The Personal Data Protection Commission (the “PDPC”) published its revised Guide on Active Enforcement on 15 March 2021 (the “Guide”), which elaborates on the recent amendments to the Personal Data Protection Act 2012 (the “PDPA”). This article will detail some of the PDPC’s new powers on alternative dispute resolution and enforcement actions, which includes the PDPC being able to accept an organisation’s voluntary undertaking or come to an expedited breach decision.
(i) Alternative Dispute Resolution
A complaint by an individual against an organisation may be a private matter between parties. The Guide elaborates that the PDPC will aim to resolve such disputes through facilitation, mediation, or other modes of alternative dispute resolution.
In the Guide, the PDPC states that it will first attempt to facilitate communication between parties, with a view to them being able to resolve their dispute.
If the dispute remains unresolved, and if the PDPC believes that such a dispute may be better resolved through mediation, the new section 48G(1) of the PDPA allows the PDPC to refer such matters for mediation under an alternative dispute resolution scheme. The PDPC does not require the consent of the individual complainant or the organisation to refer the matter to mediation.
However, if the PDPC is of the opinion that facilitation and/or mediation is inappropriate in the circumstances of that dispute, it may initiate full investigations early. The Guide highlights instances where full investigations may be initiated early, such as where there is disclosure of personal data on a large scale, and/or scenarios where the disclosure of personal data is likely to cause significant harm to the affected individuals.
(ii) Voluntary Undertaking by an Organisation
Section 48L of the amended PDPA includes a provision for an organisation to make a written voluntary undertaking to the PDPC in lieu of the PDPC conducting a full investigation. The organisation should inform the PDPC in writing either at the commencement of PDPC’s investigations, or in the early stages of such investigations, and is to be accompanied with the organisation’s remediation plan to ensure compliance with the PDPA. However, the PDPC has the final discretion on whether to accept such an undertaking.
The Guide states that the possibility of a voluntary undertaking may arise where:
(a) the organisation is able to show that is has in place accountable policies and practices (for instance, an organisation who possesses the IMDA Data Protection Trustmark); and
(b) the organisation has a remediation plan and is committed to implementing said plan. This plan would detail the likely cause(s) of the incident, the organisation’s proposed steps to address these cause(s), and the targeted completion date to implement the organisation’s proposed steps.
Conversely, the PDPC is unlikely to accept a voluntary undertaking in the following non-exhaustive scenarios:
(a) the organisation denies responsibility for the incident;
(b) the incident is a repeat incident involving similar cause(s) of breach;
(c) the remediation plan does not detail how the organisation can comply with the PDPA in relation to the current incident;
(d) the organisation requests for more time to produce a remediation plan; or
(e) the breach is wilful or egregious.
The PDPC will publish any organisation’s written voluntary undertaking that it has accepted.
If an organisation is subsequently found to have breached the terms of its voluntary undertaking, the PDPC may take further action(s) to ensure compliance to the terms of the voluntary undertaking. The PDPC may also commence a full investigation into the incident and/or impose any other enforcement action(s) as it deems fit.
(iii) Expedited Breach Decision
The PDPC may also now come to an expedited breach decision, where investigations are completed in a significantly shorter timeframe.
Under this process, an organisation would make an upfront voluntary admission of liability for breaching the relevant obligation(s) under the PDPA. The organisation would be required to explain its role in the cause(s) of the breach, and to provide relevant facts of the incident, which may include the remedial factors undertaken by the organisation to prevent recurrence.
The organisation is to make the request for an expedited breach decision to the PDPC soon after the incident is known and should be prepared to admit liability in the breach incident. The Guide details the information the organisation should submit together with such a request.
The Guide further lists instances where the PDPC will consider a request to invoke the expedited breach decision process:-
(a) where the only breach of the PDPA relates to the organisation not having a Data Protection Officer (or its equivalent), and/or Data Protection Policy; or
(b) when the nature of the data breach is similar to previous cases with similar facts. The Guide raises a few categories, such as poor password policy and/or weak password management, ransomware incidents, etc, and further provides examples for some of these categories.
If the PDPC accepts the organisation’s request, there will be a finding of a breach by the PDPC. Thereafter, the PDPC will issue its Decision and set out the relevant action(s) that the organisation is to comply with. If such action(s) include a financial penalty, the PDPC may view the organisation’s admission of liability as a mitigating factor. However, the Guide emphasises that this mitigating factor may not be strong where the organisation has repeated data breaches. The expedited breach decision will also be published by the PDPC.
The recent amendments to the PDPA provides the PDPC with more flexibility in dealing with organisations that fall afoul of the PDPC. This revision to the Guide has therefore shed some clarification on the relevant considerations that the PDPC may consider when determining which of these powers to exercise.