Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password.
The PDPC also proposes that in cases where it is impractical to get consent from individuals on how their personal data will be used, companies will still be permitted to collect and use the data if there will be no adverse impact on individuals. The rationale is that the growth of Internet of Things devices, such as security cameras and connected fridges, along with machine learning and artificial intelligence, has altered the data collection process from an active interaction to a passive one, where devices collect and transmit personal data across communications networks at speed. To safeguard individuals’ interests, organizations will have to conduct risk assessments and implement measures to mitigate identified risks.
The consultation period provides an opportunity for organizations to raise any concerns in relation to the mandatory data breach reporting and consent proposals. The consultation will end on September 21, 2017.