Privacy watchdog proposes mandatory notification for certain data breaches

Privacy watchdog proposes mandatory notification for certain data breaches

03:26
Singapore's privacy watchdog has announced proposed changes to the Personal Data Protection Act (PDPA), including the required reporting of certain data breaches to customers. 

SINGAPORE: Singapore's privacy watchdog has announced proposed changes to the Personal Data Protection Act (PDPA), including the required reporting of certain data breaches to customers. 

This is to "give affected individuals the opportunity to take steps to protect themselves from the risks and impact of a data breach", the Personal Data Protection Commission (PDPC) said in a press release on Thursday (Jul 27).

To avoid imposing "overly onerous regulatory burdens on organisations" or "inadvertently create notification fatigue for individuals", the commission proposes that the notifications be mandatory only when there is a risk of impact or harm for the customers.

Organisations will also be required to notify PDPC of such instances or when there is a "significant scale of breach"; for example when it involves the data of more than 500 people. As it is required for the organisation to also notify a law enforcement agency of the breach, the two notifications should be done concurrently to "minimise regulatory burden", said PDPC.  

TACKLING "CONSENT REGIME"

The PDPA relies primarily on individual consent as a key basis for organisations to collect, use and disclose personal data. This will not change.

However, in light of the fast evolving digital ecosystem, there are certain challenges with getting consent in some instances.

PDPC is therefore considering - among other changes - strengthening the PDPA for companies to be able to collect, use or disclose personal data in cases where consent is not easily obtained.

In cases where it is impractical to get consent from people on how their personal data will be used, the commission is proposing that companies can still collect and use the data, if there is no adverse impact on individuals.

For example, data collected by a pharmacy via its customer satisfaction survey - which may include name, age, gender and health products bought - can be shared with a research company for a study on health supplements as long as there is no adverse impact on the customer. 

The company, however, has to place a public notice on what the information is being used for.   

In a case where there is an adverse impact on the user, the data can still be used if it benefits the public. For example, if a bike-sharing company wants to share personal data of blacklisted customers with a bad track record of misusing and damaging its bicycles with other companies, it can do so, as this could help reduce public nuisance.

The PDPC said it will introduce an online assessment tool, as well as guides to help companies in data protection management. 

PROMOTING "RESPONSIBLE DATA SHARING"

These proposed changes aim to encourage responsible data sharing so that businesses can innovate while protecting user data, said Dr Yaacob Ibrahim, Minister of Communications and Information, at the fifth annual Personal Data Protection seminar. 

"Today, companies already have to share data with others in the ecosystem in order to provide services. For example, when we purchase car insurance, our good driving record with one insurance company can be ported over to another insurance company when we switch insurers.

"The no-claim bonus allows good drivers to enjoy a preferential insurance premium. Companies that collaborate can achieve so much more for their customers," he said. 

"Data is at the centre of the digital economy," Dr Yaacob added. "By supporting data sharing for innovation, strengthening business accountability and facilitating cross-border data flows, we hope to build a trusted, robust and progressive data protection ecosystem in Singapore that allows us to harness the economic opportunities offered by the digital economy."

Source: CNA/hs