Significant changes are proposed to Singapore's data protection law, which if passed would have a material impact on organisations' Singapore data protection compliance programmes. Here's what you need to know so you can plan ahead.
- Data breach notification will in most cases become mandatory
Perhaps one of the more important proposed amendments, notification of data breaches will be mandatory. Any data security breach which is likely to result in a risk of harm to the affected individual must be notified to the Personal Data Protection Commission (PDPC) and the affected individuals. In all other cases, data security breaches need only be notified to the PDPC where more than 500 individuals are affected. Notification will need to be provided as soon as practicable and in any event within 72 hours.
These changes are in line with a current trend in the region to move towards a model of mandatory breach notification, and is in keeping with similar requirements adopted by the EU, as well as in Canada and Australia. Organisations are, therefore, encouraged to review their internal processes now and ensure they have planned procedures in place for the notification and management of data breach incidents.
- Data intermediaries will also be required to notify data breaches
In addition, data intermediaries who are processing personal data on behalf of an organisation must notify that organisation if they become aware of a data breach (regardless of the severity of the data beach). Organisations will then be required to comply with the breach notification requirements outlined above.
Practically speaking, in order to ensure compliance with its notification requirements, organisations will need to conduct a review of its agreements with data intermediaries to ensure there are appropriate contractual obligations in place to ensure data intermediaries report breaches immediately. In our experience, most international organisations already insist on such a clause in their agreements with data intermediaries in any case.
- No need for consent in some cases where purpose of collection is notified
The amendments propose an alternative to obtaining consent for the collection, use or disclosure of personal data where obtaining consent is not practical in the circumstances (provided it would not have an adverse impact on the individual). This would be a pragmatic and welcome development.
- Notice or consent not needed if there is a legal or business purpose
Even more dramatically, neither notice or consent would be required if the collection, use or disclosure of the personal data is necessary for a legal or business purpose. Organisations would only be able to rely on this method where obtaining consent is not desirable or appropriate in the circumstances, and provided the benefit to the public clearly outweighs any negative impact to the individual. This is a much wider exemption than is available in other jurisdictions and, while businesses would no doubt welcome this, we anticipate guidance will be issued to reduce the possible abuse of this exemption.
- Data impact assessments required if not relying on consent
However, before relying on one of the new methods for the collection, use or disclosure of personal data, organisations will need to conduct privacy impact assessments and put in place appropriate measures to mitigate any risks. The concept and practice of privacy impact assessments is becoming increasingly widespread, e.g. in China and the EU, and so we expect international organisations will accept this condition in order to take advantage of not having to obtain prior consent, especially in respect of new projects or initiatives which touch on personal data.
While issuing a public consultation is a welcome step, the PDPC is yet to issue any guidance on how these proposed amendments will work in practice, for example, what would constitute notification to individuals when collecting data; how is 'adverse impact' on individuals is measured; how should risk and impact assessments be carried out.
Singapore also last month submitted a notice to join the APEC Cross-Border Privacy Rules system, and published new guidance on data sharing, as well as issuing a public consultation on the proposed Cybersecurity Bill. Therefore, organisations should be mindful that Singapore laws in the area are continuing to develop more generally, and are advised to monitor developments.
The public consultation exercise on these proposed changes will continue until 21 September 2017.