Personal Data Protection Breaches
The following summarises selected key issues related to how the PDPC may exercise its enforcement powers in cases of personal data protection breaches.
Organisations covered by the PDPA
The Personal Data Protection Act 2012 (PDPA) applies to organisations, including:
“... any individual, company, association or body of persons, corporate or unincorporated, whether or not
(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;”
The data protection obligations in the PDPA do not impose any obligations on:
any individual acting in a personal or domestic capacity;
any employee acting in the course of his employment with an organisation;
any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or
any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
Personal Data Protection Complaint Handling
The PDPC expects organisations to take individuals’ concerns about their personal data seriously and to work actively with individuals to sort out their concerns.
When a complaint is received by the PDPC, the PDPC may assess if it can help to address the individual’s concerns by facilitating communications between the individual and organisation. If an individual and an organisation are unable to resolve the matter directly and require additional assistance, the PDPC may refer the matter for mediation by a qualified mediator. The PDPC will only do so if both the individual and the organisation agree that the matter be referred to mediation. If the matter is resolved amicably, the PDPC will generally not proceed with further investigations. Where applicable, the PDPC may direct the parties to resolve the matter through alternative dispute resolution.
The PDPC encourages all parties to consider the above processes before lodging a complaint with the PDPC. The PDPC may, upon complaint or of its own motion, conduct an investigation to determine whether an organisation is compliant with the PDPA.
Aggravating and Mitigating Factors
In this section, the PDPC sets out a non-exhaustive list of some aggravating and mitigating factors that the PDPC may consider when it calculates a financial penalty.
Some of the factors which the PDPC may consider to be aggravating factors include, but are not limited to:
the organisation failed to actively resolve the matter with the individual in an effective and prompt manner;
intentional, repeated and/or ongoing breaches of the Data Protection Provisions by an organisation. This would include situations where the organisation knew, or ought reasonably to have known, of the risk of a breach, or of an actual breach, of the Data Protection Provisions but continued with its operations without taking measures to minimise the risk or remedy the breach;
obstructing the PDPC during the course of investigations (such as making efforts to withhold or conceal information requested by the PDPC);
failing to comply with a previous warning or direction from the PDPC; and
the organisation is in the business of handling personal data (such as medical or financial data), but failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of that personal data.
Some of the factors which the PDPC may consider to be mitigating factors include, but are not limited to:
the organisation has actively and promptly tried to resolve the matter with the individual;
the organisation has taken reasonable steps to prevent or reduce the harm of a breach (such as putting in place strong passwords and/or encrypting the personal data to prevent unauthorised access);
the individual affected by the breach has already received a remedy in some other form (for example, through a civil action against the organisation);
the organisation has engaged with the individual in a meaningful manner and has voluntarily offered a remedy to the individual, and that individual has accepted the remedy;
the organisation took immediate steps to reduce the damage caused by a breach (such as informing individuals of steps they can take to mitigate risk); and
the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach, and co-operated with the PDPC in its investigations.
Handling of Reviews
The PDPC may review applications made by individuals on the following matters:
an organisation’s refusal to provide access to personal data requested by a complainant (an “access request”), or failure to provide such access within a reasonable time;
a fee required by an organisation from the complainant in relation to a complainant’s access request or a request to correct personal data requested by a complainant (a “correction request”); or
an organisation’s refusal to correct personal data requested by the complainant in a correction request, or a failure to make such a correction within a reasonable time.
When the PDPC receives an application for a review, the PDPC will first consider whether it can help to address the individual’s concerns by facilitating communications between the individual and organisation. If an individual and an organisation are unable to resolve the matter directly and require additional assistance, the PDPC may refer the matter for mediation by a qualified mediator. The PDPC will only do so if both the individual and the organisation agree that the matter be referred to mediation. If the matter is resolved amicably, the PDPC will generally not proceed with the review.
The PDPC encourages all parties to consider the above processes before submitting a review with the PDPC. Some of the possible outcomes of a review include:
for the organisation to give access to the personal data specified by the individual (which the organisation has refused or failed to give access to within a reasonable time);
for the organisation to make the correction specified by the individual (which the organisation has refused or failed to make within a reasonable time); or
for the organisation to be disallowed from charging a fee, for the fee to be reduced or for the organisation to make a refund of a fee paid by the complainant.
Power to Require the Production of Documents or Information
Where the PDPC has reasonable grounds for suspecting that an organisation is not complying with the PDPA, it may require any organisation to produce specified documents or to provide specified information, by written notice.
The PDPC is not limited to approaching an organisation suspected of infringement and/or the organisation’s officers. For example, the PDPC may approach third parties such as an organisation’s outsourced service providers, associated business agents and other affiliates. When requiring an organisation to produce a document, the PDPC may:
take copies or extracts from any document produced;
require a person served with a notice to produce the document to provide an explanation of the document produced; and
if the document is not produced, require a person served with a notice to produce the document (or any past or present officer or employee of that person) to state, to the best of that person’s knowledge or belief, where the document can be found.
Power to Enter Premises for Inspection
The PDPC has powers enabling it to enter premises and to gain access to information, documents and equipment or articles relevant to an investigation.
When entering any premises for inspection, the PDPC's inspector or person assisting the inspector will identify himself by producing his Authorisation Card and evidence of his authority to enter the premises.
Please contact the PDPC's main line at 6377 3131 (during office hours) if you require verification of an officer’s identity.
Power to Enter Premises without Warrant
The PDPC may effect entry into any premises without a warrant by giving the occupier of the premises at least 2 working days’ written notice of the intended entry and indicating the subject matter and purpose of the investigation. The PDPC may also effect entry into any premises without a warrant and without notice, if the inspector has reasonable grounds for suspecting that the premises are, or have been, occupied by an organisation which is being investigated in relation to a contravention of the PDPA. The PDPC may exercise this power if the inspector has taken reasonably practicable steps to give notice to the organisation but has not been able to.
The PDPC is not limited to entering the premises of an organisation suspected of infringement but may enter any premises. This includes premises of associated business partners or customers of an organisation.
Power to Enter Premises under Warrant
The PDPC may apply to a District Court for a warrant authorising an inspector or officer of the PDPC named in the warrant (“named officer”) and other persons assisting the inspector or authorised in writing by the PDPC (“accompanying officers”) to enter and search any premises.
Access to Legal Advice
If the PDPC exercises its powers to effect entry into the occupier’s premises, the occupier of the premises may request to consult its legal adviser. The investigating officer, authorised person, inspector or person required by the inspector may allow this request if he thinks that it is reasonable and the time taken for the occupier’s legal adviser to arrive at the premises is reasonable. The exercise of the right to consult a legal adviser must not delay or impede the inspection. The investigating officer, authorised person, inspector or person required by the inspector may not wait for an external legal adviser to arrive if the occupier has an in-house legal adviser present on the premises, or if the occupier was given prior notice of the intended entry.
Directions to Secure Compliance
Section 29(1) of the PDPA provides that the PDPC may, if it is satisfied that an organisation is not complying with any of the Data Protection Provisions, give the organisation such directions as the PDPC thinks fit in the circumstances to ensure the organisation’s compliance with that provision.
Section 29(2) of the PDPA further provides that the PDPC may (without prejudice to section 29(1) of the PDPA) give an organisation that is not complying with any of the Data Protection Provisions any or all of the following directions:
to stop collecting, using or disclosing personal data in contravention of the PDPA;
to destroy personal data collected in contravention of the PDPA;
to comply with any direction of the PDPC under section 28(2) of the PDPA;
to pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.
General Offences and Penalties
It is an offence under section 51(3)(b) and (c) of the PDPA to:
obstruct or impede the PDPC, its inspectors or other authorised officers in the exercise of their powers or performance of their duties under the PDPA; or
knowingly or recklessly make a false statement to the PDPC, or knowingly mislead or attempt to mislead the PDPC, in the course of the performance of the duties or powers of the PDPC under the PDPA.
An organisation or person that commits an offence under section 51(3)(b) or (c) of the PDPA is liable:
in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
in any other case, to a fine not exceeding $100,000.