27 February 2018
On 1 February 2018, the Personal Data Protection Commission (“PDPC”) issued its response to the feedback received from a public consultation conducted between 27 July 2017 and 5 October 2017 on approaches to managing personal data in the digital economy. The PDPC had sought feedback on (1) the relevance of other bases for collecting, using and disclosing personal data under the Personal Data Protection Act 2012 (“PDPA”), namely the proposed “Notification of Purpose” and “Legal or Business Purpose” approaches, and (2) a mandatory data breach notification regime.
Legislation in relation to these changes is presently expected to be promulgated only next year (i.e. in 2019).
This article summarises the key matters raised by respondents and PDPC’s response.
Notification of purpose as a basis to collect, use and disclose personal data where impractical to obtain consent
In the public consultation, PDPC proposed that notifying individuals of the purpose (“Notification of Purpose”) can be an appropriate basis for an organisation to collect, use and disclose personal data where (i) it is impractical to obtain consent (and deemed consent does not apply), and (ii) such collection, use or disclosure is not expected to have any adverse impact on the individuals. While most of the respondents were generally supportive, some raised concerns and/or sought clarification on the proposed conditions for the Notification of Purpose approach to apply. PDPC’s response is as follows:
- Remove the condition of “impractical to obtain consent”: PDPC will remove the condition of “impractical to obtain consent” but retain (and rephrase to similar effect) the condition of “not likely to have any adverse impact on the individuals”. The intent is that the use of Notification of Purpose as a basis for collecting, using and disclosing personal data is appropriate in situations where there is no foreseeable adverse impact on the individuals arising from the collection, use and disclosure of their personal data. PDPC will issue guidelines to provide further clarity on what would be considered “not likely to have any adverse impact”.
- Organisations to determine appropriate notification: Respondents had sought clarification on the appropriate notification to be provided for Notification of Purpose. PDPC’s response is that it will not prescribe how organisations are to notify individuals. It is the organisations’ responsibility to determine the most appropriate way of notifying individuals based on the organisations’ specific circumstances. Organisations should ensure that they take reasonable steps to inform individuals of (i) the purpose of the collection, use or disclosure of the personal data, and (ii) information about opting out. PDPC suggested in its response that there could be certain circumstances (e.g. the organisation has no means of contacting the individuals) where it may be considered appropriate for the organisation to provide a general notification on its website or social media page. PDPC will provide further guidance in guidelines to address circumstances where large volumes of personal data are instantaneously and seamlessly collected (e.g. data collected by sensors).
- Revised consent framework to incorporate Notification of Purpose, new opt-out approach: Presently, the consent framework under the PDPA provides for actual consent and deemed consent. Individuals may at any time withdraw any consent given, or deemed to have been given, under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose. PDPC intends to provide for Notification of Purpose as part of the consent framework under the PDPA.
In addition to the current actual consent and deemed consent under the PDPA, PDPC intends to provide for an opt-out approach as part of the consent framework under the PDPA where the individual is notified of the purposes of the collection, use or disclosure of his personal data, and provided a reasonable time period to opt out (where opt-out is feasible) but does not opt out within the time period (“Deemed Consent by Notification”).
Under this approach, the organisation must conduct a risk and impact assessment, such as a data protection impact assessment, as an accountability measure to ascertain whether the intended collection, use or disclosure is likely to have any adverse impact on the individual. Organisations may not rely on Deemed Consent by Notification for purposes that are likely to have any adverse impact or consequences for the individual. Organisations may also not rely on Deemed Consent by Notification for direct marketing purposes.
Legal or business purpose as a basis to collect, use and disclose personal data without consent
In the public consultation, PDPC proposed to allow organisations to collect, use and disclose personal data without consent for a legal or business purpose (“Legal or Business Purpose”) where (i) it is not desirable or appropriate to obtain consent from the individual for the purpose, and (ii) where the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual. Although mostly supportive, there were mixed views on the proposed conditions of “not desirable or appropriate to obtain consent” and “benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual”. Respondents also suggested using the term “Legitimate Interests”, and to embody the legitimate interest test adopted in the European Union General Data Protection Regulation (EU GDPR). PDPC responded as follows:
- “Legitimate Interests” as a basis to collect, use or disclose personal data regardless of consent: PDPC intends to provide for Legitimate Interests as a basis to collect, use or disclose personal data regardless of consent and will provide clarification in guidelines on the legal or business purposes that come within its ambit. The Legitimate Interests exception is not intended to cover direct marketing purposes. The intent is to enable organisations to collect, use or disclose personal data in circumstances where there is a need to protect legitimate interests that will have economic, social, security or other benefits for the public, and such processing should not be subject to consent since individuals may not provide consent in such circumstances (e.g. an individual seeking to avoid fraud detection would not consent to it).
- Retain and rephrase condition on “benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual”: PDPC intends to retain (and rephrase to similar effect) this condition as part of the accountability measures to be implemented by organisations when relying on this exception. Organisations that wish to collect, use or disclose personal data regardless of consent for Legitimate Interests will need to conduct a risk and impact assessment to determine whether the benefits outweigh any foreseeable adverse impact to the individual.
- New openness requirement for managing or terminating employment relationship: As an additional safeguard, PDPC intends to provide for an openness requirement to the Legitimate Interests exception, similar to the current requirement under the PDPA to inform individuals of the purpose of managing or terminating employment relationships. An organisation will be required to (i) disclose its reliance on Legitimate Interests as a ground for collection, use or disclosure, which could be done through the organisation’s data protection policy that is made available to the public; and (ii) make available a document justifying the organisation’s reliance on Legitimate Interests, together with the business contact information of the person who is able to answer individuals’ questions about such collection, use or disclosure on behalf of the organisation.
Mandatory data breach notification regime
In the public consultation, PDPC proposed to introduce a new mandatory data breach notification regime under the PDPA. Most of the respondents were supportive of the proposed new regime. PDPC’s response to the feedback received is set out as follows:
- Retain and rephrase criteria for notification: In consideration of the responses provided, PDPC intends to retain and rephrase (to similar effect) the criterion of “likely to result in significant harm or impact to the individuals to whom the information relates” for breach notifications to affected individuals as well as to PDPC. Further guidance on assessing whether a data breach is likely to result in significant impact or harm will be provided in guidelines. PDPC also intends to retain the criterion of significant scale of breach for notification to PDPC, but will not prescribe a statutory threshold for the number of affected individuals (e.g. 500 or more). PDPC will provide further guidance on assessing the scale of impact in guidelines.
- Notify PDPC no later than 72 hours from the time it is aware of data breach: PDPC intends to retain the proposed time frames for notification to affected individuals (i.e. “as soon as practicable”) and to PDPC (i.e. “as soon as practicable, no later than 72 hours”).
- 30 days to determine veracity of suspected breaches: The proposed time frames for notifying affected individuals and PDPC will commence from the time the relevant organisation determines that the breach is eligible for reporting. In this regard, PDPC intends to provide for an assessment period of up to 30 days from the day the organisation first becomes aware of a suspected breach, to assess its eligibility for notification. The organisation must document the steps taken in assessing a breach from the time it first becomes aware of it to demonstrate that it has taken all reasonable and expeditious steps to assess the breach.
Organisations may choose to notify PDPC of the suspected breach incident at any time during the assessment period so that they can receive guidance from PDPC where necessary. To be clear, the organisation must notify all affected individuals as soon as practicable from the time the organisation determines that the breach is eligible for reporting, regardless of whether it has fully utilised the 30-day assessment period.
Where a data breach is discovered by a data intermediary (“DI”) that is processing personal data on behalf and for the purposes of another organisation, the 30-day assessment period for that organisation to assess and establish the eligibility of a suspected breach will commence from the time the DI first becomes aware of the breach. The DI will therefore be required to notify the organisation on whose behalf and for whose purposes it processes the personal data, without undue delay from the time it first becomes aware of the breach.
- Exceptions to notifying affected individuals to include investigations: PDPC intends to extend the coverage of the law enforcement exception to include investigations carried out by other agencies authorised by law or investigations conducted by organisations to discharge obligations imposed by law. Organisations will not be required to notify affected individuals of an eligible breach that is the subject of an ongoing or potential investigation under the law if it is assessed that notifying affected individuals will compromise investigations or prejudice enforcement efforts under the law.
On the proposed technological protection exception, PDPC intends to broaden the exception beyond encryption specifically, to be technology-neutral. For example, loss of personal data may not constitute a data breach if the lost data is protected by technological measures such that it cannot be usefully accessed by unauthorised persons (e.g. where the lost data is encrypted to a reasonable standard and cannot be decrypted).
PDPC also intends to provide an exception for organisations which have taken remedial actions to reduce the potential harm or impact to the affected individuals, such that these organisations are only required to notify the PDPC and not the individuals.
- Exclusions under section 4 of PDPA to apply to data breach notification provisions: PDPC intends for the exclusions under section 4 of the PDPA to apply to the data breach notification provisions under the PDPA. For instance, where a data breach is committed by an employee acting in the course of his or her employment with the organisation, the organisation (not the employee) will be liable for the data breach under the PDPA, and the organisation will be responsible for complying with the data breach notification requirements under the PDPA.
- Concurrent notification to PDPC and other regulators: Where an organisation is required to notify a sectoral or law enforcement agency of a data breach under other written law, and that data breach meets the criteria for notifying the PDPC, the organisation must notify the other sectoral or law enforcement agency according to the requirements under the other written law, and it must also notify PDPC and affected individuals according to the time frames for data breach notifications under the PDPA. To minimise the regulatory burden on organisations, an organisation may adopt the same format of notification required for reporting to the other sectoral regulator or law enforcement agency for its breach notifications to PDPC. For breach notifications to affected individuals, PDPC will issue advisory guidelines to provide guidance on the information to be provided in organisations’ communications to ensure clarity and assurance for affected individuals. PDPC will also explore mechanisms for streamlining notifications to PDPC and the relevant sectoral or law enforcement agencies.
The following materials are available from the PDPC website www.pdpc.gov.sg:
- Media release
- Response to feedback on the public consultation on approaches to managing personal data in the digital economy