The consultation paper is a step in the right direction for Singapore on its Smart Nation journey given the importance of data analytics in the digital economy, whilst the mandatory breach notification provisions align the Singapore data protection regime with that of Singapore’s draft Cybersecurity Bill which was recently introduced.
The consultation paper demonstrates that the PDPC recognises the importance of data for innovation and growth, and has proposed changes to ensure the regulatory environment keeps pace with evolving technology in enabling innovation, while ensuring effective protection for individuals’ personal data in the changing landscape.
The following are the 3 key things you need to know about the PDPC’s proposed changes:
1. Notification of purpose can be sufficient. Although the PDPC proposes that organisations should still seek consent for collecting, using and disclosing personal data where practicable, it recognises the need to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public. The PDPC recommends that notifying individuals of the purpose can be sufficient where: (i) it is impractical to obtain consent (and deemed consent does not apply); and (ii) the collection, use or disclosure of personal data is not expected to have any adverse impact on individuals. However, when using this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise.
2. Consent (or notification) not needed where it is for a legitimate purpose. Under the current personal data protection regime, except for where an exemption applies, organisations are not allowed to collect, use or disclose personal data without consent even for a legitimate purpose if this is not expressly provided for or required under any written law (e.g. the sharing and use of personal data to detect and prevent fraudulent activities). As such, the PDPC proposes to update the law so that organisations will be able to collect, use or disclose personal data without consent where: (i) it is not desirable or appropriate to obtain consent; and (ii) the benefits to the public clearly outweigh any adverse or risks to the individual. Again, when relying on this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise.
3. Mandatory data breach notifications. Currently, there are no mandatory requirements to notify an individual when a data breach has occurred, and this approach has resulted in uneven notification practices across organisations. In order to strengthen protection for individuals, the PDPC proposes to introduce mandatory data breach notification obligations where organisations must notify affected individuals and the PDPC of data breaches as soon as practical if: (i) the breach poses any risk of impact to the affected individuals; and (ii) the scale of the breach is significant (i.e. involves 500 or more individuals). These obligations will apply concurrently with existing sectoral notification requirements (e.g. MAS rules), although they will not be applicable if the notification to affected individuals will impede law enforcement investigations or the breached personal data is encrypted to a reasonable standard. Where the organisation’s data intermediary (DI) experiences a data breach, the PDPC also proposes that the DI immediately inform the relevant organisation, and the organisation will be responsible for complying with these breach notification obligations.
With Singapore’s Smart Nation initiative and push towards a digital economy, our current consent-based approach to personal data protection in certain circumstances is becoming increasingly impractical and we are becoming more vulnerable to data breaches. As such, PDPC’s proposals to update the personal data protection regime to reflect the changing technological landscape is necessary and timely.
The public consultation on the above PDPC proposals closes on 21 September 2017.