The Singapore Personal Data Protection Commission (PDPC) has issued a paper seeking the public’s views on approaches to managing personal data in the digital economy. The paper seeks views on:
- an enhanced framework for the collection, use and disclosure of personal data; and
- mandatory data breach notification.
In the paper, the PDPC outlines various options in a review of the current regime relating to consent. The paper discusses whether “notification of purpose” is an appropriate consideration to be included in consents and whether it may be impractical for an organisation to obtain consent or whether the collection, use and disclosure of personal data is not expected to have an adverse impact on the data subject. The paper refers to privacy legislation in Australia, New Zealand, British Columbia and Europe as part of its discussion. The paper also discusses whether relying on a legitimate business purpose or a “Legal or Business Purpose”, without obtaining appropriate consent, may be an acceptable alternative.
Regarding mandatory data breach notification, the paper draws on various legislation in Australia, Canada and US states to propose a data breach notification framework. Under the framework, the risk of impact or harm to individuals and the scale of the breach are the criteria for reporting a data breach to the data subject and/or the PDPC. The PDPC expects the notifications to apply concurrently with other similar obligations currently applying to the financial services sector through Monetary Authority of Singapore Notices. Potential exceptions and exemptions are discussed, as well as a 72-hour notification timeframe.
The public consultation paper can be found at https://www.pdpc.gov.sg. Comments are due at the PDPC by 21 September 2017.