The Personal Data Protection Commission (“PDPC”) has updated the Frequently Asked Questions section on its website www.pdpc.gov.sg with a new sub-section titled “Enhanced PDPA” following the passing of the Personal Data Protection (Amendment) Bill (“Bill”) in Parliament on 2 November 2020.
Among other things, the new sub-section sets out that the Bill (which will be the Personal Data Protection (Amendment) Act 2020) will likely come into force in early 2021. However we expect different dates of commencement for different sections of the Bill, for example in relation to the increased financial penalties as described below.
A summary of key changes under the Bill was covered in our article titled “Personal Data Protection (Amendment) Bill passed to introduce mandatory data breach notification, data portability requirement and increased financial penalty cap”.
Our recommendations on immediate steps to take
Section 12 of the Personal Data Protection Act 2012 (“PDPA”) requires organisations to develop and implement policies and practices to meet their obligations under the PDPA.
It would be appropriate to start the process of updating existing data protection policies and practices, which will involve organisations considering at least the following:
1. Formalising data breach procedures, undertaking security reviews
Under the Bill, organisations are required to assess whether a data breach incident is notifiable, and if so, to notify PDPC and affected individuals.
In view of the voluntary data breach notification regime currently in place, and general increased awareness of cybersecurity threats, organisations may already have implemented relevant procedures.
These procedures should be updated to include the additional requirements under the Bill, and either formally included within existing data protection policies, or simply referred to in such documents if these procedures have already been formalised within a separate policy.
Organisations may also wish to carry out a security review. In our experience, PDPC generally requests information on, and considers the scale and scope of security practices which were in place, when considering whether organisations had in place reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (section 24 of the PDPA).
Both physical security and cybersecurity measures should be examined as part of this security review, taking into consideration the following changes under the Bill:
- the Bill will expand the protection obligation under the PDPA (section 24 of the PDPA) to include a requirement for organisations to make reasonable security arrangements “to prevent … loss of any storage medium or device on which personal data is stored”; and
- the Bill also creates a new section 26(D)(5)(b) which reduces data breach notification obligations where personal data has been subject to: “any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.” One example of such a technological measure might be where the lost data is encrypted to a reasonable standard and cannot be decrypted.
2. Preparing for new data portability obligation
The new data portability obligation under the Bill will require organisations to transmit an individual’s personal data to another organisation if requested by that individual.
This may be of particular concern to organisations who are not already familiar with similar obligations under foreign data protection laws, such as Article 20 of the European Union General Data Protection Regulation.
Organisations should be aware that new regulations under the PDPA will be issued in the coming months, on the categories of data that should be portable, and other technical and consumer protection details.
Since the Minister for Communications and Information S Iswaran mentioned in his opening speech at the second reading of the Bill in Parliament that there will be a phased implementation, an extended timeline may be allowed to provide time for compliance. However we note that no explicit minimum period of delayed implementation has been mentioned for the data portability obligation (compared to the mention of a delay of no less than one year after the Bill comes into force, in respect of the potential increased maximum financial penalty (i.e. 10% of the organisation’s annual turnover in Singapore or S$1 million, whichever is higher)).
As such, all organisations should consider if they reasonably might expect any data portability requests from individuals, taking into account factors such as their use of personal data, and whether they are part of sectors such as banking and telecommunications which, in foreign jurisdictions, have been reported to be sectors where there has been effective use of the right to data portability.
3. Considering impact of new categories of deemed consent and exceptions to the consent requirement
Organisations will continue to be well served by having in place robust procedures and practices in relation to the management of consents obtained from individuals, including by developing and maintaining mechanisms to procure fresh consents.
However, organisations in Singapore may wish to consider reliance on the new categories of deemed consent and/or the new exceptions under which an organisation may collect, use and disclose personal data about an individual without the individual’s consent, to enable secondary uses in respect of particular data sets or in certain situations.
Of particular interest may be situations where the purpose of use of personal data by an organisation is for any of the following purposes (but always excluding direct marketing):
- improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation;
- improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation;
- learning about and understanding the behaviour and preferences of the relevant individual, or another individual in relation to the goods or services provided by the organisation; or
- identifying any goods or services provided by the organisation that may be suitable for the relevant individual or another individual, or personalising or customising any such goods or services for the relevant individual or another individual.