More bite for data privacy soon

Public consultation on proposed changes to Personal Data Protection Act launched

The law on personal data may soon be revised to keep it in step with the rapidly changing digital landscape.

On the one hand, organisations that see any breach of personal data may not be allowed to stay silent on it, as it could be made mandatory for them to inform the affected customers as well as the privacy commission.

This is to deepen trust in the growing digital economy.

On the other hand, there is a proposal to cut some slack for businesses and allow them to collect and use the personal data of consumers without their consent, if it is impractical to secure such permission.

This will especially benefit those in the Internet of Things (IoT) business - the next big technological revolution in which home devices like security cameras and fridges are connected to the Web.

Some of these moves by the Personal Data Protection Commission (PDPC) follow the lead of mature jurisdictions in the US, Canada and Australia.

Launching a public consultation on the proposed changes to the Personal Data Protection Act three years after it fully kicked in, Minister for Communications and Information Yaacob Ibrahim said yesterday: "In the event of data loss or breaches, it is important that individuals' interests are protected."

Dr Yaacob added that notifying consumers would allow them to take steps such as changing a leaked password or cancelling a compromised credit card to protect themselves.

Consumers must be notified as soon as the breach is discovered, though it may not be necessary to inform them if the data is encrypted.

"This is to prevent notice fatigue due to over-communication," said Mastercard's senior managing counsel, Derek Ho.

If the breach involves 500 or more individuals, the PDPC must be told within 72 hours so that it can manage breaches at the national level.

And if critical infrastructure - including the energy, telecommunications and transport sectors - is involved in the breach, the Cyber Security Agency must also be informed.

Speaking at Singapore's fifth Personal Data Protection Seminar yesterday, where the proposed changes were flagged, Mr Tan Kiat How, Singapore's privacy commissioner, said that the PDPC has taken enforcement action against 300 organisations to date over data breaches.

Most received an advisory notice, though tougher action was taken in 30 serious cases.

The proposed changes will also allow organisations to share blacklists in order to prevent abuse.

For example, if financial or telecommunications firms want to share data among themselves of customers with bad payment track records, they will not be required to seek customers' consent.

Firms will also be allowed to collect and analyse the vast amount of data that flows from IoT devices without consumers' go-ahead, if they need this to improve services or the user experience.

In all such cases, the businesses must be able to prove that the consumer is not harmed in any way and the data is not abused.

The public consultation will end on Sept 21.