Changes to the access and correction obligations you should know

Changes to the access and correction obligations you should know

Currently, an organization is required to offer an individual with: (a) personal data on the individual that the organization has in its possession or under its control, and (b) information on how the personal data referred to in paragraph (a) was or may have been used or disclosed by the organization within a year before the date of the request.

An organization is not required to give an individual personal data or other information concerning the matters stated in the Fifth Schedule to the Personal Data Protection Act (PDPA).

From the organization’s standpoint, they are generally matters of convenience; for example, an organization is not obligated to give opinion data kept only for evaluative purposes but may choose to do so. Similarly, an organization is not compelled to answer a request if it is unreasonable, the requested information is minor, or the request is generally frivolous or vexatious.

Perhaps more importantly, an organization is not permitted to transmit personal data or other information to an individual if doing so could reasonably be expected to:

(a) endangers the safety or physical or mental health of someone other than the person who submitted the request;

(b) endanger the individual who made the request’s safety or bodily or mental health in an immediate or grave manner;

(c) divulge personal information about another person;

(d) expose the identity of an individual who has given personal data about another individual if the individual supplying the personal data does not consent to the revelation of his or her identity; or

(e) be inimical to national interests.

Furthermore, an organization is not entitled to notify any individual that it has disclosed personal data to a specified law enforcement agency if the disclosure was made without the individual’s consent.

Also Read: Guarding against common types of data breaches in Singapore

The proposed change to prohibition relating to ‘other individuals’

In collaboration with the Personal Data Protection Commission of Singapore, the Ministry of Communications and Information began an online public consultation of the Personal Data Protection (Amendment) Bill 2020 on May 14, 2020. Certain amendments were recommended to impact the conditions under which an organization is not entitled to furnish an individual with personal data or other information.

The Commission referred to the prohibitions in paragraphs (c) and (d) in its Public Consultation Paper, stating that in its experience, these prohibitions have resulted in implementation issues for organizations providing access to personal data (for example, removing third parties’ personal data captured in CCTV footage).

As a result, the draft amendment bill narrows the scope of the limitations mentioned above. It will enable enterprises to grant access to personal data regardless of whether such access may:

(1) share intimate information about another person or

(2) expose the identification of a person who has submitted personal information about another person but does not consent to the disclosure of their identity.

Amendments to the Access Obligation to implement the ‘other individuals’ initiative

First, the PDPA will be amended to include the following two new definitions:

• ‘User activity data’ is defined as personal data about an individual that is created during or as a result of the individual’s usage of any product or service provided by the organization.
• ‘User-supplied data’ is defined as the personal information provided to an organization by an individual.

Second, section 21 will be changed with the addition of a new subsection (3A). The new subsection has the following effect:

• As stated above, subsections (3)(c) and (d) do not apply to any user activity data on the individual who submitted the request, despite such data comprising personal data about another individual.
• Subsections 3(c) and (d) do not apply to any user-provided data from the individual who made the request, even if such data contains personal information about another person.

Amendments to the Access Obligation – notifications to individuals

If an organization refuses to comply with a request to furnish an individual with personal data or other information because the organization: (1) is not obligated to do so, owing to the application of the Fifth Schedule, and/or (2) is not permitted to do so because one or more of the preceding paragraphs (a) to (e) apply, then the individual must be notified of the rejection by the organization.

This must be completed within the time frame specified and in compliance with the specifications. The prescribed time and requirements have not yet been determined.

If an organization is able to provide an individual with personal data and other information, it must grant the access request:

(1) in the absence of any personal data or other information that it is not obligated to offer and/or is not permitted to provide, and

(2) without regard to any disclosure to a specified law enforcement agency

In such cases, it must advise the individual of any personal data or other information that has been excluded because it is not required to offer it or is not permitted to provide it.

Preservation of copies of personal data

According to the Commission’s Public Consultation Paper, organizations are currently required to keep a copy of the individual’s requested personal data if the organization declines the individual’s access request. As a result, even if the asking individual seeks recourse for the refusal of the request, if the organization deletes it, the seeking individual can no longer acquire access to the sought personal data.

The draft amendment bill will include a requirement for organizations to keep a copy of personal data to which they refuse access under the Access and Correction Obligation.

The organization must keep it for an unspecified period, though the Commission mentions in the Public Consultation Paper at least 30 calendar days after the request is rejected or until the individual has exhausted their right to apply for a reconsideration request or to appeal the decision, including to a Court, whichever comes first.

The organization must ensure that the copy of personal data it keeps is a complete and accurate copy of the personal data.

Correction of an error or omission in personal data

An individual may request that an organization correct an error or omission in personal data on the organization’s individual in its possession or control. Unless the organization is satisfied on reasonable grounds why a correction to the personal data should not be made, the organization must make the adjustment as quickly as possible.

An organization is not compelled to correct or otherwise alter an opinion, including the opinion of a professional or expert. Furthermore, an organization is not compelled to correct personal data in relation to the matters listed in the Sixth Schedule.

The issues listed in the Sixth Schedule are not surprising at the moment – organizations are not compelled to correct:

(a) opinion data that is only stored for evaluating purposes;

(b) any examination administered by an educational institution, examination scripts, and examination results prior to their distribution;

(c) personal information on beneficiaries of a private trust held solely to administer the trust;

(d) personal data retained by an arbitral institution or a mediation center only for the purposes of arbitral or mediation proceedings conducted by the arbitral institution or mediation center;

(e) a prosecution-related document if all prosecution-related processes have not been completed.

The draft amendment bill adding ‘(f) derived personal data’.

Personal data about an individual that an organization derives in the course of business from other personal data about the individual or another individual in the ownership or control of the organization is referred to as ‘derived personal data.’ It excludes any personal data obtained by the organization through any prescribed means or manner.

According to the Commission’s Public Consultation Paper, generated personal data does not include data obtained by the organization using simple sorting or standard mathematical functions such as averaging and summing. This may provide some insight into what might be omitted from the concept of “derived personal data.”

The Commission notes in the Public Consultation Paper that, in order to ensure that organizations remain accountable for personal data in their possession or control, organizations will still be required to provide individuals with access to derived personal data and information, about how the derived personal data has been or may have been used or disclosed by the organization within a year of the date of the request for such information.

Also Read: What you need to know about appointing a Data Protection Officer in Singapore