Voluntary undertakings - how they work from an organisation's perspective

2020-07-30

In mid-2019, the Personal Data Protection Commission of Singapore issued its 'Guide on Active Enforcement'. The Commission said that the Guide articulated its new approach in deploying its enforcement powers to act effectively and efficiently on the increasing number of data breach incidents.

The Guide promotes facilitation and remediation as methods of dispute resolution. It also considers various methods of enforcement action, including an undertaking process under which the Commission could consider accepting a request from an organisation to enter into such a process in certain circumstances.

When the Ministry of Communications and Information and the Commission launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020 on Thursday 14 May 2020, it included 'voluntary undertakings' - namely, a proposal to insert section 31A, on voluntary undertakings, into the Personal Data Protection Act (the PDPA).

In the Public Consultation Paper, the Commission said that statutory undertakings allow a regulator to apply more flexible and individually tailored approaches to enforcement. It said that, from its experience, organisations that have in place a data protection management plan will have an effective system for monitoring, internal reporting and management of data breaches. The implementation of a data breach management plan can be the subject of a statutory undertaking. The Commission said that, when coupled with mandatory data breach notification, statutory undertakings will further encourage organisations to adopt accountable practices.

The Commission also noted that several jurisdictions, such as Australia, Canada and the UK, offer undertakings as part of their enforcement regime. Mentioning its Active Enforcement Framework, the Commission said that the amendments to the PDPA will enhance the effectiveness of undertakings as an enforcement mechanism and that the statutory undertakings scheme will expand the range of options for enforcing breaches of undertakings.

Finally, the Commission mentioned that it may investigate the underlying breach if the organisation fails to comply with the statutory undertaking. Alternatively, a breach of a statutory undertaking will be enforceable by the Commission directly through the issuance of directions. If the organisation fails to comply with these directions, the Commission may apply for the directions to be registered by the District Court under section 30 of the PDPA. (This option is open to the Commission presently and extends to all directions made by the Commission under the PDPA.)

General PDPA enforcement

Section 50(1) of the PDPA enables the Commission to conduct an investigation to determine whether an organisation is complying with the PDPA. Sections 29(1) and (2) empower it to give directions, including to pay a financial penalty, when it is satisfied that an organisation is not complying with the PDPA's data protection provisions - that is, Parts III to VI.

The proposed amendment bill will extend this power to give directions. The Commission will be able to give directions where it finds that a person is not complying with Part IX (the Do Not Call provisions) or Part IXA (new provisions prohibiting dictionary attacks and the use of address-harvesting software).

'Person' includes both a natural person/individual and a legal person, such as a body corporate or other organisation.

Voluntary undertakings

Under the proposed amendment bill, the PDPA will include the following rules in relation to voluntary undertakings.

These rules are expressly stated not to affect sections 29(1) and (2) and 50(1). In other words, the voluntary undertaking rules do not prevent the Commission from proceeding in investigations and issuing directions in the same way as it may do so at present.

When there can be a voluntary undertaking

An organisation or person concerned may give, and the Commission may accept, a written voluntary undertaking where the Commission has reasonable grounds to believe that:

  • an organisation has not complied, is not complying or is likely not to comply with any data protection provision; or
  • a person has not complied, is not complying or is likely not to comply with any Do Not Call provision or any prohibition on dictionary attacks or the use of address-harvesting software.

Example 1

An employee of an organisation has sent out an email to 3,000 individuals. Instead of putting all of the email addresses in the 'BCC' line, the employee put them in the 'To' line or in the 'CC' line. The result is that every addressee can see the email address of every other addressee. This is clearly a data breach. We know this because the Commission has taken enforcement action previously when the same error has been made by an employee of an organisation.

The organisation reports the data breach to the Commission. The organisation asks the Commission if the Commission will accept a voluntary undertaking from the organisation, as follows:

  1. undertaking #1: not to send out any further email blasts until it has updated its standard operating procedures so that a similar error will not be made again in the future
  2. undertaking #2: to update its standard operating procedures within 30 days to prevent a similar error happening again
  3. undertaking #3: to train all relevant staff in the updated standard operating procedure before they are permitted to send out an email blast
  4. undertaking #4: to send a letter of apology to all recipients of the email immediately

Example 2

The Commission receives multiple complaints from individuals about a person or organisation having sent marketing messages to them despite them being on the Do Not Call register.

The Commission investigates and it is determined that the marketing messages were sent incorrectly because the person or organisation had not kept up to date its 'white list' of individuals who had given clear and unambiguous consent to receiving such messages. In particular, where such consent had been withdrawn, the person or organisation did not update its 'white list' accordingly.

The person or organisation asks the Commission if the Commission will accept a voluntary undertaking that it will in future always check the Do Not Call register before sending a marketing message and will no longer rely on a 'white list' for marketing purposes.

What can be included in a voluntary undertaking

Without limiting the matters to which the voluntary undertaking may relate, it may include the organisation or person concerned giving:

  • an undertaking to take specified action within a specified time;
  • an undertaking to refrain from taking specified action; and
  • an undertaking to publicise the voluntary undertaking.

When and how a voluntary undertaking can be varied

When reading the following rules, please keep two concepts in mind:

  • first, the word 'undertaking' can refer to a single clause in an overall document (as in the case of the four separate undertakings in the first example above or the one undertaking in the second example above); and
  • second, the word 'undertaking' and the words 'voluntary undertaking' can also refer to the overall document that contains the undertakings.

1. The Commission may vary the terms of any undertaking included in a voluntary undertaking or include in it any additional undertaking mentioned above under 'What can be included in a voluntary undertaking'.

The Commission can do this only after accepting the voluntary undertaking and only with the agreement of the organisation or person who gave the voluntary undertaking.

2. Despite the above requirement for agreement, where an organisation or a person fails to comply with any undertaking in a voluntary undertaking, the Commission may give the organisation or person any direction the Commission thinks fit in the circumstances to ensure its compliance with the undertaking it has given.

3. In addition, where an organisation or person fails to comply with an undertaking to publicise the voluntary undertaking, the Commission may publicise it itself (by doing whatever the person or organisation had undertaken to do).

In any such case, the Commission may recover its costs and expenses from the person or organisation that gave the undertaking.


Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
