Additional offences under the PDPA that could get you into trouble

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.

The amendment bill adds a new Part VIIIA to the Personal Data Protection Act, the PDPA. It sets out offences affecting personal data and anonymised information. These are offences that may be committed by individuals, including employees of organisations and of public agencies. They are, in summary:

• unauthorised disclosure of personal data
• improper use of personal data and
• unauthorised re-identification of anonymised information

when an individual takes such an action either knowing that they are not authorised to do so or being so careless about whether they are authorised or not that they are reckless about it.

In the case of improper use of personal data, whether there has been a gain by the individual or harm or a loss caused to another person is also relevant.

In relation to each of the three new offences, the individual is guilty of an offence unless they have a defence, that will be set out in the PDPA. On conviction, the individual is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years or both.

In the Public Consultation Paper, the Commission said that besides strengthening organisational accountability, the accountability of individuals would also be strengthened. The aim is to hold individuals who handle or have access to personal data (for example, employees or contractors) accountable for egregious mishandling of personal data.

Commission's comments on intentions and applicability

Organisations will remain primarily accountable for data protection

The Commission took pains to point out in the Public Consultation Paper that the introduction of these offences by individuals does not detract from its policy position of holding organisations primarily accountable for data protection. Organisations remain liable for the actions of their employees in the course of their employment with the organisation.

Examples where employees would not be liable

The Commission stated that employees acting in the course of their employment, in accordance with their employer's policies and practices, or whose actions are authorised by their employers, will not run the risk of such criminal sanctions. For instance, in connection with re-identifying anonymised information, the Commission mentioned that cybersecurity specialists, data scientists, AI engineers and statisticians in the information security and encryption industry who re-identify anonymised data would not be held liable for criminal sanctions if their re-identification is authorised by their employers in order:

• to carry out research and development or 
• to test the robustness of their organisations' information security products and service or their clients' information security systems,

The Commission said that other individuals who will not be subject to criminal sanctions include academic researchers who re-identify anonymised data as part of their research work and teaching of topics on anonymisation and encryption. Similarly, individuals who independently carry out effectiveness testing of organisations' information security systems, either as white-hat hackers or as part of bug bounty programmes, will not be subject to criminal sanctions.

Not applicable where there is a private dispute

Finally, the Commission said that it does not intend for the new offences to apply in situations where the conduct is in the nature of a private dispute for which there is recourse under private law (for example, where an ex-employee takes an organisation's customer list when joining a competitor).

The Commission said that such private disputes should continue to be settled through civil suits or other forms of dispute resolution.

Commission's comments regarding public officers and criminal penalties

The new rules do not apply to individuals who are public officers because they are governed under the Public Sector (Governance) Act.

The Commission noted that the Public Sector Data Security Review Committee (PSDSRC) recommended that individuals who are not public officers should be held liable for criminal penalties similar to those under the Public Sector (Governance) Act.

Consequently, the penalties for individuals found guilty of each offence are aligned for public officers and for individuals who are not public officer - for example, individuals working in private enterprise.

Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.