We are moving away from a culture of mere compliance towards a more strategic accountability-based approach, stresses Mr Lim Chong Kin, commenting on how 2019 has witnessed a sea change in the Personal Data Protection Commission’s (PDPC) approach to data protection in Singapore.
If 2018 was the year that made Singapore businesses more attuned to the reality of how data breaches can impact their businesses and operations, then 2019 was the year that saw the PDPC pivoting from expecting mere compliance with the Personal Data Protection Act 2012 (PDPA) to promoting a culture of accountability.
CASE BY CASE
“There was certainly a sharp uptick in enforcement action by the PDPC in 2019; it issued a total of 57 enforcement decisions, compared to just 29 the year before,” notes Mr Lim Chong Kin, Co-head, Data Protection, Privacy and Cybersecurity Practice, Drew & Napier.
The most prominent case in 2019 was undoubtedly the SingHealth data breach. In summary, the PDPC found that both SingHealth and its IT vendor, IHiS, had failed to put in place reasonable security measures to protect patients’ data. Both were therefore liable for breaching the Protection Obligation under the PDPA. As a result, SingHealth was fined a hefty $250,000, while IHiS was fined an even heftier $750,000. This case also emphasised that organisations have the primary role and responsibility of ensuring the overall protection of the personal data in their possession or control, even if they engage a data intermediary.
Studying the year’s cases also sheds more light on the PDPC’s expectations with respect to the Accountability Obligation. For example, Mr Lim advises those looking to gain a better understanding of the PDPC’s expectations with respect to “policies and practices” required under the PDPA’s Accountability Obligation to read the grounds of decision of two cases: Xbot Pte Ltd and Horizon Fast Ferry Pte Ltd.
He adds that two other cases — involving Genki Sushi and Bud Cosmetics Singapore — are also useful reads. “These new cases provide further insight into the PDPC’s approach in the interpretation of the various Data Protection Obligations under the PDPA,” he explains. “Several cases in this period are distinctive, representing various landmarks and firsts for the PDPC, among them the record $1 million combined fine imposed on SingHealth and IHiS.”
In tandem with this, on 22 May 2019, the PDPC published its Guide on Active Enforcement which articulates the PDPC’s new approach in deploying its enforcement powers. Notably, the Guide on Active Enforcement introduces two other enforcement options, undertakings and expedited decisions, which may be pursued in lieu of a full investigation.
RETHINKING OUR APPROACH TO DATA
Aside from the rise in enforcement action, 2019 was also the year in which the PDPC actively rolled out initiatives which highlighted the principle of accountability, most significantly, the replacement of the Openness Obligation with the new Accountability Obligation in the PDPA and the issuance of the PDPC’s Guide to Accountability under the PDPA on 15 July 2019.
Mr Lim welcomes this move, opining that the focus on accountability would not only help an organisation build and maintain trust with consumers in the short run, but also enhance the organisation’s business competitiveness in the long run. “Accountability in relation to data protection is the key ingredient for organisations looking to succeed in the digital economy,” he says, adding that the shift will necessarily spell new requirements for organisations. “They are now expressly required to be able to demonstrate to the PDPC how they are accountable for the personal data in their care.”
Given the breadth of these changes, SAL has rolled out its first-ever annual review dedicated to data protection. The session begins with a review of the 2019 cases and their implications by Mr See Chern Yang, Director, Drew & Napier, and Mr Sriram Chakravarthi, Senior Director & Chief Legal Counsel of SAL. Participants can then benefit from an update on the PDPA by PDPC’s Ms Evelyn Goh, Director (Policy & Technology), followed by a panel discussion that will feature the aforementioned speakers as well as Mr Yeong Zee Kin, Deputy Commissioner, Personal Data Protection Commission, and Ms Dian Chen, Senior Director APAC Compliance of Hilton International.
The views and opinions expressed in these articles are those of the individual author/interviewee and do not represent the views of SAL Group, Drew & Napier or other parties.