Personal Data Protection Commission publishes Public Consultation on Review of the Personal Data Protection Act

The Personal Data Protection Commission (PDPC) has commenced a public consultation on its proposals to amend the Personal Data Protection Act (PDPA) in two key areas: enhancing the framework for collection, use and disclosure of personal data and introducing mandatory breach notification requirements in certain circumstances.

The proposals, which are not yet available in the form of draft legislation, are aimed at ensuring that the PDPA remains relevant, having regard to technological advances and global developments and continues to safeguard consumers’ interests and personal data, while still allowing businesses to innovate.

Enhanced Framework for Collection, Use and Disclosure of Personal Data

The PDPC recognises the importance of data for innovation and growth.  It also recognises that in certain situations it may not be practical for organisations to seek individuals’ consent when collecting or using data, or to attempt to identify the individuals in order to seek their consent for every new purpose. 

Under the PDPC’s proposals, consent would continue to be “a key basis for collecting, using and disclosing personal data”.  Individuals’ consent should still be obtained where it is practical, in particular where individuals could be subject to any adverse effect or risk.  

However, the PDPA exceptions to the consent requirement would also be expanded to cover situations where obtaining consent is not practicable or desirable and where the public would benefit from the collection, use or disclosure of personal data.

The proposals identify the following additional grounds for collecting, using or disclosing personal data without individuals’ consent:

1. Notification of Purpose – Individuals are notified of the purpose for collecting, using or disclosing their personal data in the case where it would be impractical for the organisation to obtain consent and the collection, use or disclosure of data is not expected to have any adverse impact on the individuals concerned. 

2. Legal or Business Purpose – There is a legal or business purpose for collecting, using or disclosing data (e.g., to prevent fraud) and there are reasons for not relying on Notification of Purpose.  It must not be desirable or appropriate to obtain individuals’ consent and there must clearly be more benefit to the public than adverse impact or risk to individuals.

Under both proposed additional exceptions, organisations will be required to conduct risk and impact assessments and implement measures to mitigate the risks to the individual.

Data Breach Notification

Organisations are currently not obligated to notify the PDPC or affected individuals of any data breaches that might cause public concern or harm to affected individuals.  Citing practices adopted in other common law jurisdictions and the need to strengthen protection for individuals and build confidence in organisations’ management and protection of personal data, the PDPC proposes establishing a mandatory data breach notification regime under the PDPA.

The proposed framework would include the following criteria for notification to affected individuals and/or the PDPC of a data breach:

1. Risk of impact or harm to affected individuals – Organisations would be required to notify affected individuals (as soon as practicable) and the PDPC (as soon as practicable and no later than 72 hours after becoming aware of the breach) of data breaches that pose any risk of impact or harm to affected individuals.  Such situations might include breaches involving NRIC numbers or health or other sensitive information.

2. Significant scale of breach – Where the scale of the data breach is significant (even if it does not pose any risk of impact or harm), an organisation would be required to notify the PDPC (as soon as practicable and no later than 72 hours after becoming aware of the breach).  The PDPC envisages that data breaches involving 500 or more affected individuals would be considered of a significant scale requiring notification to the PDPC.

It is proposed that the data breach notification requirements under the PDPA will apply concurrently with data breach notification requirements under other laws and sectoral regulations.

If an organisation’s data intermediary experienced a data breach, the PDPC proposes that the data intermediary should immediately inform the organisation (regardless of the risk of harm or scale of impact), at which point the proposed notification framework outlined above would be triggered.

Certain exclusions from the breach notification requirements are proposed.  For instance, it will not be mandatory to notify affected individuals where such notification is likely to impede law enforcement investigations or where the breached personal data is encrypted to a reasonable standard.

Organisations should review their data protection policies and procedures to assess whether additional measures would need to be developed and implemented to comply with the proposed amendments to the PDPA. 

The public consultation is due to close on 21 September 2017.  A copy of the consultation paper is available here.