Organisations Need to Start Preparing for Handling Data Portability Requests
25 June 2019
The Personal Data Protection Commission (PDPC) has issued a Public Consultation on Data Portability and Data Innovation Provisions. The consultation ends on 3 July 2019, and makes the following proposals:
- Organisations should be required to transmit personal data held by that organisation to another if so requested by the data subject;
- Organisations will not need to specifically seek consent to use a data subject’s personal data if the use is for business innovation purposes; and
- The obligations of access and correction will not apply to derived data.
The obligation for organisations to transmit personal data held by that organisation to another upon the request of the data subject is intended to allow individuals to change service providers without the constraint of losing access to data built up with their existing service provider. For example, an individual using a music streaming service has accumulated data on his favourite songs and music preferences that will be lost if he wants to move to another service provider. The obligation to require data portability will mean that the individual will be able to ask his music streaming service provider to transmit his data to the other service provider thereby allowing the individual greater consumer choice. The obligation encourages service providers to focus on improving their services rather than relying on the stickiness afforded by holding on to the individual’s data.
The PDPC has proposed that the obligation of data portability will only apply if the other organisation has a presence in Singapore. This means that the organisation is registered in Singapore and has a presence here. The incumbent organisation will not be required to transfer the data if the receiving organisation is an overseas organisation.
As the aim of the PDPC is to encourage the growth of innovation in the business use of data, only electronic data will be subject to the obligation. Furthermore, the data to be transferred is only that which has been provided by the individual (including data on third parties that has been provided) and data generated by the individual’s activities. Data has been given a very wide definition: emails, documents, photographs, and social media posts are proposed to be included.
The organisation does not, however, have to provide data that it has generated from analysing these data points. Nor does it have to provide data which, if disclosed, would reveal confidential information that could harm the competitive position of the organisation.
Upon receiving a request to transmit the data to another organisation, the organisation has to, among other things, verify the data to be ported by allowing the individual to view the data (or a sample) before transmitting it to the receiving organisation. The individual should be allowed to remove data that he does not want to transfer. A reasonable fee may be charged to recover the cost of providing the service. The data should be provided to the receiving organisation in a commonly used machine-readable format.
Data innovation provisions
Currently, organisations have to obtain the consent of individuals from whom they collect personal data for the collection, use or disclosure of that data. As a general rule, unless an individual has given consent to the organisation to use his data for a certain purpose, the organisation may not use the data for another purpose. To spare organisations from having to seek consent for new and innovative uses of the data that may not have been anticipated, and to encourage the growth of data analysis, the PDPC is proposing to exempt organisations from the requirement to seek consent to use an individual’s personal data if the data is to be used for the following business innovation purposes:
- Operational efficiency and service improvements;
- Product and service development; or
- Knowing customers better.
It is also proposed that data generated from analysing personal data obtained from an individual be exempted from the access and correction obligation.
Dealing with the proposed new obligation of data portability
While it is still early days, it is not premature for organisations to start looking into developing procedures for dealing with the proposed data portability obligation. These would include establishing procedures for:
- Confirming the identity of the data subject making the request;
- Locating the relevant personal data;
- Determining and removing the data that constitutes derived data and commercially sensitive data;
- Communicating with data subjects;
- Allowing the data subject to review and redact the relevant personal data; and
- Recording and tracking requests and responses, including all correspondence related to requests and internal documents that demonstrate the data controller's efforts to locate the data.