On 15 October 2012, Parliament passed the Personal Data Protection Bill. The resulting Personal Data Protection Act (PDPA) is being brought into effect in phases, in accordance with the schedule proposed by the Ministry of Communications and Information following a public consultation held between March and April 2012.
Some aspects of the PDPA have already come into effect in two previous phases: (1) provisions relating to the constitution of the Personal Data Protection Commission (PDPC) on 2 January 2013; and (2) provisions relating to the Do-Not-Call Registry on 2 January 2014. The main provisions of the PDPA relating to the obligations of organisations and data protection (Provisions) are proposed to come into effect on 2 July 2014.
In this article, we look briefly at some matters which organisations should know in anticipation of the Provisions coming into effect.
Who must comply with the data protection provisions?
An organisation is defined in the PDPA as “any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore”. Every organisation must comply with the Provisions unless it falls within one of the following categories:-
- an individual acting in a personal or domestic capacity;
- an employee acting in the course of his or her employment with an organisation;
- a public agency or an organisation acting on behalf of a public agency in relation to the collection, use and disclosure of the data; or
- a data intermediary (who “processes personal data on behalf of another organisation but does not include an employee of that other organisation”), in which case, the protection and retention obligations under sections 24 and 25 of the PDPA still apply.
An organisation that engages a data intermediary retains full responsibility for all obligations under the Provisions, as if the data were processed by the organisation itself.
The Provisions set out the obligations of organisations relating to personal data of individuals in the following areas:-
- collection, use and disclosure;
- access and correction;
- retention and protection; and
Organisations must appoint at least one individual to be responsible for ensuring that the organisation complies with the PDPA (a Data Protection Officer). The business contact information of at least one Data Protection Officer must be made publicly available.
There are no other systems expressly prescribed in the PDPA.
However, organisations must develop and implement the policies and practices necessary to meet their obligations under the PDPA, and must communicate those policies and practices, and information about them, to their staff; this may be done through manuals or training sessions.
Organisations must develop a process to receive and respond to complaints that individuals may raise with respect to the PDPA. Organisations must also be ready at all times to furnish, on request, information about their policies and processes relating to personal data.
Collection, use and disclosure
Organisations are prohibited from collecting, using or disclosing personal data unless the relevant individuals have given, or are deemed to have given, their consent, or the collection, use or disclosure is required or authorised under the PDPA or any other written law. Obtaining consent is not enough on its own: organisations must also ensure that personal data is collected, used and disclosed only for the purposes for which the individuals have given, or are deemed to have given, consent.
Consent may be obtained in written or verbal form, though with verbal consent, it would also be good practice to subsequently obtain confirmation of the consent in writing.
A crucial aspect of consent is notification to the individual concerned of the purpose of the collection, use or disclosure of his/her personal data.
While there is no prescribed manner or form for such notification, it is generally good practice for an organisation to state its purposes in writing (electronically or in another documentary form). This ensures that individuals are clear about the purposes for which their personal data is being collected, used or disclosed, and gives both the individual and the organisation a clearly documented statement to refer to in the event of a dispute. Whether or not the notification is in writing, it should be clear, provide the appropriate information, and be easily accessible and comprehensible.
Organisations should also consider developing processes to regularly review the effectiveness and relevance of their notification policies and practices.
Access and correction
Organisations must be able, on request, to provide an individual with the personal data about that individual which is in the possession or under the control of the organisation, together with information about the ways in which that personal data has been or may have been used or disclosed within the year before the date of the request.
Organisations must also be able to correct an individual’s personal data on request and to send the corrected data to every other organisation to which the data was disclosed within the year before the correction was made, unless that other organisation does not need the corrected data for any legal or business purpose. Both access and correction must be provided as soon as reasonably possible.
Reasonable effort must be made to ensure that the data collected is accurate and complete. In doing so, organisations should take into account certain factors with respect to the data such as its nature and significance to the individual concerned, the purpose for its collection, use or disclosure, its reliability, its currency, and the impact on the individual concerned if such data is inaccurate or incomplete. Organisations should therefore perform risk assessments and may consider requiring individuals or third party sources to give declarations of accuracy and completeness and/or assurances of verification of the accuracy and completeness of personal data at the time of collection.
Retention and protection
Organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, and similar risks. Those arrangements should be designed to fit the nature of the data held and the harm that could result from a breach, and the organisation should be prepared to respond promptly and effectively if a breach does occur.
Well-trained, reliable personnel should be made responsible for the security of the data, and organisations should implement robust policies and procedures that provide an appropriate level of security for data of varying levels of sensitivity.
Examples of such procedures and systems include imposing confidentiality obligations on employees and conducting regular staff training on good data-handling practice and on the threats to stored personal data. Employee access may be restricted on a “need-to-know” basis, and privacy filters, self-locking and/or time-out mechanisms may be installed on software to reduce unauthorised use of the organisation’s facilities and equipment, such as laptops. Organisations should also satisfy themselves that their IT service providers can deliver the requisite standard of IT security.
Organisations should also review the adequacy of their security systems from time to time.
Organisations have an obligation to cease to retain documents containing personal data, or remove the means by which the data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose(s) for which the data was collected is no longer being served and that its retention is not necessary for legal or business purposes.
Organisations should therefore review the personal data they hold regularly to determine whether it is still needed and whether the purposes for which it was collected or disclosed are still current. As a best practice, organisations should prepare a retention policy setting out their approach to the retention period for each category of personal data.
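To make the retention review described above concrete, the following Python script is an added illustration written for this article; it is not code from the PDPC or any organisation, and the retention periods, purposes, field names and sample records in it are all assumed. It applies a per-purpose schedule to a set of records, honours a legal hold (retention still necessary for a legal purpose), and for each lapsed record either deletes it or strips the fields that could associate it with an individual while keeping non-identifying business data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed, illustrative retention policy keyed by the purpose for which the data
# was collected: (days to keep after the purpose ends, action once that lapses).
# "delete" destroys the record; "anonymise" strips the identifying fields so the
# remaining data can no longer be associated with an individual.
RETENTION_POLICY = {
    "order_fulfilment": (30, "delete"),
    "warranty_claims": (730, "anonymise"),  # de-identified claim statistics stay useful
    "marketing": (0, "delete"),             # nothing to keep once the purpose ends
}

# Free-text notes are treated as identifying because staff tend to name people in them.
IDENTIFYING_FIELDS = ("name", "email", "nric", "notes")


@dataclass(frozen=True)
class Record:
    record_id: str                     # assumed internal key not mapped to a person elsewhere
    purpose: str
    product: str                       # non-identifying business attribute worth keeping
    name: Optional[str] = None
    email: Optional[str] = None
    nric: Optional[str] = None
    notes: Optional[str] = None
    purpose_ended: Optional[date] = None   # None while the purpose is still being served
    legal_hold: bool = False               # e.g. the subject of a pending dispute


def retention_deadline(rec: Record) -> Optional[date]:
    """Date after which the record may no longer be retained, or None if still in use."""
    if rec.purpose_ended is None:
        return None
    if rec.purpose not in RETENTION_POLICY:
        # A purpose with no defined period is a policy gap; fail loudly rather than keep forever.
        raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
    days, _ = RETENTION_POLICY[rec.purpose]
    return rec.purpose_ended + timedelta(days=days)


def decide(rec: Record, today: date) -> str:
    """Return 'keep', 'hold', 'delete' or 'anonymise' for one record."""
    if rec.legal_hold:
        return "hold"                       # a legal purpose overrides the schedule
    deadline = retention_deadline(rec)
    if deadline is None or today <= deadline:
        return "keep"
    return RETENTION_POLICY[rec.purpose][1]


def anonymise(rec: Record) -> Record:
    """Remove every field that could associate the record with an individual."""
    return replace(rec, **{field: None for field in IDENTIFYING_FIELDS})


def sweep(records, today: date):
    """Apply the policy; return (surviving records, report of record ids per action)."""
    survivors = []
    report = {"keep": [], "hold": [], "delete": [], "anonymise": []}
    for rec in records:
        action = decide(rec, today)
        report[action].append(rec.record_id)
        if action == "delete":
            continue
        survivors.append(anonymise(rec) if action == "anonymise" else rec)
    return survivors, report


# Constructed sample data for the demonstration (fictitious individuals).
SAMPLE = [
    Record("r1", "order_fulfilment", "laptop", name="Tan Ah Kow", email="tak@example.com",
           purpose_ended=date(2014, 5, 1)),                          # 30 days have lapsed
    Record("r2", "order_fulfilment", "phone", name="Lim Mei", email="lm@example.com",
           purpose_ended=date(2014, 6, 20)),                         # still within 30 days
    Record("r3", "warranty_claims", "laptop", name="Ong Bee", nric="S1234567A",
           notes="called about Ong Bee's screen", purpose_ended=date(2012, 3, 1)),  # lapsed
    Record("r4", "warranty_claims", "phone", name="Raj Kumar",
           purpose_ended=date(2012, 3, 1), legal_hold=True),         # lapsed but under hold
    Record("r5", "marketing", "phone", email="news@example.com"),    # purpose still active
]

if __name__ == "__main__":
    kept, report = sweep(SAMPLE, date(2014, 7, 2))
    print(report)
    for rec in kept:
        print(rec)
```

Two design points are worth noting. A keyed hash of the name or NRIC would be pseudonymisation, not anonymisation, because whoever holds the key can still re-identify the record, so the script drops the identifying fields outright. The retained record_id is assumed to be a purely internal key; if it is referenced by another system that still holds the individual's details, it too is a means of association and should be dropped.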
Consequences of non-compliance
Failure to comply with the Provisions may result in any of the following:-
- a review or investigation of the organisation’s conduct by the PDPC, which may give such directions as it sees fit under sections 28(2) and 29(2) of the PDPA, including a financial penalty of up to S$1 million; or
- where an individual has suffered loss or damage directly as a result of a contravention of Part IV, V or VI of the PDPA (collection, use and disclosure; access and correction; and care of personal data, including protection and retention), civil proceedings brought by that individual against the organisation.
This raises the question: how ready is your organisation?