Overview of the Amendments to the Singapore Personal Data Protection Act and Spam Control Act

22/11/2020



The proposed amendments to the Personal Data Protection Act (PDPA), intended to address the needs of Singapore’s evolving digital economy, and the related amendments to the Spam Control Act (SCA) were passed by Parliament on 2 November 2020.


Some of the key changes are:


Introduction of the accountability principle – the shift towards an accountability-based approach is in line with international trends and best practices in data protection laws.


Mandatory data breach notification - organisations must notify the PDPC about data breaches that are of significant scale. In addition, organisations must notify both the PDPC and the affected individuals when the data breaches result, or are likely to result, in significant harm to individuals.


Exclusion for agents of the Government removed, and egregious mishandling of personal data criminalised – private-sector organisations are subject to the PDPA even when they are acting on behalf of public agencies. Clause 22 sets out new offences for (a) unauthorised disclosure of personal data; (b) unauthorised use of personal data that results in personal gain for the offender or another person, or in harm or loss to another person; and (c) re-identification of anonymised information.


Statutory undertakings – the Personal Data Protection Commission (PDPC) may, in lieu of a full investigation, accept written voluntary undertakings from organisations to remedy breaches and prevent their recurrence. For example, such undertakings may be accepted when organisations with effective monitoring and breach management systems notify the PDPC of a data breach, and undertake in writing to implement their breach management plan.


Strengthening the PDPC’s enforcement powers – the PDPC may now require the attendance of an individual or employee to give statements and produce documents that are relevant to the investigation.


Increased financial penalty cap for organisations – up to 10% of an organisation’s annual turnover in Singapore (for organisations whose annual turnover in Singapore exceeds S$10 million) or S$1 million, whichever is higher.


Enforcing Do Not Call (DNC) provisions under a civil administrative regime, and prohibiting the use of dictionary attacks and address-harvesting software when sending messages to telephone numbers.


Deemed consent for contractual performance – organisations relying on deemed consent for contractual necessity can only collect, use and disclose personal data where it is reasonably necessary to fulfil the contract with the individual.


Legitimate interest exception – organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual. To ensure transparency, organisations must disclose when they rely on this exception.


Business improvement exception – organisations may use personal data for business improvement purposes, including: (a) operational efficiency and service improvements; (b) developing or enhancing products or services; and (c) knowing the organisation’s customers. As a safeguard, this exception can be relied upon only for purposes that a reasonable person would consider appropriate in the circumstances, and only where the purpose cannot be achieved without the use of the personal data.


Deemed consent by notification – before collecting, using or disclosing any personal data about an individual, organisations must conduct an assessment to determine that the proposed collection, use or disclosure is not likely to have an adverse effect on the individual. In addition, they must take reasonable steps to bring the following information to the individual’s attention: the organisation’s intention to collect, use or disclose the personal data; the purpose for which the personal data will be collected, used or disclosed; and a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that he or she does not consent to the proposed collection, use or disclosure.


Data Portability Obligation – individuals can request that a copy of their personal data be transmitted to another organisation.


The press release is available here and the Opening speech of the Minister for Communications and Information can be accessed here.


Photo by Kaboompics .com from Pexels.