Personal Data Protection – Powering Innovation Through Trust
The personal data protection provisions in the Personal Data Protection Act (PDPA) came into force in July 2014[1] after a “sunrise” period of about 18 months. The theme of this year’s 6th annual Personal Data Protection Commission (PDPC) seminar was “Powering Innovation Through Trust”.
Seminar invitees include lawyers practising in the area of personal data. However, the seminar’s principal audience consists of the management of small and medium enterprises in Singapore, including their data protection officers (DPOs). This year, the Cybersecurity and Data Protection Committee of the Law Society was invited to present a workshop on data breaches.[2]
PDPC Announcement of a Data Protection Trustmark Certification
The PDPC generally takes the opportunity to announce new initiatives at its annual seminar. This year was no exception. Minister for Communications and Information, Mr S Iswaran, launched an open call for organisations to participate in a pilot for Singapore’s Data Protection Trustmark (DPTM) certification. He said that the scheme aims to foster sound, transparent and accountable data protection practices among Singapore-based organisations and was developed in consultation with the industry.[3]
The day before the PDPC’s seminar, Mr Tan Kiat How, Commissioner of PDPC, delivered the keynote speech at the International Association of Privacy Professionals (IAPP) Asia Privacy Forum. He also spoke broadly about innovation, noting that Singapore has embarked on a new phase of its digitalisation journey with the recent launch of the “Digital Economy Framework for Action” (see https://www.imda.gov.sg/-/media/imda/files/sg-digital/sgd-framework-for-action.pdf?la=en). Mr Tan mentioned that the ability to use and share personal data innovatively and responsibly can translate into a competitive advantage for businesses. Infusing Artificial Intelligence (AI) into business operations can accelerate digital transformation.
Workshop on Data Breaches
As mentioned, the Cybersecurity and Data Protection Committee of the Law Society was invited by the PDPC to present a workshop on data breaches as part of the PDPC’s annual seminar. Consistent with the theme of “Powering Innovation Through Trust” and the focus on innovation, accountability and the digital economy, the Committee developed a data breach case study involving a digital start-up business that lost the trust of its customers through poor data protection practices.
Committee Chairman Mr KK Lim opened the session with a briefing for workshop participants about individual roles and responsibilities where there is a data breach.
The first thing for an organisation to determine, of course, is whether there has in fact been a data breach involving personal data and when the organisation became aware of it. Next, the organisation must determine whether there is a legal obligation on it to report the data breach to the PDPC, the individuals whose personal data was compromised, any relevant sectoral regulator (such as the Monetary Authority of Singapore and the Ministry of Health) and/or, where the organisation has foreign operations, any foreign data protection regulator. The organisation must also determine if it is under any contractual obligations to report the data breach to third parties, such as its business partners.
An organisation needs to conduct a full investigation into the incident that has occurred. It might decide to retain external investigators and/or auditors to assist its internal investigative team. Mr Lim stressed that it is important to define the scope of the investigation clearly and to avoid trying to “boil the ocean”. Collecting evidence can be difficult: the nature of digital evidence is such that it may reside on multiple media. It is also important to preserve the evidence found during the investigation of the incident.
Of course, the organisation must take appropriate remedial action too. This includes identifying the root cause of the breach and taking steps to change or upgrade its risk control practices to avoid a recurrence of the data breach.
And last, but not least, an organisation should take a proactive approach by having a breach notification plan developed ahead of any data breach. It can then activate the plan and follow the policies calmly and comprehensively documented in it, instead of scrambling reactively in the often “hot house” environment after a breach has occurred.
Following Mr Lim’s preparatory remarks, participants in the workshop turned to the case study, which had been divided into four separate sections, for consideration. The members of the Committee who had volunteered to facilitate the session circulated among the tables to lend their expertise and to encourage discussion.
In the first of the four sections, workshop participants considered the scope of the PDPA: whether the organisation that was the subject of the case study was subject to the PDPA, whether its actions had breached the PDPA, and whether the organisation was required to notify the PDPC or the affected individuals about the data breach that had occurred.
In the second section, two of the affected individuals complained to the organisation about aspects of what had happened, and one of them made a request for a correction of personal data. Workshop participants discussed the rights of these individuals and the ways in which the organisation should deal with their complaints and requests.
The heat was turned up further in the third of the four sections of the case study, with workshop participants needing to consider the actions of individuals who worsened the data breach, including by publicising it through social media. They were also asked to identify which individuals (by job title) should be involved in dealing with the data breach, concluding that there is a role for various departments within an organisation and that proper planning is vital.
Finally, the case study raised some technical/IT issues in its fourth stage, which workshop participants considered within the framework of the PDPC’s C.A.R.E. approach to managing data breaches,[5] that is:
C = Containing the breach
A = Assessing risks and impact
R = Reporting the incident
E = Evaluating the response and recovery to prevent future breaches
Members of the Cybersecurity and Data Protection Committee of the Law Society were delighted to have the opportunity to support the PDPC’s “Powering Innovation Through Trust” theme by helping management of small and medium enterprises understand the value, particularly from a trust perspective, of being prepared for a data breach and handling it well.
[1] Personal Data Protection in the Workplace.
[2] Members of the Committee who took part in facilitating the workshop were Ms Amira Nabila Budiyano (Gateway Law Corporation), Anil Narain Balchandani (IRB Law LLP), Jansen Aw (LVM Law Chambers LLC), Kao Kwok Weng Jonathan (Gao Guorong) (Bird & Bird ATMC LLP), Kevin Elbert (OC Queen Street LLC), Lim Kian Kim (Nanyang Law LLC), Lua Limian Jeremy (Norton Rose Fulbright (Asia) LLP), Ms Lyn Boxall (Lyn Boxall LLC) and Quah Pern Yi (CMS Singapore).
[3] See the PDPC’s Media Release at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/PDP-Seminar-2018/Media-Release—IMDA-and-PDPC-launch-DPTM-pilot-(250718).pdf for details.
[5] See the PDPC’s ‘Guide to Managing Data Breaches’ at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/guide-to-managing-data-breaches-v1-0-(080515).pdf.