Generally, the powers of the PDPC in the enforcement of any breach of data protection law include:
- powers relating to alternative dispute resolution;
- powers relating to review applications; and
- powers of investigation.
Any individual affected by an organisation’s non-compliance with any of the main data protection provisions may lodge a complaint with the PDPC. Upon receipt of a complaint, the PDPC may investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution. As mentioned in question 2, the PDPC may commence an investigation in respect of potential breaches of the PDPA further to a complaint, or on its own motion.
In this regard, the Enforcement Guidelines and the public guidance published on the PDPC’s website as of 31 May 2019 state that, when a complaint is received by the PDPC, the PDPC may assess whether it can help to address the individual’s concerns by facilitating communications between the individual and the organisation.
If the individual and the organisation are unable to resolve the matter directly and require additional assistance, the PDPC may refer the matter for mediation by a qualified mediator where both the complainant and the organisation involved have consented to the same.
According to the PDPC’s Guide on Active Enforcement (published 22 May 2019), in considering whether to take enforcement action on data breaches, the PDPC is guided by the following key objectives:
- to respond effectively to breaches of the PDPA where the focus is on those that adversely affect large groups of individuals and where the data involved are likely to cause harm or loss to the affected individuals;
- to be proportionate and consistent in the application of enforcement action on organisations that are found in breach of the PDPA, with penalties imposed that serve as an effective deterrent to those that risk non-compliance with the PDPA; and
- to ensure that organisations that are found in breach take proper steps to correct gaps in the protection of personal data.
As to the type of enforcement action it may take, the PDPC may choose to do any one of the following:
- Suspension or discontinuation of the investigation: the PDPC may discontinue investigations and simply issue an advisory notice where the impact is assessed to be low. Examples of circumstances where the PDPC may do so include where the complainant has not complied with a direction, the parties involved have mutually agreed to settle, or any party has commenced legal proceedings in respect of any contravention of the PDPA.
- Undertaking: the PDPC may initiate an undertaking process, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent recurrence. A key consideration is the effectiveness of the remediation plan and the organisation’s readiness to implement it forthwith. The organisation’s request to invoke the undertaking process must be made very soon after the incident is known - that is, either upon commencement of investigations or in the early stages of investigations. The PDPC will not accept an undertaking request in certain cases, for example, where the organisation refutes responsibility for the data breach incident, where the organisation requests time to produce a remediation plan, or where the organisation does not agree to the undertaking being published.
- Expedited breach decision: the PDPC may issue an expedited breach decision at its discretion in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA. The expedited breach decision will achieve the same enforcement outcome as a full investigation. Where financial penalties are involved, the organisation’s admission of its role in the incident will be taken as a strong mitigating factor. However, admissions might not be considered as a mitigating factor for repeated data breaches. The organisation must make a written request to the PDPC for an expedited decision when investigations commence.
- Full investigation process: for incidents with high impact, and where facilitation or mediation is inappropriate in the circumstances (eg, where there is a disclosure of personal data on a large scale or where the personal data disclosed could cause significant harm), the PDPC may initiate a full investigation immediately.
That said, where the PDPC is satisfied that an organisation has breached the main data protection provisions under the PDPA, it is empowered with a wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
- pay a financial penalty of up to S$1 million.
Financial penalties are intended to act as a form of sanction and deterrence against non-compliance when directions alone do not sufficiently reflect the seriousness of the breach. In assessing the seriousness of the breach, the PDPC considers a number of factors, including the following:
- impact of the organisation’s breach;
- whether the organisation had acted deliberately or wilfully;
- whether the organisation had known or ought to have known the risk of a serious contravention and failed to take reasonable steps to prevent it;
- extent of non-compliance in terms of the PDPA obligations that the organisation had failed to discharge;
- number of individuals whose personal data had been subjected to harm and risks as a result of the breach;
- whether the organisation had appointed a data protection officer or equivalent to ensure accountability with the PDPA;
- types of personal data that were compromised or put at risk as a result of the breach; and
- whether the organisation had previously been found to have similarly breached the PDPA.
In calculating a financial penalty, the PDPC considers how a reasonable organisation should behave in a particular situation, and adopts the following principles to determine the amount:
- the amount should be proportionate to the seriousness of the breach;
- the amount should provide sufficient deterrence against future or continued non-compliance by the organisation and others;
- the amount should take into account aggravating and mitigating factors, including:
  - cooperativeness of the organisation in the course of investigations;
  - whether remedial action(s) were implemented;
  - whether there was voluntary notification of the data breach;
  - whether the organisation had engaged with the affected individuals in a meaningful manner and had voluntarily offered a remedy, and whether the individuals had accepted the remedy; and
  - whether the organisation admitted liability for the data breach.
According to the PDPC’s Enforcement Guidelines and the public guidance published on the PDPC’s website as of 31 May 2019, some of the factors that the PDPC may consider to be aggravating factors include:
- the organisation failing to actively resolve the matter with the individual in an effective and prompt manner;
- intentional, repeated or ongoing breaches of the data protection provisions by an organisation;
- obstructing the PDPC during the course of investigations (such as making efforts to withhold or conceal information requested by the PDPC);
- failing to comply with a previous warning or direction from the PDPC; and
- the organisation is in the business of handling large volumes of sensitive personal data (such as medical or financial data), but failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of that personal data.
Some of the factors that the PDPC may consider to be mitigating factors include:
- the organisation’s active and prompt resolution of the matter with the individual;
- the organisation taking reasonable steps to prevent or reduce the harm of a breach (such as putting in place strong passwords or encrypting the personal data to prevent unauthorised access);
- the individual affected by the breach has already received a remedy in some other form (for example, through a civil action against the organisation);
- the organisation engaging with the individual in a meaningful manner and having voluntarily offered a remedy to the individual, and that individual having accepted the remedy;
- the organisation taking immediate steps to notify affected individuals of the breach and reduce the damage caused by a breach (such as informing individuals of steps they can take to mitigate risk); and
- the organisation voluntarily notifying the personal data breach to the PDPC as soon as it learned of the breach, and cooperating with the PDPC in its investigations.
As of 31 May 2019, the PDPC has issued a total of 76 grounds of decisions against 98 organisations, with a significant majority of these cases relating to breaches of the Protection Obligation. The most common types of data breaches involve the deliberate disclosure of personal data; poor technical security arrangements; poor physical security arrangements; errors in mass email/post; and insufficient data protection policies.
On 15 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on SingHealth Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyber-attack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients to be compromised.
Any person who suffers loss or damage directly as a result of a contravention of any of the main data protection provisions may also commence a private civil action in respect of such loss or damage suffered (see question 38 for further information on such right of private action).
Non-compliance with certain provisions under the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached. For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding 12 months, or both. Intentionally disposing of, altering, falsifying, concealing or destroying a record containing personal data or information about the collection, use or disclosure of personal data is an offence that may be punishable upon conviction with, in the case of an individual, a fine of up to S$5,000, and in the case of an organisation, a fine of up to S$50,000. The obstruction of PDPC officers (eg, in the course of their investigations) or provision of false statements to the PDPC may be punishable upon conviction with, in the case of an individual, a fine of up to S$10,000 or imprisonment for a term not exceeding 12 months; and in the case of an organisation, a fine of up to S$100,000.