The Personal Data Protection Act (PDPA) came into effect on 1 July 2014, and was developed with reference to international frameworks, namely the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) and the APEC Privacy Framework, and data protection laws of jurisdictions such as the European Union, the United Kingdom, Hong Kong, Canada, Australia and New Zealand.
In view of technological advances and global developments, such as Big Data, cybersecurity and cyberterrorism, Internet of Things and Artificial Intelligence, the Personal Data Protection Commission (PDPC) is considering other possible bases for collecting, using and disclosing personal data under the PDPA, as well as the need for mandatory data breach notifications to PDPC and affected individuals under the PDPA. The PDPC is also cognisant that there may be instances where consent is not desirable or appropriate, such as for detection of fraud or security threats.
The PDPC is therefore considering 2 main amendments to the PDPA:
- enhanced framework for the collection, use and disclosure of personal data (the “Enhanced Framework”); and
- mandatory data breach notification framework.
In this case, the Personal Data Protection Commission (PDPC) issued a warning to the organisation Executive Coach International Pte. Ltd. which provides life and executive coaching services to individual and corporate clients for breaching the Personal Data Protection Act (PDPA).
The organisation’s director disclosed an ex-employee’s personal history (her past drug problem and issue with infidelity in her amorous relationship) in a WhatsApp group chat comprising the ex-employee and the organisation’s other staff and volunteer trainees without the ex-employee’s consent and without notifying her of the purposes for the disclosure.
The organisation argued that the director had disclosed the personal data in his personal capacity. However, the PDPC found that the disclosure of personal data was made in the context of a dispute arising from the unamicable departure of the complainant from the organisation’s employment. The PDPC found that the director of the organisation was acting in the course of his employment as a director when he disclosed the complainant’s personal data. Therefore he cannot be said to have been acting in his personal capacity.
The Straits Times reported today that the Personal Data Protection Commission (PDPC), which is the government body under the Ministry of Communications and Information (MCI) responsible for enforcing Singapore’s Personal Data Protection Act 2012 (PDPA), announced that it is developing a local certification programme for data protection officers (DPOs).
Under the PDPA, all organisations which come under the scope of the Act are mandated to appoint data protection officers (DPOs). These officers may be employees or external consultants. The DPO has to ensure that the organisation is compliant with the PDPA.
Based on the PDPC’s survey of 1,513 organisations in March and June 2016, only about 40% of Singapore organisations have a DPO on their payroll.
While there is a foreign certification for data protection issued by the US-based International Association of Privacy Professionals, training for which is conducted by Straits Interactive, the PDPC hopes that the local certification will encourage more people to take up DPO certification, and give more recognition to the role of DPO. ST reports that “Experts estimate that there will be more than 10,000 DPO jobs here over the next three years.”
It is good for organisations to review their PDPA compliance and ensure they have a DPO appointed.
For individuals / employees / job-hunters, it is good to consider obtaining such DPO certification to boost one’s skill sets and qualification to meet the likely growing demand for DPO positions in the years to come.
For more information on PDPA compliance, visit http://www.singaporepdpa.com.
On 21 April 2016, the Personal Data Protection Commission (PDPC) issued a press release outlining its enforcement action against 11 organisations for breaches to the Personal Data Protection Act (PDPA).
The highlight penalty was a $50,000 fine and other directions meted out against karaoke chain K Box Entertainment Group Pte Ltd for not putting in place sufficient security measures to protect the personal data of 317,000 members (a list of the members’ details was uploaded onto a website), for inadequate data protection policies and for the absence of a Data Protection Officer (DPO). Its IT vendor in charge of managing its content management system, Finantech Holdings Pte Ltd, was also fined.
PDPA breaches can result in financial penalties, valuable work hours spent on investigation proceedings, loss of trust from one’s clients, and reputational harm.
Since the PDPA came into full effect in July 2014, the PDPC has received 667 complaints. 92% of these complaints were resolved through investigation and facilitation between the respective organisations and individuals.
In this article, I consider some key themes in the enforcement action cases highlighted in the 21 April 2016 press release.