Skip to main content

Advertisement

Advertisement

Informing customers of breaches among proposed PDPA changes

SINGAPORE — Under a slew of proposed changes to the Personal Data Protection Act (PDPA), companies would have to notify customers as soon as possible if their data — such as NRIC numbers, credit card information or passwords — had been compromised.

Minister for Communications and Information Dr Yaacob Ibrahim announcing a proposed review of the Personal Data Protection Act at the Personal Data Protection Seminar on Thursday (Jul 27). Photo: Tan Weizhen/TODAY

Minister for Communications and Information Dr Yaacob Ibrahim announcing a proposed review of the Personal Data Protection Act at the Personal Data Protection Seminar on Thursday (Jul 27). Photo: Tan Weizhen/TODAY

Follow TODAY on WhatsApp

SINGAPORE — Under a slew of proposed changes to the Personal Data Protection Act (PDPA), companies would have to notify customers as soon as possible if their data — such as NRIC numbers, credit card information or passwords — had been compromised.

Businesses would have to inform the Personal Data Protection Commission (PDPC) within 72 hours if they were hit by significant data breaches — when personal data of 500 or more consumers has been compromised.

In the first major review of the Act, which came into effect in 2014, they could also be allowed to use consumers’ personal data without getting their consent in certain cases.

This and other proposals were put up for public consultation on Thursday (July 27).

The PDPA currently requires an individual’s consent if an organisation wants to collect their personal data.

Announcing the review at the Personal Data Protection Seminar on Thursday, Minister for Communications and Information Yaacob Ibrahim said the PDPA was crafted in an era when “the majority of data was provided by users who fill in their personal particulars via physical and online forms”. 

“Today, data can be generated and mined through online activities and transactions,” he told the seminar at Sands Expo and Convention Centre.

Under the proposals, if companies wish to use customer data for legal or business purposes in situations where it is not appropriate to get their consent, they can do so provided it will be of “larger benefit to the public”.

For example, bicycle-sharing services may want to share, among themselves, data of customers with a track record of misusing or damaging bikes.

In cases when it is impractical to get consent, firms could use customer data provided it caused no “harm” to them, such as leading to calls or spam. 

For example, a developer of web-connected devices, like a smartwatch, may want to analyse users’ data to improve its services, but might not be able to get consent through the smartwatch interface. Under the proposals, it would be allowed to do so as long as it did not harm the consumers.

The proposed rules would just require the businesses to notify customers in any manner of their choosing, such as via their websites.

Mr Bryan Tan, of law firm Pinsent Masons, said the proposals offer “a more graduated approach”, adding: “It is a more refined way of giving businesses more options.”

On whether the criteria that businesses would have to meet before doing away with customers’ consent are sufficiently watertight, Mr Tan said the onus would lie on businesses to make that judgment — for example, whether customers would suffer harm as a result.

However, Mr Jack Ow, intellectual property & technology partner at RHTLaw Taylor Wessing, believes that “harm” may be interpreted differently by different organisations: “It remains open as to how the standard of harm should be assessed, and if objectively assessed, on whose or what standards, principles and/or morality.”

The proposals are up for public consultation until Sept 21. The PDPC hopes to implement them by 2019.

Read more of the latest in

Advertisement

Advertisement

Stay in the know. Anytime. Anywhere.

Subscribe to get daily news updates, insights and must reads delivered straight to your inbox.

By clicking subscribe, I agree for my personal data to be used to send me TODAY newsletters, promotional offers and for research and analysis.