We are creating some awesome events for you. Kindly bear with us.

PDPC Singapore responds to feedback received in public consultation regarding personal data management

The Personal Data Protection Commission of Singapore (PDPC) has released its response to feedback received from a public consultation launched in July 2017 on Approaches to Managing Personal Data in the Digital Economy.

The PDPC sought views on the relevance of other bases for collecting, using and disclosing personal data under the Personal Data Protection Act 2012 (PDPA), namely the proposed ‘Notification of Purpose’ and ‘Legal or Business Purpose’ approaches. PDPC also proposed a mandatory data breach notification regime for notification of data breaches to PDPC and affected individuals under the PDPA. These proposals are part of the PDPC’s review of the PDPA.

The consultation closed on 5 October 2017 with 68 responses from consumers and organisations (including business associations) representing various sectors. Now the PDPC has released a document providing its responses to the key matters raised by respondents.

New approaches for collection, use and disclosure of personal data

‘Notification of Purpose’ approach

In the public consultation, PDPC considered that notifying individuals of the purpose (“Notification of Purpose”) can be an appropriate basis for an organisation to collect, use and disclose personal data where it is impractical to obtain consent and where the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals. Several respondents raised concerns over the uncertainty of assessing ‘impracticality’ and ‘adverse impact’.

In response, PDPC intends to remove the condition of ‘impractical to obtain consent’, but to retain (and rephrase to similar effect) the condition of ‘not likely to have any adverse impact on the individuals’. PDPC will also issue guidelines as to what would be considered ‘not likely to have any adverse impact’, in order to provide further clarity.

In the public consultation, it was proposed that organisations that wish to rely on ‘Notification of Purpose’ must provide appropriate notification of the purpose of the collection, use or disclosure of the personal data, and information about how individuals may opt out, where applicable. It was proposed that where feasible, organisations must allow individuals to opt out of such collection, use or disclosure.

Respondents sought clarifications on whether posting a general notification on organisations’ website or privacy policy would suffice. They also asked for clarifications on the thresholds for cost and difficulty that would be considered not ‘feasible’ to allow individuals to opt out. Suggestions were received for suggestions for organisations to provide a mechanism and reasonable period for individuals to opt out before collecting, using or disclosing the personal data for the purpose.

In line with the current approach for notifications, PDPC has responded that it will not specify how organisations are to notify individuals. The onus would be on the organisations to determine the most appropriate way of doing so based on their specific circumstances, and to ensure they take reasonable steps to inform individuals of the purposes and how they may opt out.

PDPC is going to provide further guidance in the guidelines on circumstances where large volumes of personal data are instantaneously and seamlessly collected (e.g. data collected by sensors), and the inherent challenge in allowing individuals to opt out in such circumstances.

Legal or Business Purpose’ approach

In the public consultation, PDPC recognised that there are circumstances where organisations need to collect, use or disclose personal data without consent for a legitimate purpose, but it is not authorised under the PDPA or other written laws. An example could be the sharing and use of personal data to detect and prevent fraudulent activities.

Hence, PDPC proposed to provide for the collection, use or disclosure of personal data regardless of consent where it is necessary for a ‘Legal or Business Purpose’, subject to two conditions: a) it is not desirable or appropriate to obtain consent from the individual for the purpose; and b) the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.

In response to suggestions to use the term ‘Legitimate Interests’ which has been adopted in the European Union General Data Protection Regulation (GDPR), PDPC intends to provide for ‘Legitimate Interests’ as a basis. PDPC views ‘Legitimate Interests’ as an evolution of the ‘Legal or Business Purpose’ approach proposed in the public consultation and will provide clarification in guidelines on the legal or business purposes that come within its ambit. However, the ‘Legitimate Interests’ exception is not intended to cover direct marketing purposes.

PDPC intends to retain (and rephrase to similar effect) the ‘benefits to public’ condition, as part of the accountability measures to be implemented by organisations when relying on this exception. As an additional safeguard, PDPC will provide for an openness requirement to the ‘Legitimate Interests’ exception, similar to the current requirement under the PDPA to inform individuals of the purpose of managing or terminating employment relationship.

Accountability measures

In the public consultation, PDPC proposed that organisations must conduct a risk and impact assessment, such as a DPIA, and put in place measures to identify and mitigate the risks when relying on the ‘Notification of Purpose’ or ‘Legal or Business Purpose’ approach.

Responding to clarifications sought, PDPC said that organisations must implement accountability measures when relying on these approaches. They must conduct a risk and impact assessment, such as a DPIA, as an accountability measure when relying on ‘Deemed Consent by Notification’ or ‘Legitimate Interests’. These assessments need not be made available to the public or to individuals on request. However, in the event of complaints, PDPC reserves the right to require organisations to disclose these assessments for PDPC’s consideration.

Mandatory data breach notification

In the public consultation, PDPC proposed that organisations be required to notify affected individuals and the PDPC hen there is a breach that poses any risk of impact or harm to the individuals. Where the breach does not pose any risk of impact or harm to affected individuals but is of a significant scale (e.g. 500 affected individuals), organisations are only required to notify PDPC of the breach. The public consultation sought views on the proposed time frames for data breach notifications to affected individuals and to PDPC.

Feedback was received that PDPC should adopt a consistent risk-based approach, and a higher threshold for notification to avoid imposing overly onerous regulatory burdens. Several respondents also requested for more time than the proposed cap of 72 hours to notify PDPC of a breach. They also asked for clarifications on when the ‘clock’ starts for the 72- hour time frame.

PDPC will retain the criteria for notification of a breach to individuals and DPC. However, it will not prescribe a statutory threshold for number of affected individuals for assessing ‘significant scale’. Further guidance on assessing whether a data breach is likely to result in significant impact or harm and for assessing the scale of impact would be provided in guidelines.

PDPC intends to retain the proposed time frames for notification to affected individuals (i.e. ‘as soon as practicable’) and to PDPC (i.e. ‘as soon as practicable, no later than 72 hours’). But an assessment period of up to 30 days will be permitted, from the day the organisation first becomes aware of a suspected breach, to assess its eligibility for notification. This follows Australia’s notifiable data breaches scheme. The document makes it clear that the organisation must notify all affected individuals as soon as practicable from the time it’s determined that the breach is eligible for reporting, of whether the organisation has fully utilised the 30-day assessment period. If the breach is discovered by a data intermediary (DI) that is processing personal data on behalf and for the purposes of another organisation, the 30-day assessment period for that organisation will commence from the time the DI first becomes aware of the breach. The DI will be required to notify the organisation without undue delay.

The PDPC also sought views on the proposed exceptions to the requirement to notify affected individuals. In view of the responses, PDPC intends to extend the coverage of the law enforcement exception to include investigations carried out by agencies that are authorised by the law. On the technological protection exception, PDPC plans to broaden the exception beyond technological encryption and make it technology neutral. The unauthorised collection, use or disclosure of personal data that has been encrypted may not constitute a data breach unless the data can be decrypted. An exception will also be provided for organisations which have taken remedial actions to reduce the potential harm or impact to the affected individuals. In all these cases, organisations will still be required to notify PDPC of eligible breaches.

Concurrent notification to PDPC and other regulators

Views on the proposed concurrent application of PDPC’s mandatory data breach notification regime with other sectoral breach notification regimes were divided, with some in agreement with the proposed approach, and others proposing that only a single regulator should be notified of a breach.

Where an organisation is required to notify a sectoral or law enforcement agency of a data breach under other written law, and that data breach meets the criteria for notification under the PDPA, the organisation must notify the other sectoral or law enforcement agency, and it must also notify PDPC and affected individuals. In order to minimise the regulatory burden on organisations, they may adopt the same format of notification required for reporting to the other sectoral regulator or law enforcement agency for its breach notifications to PDPC. For breach notifications to affected individuals, PDPC will issue advisory guidelines to provide guidance on the information to be provided in organisations’ communications to ensure clarity and assurance for affected individuals.

PDPC will also explore mechanisms for streamlining notifications to PDPC and the relevant sectoral or law enforcement agencies to help further reduce the compliance efforts and costs for organisations.

Read the complete document here.


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit www.planview.com.


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.

Send this to a friend