On 22 May 2019, the PDPC published a consultation paper that outlines proposed changes to the Personal Data Protection Act (PDPA): a proposed data portability obligation (Data Portability Obligation) and proposed provisions that enable organisations to use personal data without consent for business innovation purposes (Data Innovation Provisions).
The Data Portability Obligation enables an individual to ask an organisation to provide another organisation with information relating to the individual in a commonly used machine-readable format. The Data Innovation Provisions allow organisations to make secondary use of personal data without seeking further consent from the individual.
This client alert outlines the scope of these proposed changes and will be of interest to any organisation that views personal data as an asset to its business or uses personal data to deliver better services to consumers.
The Proposed Data Portability Obligation
Under the proposed Data Portability Obligation an organisation must, at the request of the individual, provide the individual's data that is in the organisation's possession or under its control to another organisation in a commonly used machine-readable format. The consultation paper elaborates on the scope of this obligation along several dimensions:
(a) Covered Organisations
Organisations that would be required to provide data pursuant to a data portability request are organisations, including organisations based abroad, that collect, use or disclose personal data in Singapore. The scope of coverage is similar to that for organisations currently covered under the PDPA.1 Data intermediaries will not be required to comply with the Data Portability Obligation, but organisations may contractually provide for their data intermediaries to process and respond to data portability requests on their behalf.
(b) Receiving Organisations
Organisations are only required to send data to receiving organisations that have a presence in Singapore. Organisations are not required to send data pursuant to a data portability request to a company overseas, but may choose to do so if requested.
(c) Requesting Individual
Any individual may make a data portability request to a Covered Organisation. The individual need not be in Singapore to make the request, so long as the organisation had collected, used or disclosed the individual's personal data in Singapore.
(d) Covered Data
The Data Portability Obligation only applies to data, held in electronic form, that is:
- provided by the individual to the organisation (User Provided Data); or
- generated by the individual's activities in using the organisation's product or service (User Activity Data).
The scope of the obligation would also include business contact information of the individual (though such data is otherwise excluded from the main provisions of the PDPA) and may include personal data of third parties other than the requester if that information is either User Provided Data or User Activity Data.
However, data that is held in non-electronic form (e.g. paper forms) is not subject to the Data Portability Obligation. Derived data, that is, new data elements created through the processing of other data by applying business-specific rules, is also excluded. For instance, a public transport service would be required to port a commuter's sign-up information pursuant to a data portability request, but not the general commuter travel patterns derived from analysing commuter travel histories.
Covered Organisations may also refuse to port data if doing so would reveal confidential commercial information that could harm the competitive position of the organisation.
The consultation paper also sets out the key responsibilities that a covered organisation should fulfil in respect of a data portability request including responsibility to provide an avenue to make the request, check the veracity of the request, and allow the individual to verify the data before it is ported. The covered organisation may charge a reasonable fee to cover the costs of porting the data, and the proposed timeframe to respond to a request is 7 calendar days.
It is also proposed that the receiving organisation is responsible for verifying that the data ported is complete and conforms to the applicable formats and standards for data transmission. The receiving organisation may also choose to retain only the portion of the data that is relevant to it, and reject or delete irrelevant or excessive information.
The scope of the proposed Data Portability Obligation also makes it possible for a receiving organisation to define what personal information of the individual it needs to receive (for instance, user details and contact information for account opening) pursuant to a data portability request. The receiving organisation could then send the request to the covered organisation on behalf of the individual.
While the Data Portability Obligation will apply generally, the PDPC is considering prescribing binding codes of practice for data portability in specific clusters or sectors. These codes of practice may include further prescriptive requirements regarding consumer safeguards, security of data and/or interoperability. The PDPC intends to develop these codes of practice in consultation with sector regulators and industry stakeholders.
The consultation paper also touches on the potential benefits and drawbacks of Data Portability. This topic was explored further in the data portability discussion paper issued by the Personal Data Protection Commission (PDPC) in collaboration with the Competition and Consumer Commission of Singapore (CCCS) earlier this year. You may refer to our client alert on the earlier discussion paper for a summary of the discussion paper.
The Proposed Data Innovation Provisions
The Proposed Data Innovation Provisions are intended to enable businesses to use personal data for certain business innovation purposes. These business innovation purposes are:
- operational efficiency and service improvements
- product and service development
- knowing the customer better
For these purposes, organisations will not be required to notify individuals or seek their consent to use personal data.
These provisions also extend to the situation where the individual has actively withdrawn consent. Ordinarily, an organisation must delete or anonymise personal data once it is reasonable to assume that there is no longer a business or legal purpose for retaining it. Use of data for a business innovation purpose will be a recognised business purpose, allowing the organisation to continue to retain the personal data for that purpose even after consent is withdrawn. Organisations will, however, still have to take into account the risk of unauthorised access to, or disclosure of, personal data in their possession or under their control when setting the retention period.
However, consent continues to be required for collection and disclosure of personal data, even if such collection and disclosure is made for business innovation purposes.
The consultation paper also addresses the concept of "Derived Data", which is new data created through the processing of other data by applying business-specific logic or rules. Derived Data is expected to be generated by the use of data for business innovation purposes, and such data could still be personal data under the current definitions. The proposed Data Innovation Provisions recognise the business-specific input and processing that go into the creation of Derived Data and the resulting sensitivities around access to such data. It is proposed that, apart from exempting Derived Data from the Data Portability Obligation (as set out above), organisations will also be exempted from the access and correction obligations in respect of Derived Data. However, organisations will still be required, upon request, to provide individuals with information about how the organisation may have used or disclosed Derived Data in the past year.
You may find a copy of the consultation paper here. Individuals and organisations may provide their feedback on the consultation paper by email to email@example.com before 5 pm on 3 July 2019.
Please let us know if you have any queries regarding this consultation paper, or require assistance in making a submission.
In addition, the PDPC has also issued two other guides:
- a guide on active enforcement that sets out the active enforcement framework, which is PDPC's new approach to enforcement
- a revised guide to managing data breaches that takes into consideration intended changes to the PDPA to include a mandatory data breach notification requirement
1 Persons and organisations set out in Section 4(1), that are excluded from the ambit of the main provisions of the PDPA, will be similarly excluded from the Data Portability Obligation.