On 2 November 2020, the Singapore Parliament passed amendments to the country’s Personal Data Protection Act (PDPA). It was the first time the law had been reviewed and changed since it was enacted in 2012. At the time of its enactment, it was one of the most progressive data protection laws in the world, pre-dating the EU’s General Data Protection Regulation (GDPR), but it has since fallen short of the new wave of international data protection standards.
This became evident in June 2018, when Singapore suffered its worst data breach to date. The personal data of no fewer than 1.5 million healthcare patients, including that of its Prime Minister, Lee Hsien Loong, was compromised. The Personal Data Protection Committee (PDPC) tasked with enforcing the PDPA was quick to react and issued some of its highest fines to date: S$750,000 (approx. $560,000) for Integrated Health Information Systems (IHIS), the technology agency running the healthcare institutions’ IT systems, and S$250,000 (approx. $186,000) for the data controller, SingHealth. However, the probe into the incident revealed that the primary cause of the data breach was weak cybersecurity practices.
The SingHealth data breach sparked concerns over the PDPA’s effectiveness in protecting Singaporean data subjects’ sensitive data and led to its first comprehensive review. The draft Personal Data Protection Amendment Bill was the subject of a public consultation conducted by the Ministry of Communications and Information and the PDPC between 14 and 28 May 2020 and was introduced in the Singapore Parliament by the Minister for Communications and Information on 5 October 2020. Now that it has been passed by the Parliament, the Amendment is expected to come into force before the end of 2020, once the President assents to it and a notification is published in the Government Gazette.
The amendments bring four crucial changes: the introduction of mandatory data breach notifications, updates to its consent provisions for the collection, use and disclosure of personal data, the addition of individuals’ right to data portability and increased financial penalties.
Data breach notifications are now mandatory
Data breach notifications to the PDPC were voluntary until now, but they have become mandatory under the amended PDPA. Organizations are required to notify the PDPC if there is a data breach of significant scale – involving 500 individuals or more – that is likely to cause significant harm to the affected individuals.
Once an organization becomes aware of a data breach, it must assess whether the incident meets the requirements for a mandatory notification and, if it does, it must inform the PDPC of the data breach no later than 72 hours. Companies are also obligated to notify affected individuals as soon as practicable.
If a company’s response to a data breach manages to neutralize the danger posed to individuals through the compromised data, it is exempt from having to notify the PDPC and individuals about the breach. The same applies when the data exposed was subject to technological measures prior to the breach that make it unlikely that the data breach will result in significant harm to the affected individuals. Encrypted data, for example, is likely to fall into this category. Companies also do not need to inform individuals of a data breach if so instructed by law enforcement agencies or the PDPC.
Expansion of consent exemptions and deemed consent
In a surprising twist, the PDPA’s relaxed consent provisions, one of the major points of contention about the law, were not restricted but expanded. The PDPA’s notoriously lax consent requirements already allowed organizations to collect personal data without consent under 18 exemptions. There were also 10 exemptions for the use of personal data without consent and 19 exemptions for disclosure without consent. The PDPA also accepts deemed consent, or data provided voluntarily by an individual to an organization, as valid consent.
The amended PDPA has now added a further two exemptions to the list of circumstances under which organizations can collect, use or disclose personal information without consent: when it is in the legitimate interest of the organization and the benefit to the public is greater than any adverse effect on the individual, and when it is for business improvement purposes.
Another two cases for deemed consent were also added: when the collection, use, or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction, and when individuals have been notified of the purpose of the intended collection, use, or disclosure of their personal data and are given a reasonable opportunity to opt out and they do not do so.
The right to data portability
Singaporean data subjects were granted the right to data portability under the amended PDPA. They will now be able to request that the personal information in the possession of a company be transmitted to another organization in a commonly used machine-readable format.
There are, however, exemptions to the rule. Data portability only applies to data provided by individuals themselves, not to any data created in the course of the individual’s use of a company’s product or service or derived by the organization in the course of business from other personal data. The receiving organization must also have a presence in Singapore.
Higher penalties
Penalties under the PDPA were already substantial, but the maximum fine was capped at S$1 million (approximately $745,000). Under the amended law, organizations whose annual turnover in Singapore exceeds S$10 million (roughly $7.45 million) can be fined up to 10% of their annual turnover in Singapore, while the threshold of S$1 million remains for all other cases.
In conclusion
The changes to the PDPA account for international developments in data protection legislation, technological advances, and new business models. They also shift the focus from how companies can collect and process data within the law to their accountability for the security of that data once it is in their possession.