Update on the New Guides Issued by the Personal Data Protection Commission (PDPC) of Singapore on 22 May 2019
Introduction
On 22 May 2019, the Personal Data Protection Commission and the Singapore Business Federation co-organised a seminar on “Know Ahead to Stay Ahead – Leadership’s Engagement in Data Protection” in conjunction with Privacy Awareness Week 2019. Our Firm’s Head of Practice in Cybersecurity, Privacy and Data Protection, K. K. Lim, was invited by the organisers to chair the Panel Discussion on the two new Guides issued that day, which are summarised below.
Guide on Active Enforcement
Background
The PDPC is empowered by the Personal Data Protection Act 2012 (“the Act”) to investigate data breaches and to enforce the Act in respect of them. A data breach incident is defined as the exposure of any personal data under the control or possession of a company through unauthorised access, collection, use, disclosure, copying, modification, disposal or any similar risk.
The objective of the Active Enforcement Framework (“Framework”)
The aim of this Guide is to provide a framework for how the Commission will exercise its powers in relation to the increasing number of data breach incidents (“Incident”). The Framework consists of the following four categories of enforcement action:
(a) Suspension or Discontinuation of Investigation
Under this category, the PDPC will either suspend or discontinue an investigation if the impact of the Incident is low. What is considered a “low impact” Incident is further spelt out in the attached Guide. For this category of enforcement action, an advisory is issued to the Company.
(b) Undertaking by the Company to PDPC
In this category, the company gives a written undertaking to the PDPC to voluntarily remedy the breach and to prevent its recurrence. The company should already have a ready “drawer plan” for data breach management in place. Whether to accept such an undertaking is at the PDPC’s discretion, and the conditions under which that discretion will not be exercised are further laid down in the Guide.
(c) Expedited Breach Decision
Where a breach has occurred and the company admits its liability upfront, the Commission may consider issuing an expedited breach decision to save time and expense. Where financial penalties are concerned, the Company’s admission will be taken into consideration.
(d) Full Investigation Process
In any Incident where many individuals are involved and the impact is judged to be high, the Commission may undertake a full investigation into the breach. The outcome will be one or a combination of the following: (i) a warning by the Commission; (ii) a direction issued by the Commission to the Company; (iii) a financial penalty imposed by the Commission; or (iv) a direction issued by the Commission together with a financial penalty imposed on the Company.
Guide to Managing Data Breaches 2.0
The Commission released the second Guide to advise companies on how to manage a data breach should one occur. The actions taken by a company should follow this sequence (“CARE”):
- Contain the data breach to prevent further compromise of personal data.
- Assess the nature and seriousness of the breach through the gathering of facts and, where necessary, take remedial action to prevent any harm to an individual.
- Report the breach to the Commission and/or the affected individuals.
- Evaluate the Company’s response to the data breach incident and steps to be taken to avoid future incidents.
This Guide also includes detailed examples of data breaches, together with specific discussion of: (i) possible causes of data breaches, such as malicious activities, human error and computer system errors; (ii) data breach notification to the Commission; and (iii) data breach notification to the affected individuals.
If there is a need for an urgent discussion, please contact the Partner who is servicing your Company and/or send an email to kklim@eversheds-harryelias.com, and a meeting will be arranged to discuss your specific concern(s).