PDPA (Amendment) Act 2020

If there’s one thing that the SimplePay team cares about as much as making your world of payroll a breeze, it’s giving you peace of mind about the data which you share with us. 

When the PDPA (Amendment) Bill 2020 was first released on 5 October, we got straight to work, reviewing and updating our pages and processes. The amendments gained presidential approval on 25 November and were published in the Government Gazette on Friday 11 December, meaning the amendments are now effective. Accordingly, we have updated our site’s PDPA webpage to reflect these changes.

Below we have provided a brief summary of the key changes and additions to the PDPA by the PDPA (Amendment) Act 2020 (the Amendment Act).

Data Breaches

The Amendment Act altered and expanded the definition of a data breach. Under the amended PDPA, a data breach is now defined as:

  1. The unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
  2. the loss of a storage medium or device, on which personal data is stored in circumstances where one or more of the unauthorised actions in point 1 is likely to occur.

If your company experiences a notifiable data breach, you are required to inform the Personal Data Protection Commission (PDPC) of that breach.

A notifiable data breach is one that:

  1. Results, or is likely to result, in Significant Harm to an affected individual; or
  2. is, or is likely to be, of a Significant Scale.

Significant Harm and Significant Scale are terms yet to be fully defined. The explanatory statement to the Act says that specified circumstances and requirements will be referenced in deciding whether each is satisfied. At present, these have not been released, but the public consultation papers for the Amendment Act give an indication of what may satisfy these requirements.

SimplePay acts as a data intermediary in providing you services. Data intermediaries also have data breach obligations. We will inform you of any external data breach, whether we deem it notifiable or not. We already have a strong grasp of the required steps to handle these situations and inform you through our operations in Europe. We continue to apply the rules and processes of the EU’s General Data Protection Regulation (GDPR) to all our business operations (including Singapore). GDPR imposes similar obligations, which means that we are well prepared in the unlikely event of a data breach.

Thankfully we have never had to put our data breach steps into practice. However, from this strong base of understanding, you can rest assured that we are ready to deal with the situation quickly, professionally and effectively.

Data Portability

Data portability allows individuals to request that their data be ported from one organisation to another.

For this to be permitted:

  1. There must be an ongoing relationship between the individual and the organisation; and
  2. The individual must complete a data porting request in the prescribed format.

As a data intermediary, SimplePay is exempt from these obligations, but we will assist you in requests you may receive, as is reasonable.

More information on Data breaches and Data portability can be found on our PDPA webpage.

Protection of Personal Data

The original PDPA required companies to make reasonable security arrangements to protect information. The Amendment Act has expanded the definition to now also include the loss of any storage medium or device on which personal data is held. 

This is cast very broadly and could include both physical mediums, such as securing company laptops, and virtual mediums such as cloud-based resources and their connected servers. Although arguably implied by the original wording, this now expressly shows that these risks should be accounted for in any security arrangements made.

Financial Penalties

To enforce compliance with the PDPA, a number of penalties have been introduced for both individuals and employers. As an example, if your employee discloses personal data, or their conduct causes the disclosure of personal data under the control of your company, they could be liable to pay a fine of up to $5 000, or even face imprisonment for a term of up to two (2) years.

Equally, if your company is found to have breached certain provisions of the Act (Parts III-VI, VIA and VIB), it could face an order for specific performance and a fine of up to $1 million.

This really does show that compliance pays!

We hope this brief dive into the PDPA amendments has proved useful to you. If you have any questions relating to SimplePay’s PDPA compliance, you can contact our team at [email protected].

Equally, if you are not yet a client of SimplePay but would like to be, or if you’d like to know how we can take the effort out of filing and calculating payroll, get in contact with us or visit our website: www.simplepay.com.sg.

Keep well and stay safe.

Team SimplePay