The Personal Data Protection Act (PDPA) governs the collection, use, and disclosure of personal data by organizations in Singapore. Enacted in 2012, it has not been changed since and was considered one of the most progressive regulations of its time, forerunning the General Data Protection Regulation (GDPR) in Europe.

Despite all measures taken and the regulation in place, the following years from 2012 to 2020 have shown, that Singapore was not immune to a data breach. For instance, in 2019 more than a quarter (26,8%) of overall crime in Singapore was related to cybercrime.

In 2020, «aiming to strike a balance between the need to protect individuals’ personal data and private organizations’ need to collect, use and disclose personal data for legitimate and reasonable purposes», the act was updated.

The new amended act provided several crucial changes: an enhanced framework for the collection, use, and disclosure of personal data, mandatory breach notifications, the right of data portability, and higher penalties for uncontained breaches.

The new amended act provided several crucial changes: an enhanced framework for the collection, use, and disclosure of personal data, mandatory breach notifications, the right of data portability, and higher penalties for uncontained breaches.

Expanded deemed consent

The current PDPA prohibits organizations from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent.

The new section 15A of the PDPA implies that consent may be considered given if the organization informed the individual on intention and the purpose of using personal information and offered a reasonable period within which the individual can opt-out. There is an exemption still. Organizations cannot use the opt-out method, such as a pre-checked box, or require actions to opt-out to send direct marketing messages by email or phone to individuals.

Consent is also deemed given in case the individual voluntarily provides his personal data to the organization for purposes, limited by obvious purposes of use.

Exceptions, allowing a collection of personal data without consent

1. Legitimate Interests exception

Examples of legitimate interests include the purposes of detecting or preventing illegal activities (e.g. fraud, money laundering) or threats to physical safety and security, IT and network security; preventing misuse of services; and carrying out other necessary corporate due diligence.

Subjecting such purposes to consent is not viable as individuals may choose not to give consent or to withdraw any consent earlier given (e.g. individuals who intend to or who had engaged in illegal activities), impeding the organizations’ ability to carry out such functions.

Paragraph 2.28 under Part 2 of Draft Advisory Guidelines On Key Provisions Of The Personal Data Protection (Amendment) Bill (issued 20 November 2020).

2. Business Improvement exception

Organizations can use, without consent, personal data that they had collected in accordance with the DP Provisions of the PDPA, where the use of the personal data falls within the scope of any of the following business improvement purposes:

• improving, enhancing or developing new goods or services;
• improving, enhancing or developing new methods or processes for business operations in relation to the organizations’ goods and services;
• learning or understanding behavior and preferences of individuals (or groups);
• identifying goods or services that may be suitable for individuals (or groups) or personalizing or customizing any such goods or services for individuals.

Part 5 of the new First Schedule and Division 2 under Part 2 of the new Second Schedule PDPA.

3. Research exception

The research exception provides that organizations may use personal data for a research purpose, including historical and statistical research, subject to the following conditions:

• the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;
• there is a clear public benefit to using the personal data for the research purpose;
• the results of the research will not be used to make any decision that affects the individual;
• in the event the results of the research are published, the organization must publish the results in the form that does not identify individual.

Paragraph 2.45 under Part 2 of Draft Advisory Guidelines On Key Provisions Of The Personal Data Protection (Amendment) Bill (issued 20 November 2020).

To rely on any of the new exceptions, organizations will need to assess the adverse effect on individuals and ensure the interests outweigh any effects. For example, the benefits of collecting information on the company-issued devices for the purpose of data loss prevention, outweigh any likely effect on its employees.

It also should be justified, that reaching a reasonably appropriate purpose was not possible without using and collecting personal data, and collecting consents was impracticable (e.g. research can become no longer viable etc.).

Organizations are also required to chose and put in place reasonable measures to reduce the likelihood of negative effects on an individual by minimizing the amount of personal data collected, implementing technological protection, etc. At the same time, new business improvement exception allows to collect, use and disclose personal data within a group of related corporations, if individuals, subject of data collection, are existing customers of sharing company and are existing or prospective customers of data receiving company.

Organizations still cannot rely on any of the exceptions to send out direct marketing messages.

The right to data portability

According to the amended PDPA individuals can now request to transmit his/her personal data from one company to another. This right applies only to data, initially provided by the individual. Companies cannot share information on customer experience or other. The receiving organization must also be present in Singapore.

Breach notifications are now mandatory

Data breach notifications to the Personal Data Protection Commission (PDPC, promoting, administering, and enforcing PDPA) were voluntary until the recent amendments. Now, in case of a significant scale breach, involving personal data of 500 or more individuals, or a breach that is likely to result in significant harm to individuals, the organization is required to notify PDPC within 72 hours. The organization will also have to inform affected individuals, as soon as practicable, unless other was instructed by the law enforcement agencies.

The regulation provides 30 days to assess, whether the breach is notifiable. If the organization is unable to complete its research within this period, it has to be prepared to give decent explanations to the PDPC.

Worth mentioning, that a data breach within an organization is not a notifiable one. For example, if the HR department sends an email, containing personal data of employees to another department by mistake, and the breach is contained, this data breach is not subject to notification.

Higher penalties

The new amended Act provides an increased maximum financial penalty for data breaching of up to 10% of an organization’s annual turnover in Singapore or SGD1,000,000 (USD746,000).

Technological protection

This exception includes any technological measures applied to personal data before the data breach to preserve it inaccessible from an unauthorized party. Technological measures include encryption, password protection, data loss prevention, etc. In such cases, the breach will most likely be contained and the organization will don’t have to notify the affected individuals of the data breach.

This being said, in order to comply with the updated regulation and the new data breach notification requirement, especially within a limited timeline, companies need to implement data breach prevention policies, introduce special software and have a clear response plan to manage data breach incidents effectively. Next Generation DLP as an all-in-one solution is an option worth considering.