Personal Data Protection Act (“PDPA”)
Whether we like it or not, the topic of personal data is ironically not so personal anymore. In recent years, personal data has taken centre stage not only in Singapore, but across many developed nations. Whether you are an individual registering for a lucky draw, or an insurance company preparing to send out monthly statements to clients, personal data affects us all in ways we never expected.
So why has there been this “sudden” spotlight on personal data protection? It may not actually be as sudden as most people believe it to be. Singapore’s Personal Data Protection Act (“PDPA”) was first enacted in 2013, and it was only from 2 July 2014 that the PDPA came into force. Therefore, the Act has already been in force for more than 3 years, yet many individuals and organisations remain oblivious to its existence. However, ignorance is NOT bliss in this case, and enforcement by the Personal Data Protection Commission (“PDPC”) has picked up pace in the past year. One of the most severe penalties to date is a fine of S$50,000 imposed on karaoke chain K Box Singapore, after the personal data of over 300,000 customers was posted online.
But what does the PDPA do? Essentially, it prohibits the indiscriminate collection of consumers’ personal data, and requires organisations to be accountable for the use of such data. The consequences of non-compliance with the PDPA are not to be taken lightly: organisations that fail to observe the provisions of the PDPA may be fined up to S$1 million. Often, a single complaint by a disgruntled individual can bring serious damage to a non-compliant organisation, and it is not just financial damage that is at stake.
A case in point is Toh-Shi Printing, a printing company hired by Aviva Insurance. Toh-Shi Printing had inadvertently caused the personal data of 8,022 individuals to be leaked when Aviva policyholders received inaccurate statements in which other individuals’ personal data was disclosed. The PDPC fined the company S$25,000 for failing to implement adequate checks in processing personal data. The printing firm then admitted that the breach occurred because its own staff had failed to comply with the company’s security procedures. However, the repercussions did not end with the fine: Toh-Shi Printing is now no longer in business, as it could not sustain a profitable business in the aftermath of its damaged reputation.
Under the PDPA, it is mandatory for an organisation to appoint a Data Protection Officer (“DPO”) to act as a point-of-contact with the PDPC. The DPO need not be a distinct and separate role within the organisation, and a current employee can assume this role as well. It is prudent that organisations take this first step in their personal data protection journey by appointing a DPO.
The PDPA is only going to get stronger. There is currently an ongoing public consultation, open till 18 December 2017, to receive public feedback on the PDPA, and so far NRIC numbers have taken the hot seat, with many proposing that it be unlawful for mall operators and retailers to collect and use shoppers’ NRIC numbers to track parking redemptions, conduct lucky draws or manage membership accounts. Building owners may also be barred from retaining NRICs in exchange for visitor badges. These proposals are likely to be enacted in a matter of time. For now, it is worth playing safe and collecting NRIC details only where the law requires it, such as when subscribing to a mobile phone line, or during emergencies.
If you are a private organisation, it is essential to have a system in place not only to protect personal data, but also to respond properly in the event of a breach. The PDPC does not penalise organisations for each and every complaint received, and a proper reaction to contain and remedy the breach may result in no more than a warning from the PDPC. Therefore, it is vital that you create a system that is able to both prevent and cure any data breaches.
Our lawyers are trained by data protection specialists, and we are well-equipped to advise you on whether you have in place an appropriate data protection system that is both preventive against and reactive to data breaches. Please feel free to contact our firm should you wish to find out more.