The Personal Data Protection Act (Singapore) was amended in November 2020. The amendment act added a new Part VIIIA to the PDPA (Personal Data Protection Act). It sets out offences that can affect anonymised information and personal data. This also brings to mind the importance of knowing the Data Protection principles and operations.
Nowadays, the Advanced Certificate in Data Protection Principles is offered to help individuals have a better understanding of data protection with emphasis on the legal requirements in Asia.
Complementing it, the Advanced Certificate in Data Protection Operational Excellence programme covers the operational aspects of data protection and information security, enabling the individual to understand them more thoroughly.
The offences can be committed by individuals, including employees of organisations as well as public agencies. In summary, they are:
- Unauthorised disclosure of personal data
- Inappropriate use of personal data
- Unauthorised re-identification of anonymised data or information
In the case of improper personal data use, whether there was harm or loss caused to another or a gain by the individual will also be considered. In relation to the three new offences, the individual is considered guilty of an offence, unless they have a valid defence.
On conviction, the individual faces a fine not exceeding $5,000, imprisonment for a term not exceeding two years, or both. In the Public Consultation Paper, the Commission stated that apart from strengthening organisational accountability, the accountability of individuals would also be strengthened.
The primary aim would be to hold those who have access or those who handle personal data (i.e., contractors or employees) accountable for egregious mishandling of personal data.
The Commission’s Comments on Applicability and Intentions
Organisations will be accountable for data protection.
The Commission points out in the Public Consultation Paper that the introduction of the offences committed by individuals will not detract from its policy position of holding organisations accountable for data protection. Organisations will also be liable for the actions of their staff and employees during their employment with the organisation.
Where employees will not be liable.
The Commission also stated that employees that act in accordance with the organisation’s practices and policies in the course of their employment or whose actions are authorised by the employers will not run the risk of such criminal sanctions.
For example, data scientists, AI engineers, statisticians, and cybersecurity specialists in the encryption industry and information security who re-identify anonymised data would not be held liable for any criminal sanctions if the re-identification is authorised by their employers in order:
- To conduct research and development, or
- To test their clients’ information security systems or their organisations’ information security services and products
The Commission also stated that other people who will not be subjected to criminal sanctions include academic researchers that re-identify anonymised data as part of their teachings and work on topics like encryption and anonymisation.
In the same manner, those who independently test the effectiveness of organisations’ information security systems (either as part of bug bounty programmes or as white-hat hackers) will not be subjected to criminal sanctions.
Does not apply where there is a private dispute.
Lastly, the Commission stated that it does not intend for the new offences to apply in instances where the conduct is a private dispute for which there is recourse under private law (for instance, where a former employee takes the organisation’s customer list when they join a competitor).
The Commission stated that similar private disputes should be settled through a civil suit or other available forms of dispute resolution. The new rules will not apply to individuals who are public officers as they are governed by the Public Sector (Governance) Act.