PDPC unveils initiatives to amp up organisation accountability

It has launched its data portability public consultation as well as an updated guide to managing data breaches.

The Personal Data Protection Commission (PDPC) has introduced three new initiatives to facilitate the movement and use of data to support innovation, and strengthen accountability amongst organisations in Singapore, an announcement revealed.

These comprise of a public consultation to seek views on proposed data portability and data innovation provisions as part of the review of the Personal Data Protection Act 2012, a new guide on active enforcement as part of PDPC’s drive for organisations to shift from compliance to accountability, and an updated guide to managing data breaches 2.0, to help organisations manage and respond to data breaches more effectively.

“We are taking firm steps to position Singapore as a trusted data hub in the global digital economy by seeking feedback on the proposed data portability and innovation provisions, as well as testbedding data breach notification measures,” Yeong Zee Kin, deputy commissioner of PDPC, said in a statement.

Open for six weeks starting 22 May, the public consultation will be the PDPC’s third to seek feedback and views on the proposed introduction of the data portability and data innovation provisions. This consultation builds on the data portability discussion paper launched in February 2019.

The proposed data portability provision is said to provide individuals with greater control over their personal data and enable greater access to more data by organisations to facilitate data flows and increase innovation, whilst the proposed data innovation provision makes it clear that organisations can use data for appropriate business purposes without individuals’ consent.

Also read: MAS irons out customer liability in updated e-payments guideline

Meanwhile, the PDPC’s new guide to active enforcement articulates its approach in deploying its regulatory powers to act efficiently and effectively when dealing with data breaches to safeguard the public interest. 

The PDPC has also introduced a new expedited decision process to bring investigations on clear-cut data breaches to a conclusion quickly. The process draws on data breach cases in the last four years and feedback from stakeholders, the commission highlighted.

In expedited decision cases where financial penalties are involved, the organisation’s admission of its role in the incident will be taken into consideration as a strong mitigating factor. “Examples of cases eligible for the process include common forms of data breaches such as URL manipulation, poor password management, or printing errors resulting in incorrect recipients,” PDPC explained.

Also read: PDPC slapped $750,000 penalty on IHiS for breaching data protection obligations

Additionally, the commission’s updated guide to managing data breaches 2.0 outlines that organisations should have in place monitoring measures to provide early detection and warning for possible data breaches, as well as a data breach management plan for reporting and assessing a data breach. 

The guide also updates recommendations in two main areas - thresholds for notifying the PDPC and individuals of a data breach, and the timeliness of notification. Notification thresholds are expanded to consider large numbers to be where 500 or more individuals are affected, or where significant harm or impact to the individuals is likely to occur due to a breach.