Delivered in Parliament on 2 November 2020
Mr Deputy Speaker sir, the PDPA Bill seeks to update the original PDPA Act to strengthen data privacy protections and individual data autonomy, ensure greater accountability on the part of organizations and enhance the power of the PDPC.
I do not oppose the Bill and agree with the comments expressed by my Parliamentary colleagues Mr Gerald Giam and Mr Louis Chua Kheng Wee.
I shall focus my speech on just a few areas where I would like to pose technical clarifications and offer suggestions.
Mandatory data breach reporting guideline
Firstly, I would like to speak on the mandatory data breach reporting guideline.
I suggest that we could, in Section 26B, provide a clearer and more precise definition of “significant harm” to an individual that would warrant notification. In other words, it would be helpful if the government could provide a statutory definition or further guidance as to the factors to be taken into account in assessing the nature of the “harm” and any relevant thresholds before the PDPC would hold the view that “significant harm” has been occasioned, so that organisations have clarity in their assessment as to when a data breach will be considered a notifiable data breach. The definition provided in Section 26B sub-section 2 seems rather broad.
Also, on this point, allowing for exemption of organisations by the PDPC from notifying affected individuals of data breaches in the new Section 26D is problematic. In this clause, the obligation to notify affected individuals can be waived “subject to any conditions that the [PDPC] thinks fit”.
Given that such an overly broad “escape” clause may undermine the legal spirit of the mandatory data breach notification requirement, I would like to ask: what are the circumstances in which the government may activate this clause, and would the government consider tightening and carefully circumscribing the scope and use of this clause, to reduce any potential for abuse and the perception of arbitrariness?
New offences for individuals
Secondly, the amended Bill creates new offences to hold individuals accountable for egregious mishandling of personal data on behalf of an organisation or public agency.
The thrust of the PDPA is to hold businesses responsible such that risk can be treated as a business cost rather than something to be potentially placed on individual “scapegoats” who may have little bargaining power as employees.
With new offences for the unauthorised mishandling of personal data by individuals (including employees), there is the possibility that “scapegoating” may happen. Junior employees with lesser bargaining power may be held liable, while higher-ranked employees and the organisation itself may thereby face reduced accountability.
While the amendments spell out possible grounds of defence that the accused individual may take, has the government given some thought to what additional measures should be put in place to prevent such “scapegoating”?
“The right to be forgotten”
Thirdly, I would like to speak about what has been referred to, in the context of the GDPR, as the “right to be forgotten”.
I would suggest further extending the retention limitation obligations in the PDPA to align them with Article 17 of the GDPR, where individuals may interface with an organisation to request the deletion of data, and where withdrawal of consent may lead to an obligation to immediately delete personal data. Such an obligation does not seem to me to be overly onerous on businesses.
Sunrise period for SMEs
Fourthly, businesses, especially SMEs, sole proprietorships and some not-for-profit organizations, may experience difficulties in adhering to these new, more rigorous regulations.
I would like to ask when this Bill will come into effect, and whether the government would consider allowing for a transition or grace period?
Such a suggestion would be in line with:
- The previous 18-month transition period adopted before most of the substantive provisions of the PDPA took effect when it was enacted in 2012;
- The 2-year transition/sunrise period which was given when the GDPR was adopted in the European Union in 2016, during which time there was delayed enforcement so that organizations would have time to prepare.
During this transition period, the PDPC could consider providing greater support to SMEs and volunteer organizations in several respects.
Firstly, training of staff to understand the new requirements imposed, and guidance to introduce new processes and frameworks in compliance with these requirements.
- For instance, in the 2018 SingHealth data breach, the delay (of 28 days) in the reporting of the incident to senior management could be attributed to lack of staff training and absence of a reporting framework.
- Voluntary organisations, in particular, may benefit from such training as they may lack knowledge of these requirements. For instance, in 2019, Henry Park Primary School Parents’ Association was found by the PDPC to have been negligent in failing to make reasonable security arrangements to protect members’ personal data, and to appoint a Data Protection Officer.
Secondly, the PDPC could, in this transitional period, provide guidance and possibly subsidies for adopting compliant IT systems, to reduce the compliance burden on these organizations while encouraging good data protection practices.
This would be particularly helpful for SMEs and B2B (business-to-business) companies in Singapore, as they often store data in an unstructured way, using folders in an ad-hoc fashion. As such, if a data breach were to happen, the data review process could be particularly complex, time-consuming and costly for them.