On November 20, 2020, the Singapore Personal Data Protection Commission (PDPC) published a set of draft advisory guidelines (the Advisory Guidelines) to provide clarification on recent amendments to the Personal Data Protection Act (the PDPA Amendments). We have summarized the PDPA Amendments in our previous client update. The Advisory Guidelines address operational details on key amendments, as summarized below.
Mandatory data breach notification (the DBN Obligation)
- Generally, an organization should assess whether a data breach is notifiable within 30 calendar days once it has credible grounds to believe that a data breach has occurred, or it should be prepared to provide an explanation to the PDPC.
- Regarding data breaches resulting in significant harm: the Advisory Guidelines have prescribed the following classes of personal data that are considered likely to result in significant harm if compromised:
(i) Individual’s full name or full national ID number in combination with
- financial information,
- life/health insurance information,
- specified medical information,
- information leading to identification of a vulnerable adult, child, or young person who is the subject of an investigation or relating to court proceedings involving a child and young person, or
- private key used to authenticate or sign an electronic record or transaction.
(ii) Individual’s account information in combination with any required biometric data, security code, access code, password, or answer to security question used to permit access to or use of the account where the account can be subsequently misused for fraudulent transactions or to access any information under section (i) above.
- Regarding data breaches of a significant scale: It is confirmed that breaches affecting 500 or more individuals would meet the criteria for data breach notification.
Expanded scope of deemed consent: notification and opt-out
- On how companies should determine the reasonable period for individuals to opt out, the Advisory Guidelines provide the following guidance: (i) Where a company interacts with individuals on a regular basis (e.g., via push notifications on a mobile application monthly), the opt-out period should not be shorter than that; (ii) direct communications channels (as opposed to mass communication channels) may justify a shorter opt-out period; (iii) easily accessible opt-out methods (e.g., via email or hyperlink) may justify a shorter opt-out period.
- Note that consent is deemed to be given only after the opt-out period has lapsed; organizations should ensure that any collection, use, or disclosure of personal data commences only after the expiration of the opt-out period.
- An assessment checklist for Deemed Consent by Notification (Annex B to the Advisory Guidelines) is provided for organizations to conduct a risk and impact assessment before they can rely on deemed consent by notification.
NEW consent exceptions
1. New: “Legitimate interests” exception
- In identifying the legitimate interests of collecting, using, or disclosing the personal data for a purpose, organizations should be able to articulate what the benefits are and who the beneficiaries are. The identified benefits should not be purely speculative.
- An assessment checklist for the legitimate interests exception (Annex C to the Advisory Guidelines) is provided for organizations to conduct a risk and impact assessment before they can rely on this exception.
2. New: “Business improvements” exception
- Business insights and predictions generated about a specific individual will be considered personal data if the individual can be identified from that data. Organizations may rely on this new exception to use such data without consent and to share it between group companies for business improvement purposes.
- While the business improvements exception cannot be relied on for sending direct marketing messages, the use of existing customers’ personal data for data analytics and market research is considered a preparatory activity for marketing purposes and is hence permitted.
Once the amendments come into effect, the Advisory Guidelines will be finalized and issued. Apart from the Advisory Guidelines, we await the PDPC’s publication of regulations to supplement further operational details. Once the draft regulations are published, it is expected that the amendments will come into force fairly soon thereafter.
If you operate in Singapore, handle Singapore data, or maintain a server in Singapore, it is crucial that you have protocols in place to guide employees on what to do when a data breach occurs and consider doing a data breach tabletop exercise. Data privacy policies and procedures need to be reviewed, aligned, and revised as soon as possible to ensure compliance.