The Personal Data Protection Commission of Singapore (PDPC) has released its response to feedback received from a public consultation launched in July 2017 on Approaches to Managing Personal Data in the Digital Economy.
The PDPC sought views on the relevance of other bases for collecting, using and disclosing personal data under the Personal Data Protection Act 2012 (PDPA), namely the proposed ‘Notification of Purpose’ and ‘Legal or Business Purpose’ approaches. PDPC also proposed a mandatory data breach notification regime for notification of data breaches to PDPC and affected individuals under the PDPA. These proposals are part of the PDPC’s review of the PDPA.
The consultation closed on 5 October 2017 with 68 responses from consumers and organisations (including business associations) representing various sectors. Now the PDPC has released a document providing its responses to the key matters raised by respondents.
New approaches for collection, use and disclosure of personal data
‘Notification of Purpose’ approach
In the public consultation, PDPC considered that notifying individuals of the purpose (“Notification of Purpose”) can be an appropriate basis for an organisation to collect, use and disclose personal data where it is impractical to obtain consent and where the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals. Several respondents raised concerns over the uncertainty of assessing ‘impracticality’ and ‘adverse impact’.
In response, PDPC intends to remove the condition of ‘impractical to obtain consent’, but to retain (and rephrase to similar effect) the condition of ‘not likely to have any adverse impact on the individuals’. PDPC will also issue guidelines as to what would be considered ‘not likely to have any adverse impact’, in order to provide further clarity.
In the public consultation, it was proposed that organisations that wish to rely on ‘Notification of Purpose’ must provide appropriate notification of the purpose of the collection, use or disclosure of the personal data, and information about how individuals may opt out, where applicable. It was proposed that where feasible, organisations must allow individuals to opt out of such collection, use or disclosure.
In line with the current approach for notifications, PDPC has responded that it will not specify how organisations are to notify individuals. The onus would be on the organisations to determine the most appropriate way of doing so based on their specific circumstances, and to ensure they take reasonable steps to inform individuals of the purposes and how they may opt out.
PDPC is going to provide further guidance in the guidelines on circumstances where large volumes of personal data are instantaneously and seamlessly collected (e.g. data collected by sensors), and the inherent challenge in allowing individuals to opt out in such circumstances.
‘Legal or Business Purpose’ approach
In the public consultation, PDPC recognised that there are circumstances where organisations need to collect, use or disclose personal data without consent for a legitimate purpose, but such collection, use or disclosure is not authorised under the PDPA or other written law. An example could be the sharing and use of personal data to detect and prevent fraudulent activities.
Hence, PDPC proposed to provide for the collection, use or disclosure of personal data regardless of consent where it is necessary for a ‘Legal or Business Purpose’, subject to two conditions: a) it is not desirable or appropriate to obtain consent from the individual for the purpose; and b) the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.
In response to suggestions to use the term ‘Legitimate Interests’ which has been adopted in the European Union General Data Protection Regulation (GDPR), PDPC intends to provide for ‘Legitimate Interests’ as a basis. PDPC views ‘Legitimate Interests’ as an evolution of the ‘Legal or Business Purpose’ approach proposed in the public consultation and will provide clarification in guidelines on the legal or business purposes that come within its ambit. However, the ‘Legitimate Interests’ exception is not intended to cover direct marketing purposes.
PDPC intends to retain (and rephrase to similar effect) the ‘benefits to public’ condition, as part of the accountability measures to be implemented by organisations when relying on this exception. As an additional safeguard, PDPC will provide for an openness requirement in the ‘Legitimate Interests’ exception, similar to the current requirement under the PDPA to inform individuals of the purpose of managing or terminating an employment relationship.
In the public consultation, PDPC proposed that organisations must conduct a risk and impact assessment, such as a data protection impact assessment (DPIA), and put in place measures to identify and mitigate the risks when relying on the ‘Notification of Purpose’ or ‘Legal or Business Purpose’ approach.
Responding to clarifications sought, PDPC said that organisations must implement accountability measures when relying on these approaches. They must conduct a risk and impact assessment, such as a DPIA, as an accountability measure when relying on ‘Deemed Consent by Notification’ (the renamed ‘Notification of Purpose’ approach) or ‘Legitimate Interests’. These assessments need not be made available to the public or to individuals on request. However, in the event of complaints, PDPC reserves the right to require organisations to disclose these assessments for PDPC’s consideration.
Mandatory data breach notification
In the public consultation, PDPC proposed that organisations be required to notify affected individuals and the PDPC when there is a breach that poses any risk of impact or harm to the individuals. Where the breach does not pose any risk of impact or harm to affected individuals but is of a significant scale (e.g. 500 affected individuals), organisations would only be required to notify PDPC of the breach. The public consultation sought views on the proposed time frames for data breach notifications to affected individuals and to PDPC.
Feedback was received that PDPC should adopt a consistent risk-based approach, and a higher threshold for notification to avoid imposing overly onerous regulatory burdens. Several respondents also requested more time than the proposed cap of 72 hours to notify PDPC of a breach. They also asked for clarification on when the ‘clock’ starts for the 72-hour time frame.
PDPC will retain the criteria for notification of a breach to individuals and to PDPC. However, it will not prescribe a statutory threshold for the number of affected individuals when assessing ‘significant scale’. Further guidance on assessing whether a data breach is likely to result in significant impact or harm, and on assessing the scale of impact, will be provided in guidelines.
PDPC intends to retain the proposed time frames for notification to affected individuals (i.e. ‘as soon as practicable’) and to PDPC (i.e. ‘as soon as practicable, and no later than 72 hours’). However, an assessment period of up to 30 days will be permitted, counted from the day the organisation first becomes aware of a suspected breach, to assess whether the breach is eligible for notification. This follows Australia’s notifiable data breaches scheme. The document makes it clear that the organisation must notify all affected individuals as soon as practicable from the time it is determined that the breach is eligible for reporting, regardless of whether the organisation has fully used the 30-day assessment period. If the breach is discovered by a data intermediary (DI) that is processing personal data on behalf of and for the purposes of another organisation, the 30-day assessment period for that organisation will commence from the time the DI first becomes aware of the breach. The DI will be required to notify the organisation without undue delay.
The PDPC also sought views on the proposed exceptions to the requirement to notify affected individuals. In view of the responses, PDPC intends to extend the coverage of the law enforcement exception to include investigations carried out by agencies that are authorised by law. On the technological protection exception, PDPC plans to broaden the exception beyond encryption and make it technology neutral. The unauthorised collection, use or disclosure of personal data that has been encrypted may not constitute a notifiable data breach unless the data can be decrypted (for example, where the decryption key was also compromised). An exception will also be provided for organisations that have taken remedial action to reduce the potential harm or impact to the affected individuals. In all these cases, organisations will still be required to notify PDPC of eligible breaches.
Concurrent notification to PDPC and other regulators
Views on the proposed concurrent application of PDPC’s mandatory data breach notification regime with other sectoral breach notification regimes were divided, with some in agreement with the proposed approach, and others proposing that only a single regulator should be notified of a breach.
Where an organisation is required to notify a sectoral regulator or law enforcement agency of a data breach under other written law, and that data breach meets the criteria for notification under the PDPA, the organisation must notify the sectoral regulator or law enforcement agency, and must also notify PDPC and affected individuals. To minimise the regulatory burden on organisations, they may adopt the same notification format required for reporting to the sectoral regulator or law enforcement agency for their breach notifications to PDPC. For breach notifications to affected individuals, PDPC will issue advisory guidelines on the information to be provided in organisations’ communications, to ensure clarity and assurance for affected individuals.
PDPC will also explore mechanisms for streamlining notifications to PDPC and the relevant sectoral or law enforcement agencies to help further reduce the compliance efforts and costs for organisations.