by Hannah YeeFen Lim
With the main data protection provisions of Singapore’s Personal Data Protection Act 2012 (“PDPA”) entering their fourth year of operation, this book is timely for organisations, practitioners, academics, students and anyone with an interest in analysing (i) the current state of the personal data protection laws in Singapore, (ii) how the provisions in the PDPA have been applied across the body of enforcement decisions by the Personal Data Protection Commission (PDPC), and (iii) areas of the PDPA where organisations could benefit from more guidance in their ongoing compliance journey.
Interesting aspects of the book include:
1. The opening chapter, where the author has gone to great lengths to contextualise the framework for protecting personal data, drawing from principles and cases in the US, UK and Europe, and bringing the discussion to Singapore, where business needs are balanced with individual interests around the collection, use and disclosure of personal data.
2. A discussion of the “reasonable person” test that underpins many operative provisions within the PDPA. This conceptual framework could present challenges, as different segments of today’s society may have differing views and understanding of what personal data protection is or ought to be, depending on demographics such as age and digital literacy.
3. A detailed analysis of various principles and techniques for the anonymisation of data sets. As organisations collect, store and use more personal data than ever, a sound understanding and proper anonymisation of personal data could offer a middle ground that balances business needs for keeping the data with the security obligations over such data in a landscape of increasing cyber threats.
4. Measures that organisations can consider in the protection of personal data, and in particular, steps to take to manage data breaches and data breach notifications. This section is topical given the highly networked digital environment of today’s organisations where cyber security breaches are occurring with greater regularity, and offers a glimpse of what is on the horizon under the mandatory data breach management framework in the Cybersecurity Bill that is due to be passed in Singapore.
Overall, the book is refreshing and recommended. The author offers alternate perspectives on how various concepts and operative provisions in the PDPA can be better managed, and makes a sincere call for more prescription using a “scientific approach”, in addition to the current principles or risk-based approach for compliance.
► Jack Ow
Partner at an international law firm, specialising in data protection and cybersecurity
Data Protection in the Practical Context – Strategies and Techniques is available at the Singapore Academy of Law.