Singapore launches new guide to promote accountability in personal data protection

SINGAPORE (July 15): Singapore on Monday launched a Guide to Accountability in personal data protection, as the city-state continues to ramp up its preparations for a future digital economy that is expected to generate large amounts of personal data.

The guide will see a shift in emphasis from a compliance-based approach in the management of personal data, which Singapore’s Personal Data Protection Commission (PDPC) says is increasingly impractical and insufficient to keep pace with developments in data processing activities.

“Amid a business environment that is constantly disrupted by technology, it is impractical to adopt the approach of a box-checking exercise when handling personal data,” says PDPC commissioner Tan Kiat How.

“In fact, a simplistic and rigid approach would do more harm than good in the long term,” he adds.

As such, the PDPC is shifting towards an accountability-based approach, which will provide consumers with greater assurances, enhance business competitiveness, and strengthen the public’s trust in organisations’ data protection practices.

“Simply put, accountability is exercising responsibility over personal data in your care, and being answerable to people who have entrusted their personal data to you,” Tan says.

Tan emphasises that the shift from compliance to accountability had started two years ago, and is a shift in emphasis rather than a change in principle.

The guide covers accountability in three broad areas: within an organisation, within the industry, and in enforcement. It includes examples and resources that organisations may use to translate accountability concepts into practical steps it can adopt.

Speaking at the opening of the International Association of Privacy Professionals (IAPP) Asia Privacy Forum 2019 on Monday, Tan says accountable organisations with a data breach management plan may approach PDPC with an undertaking if a data breach is confirmed – instead of having the threat of protracted investigations hanging over their heads.

“The undertaking will be accepted if it achieves similar or better enforcement outcome than a protracted investigation. If they are able to implement their breach management plan as scheduled, and it is implemented effectively, the will be no need to commence protracted investigations,” Tan says.

At the same time, organisations now have the option of requesting for an expedited breach decision in the case of clear-cut data breaches.

“They have to admit to a breach of the PDPA, and they have to assist PDPC in reaching a swift decision. This allows accountable organisations to conduct themselves with dignity and act responsibly,” says Tan. “We did not have this option before.”

Later this week, Minister for Communications and Information, S Iswaran, is expected to announce several new initiatives related to the Personal Data Protection Act (PDPA).

This is expected to include support of training and empowerment of organisations’ Data Protection Officers (DPOs).