The Personal Data Protection Commission (PDPC) has introduced a new “Active Enforcement” guide aimed at driving organisations to “shift from compliance to accountability”. It also updated its “Guide to Managing Data Breaches 2.0” to help organisations manage and respond to data breaches more effectively, and launched a public consultation to seek views on proposed data portability and data innovation provisions.
These initiatives were announced by PDPC deputy commissioner Yeong Zee Kin at an event co-organised by the PDPC and the Singapore Business Federation as part of Singapore’s week-long Privacy Awareness Week. He described them as “firm steps” to position Singapore as a trusted data hub in the global digital economy. Recognising that a balance must be struck between data protection and business innovation, the PDPC is seeking feedback on the proposed data portability and innovation provisions, and is also testbedding its data breach notification measures.
“The PDPC also recognises the importance of being responsive and agile in enforcing data protection in an environment of fast-evolving data use, coupled with sweeping technological advances. Hence, the PDPC has converted its knowledge and experience in investigations to practical enforcement approaches in a Guide to Active Enforcement which businesses can refer to,” added Yeong.
The new Guide to Active Enforcement details an expedited decision process introduced by the PDPC to bring investigations into clear-cut data breaches to a conclusion quickly. The process draws on data breach cases from the last four years and on feedback from stakeholders. Cases eligible for the process include common forms of data breach such as URL manipulation, poor password management, and printing errors that send personal data to the wrong recipients.
In expedited decision cases where financial penalties are involved, the organisation’s admission of its role in the incident will be taken into consideration as a strong mitigating factor, said the press release. While companies may not be able to eliminate all risk of data breaches, PDPC said they should put in place “proper accountability practices, monitoring and remediation plans”.
The Active Enforcement guide also includes examples and clarifications to address common queries from companies, as well as financial penalty assessment factors.
Feedback from consultations
Meanwhile, organisations are urged to adopt the approach set out in the updated Guide to Managing Data Breaches 2.0, which incorporates feedback from the PDPC’s earlier consultations. Besides setting out the steps for containing a breach and assessing its risk and impact, the guide also covers the actions to be taken afterwards: reporting the breach to the PDPC and informing affected individuals, then evaluating the response and reviewing the actions taken to prevent further breaches.
The guide also updates recommendations in two main areas – the thresholds for notifying the PDPC and affected individuals of a data breach, and the timeliness of notification. The PDPC recommends that organisations conducting internal investigations and assessments of a potential data breach take no more than 30 days from the time they become aware of it.
The notification thresholds are also revised: a breach is treated as affecting a large number of individuals where 500 or more are affected, and notification is likewise expected where significant harm or impact to the affected individuals is likely to result from the breach. In such cases, organisations should notify the PDPC no later than 72 hours after completing their assessment.
Lastly, the PDPC has launched its third public consultation under the ongoing review of the PDPA to seek feedback and views on the proposed introduction of the data portability and data innovation provisions. The public consultation is open for six weeks starting today and will end on 3 July 2019.
This consultation builds on the data portability discussion paper released in February 2019. The proposed data portability provision would give individuals greater control over their personal data while enabling organisations to access more data, facilitating data flows and innovation. The proposed data innovation provision would make it clear that organisations can use data for appropriate business purposes without individuals’ consent.