In May 2019, the Personal Data Protection Commission (“PDPC”) introduced three new initiatives to strengthen accountability among organisations and encourage data innovation. To facilitate the transfer of personal data, the PDPC issued a public consultation on Data Portability and Data Innovation Provisions as part of its review of the Personal Data Protection Act 2012 (“PDPA”). In addition, the PDPC released an updated Guide to Managing Data Breaches 2.0 and a new Guide on Active Enforcement.
In this update, we set out highlights of the three initiatives.
Public Consultation on the Proposed Data Portability and Data Innovation Provisions
In connection with its ongoing review of the PDPA, the PDPC has launched a public consultation to seek feedback on the proposed introduction of data portability and data innovation provisions. The proposed changes are summarised as follows:
Proposed data portability provisions
- Data portability. An organisation must, at the request of the individual, provide the individual’s data in its possession or under its control, to be transmitted to another organisation in a commonly used machine-readable format. This obligation does not extend to data intermediaries.
- Requesting individual and receiving organisation. Any individual, regardless of whether the individual is in Singapore, may make a data portability request. However, organisations will only be required to transmit data to other organisations that have a presence in Singapore.
- Scope. The proposed data portability obligation only applies to data held in electronic form that is in the possession or under the control of the organisation, whether provided by the individual to the organisation or generated by the individual’s activities in using the organisation’s products or services.
- Exceptions. Exceptions to the data portability obligation are proposed to be aligned with the exceptions to the access obligation under the PDPA, which include, amongst others, data which if disclosed would reveal confidential commercial information that could harm the competitiveness of the organisation.
Proposed data innovation provisions
- Business innovation purposes. Organisations may use personal data already in their possession for business innovation purposes without notifying individuals or seeking their consent. The exception covers use only; it does not extend to the collection or disclosure of such data. Examples of business innovation purposes include service improvements, product development, and knowing customers better.
- Derived data. Organisations may process personal data to derive new insights and information. Further, it is proposed that derived personal data will not be subject to the access obligation, correction obligation, and proposed data portability provisions under the PDPA.
Guide on Active Enforcement
The PDPC’s new Guide on Active Enforcement introduces an expedited decision process for data breach investigations. An organisation that wishes to be considered for an expedited decision must make a written request to the PDPC when investigations commence. A data breach case will be eligible for the expedited process if:
- the organisation admits liability for breaching the PDPA upfront.
Apart from the expedited decision, the PDPC may also take one of the following courses of action in respect of an organisation under investigation:
- suspension or discontinuation of the investigation;
- undertaking, where the organisation voluntarily commits to remedy the breaches and takes steps to prevent recurrence; and
- full investigation process, which may result in a finding of no breach, a warning, directions, a financial penalty, or both directions and a financial penalty.
Guide to Managing Data Breaches 2.0
The PDPC’s Guide to Managing Data Breaches has been revised in view of the PDPC’s intention to introduce a mandatory data breach notification requirement under the PDPA. Under the Guide to Managing Data Breaches 2.0, organisations should put in place the following:
- Detection measures. Measures that organisations can implement to detect potential data breaches include monitoring inbound and outbound traffic for abnormal network activity, using real-time intrusion detection software, and physical controls such as security cameras.
- Data breach management plan. Such a plan should explain what constitutes a suspected and confirmed data breach, how to report data breaches internally, the responsibilities of the data breach management team and how to respond to data breaches.
If you have any questions on the above, please contact Heng Jun Meng of ZICO Insights Law LLC.
This alert is for general information only and is not a substitute for legal advice.