Personal Data Protection Act: A Primer for Businesses
By Sara Ng
Singapore ranked No. 6 in the world in 2022 for the number of databases exposed to the Internet, making those databases easy targets for attackers. This article discusses why businesses need to pay attention to personal data protection and what steps they can take to protect the data they hold.
What is Personal Data?
Personal data is any data, whether true or not, about an individual who can be identified:
(a) from that data alone; or
(b) from that data and other information to which the organisation has or is likely to have access.
Examples of personal data include names, addresses, e-mail addresses, personal identification numbers, photos, fingerprints, diagnostics, and biological material.
What is the Personal Data Protection Act (PDPA)?
The PDPA governs the collection, use, and disclosure of personal data by organisations in Singapore. It is designed to protect the rights of individuals over the use of their personal data while also recognising the need for organisations to collect, use, or disclose personal data for legitimate purposes.
The PDPA applies to personal data stored in both electronic and non-electronic formats. It does not apply to public agencies, to individuals acting in a personal or domestic capacity, or to organisations acting on behalf of public agencies. The PDPA also does not apply to the following categories of personal data:
1. Personal data contained in a record that has been in existence for at least 100 years.
2. Personal data about a deceased individual who has been dead for more than 10 years.
3. Business contact information, which is information not provided by an individual solely for personal purposes, such as name, title, work telephone number, business address, and business e-mail address. The data protection obligations of the PDPA do not apply to such information.
Obligations under the PDPA
The PDPA imposes a number of obligations on businesses, including:
- Obtaining consent from individuals before collecting, using, or disclosing their personal data
- Using personal data only for the purposes for which it was collected
- Taking steps to protect personal data from unauthorized access, use, or disclosure
- Allowing individuals to access and correct their personal data
- Disposing of personal data in a secure manner
Offences and Penalties
Organisations that violate the PDPA may be subject to financial penalties and other directions from the Personal Data Protection Commission (PDPC). Since 1 October 2022, the maximum financial penalty for breaching the data protection obligations (including the obligation to notify the PDPC of a notifiable data breach) is S$1 million or, for an organisation whose annual turnover in Singapore exceeds S$10 million, up to 10% of that turnover, whichever is higher.
The recent case of Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60 has also confirmed that emotional distress can qualify as loss or damage giving rise to a private right of action under the PDPA, although the mere loss of control of personal data is not, by itself, a recognised head of loss or damage.
Practical Issues
Here are some tips for businesses to safeguard personal data:
1. Implement a strong data protection policy and procedures. The policy should outline how the business collects, uses, discloses and stores personal data.
2. Use strong, unique passwords on devices and accounts, and enable multi-factor authentication where it is available.
3. Install anti-malware software and keep operating systems and applications patched.
4. Encrypt or password-protect e-mail attachments that contain personal data. The password should be communicated separately, through a different channel (for example by telephone or text message), never in the same e-mail or a follow-up e-mail.
5. Have cybersecurity insurance.
6. Dispose of personal data in a secure manner when it is no longer needed.
7. Conduct regular data protection audits to help identify and address any gaps in compliance.
8. Provide training to employees on data protection.
In the event of a data breach, businesses should take the following steps:
1. Contain the breach by reporting it to the data management team and conducting an initial assessment to determine the severity of the breach, its cause, whether it is ongoing, and the number of individuals and types of personal data affected.
2. Assess the breach by considering the sensitivity of the data, the presence of mitigating factors (such as data encryption), and the nature of the harm to individuals (if any).
3. Notify the PDPC if the breach is notifiable, that is, if it results in or is likely to result in significant harm to the affected individuals, or if it is of significant scale (affecting 500 or more individuals). The assessment of whether a breach is notifiable should be done expeditiously (the PDPC generally expects it to be completed within 30 days), and the PDPC must be notified as soon as practicable and no later than three calendar days after the organisation assesses that the breach is notifiable. Affected individuals must also be notified, as soon as practicable, where the breach is likely to result in significant harm to them, unless an exception applies (for example, where the compromised data was encrypted to a reasonable standard or remedial action has made significant harm unlikely).
4. Evaluate the breach by implementing remediation actions, identifying weaknesses, and evaluating the effectiveness of the response and any further corrective actions required.
By following these tips, businesses can help to protect their customers' personal data and comply with the PDPA. We have advised many clients on PDPA compliance and are available for consultation and engagement on such matters. If you would like to speak to a lawyer on this issue, please email us at info@covenantchambers.com.