In January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) would take effect from 1 February 2021 (see the PDPC's announcement and the gazetted Commencement Notification). This legal update provides a high-level summary of the PDPA Amendments that have now taken effect.
The changes introduced by the PDPA Amendments to the Personal Data Protection Act 2012 (the PDPA) are the most significant since the PDPA first came into force on 1 July 2014. Our earlier blog post, Singapore tables changes to the Personal Data Protection Act in Parliament, discusses the key changes introduced by the PDPA Amendments in more detail.
The PDPA Amendments will take effect in phases, with the following three key changes taking effect from 1 February 2021:
Mandatory data breach notification: Organisations must notify the PDPC of any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale (i.e., affects the personal data of 500 or more individuals). Affected individuals must also be notified where the data breach is likely to result in significant harm to them; a breach that is notifiable on scale alone need only be notified to the PDPC.
Prescribed personal data or classes of personal data deemed to result in significant harm: The Personal Data Protection (Notification of Data Breaches) Regulations 2021 (Regulations on Notification of Data Breaches) set out a prescribed list of personal data, or classes of personal data, that is deemed to result in significant harm to affected individuals if compromised in a data breach (for example, authentication data relating to an individual's account with an organisation, credit card information, bank account numbers, an individual's creditworthiness, and salary information). A breach involving any of these categories is notifiable to both the PDPC and the affected individuals without a separate harm assessment.
Timeframes for notification: Notifications to the PDPC must be made as soon as is practicable, and in any case no later than 3 calendar days after the day on which the organisation assesses that a data breach is a notifiable data breach. Note that the 3-day clock runs from the completion of that assessment, not from the discovery of the breach; the PDPA separately requires the organisation to carry out the assessment in a reasonable and expeditious manner. Notifications to affected individuals must be made as soon as practicable, either at the same time as or after the notification to the PDPC.
Information required: The Regulations on Notification of Data Breaches prescribe the minimum information that a notification to the PDPC, and a notification to affected individuals, must contain.
Introduction of offences concerning mishandling of personal data by individuals: Individuals will be held accountable for egregious mishandling of personal data through the introduction of new criminal offences: (i) knowing or reckless unauthorised disclosure of personal data; (ii) knowing or reckless unauthorised use of personal data for a wrongful gain or to cause a wrongful loss to any person; and (iii) knowing or reckless unauthorised re-identification of anonymised data. An individual convicted of any of these offences is liable to a fine not exceeding S$5,000, imprisonment for a term not exceeding 2 years, or both.
Expansion of consent framework: New provisions introduce deemed consent by contractual necessity and deemed consent by notification, allowing organisations to collect, use and disclose personal data in those circumstances without obtaining express consent. In addition, new legitimate interests and business improvement exceptions to consent have been introduced, the business asset transaction exception has been broadened, and the research exception has been amended to support data innovation efforts. The expansions to the consent framework are accompanied by corresponding accountability requirements, such as the assessments and notices an organisation must prepare before relying on them.