On 20 November 2020, the Personal Data Protection Commission (PDPC) issued the draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“Guidelines“).
We had summarized in our previous client alerts the changes proposed during the public consultation (“Consultation Paper”) on the Personal Data Protection (Amendment) Bill (“Bill”), as well as the salient differences between the Consultation Paper and the Bill that was introduced and read in the Singapore Parliament on 5 October 2020. The Bill has since been passed by Parliament on 2 November 2020 (“Act“).
For this client alert, we will focus on a few pertinent points that have been highlighted in the Guidelines.
- While not legally binding, the Guidelines set out how the PDPC would interpret the provisions of the Act when the amendments come into force.
- Given the further elaboration of the Act in the Guidelines, organizations should start considering how current data protection practices and policies may be impacted.
Pertinent points in the Guidelines
Enhanced consent framework
The Guidelines further elaborate on the two new forms of deemed consent (by contractual necessity and notification) that had been introduced in the Act.
Deemed consent by contractual necessity
This provision permits downstream processing of personal data for the performance or conclusion of a contract. The Guidelines further illustrate how this provision may benefit organizations. For example, if an individual makes a purchase over an e-commerce platform and provides the e-commerce platform with their personal data, the e-commerce platform would be able to rely on deemed consent by contractual necessity to disclose the individual’s personal data to the delivery company, and the delivery company would be able to rely on deemed consent by contractual necessity to collect, use or further disclose personal data where reasonably necessary to fulfil the transaction between the individual and the e-commerce platform (e.g., subcontractors in the entire delivery chain).
Deemed consent by notification
Deemed consent by notification permits collection, use and disclosure of personal data by notification if the individual does not opt-out. There are conditions to be met should an organization rely on deemed consent by notification, including the conducting of an assessment to eliminate or mitigate adverse effects (see our earlier client alert).
This new provision is useful for organizations that wish to use or disclose existing personal data for secondary purposes that are different from primary purposes, and are unable to rely on any of the exceptions to consent for the intended secondary use. In particular, consent by notification is particularly useful where the organization may not have a direct relationship or method to obtain consent from the individual, or it is impractical to obtain opt-in consent from all individuals.
The Guidelines illustrate that deemed consent by notification can be relied upon by a hotel chain to disclose personal data of its members to travel website companies to develop online travel resources and customized travel packages, if it assesses that there is likely to be no adverse effect on its members with respect to the disclosure of personal data and that emailing members of the intended disclosure of personal data is an appropriate and effective way of notifying its members (with a hyperlink provided in the email for members to opt out).
The Guidelines also illustrate what may be considered to be insufficient notification. In an example, placing notifications at the exhibition venue to inform visitors that facial images and movement data will be collected by the sensors would not be sufficient, as there is no reasonable timeframe for visitors to opt out from the use of their data. However, this does not rule out that notification may have been adequate if the participants had been notified beforehand.
Deemed consent by notification cannot be relied upon by an organization in the sending of direct marketing messages.
An organization may also wish to rely on the assessment checklist for deemed consent by notification issued by the PDPC here.
Mandatory data breach notification
A data breach is notifiable if it is likely to result in significant harm or is of significant scale (see our earlier client alert). The Act permits the prescription of circumstances under which a data breach will be deemed to be of significant scale or result in significant harm. The Guidelines state that significant harm is presumed if the following categories of personal data is involved:
- An individual’s full name or full national identification number in combination with any of the following personal data:
- financial information that is not publicly disclosed, including salary/remuneration, loan/credit history, credit report
- life/health insurance information that is not publicly disclosed, including claims appeals
- specified medical information, including any assessment, diagnosis, treatment, prevention or alleviation by a medical professional of an ailment, condition, disability, disease or disorder, or an injury affecting any part of the human body or mind
- information leading to identification of a vulnerable adult, child or young person who is the subject of an investigation or relating to court proceedings involving a child and young person, including information on places of temporary care and protection or places of safety
- private key used to authenticate or sign an electronic record or transaction
- An individual’s account information in combination with any required biometric data, security code, access code, password or answer to security question used to permit access to or use of the account, where the account can be subsequently misused for fraudulent transactions or to access any information mentioned in (a) above.
Defenses to egregious offenses
The Guidelines provide further information on the defenses to egregious offenses provided in the Act. The defenses set out in the Act cover instances of authorized conduct and reasonable belief, as well as publicly available information.
The Guidelines additionally illustrate the application of these defenses to employees or service providers. In addition, the Guidelines provide additional defenses that are intended to be prescribed in relation to offense of unauthorized re-identification of anonymized information, as follows:
- testing the effectiveness of the anonymization of personal data in the possession or under the control of an organization or public agency
- testing the integrity and confidentiality of anonymized information in the possession or under the control of an organization or public agency
- assessing, testing or evaluating the systems and processes of an organization or public agency for ensuring or safeguarding the integrity and confidentiality of anonymized information in the possession or under the control of the organization, or transmitted or received by the organization or public agency
The illustrations in the Guidelines suggest that these additional defenses are intended to provide comfort to persons who may need have legitimate reasons for re-identifying anonymized data sets in the course of their work. This includes data professionals (e.g., cybersecurity specialists and data scientists); service providers engaged to recover data from anonymized data sets; researches, teachers and academics who need to re-identify anonymized data as part of their research work; and white-hat hackers.
Other notable elaboration of the Act in the Guidelines are as follows:
- Legitimate interest exception to consent
The Guidelines provide further guidance on the considerations on how to make an assessment of the adverse effects, and to ensure that the legitimate interest outweighs any adverse effects. An organization may also wish to rely on the assessment checklist for the legitimate interest exception to consent issued by the PDPC here.
Fraud detection and prevention is one scenario identified in the Guidelines where the legitimate interest exception to consent may be relied upon, and an example of when this exception may be preferable instead to the legal necessity exception and consent (which may be relatively limited or inadequate).
- Business improvement exception to consent
The Guidelines provide further guidance on the application of sharing within the organization for business improvement purposes.
To illustrate, a restaurant and supermarket belong to the same group of companies. In order to rely on the business improvement exception to share personal data with the restaurant, the supermarket must ensure that the personal data disclosed relates to individuals who are the supermarket’s customers and the restaurant’s customers or prospective customers. The supermarket can only share personal data of its customers who are also customers of the restaurant or who sign up to receive the restaurant’s marketing information. There should also be an agreement between the supermarket and the restaurant that requires the restaurant to implement and maintain appropriate safeguards for the personal data shared.
- Penalty framework
The Guidelines provide the factors for consideration in determining a financial penalty to be imposed in the event that there is a breach of the PDPA (see our earlier client alert).