While the Personal Data Protection Act (PDPA) came into effect in phases from 2013 to 2014, effectively at least 5 years ago, it is quite alarming to find that the number of breaches reached an all-time high in 2019.
41 organisations were slapped with fines in 2019, while plenty more were given directions and warnings to put necessary policies and practices in place. The total penalties appear to have reached more than $1.6m for 2019. Arguably, this was skewed by the $1m penalty dished out in respect of the incredible medical record data breach that occurred last year.
Nevertheless, for the start of 2020, at the time of this article, a total of 14 organisations were found in breach of the PDPA, with a total of $150,000 in penalties already dished out! Unless Singapore organisations take the regulations more seriously, we could see the number of breaches for 2020 overtake 2019.
When it comes to the make-up of the organisations breaching the PDPA, the guilty parties are not limited to big companies; even SMEs and non-profit organisations have fallen afoul of it. As such, it is extremely important for any Singaporean organisation to understand the PDPA, and put the necessary processes and guidelines in place.
The PDPA is not a stagnant law, and it continues to change. The most recent change made by the Personal Data Protection Commission (PDPC) was made on 1 September 2019, when it became illegal for any organisation other than Government bodies to keep hold of or collect the numbers of the following documents:
- NRICs
- Birth certificate numbers
- Foreign identification numbers
- Work permit numbers
Organisations will only be able to do so if the collection is required by law or there is a need to verify identities to a high degree of accuracy. A financial penalty of up to $1m awaits those who flout this and other provisions of the PDPA.
The next big change will be the proposed mandatory data breach notification requirements. While not yet effectively mandatory, guidance has already been issued on this in 2019.
One thing's for sure: the Singapore government is taking the PDPA very seriously. As the PDPA continues to evolve, organisations must do the same, keeping themselves updated on ongoing changes to the PDPA and being clear on how the law works and what it covers.
Author: Azmin Mohd Khalib, Research and Learning, Wolters Kluwer SEA