Singapore Unit 2C Enforcement II Flashcards

1
Q

What are the Amendments to MAS notices on AML/CFT?

A

Amendments to MAS Notices on Prevention of Money Laundering and Countering the Financing of Terrorism (AML/CFT) – were made when the Personal Data Protection Act was introduced in 2012.

The PDPA accommodates existing regulations and other reasonable situations. To avoid inconsistencies between the PDPA and sector-specific regimes, the PDPA states that it will not override sector-specific laws and regulations or anything imposed or conferred by the law.

Financial institutions cannot compromise their ability to perform effective customer due diligence. For the purposes of meeting the AML/CFT requirements, financial institutions may collect, use, and disclose personal data without customer consent.

Customers’ rights under the PDPA to access and correct personal data are limited to the personal data that they have provided to the financial institution.

1
Q

Do financial institutions need to respond to data subjects' access requests?

A

They are not required to provide any information about the ways the financial institution may have used or disclosed the personal data.

2
Q

What are the data protection related clauses in SG Banking Act?

A

Banking Act – administered by MAS
- No disclosure to any third party except as specifically provided
- No further disclosure by any such third party
- Liability: fine up to $125,000 and/or imprisonment up to three years, or fine up to $250,000 for non-individuals
- PDPA deleted the previously permitted disclosure for marketing of financial products and services

3
Q

What must FIs do to comply with MAS’ Tech Risk Mgmt Guidelines?

A

Note: (The Technology Risk Management Guidelines have been revised. Current version was issued in January 2021.)

  • The FI should assess and manage its exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data at the third party before entering into a contractual agreement or partnership.
  • On an ongoing basis, FIs should ensure that third parties employ high standards of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.
  • The MAS has stressed that the use of third party service providers should not result in a deterioration of controls and compromise of risk management on the part of the FI. FIs should ensure that their third party service providers are able to meet regulatory standards expected of them.

From: https://www.linklaters.com/en-us/knowledge/publications/alerts-newsletters-and-guides/2021/march/05/singapore—mas-issues-updated-technology-risk-management-guidelines (not in the CIPP notes :’()

4
Q

What does an FI need to do to comply with MAS’ Outsourcing Risk Mgmt Guidelines? Which requirement was removed?

A

Outsourcing Risk Management Guidelines issued on 27 July 2016 and last revised on 5 October 2018 - expanded guidance to financial institutions on prudent risk management practices for outsourcing, including cloud services:
- a new section on cloud computing sets out MAS’s stance on it
- removed the requirement for financial institutions to pre-notify MAS of material outsourcing arrangements and
- revised the definition of “material outsourcing arrangement” to include, under certain circumstances, an arrangement that involves customer information.

Institutions should:
- Perform the necessary due diligence and apply sound governance and risk management practices when subscribing to cloud services
- Take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing
- Ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls

5
Q

What does the PDPC do? Is it a govt authority or independent body?

A

The PDPC was established to administer and enforce the Personal Data Protection Act 2012 (PDPA). (From 1 October 2016, the Info-communications Media Development Authority (IMDA) is designated as the PDPC.) It can also issue guidelines indicating the manner in which it will interpret the Act.

It is a government authority, as opposed to an independent statutory body.

Functions include:
- Formulating and implementing policies relating to the protection of personal data, including the relevant regulations and Advisory Guidelines, to help organisations understand and comply with the PDPA.
- Reviewing organisational actions in relation to data protection rules and issuing decisions or directions for compliance where necessary.
- Working with relevant sector regulators in exercising its functions (because the PDPA is baseline legislation)
- Undertaking public and sector-specific educational and outreach activities to help organisations adopt good data protection practices and to help individuals to better understand how they may protect their own personal data from misuse
- Overseeing the development and operation of the Do Not Call (DNC) Registry, to ensure that individuals receive only telemarketing messages they want, and to help organisations boost customer relations by increasing consumer confidence and trust.

6
Q

What are the powers the PDPC has?

A

PDPC may give directions to ensure compliance:
- To stop collecting, using or disclosing personal data
- To destroy personal data collected in contravention
- To comply with any directions concerning access
- Except where any failure to comply with the PDPA is an offence, pay a financial penalty not exceeding $1m.

On and from 1 February 2021, may also give directions (including to pay a financial penalty) re Do Not Call rules, dictionary attacks, address-harvesting software.

Provision made for increase of maximum fines to a % of annual turnover in Singapore - maybe from early 2022.

Singapore’s PDPA is a complaint-based (versus an audit-based) regime.
The PDPC has the power to investigate an organisation:
- upon complaint or
- of its own motion (for example, where it suspects an infringement),
but does not have an explicit general audit power.

PDPC may enter premises with, or without, a warrant and has the power to require the production of documents and/or information.

CIVIL PROCEEDINGS
Individuals who suffer loss or damage directly as a result of a contravention of any provision in the following Parts of the PDPA have a right of action for relief in civil proceedings:
- Part IV – Collection, use and disclosure of personal data
- Part V – Access to and correction of personal data
- Part VI – Care of personal data

On and after 1 February 2021, the right extends to:
- Part VIA - Data breach notification
- Part VIB - Data portability
- Part IX - Do Not Call rules
- Part IXA - Address-harvesting software and dictionary attacks

DIFFERENT ENFORCEMENT OPTIONS OF THE PDPC (SUBJECT TO DISCRETION)
Suspension / discontinuation:
- Where impact is assessed to be low
- When the complainant has not complied with a direction, e.g., if any party has commenced legal proceedings in respect of any contravention of the PDPA
- The matter may be more appropriately investigated by another regulatory authority

Voluntary undertaking:
- For organisations which request it early and have good accountability practices and an effective remediation plan with a timeframe
- Includes a written agreement between the organisation and the PDPC

Expedited breach decision:
- Allows investigations to be completed in shorter period of time
- For organisations which request it early and provide an upfront voluntary admission of the breach of the PDPA and the facts (i.e. the organisation’s role in the breach)

Full investigation:
- For incidents with high impact, and where facilitation and/or mediation is inappropriate in the circumstances

PDPC decisions
- No breach
- Warning
- Directions
- Financial penalty
- Directions and financial penalties

7
Q

What is the process for appealing Commissioner decisions?

A

The individuals or organisations dissatisfied with PDPC decisions:
- Have 28 days to appeal
- May appeal to the Data Protection Appeal Panel
(i) Will be heard by an Appeal Committee (3 or more members)
(ii) Appeal Committees will have all the powers and duties of the PDPC necessary for their work, plus those of a district court
- There can also be appeals to the High Court or the Court of Appeal
- Thus far, there are no appeal cases

The Appeal Committee may:
- Vary or set aside the PDPC direction or decision (which is the subject of appeal)
- Remit the matter to PDPC
- Impose, revoke or vary the amount of financial penalty
- Give directions the PDPC could have given
- Set aside findings of fact while upholding a PDPC decision

8
Q

What are the NRIC Guidelines? When can NRIC numbers be collected? When can a physical NRIC be retained?

A

COLLECTION:
Govt ID numbers or a copy of them (NRIC/FIN/WP/BC/PP)

Organisations are not allowed to collect, use or disclose these except where it is:
- Required under the law (or an exception under the PDPA applies); or
- Necessary to accurately establish or verify the identity of the individual to a high level of fidelity

Organisations that collect a copy must ensure they are not collecting excessive personal data contained in the copy for their purposes.

RETENTION:
Physical NRIC or other Govt ID

Organisations must not retain the physical NRIC (or any ID containing NRIC numbers) except where:
- Required under the law

9
Q

What must an org do if an individual withdraws consent?

A
  • A person may withdraw consent at any time by giving reasonable notice.
  • Organisations are not allowed to prohibit the withdrawal of any consent.
  • The organisation must inform the individual of the expected consequences of such withdrawal.
  • When this happens, the organisation and its data intermediaries must stop collection, use and disclosure of the individual’s personal data (third parties not included).
  • The organisation need not delete the data even if requested if there are valid business/legal reasons.
  • Fresh consent is required for purposes under the Consent Obligation and Purpose Limitation Obligation.
  • Clear and unambiguous consent is required under the DNC Provisions.
  • Organisations are encouraged to maintain documentary evidence of consent or withdrawal of consent from data subjects.

10
Q

What are the penalties for SG PDPA?

A

FINANCIAL PENALTY
a) Breach of DP provisions: up to *10% of the organisation’s annual turnover in Singapore or $1 million, whichever is higher.
b) Breach of DNC Provisions or breach of the prohibitions on the use of dictionary attacks and address-harvesting software:
(i) up to S$200,000 in the case of an individual;
(ii) where it is an organisation, up to S$1 million or *5% of the organisation’s annual turnover in Singapore, whichever is higher

ACCESS AND CORRECTION OFFENCES AND PENALTIES
It is an offence under section 51(1) of the PDPA to make an access or correction request about another individual without the authority of that individual.

It is an offence under section 53(3)(a) to alter, destroy, etc. documents to evade an access and/or correction request

A person who commits an offence under section 51(1) is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both.

An organisation or person that commits an offence under section 53(3)(a) is liable:
- in the case of an individual, to a fine not exceeding $5,000
- in any other case, to a fine not exceeding $50,000

GENERAL OFFENCES AND PENALTIES
It is an offence under section 51(3)(b) and (c) of the PDPA to:
- obstruct or hinder the PDPC, its inspectors or other authorised officers in the exercise of their powers or performance of their duties under the PDPA; or
- knowingly or recklessly make a false statement to the PDPC; or
- knowingly mislead or attempt to mislead the PDPC, in the course of the performance of the duties or powers of the PDPC under the PDPA

The organisation can be fined up to $1 million under Section 29(2)(d) for compliance failures that are not offences.

An organisation or person that commits an offence under section 51(3)(b) or (c) of the PDPA is liable to:
- in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both
- in any other case, to a fine not exceeding $100,000

If no penalty is expressly provided in the Act, the individual can be fined up to $10,000 or to imprisonment for a term not exceeding 3 years or to both (Section 56)

(Also see SG48 on Egregious mishandling)

SUMMARY
Data Protection Provisions:
- Enforcement: Civil admin regime
- 10% of an organization’s annual gross turnover in Singapore or S$1 million, whichever is higher

Do Not Call Provisions:
- Enforcement: Civil admin regime
(i) For individuals – S$200,000
(ii) For organisations – S$1 million unless the breach involves egregious conduct, in which case the cap will be the higher of S$1 million or 5% of the organisation’s annual gross turnover in Singapore

Include Section 48B(1) prohibitions on the use of dictionary attacks and address-harvesting software

Individual (egregious handling):
- Enforcement: s48(d)(e)(f)
- S$5k or jail

Making unauthorized access/ correct/ data port request:
- Enforcement: s 51(1)
- Individual: S$5k and/or 1 year jail

Evade access request:
- Enforcement: s53(3)(a)
- Individual: S$5k; organisation: S$50k

Obstruct/ fail to cooperate/ mislead PDPC:
- Enforcement: s51(3)(b)(c)
- Individual: S$10k and/or 1 year jail; organisation: S$100k

11
Q

How is egregious handling defined? What are the penalties for egregious handling?

A

Under Section 48(d)(e)(f), individuals are accountable for egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency).

Knowing or reckless unauthorised:
- disclosure of personal data
- use of personal data for a gain, or to cause harm or loss to another person
- re-identification of anonymised data

Authorisation - Not an offence if
- Employees acting in course of employment
- Service providers engaged by organisation

Defences
- Publicly available data
- Testing of anonymisation systems (applicable to data professionals, cybersecurity specialists, data scientists, academic researchers, white hat hackers)

Penalties and sanctions, including employee liability changed significantly on 1 February 2021.

Criminal offence
- Fine not exceeding $5,000,
- Or to imprisonment for a term not exceeding 2 years
- Or to both

12
Q

What is Freedom of Information about? Is it available in SG?

A

Freedom of Information Legislation = “public authorities are obliged to publish certain information about their activities; and members of the public are entitled to request information from public authorities.” After receiving the request in writing, these organisations must provide the information within 20 working days.

Globally, more than 80 countries have “Freedom of Information” laws, including Asian countries such as South Korea, China, India and the Philippines.

However, Freedom of Information law may come in either one of two broad categories:
- Information about how a government makes decisions (e.g., the style of FOI legislation adopted in India)
- Information recording decisions made by government (e.g., the style of FOI legislation adopted in Australia)

Singapore has no freedom of information law of either type. Attempts by opposition legislators to introduce it have not been well-received.
