The Advisory Guidelines on Key Concepts in the Personal Data Protection Act, issued by the Personal Data Protection Commission on 23 September 2013, were revised on 16 May 2014. The revised guidance relates to (1) the limits on transfers of personal data out of Singapore, (2) personal data collected overseas and subsequently transferred into Singapore and (3) access to and correction of personal data. The revisions were made in conjunction with issuing a closing note for the public consultation on Proposed Regulations on Personal Data Protection in Singapore (which ended on 1 April 2013). Sector-specific advisory guidelines relating to the telecommunications sector and the real estate agency sector have also been issued. This comes just weeks before the full Personal Data Protection Act takes effect in Singapore, on 2 July 2014.

1. Background

1.1 PDPA

The Personal Data Protection Act 2012 (“PDPA”) establishes a general data protection law in Singapore, governing the collection, use and disclosure of individuals’ personal data by organisations. The PDPA also establishes the Personal Data Protection Commission (“PDPC”) to regulate the PDPA. The PDPC issues non-binding guidance on the manner in which the PDPC will interpret provisions of the PDPA.

Although the PDPA was adopted on 7 December 2012, its provisions came into effect in stages: the provisions relating to the formation of the PDPC came into effect on 2 January 2013, the provisions relating to the Do Not Call Registry came into effect on 2 January 2014 and the main data protection rules will come into force on 2 July 2014.

1.2 Regulations

Regulations relating to the Do Not Call Registry were adopted on 25 November 2013.

Proposed Regulations on Personal Data Protection in Singapore, relating to (1) requirements to be complied with by organisations for the transfer of personal data out of Singapore, (2) access to and correction of personal data and (3) individuals who may act for others under the PDPA, were consulted on between 5 February 2013 and 1 April 2013 (“Proposed Regulations”).

The closing note for the consultation on the Proposed Regulations, dated 16 May 2014 (“Closing Note”), contains extracts of regulations to be prescribed which are significantly different from the Proposed Regulations in a number of key areas, particularly in relation to requirements to be complied with by organisations for the transfer of personal data out of Singapore.

1.3 Guidelines

The following non-binding advisory guidelines have been issued by the PDPC:

  • Advisory Guidelines on Key Concepts in the Personal Data Protection Act (issued on 23 September 2013 and revised on 16 May 2014) (“Revised Key Concepts Guidelines”);
  • Advisory Guidelines on the Personal Data Protection Act for Selected Topics (issued on 24 September 2013 and revised on 16 May 2014);
  • Advisory Guidelines On The Do Not Call Provisions (issued on 26 December 2013);
  • Advisory Guidelines for the Telecommunication Sector (issued on 16 May 2014); and
  • Advisory Guidelines for the Real Estate Agency Sector (issued on 16 May 2014).

The PDPC has also commenced a public consultation on Proposed Advisory Guidelines for the Education, Healthcare and Social Service Sectors and Photography, which will close on 6 June 2014 (12.00pm).

The Revised Key Concepts Guidelines cover (1) requirements to be complied with by organisations for the transfer of personal data out of Singapore, (2) personal data collected overseas and subsequently transferred into Singapore and (3) access to and correction of personal data, as further discussed below.

2. Transfers of personal data out of Singapore

2.1 Summary of changes

The Revised Key Concepts Guidelines include a new chapter on requirements to be complied with by organisations for the transfer of personal data out of Singapore. The Revised Key Concepts Guidelines (and the Closing Note) provide that an organisation may transfer personal data overseas if it has taken appropriate steps to ensure that:

  • it will comply with the data protection provisions in the PDPA in respect of the transferred personal data while such personal data remains in its possession or under its control; and
  • any recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA in relation to the transferred personal data, which may include obligations imposed on the recipient under:
    • any law;
    • a contract that (1) requires the recipient to provide a standard of protection that is at least comparable to the protection under the PDPA in relation to the transferred personal data and (2) specifies the countries and territories to which the personal data may be transferred under the contract;
    • any binding corporate rules that (1) require every recipient to provide a standard of protection that is at least comparable to the protection under the PDPA in relation to the transferred personal data and (2) specify the recipients of the transferred personal data to which the binding corporate rules apply, the countries and territories to which the personal data may be transferred under the binding corporate rules and the rights and obligations provided by the binding corporate rules; or
    • any other legally binding instrument.

2.2 Comparable law

Notably, the Proposed Regulations did not expressly recognise that any law, presumably a general privacy or data protection law in the recipient country, could afford a standard of protection that is comparable to that under the PDPA.

While the Proposed Regulations did acknowledge that organisations would be allowed some flexibility to determine the means of providing a standard of protection comparable to that under the PDPA, they also required a legally binding instrument to be in place which contains certain prescribed obligations and safeguards.

2.3 Minimum clauses

There are some other areas of difference between the Revised Key Concepts Guidelines and the Proposed Regulations, in relation to the use of contractual clauses. For example:

  • the Revised Key Concepts Guidelines provide that contractual clauses should set out, as a minimum, protections with regard to access and correction (as well as purposes, accuracy, protection, retention and policies, other than in respect of data intermediaries where only protection and retention would be needed, even though the PDPC expects organisations would include all relevant areas); but
  • the Proposed Regulations provided that there would be no requirement for an organisation to require the receiving party to allow access to or correction of personal data transferred overseas.

The Proposed Regulations also contained more detailed requirements in relation to purpose, use and disclosure than covered in the Revised Key Concepts Guidelines.

2.4 Rationale for the changes

The Closing Note acknowledges that the use of contracts or binding corporate rules may not be tenable in all circumstances and that the PDPC has therefore proposed that the Minister prescribe regulations with the following avenues for international transfers of personal data:

  • Self-assessment of legally enforceable obligations: the assessment may include consideration of factors such as any law, any contracts or binding corporate rules governing the transfer of personal data, or any other legally binding instrument; and
  • Legitimate reasons: organisations may be taken to have satisfied the obligations regarding the transfer of personal data outside Singapore where:
    • the individual whose personal data are to be transferred is provided a reasonable summary in writing of the extent to which the personal data to be transferred will be protected to a standard comparable to the protection under the PDPA;
    • the transfer is necessary for the performance of a contract between the individual and the organisation, or the transfer is done at the individual’s request with a view to the individual entering into a contract with the organisation; or
    • the transfer is necessary to carry out or conclude a contract between the organisation and a third party entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest.

The PDPC has also proposed that regulations provide for cross-border transfers to be permitted where:

  • the transfer is necessary for the personal data to be used or disclosed in certain specified situations (in the individual’s/national interest, where consent has not been obtained) and the organisation has taken reasonable steps to ensure that the personal data so transferred will not be used or disclosed by the recipient for any other purpose;
  • the personal data are in transit; or
  • the personal data are publicly available in Singapore.

The PDPC is also assessing whether any future participation in the APEC CBPR System should be another avenue for cross-border transfers to organisations within APEC economies.

2.5 Appropriate steps

The Revised Key Concepts Guidelines and Closing Note set out the circumstances in which an organisation transferring personal data to a country or territory outside Singapore is taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA in relation to the transferred personal data, as follows:

  • the individual whose personal data are to be transferred gives consent to the transfer (the organisation should, among other things, provide the individual with a reasonable written summary of the extent to which the personal data transferred to those countries and territories will be protected to a standard comparable to the protection under the PDPA);
  • the transfer is necessary for the performance of a contract between the organisation and the individual, or to do anything at the individual’s request with a view to the individual entering into a contract with the organisation;
  • the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
  • the transfer is necessary for a use or disclosure in certain specified situations where the consent of the individual is not required under the PDPA, whereby the organisation may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
  • the personal data are data in transit; or
  • the personal data are publicly available in Singapore.

3. Access and correction

In summary, the Revised Key Concepts Guidelines or Closing Note provide as follows:

  • Access request: an individual may submit a request to an organisation for access to some or all of the individual’s personal data in the possession or under the control of the organisation, and for information about the ways in which the personal data have been or may have been used or disclosed by the organisation within the period of a year before the date of the individual’s request;
  • Response to access request: an organisation:
    • should exercise due diligence and adopt appropriate measures to verify an individual’s identity or to verify that the person making the request is validly acting on behalf of the individual;
    • must respond by providing the individual access to the complete set of personal data requested by the individual in the organisation’s possession or under its control, unless any relevant exception or restriction in the PDPA applies;
    • is not required to provide access to documents (or systems) which do not comprise or contain the personal data in question, as long as the organisation provides the individual with personal data that the individual is entitled to access under the PDPA, and may provide only personal data (or the sections of the document containing personal data) if it is feasible for it to do so;
    • does not need to provide access to information which is no longer within its possession, or under its control, when the access request is received;
    • may provide the individual with a reasonable opportunity to examine the requested data if the requested personal data resides in a form that cannot practicably be provided to the individual in documentary form, whether as physical or electronic copies; and
    • may charge a reasonable fee for access to the individual’s personal data, in order to allow organisations to recover the incremental costs of responding to access requests, having first given the relevant individual a written estimate of the fee and of any increase to it;
  • Data intermediaries: if an organisation has transferred personal data to a data intermediary that is processing the personal data under the control of the organisation, the organisation’s response to an access or correction request must take into account the personal data in the possession of the data intermediary;
  • Correction: an individual may submit a request for an organisation to correct an error or omission in the individual’s personal data in the possession or under the control of the organisation. Upon receipt of any such request, the organisation is required to consider whether the correction should be made; and
  • Timing: an organisation should respond to an access or correction request within 30 days from the time the request is made. If an organisation is unable to respond within 30 days, the organisation must inform the individual in writing, within that time frame, of the time by which it will be able to respond to the request (which should be the soonest possible time it can provide access or the soonest practicable time it can make the correction).

4. Other areas

The Closing Note also covers individuals who may act for others under the PDPA, in relation to the minimum age for exercising rights and powers under the PDPA and the order of priority among the nearest relatives of a deceased individual.

The Revised Key Concepts Guidelines also cover personal data collected overseas and subsequently transferred into Singapore (and provide that the data protection provisions in the PDPA will apply in respect of activities involving the personal data in Singapore).

The Advisory Guidelines on the Personal Data Protection Act for Selected Topics, issued on 24 September 2013 and revised on 16 May 2014, have not been revised in any substantial way, other than to add a section on data activities relating to minors.

The Advisory Guidelines for the Telecommunication Sector, issued on 16 May 2014, cover the unique circumstances faced by the telecommunications sector in complying with the PDPA, including in relation to telephone and mobile equipment identity numbers, roaming, subscriber identity, itemised bills, pre-paid mobile services, advertisements in bills, rights and obligations under other laws and the Do Not Call provisions.

The Advisory Guidelines for the Real Estate Agency Sector, issued on 16 May 2014, cover the unique circumstances faced by the real estate agency sector in complying with the PDPA.