Tricky – but welcome – changes to the Access and Correction Obligation

2020-07-01

This paper looks at the access component first. The tweak to the correction component is covered at the end.

Currently, an organisation is under an obligation to provide an individual with:

(a) personal data about the individual that is in the possession or under the control of the organisation and

(b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request

An organisation is not required to provide an individual with the individual's personal data or other information in respect of the matters specified in the Fifth Schedule to the Personal Data Protection Act (the PDPA). These are generally matters of convenience from the organisation's perspective - for example, an organisation is not required to provide opinion data kept solely for an evaluative purpose, but may choose to do so. Similarly, an organisation is not required to respond to a request if the request is unreasonable, if the information is trivial or if the request is otherwise frivolous or vexatious.

Perhaps more importantly, an organisation is not permitted to provide an individual with the individual's personal data or other information if doing so could reasonably be expected to:

(a) threaten the safety or physical or mental health of an individual other than the individual who made the request

(b) cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request

(c) reveal personal data about another individual

(d) reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity or

(e) be contrary to the national interest

In addition, an organisation is not permitted to inform any individual that it has provided personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual.

Proposed change to prohibition relating to 'other individuals'

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020. In it, certain changes were proposed that affect the circumstances where an organisation is not permitted to provide an individual with the individual's personal data or other information.

In its Public Consultation Paper, the Commission referred to the prohibitions in paragraphs (c) and (d) above and said that from its experience these prohibitions have resulted in implementation issues for organisations providing access to personal data (for example, removing third parties' personal data captured in CCTV footage).

Therefore, the draft amendment bill reduces the scope of the prohibitions set out above. It will allow organisations to provide access to personal data regardless of whether providing access could:

(1) reveal personal data about another individual or

(2) reveal the identity of an individual who has provided personal data about another individual and that individual does not consent to the disclosure of their identity

Amendments to the Access Obligation to implement the 'other individuals' initiative

First, the following two new definitions will be added to the PDPA:

'user activity data' - personal data about an individual that is created in the course or as a result of the individual's use of any product or service provided by the organisation.

'user-provided data' - personal data provided by an individual to the organisation.

Second, section 21 will be amended by including a new subsection (3A). The effect of the new subsection is that:

  • subsections (3)(c) and (d) - as set out above - do not apply to any user activity data about the individual who made the request, despite such data containing personal data about another individual
  • subsections (3)(c) and (d) do not apply to any user-provided data from the individual who made the request, despite such data containing personal data about another individual

Amendments to the Access Obligation - notifications to individuals

If an organisation does not satisfy a request to provide an individual with the individual's personal data or other information because the organisation:

(1) is not required to do so - that is, because the Fifth Schedule applies - and/or

(2) is not permitted to do so because one or more of paragraphs (a) to (e) above apply,

the organisation must notify the individual of the rejection. This must be done within the prescribed time and in accordance with prescribed requirements. The prescribed time and requirements are not yet known.

An organisation must accede to the access request if it is able to provide an individual with the individual's personal data and other information:

(1) without the personal data or other information that it is not required to provide and/or that it is not permitted to provide and

(2) without information relating to any disclosure to a prescribed law enforcement agency

In any such case, it must notify the individual of the exclusion of any personal data or other information excluded because it is not required to provide it or not permitted to provide it.

Preservation of copies of personal data

The Commission mentions in the Public Consultation Paper that there is currently no requirement for organisations to preserve a copy of the individual's requested personal data if the organisation denies the individual's access request. As a result, if the organisation deletes the data, the requesting individual can no longer obtain access to it, even if they seek recourse for the rejection of the request.

The draft amendment bill will add a requirement for an organisation to preserve a copy of the personal data to which an organisation refuses to give access under the Access and Correction Obligation. The organisation must preserve it for a period that is yet to be prescribed, although the Commission mentions in the Public Consultation Paper a period of at least 30 calendar days after rejection of the request or until the individual has exhausted their right to apply for a reconsideration request or to appeal the decision, including to a Court, whichever is later.

The organisation will be required to ensure that the copy of the personal data it preserves is a complete and accurate copy of the personal data.

Correction of an error or omission in personal data

An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. The organisation has to make the correction as soon as practicable unless the organisation is satisfied on reasonable grounds that a correction should not be made to the personal data. (There are other obligations too, such as to notify certain third parties, but they are not relevant to the proposed amendment.)

An organisation is not required to correct or otherwise alter an opinion, including a professional or an expert opinion. In addition, an organisation is not required to correct personal data in respect of the matters specified in the Sixth Schedule.

The matters set out in the Sixth Schedule at present are not surprising - organisations are not required to correct:

(a) opinion data kept solely for an evaluative purpose

(b) any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results

(c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust

(d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre

(e) a document related to a prosecution if all proceedings related to the prosecution have not been completed

The draft amendment bill will add '(f) derived personal data'.

'Derived personal data' is personal data about an individual that is derived by an organisation in the course of business from other personal data about the individual or another individual in the possession or under the control of the organisation. It does not include personal data derived by the organisation using any prescribed means or method.

The Commission mentions in the Public Consultation Paper that derived personal data does not include data that is derived by the organisation using simple sorting or common mathematical functions, like averaging and summation. Perhaps this gives some insight into what may be excluded from the definition of 'derived personal data'.

The Commission notes in the Public Consultation Paper that to ensure organisations remain accountable for personal data in their possession or under their control, organisations will still be required to provide individuals with:

  • access to derived personal data and
  • information about the ways in which the derived personal data has been or may have been used or disclosed by the organisation within a year before the date of the request for such information










Written by Lyn Boxall, Director, Lyn Boxall LLC







