3 Things you need to know about Singapore’s proposed changes to Data Protection
Jul 31

On 27 July 2017, the Personal Data Protection Commission of Singapore (PDPC) issued a public consultation paper on managing personal data in the digital economy. The consultation paper seeks to better facilitate the use of personal data in the digital economy through changes to the consent requirements, and at the same time seeks to ensure that security standards are uplifted through the introduction of mandatory breach notification. The consultation paper is a step in the right direction for Singapore on its Smart Nation journey, given the importance of data analytics in the digital economy, whilst the mandatory breach notification provisions align the Singapore data protection regime with Singapore’s recently introduced draft Cybersecurity Bill. The consultation paper demonstrates that the PDPC recognises the importance of data for innovation and growth, and has proposed changes to ensure the regulatory environment keeps pace with evolving technology in enabling innovation, while ensuring effective protection for individuals’ personal data in the changing landscape. The following are the 3 key things you need to know about the PDPC’s proposed changes:

Notification of purpose can be sufficient. Although the PDPC proposes that organisations should still seek consent for collecting, using and disclosing personal data where practicable, it recognises the need to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public. The PDPC recommends that notifying individuals of the purpose can be sufficient where: (i) it is impractical to obtain consent (and deemed consent does not apply); and (ii) the collection, use or disclosure of personal data is not expected to have any adverse impact on individuals. However, when relying on this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise.
Consent (or notification) not needed where it is for a legitimate purpose. Under the current personal data protection regime, except where an exemption applies, organisations are not allowed to collect, use or disclose personal data without consent, even for a legitimate purpose, if this is not expressly provided for or required under any written law (e.g. the sharing and use of personal data to detect and prevent fraudulent activities). As such, the PDPC proposes to update the law so that organisations will be able to collect, use or disclose personal data without consent where: (i) it is not desirable or appropriate to obtain consent; and (ii) the benefits to the public clearly outweigh any adverse effects or risks to the individual. Again, when relying on this exception, organisations have to conduct a risk and impact assessment...

Singapore cracks down on privacy breaches
Apr 25

Singapore’s data protection regulator, the Personal Data Protection Commission (PDPC), has been cracking down on breaches of the Personal Data Protection Act (PDPA). It has just released a set of Data Protection Enforcement Cases, which includes a list of enforcement actions taken against 11 organisations for breaching the PDPA. This provides an insight into the approach the authorities will take to enforcing what is still a relatively new law.

According to the reported enforcement cases, four organisations were fined, with fines ranging from S$5,000 to S$50,000 (about USD 3,700 to USD 37,000), and seven others were issued warnings or directions. The PDPC looked at various factors when determining the severity of breaches, such as the extent to which the organisations had data protection policies and processes in place, the time taken to remedy the breach, the number of affected individuals and the type of personal data involved.

The highest fine of S$50,000 (about USD 37,000) was imposed on K Box Entertainment Group for failing to have in place adequate security measures to protect its members’ personal data, resulting in details of 317,000 members being leaked online in September 2014. An IT vendor, Finantech Holdings, which was engaged by K Box to develop and manage K Box’s Content Management System, was also found liable and fined S$10,000 (about USD 7,400) as a data intermediary for K Box. As with all published enforcement actions, the reputational implications tend to be at least as significant as any other penalties.

Since the PDPA came into force in July 2014, the PDPC has received 667 complaints in total, of which 92% were resolved by investigation and facilitation between the respective complainants and organisations. Common issues raised in these complaints involved unauthorised personal data processing and a lack of data protection measures in place. So what does this mean for organisations in Singapore?
These enforcement cases confirm that although the PDPA is generally regarded as a “business-friendly” regulation which is not intended to stifle data innovation, the PDPC is clearly willing to intervene when organisations fall short of the required standards. Given the reputational and financial implications of these high-profile enforcement actions, organisations will need to look carefully at their processes and policies to ensure they are...
