This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.
On 20 November 2020, the Personal Data Protection Commission (PDPC) issued the Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (Draft Guidelines). The Draft Guidelines clarify key provisions introduced under the PDPA (Amendment) Bill (Bill) issued on 5 October 2020. For information on the Bill, please see our earlier Law-Now update available here. The Draft Guidelines will be finalised and issued when the latest Bill comes into effect. The key clarifications included in the Draft Guidelines are set out below:
1. Increase to the cap on financial penalties
Bill: The Bill increased the maximum financial penalty imposed for a breach of a PDPA provision from S$1 million to the higher of either 10% of the offending organisation’s annual turnover in Singapore (if the gross annual turnover in Singapore exceeds S$10 million) or S$1 million.
Draft Guidelines and Commentary:
- The Draft Guidelines clarify the factors the PDPC uses to determine the penalty amount, including: (a) the nature, gravity and duration of the non-compliance; (b) the type and nature of the personal data affected by the non-compliance; (c) any financial benefit gained or financial loss avoided from the non-compliance; (d) mitigation steps (including their timeliness and effectiveness); (e) the implementation of adequate measures; (f) previous non-compliance records; (g) whether the financial penalty is proportionate and effective; (h) compliance with any directions given to remedy or mitigate the non-compliance; and (i) the likely impact of the financial penalty on the organisation.
- It will be useful for organisations’ data protection officers and privacy compliance teams to consider these factors carefully in order to ensure that some of these elements are incorporated into the organisation’s data management strategy.
2. Mandatory data breach notification requirement
Bill: The Bill introduces mandatory notification requirements similar to the GDPR to replace the previously voluntary notification regime recommended in its Guidelines.
Draft Guidelines and Commentary:
Data Breach Assessment
- The first step is for the organisation to assess whether the breach is notifiable. The Draft Guidelines set out the steps for doing so.
- Timeframe: The assessment should be made without delay. Although some time may be required, the assessment should generally be completed within 30 calendar days. Once it is determined that a breach is notifiable, the notification should be made no later than 72 hours (or 3 calendar days) thereafter.
- Criteria: The assessment should determine whether the triggers for notifying a breach are met, namely, (i) the likelihood of significant harm to affected individuals; or (ii) the significant scale of the breach.
- The Draft Guidelines provide that certain classes of data will be prescribed by regulations as likely to cause significant harm to individuals as a result of a data breach. Further, where a data breach affects 500 individuals, it would be considered a breach of significant scale.
Notification to PDPC and affected individuals
- Under the Draft Guidelines, the organisation should notify the PDPC as soon as practicable but no later than 72 hours (or 3 calendar days) and, where required, notify affected individuals at the same time as or after the notification to the PDPC. The specific details to include in notifications are set out in the Draft Guidelines and can be used as a base for template breach notification forms.
3. Expansion of “deemed consent”
Bill: The Bill expanded on the current deemed consent provisions of the PDPA and extended this to situations (a) where personal data processing is reasonably necessary to conclude or perform a contract; or (b) where reasonable steps are taken to notify the individual of the purpose of processing, and the individual is given a reasonable opportunity to opt out.
Draft Guidelines and Commentary:
- Deemed consent for “contractual necessity”: This deemed consent category is especially useful in enabling organisations to allow disclosure to any downstream data processing organisation (e.g. if personal data is provided for a banking transaction, it may be disclosed by the collecting organisation to its payment system providers).
- Deemed consent via “notification”: Reliance on this category requires the organisation to: (a) conduct an assessment to eliminate or mitigate adverse effects; (b) take reasonable steps to adequately notify the individual of the new purpose; and (c) provide a reasonable opt-out period. As the PDPC may request details of the organisation’s assessments under this category, organisations may wish to follow the PDPC’s suggested assessment checklist, which can be found in Annex B of the Draft Guidelines.
4. New exceptions to consent for “legitimate interest” and “business improvement”
Bill: The Bill introduces new exceptions to the Consent obligation where personal data is processed (a) for the organisation’s legitimate interests, which outweigh any adverse effect on the individual; or (b) for business improvement purposes (e.g. improving or enhancing goods or services, and understanding individuals’ behaviour and preferences in relation to the goods or services provided).
Draft Guidelines and Commentary:
- “legitimate interests”: To use this exception, organisations must (a) identify and articulate the legitimate interest (including benefits and beneficiaries); (b) conduct an assessment to identify adverse effects and reasonable mitigation measures; and (c) take reasonable steps to notify the individual of the organisation’s reliance on the exception. A clear assessment flowchart and checklist can be found in Annex C of the Draft Guidelines.
- “business improvement”: This exception applies where (a) the business improvement purpose cannot reasonably be achieved without using the personal data in an individually identifiable form; and (b) such use is reasonable under the circumstances.
5. New employee offences for mishandling of personal data
Bill: The Bill introduces new offences to hold employees or service providers accountable, namely (a) for the knowing or reckless unauthorised disclosure of personal data or unauthorised re-identification of anonymised data; and (b) use or re-identification of personal data.
Draft Guidelines and Commentary:
- The introduction of offences for employees is intended to criminalise egregious misconduct by employees whose actions are not authorised by their employers.
- Employees or service providers processing personal data and who are authorised to disclose, use or re-identify data under the organisation’s policies or service contracts are not subject to these new offences. The PDPC also does not intend to use the new offences to prosecute private disputes (e.g. an ex-employee disclosing the organisation’s customer lists).
- The Draft Guidelines do not elaborate on the scope of the offences, but do elaborate on the defences available, especially in relation to activities performed or engaged in by the organisation’s IT team, including permitted activities (which do not count as an offence) by data professionals, data recovery teams, researchers, and white-hat hackers.
If you would like to be kept updated on or have any queries in relation to the Draft Guidelines, please do not hesitate to approach the key contacts listed below.