Changes To PDPA: Situations When Companies Are Allowed To Collect Or Disclose Data

Since the Personal Data Protection Act (PDPA) was enacted in 2012, no amendments had been made to it until early this month. On Nov 2, Parliament passed the Personal Data Protection (Amendment) Act 2020. It is the first comprehensive review of the PDPA since 2012, and the changes are significant for both businesses and consumers.

This amendment allows organisations to use data without consent in more cases, but also includes stiffer penalties for data breaches.

Three new exceptions to the consent requirement have been introduced, allowing organisations to collect, use or disclose personal data without consent in the following situations:

#1 Legitimate Interests

Organisations will be allowed to use data without consent where there are larger public or systemic benefits and/or where obtaining individuals’ consent may not be appropriate. Examples of legitimate interests include instances of fraud or money laundering, threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services.

However, firms must conduct a risk and impact assessment, and disclose their reliance on this exception, such as in an external-facing policy or agreement. Businesses cannot rely on this exception to carry out direct marketing without consent.

#2 Business Improvements

This exception applies if an organisation wishes to know more about its customers, including prospective customers, in order to improve operational efficiency and services, or to develop or enhance products and services. This exception also applies to a group of companies, including its subsidiaries. However, certain conditions must be met in order to rely on it:

– It must not be relied on to collect, use or disclose personal data for the purpose of sending direct marketing messages;

– The personal data disclosed must relate to an individual who is a customer of both the disclosing and collecting organisation; and

– The use of personal data must be what a reasonable person would consider appropriate in the circumstances.

#3 Enhanced Research & Development

To facilitate R&D for businesses, the requirements for using personal data for research without consent will be eased, subject to certain conditions:

– The research must have a clear public benefit;

– It must not have an adverse effect on individuals; and

– Its results must not be published in a form that identifies any individual.

This exception might apply to institutes carrying out scientific research and development, or arts and social science research, or to market research aimed at understanding potential customer segments. However, disclosure for research purposes will continue to be subject to stringent restrictions, such as being able to prove that it is impracticable to obtain consent.


Business owners should also take note that the definition of deemed consent has been expanded. It now includes deemed consent by contractual necessity, where data processing is reasonably necessary to perform a contract. An example is when a customer provides their address when ordering an item online and the address is then passed to the logistics provider for delivery.

Deemed consent has also been expanded to include deemed consent by notification, where organisations notify their customers of a new purpose for their data and allow them a reasonable time to opt out, after which they may still withdraw consent. However, companies must not rely on the notification and opt-out ground for direct marketing.

Heavy Fines For Data Breaches And Compulsory Reporting

Besides the changes to how an organisation may collect and use data, another key change in the Bill is a larger financial penalty for breaches. It is also now compulsory for organisations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).

Companies with an annual turnover exceeding S$10 million can now be fined up to 10 per cent of their annual turnover in Singapore, or S$1 million, whichever is higher. Previously, the maximum fine was S$1 million.

Before the amendment Bill was passed, companies did not need to notify any party of a data breach. Under the PDPA changes introduced recently, firms are now required by law to notify the PDPC if a breach is likely to result in significant harm to the individuals whose personal data is affected, or if the breach affects more than 500 individuals.

If a breach occurs and is assessed to be one that is likely to result in significant harm, the organisation must notify the affected individuals without delay. Organisations must also inform the PDPC no later than three calendar days after determining that the breach meets the notification criteria; any unreasonable delay will itself constitute a breach of the notification requirement. The PDPC must be notified before, or at the same time as, the affected individuals, never after.

According to the amended PDPA, there are exceptions to the mandatory data breach notification requirement. These include situations where significant harm is unlikely to occur or where organisations are instructed not to notify individuals by law enforcement agencies or the PDPC.

New Offences For Mishandling Of Personal Data

Individuals will now be held personally accountable for mishandling personal data on behalf of an organisation or public agency. It is an offence for employees to knowingly or recklessly disclose personal data, or to use it for wrongful gain or to cause wrongful loss to any person.

What Should Businesses Do Now?

Now that organisations will be held to a higher standard of accountability, the onus is on business owners to ensure their internal data protection and cybersecurity policies are updated accordingly. Organisations should also keep monitoring developments in both the technical and legal requirements.

Current policies on consent should be assessed and revised or updated. Companies that engage in telemarketing or send marketing emails must now comply with these updated requirements or risk a financial penalty.
