18 February 2021
Singapore

The Personal Data Protection (Amendment) Act 2020, which amends the Personal Data Protection Act 2012 (“PDPA” or the “Act”), will take effect in phases commencing from 1 February 2021. The amendments to the PDPA are the most significant since the Act first came into force in July 2014.

Amendments that came into force on 1 February 2021 include:

  • mandatory data breach notification;
  • additional scenarios of deemed consent;
  • exceptions to express consent; and
  • personal liability for egregious mishandling of personal data.

As highlighted in our earlier legal alert, businesses should consider reviewing their personal data management procedures and internal training programmes to adjust to the new laws, so that they are well placed to meet their personal data protection obligations.

Mandatory data breach notification

Organisations are required to notify the Personal Data Protection Commission (“PDPC”) of any data breach that:

  • results or is likely to result in significant harm to the individuals who will be affected by such data breach; or
  • is of a significant scale (i.e. involving 500 or more individuals).

Organisations should also notify affected individuals if the data breach results in (or is likely to result in) significant harm to them, unless certain exceptions apply.

A notifiable data breach must be reported to the PDPC as soon as practicable within three calendar days after the assessment of harm caused by the data breach. Notifications to affected individuals must be made as soon as practicable, at the same time or after notifying the PDPC.

Additional scenarios of deemed consent and exceptions to express consent

The scope of deemed consent for the collection, use and disclosure of personal data has been expanded to include:

  • Deemed consent by contractual necessity – where it is reasonably necessary for the performance of a contract.
  • Deemed consent by notification – where the individual is notified of the intended purpose of the data processing and does not opt out within a reasonable period as provided by the organisation.

In addition, new exceptions to the consent requirements have been added to facilitate the obtaining of an individual’s consent, namely:

  • Legitimate interests exception – where the legitimate interests of the organisation to collect, use or disclose the personal data outweigh any adverse effect on the individual. Before relying on this exception, the organisation must conduct an assessment to identify any adverse effect on the individual and implement reasonable measures to mitigate such risk, and provide the individual with reasonable access to information about the intended data processing.
  • Business improvement purposes exception – an organisation may use personal data without consent for certain business improvement purposes such as developing products/services, operational efficiency and service improvements.

Personal liability for egregious mishandling of personal data

Three new offences were introduced to hold individuals responsible for egregious mishandling of personal data by unauthorised disclosure, improper use, and/or unauthorised re-identification of anonymised information.

These offences are punishable on conviction by a fine not exceeding SGD5,000 or imprisonment for a term not exceeding two years, or both. The offences are not intended to cover situations where the individuals are authorised to disclose, use or re-identify the data. Authorisation may take different forms, for example in the organisation’s written policies, handbooks and manuals, or as ad-hoc authorisation for a specific action.

Amendments that have yet to come into force are provisions on the right to data portability to enable easy switching of service providers, and increased financial penalties for organisations of up to 10% of their annual turnover, if the organisation’s annual turnover exceeds SGD10 million.

If you have further questions on the above, please contact Heng Jun Meng of ZICO Insights Law LLC.


This alert is for general information only and is not a substitute for legal advice.
