Headlines published in the last 30 days are listed on SLW.

Watchdog begins public consultation on data law changes

Watchdog begins public consultation on data law changes

Source: Straits Times
Date Published: 23 May 2019
Author: Hariz Baharudin

The proposed data portability provision will give individuals greater control over their data, and enable greater access to more data by organisations to "facilitate data flows and increase innovation", said the PDPC.

The Republic's privacy watchdog has started a public consultation to seek views on proposals to introduce data portability and data innovation provisions in the Personal Data Protection Act (PDPA), as part of an ongoing review of the laws.

The Personal Data Protection Commission (PDPC), in a statement yesterday, said the consultations will be open for six weeks until July 3.

The proposed data portability provision will give individuals greater control over their data, and enable greater access to more data by organisations to "facilitate data flows and increase innovation", said the PDPC.

For instance, it could allow consumers to switch service providers in industries like banking, insurance or telecommunications without losing their past records, such as their personal particulars, loan repayment and purchase histories.

At the same time, the data innovation provisions will make it clear that organisations can use data appropriate for business purposes without individuals' consent, said the PDPC.

PDPC deputy commissioner Yeong Zee Kin, in the statement, said that while data is a "key enabler" of digital transformation, a balance must be achieved between data protection and business information.

Mr Yeong added: "We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as test-bedding data breach notification measures."

The privacy watchdog said the two proposals provide a balanced regulatory approach in empowering consumer choice and supporting innovation.

They are also to align with what other countries such as Australia, India, New Zealand and Japan are doing.

"Such alignment is crucial in ensuring that the PDPA keeps pace with progressive global developments and strengthens international recognition of Singapore's data protection regime," the PDPC said.

Hariz Baharudin

Lower fines for firms that admit role in data breach

Organisations that admit their role in a data breach and plead guilty to it may get a lower financial penalty from the privacy watchdog if the cause is a common breach.

Common breaches include URL manipulation, poor password management or printing errors resulting in incorrect recipients.

The Personal Data Protection Commission (PDPC) said in a statement yesterday that it is aware that even well-prepared organisations may not eliminate all risk of data breaches.

They can now avoid a full investigation by requesting an undertaking option from the PDPC in the event of a data breach.

This may be granted if the organisations can prove they had in place "proper accountability practices, monitoring and remediation plans" in the case of a data breach.

The organisations must also deliver an undertaking to execute a fully developed and prepared contingency plan to resolve a data breach when it occurs.

Before granting this option, the PDPC also has to assess that such an undertaking would achieve similar or better enforcement outcomes compared with a full investigation.

These steps are being taken to "bring investigations on clear-cut data breaches to a conclusion quickly", the commission said.

Under the Personal Data Protection Act, organisations can be given a financial penalty of $1 million for their role in breaches.

The law makes it clear that organisations have an obligation to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.

The commission yesterday also announced the launch of its updated guide which contains, among other things, recommendations on how organisations should handle breaches.

The guide also includes examples and clarifications to address common queries from organisations, such as policy considerations by the PDPC when deciding to initiate or discontinue an investigation, as well as financial penalty assessment factors.

There are also recommendations for organisations on when to notify the PDPC and individuals of a breach, as well as the timeliness of this notification.

For example, organisations conducting internal investigations and assessments of a potential data breach should take no more than 30 days from when they are made aware of a potential breach.

And if more than 500 individuals are affected, or if significant harm or impact to the individuals is likely to occur due to a breach, organisations are recommended to notify the PDPC no later than 72 hours from the time they have completed their assessment.

The commission said it had engaged stakeholders in updating the guide, which it will monitor and adjust as necessary.

The recommendations are in line with upcoming plans to implement mandatory breach notification, which the PDPC will introduce in the upcoming review of the Personal Data Protection Act.

The commission has urged companies to adopt the recommendations "as this will allow them to respond to data breaches confidently and prepare for the PDPC's planned introduction of a mandatory breach notification in its upcoming Act Amendment".

Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.




Latest Headlines

No content

A problem occurred while loading content.

Previous Next
1903 STEP UK
Maritime and Shipping Law Course

Terms Of Use Copyright 2019 by Singapore Academy of Law
Back To Top