| PAP Nee Soon
  • Latest
    • Events
    • Lifestyle
    • Commentary
  • Volunteer
    • GE2020
      • Manifesto 2020
      • Emerging Stronger Together
      • A Brighter Future Together
      • Better Nee Soon
      • More Exciting Plans for Nee Soon
      • Map of improvements
      • Healthcare Hub of the North
      • Caring, Sustainable Town
      • No One Left Behind
      • Home With a Heart
    • Connect
      • Shanmugam’s Story: Keeping Our Homes Safe
      • Faishal’s story: Believe in People
      • Louis’ story:  Every Kid Deserves a Childhood
      • Derrick’s story: Putting Heartlanders First
      • Carrie’s Story: A Volunteering Trip that Changed Her Life
      • PAP Nee Soon Facebook Page
    • Contact
    | PAP Nee Soon
    • Latest
    • Volunteer
    • GE2020
    • Connect
    • Contact
    • Latest
      • Events
      • Lifestyle
      • Commentary
    • Volunteer
    • GE2020
      • Manifesto 2020
      • Emerging Stronger Together
      • A Brighter Future Together
      • Better Nee Soon
      • More Exciting Plans for Nee Soon
      • Map of improvements
      • Healthcare Hub of the North
      • Caring, Sustainable Town
      • No One Left Behind
      • Home With a Heart
    • Connect
      • Shanmugam’s Story: Keeping Our Homes Safe
      • Faishal’s story: Believe in People
      • Louis’ story:  Every Kid Deserves a Childhood
      • Derrick’s story: Putting Heartlanders First
      • Carrie’s Story: A Volunteering Trip that Changed Her Life
      • PAP Nee Soon Facebook Page
    • Contact

    Latest > Commentary

    Personal Data Protection (Amendment) Bill

    Speech by Mr. Louis Ng Kok Kwang, MP for Nee Soon GRC, at the Second Reading of the Personal Data Protection (Amendment) Bill

    (Bill No. 37/2020) 

    Introduction

    Sir, since we passed the Personal Data Protection Act in 2012, the Personal Data Protection Commission has been busy. It has investigated numerous data breaches and received a record-breaking 4,500 complaints last year.

    Data protection has become only more concerning, and this Bill helps address those concerns.

    I am heartened by the amendments requiring organisations to inform people who are affected by data breaches and to help people port their data to other services.

    These changes will help Singaporeans feel a greater sense of control over their data. Many will welcome these enhancements.

    That said, I have three points of clarification on the Bill.

    Data breach notification

    My first point is on data breaches.

    The Bill introduces a requirement for organisations to notify the Commission and affected individuals in certain instances where there is a data breach.

    One instance is when the data breach results in, or is likely to result in, significant harm to an affected individual.

    I understand the Commission intends to prescribe classes of personal data considered likely to result in significant harm to individuals.

    Beyond this, can Minister clarify what other circumstances will be prescribed to help organisations assess whether a data breach may lead to “significant harm” to affected individuals under Section 26B?

    Further, can Minister clarify what standard the Commission will apply when it reviews an organisation’s assessment on whether a data breach is notifiable?

    An organisation may decide not to notify affected individuals of a data breach because they assess that no significant harm was caused and the breach was not of a significant scale.

    If the Commissioner later disagrees with this assessment and reviews the organisation’s assessment, will the Commissioner do so by holding the organisation to the standard of a reasonable person?

    Can Minister also clarify whether the Commission will consider a good-faith, systematic assessment by an organisation as a mitigating factor in deciding whether and how much to penalise the organisation for failing to notify the Commission of a data breach?

    Adverse effect

    My second point is on the definition of adverse effect.

    The Bill now allows organisations to avoid asking for consent in certain cases. In several cases, they have to assess whether their actions will have an “adverse effect” on individuals.

    Under Section 15A, organisations have to assess the extent of adverse effect to decide whether deemed consent by notification is sufficient consent.

    Under Section 17, organisations have to weigh such adverse effect against the “legitimate interests” of the organisation or of other people.

    Can Minister define what it means to impose an “adverse effect” on an individual, and what are some examples of it?

    Such clarity is important because organisations will likely face practical challenges in identifying every possible adverse effect on an individual, and a wrong assessment may lead to harsher penalties for them.

    In line with the Act’s shift to a risk-based accountability approach, I would also suggest applying a standard of reasonableness when determining whether organisations have fulfilled their obligations.

    In other words, they should be required to assess the “adverse effect” on an individual only to the standard of a reasonable person.

    Finally, can Minister also clarify the intended differences between “significant harm” and “adverse effect” on individuals? It will help organisations comply with the Act.

    Data porting

    My third point is about the data porting obligation.

    This Bill empowers individuals to make data porting requests. This means individuals can ask organisations to send their personal information to other organisations.

    Organisations can say no only under conditions outlined in the new Twelfth Schedule.

    Will the Commission be releasing guidelines and examples to help organisations understand whether each of the conditions apply to them?

    The guidelines should especially clarify three conditions.

    First, these guidelines should clarify when the data would “reveal confidential commercial information” that could “harm the competitive position of the organisation”.

    I am sure many companies will be keen to cite this condition if they are asked to transfer data to a competitor.

    Second, the guidelines should clarify when the data is “trivial”.

    Third, the guidelines should clarify when the data porting request is “frivolous” or “vexatious”.

    Data porting is a new concept to many organisations in Singapore. Organisations will benefit from greater clarity on what counts as trivial, frivolous or vexatious.

    Conclusion

    Sir, notwithstanding these clarifications, I stand in support of the Bill.

    Watch the speech here

    READ MORE Commentary , Latest


      Deprecated: Function WP_Query was called with an argument that is deprecated since version 3.1.0! caller_get_posts is deprecated. Use ignore_sticky_posts instead. in /home/papneeso/public_html/wp-includes/functions.php on line 5663
    • On reducing administrative workload of teachers
    • On rent control measures on coffee shop stalls in HDB estates
    • Louis Ng on Stamp Duties (Amendment) Bill
    • Louis Ng on Endangered Species (Import and Export)(Amendment Bill)
    • Contact
    • Privacy Policy
    COPYRIGHT © PEOPLE'S ACTION PARTY. ALL RIGHTS RESERVED Published by People's Action Party Chong Pang branch, at the direction of K Shanmugam
    • Contact
    • Privacy Policy
    COPYRIGHT © PEOPLE'S ACTION PARTY. ALL RIGHTS RESERVED Published by People's Action Party Chong Pang branch, at the direction of K Shanmugam
    ?>