27 February 2020
On 20 January 2020, the Personal Data Protection Commission (“PDPC”) issued its response to feedback received from a public consultation on the proposal to introduce provisions on data portability and data innovation under Singapore’s Personal Data Protection Act 2012 (“PDPA”). PDPC conducted the public consultation from 22 May 2019 to 17 July 2019.
In the public consultation, PDPC had proposed a data portability obligation in the PDPA which would require an organisation to transmit, at the request of an individual, the individual’s data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format. As for the proposed data innovation provisions, PDPC intends to make clear in the PDPA how organisations may use personal data without having to obtain consent for the “business innovation” (which PDPC now refers to as “business improvement”) purposes of (i) operational efficiency and service improvements; (ii) product or service development; or (iii) knowing customers better.
In general, the majority of respondents are supportive of PDPC’s proposals, and PDPC intends to introduce the data portability and data innovation provisions into the PDPA.
Proposed data portability obligation
PDPC will retain a number of the recommendations set out in the public consultation such as those relating to the scope of application of the data portability obligation, the exceptions (including the exceptions for confidential commercial information and derived data), preservation of requested data and PDPC’s power to review organisations’ (i) refusal to port data, (ii) failure to port data within a reasonable period, and (iii) fees for porting data. Set out below are some of the other issues raised in PDPC’s response with regard to the proposed data portability obligations which may be of interest:
- Phased implementation through Codes of Practice: The data portability obligation will come into effect in phases through the issuance of Codes of Practice or similarly suitable regulatory instruments (collectively termed “Regulatory Instruments”).
- Applicable to white-listed datasets: PDPC intends for the data portability obligation to apply only to white-listed datasets (a fixed, standard set of data categories) covered under the Regulatory Instruments. White-listed datasets will be identified jointly with industry stakeholders and any relevant sectoral regulators. The Regulatory Instruments are not intended to be sector-specific but to apply to any organisations that have the white-listed dataset in their possession or under their control.
- Scope of data covered to be reduced, business information to be covered: PDPC intends to reduce the scope of data covered by the data portability obligation to user-provided data (provided by the individual to the organisation) and user activity data (generated by the individual’s activities in using the organisation’s product or service) of individuals with whom the porting organisation has a direct and existing relationship. PDPC also intends to cover business contact information, as there is value for both individuals and receiving organisations for such data to be portable.
- Third party consent not required with safeguards included: Organisations need not obtain consent from the third party whose personal data is to be ported as a result of an individual’s data porting request but PDPC intends to include some safeguards.
- Requesting individual should be authorised party to contract: To address concerns over complications arising from requests made on behalf of another individual, PDPC clarifies that the requesting individual should be the authorised party to the contract for the provision of the product or service (e.g. main account holder, insurance policy owner).
- No additional steps required to verify accuracy of data: PDPC will not require porting organisations to introduce an additional step for the purpose of allowing individuals to verify the data before it is ported. Porting organisations will not need to take additional steps to verify the accuracy of data before it is ported. Receiving organisations will need to have policies and practices to ensure accuracy of the ported data they are likely to use to make decisions that affect the individuals.
- Fee amount not prescribed, guidance to be in Advisory Guidelines: PDPC does not intend to prescribe the fees that organisations may charge for data porting, but will provide guidance in Advisory Guidelines.
- No need to provide copy of data to requesting individual: PDPC clarifies that under the proposed obligation, organisations are only required to transmit the data to the receiving organisation, and are not required to provide a copy of the data to the individual. PDPC will be issuing Advisory Guidelines on how individuals may request a copy of their personal data in a commonly used machine-readable format under the PDPA.
Proposed data innovation provisions
PDPC intends to retain the proposal to provide for use of personal data without consent for “business improvement” purposes as outlined in the public consultation, and provide for this as an exception to the consent requirement under the PDPA. PDPC will provide further clarification on the scope of the proposed “business improvement” exception and how it will operate with the existing exception for research purposes and the proposed “legitimate interests” exception through Advisory Guidelines.
In view of the feedback received, PDPC intends to retain its proposal to exclude derived personal data from the requirement under the access and correction obligations to provide the individual with access to or to correct derived personal data at the individual’s request.
The following materials are available on the PDPC website www.pdpc.gov.sg:
- Response to feedback on the public consultation on proposed data portability and data innovation provisions
A number of organisations provided feedback to the public consultation.