The Personal Data Protection (Amendment) Bill ("Bill") was passed in Parliament on 2 November 2020. The Bill was the result of a series of public consultations and will introduce changes to the Personal Data Protection Act 2012 ("PDPA"), representing the first comprehensive review of the PDPA since its initial enactment.
On 20 November 2020, the Personal Data Protection Commission ("PDPC") issued the Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill ("Draft Guidelines"), available here. The Draft Guidelines provide further clarification on certain key amendments introduced in the Bill as well as the steps that organisations or individuals should take in order to comply with the new provisions.
The topics covered in the Draft Guidelines include:
- The operation of the enhanced framework for the collection, use and disclosure of personal data;
- The requirements of the mandatory breach notification regime;
- Guidance on the financial penalties for breach of the PDPA provisions; and
- The new offences for the mishandling of personal data.
In this Update, we highlight some of the key clarifications set out in the Draft Guidelines. For more information on the notable amendments introduced in the Bill, please see our earlier Client Update on "Amendments to the Personal Data Protection Act – Key Implications for Organisations in Singapore", available here.
Collection, Use and Disclosure of Personal Data
The Bill introduces an enhanced framework for the collection, use and disclosure of personal data. The PDPA currently requires consent from an individual before an organisation may collect, use or disclose their personal data, subject to certain exceptions. The Bill sets out new forms of deemed consent, as well as new exceptions to the consent obligation.
Deemed consent by contractual necessity
The Bill introduces the concept of deemed consent where the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction.
The Draft Guidelines clarify that this form of deemed consent covers not only the situation where an individual provides his personal data to organisation A for the purpose of a transaction and it is reasonably necessary for organisation A to disclose that data to organisation B to perform the transaction, but also a further disclosure by organisation B to a downstream organisation C, where that disclosure is reasonably necessary to fulfil the contract between the individual and organisation A.
Deemed consent by notification
The Bill provides that an individual may be deemed to have consented to the collection, use or disclosure of his personal data for a purpose of which he has been notified, where he has not taken any action to opt out of that collection, use or disclosure.
The Draft Guidelines provide that an organisation relying on such deemed consent must assess and determine that the following conditions are met:
a. Assessment – The organisation must conduct an assessment to eliminate or mitigate adverse effects on the individual of collecting, using or disclosing the information. PDPC has provided an "Assessment Checklist for Deemed Consent by Notification" (available here) which organisations should rely on to conduct such assessment.
It should be noted that where it is assessed that there are likely residual adverse effects to the individual after implementing the mitigation measures, organisations will not be able to rely on deemed consent by notification.
b. Notification – The organisation must take reasonable steps to ensure that the notification provided to the individual is adequate and effective in making the individual aware of the proposed collection, use or disclosure of their personal data. The Draft Guidelines provide some considerations for determining the appropriate mode of communication, including:
- The usual mode of communication between the individual and the organisation;
- Whether direct communication channels are available; and
- The number of individuals to be notified.
c. Opting out – The organisation must provide a reasonable period for the individual to opt out before it proceeds to collect, use or disclose the personal data. The Draft Guidelines set out some considerations for determining the reasonableness of the opt-out period, including:
- The nature and frequency of interaction with the individual; and
- The communications and opt-out channels used.
The Draft Guidelines also highlight that, when requested by PDPC, the organisation must provide its assessment for collecting, using or disclosing personal data based on deemed consent by notification.
Legitimate interests exception
One of the exceptions to the consent requirement introduced in the Bill allows organisations to collect, use or disclose personal data without consent where there are larger public or systemic benefits and/or where obtaining individuals' consent may not be appropriate.
The Draft Guidelines provide that organisations seeking to rely on this exception must assess that they satisfy the following requirements:
a. Identifying legitimate interest – The organisation must identify and clearly articulate the situation that qualifies as a legitimate interest, including:
- What the benefits and who the beneficiaries are; and
- Whether the benefits are real and present.
b. Assessment – The organisation must conduct an assessment to identify any adverse effect on the individual and to identify and implement reasonable measures to eliminate, reduce the likelihood of or mitigate such adverse effect. PDPC has provided an "Assessment Checklist for Legitimate Interests Exception" (available here) which organisations may use to conduct such assessment.
It should be noted that where it is assessed that there are likely residual adverse effects to the individual after implementing the measures, organisations may rely on the legitimate interests exception only if the legitimate interests outweigh any likely residual adverse effect.
c. Disclosure – The organisation must take reasonable steps to provide the individual with reasonable access to information about its reliance on the exception. It must also provide the business contact information of a person who is able to address individuals' queries about the organisation's reliance on the legitimate interests exception.
Organisations are reminded to document their assessments and steps taken to mitigate residual risks, as they may have to provide justification to PDPC on their reliance on the legitimate interests exception upon PDPC's request.
Research purposes exception
The Bill allows for the use and disclosure of personal data for research purposes without consent, subject to certain conditions. For the disclosure of personal data, one of the conditions is that it would be "impracticable" for the organisation to seek the consent of the individual.
The Draft Guidelines highlight that mere inconvenience does not amount to "impracticability", and set out some factors that PDPC considers relevant in assessing whether it is "impracticable" to seek consent, including:
- Whether the organisation has current contact information of the potential research subject or sufficient information to seek up-to-date contact information;
- Whether the costs of attempting to seek consent from each potential research subject would impose disproportionate resource demands on the organisation or take up so much time that carrying out the research is no longer viable; and
- Whether there are exceptional circumstances where seeking the research subject's consent would affect the validity or defeat the purposes of the research.
Mandatory breach notification
The Bill introduces a new mandatory notification regime for data breaches. This requires organisations to assess whether a data breach is notifiable, and to notify the affected individuals and/or PDPC where the breach is assessed to be notifiable.
Once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether the breach is notifiable. The Draft Guidelines provide that organisations should generally complete their assessment within 30 calendar days, and if unable to do so, should be prepared to provide an explanation to PDPC. Organisations must also document all steps taken in assessing the data breach.
The Draft Guidelines clarify that for data breaches involving more than one organisation, each organisation is individually responsible for complying with the assessment and notification requirements. Organisations may agree that one of the organisations takes the lead in conducting the assessment. Nonetheless, where a data breach is notifiable, each organisation has to notify PDPC.
Notifiable data breaches
The PDPA provides that a data breach is notifiable if:
- It is likely to result in significant harm to the individuals whose personal data is affected; or
- It is of a significant scale (500 or more affected individuals).
PDPC has stated that it will prescribe in Regulations the personal data (or classes of personal data) that is considered likely to result in significant harm to affected individuals. The Draft Guidelines state that the personal data to be prescribed includes:
a. Individual's full name or full national identification number in combination with any of the following personal data:
- Financial information which is not publicly disclosed;
- Life/health insurance information which is not publicly disclosed;
- Specified medical information;
- Information leading to the identification of a vulnerable adult, child or young person who is the subject of an investigation, or relating to court proceedings involving a child or young person; and
- Private key used to authenticate or sign an electronic record or transaction.
b. Individual's account information in combination with any required biometric data, security code, access code, password or answer to security question used to permit access to or use of the account, where the account can be subsequently misused for fraudulent transactions or to access any of the information above.
As for data breaches of a significant scale, the Draft Guidelines clarify that if an organisation is unable to determine the actual number of affected individuals, it should notify PDPC when it has reason to believe that the number of affected individuals is at least 500. This may be based on the estimated number from a preliminary assessment of the data breach.
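For incident response teams, the two limbs above (significant harm via the data classes the Draft Guidelines say will be prescribed, and significant scale at 500 or more individuals, including an estimate from a preliminary assessment) are usually encoded as a triage check so that the decision and its reasons are recorded consistently. The following is an added example and is not a PDPC tool or code from this Update. The class names, the `Breach` record and the constructed sample breach are assumptions for illustration; the prescribed list is taken from this page and should be treated as configuration, since the final Regulations may differ. It only flags the prescribed classes and the scale threshold; a breach that matches neither still has to be assessed against the general "likely to result in significant harm" test by a person.

```python
"""Breach-notifiability triage modelled on the criteria described in the Draft Guidelines.

Added example, not PDPC's own tool. Data class names are assumptions; the
prescribed classes below are transcribed from the Draft Guidelines as
summarised on this page and may change when the Regulations are finalised.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

SCALE_THRESHOLD = 500  # "significant scale" threshold stated in the Draft Guidelines

# Limb (a): an identifier in combination with one of the sensitive classes.
IDENTIFIERS: FrozenSet[str] = frozenset({"full_name", "full_nric"})  # full national identification number
SENSITIVE_WITH_IDENTIFIER: FrozenSet[str] = frozenset({
    "financial_info_private",   # financial information not publicly disclosed
    "insurance_info_private",   # life/health insurance information not publicly disclosed
    "medical_info_specified",   # specified medical information
    "protected_person_info",    # identifies a vulnerable adult, child or young person in an investigation or court proceedings
    "private_key",              # private key used to authenticate or sign an electronic record or transaction
})

# Limb (b): account information plus a credential that permits access to the account.
ACCOUNT_ID = "account_identifier"
ACCOUNT_CREDENTIALS: FrozenSet[str] = frozenset({
    "biometric", "security_code", "access_code", "password", "security_answer",
})


@dataclass
class Breach:
    """Classes of personal data exposed together for the same individual, plus scale facts."""
    data_classes: FrozenSet[str]
    confirmed_count: Optional[int] = None   # actual number of affected individuals, if known
    estimated_count: Optional[int] = None   # preliminary estimate when the actual count is not yet known
    account_misusable: bool = False         # account can be misused for fraud or to reach the data in limb (a)


@dataclass
class Decision:
    notifiable: bool
    reasons: List[str] = field(default_factory=list)


def assess(b: Breach) -> Decision:
    """Return whether the breach meets a prescribed limb, with the reasons to record for PDPC."""
    reasons: List[str] = []
    classes = b.data_classes

    # Limb (a): identifier combined with a prescribed sensitive class.
    if classes & IDENTIFIERS:
        hit = sorted(classes & SENSITIVE_WITH_IDENTIFIER)
        if hit:
            reasons.append("significant harm: identifier with " + ", ".join(hit))

    # Limb (b): account information with a credential, where the account can be misused.
    if ACCOUNT_ID in classes and (classes & ACCOUNT_CREDENTIALS) and b.account_misusable:
        reasons.append("significant harm: account information with credential enabling misuse")

    # Significant scale: prefer the confirmed count; otherwise the preliminary estimate,
    # as the Draft Guidelines say an estimate of at least 500 is enough to notify.
    count = b.confirmed_count if b.confirmed_count is not None else b.estimated_count
    if count is not None and count >= SCALE_THRESHOLD:
        basis = "confirmed" if b.confirmed_count is not None else "estimated"
        reasons.append(f"significant scale: {count} affected individuals ({basis})")

    return Decision(notifiable=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: a leaked customer export whose exact size is not yet known.
    sample = Breach(
        data_classes=frozenset({"full_name", "email", "financial_info_private"}),
        estimated_count=320,
    )
    decision = assess(sample)
    print("notifiable:", decision.notifiable)
    for reason in decision.reasons:
        print(" -", reason)
```

The `data_classes` set must describe what was exposed together for one individual; the combination limbs do not apply to classes that only co-occur across different records. Keep the `Decision.reasons` list with the rest of the documented assessment steps, since the Draft Guidelines expect organisations to document how the breach was assessed.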
The Draft Guidelines set out the relevant information that should be included in a data breach notification to PDPC or an affected individual.
For notifications to PDPC, the following information should be included:
- Facts of the data breach, including the approximate number of individuals and types of personal data affected;
- How the data breach is being handled, including a chronology of how the organisation became aware of the incident and the plan to manage the incident; and
- Contact details of persons whom PDPC may contact for further information or clarification.
For notifications to the affected individual, the Draft Guidelines highlight that such notification should be clear and easily understood. The information should include:
- Facts of the breach, including how and when it occurred and the types of personal data involved;
- Data breach management and remediation plan, including what the organisation has done or will be doing in response to the resultant risks, the potential harm arising from the data breach, and the steps that the individual may take to prevent any potential misuse of their personal data; and
- Contact details of the organisation's representative whom the affected individual can contact for further information or assistance.
Financial penalties
The Bill introduces enhanced financial penalties for breaches of the PDPA. The PDPA also sets out factors which PDPC will take into account in determining the amount of financial penalty to be imposed.
To provide a measure of guidance as to the financial penalty which may be imposed in a given scenario, the Draft Guidelines set out a table of past Commission Decisions where PDPC had taken these factors into account in determining the financial penalty. Organisations may refer to these Commission Decisions to see how these factors have been applied in practice.
New offences for the mishandling of personal data
The Bill introduces new offences to hold individuals (who may be employees and service providers) accountable for the knowing or reckless unauthorised disclosure, use or re-identification of personal data, subject to certain defences and safeguards.
The Draft Guidelines clarify that the new offences are not intended to cover instances where the individuals are authorised to handle the data. They also set out instances where individuals are considered to be acting under authorisation, including:
- Employees acting in the course of their employment, in accordance with their employers' policies and practices, or whose actions are authorised by their employers; and
- Service providers engaged and authorised by organisations through service contracts to carry out the disclosure, use or re-identification of data.
The Bill sets out certain specific defences for the knowing or reckless unauthorised re-identification of anonymised data. The Draft Guidelines clarify that these defences may be applicable to the following individuals:
- Data professionals whose work involves the re-identification of anonymised data;
- Service providers engaged and authorised by organisations to recover data from an anonymised dataset;
- Researchers, teachers and academics who need to re-identify anonymised data as part of their research work or for teaching; and
- White-hat hackers who independently carry out effectiveness testing of organisations' information security systems.
The amendments to the PDPA have been much anticipated, representing changes to keep up with developments in technology and to establish a higher standard of accountability for organisations holding personal data. However, how these amendments will operate and the details of their implementation remain to be clarified under subsidiary legislation and guidelines.
The present Draft Guidelines thus provide vital insights and directions on the new provisions introduced pursuant to the Bill. Organisations should take note of the details relating to compliance with the PDPA obligations and ensure that their policies and procedures are in keeping with the guidance provided.
The Draft Guidelines will be finalised and issued when the amendments to the PDPA come into effect. If you or your organisation have any feedback or concerns on the Draft Guidelines, we will be happy to assist in providing feedback to the Infocomm Media Development Authority. For further queries, please feel free to contact our team below.