Virus or no virus, the PDPA is still here…

Now more than ever organisations should ensure compliance with the Personal Data Protection Act, or risk heavy fines

With a global pandemic infecting the world, stock markets crashing and entire teams working from home, data protection may have, understandably, taken a back seat in terms of priorities. However, given the massive amount of personal information companies are now taking on, understanding what to do with that data is more important than ever.

Many companies will have been forced to change their processes and introduce new ones in order to comply with guidance and new health rules, some of which may require the taking of personal information. For instance, go into any gym or shop and you are often required to take your temperature and write it down, along with your name, contact and other personal details.

Many business owners have gone from not accepting any personal details from their customers to now holding significant amounts of personal data, which also means they now need to ensure they comply with the Personal Data Protection Act 2012 (PDPA).

Unless required by law, companies are generally not allowed to collect, use or disclose an individual’s NRIC number (or copy of NRIC). However, an advisory written by the PDPC in light of COVID-19 states: ‘Organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the coronavirus disease 2019 (COVID-19).’ While this allows businesses to support contact tracing efforts to contain the virus, such collected personal data remains subject to all other data protection obligations under the PDPA.

Important for businesses, though, are the penalties and fines which come with breaching the Act. The Personal Data Protection Commission (PDPC) of Singapore regularly outlines its decisions on its website, where names and details of the offences are listed. In 2019 alone, over one and a half million dollars in fines was handed out to companies, and there has been a 168% increase in the number of data investigations since 2017.

Quite apart from the embarrassment of being listed on a public register, the fines are very real and ranged from SGD$5,000 to SGD$1,000,000 – something many companies can ill afford during this COVID-19-induced recessionary period. Yet thanks to the significantly increased amount of personal data firms are collecting, they are more vulnerable than ever to being hit by an investigation, and a potential fine.

There are three main ways organisations can still fall foul of the Act. The first is misuse: organisations may only collect such data for the purposes of contact tracing and other response measures in the event of an emergency. Should an organisation use this data for any other purpose – whether intentionally or unintentionally – it risks an investigation. For instance, should this data be mixed up with a pre-existing marketing database and the individuals receive promotional e-mails, that would be a breach of the PDPA.

The second is poor security. Many of the PDPC decisions come about due to poor security or weak processes within organisations, which result in the leaking and disclosure of personal data. This could be as simple as an employee accidentally releasing information, or hackers accessing the data. Poor security can result in significant fines under the PDPA.

Lastly, retention of personal data. Given that this data is only to be collected due to the COVID-19 ‘emergency’, the organisation should get rid of this information once it is safe to assume it is no longer required. Obviously, for the time being, organisations should safely keep this personal data until the COVID-19 pandemic has ended. However, as soon as it is safe to do so, they should get rid of all the data that they collected.

We are living through very extraordinary times and the focus of many business leaders is elsewhere, understandably. However, given the economic situation, now is probably one of the worst times to be hit with a fine as a result of breaching the PDPA, especially if that fine is avoidable.