On 8 May 2015, the Personal Data Protection Commission (the “Commission”) issued new advisory guidelines and helpful guides to help organisations, in particular small and medium enterprises, understand and comply with the Personal Data Protection Act (the “PDPA”). These additional guidelines focus on the requirement to obtain consent for marketing, protection of electronic personal data and managing of data breaches.
Set out below are highlights of the new advisory guidelines and helpful guides which are available from the Commission’s website www.pdpc.gov.sg. Please click on the relevant titles below to read further.
Obtaining consent for marketing
- Advisory Guidelines on Requiring Consent for Marketing Purposes: These guidelines focus on situations where organisations may wish to obtain an individual’s consent for: (a) sending marketing materials to the individual (whether by post, text, voice call, e-mail or otherwise); or (b) using the individual’s personal data for any other marketing activities by the organisation (e.g. publishing customers’ personal data in publicity materials). The guidelines set out a few common scenarios to illustrate how organisations may obtain consent in compliance with the PDPA.
- Sample Clauses for Obtaining and Withdrawing Consent: Organisations may refer to this guide for sample clauses to obtain an individual’s consent to collect, use or disclose personal data for particular purposes, as well as for an individual to withdraw consent or otherwise indicate non-consent.
Protecting electronic personal data and managing data breaches
- Is Personal Data Safe with Your Organisation?: This guide provides information on electronic personal data protection and sets out some recommendations on good information and communications technology (“ICT”) practices that organisations may consider implementing. There are also suggestions on safe disposal of electronic personal data.
- Guide to Securing Personal Data in Electronic Medium: This guide is for persons who are responsible for data protection within an organisation and also persons who supervise or work with ICT systems and processes. Some ICT knowledge will be required to understand the terminology and concepts used. This guide provides: (a) information on common topics related to security and protection of electronic personal data; (b) suggestions on good practices to protect electronic personal data; and (c) recommendations on enhanced practices to further improve protection of electronic personal data.
- Guide to Managing Data Breaches: This guide aims to help organisations manage personal data breaches effectively. It provides examples on how data breaches could occur (e.g. hacking, human error or computer system error) and the steps to take in responding to a data breach. A data breach is described in the guide as referring to the unauthorised access and retrieval of information that may include corporate and personal data. The guide advises organisations to notify the Commission as soon as possible of data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.
Other recent PDPA developments
Pursuant to the Fourth Schedule of the PDPA, an organisation may disclose personal data about an individual without the consent of the individual to a public agency for the purposes of policy formulation or review if the personal data concerns the current or former patients of a healthcare institution licensed under the Private Hospitals and Medical Clinics Act or any other prescribed healthcare bodies. Pursuant to the Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 which came into effect on 1 March 2015, the “prescribed healthcare bodies” are as follows:
- Agency for Integrated Care Pte. Ltd.
- Alexandra Health System Pte. Ltd.
- Eastern Health Alliance Pte. Ltd.
- Jurong Health Services Pte. Ltd.
- National Healthcare Group Pte. Ltd.
- National University Health System Pte. Ltd.
- Singapore Health Services Pte Ltd
- An organisation that is an approved provider within the meaning of the Medical and Elderly Care Endowment Schemes Act.
The PDPA establishes the Singapore regime for the protection of personal data, ensuring a baseline standard of protection for individuals’ personal data across the economy. The PDPA contains two main sets of provisions, covering personal data protection and the Do Not Call (“DNC”) Registry, which organisations are required to comply with.
The personal data protection regime focuses on the protection of an individual’s “personal data”, i.e. data, whether true or not, about an individual who can be identified from that data or other accessible information. The DNC provisions require organisations to generally check the DNC Registry before sending telemarketing messages to consumers with Singapore telephone numbers via voice call, text message or fax.