If you handle Singapore personal data - whether you process it inside or outside Singapore - you need to review and update your data protection compliance programme in light of recent developments and imminent changes.
Mandatory data breach notification
Data incident policies and processes must now be updated to reflect the introduction of mandatory breach notification obligations. IT/cyber incidents should be reported to the authorities and individuals as follows:
- Critical Information Infrastructure (CII): under the Cybersecurity Act 2018 (implementation date yet to be announced), organisations designated as owning CII will (amongst other cybersecurity obligations) be subject to mandatory cyber incident reporting. CII means systems “necessary for the continuous delivery of an essential service” where the loss or compromise of that system “will have a debilitating effect on the availability of the essential service in Singapore”. Specific organisations will be designated as CII owners by a new Commissioner of Cyber Security in due course. It is anticipated that utility companies and organisations in the health, banking, transport and media industries may well be affected; and reports suggest the rules will only affect CII wholly or partly located in Singapore.
- Personal data: proposed changes to the Personal Data Protection Act (PDPA), announced by Singapore's Personal Data Protection Commission (PDPC) (implementation date yet to be announced), will introduce mandatory breach notification obligations to affected individuals ("as soon as practicable") and to the PDPC ("as soon as practicable, no later than 72 hours"), subject to certain exemptions. Organisations will have a 30-day period to assess whether a suspected incident is a notifiable breach; the 30 days run from the point at which the organisation, or its data intermediary (i.e. its data processor), becomes aware of the incident, so contracts with processors should require them to escalate suspected incidents promptly.
Organisations must put in place both external and internal privacy policies/guidelines to support an effective data protection compliance programme. In three recent cases the PDPC has emphasised that internal data protection policies and processes are needed to set minimum data protection standards across an organisation and to help employees understand the organisation's obligations under the PDPA. Importantly, the PDPC noted that without such written policies it would be difficult for an organisation to evidence that it had met its transparency and accountability requirements under the PDPA.
Organisations operating IoT devices and apps should also review and update their privacy policies in light of guidance given in another recent decision. In that case, the PDPC considered the sufficiency of IoT privacy policies and recommended that they refer specifically to the IoT device and set out the personal data the device collects, uses and discloses. As regards mobile apps more generally, the PDPC encouraged app privacy policies to explain to users why personal data is being collected, used and disclosed; to use clear language (avoiding technical terms); to be easily readable, understandable and of an appropriate length; to be prominently located within the app; and to be tailored to the specific app. The PDPC also suggested considering icons and/or just-in-time notifications to obtain specific consent dynamically at the point where the data is collected.
A move away from strict consent requirements for personal data handling
The PDPC has announced (following a public consultation in 2017; implementation date yet to be announced) that the general requirement for deemed/express consent to collect, use and disclose personal data will be relaxed in the following situations:
- "Notification of Purpose Approach": notifying individuals of the purpose of data handling can be an appropriate basis for an organisation to collect, use and disclose personal data - i.e. consent is not required - if the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.
- "Legitimate Purpose Approach": consent will not be required where there is a legitimate interest in collection, use or disclosure of personal data without consent, subject to the following two conditions: (i) it is not desirable or appropriate to obtain consent from the individual for the purpose; and (ii) the benefits to the public (or a section of it) clearly outweigh any adverse impact or risks to the individual.
If implemented, these changes would bring Singapore closer to (but not identical with) the GDPR position on lawful bases other than consent. For now, organisations should monitor developments and review their data protection notices and consents in anticipation of further announcements from the PDPC.
Data retention and deletion policies should be reviewed and updated in light of new anonymisation guidelines published by the PDPC, the "Guide to Basic Data Anonymisation Techniques", available on the PDPC's website.