On 1 February 2018, Singapore's Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation was to seek public feedback on proposed changes to Singapore's data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.
We set out below a summary of the key points that you should know about the public feedback and PDPC’s response.
Relaxation of the requirement to gather consent at data collection
The PDPC has proposed two significant changes to the requirements when gathering personal information from Singapore individuals. If adopted, these two changes will make it easier for Singapore businesses to make use of the data they collect without materially changing the protections afforded to individuals.
Proposed “Notification of Purpose” approach
The first change is to the requirement to notify individuals of the purpose for collecting data at the time of collection. Under Singapore's current data protection regime, organisations must obtain consent from individuals before collecting, using or disclosing their personal data. In the Public Consultation, the PDPC proposed allowing businesses to simply notify the individual of the purpose of collection at the time of collection (without the need to gather specific consent) if:
- it is impractical for the organisation to obtain consent; and
- the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.
Several respondents raised concerns about the ambiguous and uncertain nature of the conditions, as assessments of impracticability or whether an act is expected to have an adverse impact require subjective value judgments.
Recognising such concerns, the PDPC clarified that it intends to remove the condition of “impractical to obtain consent” and only retain the “not expected to have an adverse impact” condition. As for the application of this condition, the PDPC indicated that it would be releasing guidelines to provide further clarity.
Proposed “Legal or Business Purpose” approach
The second change is to permit businesses to make use of personal information of an individual without obtaining specific consent if that use is necessary for legal or business purposes, provided the organisation can show that:
- it is not desirable or appropriate to obtain consent from the individual; and
- the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.
Respondents were generally supportive of the proposal to allow the collecting, using or disclosing of personal data for a “Legal or Business Purpose”, although clarifications on the conditions were sought. In addition, some respondents suggested that the PDPC utilise the term “Legitimate Interests” and embody the legitimate interest test found in the European Union’s General Data Protection Regulation (GDPR).
In response, the PDPC agreed to utilise “Legitimate Interests” as a basis to collect, use or disclose personal data regardless of consent, instead of “Legal or Business Purpose”. The PDPC would provide further clarity on the activities that would fall within this basis, which may include preventing fraud. It was also clarified that this exception is not intended to cover direct marketing purposes.
With respect to the conditions to be satisfied before an organisation is able to rely on "Legitimate Interests", the PDPC stated that it intends to retain the condition that the "benefits to the public (or a section thereof) must outweigh any adverse impact to the individual" as part of the accountability measures to be implemented for organisations seeking to rely on this exception. However, no mention was made of the requirement that obtaining consent from the individual be "not desirable or appropriate".
The PDPC also indicated that it would provide a further safeguard for individuals in the form of an openness requirement, requiring organisations seeking to rely on this exception to:
- disclose its reliance on "Legitimate Interests" as a ground for collecting, using or disclosing personal data; and
- make available a document justifying the organisation's reliance on "Legitimate Interests", and the business contact information of the persons who are able to answer individuals' questions about such collection, use or disclosure on behalf of the organisation.
As a safeguard to the relaxation of the consent requirement, the PDPC proposed in the Public Consultation that organisations must conduct a risk and impact assessment and put in place measures to identify and mitigate the risks when relying on the “Notification of Purpose” or “Legitimate Interests” approach to collect, use or disclose personal data.
The PDPC noted that respondents sought clarification on whether such risk and impact assessments need to be documented, and whether they would be subject to PDPC’s pre-approval or review. Respondents also sought to clarify whether individuals could request a copy of such assessments.
In response, the PDPC clarified that such risk and impact assessments should be documented and that they would not be considered as personal data protection policies and need not be made available to the public or to individuals on request. In addition, the PDPC indicated that it would reserve the right to require disclosure of such assessments for PDPC’s consideration in the event of a complaint, in order to determine whether there is any contravention of the PDPA.
Mandatory data breach notification
The other significant change proposed by the PDPC is to require businesses to notify the PDPC and the affected individuals if there has been an unauthorised disclosure of the personal information that the business has collected, subject to certain criteria.
Criteria for breach notification
In the Public Consultation, the PDPC proposed the following criteria for breach notification:
- Notification to both affected individuals and PDPC if the data breach poses any risk of impact or harm to affected individuals.
- Notification to the PDPC if the scale of the data breach is significant even if the risk of impact or harm is minimal. The PDPC proposed that a breach involving 500 or more affected individuals would be of “significant scale” and require notification.
The majority of the respondents proposed that PDPC adopt a consistent risk-based approach to breach notification, and a higher threshold for notification to affected individuals as well as the PDPC. In addition, the majority of the respondents disagreed with the proposed threshold of 500 individuals as a criterion for scale of breach.
Having considered the responses, the PDPC indicated that it intends to maintain the notification criteria for both affected individuals and the PDPC, but to rephrase the requirement so that notification is triggered where the data breach is "likely to result in significant harm or impact to the individuals to whom the information relates". The rephrasing is important, as it raises the threshold for reporting from "any risk" to "significant" harm or impact. The PDPC also indicated that it intends to retain the criterion relating to significant scale of breach for notification to the PDPC alone where the impact on individuals is low. The PDPC explained that it needs this broader notification requirement in order to monitor the "market" for large-scale data breaches. The PDPC indicated that it would also provide further guidance on assessing the scale of impact of data breaches.
Time frame for notification
In the Public Consultation, it was proposed that organisations notify individuals “as soon as practicable”, without any fixed time cap for such breach notification. With respect to breach notification to the PDPC, the “as soon as practicable” standard similarly applies, subject to a time-cap of no later than 72 hours from the time the organisation becomes aware of the data breach.
The PDPC noted that the respondents generally agreed with the proposal for notification to individuals. As for notification to the PDPC, some respondents sought clarifications as to when the “clock” starts for the 72-hour time frame.
In light of the responses, the PDPC indicated that it intends to keep the proposed time frames for data breach notification. The PDPC also clarified that the time frame commences from the time the organisation determines that the breach is eligible for reporting. In this regard, the PDPC has provided a further 30-day assessment period, from the day the organisation first becomes aware of a suspected breach, to assess its eligibility for notification. The relevant time frames (i.e. 72 hours to the PDPC / "as soon as practicable" to individuals) therefore commence only after the organisation has determined that the breach is eligible for reporting, and in practice an organisation will need to be able to evidence both the date it first became aware of the suspected breach and the date of that determination.
It was proposed in the Public Consultation that the mandatory data breach notification requirements under the PDPA should concurrently apply with data breach notification requirements under other laws or sectoral regulation.
While some respondents proposed that only a single regulator should be notified of a breach, or that a harmonised notification platform across government agencies and overseas jurisdictions be put in place, the PDPC indicated that it intends for the PDPA's mandatory data breach notification requirements to apply concurrently with data breach notification requirements under other written law. This means that organisations are required to notify both the PDPC and the sectoral regulator / law enforcement agency (where applicable), in accordance with the notification requirements under the other written law. To mitigate the burden of concurrent application of data breach notification requirements, the PDPC indicated that an organisation may adopt the same format of notification for its breach notifications to the PDPC as it uses for reporting to the other sectoral regulator or law enforcement agency. The PDPC also stated that it would explore mechanisms for streamlining notifications to the PDPC and other sectoral or law enforcement agencies.
The PDPC's response provides useful insight into the changes that we can expect to be made to the PDPA, and such changes will have a significant positive impact on organisations engaged in the data-driven digital economy.
The proposed exemptions from the consent requirements in the PDPA will allow businesses to make use of personal information to the benefit of consumers while still retaining the important safeguards that protect an individual's privacy. Once the amendments to the PDPA are confirmed, organisations should review their existing data protection policies and procedures and conduct a data protection impact assessment.
The likely introduction of mandatory data breach notification will mean that organisations need to pay closer attention to how they manage data and cybersecurity breaches, which are becoming increasingly common.
In order to ensure compliance with regulatory obligations, all organisations should have in place a comprehensive cyber breach-response plan that includes protocols for assessing whether a breach meets the notification threshold within the 30-day assessment period, for notifying the PDPC within 72 hours and affected individuals as soon as practicable once it does, and for responding to, and cooperating with, requests from regulators such as the PDPC on cyber incidents. In the event of a cyber incident, such a plan will minimise disruption to business operations and help ensure compliance with regulatory obligations.