September deadline looms for data protection
Mark your calendars. From 1 September 2019, companies in Singapore need to assess whether they should be collecting, using or disclosing customers’ national identification numbers. Find out what you can do to mitigate potential data risks.
Currently, the island state is one of three Southeast Asian countries with comprehensive data protection regulation and a government agency focused on data privacy and protection. The Personal Data Protection Commission (PDPC) was set up in January 2013 to “promote and enforce personal data protection”.
In a speech at the International Conference of Data Protection and Privacy Commissioners, Yeong Zee Kin, PDPC’s Deputy Commissioner said: “Singapore recognises that a robust data protection regime is an important foundation for the digital economy. In the digital economy, data is a strategic asset for companies.”
“Data can help companies optimise the way they operate, improve existing products and services, or to innovate new ones. We must reach beyond pro forma compliance with data protection laws, which is a necessary condition but no longer a sufficient condition in today’s competitive and data-driven landscape,” Yeong said.
How the change in law will affect companies
The importance of personal data protection has been in the limelight over the last few years. In November 2017, the PDPC launched a public consultation on advisory guidelines covering national registration identity card (NRIC) numbers. It introduced the Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers on 31 August 2018 and set a compliance deadline of 1 September 2019.
From 1 September this year, all companies “are expected to stop collecting, using or disclosing customers' NRIC and other national identification numbers where it is not required under the law or necessary to establish or verify an individual's identity to a high degree of fidelity”.
The new guidelines apply regardless of whether the company has received express consent from the individual to collect, use or disclose their identification number.
This guideline will also apply to any other permanent identifiers, such as birth certificate, foreign identification or work permit numbers. Partial identifier numbers are also covered in this updated guideline. Although passport numbers are replaced every time a new passport is issued, companies are to avoid collecting the full passport number unless justified.
The PDPC takes the view that indiscriminate collection or negligent handling of these identification numbers increases the risk of unintended disclosure, and that the numbers may end up being used for illegal activities such as identity theft or fraud.
According to the 2018 PDP Digest, Protection of Sensitive Personal Data, the nature of sensitive personal data is not exhaustively defined – there is no express legislative definition. Rather, the definition incrementally evolves around the potential for harm brought about by improper collection, use or disclosure. The PDPC’s advisory guidelines and decisions also make frequent reference to the concept of sensitivity.
For example, in 2018, PDPC fined three insurance companies – Aviva, NTUC Income and AIF Asia-Pacific Insurance – for leaking personal policyholder data. Policyholders either received inaccurate statements in which their personal data was disclosed to an unrelated party or had a wrong contact number on their policy letter. According to PDPC, sensitive personal data includes names of the policyholder’s dependents or beneficiaries, the sum insured under the insurance policy, the premium amount and type of coverage.
What are the exceptions?
Government agencies, and any organisation acting on their behalf, are exempted from this guideline.
Responding to this exception, a government spokesperson told the local newspaper, The Straits Times, that the Government is the issuing authority for the NRIC and that it rightfully uses it to "discharge its functions and services with citizens in a secure manner”.
Personal identifiers may also be obtained or shared if required by law such as when subscribing to a new phone line, checking into a phone line or joining an organisation as a new employee.
Are you prepared?
Dell EMC interviewed 2,200 decision-makers around the world, covering the Americas, Europe, Middle East, Africa and Asia Pacific. The subsequent Global Data Protection Index 2018 found that although organisations are managing a greater volume of data, only 16% believe that their current data protection solutions will be able to meet future business challenges.
The survey also found that a surprising 76% of respondents’ organisations have suffered data disruption of some kind in the previous 12 months – from data loss to inability to recover data from their current data protection method or product.
In Singapore, the PDPC is expected to enforce stricter rules around data protection and privacy compliance and will increasingly shift its focus from compliance to accountability among companies.
In a speech in October 2018, PDPC commissioner Tan Kiat How said: “accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is a demonstration that an organisation has put in place measures which pre-emptively identify and address personal data risks.”
There is also heightened customer awareness of personal data privacy in Singapore, following recent high-profile cases such as the data theft affecting 14,000 people diagnosed with HIV and the data breach of 1.5 million SingHealth patient records.
The PDPC has also started to speak about other related issues such as data breach notification and data portability across borders.
Companies will need to take concrete steps to ensure data privacy compliance and mitigate potential data breaches in the future.
Tools such as risk assessments, data protection management programmes and consent registers help to pre-empt and identify data protection risks.
There should also be at least one individual designated as the Data Protection Officer (DPO) to ensure compliance, although appointing a DPO does not exempt the company from fulfilling its data protection obligations. Although the DPO need not be physically present in Singapore, he/she must be accessible during Singapore business hours and must be able to handle queries and complaints around personal data protection issues.
With the evolving personal data protection landscape and the increasing amount of legislation in this area, companies may need to rely on industry experts to ensure compliance.