On 27 July 2017, the Personal Data Protection Commission ("PDPC") issued a Public Consultation for Approaches to Managing Personal Data in the Digital Economy ("Consultation Paper"). This Consultation Paper seeks to obtain comments from the public on the following proposed key amendments to the Personal Data Protection Act ("PDPA"):
- an enhanced framework for the collection, use and disclosure of personal data; and
- mandatory data breach notification.
These proposals were initiated in view of the increasing complexity of the data protection landscape brought about by technological advances, and to keep the PDPA regime relevant to current trends and developments. In developing these proposed amendments, the PDPC also considered the data protection regimes of key jurisdictions such as the EU, UK, Hong Kong, Canada, Australia and New Zealand.
Enhanced framework for collection, use and disclosure
In light of the increasing challenges to obtaining consent, the PDPC is proposing to introduce two new parallel bases for collecting, using and disclosing personal data under the PDPA to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public.
Notification of purpose
The first proposed basis allows for an organisation to collect, use or disclose personal data as long as the affected individuals have been notified of the purpose for such collection, use or disclosure, subject to the following conditions being met:
- it is impractical for the organisation to obtain consent (and deemed consent is inapplicable); and
- the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.
An organisation that wishes to utilise this approach should provide appropriate notification of the purposes of the collection, use or disclosure of personal data and, where feasible, information about how individuals may opt out.
Legal or business purpose
Similar to the "legitimate interests" basis for processing personal data under the new EU General Data Protection Regulation, the second proposed basis allows for the collection, use or disclosure of personal data without consent where it is necessary for a legal or business purpose, subject to the following conditions being met:
- it is not desirable or appropriate to obtain consent from the individual for the purpose; and
- the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.
When relying on this basis, the organisation will not be subject to the requirement to notify individuals of the purposes of the collection, use or disclosure.
In addition, before an organisation may rely on either of the two bases stated above, it will need to conduct a risk and impact assessment, such as a data protection impact assessment, and implement measures to mitigate the risks identified when relying on that basis to collect, use or disclose personal data.
Mandatory data breach notification
The other key proposal set out in the Consultation Paper is the adoption of a data breach notification framework in Singapore. The table below sets out a summary of the proposed criteria under the data breach notification framework.
[Summary table of proposed notification criteria; only the column heading "Notify affected individuals" survives.]
Notification of affected individuals
Where a data breach meets the criteria for notifying affected individuals under the PDPA, the organisation would have to notify all affected individuals as soon as practicable, unless an exception or exemption applies. The organisation should determine what time frame constitutes "as soon as practicable" based on the circumstances. Where there is a concurrent requirement to notify affected individuals under other written law, the organisation need only notify the affected individuals in accordance with that other written law, and it would be deemed to have fulfilled its breach notification obligations under the PDPA. The organisation would also have to notify the PDPC of that data breach.
Notification of PDPC
Where a data breach meets the criteria for notifying PDPC under the PDPA, the organisation would have to notify the PDPC as soon as practicable and no later than 72 hours from the time it is aware of the data breach. Where there is a concurrent requirement to notify a sectoral regulator or law enforcement agency of the data breach under other written law (for example, Notice 644 on Technology Risk Management issued by the Monetary Authority of Singapore), the organisation has to notify the PDPC concurrently with the sectoral regulator or law enforcement agency in accordance with the notification requirements under the other written law.
Other obligations and exemptions
Where an organisation's data intermediary encounters a data breach, the PDPC proposes that it be required to immediately inform the organisation regardless of the risk of harm or scale of impact of the data breach. The organisation will then be responsible for complying with the data breach notification requirements under the PDPA. The Consultation Paper is silent on the mode of notification required as the PDPC intends to allow the organisation to determine the most effective mode of notification to comply with the breach notification requirement.
Finally, the PDPC proposes that the exclusions set out in Section 4 of the PDPA apply to the proposed breach notification provisions. In addition, an organisation may also be exempted from the requirement to notify affected individuals where such notification is likely to impede law enforcement investigations, or where the breached personal data is encrypted to a reasonable standard.
This public consultation exercise will end on 21 September 2017. Given the additional data protection obligations being imposed on organisations, any further details provided (whether in the finalised amendments or in subsequent guidelines) on aspects such as the risk and impact assessment obligations would be of considerable help to organisations in complying with the PDPA.