Minister for Communications and Information Dr Yaacob Ibrahim announcing
a proposed review of the Personal Data Protection Act at the Personal
Data Protection Seminar on Thursday (Jul 27). Photo: Tan Weizhen/TODAY
SINGAPORE – Businesses may be allowed
to use consumers’ personal data without getting their consent in cases
where it is impractical or inappropriate to do so under a series of
proposed changes to the Personal Data Protection Act (PDPA).
Announcing the review of the PDPA at the
Personal Data Protection Seminar on Thursday (July 27), Minister for
Communications and Information Yaacob Ibrahim noted that the PDPA was
crafted in an era where "the majority of data was provided by users who
fill in their personal particulars via physical and online forms". A
review is therefore necessary, he said, given the rate at which the
digital economy is gaining pace and the large amounts of data generated
on new digital interfaces,
"Today, data can be generated and mined
through online activities and transactions. Mobile apps can make use of
our location information to match us to the nearest car ride sharing
apps or food delivery options. (Internet of Things) devices stream data
from health sensors and home cameras so you can keep track of your loved
ones through various apps," he said.
Hence, the Government is looking into allowing
businesses to use consumers' personal data without getting their
consent in cases where it is impractical to do so, or for legal or
business purposes where it is not appropriate to get consent.
For example, bicycle-sharing services may want
to share data among themselves of customers with a bad track record of
misusing or damaging bicycles. The proposed changes will allow them to
do so without seeking customers’ consent, however, the companies would
need to prove that there is a larger benefit, and they could then choose
to deny service to such customers.
In another scenario, a developer of
Internet-connected devices such as a smart watch wants to analyse its
users' personal data to improve the user experience for its services,
but it is unable to get consent through the smartwatch interface. Under
the proposed changes, it could be allowed to do so, provided it does not
have any adverse impact on consumers.
The proposed new rules would just require them
to notify customers in any manner of their choosing, for instance via
their website.
The Personal Data Protection Commission (PDPC)
also mooted the introduction of a mandatory data breach notification
regime under the PDPA.
This means that companies will need to notify
affected customers as soon as possible if their data, such as NRIC
numbers, credit card information and passwords, has been breached.
If the scale of the breach is at 500 or more affected consumers, the company would need to inform the PDPC within 72 hours.
The PDPC is seeking views on these proposals
through a public consultation from July 27 to Sept 21, with an eye on
effecting these changes by 2019.
Urging companies to use data responsibly, Dr
Yaacob said whether the potential of data can be realised will boil down
to trust, that companies will collect and use data sensibly and protect
it well.
Comments
Post a Comment