September 2017. Going forward, it will be interesting to see if the PDPC provides further guidance on the proposed amendments, including the criteria for assessing the risk of impact or harm to affected individuals.
Regulatory Sandbox
On 27 July 2017, the Minister at the Personal Data Protection Seminar announced that the PDPC is "prepared to work with companies who adopt accountability practices to create regulatory sandboxes" – the aim being to allow the PDPC to understand how the enhanced framework for the collection, use and disclosure of personal data is to work in practice, prior to the PDPA being amended.
The regulatory sandbox is intended to cover the period until the PDPA is amended. If your company is interested in participating in the PDPA regulatory sandbox, please let us know.
Data Protection Trust Mark Certification Scheme and Intention to Participate in APEC Cross-Border Privacy Rules System
The Minster also announced that the PDPA will launch a Data Protection Trust Mark Certification scheme by the end of 2018. A "DP Trustmark" will be a visible indicator that a business adopts sound practices and keeps its processes updated regularly.
Further, the Minister announced that Singapore has submitted its Notice of Intent to Participate in the APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System (CBPR and PRP System). The APAC CBPR and PRP System facilitates the cross border transfer of personal data.
The intention is that the DP Trustmark will be aligned with the CBPR and PRP System.
For further information, please contact:
Andy Leck, Principal, Baker & McKenzie.Wong & Leow
andy.leck@bakermckenzie.com
