The Personal Data Protection Commission (PDPC) is conducting a Public Consultation to review the Personal Data Protection Act. The key issues covered in the consultation are as follows:

  • To expand the bases on which organisations can collect, use and disclose personal data without obtaining the individual’s consent: The consultation proposes the following two circumstances under which organisations may be allowed to collect, use and disclose personal data without obtaining consent:
    • If they notify the individual before doing so subject to the following conditions:
      • The collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals; and
      • It is impractical for the organisation to obtain consent (and deemed consent does not apply).
    • If it is necessary for a legal or business purpose, subject to the following conditions:
      • It is not desirable or appropriate to obtain consent from the individual for the purpose; and
      • The benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.

In both cases, organisations must conduct a risk and impact assessment, such as a data protection impact assessment, and put in place measures to mitigate the risks.

  • To mandate notification of data breaches: The PDPC proposes to adopt the following criteria for notification to affected individuals and/or PDPC of a data breach:
    • Risk of impact or harm to affected individuals – Organisations must notify affected individuals and PDPC of a data breach that poses any risk of impact or harm to the affected individuals. The organisation must notify all affected individuals as soon as practicable.
    • Significant scale of breach – Organisations must notify PDPC where the scale of the data breach is significant, even if the breach does not pose any risk of impact or harm to the affected individuals. The organisation must notify the PDPC as soon as practicable, and in any event no later than 72 hours from the time it is aware of the data breach.