Changes to the Singapore Personal Data Protection Act and implications in the pandemic context

Academic Views, Coronavirus / Thursday, June 25th, 2020

Associate Professor Warren Chik (Deputy Director, Centre for AI and Data Governance at SMU School of Law) considers forthcoming changes to the Personal Data Protection Act, in light of pandemic control and containment measures.

The recently issued Personal Data Protection (Amendment) Bill 2020 sets out proposed changes to the Personal Data Protection Act 2012 (PDPA), which governs how organisations in Singapore may collect, use and disclose personal data. This article considers the amendments’ impact on pandemic control and containment measures. However, as the Bill consolidates policy proposals from consultations over several years, it does not include key amendments dealing specifically with pandemic response measures, like the TraceTogether app on smartphones (which identifies close contacts and interactions), the wearable prototype (which does the same thing) and the national digital check-in system SafeEntry (which collects geo-locational and movement data).

While public policy and health concerns require the release and sharing of personal data (especially during a pandemic, when health, security and economic concerns are more urgent), the overall objectives of the privacy and data protection regime remain pertinent. The regime concerns the right of individuals to protect their personal data, counter-balanced with the need of organisations to have access to such data for reasonable and appropriate purposes. Even when policy concerns change, the rules for data governance must influence the direction that measures take, especially when alternative measures exist.

Certain key proposals are objective-neutral and do not have any direct or indirect effect on pandemic-related personal data collection on their own. These include new offences on the mishandling of personal data, and the data portability provisions. However, some proposals have added significance in the context of containment of COVID-19. For instance, the Bill introduces mandatory notification of a data breach to both the Personal Data Protection Commissioner and affected persons as soon as practicable, in the event of a data leak or breach by an organisation. Transparency is important in engendering trust and limiting any resulting damage. Remedial measures include change of security measures, and migration or deletion of personal information stored with the organisation concerned, which is explicitly held accountable for personal data under its control or possession.

Data about close contacts can reveal very private information about individuals and their relationships, and public agencies should be required to adhere to similar standards as the PDPA—if not higher ones.

This obligation for transparency and accountability should extend to the public sector, even though the PDPA does not cover “public agencies”. The public sector data security recommendations and rules should adhere to the same stringent standards, if not even higher ones. This is especially so for sensitive data such as health records and contact information. Health records include health declarations (e.g. whether a person has symptoms like cough or fever) as well as the travel and health history of the individual and/or their close contacts. Close contacts can reveal very private information about an individual such as relationship status, sexual orientation and relations, and social or professional engagement, any of which can be potentially embarrassing or intrusive.

Organisations are obliged to notify the individual of a data breach if there is a likelihood of “significant harm”. They must notify the Commissioner if the harm is of a “significant scale”, set at a proposed threshold of 500 or more affected individuals. Prescribed categories of data should include the type of data being collected in relation to pandemic control measures like those previously mentioned, as long as they constitute personal data, which is data about an individual who can be identified from that data, whether or not in combination with other information that the organisation has or is likely to have access to.

Ideally, what is “significant harm” should be subjectively determined and relate to an individual’s personal situation and unique circumstance. However, the assessment, made first by the data controller, will likely be based on a collective and objective understanding of significant harm. This is especially so when it comes to a collective data collection exercise such as that undertaken in response to the pandemic. In any case, it can be reasonably argued that the display of symptoms relating to COVID-19 as well as an evaluation of the data subject’s health status can affect his or her job prospects and status, thus constituting “significant harm” if leaked.  Also, if early notification can help mitigate the negative effects of a data breach, then it should be considered in the determination to notify.

Discrimination faced by HIV+ individuals—which became of particular social concern following a high-profile leak of data in early 2019—illustrates the harm that breaches of health data privacy can occasion. (Screenshot from Channel News Asia website, taken on 24 June 2020.)

It should be noted that the PDPA does not cover public agencies (or organisations acting on their behalf), and hence its rules, the processes for complaint and the statutory right of private action that are available in the Act do not apply to lapses by government agencies. Instead, state agencies are governed separately by a suite of other statutes including the Public Sector (Governance) Act and the Official Secrets Act. Public servants are required to comply with data protection obligations by the terms of their employment contract and the Government Instruction Manual on IT Management. There are criminal penalties for the reckless or intentional disclosure of personal data without the requisite authorisation. Likewise, the proposed mandatory data breach notification obligations under the PDPA will not apply to public agencies, which may have their own guidelines and rules on reporting.

More significant are the proposals in the Bill pertaining to consent. In general, the consent of an individual to the collection, use or sharing of personal data will absolve data collectors from liability under the PDPA. One amendment on the table is the widening of “deemed consent” (a legally recognised alternative to actual or real consent) to include circumstances where the collection, use or sharing of personal data is “reasonably necessary to conclude or perform a contract or transaction”, or where there has been notification with reasonable opportunity to opt out. Where organisations (and government authorities) that are involved in managing the pandemic response are concerned, these rules should apply consistently and be limited specifically to restricting, with a view to eliminating, the spread of the virus. The default position should still be to allow individuals to opt in to their data collection and use. Only where opt-in is not practicable or may compromise the measures for the protection of public health and concerns, should the deemed consent exception be used in place of actual consent.

The change with the greatest direct implication for pandemic response is the new “legitimate interests” exception to the consent or opt-in requirement. This exception was meant to provide leeway for cases where the greater public good and systemic benefits can result from data management objectives that may not be appropriate or complementary with consent. The condition is that the “legitimate interests” of the organisation and public benefits must be greater than any “adverse effect” or impact on individuals. Necessary information for an effective pandemic response, such as contact tracing and isolation to prevent community infections, can certainly fit the criteria.  This “legitimate interest” exception should also be included in the data protection rules for the government agencies involved, including the health and manpower ministries.  

The Act does currently contain other exceptions to the requirement for consent—in particular, if the collection, use or sharing is in the “national interest”, in the individual’s interest, or in response to “an emergency that threatens the life, health or safety of [an] individual or another individual”. But the pre-requisite to weigh the organisation’s (or public agency’s) interest against any adverse effects on the individual is a welcome additional safeguard that considers individuals’ privacy interests and rights beyond the broad strokes that existing exceptions currently provide. For instance, “national interest” is a very vague and ambiguous concept that is not defined or explained. This leaves it to the determination of the data controller, and the authorities in the event of a complaint by a data subject, who will first have to discover the data collection, use or disclosure from a third party or through notification. The Act does provide a check-and-balance to potential abuse of these exceptions, through a complaint and appeal process to the Personal Data Protection Commissioner, and further to the courts. But practically speaking, most individuals are unlikely to have the funds, time and inclination to bring the issue all the way to the courts.

The Supreme Court of Singapore. While recourse to legal action is available to aggrieved individuals in principle, it is a feasible route for few in practice. (Photo: Wikimedia/Zairon)

The amendments to the PDPA were not considered specifically in relation to the new reality of a pandemic-ridden world. But the effects of some of the changes, and the entire data protection regime, as a whole, remain relevant. They provide important safeguards for individual interests in limiting the use of an individual’s personal data, while acknowledging practical reality and the needs of public authorities and private organisations in doing their jobs.

A greater need for the use of personal information to fight a pandemic does not mean that personal data protection and privacy interests can be compromised to an unreasonable extent. It only means that there should be a justification for the collection and handling of personal data for public health objectives, which the current and proposed data protection framework can provide, while respecting checks and balances. This ensures that the pandemic is not used as an excuse for abuse, that the greatest consideration is given to alternative measures, and that optimal measures that respect public health as well as personal data privacy concerns can be formulated and implemented.

The Personal Data Protection Commission’s role in balancing the individual’s interests against the needs of organisations in the private sphere, and the government’s (in particular the Infocomm Media Development Authority’s) equivalent rules for the public sector, are integral to engendering and maintaining societal trust in the management and treatment of individuals’ personal data. More civil society resources to serve as independent watchdogs will also be useful. The recourse to civil litigation, and to monetary compensation and protection orders in relation to personal data, are also important.

The law can also develop to give the individual more power to, for example, require the removal of their personal data generally (e.g. the concept of the right of erasure of personal data in the possession of a third party, also known as the “right to be forgotten” in Europe). Finally, also helpful will be the development of technology to protect personal data, and as alternatives to the use of personal data (e.g. the concept of “differential privacy” whereby personal data is aggregated for an organisation’s use, while the individual is not identified, hence maintaining their privacy). In short, it is the responsibility of all segments of society to protect personal data and privacy.
