Privacy Ninja

Expedited Data Breach Decision: PDPC Guide on Active Enforcement

Expedited Data Breach Decision
The PDPC may consider an Expedited Data Breach Decision if the organisations involved make an upfront admission of culpability for their role in causing the breach.

The Personal Data Protection Commission (PDPC) published a Guide on Active Enforcement on May 22, 2019, signaling a shift in how the PDPC will approach enforcement actions in the future.

There are three primary enforcement tactics under the present approach outlined in the Advisory Guidelines on the Enforcement of Data Protection Provisions. Where appropriate, the PDPC may use alternative dispute resolution processes, such as mediation and assisted negotiation, to resolve what is primarily a dispute between the parties. Alternatively, the PDPC may launch an investigation, using its statutory powers of investigation under the PDPA to gather facts and reach a conclusion. Finally, if an organisation has made a decision on a request for access to or correction of personal data, the PDPC may review that decision.

Voluntary undertakings and expedited decisions are two further intermediate enforcement methods described in the Guide that may be pursued in lieu of a full investigation. Previously, neither the Guidelines nor the PDPA specifically provided for them. The Guide explains the scope of these additional alternatives as well as the situations in which the PDPC will use either enforcement option when investigating a breach.

This update is for organisations that want to better understand the new enforcement alternatives that have become available and the steps that should be taken ahead of time to preserve the opportunity to seek an undertaking.

Undertaking

An undertaking is a written commitment made by the organization to the PDPC that voluntarily commits the organization to correct the violations and take actions to prevent future occurrences.

In most cases, an undertaking is available when:

1. It delivers a similar or better enforcement outcome for the PDPC than a comprehensive investigation; or

2. The organisation can demonstrate that it has accountable data protection practices in place, such as a Data Protection Trustmark (Trustmark), and an effective remediation plan that it is ready to implement.

The remediation plan should include steps to prevent a recurrence of the incident, together with the development of monitoring and reporting mechanisms, audits, and policy/process reviews.

A typical undertaking will include a summary of the data breach incident as well as the efforts made to notify the affected individual(s) and minimise harm to them. The PDPC also expects the organisation to have executive-level support for the undertaking, which means the undertaking must be signed by the CEO or someone of equivalent standing.

The Guide also gives examples of situations in which the PDPC will not accept a request for an undertaking. For example, the PDPC will not accept the request if the organisation denies responsibility for the data breach, refuses to accept the undertaking’s terms and conditions, or does not agree to the undertaking’s publication. In addition, a request for an undertaking must be submitted promptly after the investigation begins, and the organisation must have a remediation plan ready. The PDPC will not accept a request for an undertaking that requires more time to develop a remediation plan.
Of the two conditions under which an undertaking is a realistic alternative, the second is partly within the organisation’s control and can be planned for. It requires organisations to be prepared to demonstrate sound, accountable data protection practices ahead of time. Organisations that have conducted scenario planning and exercises for responding to data breaches will be better positioned to produce a remediation plan quickly once an investigation begins. Organisations that have gone the extra mile to achieve Trustmark certification are also in a better position to seek an undertaking.

This highlights the importance of having documented protocols in place and of organisational preparedness for dealing with possible data breach situations.

Expedited Data Breach Decision

The PDPC may consider an expedited decision if the organisation(s) involved make an upfront admission of culpability for their role in causing the breach. The organisation must submit a written request to the PDPC and provide, and admit to, all information pertinent to the data breach. In general, the PDPC will consider an expedited decision if the breach involves a failure to designate a data protection officer or to establish a privacy policy, or if the nature of the data breach is similar to precedent cases with comparable facts.

An expedited decision shortens the time it takes to complete an investigation. Although the PDPC will still issue a full decision (including any applicable directions), the admission of culpability will be a significant mitigating factor if financial penalties are involved.
Full Investigation Process

When a data breach has a substantial impact, such as when a large number of people are affected or the personal data disclosed could cause considerable harm, the PDPC will normally initiate a full investigation right away. Investigations that are determined to have a low impact may be discontinued.

If the PDPC finds a breach, it may impose: (i) a warning; (ii) directions only; (iii) a financial penalty only; or (iv) both directions and a financial penalty.
