At its Annual Seminar on 27 July 2017, the Personal Data Protection Commission (PDPC) announced that it is considering changes to the law for the first time since 2012. These proposed changes include:
- introduction of a mandatory breach notification requirement under the law for the first time; and
- alternative options to the requirement for consent.
A public consultation on these proposed changes is being conducted, and feedback and submissions can be provided to the PDPC by 21 September 2017. Further details of the consultation may be found at https://www.pdpc.gov.sg/legislation-and-guidelines/public-consultations
In addition, the PDPC announced two other important initiatives:
- Singapore has submitted its notice of intent to participate in the APEC Cross Border Privacy Rules system (CBPR) and Privacy Recognition for Processors system (PRP).
- The development of a privacy Trustmark certification scheme under which organizations can be certified by the end of 2018.
I. Mandatory Breach Notification
The proposal by the PDPC is to mandate breach notification to both individuals and the PDPC under certain circumstances.
In cases where there is a risk of impact or harm to the affected individuals, organizations should notify both the individuals and the PDPC.
However, even where there is no risk of impact or harm to the affected individuals, if the scale of the breach is significant because it involves 500 or more individuals, only the PDPC must be notified.
The proposed timeframe for breach notification to the PDPC is 72 hours. For notification to individuals, no specific time frame is provided but they should be notified as soon as practicable.
In the case of a data intermediary, there will be a requirement to immediately notify the organization on whose behalf it is processing the personal data in the event of a breach.
These notification obligations will sit alongside other laws which apply to organizations such as financial institutions and critical infrastructure providers who have obligations to notify regulators under those laws.
II. Consent not always required
Although the PDPC recognizes the need for consent to remain the key basis for processing of personal data, the PDPC understands that where it is impracticable to obtain consent and where it is not expected to have any adverse impact on individuals, there may be situations where consent is not required. In particular, the PDPC suggests that notifying individuals of the purpose of the processing of personal data can be an appropriate basis for collection of personal data where it is impractical to obtain consent.
In addition, the PDPC proposes to provide for processing of personal data without consent where it is necessary for a Legal or Business Purpose. This exception would be subject to the following conditions:
- It is not desirable or appropriate to obtain consent, and
- The benefits to the public clearly outweigh any adverse impact or risks to the individual.
The PDPC also proposes that organizations relying on these alternatives should conduct a risk assessment, in the form of a data protection impact assessment, to assess the risks and impact and to identify and mitigate these risks.
III. Singapore to join APEC CBPR and
The APEC CBPR regime has been gaining traction with more APEC member countries signaling their intention to participate. Taiwan and Hong Kong are expected to follow suit. The CBPR system requires participating businesses to develop and implement privacy policies and procedures consistent with the APEC Privacy Framework.
The United States, Canada, Mexico and Japan are all members of the CBPR system and Singapore's notice of intent to participate will lend further weight to the system as a means of enabling cross-border data flows in the Asia Pacific region.
IV. Privacy Trustmark Scheme
The introduction of a privacy Trustmark scheme is likely intended to help small and medium enterprises to meet the requirements of the PDPA and provide consumers with a visible means of assurance that businesses are compliant with the PDPA.
Although details are scant, it is expected that the Trustmark system will not be dissimilar to that of Japan and will provide a platform for businesses to meet the PDPA requirements whilst also providing consumers with a greater expectation of accountability.
This flurry of activity clearly demonstrates the importance of the data-driven economy to the future of Singapore and how privacy and data innovation underpin the digital economy. The proposed changes seek to strike a balance between the rights of the individual, the public interest and the drive for companies to maximize their use of data.