What is Data Portability?
by Yang Yen Thaw
2nd February 2021
Affinite's Chief Legal and PDPA Advisor, explores what exactly is data portability, its purpose and how the PDPA act has since accounted for data portability in its most recent amendment.
Defining Data Portability
Simply put, data portability is a right where individuals can move, copy, transfer their data from a service, place or organization, database, hardware devices, storage, or IT environment to another. Generally, data may be collected manually (on demand) or automatically (parsing or collected by sensors) and stored in silos or platforms that may not be compatible with another software readers. The reasons for doing so may vary with data collectors requiring high degree of control over data, for competition, or market capitalization. Data portability applies to accessibility and not ownership of personal data. Right to data portability under most laws aim to address the power imbalance data controllers have over personal data and regulate by allowing portability.
Data portability finds application in transferring data from different platforms such as telecommunications, social media platforms, change in mobile phone models, and other appliances.
The purpose of data portability is to provide individuals with greater autonomy and control over their personal data and to facilitate individuals’ switching services across innovative and competitive ecosystems.
Data Portability & PDPA Act
The Personal Data Protection Act has been amended in the version published on 1 February 2021 (Amended Act) by the Personal Data Protection (Amendment) Bill 2020 (Amendment Bill). There have been extensive public discussions with PDPC on including data portability, but it does not appear to have been included in Amended Act. Data portability provisions are included in Amendment Bill. The last reference to data portability was in January 2020 published by PDPC. There is also only one reference to it in the advisory guidelines to key concepts revised as of 1 February 2021; in particular to derived data. It is probably still under consideration. However, there are several references to data portability and porting in the Amended Act.
Source: Mediacorp - Singapore plans data portability requirement as part of PDPA update.
There is no definition in the Amendment Bill for data portability per se. While GDPR states that data to be ported should be in a structured, commonly used, machine-readable format and carried out by automatic means, the Amended Bill states that data portability applies only to electronic forms and which was collected or created by the porting organisation within a prescribed period before the request is received. It is mentioned if the electronic form should be unstructured or structured data, whether machine readable / parsable or human readable form. There is some argument that GDPR may be over regulatory defeating the purpose of privacy and conduct of business.
The PDPA focuses and puts the onus of complying with obligations on organizations. However, along with access and correction, data portability action is initiated by the individual. Access obligation (obligation from organization’s perspective and right from individual’s perspective) is a right to see and data portability is a right to move. There are exceptions for allowing data portability.
To comply with data portability, organizations must develop plans and procedures for securely transferring owner data in a structured, commonly used, machine-readable format. Data portability plans must include training internal IT staff on how to remain compliant with requirements. Data collectors and controllers should develop the means that will contribute to answer data portability requests, including interoperability, download tools and APIs. DPIAs will also aid in assessing any damage or breach that may be caused while porting data. As a good practice, organizations should comply with retention obligation where applicable.
As Singapore moves towards digitization, digitalization, and digital transformation, data portability plays a vital role in our daily lives and the wider digital economy.
Learn more about PDPA with Affinite Solutions
Partner with us to start your organisation's Data Protection Trustmark certified journey now. Gain valuable insights on the best PDPA practices and policies tailored to your business from our certified and dedicated consultants. Click the link below to learn more!