03 May 2021
The Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”) was passed in Parliament on 02 November 2020, and is partially in force as of 01 February 2021. The Amendment Act marks the first comprehensive review of the Personal Data Protection Act 2012 (“PDPA”) since its enactment, and is the culmination of a series of consultations between the Ministry of Communications and Information (“MCI”), the Personal Data Protection Commission (“PDPC”) as well as public and industry stakeholders.
This article, Part 2 of a 3-part series, highlights some key updates to the PDPA introduced by the Amendment Act, and focuses on updates relating to individual rights, and in particular, access rights, preservation of data, and a new data portability obligation.
Access to personal data
The default position is that an organisation must give individuals access to their personal data.
Certain exceptions are provided at section 21(3) of the PDPA. In particular, sections 21(3)(c) and 21(3)(d) state that an organisation is not required to provide an individual with access to their personal data if by doing so, it would reveal personal data of another individual.
The Amendment Act introduces section 21(3A) – an exception to this exception. Section 21(3A) states that sections 21(3)(c) and 21(3)(d) do not apply to “user activity data” of the individual, and “user-provided data” from the individual.
“User activity data” means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation. “User-provided data” means personal data provided by an individual to the organisation.
In other words, where the organisation has collected personal data about the individual (i) arising out of the individual’s use of the organisation’s products or services; or (ii) as a result of the individual providing personal data to the organisation, the individual must still be given access to such personal data even if it reveals personal data of another individual.
The Amendment Act also introduces new sections 21(6) and 21(7) to the PDPA.
Section 21(6) states that if an individual makes an access request and the organisation does not provide any personal data to that individual because of the exceptions at sections 21(2) and 21(3), the organisation must notify the individual of its rejection.
Section 21(7) states that if an individual makes an access request and the organisation provides some but not all of the personal data requested because certain personal data is excluded pursuant to the exceptions at sections 21(2), 21(3) and 21(4), the organisation must notify the individuals of the exclusion of personal data requested under sections 21(2) and 21(3).
Section 21(4) is not included in this notification requirement because an organisation is not to inform an individual about its disclosures of that individual’s personal data to law enforcement agencies under the PDPA or any written law if the disclosure was made without the individual’s consent (e.g. an organisation that tips off the police about an individual’s illegal activity should not inform the individual about the tip-off).
Preservation of copies of personal data
Where an organisation refuses to provide an individual with a copy of their personal data pursuant to an access request, the new section 22A of the PDPA now requires that organisation to preserve a complete and accurate copy of that personal data for:
This obligation preserves the data in the event the individual is subsequently granted access to their personal data in the course of an appeal.
Data Portability Obligation (not yet in force)
Like the data breach notification obligation, the data portability obligation is another significant change introduced by the Amendment Act. Upon coming into effect, it will allow individuals to request for a copy of their personal data to be transmitted to another organisation.
Pursuant to a new Part VIB, an organisation will be required to comply with an individual’s data porting request where:
This obligation will be subject to certain exceptions, including where compliance would threaten or cause grave or immediate harm to the safety, physical or mental health of the individual or would be contrary to national interest. In addition, an organisation will not be required to comply if the data porting request is frivolous or vexatious, would unreasonably interfere with its operations, or the burden or expense would be unreasonable or disproportionate to the individual’s interests.
When it comes into effect, the data portability obligation will give individuals greater autonomy and control over their personal data, prevent consumer lock-in, and make switching between service providers more convenient.
Section 26(I) also permits an organisation to transmit personal data relating to person Y in the course of giving effect to a data porting request made by person X, if the data porting request is made in X’s personal capacity and relates to X’s user activity data or user-provided data. The receiving organisation that receives Y’s personal data must use that personal data only for the purpose of providing goods or services to X.
In this regard, it draws parallels with section 21(3A) which permits disclosing Y’s personal data pursuant to an access request made by X if the personal data relates to X’s user activity data or user-provided data.
Section 26(J) requires the porting organisation to preserve complete and accurate copies of the data specified in the porting request for a prescribed period.
Section 51(1)(c) makes it an offence to request porting of another individual’s personal data without that individual’s authority.
In adapting to the amended PDPA, organisations should review their data protection policies and procedures and ensure that they are in line with the new amendments.
In particular, organisations should ensure that they are sufficiently prepared to manage data breach incidents in light of the mandatory data breach notification obligation. Where they update their data protection policies and procedures, they should conduct internal training sessions on the same. Organisations should also review their operations and consider the feasibility of taking advantage of the expanded consent framework.
Please contact us if you need assistance on personal data protection matters.
Read the rest of this series
Director, BR Law Corporation
Trainee, BR Law Corporation
Post date. Edit this to change the date post was posted. Does not show up on published site. 3/5/2021
The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of publication, but may no longer be, now or in the future, in the employ of the firm.
Subscribe to our Newsletter
Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.