Singapore’s Mandatory Breach Notification obligation takes effect immediately

Singapore

This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.

Introduction

On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that the amendments to the Personal Data Protection Act (PDPA) will take effect in phases, beginning 1 February 2021. In line with these amendments, the PDPC has updated the Advisory Guidelines on Key Concepts in the PDPA, the Advisory Guidelines on the Do Not Call (DNC) Provisions, and the Advisory Guidelines on Enforcement of Data Protection Provisions (together, the Advisory Guidelines) to help organisations with compliance. The key clarifications included in the Advisory Guidelines are set out below:

1. Amendments to the Consent Obligation

Exceptions to the Consent Obligation:

  • Business improvement: This exception covers the use of personal data within an organisation, and the collection and disclosure of personal data within a group of companies. To rely on it, (a) the purpose cannot reasonably be achieved without using the personal data in individually identifiable form, (b) the purpose must be one that a reasonable person would consider appropriate in the circumstances, and (c) the purpose must not be to send marketing messages.
  • Legitimate interests exception: This exception covers the collection, use and disclosure of personal data. To rely on it, organisations must (a) conduct an assessment and balancing test showing that the legitimate interests outweigh any likely adverse effect on the individual (see here for the PDPC’s recommended assessment checklist), and (b) provide the individual with reasonable access to information on the organisation’s reliance on the exception; in addition, (c) the purpose must not be to send marketing messages. Organisations must document and retain copies of their assessment and be able to justify their reliance on the exception on the PDPC’s request.
  • Research exception: This exception covers the use and disclosure of personal data. Organisations can rely on it only where (a) the research purpose cannot reasonably be accomplished unless the personal data is used or disclosed in individually identifiable form, (b) it is impracticable to seek consent (for disclosure only), (c) there is a clear public benefit to using or disclosing the personal data for the research purpose, (d) the results of the research will not be used to make any decision that affects the individual, and (e) any published results are in a form that does not identify the individual.

Deemed consent: The amendments expand the existing deemed consent provisions of the PDPA so that consent is also deemed to have been given (a) where the disclosure and/or processing is reasonably necessary to conclude or perform a contract; or (b) where reasonable steps are taken to notify the individual of the purpose of the processing and the individual is given a reasonable opportunity to opt out.

  • Deemed consent by contractual necessity: This category enables organisations to disclose personal data to downstream organisations where reasonably necessary to fulfil the contract between the individual and the organisation (e.g. where the information is used to process a payment between a consumer and a goods/service provider, the provision applies to all parties in the payment processing chain and the entire delivery chain).
  • Deemed consent by notification: This category is useful where organisations seek to use or disclose existing data for secondary purposes that differ from the primary purposes for which the personal data was collected. It is subject to an assessment to eliminate or mitigate adverse effects (see here for the PDPC’s recommended assessment checklist), reasonable steps to ensure that the notification given to the individual is adequate, and a reasonable opt-out period. This category does not apply to the sending of direct marketing messages.

2. Enactment of the Data Breach Notification Obligation

The enhanced PDPA requires organisations to assess whether a data breach is notifiable and, where it is, to notify the PDPC and (where required) the affected individual(s). A data breach is notifiable where either of the following applies:

  • Significant scale: the breach involves the personal data of 500 or more individuals.
  • Significant harm to affected individual(s): the compromised personal data includes:
    • The individual’s full name or alias or identification number, in combination with any of the following:
      • Financial information which is not publicly disclosed including salary, income, bank account, credit card number, net worth;
      • Information leading to the identification of vulnerable adult, child or young person who is the subject of certain court proceedings;
      • Life, accident and health insurance information which is not publicly disclosed;
      • Specified medical information;
      • Information related to adoption matters; or
      • Private key used to authenticate or sign an electronic record or transaction.
    • Individual’s account identifier in combination with any password, security code, access code, response to security question, biometric or other data that is used or required to allow access to or use of the individual’s account.

Organisations must notify the PDPC as soon as practicable, and in any case no later than 3 calendar days after assessing that a data breach is notifiable; note that this 3-day period runs from the date of the assessment, not from the date the breach was discovered. Where affected individuals must also be notified, organisations must do so as soon as practicable, at the same time as or after notifying the PDPC.

In addition, data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency (other than as an employee of that organisation) must notify that organisation or public agency without undue delay when a potential or actual data breach is detected.

3. Amendments to offences for egregious mishandling of personal data

Individuals may now be held liable for the egregious mishandling of personal data in the possession of or under the control of an organisation, namely:

  • Knowing or reckless unauthorised disclosure of personal data;
  • Knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person; and
  • Knowing or reckless unauthorised re-identification of anonymised information.

The new offences apply only to egregious misconduct by individuals whose actions were not authorised by the organisation; organisations remain liable for the conduct of their employees in the course of employment.

4. Prohibitions relating to the use of dictionary attacks and address-harvesting software

The enhanced PDPA prohibits the use of telephone numbers obtained through dictionary attacks or address-harvesting software: messages with a Singapore link must not be sent, caused to be sent, or authorised to be sent to such telephone numbers.

A “dictionary attack” is defined as a method by which the telephone number of a recipient is obtained using automated means that generate possible telephone numbers by combining digits into numerous permutations.

“Address-harvesting software” is software specifically designed or marketed for searching the Internet for telephone numbers and collecting, compiling, capturing or otherwise harvesting published telephone numbers.

5. Requirements on third-party DNC checkers

Third-party DNC checkers check the DNC Registry on behalf of senders and report whether a Singapore telephone number is listed. Checkers are required to:

  • Ensure that the applicable information provided to the sender accurately reflects the results obtained from the DNC Registry; and
  • When communicating the applicable information, provide the sender with the date the checker received the results from the DNC Registry, and the validity period of the applicable information.

6. PDPC’s power to accept voluntary undertakings

The PDPC has the power to accept a written voluntary undertaking from an organisation or individual where it has reasonable grounds to believe that:

  • The organisation has not complied, or is not complying or is likely not to comply with any of the data protection provisions under the PDPA; or
  • The person has not complied, is not complying, or is likely not to comply with the DNC provisions under the PDPA.

Such voluntary undertakings may include undertakings to:

  • Take specified action within a specified time (e.g. improving cyber defences or conducting penetration tests of electronic databases);
  • Refrain from taking any action (e.g. cease the use of personal data collected without consent); and/or
  • Publicise the voluntary undertaking.

Organisations are encouraged to formulate effective remediation plans to rectify any breaches and address systemic issues to ensure compliance with the PDPA.

You may find a copy of the Advisory Guidelines at the following links:

  • Advisory Guidelines on Key Concepts in the PDPA
  • Advisory Guidelines on the DNC Provisions
  • Advisory Guidelines on Enforcement of Data Protection Provisions

For more information on the PDPA amendments, please see our earlier Law-Now updates available here and here.