PDPC Singapore responds to feedback received in public consultation regarding personal data management

PDPC Singapore responds to feedback received in public consultation regarding personal data management

The Personal Data Protection Commission of Singapore (PDPC)
has released its response to feedback received from a public consultation launched
in July 2017 on Approaches to Managing Personal Data in the Digital Economy.

The PDPC sought views on the relevance of other bases for
collecting, using and disclosing personal data under the Personal Data Protection
Act 2012 (PDPA), namely the proposed ‘Notification of Purpose’ and ‘Legal or
Business Purpose’ approaches. PDPC also proposed a mandatory data breach
notification regime for notification of data breaches to PDPC and affected
individuals under the PDPA. These proposals are part of the PDPC’s review of
the PDPA.

The consultation closed on 5 October 2017 with 68 responses
from consumers and organisations (including business associations) representing
various sectors. Now the PDPC has released a document providing its responses to
the key matters raised by respondents.

New approaches for
collection, use and disclosure of personal data

‘Notification of
Purpose’ approach

In the public consultation, PDPC considered that notifying
individuals of the purpose (“Notification of Purpose”) can be an appropriate
basis for an organisation to collect, use and disclose personal data where it
is impractical to obtain consent and where the collection, use or disclosure of
personal data is not expected to have any adverse impact on the individuals. Several
respondents raised concerns over the uncertainty of assessing ‘impracticality’ and
‘adverse impact’.

In response, PDPC intends to remove the condition of
‘impractical to obtain consent’, but to retain (and rephrase to similar effect)
the condition of ‘not likely to have any adverse impact on the individuals’.
PDPC will also issue guidelines as to what would be considered ‘not likely to
have any adverse impact’, in order to provide further clarity.

In the public consultation, it was proposed that
organisations that wish to rely on ‘Notification of Purpose’ must provide
appropriate notification of the purpose of the collection, use or disclosure of
the personal data, and information about how individuals may opt out, where applicable.
It was proposed that where feasible, organisations must allow individuals to
opt out of such collection, use or disclosure.

Respondents sought clarifications on whether posting a
general notification on organisations’ website or privacy policy would suffice.
They also asked for clarifications on the thresholds for cost and difficulty
that would be considered not ‘feasible’ to allow individuals to opt out.
Suggestions were received for suggestions for organisations to provide a
mechanism and reasonable period for individuals to opt out before collecting,
using or disclosing the personal data for the purpose.

In line with the current approach for notifications, PDPC has
responded that it will not specify how organisations are to notify individuals.
The onus would be on the organisations to determine the most appropriate way of
doing so based on their specific circumstances, and to ensure they take
reasonable steps to inform individuals of the purposes and how they may opt out.

PDPC is going to provide further guidance in the guidelines
on circumstances where large volumes of personal data are instantaneously and
seamlessly collected (e.g. data collected by sensors), and the inherent
challenge in allowing individuals to opt out in such circumstances.

Legal or Business
Purpose’ approach

In the public consultation, PDPC recognised that there are
circumstances where organisations need to collect, use or disclose personal
data without consent for a legitimate purpose, but it is not authorised under
the PDPA or other written laws. An example could be the sharing and use of
personal data to detect and prevent fraudulent activities.

Hence, PDPC proposed to provide for the collection, use or
disclosure of personal data regardless of consent where it is necessary for a
‘Legal or Business Purpose’, subject to two conditions: a) it is not desirable
or appropriate to obtain consent from the individual for the purpose; and b)
the benefits to the public (or a section thereof) clearly outweigh any adverse
impact or risks to the individual.

In response to suggestions to use the term ‘Legitimate
Interests’ which has been adopted in the European Union General Data Protection
Regulation (GDPR), PDPC intends to provide for ‘Legitimate Interests’ as a
basis. PDPC views ‘Legitimate Interests’ as an evolution of the ‘Legal or
Business Purpose’ approach proposed in the public consultation and will provide
clarification in guidelines on the legal or business purposes that come within
its ambit. However, the ‘Legitimate Interests’ exception is not intended to
cover direct marketing purposes.

PDPC intends to retain (and rephrase to similar effect) the ‘benefits
to public’ condition, as part of the accountability measures to be implemented
by organisations when relying on this exception. As an additional safeguard,
PDPC will provide for an openness requirement to the ‘Legitimate Interests’
exception, similar to the current requirement under the PDPA to inform
individuals of the purpose of managing or terminating employment relationship.


In the public consultation, PDPC proposed that organisations
must conduct a risk and impact assessment, such as a DPIA, and put in place
measures to identify and mitigate the risks when relying on the ‘Notification
of Purpose’ or ‘Legal or Business Purpose’ approach.

Responding to clarifications sought, PDPC said that organisations
must implement accountability measures when relying on these approaches. They must
conduct a risk and impact assessment, such as a DPIA, as an accountability
measure when relying on ‘Deemed Consent by Notification’ or ‘Legitimate
Interests’. These assessments need not be made available to the public or to
individuals on request. However, in the event of complaints, PDPC reserves the
right to require organisations to disclose these assessments for PDPC’s

Mandatory data breach

In the public consultation, PDPC proposed that organisations
be required to notify affected individuals and the PDPC hen there is a breach
that poses any risk of impact or harm to the individuals. Where the breach does
not pose any risk of impact or harm to affected individuals but is of a
significant scale (e.g. 500 affected individuals), organisations are only
required to notify PDPC of the breach. The public consultation sought views on
the proposed time frames for data breach notifications to affected individuals
and to PDPC.

Feedback was received that PDPC should adopt a consistent
risk-based approach, and a higher threshold for notification to avoid imposing
overly onerous regulatory burdens. Several respondents also requested for more
time than the proposed cap of 72 hours to notify PDPC of a breach. They also
asked for clarifications on when the ‘clock’ starts for the 72- hour time frame.

PDPC will retain the criteria for notification of a breach
to individuals and DPC. However, it will not prescribe a statutory threshold
for number of affected individuals for assessing ‘significant scale’. Further
guidance on assessing whether a data breach is likely to result in significant
impact or harm and for assessing the scale of impact would be provided in

PDPC intends to retain the proposed time frames for
notification to affected individuals (i.e. ‘as soon as practicable’) and to
PDPC (i.e. ‘as soon as practicable, no later than 72 hours’). But an assessment
period of up to 30 days will be permitted, from the day the organisation first
becomes aware of a suspected breach, to assess its eligibility for
notification. This follows Australia’s
notifiable data breaches scheme
. The document makes it clear that the
organisation must notify all affected individuals as soon as practicable from
the time it’s determined that the breach is eligible for reporting, regardless
of whether the organisation has fully utilised the 30-day assessment period. If
the breach is discovered by a data intermediary (DI) that is processing
personal data on behalf and for the purposes of another organisation, the
30-day assessment period for that organisation will commence from the time the
DI first becomes aware of the breach. The DI will be required to notify the
organisation without undue delay.

The PDPC also sought views on the proposed exceptions to the
requirement to notify affected individuals. In view of the responses, PDPC
intends to extend the coverage of the law enforcement exception to include
investigations carried out by agencies that are authorised by the law. On the
technological protection exception, PDPC plans to broaden the exception beyond
technological encryption and make it technology neutral. The unauthorised
collection, use or disclosure of personal data that has been encrypted may not
constitute a data breach unless the data can be decrypted. An exception will
also be provided for organisations which have taken remedial actions to reduce
the potential harm or impact to the affected individuals. In all these cases, organisations
will still be required to notify PDPC of eligible breaches.

notification to PDPC and other regulators

Views on the proposed concurrent application of PDPC’s
mandatory data breach notification regime with other sectoral breach
notification regimes were divided, with some in agreement with the proposed
approach, and others proposing that only a single regulator should be notified
of a breach.

Where an organisation is required to notify a sectoral or
law enforcement agency of a data breach under other written law, and that data
breach meets the criteria for notification under the PDPA, the organisation
must notify the other sectoral or law enforcement agency, and it must also
notify PDPC and affected individuals. In order to minimise the regulatory
burden on organisations, they may adopt the same format of notification
required for reporting to the other sectoral regulator or law enforcement
agency for its breach notifications to PDPC. For breach notifications to
affected individuals, PDPC will issue advisory guidelines to provide guidance
on the information to be provided in organisations’ communications to ensure
clarity and assurance for affected individuals.

PDPC will also explore mechanisms for streamlining
notifications to PDPC and the relevant sectoral or law enforcement agencies to
help further reduce the compliance efforts and costs for organisations.

Read the complete document here.