This story was updated at 10:50AM to include comments from Veritas Technologies.
The Personal Data Protection Commission (PDPC) of Singapore yesterday (27 July 2017) launched a public consultation to review and update the four-year-old Personal Data Protection Act (PDPA).
The consultation, which will run until 21 September 2017, seeks views on the proposed enhanced framework for collection, use, and disclosure of personal data, as well as mandatory breach notification.
The PDPC proposes to expand the scope where personal data can be collected, used or disclosed when individual consent is not practical or desirable, such as in circumstances where benefits to the public outweigh the adverse impact to the individual (e.g. using the data to detect fraud and security threats).
The PDPA currently allows organisations to collect, use or disclose personal data for certain legal or business purposes even without the owner's consent.
In addition, the commission proposed to provide affected individuals with a notification of purpose that will serve as a basis for the collection, use and disclosure of their data for a certain purpose.
The PDPC said it will conduct a risk and impact assessment for both approaches to identify and mitigate the risks and impact to the individuals.
"Given the rapid advances in data-related technologies and business models, it is timely to review the Personal Data Protection Act to maintain the appropriate balance between safeguarding consumer interests and facilitating innovations around information sharing among organisations," said PDPC Commissioner Tan Kiat How.
Proposed mandatory breach notification
The PDPC also proposed to implement a mandatory breach notification for organisations.
Under the proposal, organisations hit by a data breach are required to inform their affected stakeholders of the incident. They must also inform the PDPC of the breach when it poses harm to affected individuals or when the scale of the breach is significant (i.e. it involves 500 or more personal data).
The organisation must then inform the commission within 72 hours after the discovery of the breach. The proposal also covers data intermediaries or companies that process personal data on behalf of another organisation.
The PDPC explained that mandatory breach notification will help affected individuals take the necessary steps to protect themselves from the harms of a data breach. It will also allow the commission to provide immediate help to the affected organisation to mitigate the impact of the breach, as well as gain a better view of the incidence and management of data breaches in the country.
'Businesses need a good data management strategy'
Sheena Chin, country manager for Singapore of Veritas Technologies, advised businesses to develop a strong data management strategy to help them adapt should the proposed PDPA amendment be passed.