Legal Bulletin August 2017



Published date: 30 Aug 2017

PDPC conducts public consultation to enable collection, use or disclosure of personal data where consent is not practical or desirable, and to introduce a mandatory data breach notification regime

The Personal Data Protection Commission (“PDPC”) is reviewing the Personal Data Protection Act (“PDPA”) to keep pace with technology and global developments, especially in view of the growth of Internet of Things devices, machine learning and artificial intelligence.
 
Between 27 July 2017 and 21 September 2017, PDPC is conducting a public consultation to seek feedback on proposals to enable the collection, use or disclosure of personal data where consent is not practical or desirable, and to introduce a mandatory data breach notification regime. Minister for Communications and Information, Dr Yaacob Ibrahim (“Minister”), announced the launch of the public consultation at the 5th Personal Data Protection Seminar on 27 July 2017. He also unveiled several initiatives which PDPC is embarking on as part of its efforts to develop a trusted data ecosystem in Singapore.
 
Key proposals
1. To enable the collection, use or disclosure of personal data where consent is not practical or desirable
  • Notification of purpose as a basis to collect, use and disclose personal data where it is impractical to obtain consent
  • Legal or business purpose as a basis to collect, use and disclose personal data without consent
2. To introduce a mandatory data breach notification regime
  • Criteria for breach notification
  • Concurrent application with other laws and sectoral breach notification regimes
  • Data intermediaries must inform the organisation of any data breach immediately
  • Notify all affected individuals as soon as practicable
  • Notify PDPC no later than 72 hours from the time the organisation is aware of the data breach
  • Mode of notification not prescribed
 
 
PDPC is proposing to strengthen the PDPA to enable the collection, use or disclosure of personal data where consent is not practical or desirable as follows:
 
·         Notification of purpose as a basis to collect, use and disclose personal data where it is impractical to obtain consent: PDPC considers that notifying individuals of the purpose (“Notification of Purpose”) can be an appropriate basis for an organisation to collect, use and disclose personal data where (i) it is impractical to obtain consent (and deemed consent does not apply), and (ii) the collection, use or disclosure is not expected to have any adverse impact on the individuals.
 
·         Legal or business purpose as a basis to collect, use and disclose personal data without consent: PDPC proposes to allow the collection, use or disclosure of personal data without consent for a legal or business purpose (“Legal or Business Purpose”) where (i) it is not desirable or appropriate to obtain consent from the individual for that purpose, and (ii) the benefits to the public clearly outweigh any adverse impact on the individual (e.g. fraud detection and prevention).
 
Mandatory data breach notification regime
 
To strengthen protection for individuals and build confidence in organisations’ management and protection of personal data, PDPC is proposing to introduce a mandatory data breach notification regime under the PDPA with the following key features:
 
·         Criteria for breach notification: Organisations must: (i) notify affected individuals and PDPC of a data breach that poses any risk of impact or harm to the affected individuals; and (ii) notify PDPC where the scale of the data breach is significant, even if the breach does not pose any risk of impact or harm to the affected individuals. A breach can therefore be notifiable to PDPC on scale alone, without any finding of harm.
 
·         Concurrent application with other laws and sectoral breach notification regimes: PDPC proposes for the data breach notification requirements under the PDPA to apply concurrently with other notification requirements under other laws and sectoral regulations (e.g. Monetary Authority of Singapore (“MAS”) Notices 127 and 644 on Technology Risk Management).
 
·         Data intermediaries must inform the organisation of any data breach immediately: Where an organisation’s data intermediary experiences a data breach, the data intermediary must immediately inform the organisation on whose behalf, and for whose purposes, it processes the personal data, regardless of the risk of harm or the scale of impact of the data breach. The assessment of whether the breach meets the notification criteria remains with the organisation, not the intermediary.
 
·         Notify all affected individuals as soon as practicable: Where a data breach meets the criteria for notifying affected individuals under the PDPA, PDPC proposes to require that the organisation notifies all affected individuals as soon as practicable, unless an exception or exemption applies.
 
·         Notify PDPC no later than 72 hours from the time the organisation is aware of the data breach: Where a data breach meets the criteria for notifying PDPC under the PDPA, the organisation must notify PDPC as soon as practicable, and in any case no later than 72 hours from the time it is aware of the data breach.
 
·         Mode of notification not prescribed: PDPC does not intend to prescribe the mode of notification to PDPC and affected individuals.
 
PDPC’s initiatives to develop a trusted data ecosystem in Singapore and upcoming resources
 
Set out below are the initiatives announced by the Minister at the 5th Personal Data Protection Seminar on 27 July 2017:
 
·         Publication of a new guide to help organisations adopt best practices when sharing data, including a framework for PDPC to exempt particular data sharing arrangements from specific obligations under the PDPA.
 
·         Plans to introduce a Data Protection Trustmark certification scheme by end 2018.
 
·         Singapore’s Notice of Intent to participate in the APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System (APEC CBPR and PRP).
 
Organisations may also look forward to upcoming resources, which include a “Guide to Developing a Data Protection Management Programme (DPMP)”, a “Guide to Data Protection Impact Assessments (DPIAs)”, the free online PDPA Assessment Tool for Organisations, the Data Protection Starter Kit for SMEs and the Data Protection Advisor initiative, under which PDPC will appoint a panel of advisors to provide targeted help for SMEs to comply with the PDPA.
 
Other PDPA related developments
 
On 27 July 2017, PDPC also released revisions to the following advisory guidelines:
 
·         Chapter 5 of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act has been revised to provide further clarity on what constitutes personal data, including the types of data which, on their own, constitute personal data.
 
·         Chapters 3, 7 and 11 of the Advisory Guidelines on the Do Not Call Provisions have also been revised to provide further clarification on responding to requests for information made through a third party, sending specified messages to Singapore telephone numbers obtained from third party sources, and the definition of “ongoing relationship”.
 
Reference materials
 
The following materials are available from the PDPC website www.pdpc.gov.sg:
 
·         Media release

·         Consultation paper

·         Guide to Data Sharing
