• DE
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK
  • DE
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK
Back to Articles

Key changes in 2019 for personal data protection compliance

12 February 2019
Glen Chee Director at DWF Compliance highlights the key changes in 2019 in relation to the protection of personal data.

Handling of NRIC Collection

The Personal Data Protection Commission (“Commission”) has issued guidelines providing more comprehensive advice on the collection, use and disclosure of National Registration Identification Card or "NRIC" numbers and include stricter controls over their usage. In addition, other national identification numbers (e.g. birth certificate numbers, foreign identification numbers and work permit numbers) and passport numbers will also be accorded the same treatment as NRIC numbers under the Guidelines. An organisation is generally prohibited from collecting, using or disclosing an individual's NRIC number or a copy of the NRIC unless required by law.

The Commission will enforce the Guidelines from 1 September 2019. Organisations will have to take immediate steps to review its practices and make changes which are necessary to ensure that any existing or proposed collection or use of the NRIC is either permitted under the law or is otherwise justified.

Mandatory data breach notification

Another key proposal is the adoption of a data breach notification framework in Singapore. The organization must apply the risk of impact or harm test to the affected individuals when making a decision with regards to notifying the affected individuals and notifying the Commission.

Relaxation of the Consent Principle: Consent not required where individual has been notified of purpose.

General requirement for deemed/express consent to collect, use and disclose personal data will be relaxed if notifying the individuals of the purpose of data handling can be an appropriate basis for an organisation to collect, use and disclose personal data - i.e. consent is not required - if the collection, use or disclosure of personal data is not expected to have any adverse impact on the individuals.

Data Protection Trust Mark

The Commission Has announced that the PDPA will launch a Data Protection Trust Mark Certification scheme in 2019. A "DP Trustmark" will be a visible indicator that a business adopts sound practices and keeps its processes updated regularly.

How we can help

We help our clients to review, update their practices, policies and processes to include the proposed PDPA changes.

We offer a full suite of PDPA compliance services to help organisations comply with PDPA requirements, including training and assessments.

Please do not hesitate to contact us if you require any assistance.