Key amendments to the Singapore Personal Data Protection Act take into account technological advances, new business models, and global developments in data protection legislation, and will have an effect on healthcare providers. Financial penalties for breaches will increase as of October 1, 2022.
The Personal Data Protection (Amendment) Act 2020, which amends the Personal Data Protection Act 2012 (PDPA), came into effect in phases as of February 1, 2021. The PDPA amendments are some of the most significant since it first became effective in July 2014.
KEY PROPOSED AMENDMENTS
Amendments that became effective on February 1, 2021, include the following:
- Introduction of a mandatory data breach notification requirement
- Expansion of the scope of deemed consent
- Inclusion of additional exceptions to express consent
- Introduction of criminal offenses
Commencing October 1, 2022, the maximum financial penalty for breaches of the PDPA will also be increased.
MANDATORY DATA BREACH NOTIFICATION
Prior to the amendments, although the Personal Data Protection Commission (PDPC) encouraged organizations to make voluntary notifications upon the occurrence of a data breach, there was no mandatory obligation under the PDPA for organizations to notify data breaches to the PDPC and/or affected individuals.
Following the amendments to the PDPA, it is now mandatory for organizations to report notifiable data breaches.
- Organizations are required to notify the PDPC and affected individuals if the data breach results in, or is likely to result in, significant harm to the affected individuals. A data breach is deemed to cause or be likely to cause “significant harm” if the compromised personal data belongs to certain classes of sensitive personal data, including an individual’s full name, full identification number, banking/financial information, life or health insurance information, and certain specified medical information by a medical professional.
- Organizations are required to notify the PDPC if there is a data breach of a significant scale (i.e., data breaches affecting 500 or more individuals), with some exceptions, such as where the organization has taken remedial action, where the compromised personal data is subject to technological protection such that the breach is unlikely to result in significant harm to the affected individuals, or where the organization is instructed by law enforcement agencies or the PDPC not to notify individuals.
Where an organization has reason to believe that a data breach has occurred, it must conduct, in a reasonable and expeditious manner, an assessment as to whether it is a data breach requiring notification.
If the notification criteria are met, the organization must notify the PDPC as soon as practicable, but no later than 72 hours after the organization has made an assessment that a data breach requiring notification has occurred, and must notify the affected individuals as soon as practicable.
EXPANDED SCOPE OF DEEMED CONSENT
To facilitate the collection, use, or disclosure of personal data for legitimate interests and business purposes, in particular where there are wider public or systemic benefits, the amendments to the PDPA expand the scope of “deemed consent” under the PDPA and introduce new exceptions to the requirement to obtain consent from individuals before collecting, using, or disclosing their personal data.
The scope of “deemed consent” has been expanded following the amendments to the PDPA to cover these circumstances:
- Deemed consent by contractual necessity: Where the collection, use, or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction.
- Deemed consent by notification: Where individuals have been notified of the purpose of the intended collection, use, or disclosure of their personal data and are given a reasonable opportunity to opt out (and have not opted out).
EXCEPTIONS TO EXPRESS CONSENT
Organizations are now also permitted to collect, use, or disclose personal data without having to obtain consent from the individuals in two additional circumstances:
- Legitimate interest exception: Where it is in the legitimate interests of the organization and the benefit to the public is greater than any adverse effect on the individual.
- Business improvement purposes exception: Where it is for business improvement purposes (e.g., for operational efficiency and service improvements, developing or enhancing products or services, knowing the organization’s customers). It is also intended that this exception will apply to the collection, use, and disclosure of personal data by related corporations within a group, with additional safeguards and conditions to be satisfied.
PERSONAL LIABILITY FOR MISHANDLING OF PERSONAL DATA
Three new offenses were introduced to hold individuals responsible for knowingly or recklessly committing any unauthorized disclosure of personal data, using personal data for wrongful gain or causing a wrongful loss to any person, or re-identifying anonymized data. These offenses are punishable on conviction by a fine not exceeding SGD 5,000 (approximately $3,600), imprisonment not exceeding two years, or both.
INCREASE IN FINANCIAL PENALTY CAP
Previously, the maximum financial penalty for a breach of the provisions of the PDPA was SGD 1 million (approximately $726,070). The maximum financial penalty has been increased under the amendments to the PDPA to (1) up to 10% of an organization’s annual turnover in Singapore; or (2) SGD 1 million, whichever is higher, to act as a stronger deterrent.
OTHER UPCOMING CHANGES
The amendments to the PDPA also introduce a new data portability obligation. While the introduction of this new data portability obligation has already been passed by the Singapore Parliament, it is not yet in force.
Under the new data portability obligation, an organization must, at the request of an individual, transmit his or her personal data that is in the organization’s possession or under its control to another organization in a commonly used machine-readable format.
There will, however, be exceptions to the data portability obligation. For example, the obligation only applies to data that is provided by the individual or data about the individual created in the course of the individual’s use of the relevant product or service. Data that is derived by the organization in the course of business from other personal data will not be covered. The individual exercising the right must also have an existing, direct relationship with the organization, the data must be in electronic form, and the receiving organization must generally have a presence in Singapore.
The rationale for the new data portability obligation is that it will provide consumers with greater autonomy over their personal data, enable consumers to switch to new service providers more easily, and support the development of new and innovative services or applications as organizations will have more access to data.
IMPLICATIONS FOR THE HEALTHCARE SECTOR
- Healthcare providers will need to take note of the mandatory data breach notification obligation that has been introduced. Healthcare providers typically handle a high volume of sensitive personal data, including medical data and insurance information. A data breach involving certain classes of medical data and insurance information is deemed to be a data breach causing, or likely to cause, significant harm, and thus constitutes a breach requiring notification. Moreover, given the number of patients a healthcare organization handles, it is very possible that any data breach involving a healthcare organization would affect 500 or more individuals, which would also make it a notifiable breach.
- Healthcare providers should ensure that they have robust data breach plans in place, including protocols to handle data breaches and assessment procedures to determine if a data breach is notifiable and, if so, to ensure that the PDPC and/or the relevant individuals are notified within the prescribed timelines. Healthcare providers should also ensure that they take remedial action promptly in order to contain the data breach as soon as possible and mitigate the effects of the data breach. The PDPC will take such remedial actions into account when assessing the penalties to be imposed in the event of a breach of the PDPA provisions.
- Healthcare providers should also review their existing personal data and data retention policies and update them to incorporate the new requirements relating to consent. While the scope of deemed consent has been widened and new exceptions to the need to obtain express consent have been introduced, and while the PDPA permits the collection of personal data without consent if necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual, it would still be prudent to ensure that express consent is obtained for all collection, use, and/or disclosure of personal data of patients (where possible), so as to reduce or eliminate the need to rely on deemed consent or exceptions to express consent. If deemed consent or an exception to express consent is relied on, a clear assessment supporting the collection of personal data without consent should be carried out, supported, and documented.
- Healthcare providers that use data intermediaries should also review existing data transfer agreements or data processing agreements to ensure they contain the necessary contractual protections, including appropriate warranties and obligations, to protect the healthcare provider in the event of a data breach. For example, data intermediaries should be required to notify the healthcare provider promptly in the event it is aware of any data breach so that the healthcare provider may comply with its mandatory data breach notification obligations under the amended PDPA.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
*A solicitor of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP