PDPC & affected people must be informed if data breach is likely to cause significant harm: S Iswaran

WP MP Gerald Giam also raised the question of why it was necessary to have a different set of data protection laws for both the government and private sectors.

Matthias Ang | November 02, 2020, 10:03 PM

A data breach that affects more than 500 people will be considered 'significant' in scale, under amendments to the Personal Data Protection Act (PDPA).

Should such a breach happen, organisations must notify the Personal Data Protection Commission (PDPC).

Organisations must also notify both the PDPC and affected individuals if the breach is likely to result in significant harm to those affected.

Speaking in Parliament on Nov. 2, at the second reading of the Amendments Bill to the PDPA, Minister for Communications and Information, S Iswaran, stated:

"This places the onus on organisations to assess the scale and impact of data breaches, ensures they are duly accountable to individuals for the personal data in their care, and empowers individuals to take timely measures to protect themselves if a data breach occurs."

New offences to be set out for accountability

Iswaran added that new offences for the mishandling of data will also be set out to enhance accountability.

Such offences include:

  • The disclosure of personal data,
  • The use of such data which results in personal gain for the offender or another party, or harm or loss to another person,
  • The re-identification of anonymised information.

In clarifying the scope and aim of the offences, Iswaran said:

"While the primary responsibility and liability for breaches of the PDPA rest with organisations, these new offences are aimed at individuals who know that their actions are not authorised or who act recklessly."

The Minister further noted that related amendments will also be made to the Public Sector (Governance) Act and the Monetary Authority of Singapore Act, so as to align the public and private sector data regimes.

WP MP Gerald Giam: Why not a universal set of data laws for both public and private sectors?

This raised a question from Workers' Party MP Gerald Giam in his speech on the Amendments Bill: Why not implement a universal set of data protection laws for both the government and private sectors?

Here, Giam noted:

"The PDPA specifically exempts the government from having to comply with it. The government has explained that this is because it has its own set of data privacy standards, which are set out in the Public Sector (Governance) Act (PSGA), the Official Secrets Act (OSA), the Banking Act, the Income Tax Act (ITA), the Statistics Act and the Instruction Manual 8 (IM8), among others."

Giam then argued, "Having public data controllers governed by a hodgepodge of separate legislation is likely to lead to differing standards and gaps in coverage."

In addition, the lack of a single set of rules for privacy leaves individual data owners unclear as to what level of personal data protection they are entitled to.

The regulations for government also pertain mainly to internal checks on the government ministries and agencies, and punitive consequences for individual officers, he said.

"A citizen who has incurred damages as a result of a data breach by a government agency has little recourse to pursue civil remedies against that agency. The PDPA, on the other hand, grants such recourse against offending organisations. This could be seen as a lower threshold of accountability on the part of the government should these breaches occur."

PAP MP Janil Puthucheary: Necessary to separate data protection laws for private and public sectors

In response, PAP MP Janil Puthucheary stated, "We believe the standards for government should be as high, if not higher than for the private sector."

On this point, Janil clarified that the PDPA was not the equivalent of the PSGA and the other aforementioned acts combined.

Rather, the equivalence is between the PDPA and PSGA only, with the other laws coming on top of the PSGA, "governing and controlling behaviour within specific domains," he added.

As for why it was necessary to have a different set of data protection laws for the government and private sectors, Janil said:

"We believe that we need these two approaches, because government is not a private company, nor should it behave as such, and you cannot expect a private company to behave like government.

Mr. Giam goes on about the burdens that he felt as a civil servant. If the private SMEs had to comply with all the regulations that he had to struggle with as a civil servant, they would not be able to do business in quite the same way. And perhaps innovation, the ease of customer relations, the ease of coming up with new products would be impeded."

Top image screenshot collage from CNA