SINGAPORE: The first in a series of public consultations on the review of the Personal Data Protection Act (PDPA) closed on Thursday (Feb 1), and the majority of the 68 responses received were "supportive" of the proposed mandatory breach notification regime.
The Personal Data Protection Commission (PDPC) released its response to the public consultation on Thursday, and found that the majority agreed with its approach to strike a reasonable balance between the need for organisations to collect, use and disclose personal data and individuals' right to the protection of their personal data.
The agency had announced its proposed changes last July, stating that notifications would be mandatory only when there is a risk of impact or harm to customers.
Under the proposals, organisations will also be required to notify PDPC of such instances or when there is a "significant scale of breach", such as when it involves the data of more than 500 people.
On this figure, the majority of respondents disagreed with the proposed threshold and several suggested removing it as a criterion. PDPC said it intends to retain the criterion of significant scale of breach for notification, but will not prescribe the statutory threshold of 500 or more.
"This is necessary for PDPC to effectively monitor the market for large scale breach incidences. PDPC will provide further guidance on assessing the scale of impact in guidelines," it said.
Many of the respondents also reiterated the need for guidelines from the agency to guide organisations in complying with the requirements of the notification regime, it added.
The privacy watchdog said this is the first in a series of public consultations it is conducting for the review of the Act, and it will continue to solicit feedback and views on other areas of review.
Advisory guidelines and other resources will be provided to assist organisations in complying with the changes or new requirements when they are introduced, PDPC added.