Singapore's Personal Data Protection Commission moves to strengthen accountability and drive innovation
The Personal Data Protection Commission (PDPC) of Singapore has introduced three initiatives to facilitate the movement and use of data to support innovation, and to strengthen accountability among organisations:
- A public consultation to seek views on proposed data portability and data innovation provisions, as part of the review of the Personal Data Protection Act 2012 (PDPA);
- A new Guide on Active Enforcement as part of its drive for organisations to shift from compliance to accountability; and
- An updated Guide to Managing Data Breaches 2.0, to help organisations manage and respond to data breaches more effectively.
Deputy Commissioner of PDPC Yeong Zee Kin said, “Data is a key enabler of digital transformation, but a balance must be achieved between data protection and business innovation. We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as test-bedding data breach notification measures.
“The PDPC also recognises the importance of being responsive and agile in enforcing data protection in an environment of fast-evolving data use, coupled with sweeping technological advances. Hence, the PDPC has converted its knowledge and experience in investigations to practical enforcement approaches in a Guide to Active Enforcement which businesses can refer to, and also updated the Guide to Managing Data Breaches.”
Public consultation
The public consultation is the third under the ongoing review of the PDPA, to seek feedback and views on the proposed introduction of the data portability and data innovation provisions. This consultation builds on the data portability discussion paper launched in February 2019.
The proposed data portability provision will provide individuals with greater control over their personal data and enable greater access to more data by organisations to facilitate data flows and increase innovation, while the proposed data innovation provision makes it clear that organisations can use data for appropriate business purposes without individuals’ consent. Collectively, the proposals provide a balanced regulatory approach to empower consumer choice and support innovation in a digital economy.
This approach is aligned with a global push towards data portability, with jurisdictions such as Australia, India, Japan and New Zealand either having implemented or planning to implement data portability in their respective data protection regimes. Such alignment is crucial to ensuring that the PDPA keeps pace with progressive global developments and goes towards strengthening international recognition of Singapore’s data protection regime.
Guide to Active Enforcement
The new guide sets out how the PDPC deploys its regulatory powers to deal with data breaches efficiently and effectively, and to safeguard the public interest.
The PDPC has introduced an expedited decision process to bring investigations into clear-cut data breaches to a conclusion quickly. The process draws on data breach cases from the last four years and on feedback from stakeholders. To be eligible for the expedited decision process, a case must meet certain conditions. These include:
- The nature of the data breach is similar to precedent cases with similar categories of facts; and
- Where there is an upfront admission of liability for breaching the PDPA by the organisation.
In expedited decision cases where financial penalties are involved, the organisation’s admission of its role in the incident will be treated as a strong mitigating factor. Examples of cases eligible for the process include common forms of data breach such as URL manipulation (altering a web address to reach records belonging to other individuals), poor password management, and printing errors that send personal data to the wrong recipients.
However, the PDPC also recognises that even well-prepared organisations cannot eliminate all risk of a data breach. Organisations that can demonstrate to the PDPC that they have proper accountability practices, monitoring and remediation plans in place, such as Data Protection Trustmark-certified* organisations, may therefore request an undertaking from the PDPC in the event of a data breach.
An undertaking is a written commitment by the organisation to execute a fully developed and prepared contingency plan to resolve the data breach once it has occurred. The PDPC may also accept an undertaking where it assesses that doing so would achieve a similar or better enforcement outcome than a full investigation.
The Active Enforcement guide also includes examples and clarifications to address common queries from companies such as policy considerations by the PDPC when deciding to initiate or discontinue an investigation, as well as financial penalty assessment factors.
Guide to Managing Data Breaches 2.0
This updated guide better supports organisations in managing data breaches effectively. Under the Guide to Managing Data Breaches 2.0, organisations should have monitoring measures in place to provide early detection and warning of possible data breaches, together with a data breach management plan for reporting and assessing a breach. The guide also sets out the steps organisations can take in responding to a data breach:
- Containing the breach to prevent further compromise of personal data;
- Assessing the risks and impact of the breach;
- Reporting the breach to the PDPC and informing affected individuals where necessary; and
- Evaluating the response to the breach and reviewing the actions taken to prevent further data breaches.
In addition, the guide covers:
- Thresholds for notifying the PDPC and individuals of a data breach; and
- The timeliness of notification.
The notification thresholds treat a breach as significant in scale where 500 or more individuals are affected, or, regardless of the number affected, where significant harm or impact to the individuals is likely to occur as a result of the breach.
The PDPC also recommends that organisations take no more than 30 days from when they become aware of a potential data breach to complete their internal investigation and assessment of it and, where the notification thresholds are met, that they notify the PDPC no later than 72 hours after completing that assessment**.
The PDPC has updated these areas to incorporate feedback from prior consultations, and will monitor and adjust them as necessary. Organisations are urged to adopt this approach, as it will allow them to respond to data breaches confidently and to prepare for the mandatory breach notification the PDPC plans to introduce in the upcoming amendment to the PDPA. The PDPC also welcomes feedback from organisations that have implemented these changes, so that further improvements can be made before breach notification becomes mandatory.
Details:
The public consultation is open for six weeks starting today and will end on 3 July 2019.
Both guides can be downloaded online.
*For more information and a full list of Data Protection Trustmark-certified organisations, please visit www.imda.gov.sg/dptm.
**Data intermediaries should report potential data breaches to their main organisation no later than 24 hours from when they first become aware of a potential data breach.