Possible Practical Issues and Solutions Regarding the New PDPA Guideline

Contributed by: Lenon Ong

Introduction

This article will discuss the possible practical issues that may arise in relation to the New Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers (“New Guideline”)[1] and the Personal Data Protection Act[2], as well as the proposed solutions that should be taken by the Personal Data Protection Commission (“PDPC”). For the purposes of this article, the Singapore National Registration Identification Card (“NRIC”) number and other national identification numbers, such as passport numbers and work permits, will be referred to as “Personal ID”.


The Personal ID is the most uniquely identifying piece of data that an individual possesses. Given its uniqueness and importance, it is no wonder that hackers place a high value on it. Compared to other personal data such as contact information and credit card numbers, which can be easily deactivated and changed, the Personal ID is bound to an individual and cannot be changed. According to industry estimates[3], a Personal ID commands a much higher price than other types of personal data on the black market. As data becomes increasingly accessible, the PDPA and the New Guideline are key in regulating local and trans-border data processes.

A broad overview of the PDPA

The PDPA imposes a set of regulations to ensure a satisfactory level of data protection in Singapore. The PDPA was enacted with the legislative purposes of protecting individuals and facilitating commercial activities in Singapore as a business hub. Ever since the PDPA came into force in July 2014, it has been effective in imposing a set of obligations to keep personal data as secure as possible in the private sector. However, the PDPA does not cover the public sector, which has its own data protection regime.

Under the PDPA, the PDPC may impose a financial penalty of up to S$1 million if it finds that an organisation has breached the obligations imposed by the PDPA.

What is “personal data”?

“Personal data” is defined under section 2(1) of the PDPA as “data, whether true or not, about an individual who can be identified” either:

  1. “from that data”; or
  2. “from that data and other information to which the organisation has or is likely to have access”.

Therefore, Personal IDs such as NRIC numbers, Birth Certificate numbers, Foreign Identification Numbers (“FIN”), passport numbers, and Work Permit numbers are all considered to be personal data under the PDPA.[4]

Who must comply with the PDPA?

Pursuant to section 2(1) of the PDPA, “organisation” has a rather broad definition, which covers “any individual, company, association or body of persons, corporate or unincorporated”. Generally, even individuals would have to comply with the PDPA, as long as they are not acting in a personal or domestic capacity, as an employee of an organisation or public agency, or as any other prescribed organisation or class of organisations.

What does the New Guideline entail?

The New Guideline complements the PDPA. It clarifies how the PDPA applies to organisations’ collection, use and disclosure of Personal IDs, including the retention of physical NRICs by organisations. Generally, it would be legal to collect, use, and disclose Personal IDs when required by law or when there is a need to accurately establish or verify the identities of individuals to a high degree of fidelity.

It will be considered necessary to accurately establish or verify the identity of an individual to a high degree of fidelity:

  1. where the failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk; or
  2. where the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation.

According to paragraph 3.16 of the New Guideline, where the collection of the Personal ID is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity, it would generally be considered reasonable[5] for the organisations to require the consent of the individual to collect, use or disclose his or her Personal ID for the stated purpose. It is important to note that apart from complying with the New Guideline, the obligations under the PDPA must not be neglected.


Practical issues that might arise from the New Guideline and solutions

Misconception on the part of the consumer

It is undeniable that the New Guideline would be helpful for organisations in understanding how and when the collection, use, and disclosure of Personal IDs would be illegal. However, consumers might still be ignorant about when they can object to the collection, use, and disclosure of their Personal IDs in practice.

This problem might arise because of reasons such as language barriers, lack of education, or misconceptions about the new regulation. For instance, a foreign worker in Singapore who is ignorant about the specific details of the New Guideline due to his or her poor understanding of English might refuse to provide his or her Personal ID when signing up for a new bank account, even though it is perfectly legal for the bank to collect, use, or disclose his or her Personal ID for the purposes of financial transactions. The misconception that organisations cannot collect Personal IDs could lead to unnecessary conflicts and distress for both the bank employee and the foreign worker. Therefore, there is room to further minimise the likelihood of disputes and delays in data collection.

Misconception on the part of the organisation

Compared to the average consumer, organisations do have more resources to seek legal assistance and clarify doubts on the New Guideline and the PDPA. However, not all organisations have sufficient resources to comply with the PDPA.

For example, non-profit organisations could face practical difficulties in trying to reasonably comply with the New Guideline and the PDPA. Usually, there would be a need to regularly refer to the PDPA and the PDPC’s guidelines while reviewing processes involving the collection, use, and disclosure of personal data. Moreover, the widespread requirement of “reasonableness” in the regulations can be rather vague to the layman. Compliance could be a time-consuming and daunting process for anyone who is not legally trained. There is a likelihood of misconception on the part of these organisations, despite their awareness of the PDPA and their attempts to comply with the obligations revolving around the collection, use, and disclosure of personal data.

Proposed solutions

Apart from stepping up awareness via educational posters for consumers and publishing guidelines for organisations, two solutions will be proposed. The first would be trusted certificates, and the second would be a grading system.

Both solutions aim to resolve the practical issues highlighted above by making it easier to comply with the PDPA, especially in situations involving the disclosure of personal data and Personal IDs by consumers and organisations. General awareness about data privacy and contractual clauses will also be heightened. The suggested solutions could work individually or complement each other.

1. Trusted certificates

One consideration would be to identify trusted organisations and attach a trusted “symbol” or certificate to such organisations. Trusted organisations would include organisations that are statutorily excluded from the limitations of the PDPA such as public agencies and any other prescribed organisations or classes of organisations pursuant to section 4(1)(d) of the PDPA. This would reduce the likelihood of conflicts when the trusted organisation attempts to collect Personal IDs at the first instance. Consumers would have greater ease of mind when disclosing their Personal IDs to organisations in possession of this certificate. Nonetheless, heavy penalties must be imposed for the misuse of the trusted certificates, and there must also be decent enforcement efforts.

2. Grading system

Another consideration would be to adopt a grading system. This solution would take a longer time to implement as it should optimally be implemented on as many organisations as possible.

The grading system would involve the PDPC evaluating business practices of organisations and recommending the level of disclosure to be made to the organisation. For instance, an “A-grade” organisation means that it would be generally safe to disclose Personal IDs and personal data to that organisation, which could be statutorily exempted from the PDPA. On the other hand, a “B-grade” organisation could require a certain level of caution when interacting with that organisation. A “C-grade” organisation might then be in a weak position to collect Personal IDs, and examples include cinemas and supermarkets.

It is crucial to implement a grading system on organisations because the solution supports one of the legislative purposes of the PDPA, which is to facilitate transactions in Singapore as a commercial hub[6]. The New Guideline, while strengthening data privacy, compromises on business efficiency. It would be desirable to consider lowering the costs of compliance in order to continue attracting foreign investment and trans-border business transactions.

Similarly, in the case of non-profit organisations, the increased costs in seeking legal advice could potentially deter such organisations from operating, or even forming in the first place. Non-profit organisations are usually beneficial to society as their operations range from animal welfare to community engagement. As non-profit organisations are not exempted from the obligations under the PDPA, it would be desirable to make the process of disclosing personal data as simple as possible.

Apart from potentially reducing the hours of work required by organisations in complying with the New Guideline and the PDPA, the average consumers could also benefit. With the presence of a grading system, consumers would be more conscious about data privacy and exercise caution in disclosing their personal data. In addition, consumers might be reminded to be more careful when signing any contracts by reading the clauses carefully.


Conclusion

The New Guideline will undeniably reinforce data privacy in Singapore and is definitely a step in the right direction. However, the New Guideline could start rendering compliance with the PDPA more difficult and costly. The author believes that the above solutions can reduce costs of compliance as well as reduce the likelihood of misconceptions about the New Guideline by the average man or woman on the street.

_____________________________

[1] Personal Data Protection Commission, ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR NRIC AND OTHER NATIONAL IDENTIFICATION NUMBERS (Issued 31 August 2018) https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers—310818.pdf, accessed 10 October 2018.

[2] Singapore Statutes Online, PERSONAL DATA PROTECTION ACT 2012 (No. 26 of 2012), https://sso.agc.gov.sg/Act/PDPA2012, accessed 10 October 2018.

[3] Straits Times, Irene Tham, TIME TO END OVERUSE OF THE NRIC (Published 16 November 2017) https://www.straitstimes.com/opinion/time-to-end-overuse-of-the-nric, accessed 10 October 2018.

[4] Supra note 1 at paragraphs 1.4 and 1.5.

[5] Supra note 1 at paragraph 3.16.

[6] Parliamentary Debates Singapore: Official Report, vol 89 (15 October 2012).
