The Singapore Parliament recently passed the long-awaited Personal Data Protection Bill ("PDPA") after its third reading. The PDPA establishes a baseline data protection framework that applies to all organisations in the private sector. This implies that private sector organisations in certain highly regulated industries (e.g. banks, telecommunication service providers, healthcare institutions) will additionally have to comply with data protection requirements set out in sector-specific regulations.
The other major component of the PDPA is the establishment of a national do-not-call ("DNC") registry, which will hopefully provide individuals with a simple and efficient way to opt out of receiving unsolicited marketing messages. Essentially, organisations intending to make marketing calls or send marketing messages or facsimiles to a Singapore telephone number would be required to filter their list against the relevant DNC register (more on this below).
The PDPA is expected to be gazetted in the beginning of 2013, but the substantive provisions of the PDPA will only come into effect after a sunrise period of 18 months for the data protection framework, and a sunrise period of 12 months for the implementation of the DNC registry. This transition period allows the Personal Data Protection Commission ("Commission") time to engage in outreach efforts to build up awareness on the requirements imposed by the PDPA, and affords organisations an opportunity to "get their houses in order" for achieving compliance with the PDPA.
Key features of the data protection framework
Consent for collection, use and disclosure of personal data
The basic premise of the data protection framework set out in the PDPA is centred around notice and consent, and seeks to circumscribe the collection, use and disclosure of personal data by organisations by reference to the purposes disclosed to and agreed by the data subject. However, the PDPA also seeks to balance the right of an individual to control the use of his/her personal data against the legitimate need of organisations to process personal data, by putting in place a more flexible mechanism for deemed consent and various exemptions where consent is not required. Further, any processing of personal data that is authorised under other written laws will also not require the consent of the individual.
There are a number of constraints that organisations should take note of in seeking to obtain the requisite consent from consumers. For example, organisations are not allowed to extract consent by imposing this as a condition for the provision of goods or services to the data subject, where such consent is not reasonably required for the provision of the said goods or services. The purposes for which personal data may be processed are also required to be reasonably appropriate, even if expressly disclosed to the individual. Finally, it goes without saying that consent obtained through the provision of false or misleading information, or through deceptive or misleading practices will not constitute valid consent.
Consent (including deemed consent) can be withdrawn by the data subject at any time upon provision of reasonable notice to the organisation. Upon receipt of such a notice, the organisation can seek to educate the individual about the likely consequences of withdrawal of consent, but cannot prohibit the individual from withdrawing his/her consent.
In order to reduce costs associated with compliance with the PDPA, organisations are permitted to continue using personal data collected before the expiry of the 18-month sunrise period (i.e. the appointed date) for the purposes for which the personal data was collected. In other words, such pre-existing personal data would effectively be "grandfathered", and deemed to have been collected with the requisite consent. Naturally, this would not apply where the individual concerned indicates that he/she does not in fact consent, or withdraws his/her consent.
Access and correction of personal data
In keeping with the theme of transparency, an individual is given the right to request an organisation to disclose personal data about him/her that is in its possession or under its control, as well as information regarding how such personal data has been or may have been used or disclosed by the organisation within the year preceding the request. The organisation is required to comply with such a request unless it is able to rely on one of the exceptions or exemptions set out in the PDPA.
As a corollary to the foregoing obligation, the data subject also has the right to request the organisation to correct any error or omission in the personal data held by the organisation. If the organisation does act upon such a request for correction, it is also required to inform other organisations to which the personal data was disclosed within a year before the date the correction was made.
Retention of personal data
Besides the foregoing obligations, an organisation that retains personal data is subject to a number of other obligations. For example, the organisation is required to make a reasonable effort to ensure that personal data collected by or on behalf of it is accurate and complete.
The organisation is also required to adopt reasonable security measures to safeguard the personal data against unauthorised access, copying, modification etc. Finally, the organisation is required to delete or anonymise the personal data when retention is no longer required for business or legal reasons. It should be highlighted that these last two obligations are the only obligations under the data protection framework that would apply to data intermediaries (i.e. organisations that process personal data on behalf of another organisation).
While the obligations associated with the retention of personal data are not unduly onerous, they will necessarily imply administrative and financial overheads for the organisation. This constitutes a major factor discouraging organisations from engaging in wanton or excessive data collection practices.
Transfer of personal data outside of Singapore
The bill that was read in Parliament contains a new provision governing the transfer of personal data by an organisation to a recipient in a jurisdiction outside of Singapore. Organisations engaging in such transfers of personal data will be required to comply with prescribed requirements to ensure that the personal data will enjoy a comparable standard of protection. The PDPA also provides for exemptions from such requirements to be granted in appropriate circumstances. However, there is no visibility as to what the prescribed requirements or the requirements for exemption would look like at this point in time. Based on the report of the parliamentary debates on the PDPA, however, we suspect that the requirements will be principle-based and not overly prescriptive.
Implementation of the DNC registry
As alluded to above, the PDPA envisages the implementation of a national DNC registry for consumers to opt out of receiving marketing calls. The framework for the DNC registry will apply to any Singapore telephone number (including business numbers). It is expected that there will be 3 separate registers covering telephone calls, messages (SMS, MMS and instant messages sent via the data line) and facsimiles. Registration will be free and will not expire - a telephone number registered on the DNC registry will only be removed upon the consumer's application, or if the telephone number is subsequently terminated.
The obligations imposed would apply insofar as the sender (which is defined broadly to include the organisation authorising the making of a call or sending of a message) or recipient of a specified message is present in Singapore at the time the message is sent or accessed, as the case may be. This implies that the framework for the DNC registry would potentially have extraterritorial effect, although it remains to be seen how vigorously the Commission will enforce such obligations on offshore organisations.
In terms of the types of "specified messages" covered under the ambit of the DNC registry, the PDPA adopts a definition that appears to be adapted from the definition of a "commercial electronic message" under the Spam Control Act. However, there are a number of significant differences. In particular, an electronic message will only be deemed to be of a commercial nature under the Spam Control Act if the "primary purpose" of the message is one of the specified purposes, but a message will constitute a specified message under the proposed PDPA so long as "one of the purposes" of the message is one of the specified purposes. The good news is that the PDPA now contains a specific exclusion for business-to-business marketing communication.
Organisations are required to check the relevant DNC register before sending any specified message to a Singapore telephone number. Such checks have to be performed on a recurring basis - the check must have been performed within the 30 days preceding the contact (although a longer window of 60 days will be permitted for the initial 6-month period). We anticipate that the process will involve the organisation uploading its contact list through a facility provided by the Commission, which will then be filtered and returned with the registered telephone numbers removed. There will be a cost associated with every such request.
Organisations that wish to send a specified message to a Singapore telephone number registered with the DNC registry are required to obtain "clear and unambiguous" consent from the relevant individual, either in writing or in such other form so as to be accessible for subsequent reference. While the current formulation of the consent required is arguably preferable to the previous requirement for "explicit" consent, we foresee that there may be difficulties establishing whether consent given was clear and unambiguous in certain scenarios. For example, while the use of a general or vaguely-worded clause buried within pages of other terms and conditions is unlikely to constitute clear and unambiguous consent, this clearly necessitates a qualitative assessment and engenders uncertainty.
Further, there are also constraints imposed upon the process by which such clear and unambiguous consent is obtained. Similar to the consent required for the collection, use and disclosure of personal data, the consent should not have been given as a condition for the supply of goods, services, land, interest or opportunity, beyond what is reasonable to provide the relevant goods, services, land, interest or opportunity, or obtained through the provision of false or misleading information or deceptive or misleading practices. These restrictions are also likely to prove problematic in practice.
Preparing for compliance with the PDPA
Notwithstanding the sunrise period, we would encourage any organisation that would be subject to the requirements of the PDPA to start taking steps to identify measures that are required to achieve compliance. The first step would typically be the conduct of a privacy audit to determine the compliance "gaps" that need to be plugged before the end of the sunrise period.
The organisation should also start to identify employee(s) who would be suitable for the role of "data protection officer", and who should spearhead efforts to get the organisation's practices in shape before the appointed date. Such efforts will likely include the drafting of new policies or the review of existing policies on the organisation's data privacy practices, both internally (for employee data) and externally (for customer data). Training will need to be conducted to familiarise employees with the requirements of the PDPA and the compliance measures undertaken by the organisation.
This may be an opportune time for organisations to perform some "spring-cleaning" of the personal data that is either in their possession or under their control. Where such personal data is no longer required for business or statutory purposes, it should be destroyed or anonymised in keeping with the requirements of the PDPA. As mentioned, this will serve to reduce the administrative and financial overheads incurred by the organisation in complying with the PDPA going forward.
Finally, it may be worthwhile for organisations to devise a method to identify pre-existing personal data that the organisation decides to retain. The purposes for which such pre-existing personal data has been processed should be mapped to the data, and either recorded in writing or notified to the data subjects, where appropriate. This will go some way towards mitigating some of the risk factors associated with the grandfathering provision highlighted above.