PDPA Amendments: What Insurance Companies Should Know

By Jansen Aw, Ngaim Ruo Ling and Ting Chun Yen, Donaldson & Burkinshaw LLP

With Singapore’s evolving digital economy needs, on 2 November 2020, the Singapore parliament passed the Personal Data Protection (Amendment) Bill (“Bill”) which introduces important amendments to the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”). These amendments are expected to come into force in 2021. Alongside these amendments, the Personal Data Protection Commission (“PDPC”) also issued a draft Advisory Guidelines on Key Provisions of The Personal Data Protection (Amendment) Bill (“Draft Guidelines”) as an accompaniment to aid in the interpretation and understanding of the new Bill (and soon-to-be new Act). 

We highlight below the facets of the upcoming changes to the PDPA that are pertinent to insurance companies.


(a) Deemed consent to be expanded

Presently, the PDPA allows for consent to be deemed from an individual’s conduct. The Bill introduces two additional forms of deemed consent, namely (i) deemed consent by contractual necessity and (ii) deemed consent by notification.

Deemed consent by contractual necessity

An individual may be deemed to have given consent for the disclosure and use of personal data to third-party organisations where it is reasonably necessary for the performance or conclusion of a contract. For example, when an online transaction is made, the individual customer would be deemed to have consented to the use of his personal data by third-party companies in processing the said payment. 

Deemed consent by notification

Individual customers may be deemed to have given consent if the organisation notifies them of the purposes of the intended collection, use or disclosure of their personal data, provided that safeguards are in place (including an assessment of the potential adverse effects on the customer) and the customer does not opt out within a reasonable period of time. As an example, where an insurance company collects voice data of customers for the purpose of managing disputes but subsequently intends to use it to authenticate the customer's account, the insurance company need not obtain express consent for the latter purpose so long as sufficient notification of it was given, the company has assessed that adverse effects on the individual are unlikely, and it has taken measures to eliminate and mitigate such adverse effects.


(b) Exceptions to Consent – Legitimate Interests & Business Improvement

While consent remains the cornerstone of the PDPA, the Bill provides new exceptions to the consent requirement, which include (i) the Legitimate Interest Exception, and (ii) the Business Improvement Exception.

Legitimate Interest Exception

Organisations can now collect, use or disclose personal data in circumstances where the organisation has conducted an assessment and is satisfied that the collection, use or disclosure is in the legitimate interests of the organisation or other persons (including other organisations), and that the benefit to any section of the public is greater than any adverse effect on the individual. The organisation's reliance on this exception must also be disclosed.

The Draft Guidelines provide an example whereby an insurance company may rely on this exception for the purpose of detecting and preventing fraud and misuse of their services. The insurance company must first conduct an appropriate assessment of legitimate interests. It must also disclose its reliance on this exception, such as by publishing in its data protection policy on its website that it is relying on the said legitimate interest exception to collect, use or disclose personal data for purposes of fraud detection and prevention. With those steps done, when an insured makes a claim on his insurance, the insurer may collect, use or disclose the insured’s personal information to ascertain if a claim is genuine, without requiring the insured’s express consent. This is an important function of the insurance industry that the PDPC has recognised, and this new exception is a welcomed introduction in facilitating such processes.

Business Improvement Exception

Organisations and entities belonging to a group of companies may use personal data without consent for the following business improvement purposes:

· operational efficiency and service improvements;

· improving, developing or enhancing products/services; and

· knowing the organisation's customers.

This exception may allow insurance companies to employ data analytics to create new insurance products that are customised to customers’ needs. Data analytics require a certain volume of data, specifically personal data, to work effectively. The Business Improvement Exception helps to cut through the red-tape and practical difficulties of obtaining individual consent to carry out data analytics.

That said, in relying on this exception, organisations will need to ensure, amongst other things, that the business improvement purpose cannot reasonably be achieved without sharing personal data in an individually identifiable form, and that the purpose is one that a reasonable person would consider appropriate in the circumstances. For instance, the Draft Guidelines explain that where a healthcare service provider and an insurance company that belong to the same group of companies seek to create an automated claim assessment system, they may not rely on the Business Improvement Exception to share personal data without consent if non-individually identifiable data (e.g. aggregated patient profile data) can be used instead. These new exceptions are a welcome change, especially for insurance companies, which can carry out their data processing activities without having to obtain express consent from individual customers, a process which can be unwieldy.


(c) Mandatory Data Breach Notification

To further strengthen organisations' accountability, the Bill introduces mandatory notification of a data breach within 72 hours. An organisation is now required to notify the PDPC and/or its affected individual customers of a data breach where the breach results, or is likely to result, in (i) significant harm to the individuals; or (ii) is of a significant scale (500 or more individuals).

The types of personal data that are considered likely to result in significant harm to affected individuals if compromised in a data breach include an individual's full name or full national identification number in combination with, amongst other personal data, life/health insurance information. This would therefore include any health insurance information or claims information of an individual, including claim appeals, which is not publicly disclosed.

The introduction of mandatory breach notification should be a clarion call for insurance companies to put in place, at a minimum, (i) a data breach notification plan and (ii) a remediation action plan, in case a data breach occurs.


(d) Increased financial penalties and enhanced enforcement powers of the PDPC

Currently, the PDPA prescribes a financial penalty of up to S$1 million for contraventions of its data protection provisions. The Bill provides for the imposition of higher financial penalties for such contraventions. When the Bill comes into force, a company found not to have provided sufficient security safeguards to protect personal data under Section 24 of the PDPA could face a financial penalty of up to 10% of its annual turnover in Singapore (where that annual turnover exceeds S$10 million) or S$1 million, whichever is higher.

It is important that insurance companies continue to provide and maintain state-of-the-art security arrangements to protect the personal data of their clients and customers.


(e) Conclusion

The Bill is set to introduce an array of changes that would enhance personal data protection. This does not mean that the fundamental principles of personal data protection no longer apply, nor does it mean that organisations need to completely revamp their existing processes. Rather, the fundamental tenets of good personal data protection practice still hold true, and organisations should take this opportunity to augment their existing processes and practices. This includes implementing a rigorous set of policies with clear instructions for the respective departments processing personal data, as well as instituting second-layer checking mechanisms. Where automated systems are in place, test runs should be routinely conducted with a proper set of data that imitates real-life situations.

In anticipation of the Bill coming into force, insurance companies are highly recommended to conduct internal reviews and strengthen their policies, protocols and procedures to ensure that they are ready to comply with the new obligations.

---------------------------

About the writers:

Jansen Aw (Partner), Ngaim Ruo Ling (Associate) and Ting Chun Yen (Associate) are lawyers practising in the Litigation & Dispute Resolution and Technology & Data Protection Practices at Donaldson & Burkinshaw LLP in Singapore. Jansen advises clients on a wide range of data protection matters, including data breaches, data protection management programmes, data protection policies, notices and agreements. His clients come from a wide range of industries, including the media, technology and telecommunication fields. Jansen was previously an Assistant Chief Counsel of the Personal Data Protection Commission (Singapore). He holds several qualifications in privacy and data protection, namely CIPP/A, CIPP/E and CIPM, and is an FIP with the International Association of Privacy Professionals.

Chat with the writers at:

jansen.aw@donburk.asia / ruoling.ngaim@donburk.asia / chunyen.ting@donburk.asia
