Singapore to review personal data protection rules

If given the green light, the proposed changes to the Personal Data Protection Act will require organisations to notify the authorities of data breaches

Singapore is planning to review its personal data protection laws to keep up with the changing technology landscape, such as the growing adoption of the internet of things (IoT) where seeking consent from consumers for the collection and use of personal data may not be practical.

This was revealed by Singapore’s minister for communications and information, Yaacob Ibrahim, at a personal data protection seminar organised by the Personal Data Protection Commission (PDPC) on the sidelines of RSA Conference Asia-Pacific and Japan on 27 July 2017.

In his address, Yaacob noted that it has been five years since the Personal Data Protection Act (PDPA) came into effect, and that it is timely to review and update the laws to reflect Singapore’s ambitions of becoming a trusted global hub for innovative uses of data.

Among several other obligations, the PDPA requires organisations to seek consent from consumers for the collection, disclosure and use of personal data. The fast-emerging digital economy, however, is presenting challenges for consent-based approaches to personal data protection.

“Ubiquitous computing has changed the nature of data collection from active interaction to a passive one where devices seamlessly collect and transmit personal data across communications networks,” the PDPC said in a public consultation document, noting that it is not always possible to anticipate the purposes for using and disclosing personal data at the onset.

“Furthermore, where huge volumes of personal data involving large numbers of individuals are collected at high velocities and from a variety of sources, it may not be practical for organisations to seek individuals’ consent in every instance of data collection, or to attempt to identify the individuals to seek their consent for every new purpose,” it added.

Data collection without consent

The PDPC is thus considering “notification of purpose” as a basis for collecting, using and disclosing personal data under the PDPA, subject to conditions such as when it is impractical to obtain consent and when the collection, use or disclosure of personal data is not expected to have adverse impact on individuals.

Kevin Shepherdson, CEO and founder of Straits Interactive, a data protection consultancy, said organisations should not use the notification of purpose as a disguise to collect personal data for secondary purposes.

For example, a notification to inform people that they are being monitored by CCTV cameras for security and safety purposes should be just that. “The CCTV footage cannot be used for other purposes like promoting the popularity of certain events,” he said.

Breach notification to become compulsory

The PDPC is also proposing to introduce mandatory data breach notification to replace the voluntary one in place today.

“Notification will enable affected individuals to better protect themselves by taking some action, and allow affected organisations to receive guidance from the PDPC on how to manage the breach. We will build in thresholds to ensure this requirement does not become an unnecessary burden,” said Yaacob.

Yaacob added that the PDPC would also work with companies to create regulatory sandboxes to allow it to understand how the proposed changes to the PDPA might work in practice. This will enable the PDPC to fine-tune the details before the amendments are made.

Sheena Chin, country manager for Veritas Singapore, said the proposed changes to the PDPA were vital for local companies, given the recent onslaught of cyber attacks in Singapore, and would instil discipline to ensure better data management practices.

“Local companies will have to adhere to the regulation, provide greater transparency and quicker turnaround time to report the necessary information to the relevant authorities,” she said.

Operational challenges of data protection

Straits Interactive’s Shepherdson, who is also the author of 88 privacy breaches to beware of, said the amount of information to be included in the proposed breach notification had to be something that could be reasonably provided within 72 hours, which is similar to regulations in the Philippines.

“Singapore companies, especially SMEs [small and medium-sized enterprises], are still trying to grapple with operational compliance with the PDPA, so they may struggle with complying with this requirement. This is yet another requirement for Singapore companies to demonstrate accountability,” he said.

Several organisations have been taken to task for flouting personal data protection rules in recent years. In 2014, karaoke operator K Box was fined S$50,000 (US$36,700) for leaking the personal data of more than 300,000 customers.

More recently in July 2017, Orchard Turn Developments, which manages the ION Orchard mall in Singapore’s prime shopping belt, was slapped with a financial penalty of S$15,000 for failing to make reasonable security arrangements to protect personal data of its members.