On 22 May 2019, Singapore’s Personal Data Protection Commission (PDPC) published a Guide on Active Enforcement that represents a change in the way that the commission handles enforcement actions going forward.
Under the current approach set out in the Advisory Guidelines on the Enforcement of the Data Protection Provisions, there are three main enforcement approaches. Where appropriate, the PDPC could utilize alternative dispute resolution mechanisms, such as mediation and facilitated negotiations, to resolve what is perceived to primarily be a dispute between the parties.
Alternatively, the PDPC could commence investigations that could involve it exercising the extent of its statutory powers of investigation under the Personal Data Protection Act (PDPA) to uncover facts and reach a decision. Finally, where the organization has made a decision involving the access and/or correction of personal data, the PDPC may review that decision.
The guide sets out two other intermediate enforcement options – voluntary undertakings and expedited decisions – that may be pursued in lieu of a full investigation. These were previously not expressly provided in the guidelines or in the PDPA. The guide provides information on the scope of these new options and the circumstances under which the PDPC will apply either enforcement option when investigating a breach.
This update is relevant to organizations that wish to better understand the new enforcement options that have become available and the preparatory steps that should be taken ahead of time to preserve the option for an organization to seek an undertaking.
An undertaking is a written commitment by the organization to the PDPC that voluntarily commits the organization to remedy the breaches and take steps to prevent recurrence. An undertaking is generally available when:
(1) It achieves a similar or better enforcement outcome for the PDPC more effectively and efficiently than a full investigation; or
(2) The organization can show that it has accountable data privacy practices in place, or a data protection trustmark, and that it has an effective remediation plan that it is prepared to implement.
The remediation plan should include steps to reduce the recurrence of the incident, as well as the implementation of monitoring and reporting processes, audits and policy/process reviews.
An undertaking will typically also include a description of the data breach incident and steps to notify and minimize harm to the affected individual. The PDPC also expects the organization to have executive-level endorsement to the undertaking, requiring that the undertaking be signed by the CEO or someone of equivalent rank.
The guide also provides examples of the circumstances when the PDPC will not accept an undertaking request, for example, when the organization refutes responsibility for the data breach incident, refuses to accept the terms and conditions of the undertaking, or refuses to agree for the undertaking to be published.
In particular, requests for an undertaking must be made soon after investigations commence and the organization must be ready with a remediation plan. The PDPC will not accept a request for an undertaking that requires additional time to produce a remediation plan.
Of the two situations where an undertaking is a viable option, the second option is partly within the control of the organization, and that organizations can be prepared for. This requires organizations to be ready ahead of time to demonstrate good accountable privacy practices.
Organizations that have done scenario planning and exercises to respond to data breach situations would be in a better position to prepare a remediation plan in the short timeframe soon after investigations commence. Organizations that have taken the additional step of obtaining a trustmark certification are also in a better position to seek an undertaking.
This underscores not only the importance of having documented processes in place, but also organizational preparedness in managing potential data breach situations.
The PDPC may consider an expedited decision if there is an upfront admission of liability by the organization involved on its role in the cause of the breach. The organization must submit a written request to the PDPC, and must provide and admit to all facts relevant to the data breach incident.
An expedited decision reduces the timeframe for an investigation to be concluded. Although the PDPC will still issue a full decision (and the relevant directions), an admission of liability will be a strong mitigating factor if financial penalties are involved.
The PDPC will usually launch a full investigation process immediately for data breach incidents with high impact, such as incidents where a large number of individuals are affected and the personal data disclosed could cause significant harm. Investigations that have been assessed to be of low impact may be discontinued.
If the PDPC determines that there has been a breach, the PDPC may impose: (1) a warning; (2) directions only; (3) financial penalties only; or (4) directions and financial penalties.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing Danian Zhang at [email protected].