Singapore's Personal Data Protection Commission (PDPC) has just published its first enforcement decisions regarding the data protection obligations set out in the Personal Data Protection Act 2012 (PDPA) since they came into force in July 2014. While decisions have previously been published in relation to the "do not call" register rules in the PDPA, these nine decisions - together with new advisory guidelines on enforcement - represent the first clear indication of how in practice the PDPC expects organisations to comply with the PDPA when collecting, using and disclosing personal data, and show how the PDPC is likely to approach future investigations and enforcement action.
The first nine cases cover a range of breaches of the PDPA across different industries. The decisions are available on the PDPC's website. Some of the key trends and issues to note:
- The highest of the fines amounted to S$50,000 (approx. US$37,000) for a data security breach involving the unauthorised disclosure of over 300,000 individuals' personal data. The size of this penalty appears to have been aggravated by: the absence of a Data Protection Officer and of adequate data protection policies and practices within the organisation; the large number of individuals affected; the nature of the data disclosed (which, in the PDPC's view, could have led to identity theft); and the fact that the organisation was not forthcoming in providing information during the investigation. The PDPC also ordered the organisation to appoint a Data Protection Officer within 30 days.
- The same case also saw a data intermediary (akin to a "data processor" in other jurisdictions) being fined for its role in the breach. The PDPC ordered it to pay a fine of S$10,000 (approx. US$7,500) for failing to comply with the "Protection Obligation" under the PDPA. Unlike other jurisdictions, in Singapore data intermediaries are directly liable to comply with some of the data protection obligations in the PDPA. Notably, the PDPC found that the data intermediary (in this case, an outsourced IT service provider) should have proactively notified its customer of failings in the data security arrangements.
- The majority of the first nine cases concerned data security breaches. The decisions focused on the organisations' failure to implement proper and adequate measures to protect personal data, and it is notable that the PDPC has not confined its attention to breaches affecting large numbers of individuals. A couple of the other cases concerned the use and disclosure of personal data without the relevant consents. These should therefore be seen as areas of heightened regulatory focus, and close attention should be paid to compliance with the Consent Obligation and the Protection Obligation in the PDPA.
- Five of the nine decisions resulted in warnings and one in a directions order, in each case with no accompanying fine. These decisions show that, when deciding on an appropriate penalty, the PDPC will take into account the quality of the organisation's initial response to the breach and its co-operation throughout the investigation, alongside other aggravating and mitigating factors (see below).
New advisory guidelines
To accompany these decisions, the Commission has published advisory guidelines on enforcement of the data protection provisions in the PDPA and associated regulations ("Guidelines"). The Guidelines are non-binding, but indicate how in practice the PDPC proposes to handle complaints, reviews and investigations of breaches of the data protection rules, and to approach enforcement and sanctions. Crucially, the Guidelines point to the PDPC's overall enforcement objectives: first, to facilitate the resolution of complaints (and to require organisations to develop their own processes to respond to complaints); and second, to encourage organisations to comply with the PDPA and to take appropriate corrective measures in a timely manner in the event of a breach or complaint. The Guidelines also reiterate the PDPC's power to review, investigate and issue directions at its own discretion (for example, if it is in the public interest).
The Guidelines point to the PDPC's powers in relation to alternative dispute resolution, and to its encouragement of self-resolution, remedial action and mediation at first instance where appropriate to resolve a complaint. Where that fails, the Guidelines set out the procedures for (and give some practical guidance on the PDPC's approach to) reviews, investigations, the issuing of decisions and directions, reconsiderations and appeals. The Guidelines also remind affected individuals of their right to bring civil actions against non-compliant organisations.
Perhaps of most significance is guidance in the Guidelines regarding the aggravating factors that the PDPC will take into account when issuing directions, including: the time taken for the organisation to attempt to resolve a matter; whether the breach was intentional, repeated or ongoing; any obstruction or concealment of information; failure to comply with previous warnings; and the nature and volume of sensitive personal data held by the organisation (and the corresponding impact of the breach on affected individuals). Conversely, mitigating factors include: active and prompt resolution and steps to prevent recurrence; voluntary engagement and remedy with affected individuals; taking immediate steps to notify affected individuals and mitigate the damage caused; and voluntary and immediate breach notification to the PDPC followed by co-operation.
Elsewhere, the Guidelines urge organisations to provide the PDPC with a copy of any proposed public breach notification announcement before it is released. It is clear that the PDPC encourages breach notification as a matter of best practice.
Impact on Singapore compliance programmes
These latest developments serve as a reminder of the consequences of failing to comply with Singapore's data protection law: not just the potential fines, but the cost of dealing with a complaint or investigation and the negative publicity if the PDPC decides against your organisation. The Guidelines encourage organisations to act pre-emptively, using published decisions to ensure compliance and to avoid the need for future enforcement action. These first nine published cases and the Guidelines should therefore be carefully considered by those handling personal data in Singapore, and compliance programmes updated accordingly, particularly in relation to data security, obtaining consents and data breach notification.