DPMP and DPIA Guides Now Available
The PDPC has released two new guides to help you manage your privacy program:
- Developing a Data Protection Management Programme (DPMP) discusses a systematic framework for building a robust personal data protection infrastructure
- Guide to Data Protection Impact Assessments (DPIAs) discusses key principles and illustrative examples for identifying, assessing, and addressing personal data protection risks
jbho: some nice simple templates. Good examples for getting started and avoiding over-engineered processes.
DP Starter Kit Now Available
My favorite DPA has released another DIY privacy kit. It contains sample forms, clauses, and communication materials to use as starter materials, as well as tips and hints on complying with the Data Protection and Do Not Call provisions of the PDPA.
PDPA Assessment Tool
The tool provides tips and hints, along with links to resources (like the PDPC’s advisory guidelines), to help develop, grow, and maintain your data protection policies and practices.
jbho: great tools from one of my favorite DPAs
Developing a Trusted Data Ecosystem to Support Singapore’s Digital Economy
The PDPC announced several new initiatives at the 5th Personal Data Protection Seminar on 27 July 2017. These initiatives include:
Public Consultation On The PDPA – The public consultation is a request for comment on Consent and Breach Notification.
The consent questions seek to provide flexibility in the collection and use of personal information while balancing consumer protections against the legitimate interests of a data controller. The questions asked are:
- Should the PDPA provide for Notification of Purpose as a basis for collecting, using and disclosing personal data without consent?
- Should the proposed Notification of Purpose approach be subject to conditions? If so, what are your views on the proposed conditions (i.e., impractical to obtain consent and not expected to have any adverse impact on the individual)?
- Should the PDPA provide for Legal or Business Purpose as a basis for collecting, using and disclosing personal data without consent and notification?
- Should the proposed Legal or Business Purpose approach be subject to conditions? If so, what are your views on the proposed conditions (i.e., not desirable or appropriate to obtain consent and benefits to the public clearly outweigh any adverse impact or risks to the individual)?
The PDPC is also proposing criteria for breach notification. Individuals and the PDPC would be notified when there is a risk of harm, and the PDPC would be notified of larger breaches where harm is unlikely. Exceptions would apply for law enforcement or where data is encrypted, and notification would be required within 72 hours of discovery of a breach. The questions asked are:
- What are your views on the proposed criteria for data breach notification to affected individuals and to PDPC? Specifically, what are your views on the proposed number of affected individuals (i.e., 500 or more) for a data breach to be considered of a significant scale to be notified to PDPC?
- What are your views on the proposed concurrent application of PDPA’s data breach notification requirements with that of other laws and sectoral regulations?
- What are your views on the proposed exceptions and exemptions from the data breach notification requirements?
- What are your views on the proposed time frames for data breach notifications to affected individuals and to PDPC?
Guide to Data Sharing – The PDPC has published guidance to explain how the PDPA applies to the movement of personal information within an organization, disclosure to service providers (data intermediaries), and sharing with outside organizations. It reiterates the importance of purpose specification and informed consent, and discusses the scope (and limits) of the consent exceptions. The guidance provides several example scenarios clarifying the PDPC’s expectations related to the sharing of personal information, as well as a checklist of items to consider, including:
• Organisations or departments involved
• Frequency of sharing
• Types of Personal Data
• Purpose of the data sharing
• Risk assessment and mitigation
• Other considerations (e.g., Data Quality, SARs, etc.)
The PDPC also announced that it filed a Notice of Intent to participate in the APEC Cross-Border Privacy Rules (CBPR) System, as well as plans to introduce a Data Protection Trustmark certification scheme by the end of 2018.
jbho: if you want to learn more, the PDPC has also posted some great teaching resources at:
Some of the best in the biz (imho).
Company Liable For Director’s Actions In Corporate Chat Room
A senior member of Executive Coach International shared personal views about an ex-employee in a company-sponsored WhatsApp chat room. The PDPC found the comments constituted an unauthorized use and disclosure of personal information (used without consent) for the purpose of discrediting the ex-employee (who had departed on ‘unamicable’ terms).
Executive Coach stated that the director was acting in a personal capacity, and that it neither approved of, nor had any knowledge of, the director’s actions. The PDPC found that although the dispute may have been personal, the context of the exchange was an ongoing dispute between an employer and its ex-employee, and thus the organization was liable.
Given the extenuating circumstances (not a public chat room, the individual actions of the director), the PDPC decided to formally warn Executive Coach, but not issue a fine.
jbho: a reminder that mum is always the word when it comes to former employees. Interesting that this was addressed as a privacy matter as opposed to an employment or disparagement matter. Fascinating to watch this nascent privacy regime mature (and quite quickly at that!)
Also a reminder that if you are going to sponsor social channels for employees, you should have some clear guidelines on how to use them.
Updated Guidance On Anonymization And Health Care Reminders
The PDPC has updated the Anonymization guidelines (chapter 3) of its Advisory Guidelines On The Personal Data Protection Act For Selected Topics. The updates include more detailed examples of acceptable use and disclosure of anonymized data, as well as additional guidance on assessing the risk of re-identification.
The PDPC has also updated its Advisory Guidelines for the Healthcare Sector, adding examples of how and when it is acceptable to send appointment or other service reminders by phone or text message.
jbho: I don’t see any material changes, but the examples are good. The PDPC continues to publish some of the best guidance that’s out there.
PDPC Updates Guidance On Security, Disposal, And Website Design
The PDPC has published revisions to three security guides:
• Guide to Securing Personal Data in Electronic Medium
• Guide to Disposal of Personal Data on Physical Medium
• Guide on Building Websites for SMEs
The updates add examples illustrating good information handling practices under the PDPA, including the use of out-of-the-box and third-party software, as well as how to configure software features when handling personal information.
The PDPC also added a new Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data to help prevent breaches. It covers:
• Preventing personal information from being sent to wrong recipients
• Minimizing the risk and impact of accidental disclosures to wrong recipients
• Understanding lessons learned from case studies
• Using checklists to implement best practices
jbho: the PDPC puts out some great materials, and they are worth the read if securing data falls under your remit.
New TV Series on Personal Data Protection
The PDPC has launched a TV Show to introduce personal data protection topics to general audiences.
jbho: Talk about government support for privacy!
PDPC Updates Guidance On Consent
The Personal Data Protection Commission (PDPC) recently updated its guidance on the Consent and Do Not Call provisions (revised on 15 July 2016).
Chapter 12 has been revised to provide further clarity on the withdrawal of consent requirements, including how organisations are to facilitate and effect withdrawal of consent requests.
The section on Do Not Call Provisions in the Advisory Guidelines on Key Concepts has been incorporated into the Advisory Guidelines on the Do Not Call Provisions.
jbho: just in case you are following this