Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

Prior to the enactment of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), Singapore did not have an overarching law governing the protection of personally identifiable information. The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks will continue to operate alongside the PDPA.

The PDPA was implemented in three phases. On 2 January 2013, selected provisions of the PDPA came into operation. These include provisions that:

  • set out the scope and interpretation of the PDPA;
  • provide for the establishment of the Personal Data Protection Commission (PDPC) and the Data Protection Advisory Committee (DPAC); and
  • provide for the establishment of Do-Not-Call (DNC) registers by the PDPC, and other general provisions of the PDPA.

On 2 January 2014, provisions relating to the DNC registry came into force; and the main data protection provisions under parts III to VI of the PDPA came into effect on 2 July 2014. The main data protection provisions set out the obligations of organisations with respect to the collection, use, disclosure, access to, correction and care of personal data.

There are various regulations and advisory guidelines under the PDPA which deal with specific issues in greater detail.

The Personal Data Protection Regulations 2014 (the PDP Regulations) were gazetted on 19 May 2014. The PDP Regulations supplement the PDPA in three key areas as follows:

  • the requirements for transfers of personal data out of Singapore;
  • the form, manner and procedures for making and responding to requests for access to or correction of personal data; and
  • persons who may exercise rights in relation to disclosure of personal data of deceased individuals.

The other regulations issued under the PDPA are:

  • Personal Data Protection (Composition of Offences) Regulations 2013;
  • Personal Data Protection (Do Not Call Registry) Regulations 2013;
  • Personal Data Protection (Enforcement) Regulations 2014; and
  • Personal Data Protection (Appeal) Regulations 2015.

In addition, the PDPC has issued a number of advisory guidelines and guides to provide greater clarity on the interpretation of the PDPA. The PDPC has also developed sector-specific advisory guidelines for the telecommunication sector, the real estate agency sector, the education sector, the healthcare sector, the social service sector, for transport services for hire (specifically in relation to in-vehicle recordings) and for management corporations. The PDPC also publishes an annual Personal Data Protection Digest (PDP Digest), which is a compendium comprising the PDPC’s grounds of decisions, summaries of unpublished cases in which no breach was found and a collection of data protection-related articles contributed by data protection practitioners.

The formulation of the PDPA framework has taken into account international best practices on data protection. As indicated during the second reading of the PDPA in Parliament, the then Minister of Information, Communications and the Arts had referred to the data protection frameworks in key jurisdictions such as Canada, New Zealand, Hong Kong and the European Union, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework, in developing the PDPA framework.

The PDPC is currently undertaking a review of the PDPA, and has held three public consultations in this regard. First, the Public Consultation for Approaches to Managing Personal Data in the Digital Economy (issued 27 July 2017) sought the public’s views on introducing:

  • a Proposed Enhanced Framework for the Collection, Use and Disclosure of Personal Data; and
  • a Proposed Mandatory Data Breach Notification Requirement.

The consultation closed on 5 October 2017, and the PDPC issued a response to the feedback received on 1 February 2018.

Second, the Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (issued 27 April 2018) sought the public’s views on:

  • streamlining the DNC provisions in Part IX of the PDPA and the Spam Control Act into a single legislation governing all unsolicited commercial messages;
  • introducing an Enhanced Practical Guidance framework under the PDPA, which allows the PDPC to provide guidance to organisations with greater clarity and certainty; and
  • streamlining the exceptions to obtaining consent for the collection, use and disclosure of personal data, found in the Second, Third and Fourth Schedules to the PDPA.

The consultation closed on 12 June 2018, and the PDPC issued a response to the feedback received on 8 November 2018.

Third, the Public Consultation on Review of the Personal Data Protection Act 2012 - Proposed Data Portability and Data Innovation Provisions (Data Portability and Data Innovation Public Consultation) (issued 22 May 2019) sought the public’s views on:

  • introducing a Data Portability Obligation, which requires an organisation, at the request of an individual, to transmit the individual’s data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format; and
  • introducing provisions in the PDPA to clarify that organisations can use personal data (collected in compliance with the Data Protection Provisions of the PDPA) for the purposes of: (i) operational efficiency and service improvements; (ii) product and service development; or (iii) knowing customers better.

On 20 February 2018, Singapore became the sixth APEC economy to participate in the APEC Cross-Border Privacy Rules (CBPR) system, along with the USA, Mexico, Canada, Japan and the Republic of Korea. Singapore also became the second APEC economy to participate in the APEC Privacy Recognition for Processors (PRP) system. Collectively, the CBPR and PRP systems allow a smoother exchange of personal data among certified organisations in participating economies, and ensure that data protection standards are maintained for consumers in the Asia-Pacific region.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The PDPA is administered and enforced by the PDPC. The PDPC was originally established as a statutory body under the PDPA on 2 January 2013 and was under the purview of the Ministry of Communications and Information (MCI). With effect from 1 October 2016, the PDPC has been subsumed as a department/division under the Info-communications Media Development Authority (IMDA).

The PDPC may initiate an investigation to determine whether an organisation is compliant with the PDPA, upon receipt of a complaint or on its own motion. As set out in the Advisory Guidelines on Enforcement of Data Protection Provisions (Enforcement Guidelines), the factors that the PDPC may consider in deciding whether to commence an investigation include:

  • whether the organisation may have failed to comply with all or a significant part of its obligations under the PDPA;
  • whether the organisation’s conduct indicates a systemic failure by the organisation to comply with the PDPA or to establish and maintain the necessary policies and procedures to ensure its compliance;
  • the number of individuals who are, or may be, affected by the organisation’s conduct;
  • the impact of the organisation’s conduct on the complainant or any individual who may be affected;
  • whether the organisation had previously contravened the PDPA or may have failed to implement the necessary corrective measures to prevent the recurrence of a previous contravention;
  • whether the complainant had previously approached the organisation to seek a resolution of the issues in the complaint but failed to reach a resolution;
  • where the PDPC has sought to facilitate dispute resolution between the complainant and the organisation, whether the complainant and the organisation agreed to participate in the dispute resolution process and their conduct during the dispute resolution process and the outcome of the dispute resolution process;
  • where the PDPC has commenced a review, whether the organisation has complied with its obligations under the Enforcement Regulations in relation to a review, the organisation’s conduct during the review and the outcome of the review;
  • public interest considerations; and
  • any other factor that, in the PDPC’s view, indicates that an investigation should or should not be commenced.

In the course of its investigation, the PDPC is empowered to:

  • by notice in writing, require any organisation to produce any specified document or to provide any specified information;
  • by giving at least two working days’ advance notice of intended entry, enter an organisation’s premises without a warrant; and
  • obtain a search warrant to enter an organisation’s premises, and search the premises or any person on the premises (the latter, if there are reasonable grounds for believing that he or she has in his or her possession any document, equipment or article relevant to the investigation), and take possession of, or remove, any document and equipment or article relevant to an investigation.

The PDPC is also empowered to review complaints in relation to access and correction requests (see questions 37 and 38 for more information on access and correction requests).

The PDPA also establishes the Data Protection Advisory Committee (DPAC), which advises the PDPC on matters relating to the review and administration of the personal data protection framework, such as key policy and enforcement issues. Currently, the Advisory Committee is headed by Mr Leong Keng Thai, who is also the Deputy Chief Executive Officer of the IMDA.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

The PDPC may enter into a co-operation agreement with a foreign data protection authority for data protection matters such as cross-border co-operation. Co-operation may take the form of information exchange or any other assistance as necessary to assist in the enforcement or administration of data protection laws.

Specifically, section 10 of the PDPA provides that the co-operation agreement has to be entered into for the purposes of:

  • facilitating co-operation between the PDPC and another foreign data protection authority in the performance of their respective functions insofar as those functions relate to data protection; and
  • avoiding duplication of activities by the PDPC and another foreign data protection authority, being activities involving the enforcement of data protection laws.

In this regard, the cooperation agreement may include provisions to:

  • enable the PDPC and the other foreign data protection authority to furnish to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
  • provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
  • enable the PDPC and the other foreign data protection authority to forbear to perform any of their respective functions in relation to a matter in circumstances where it is satisfied that the other is performing functions in relation to that matter.

Under the PDPA, the PDPC may only furnish information to a foreign data protection authority pursuant to a cooperation agreement if it requires of and obtains from that authority an undertaking in writing by it that it will comply with terms specified in that agreement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the PDPC.

Where the information requested contains personal data that is treated as confidential under the PDPA, the PDPC may only disclose the information to the foreign data protection authority if the following conditions are satisfied:

  • the information or documents requested by the foreign data protection authority are in the possession of the PDPC;
  • the foreign data protection authority undertakes to keep the information confidential at all times; and
  • the disclosure of the information is not likely to be contrary to the public interest (section 59(5) of the PDPA).

The PDPC is also a participant in the Asia Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement (APEC CPEA), which creates a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Generally, the powers of the PDPC in the enforcement of any breach of data protection law include:

  • powers relating to alternative dispute resolution;
  • powers relating to review applications; and
  • powers of investigation.

Any individual affected by an organisation’s non-compliance with any of the main data protection provisions may lodge a complaint with the PDPC. Upon receipt of a complaint, the PDPC may investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution. As mentioned in question 2, the PDPC may commence an investigation in respect of potential breaches of the PDPA further to a complaint, or on its own motion.

In this regard, the Enforcement Guidelines and the public guidance published on the PDPC’s website as of 31 May 2019 state that, when a complaint is received by the PDPC, the PDPC may assess whether it can help to address the individual’s concerns by facilitating communications between the individual and the organisation.

If the individual and the organisation are unable to resolve the matter directly and require additional assistance, the PDPC may refer the matter for mediation by a qualified mediator where both the complainant and the organisation involved have consented to the same.

According to the PDPC’s Guide on Active Enforcement (published 22 May 2019), in considering whether to take enforcement action on data breaches, the PDPC is guided by the following key objectives:

  • to respond effectively to breaches of the PDPA where the focus is on those that adversely affect large groups of individuals and where the data involved are likely to cause harm or loss to the affected individuals;
  • to be proportionate and consistent in the application of enforcement action on organisations that are found in breach of the PDPA, where penalties imposed serve as an effective deterrent to those that risk non-compliance with the PDPA; and
  • to ensure that organisations that are found in breach take proper steps to correct gaps in the protection of personal data.

As to the type of enforcement action it may take, the PDPC may choose to do any one of the following:

  • Suspension or discontinuation of the investigation: the PDPC may discontinue investigations and simply issue an advisory notice where the impact is assessed to be low. Examples of circumstances where the PDPC may do so include where the complainant has not complied with a direction, the parties involved have mutually agreed to settle, or any party has commenced legal proceedings in respect of any contravention of the PDPA.
  • Undertaking: the PDPC may initiate an undertaking process, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent recurrence. A key consideration is the effectiveness of the remediation plan and the organisation’s readiness to implement it forthwith. The organisation’s request to invoke the undertaking process must be made very soon after the incident is known - that is, either upon commencement of investigations or in the early stages of investigations. The PDPC will not accept an undertaking request in certain cases, for example, where the organisation denies responsibility for the data breach incident, where the organisation requests time to produce a remediation plan, or where the organisation does not agree to the undertaking being published.
  • Expedited breach decision: the PDPC may issue an expedited breach decision at its discretion in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA. The expedited breach decision will achieve the same enforcement outcome as a full investigation. Where financial penalties are involved, the organisation’s admission of its role in the incident will be taken as a strong mitigating factor. However, admissions might not be considered as a mitigating factor for repeated data breaches. The organisation must make a written request to the PDPC for an expedited decision when investigations commence.
  • Full investigation process: for incidents with high impact, and where facilitation or mediation is inappropriate in the circumstances (eg, where there is a disclosure of personal data on a large scale or where the personal data disclosed could cause significant harm), the PDPC may initiate a full investigation immediately.

That said, where the PDPC is satisfied that an organisation has breached the main data protection provisions under the PDPA, it is empowered with a wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:

  • stop collecting, using or disclosing personal data in contravention of the PDPA;
  • destroy personal data collected in contravention of the PDPA;
  • provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
  • pay a financial penalty of up to S$1 million.

Financial penalties are intended to act as a form of sanction and deterrence against non-compliance when directions alone do not sufficiently reflect the seriousness of the breach. In assessing the seriousness of the breach, the PDPC considers a number of factors, including the following:

  • impact of the organisation’s breach;
  • whether the organisation had acted deliberately or wilfully;
  • whether the organisation had known or ought to have known the risk of a serious contravention and failed to take reasonable steps to prevent it;
  • extent of non-compliance in terms of the PDPA obligations that the organisation had failed to discharge;
  • number of individuals whose personal data had been subjected to harm and risks as a result of the breach;
  • whether the organisation had appointed a data protection officer or equivalent to ensure accountability with the PDPA;
  • types of personal data that were compromised or put at risk as a result of the breach; and
  • whether the organisation had previously been found to have similarly breached the PDPA.

In calculating a financial penalty, the PDPC considers how a reasonable organisation should behave in a particular situation, and adopts the following principles to determine the amount:

  • the amount should be proportionate to the seriousness of the breach;
  • the amount should provide sufficient deterrence against future or continued non-compliance by the organisation and others;
  • the amount should take into account aggravating and mitigating factors;
  • cooperativeness of the organisation in the course of investigations;
  • whether remedial action(s) were implemented;
  • whether there was voluntary notification of the data breach;
  • whether the organisation had engaged with the affected individuals in a meaningful manner and had voluntarily offered a remedy, and that the individuals had accepted the remedy; and
  • whether the organisation admitted to liability for the data breach.

According to the PDPC’s Enforcement Guidelines and the public guidance published on the PDPC’s website as of 31 May 2019, some of the factors that the PDPC may consider to be aggravating factors include:

  • the organisation failing to actively resolve the matter with the individual in an effective and prompt manner;
  • intentional, repeated or ongoing breaches of the data protection provisions by an organisation;
  • obstructing the PDPC during the course of investigations (such as making efforts to withhold or conceal information requested by the PDPC);
  • failing to comply with a previous warning or direction from the PDPC; and
  • the organisation is in the business of handling large volumes of sensitive personal data (such as medical or financial data), but failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of that personal data.

Some of the factors that the PDPC may consider to be mitigating factors include:

  • the organisation’s active and prompt resolution of the matter with the individual;
  • the organisation taking reasonable steps to prevent or reduce the harm of a breach (such as putting in place strong passwords or encrypting the personal data to prevent unauthorised access);
  • the individual affected by the breach has already received a remedy in some other form (for example, through a civil action against the organisation);
  • the organisation engaging with the individual in a meaningful manner and having voluntarily offered a remedy to the individual, and that individual having accepted the remedy;
  • the organisation taking immediate steps to notify affected individuals of the breach and reduce the damage caused by a breach (such as informing individuals of steps they can take to mitigate risk); and
  • the organisation voluntarily notifying the personal data breach to the PDPC as soon as it learned of the breach, and cooperating with the PDPC in its investigations.

As of 31 May 2019, the PDPC has issued a total of 76 grounds of decisions against 98 organisations, with a significant majority of these cases relating to breaches of the Protection Obligation. The most common types of data breaches involve the deliberate disclosure of personal data; poor technical security arrangements; poor physical security arrangements; errors in mass email/post; and insufficient data protection policies.

On 15 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on SingHealth Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyber-attack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients to be compromised.

Any person who suffers loss or damage directly as a result of a contravention of any of the main data protection provisions may also commence a private civil action in respect of such loss or damage suffered (see question 38 for further information on such right of private action).

Non-compliance with certain provisions under the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached. For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding 12 months, or both. Intentionally disposing of, altering, falsifying, concealing or destroying a record containing personal data or information about the collection, use or disclosure of personal data is an offence that may be punishable upon conviction with, in the case of an individual, a fine of up to S$5,000, and in the case of an organisation, a fine of up to S$50,000. The obstruction of PDPC officers (eg, in the course of their investigations) or provision of false statements to the PDPC may be punishable upon conviction with, in the case of an individual, a fine of up to S$10,000 or imprisonment for a term not exceeding 12 months; and in the case of an organisation, a fine of up to S$100,000.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The PDPA applies to all organisations in Singapore, regardless of their scale or size.

An ‘organisation’ is defined broadly under the PDPA as including any individual, company, association or body of persons, corporate or unincorporated, and whether or not formed or recognised under the law of Singapore, or resident or having an office or place of business in Singapore.

Certain categories of organisations are carved out of the application of the PDPA, such as:

  • individuals acting in a personal or domestic capacity;
  • employees acting in the course of their employment with an organisation; and
  • public agencies, or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.

The PDPA is intended to set a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) existing laws and regulations. The PDPA provides that the new general data protection framework does not affect any right or obligation under the law, and that in the event of any inconsistency, the provisions of other written laws will prevail. For example, the banking secrecy laws under the Banking Act (Cap. 19) (Banking Act) still govern customer information obtained by a bank, and the Telecom Competition Code still governs end-user service information obtained by a telecoms licensee.

The PDPC has also published a number of sector-specific advisory guidelines to provide greater clarity on the interpretation of the PDPA in various sectors (see question 1).

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Interception of communications and monitoring and surveillance of individuals

To the extent that personal data is collected in the interception of communications and in the monitoring and surveillance of individuals, the PDPA applies to the organisation collecting such data. As such, the individual’s consent has to be sought before any such collection takes place, unless such consent is not required (see question 11 for more information on the consent requirement and its exceptions).

For example, the Advisory Guidelines on the Personal Data Protection Act for Selected Topics (Selected Topics Guidelines) indicate that an employer may not need to seek consent for any personal data collected from its monitoring of its employees’ use of company computer network resources as long as such collection is reasonable for the purpose of managing or terminating the employment relationship, although under section 20(4) of the PDPA, it is still required to notify its employees of this purpose for such collection of their personal data.

In relation to CCTV surveillance, the Selected Topics Guidelines explicitly clarify that organisations that install CCTVs in their premises are required to put up notices informing individuals that CCTVs are operating in the premises, stating the use and purpose of such surveillance, and if both audio and video recordings are taking place, to state as such, to fulfil their obligation to obtain consent for the collection, use or disclosure of personal data from CCTV footage. This is unless such consent is not required, for example, if the CCTV surveillance is necessary for any investigation or proceedings, insofar as it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data. Moreover, the PDPC recommends that while such notices should be placed at points of entry or prominent locations in a venue or a vehicle to enable individuals to have sufficient awareness that CCTV has been deployed in the general locale, they do not have to reveal the exact location of the CCTV cameras. The PDPC also clarifies that an individual may request access to CCTV footage containing his or her image in accordance with the PDPA, unless an exception to this right applies (see question 37 for more details on an individual’s right to access his or her personal data and its limitations). However, the PDPC has also indicated that organisations are generally required to provide access to CCTV footage where the images of other individuals present in the CCTV footage are masked as required (assuming that consent from the other individuals for the disclosure of their personal data has not been obtained).

In addition, where an organisation collecting such personal data via the interception of communications or the performance of surveillance or monitoring activities is a public agency (eg, the Singapore Police Force or the IMDA), it is excluded from the application of the PDPA under section 4(1)(c) of the PDPA. Thus, to the extent that the above exceptions apply, the organisation collecting personal data via interception of communication or monitoring and surveillance of individuals will not have to seek the individuals’ consent prior to such collection.

Apart from the PDPA, there are other regulations that allow for the interception of communications and the monitoring and surveillance of individuals. Below is a non-exhaustive list of such regulations:

  • Organisations providing telecommunications services and holding services-based operations licences may have to comply with interception requests by the IMDA and other authorities. Specifically, condition 16.2 of the IMDA’s standard Services-Based Operator (Individual) (SBO (I)) licence conditions expressly permits disclosure of subscriber information where such disclosure is deemed necessary by the IMDA or such other relevant law enforcement or security agencies in the exercise of their functions or duties. Condition 26.1 of the IMDA’s standard SBO (I) licence conditions also requires licensees to ‘provide the [IMDA] with any document and information within its knowledge, custody or control, which the [IMDA] may, by notice or direction require’.
  • Section 20 of the Criminal Procedure Code (Cap. 68) empowers the police to require the production of a ‘document or other thing’ (which is necessary or desirable for any investigation, inquiry, trial or other proceeding under the Code) by issuing a written order to ‘the person in whose possession or power the document or thing is believed to be’.
  • Section 10 of the Kidnapping Act (Cap. 151) states that the Public Prosecutor may authorise any police officer to, inter alia, ‘intercept any message transmitted or received by telecommunication’ or ‘intercept or listen to any conversation by telephone’.
  • Section 19 of the Cybersecurity Act 2018 (No. 9 of 2018) (Cybersecurity Act) states that where information regarding a cybersecurity threat or incident has been received by the Commissioner, he or she may exercise certain powers as are necessary to investigate the cybersecurity threat or incident, including the power to require the provision of any document in a person’s possession or information considered to be related to the matter.

Electronic marketing

Generally, where the personal data of an individual is collected, used and disclosed for marketing purposes, the consent of the individual concerned must be obtained and such consent must not have been obtained as a condition for the provision of a product or service where it would not be reasonably required to provide that product or service. The PDPC has noted in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Key Concepts Guidelines) that a failure to opt out will not be regarded as consent in all situations, and recommended that organisations obtain consent from an individual through a positive action of the individual (eg, opt-in consent).

In relation to the sending of marketing communications by telephone call or text messaging (or fax) to a Singapore telephone number, Part IX of the PDPA requires an organisation to:

  • verify against the relevant DNC Registry to confirm that the telephone number is not listed before sending the message or calling, unless clear and unambiguous consent to the sending of the specified message to that number is obtained in evidential form;
  • include information identifying the sender for messages and details on how the sender can be readily contacted, and such details and contact information should be reasonably likely to be valid for at least 30 days after the sending of the message; and
  • for voice calls, not conceal or withhold the calling line identity from the recipient.

Section 11 read with the Second Schedule of the Spam Control Act (Cap. 331) (Spam Control Act) requires any person who ‘sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages (which include both emails and SMS/MMS) in bulk’ to comply with certain obligations. These include, among others, requirements that unsolicited commercial electronic messages contain an unsubscribe facility and the label ‘<ADV>’ to indicate that the message is an advertisement, and that they not contain header information that is false or misleading. Section 9 of the Spam Control Act also prohibits electronic messages from being sent to electronic addresses generated or obtained through the use of a dictionary attack or address-harvesting software. The Spam Control Act provides for civil liability (including the grant of an injunction or the award of damages) against parties in breach of these requirements. Statutory damages of up to S$25 per message may be awarded, up to an aggregate of S$1 million (unless the plaintiff proves that his or her actual loss is higher).

In addition to the requirements under the Spam Control Act regarding the sending of spam messages, the PDPA would also apply to personal data collected, used or disclosed through the use of such electronic marketing. Generally, the PDPA requires organisations to obtain consent for a stated purpose to collect, use or disclose the contact information of individuals, unless any exception applies.

With that said, the PDPC is proposing to review, streamline and merge the DNC provisions of the PDPA and the Spam Control Act into a single legislation governing all unsolicited commercial messages, and has sought comments on this as part of its Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (see question 1).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Various other legislation in Singapore sets out specific data protection rules, some of which are sector-specific. For instance:

  • the Banking Act proscribes the disclosure of customer information by a bank or its officers;
  • the Computer Misuse Act (Cap. 50A) deals with hacking and other similar forms of unauthorised access to, or modification of, computer systems;
  • the Cybersecurity Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore to ensure that computers, systems and data are better protected;
  • the Electronic Transactions Act (Cap. 88) provides for the security and use of electronic transactions by criminalising any disclosure of electronic data obtained pursuant to the Act, unless the disclosure is expressly allowed under the Act, required by any written law, or mandated by an order of court;
  • the Private Hospitals and Medical Clinics Act (Cap. 248) contains provisions relating to the confidentiality of information held by private hospitals, medical clinics, clinical laboratories and healthcare establishments licensed under the Act;
  • the Official Secrets Act (Cap. 213) contains provisions relating to the prevention of disclosure of official documents and information;
  • the Statutory Bodies and Government Companies (Protection of Secrecy) Act (Cap. 319) details provisions protecting the secrecy of information of statutory bodies and government companies; and
  • the Telecom Competition Code issued under the Telecommunications Act (Cap. 323) contains certain provisions pertaining to the safeguarding of end-user service information. Notably, the IMDA has introduced amendments to the provisions governing end-user service information in the Telecom Competition Code effective 2 July 2014, taking into account that the PDPA will be the primary legislation governing personal data.

With regard to the financial sector, the Monetary Authority of Singapore (MAS) is empowered under the Monetary Authority of Singapore Act (Cap. 186) and other sectoral legislation to issue directives and notices. Examples of MAS-issued regulatory instruments which are relevant to data protection include the Notices and Guidelines on Technology Risk Management, MAS Notices and Guidelines on Prevention of Money Laundering and Countering the Financing of Terrorism (AML/CFT), and the MAS Guidelines on Outsourcing. Broadly, these MAS guidelines make clear that financial institutions may continue the existing practice of collecting, using and disclosing personal data without customer consent for the purposes of meeting the AML/CFT requirements, and acknowledge customers’ rights under the PDPA to access and correct personal data that is in the possession or under the control of the financial institutions.

PII formats

What forms of PII are covered by the law?

All formats of ‘personal data’ are covered under the PDPA, whether electronic or non-electronic, and regardless of the degree of sensitivity. ‘Personal data’ is broadly defined under the PDPA as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Data protection provisions

The data protection provisions under the PDPA generally apply to all organisations that collect, use or disclose personal data in Singapore, regardless of whether they are formed or recognised under Singapore law or whether they are resident or have an office or place of business in Singapore. As such, organisations that are located overseas are still subject to the data protection provisions so long as they collect, use or disclose personal data in Singapore. In addition, organisations that collect personal data overseas and host or process it in Singapore will generally also be subject to the relevant obligations under the PDPA from the point that such data is brought into Singapore.

Do-not-call provisions

Similarly, the DNC provisions under the PDPA apply to all individuals and organisations sending marketing messages to Singapore telephone numbers, as long as either the sender (when the marketing message is sent) or the recipient (when the marketing message is accessed) is present in Singapore. As an example of its application, the requirement to check the DNC registers would not apply to overseas telecoms service operators sending marketing messages to Singapore subscribers roaming on overseas telecoms networks, because these messages would not be sent or accessed in Singapore. However, organisations in Singapore that outsource their telemarketing activities to overseas organisations and authorise the sending of marketing messages should note that they are still responsible for complying with the DNC provisions, as section 36(1) of the PDPA defines a sender to include a person who causes the message or a voice call containing the message to be sent, or authorises the sending of the message or the making of a voice call containing the message.

For completeness, as mentioned above, the PDPC is proposing to review, streamline and merge the DNC provisions of the PDPA and the Spam Control Act into a single legislation governing all unsolicited commercial messages, and has sought comments on this as part of its Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (see question 1).

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Yes, the PDPA regulates the collection, use and disclosure of personal data by an organisation. An organisation that collects, uses or discloses personal data is accordingly required to comply with the data protection provisions under the PDPA.

A ‘data intermediary’, however, is exempt from the majority of the data protection provisions under the PDPA. A data intermediary refers to an organisation that processes personal data on behalf of and for the purposes of another organisation (the principal organisation) pursuant to a written contract. A data intermediary is only required to comply with the rules relating to the protection and retention of personal data (see question 32 for further details), while the principal organisation is subject to the full suite of data protection provisions under the PDPA as if it were processing the personal data itself.

A data intermediary that processes personal data in a manner that goes beyond the processing required under the written contract would not be considered a data intermediary, and is subject to the full suite of data protection provisions under the PDPA in respect of that processing.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Yes, the processing of personal data is expressed in terms of ‘collection, use and disclosure’ of the same under the PDPA. An individual’s consent is required before an organisation can collect, use or disclose such individual’s personal data, unless otherwise required or authorised by law. Such consent must be validly obtained and may be either expressly given or deemed to have been given.

For consent to be considered validly given, the organisation must first inform the individual of the purposes for which his or her personal data will be collected, used or disclosed. These purposes have to be what a reasonable person would consider appropriate in the circumstances. Fresh consent would need to be obtained where personal data collected is to be used for a purpose different from that to which the individual originally consented.

In addition, organisations should note that consent obtained via the following ways does not constitute valid consent for the purpose of the PDPA:

  • where consent is obtained as a condition of providing a product or service, and such consent is beyond what is reasonable to provide the product or service to the individual; and
  • where false or misleading information is provided, or deceptive or misleading practices are used, in order to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing personal data.

The PDPA stipulates that consent is deemed to have been given where the following conditions are satisfied:

  • an individual voluntarily provides his or her personal data to the organisation for a particular purpose; and
  • it is reasonable that the individual would voluntarily provide his or her personal data.

Where an individual has given (or is deemed to have given) consent for the disclosure of his or her personal data by Organisation A to Organisation B for a particular purpose, such individual would also be deemed to have given consent to Organisation B for the collection, use or disclosure of his or her personal data for that particular purpose.

While consent is generally needed, the Second, Third and Fourth Schedules to the PDPA provide for specific situations where personal data can be collected, used or disclosed without the individual’s consent.

The Second Schedule to the PDPA allows personal data to be collected without consent, for example, where:

  • the collection of personal data is necessary for any purpose that is clearly in the interest of the individual, if consent for its collection cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
  • the personal data is publicly available;
  • the collection of personal data is necessary for any investigation or proceedings, and if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
  • the collection of personal data is for the purpose of recovery of a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
  • the collection of personal data is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services;
  • the personal data is included in a document produced in the course of, and for the purposes of, the individual’s employment, business or profession and collected for the purposes consistent with the purposes for which the document was produced; or
  • the personal data is collected by an individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual.

The Third Schedule to the PDPA allows personal data to be used without consent, for example, where:

  • the use is necessary for any purpose that is clearly in the interests of the individual and:
    • if consent for its use cannot be obtained in a timely way; or
    • the individual would not reasonably be expected to withhold consent;
  • the personal data is publicly available;
  • the use is necessary for any investigation or proceedings;
  • the personal data is used for an organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation; or
  • the use is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services.

The Fourth Schedule to the PDPA allows personal data to be disclosed without consent, for example, where:

  • the disclosure is necessary for any purpose that is clearly in the interests of the individual if consent for its disclosure cannot be obtained in a timely way;
  • the personal data is publicly available;
  • the disclosure is necessary for any investigation or proceedings;
  • the disclosure is necessary for an organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
  • the disclosure is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services; or
  • the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.

In its Public Consultation on Approaches to Managing Personal Data in the Digital Economy, the PDPC has proposed two new bases for organisations to collect, use or disclose personal data without the need for consent; namely, ‘notification of purpose’ and ‘legitimate interests’.

First, the PDPC has proposed to introduce ‘notification of purpose’ as a basis to collect, use or disclose personal data under the PDPA without consent, where the collection, use or disclosure of personal data is not expected to have any adverse impact on the individual. Organisations that wish to rely on this basis must provide the individual with appropriate notification of the purpose of the collection, use or disclosure of the personal data, and information about how the individual may opt out, where applicable. Also, organisations must conduct a risk and impact assessment, such as a data protection impact assessment, as an accountability measure to identify and mitigate any risks when seeking to rely on the ‘notification of purpose’ basis.

Second, the PDPC has proposed to enable organisations to collect, use or disclose personal data without consent in circumstances where there is a need to protect legitimate interests that will have economic, social, security or other benefits for the public (or a section thereof). Such benefits to the public must outweigh any adverse impact to the individual, and organisations wishing to rely on this ‘legitimate interests’ basis must conduct a risk and impact assessment to determine this is the case. As an additional safeguard, the PDPC intends to provide for an openness requirement whereby organisations relying on ‘legitimate interests’ as a basis to collect, use or disclose personal data must:

  • disclose its reliance on ‘legitimate interests’ as a ground for collection, use or disclosure (eg, through the organisation’s data protection policy that is made available to the public); and
  • make available a document justifying the organisation’s reliance on ‘legitimate interests’ and the business contact information of the person who is able to answer individuals’ questions about such collection, use or disclosure on behalf of the organisation.

The PDPC published its response to the feedback on the public consultation on 1 February 2018, and it is expected that the proposed changes will be implemented in due course.

Most recently, in its Data Portability and Data Innovation Public Consultation, the PDPC further proposes to introduce data innovation provisions in the PDPA to clarify that organisations can use personal data for the purposes of: (i) operational efficiency and service improvements; (ii) product and service development; or (iii) knowing customers better. This will enable organisations to confidently use personal data to derive business insights and innovate in the development and delivery of products and services. However, the PDPC clarifies that the proposed data innovation provisions in the PDPA apply only to the use of such data for business innovation purposes, and not to the collection or disclosure of the same. For the collection and disclosure of personal data, organisations are still required to notify the individual and seek his or her consent, unless an applicable exemption under the Second or Fourth Schedule of the PDPA applies. The PDPC issued this public consultation paper on 22 May 2019 and is currently seeking comments on the proposed changes.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Generally, the PDPA does not distinguish between the types and sensitivities of personal data. However, section 24 of the PDPA requires an organisation to make ‘reasonable security arrangements’ to protect personal data in its possession or under its control, and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The PDPC has noted that organisations should take into account the sensitivity of personal data when deciding on the appropriate level of security arrangements needed to protect it (see question 20).

Certain types of personal data are also accorded less stringent rules under the PDPA. For instance, the data protection provisions under the PDPA do not apply to personal data that has been contained in a record that has been in existence for at least 100 years. In addition, personal data pertaining to deceased individuals is also excluded from most of the obligations under the PDPA. In relation to such data, organisations will be subject only to the requirements to make reasonable security arrangements for the protection of such data, and the requirements relating to disclosure of personal data. These reduced obligations will apply for 10 years from the deceased’s date of death. In this regard, an individual appointed under the deceased’s will to exercise such rights (or, if there is no such person, the deceased’s nearest relative) may exercise all or any of the following rights in relation to the protection of the deceased’s personal data:

  • the right to give or withdraw any consent for the purposes of the PDPA;
  • the right to commence a private civil action in respect of any loss or damage suffered from a contravention of any of the provisions under Parts IV to VI of the PDPA; and
  • the right to bring a complaint under the PDPA.

While the PDPA does not distinguish between the treatment of personal data of minors and that of individuals above 21 years of age, the PDPC has, in its Selected Topics Guidelines, recommended that organisations take appropriate steps to ensure that a minor can effectively give consent on his or her own behalf, in light of the circumstances of the particular case including the impact on the minor in giving consent. In this regard, the PDPC has also indicated that it will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his or her own behalf. However, where, for example, an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual who is legally able to provide consent on the minor’s behalf (eg, his or her parent or other legal guardian).

Notably, the PDPC has imposed more stringent guidelines with respect to National Registration Identity Card (NRIC) numbers and other national identification numbers. According to the rules in the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (issued 31 August 2018), which are expected to take effect from 1 September 2019, organisations are generally not allowed to collect, use or disclose NRIC numbers and other national identification numbers unless such collection, use or disclosure is (i) required under law (or an exception under the PDPA applies); or (ii) necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The obligation to notify stems primarily from the process of seeking valid consent (see question 11). In particular, organisations are obliged to inform individuals of:

  1. the purposes for the collection, use or disclosure of his or her personal data, on or before collecting the personal data;
  2. any other purpose for the use or disclosure of personal data that has not been notified to the individual under (1), before such use or disclosure of personal data; and
  3. on request by the individual, the business contact information of a person who is able to answer the individual’s questions about the collection, use or disclosure of the personal data on behalf of the organisation.

Only after the above information has been notified to the individual can he or she be considered to have validly given his or her consent to the collection, use or disclosure of his or her personal data in accordance with the purposes made known to him or her.

While the PDPA requires that such notice be provided to the individual on or before the collection, use and disclosure of his or her personal data, there is no prescribed manner or form in which such a notice must be given.

In relation to personal data that was collected by an organisation prior to the data protection provisions under the PDPA coming into effect on 2 July 2014, there is no express requirement under the PDPA that requires the organisation to notify individuals whose personal data they hold. However, fresh consent would need to be obtained from the individual concerned where the personal data collected is to be used or disclosed for a different purpose from that to which consent was originally given. It follows that the individual would need to be notified of the new purposes for which the personal data is to be collected, used or disclosed.

Exemption from notification

When is notice not required?

The Second, Third and Fourth Schedules to the PDPA set out respectively certain circumstances where an individual’s consent need not be obtained for the collection, use and disclosure of his or her personal data (see question 11 for more details). Accordingly, the notification obligation would not apply under such circumstances.

However, section 20(4) of the PDPA carves out an exception to this concession. An organisation, on or before collecting, using or disclosing the personal data about an individual for the purpose of managing or terminating an employment relationship, has the obligation to inform the individual of that purpose; and, on request by the individual, the business contact information of a person who is able to answer the individual’s questions about the collection, use and disclosure on behalf of the organisation. This is despite the fact that the same organisation has no obligation to seek the consent of the individual before collecting, using or disclosing personal data for such purposes.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

There is no specific requirement under the PDPA that compels organisations that hold the personal data of individuals to offer such individuals the right to have a degree of choice or control over the use of their personal data.

However, individuals have a right under section 16 of the PDPA to withdraw consent (including deemed consent) given to an organisation in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. The individual would need to give reasonable notice to the organisation as to the withdrawal of his or her consent. Thereafter, upon receipt of such notice, the organisation would need to inform the individual of the likely consequences of the withdrawal of consent, although the organisation should not prohibit the individual from withdrawing consent. Where the individual has withdrawn his or her consent, organisations would be required to inform their data intermediaries and agents to similarly cease collecting, using or disclosing the personal data of this individual.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Section 23 of the PDPA generally requires that organisations make a reasonable effort to ensure that the personal data they collect is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual or is likely to be disclosed by the organisation to another organisation. This is regardless of whether the personal data is collected directly by the organisation or on behalf of the organisation.

The PDPC, in its Key Concepts Guidelines, has stated that an organisation must make a reasonable effort to ensure that:

  • it accurately records the personal data it collects (whether directly from the individual concerned or through another organisation);
  • the personal data it collects includes all relevant parts thereof (so that it is complete);
  • it has taken the appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness of the personal data; and
  • it has considered whether it is necessary to update the information.

The Key Concepts Guidelines also state that organisations, in deciding what is considered a reasonable effort, should take into account the following factors:

  • the nature of the data and its significance to the individual concerned (eg, whether the data relates to an important aspect of the individual such as his or her health);
  • the purpose for which the data is collected, used or disclosed;
  • the reliability of the data (eg, whether it was obtained from a reliable source or through reliable means);
  • the currency of the data (that is, whether the data is recent or was first collected some time ago); and
  • the impact on the individual concerned if the personal data is inaccurate or incomplete (eg, based on how the data will be used by the organisation or another organisation to which the first organisation will disclose the data).

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Yes, section 25 of the PDPA provides that organisations (including data intermediaries) should cease to retain personal data, or remove the means by which it can be associated with particular individuals, as soon as it is reasonable to assume that:

  • such retention no longer serves the purposes for which the data was collected; and
  • retention is no longer necessary for legal or business purposes. Such legal or business purposes may, for example, include situations where the personal data is required for an ongoing legal action involving the organisation; where retention of the personal data is necessary in order to comply with the organisation’s obligations under other applicable laws; or where the personal data is required for an organisation to carry out its business operations, such as to generate annual reports or performance forecasts.

In addition, the PDPC, in its Key Concepts Guidelines, has clarified that personal data should not be kept by an organisation ‘just in case’ it may be needed. However, personal data may be retained so long as one or more of the purposes for which it was collected remains valid.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the purposes for which personal data can be used or disclosed by organisations are restricted to the purposes for which the individual concerned had given his or her consent to the organisation in respect of the same.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Generally, fresh consent would need to be obtained where organisations are seeking to collect, use or disclose personal data for different purposes from those to which the individual concerned had given his or her consent (see question 11).

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Section 24 of the PDPA requires that organisations make ‘reasonable security arrangements’ to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Organisations that process personal data on behalf of an organisation (ie, data intermediaries) are also subject to the same requirement.

While the PDPC has recognised that there is no one-size-fits-all solution, it has, in its Key Concepts Guidelines, noted that an organisation should:

  • design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach;
  • identify reliable and well-trained personnel responsible for ensuring information security;
  • implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and
  • be prepared and able to respond to information security breaches promptly and effectively.

In this regard, the PDPC has also published the following guidance documents to aid organisations in the management of electronic personal data and data breaches respectively:

  • Guide to Securing Personal Data in Electronic Medium (Electronic Data Guide); and
  • Guide to Managing Data Breaches 2.0 (Data Breach Guide).

The Electronic Data Guide sets out good info-communications technology (ICT) security measures that organisations should adopt to protect electronic personal data (eg, in relation to ICT security audits and tests, authentication and authorisation, computer networks and email security); while the Data Breach Guide provides some guidance for organisations as to the effective preparation for and management of data breaches.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

There is presently no strict requirement prescribed under the PDPA to notify the PDPC or individuals of breaches of data security. However, in its Public Consultation on Approaches to Managing Personal Data in the Digital Economy, the PDPC has proposed a mandatory data breach notification requirement under the PDPA, to better oversee the level of incidences and management of data breaches at the national level. According to the PDPC’s responses to the public consultation (published 1 February 2018), the PDPC has proposed that organisations notify both the affected individuals and the PDPC in situations where the breach is ‘likely to result in significant harm or impact to the individuals to whom the information relates’. In contrast, where the breach does not pose any risk of impact or harm to affected individuals, but is of a significant scale (eg, 500 affected individuals), the PDPC has proposed that organisations notify the PDPC only.

In relation to the time-frame for notification, the PDPC has stated in its response that it intends to provide for an assessment period of up to 30 days from the day the organisation first becomes aware of a suspected data breach, to assess whether the suspected data breach is eligible for notification. Following the organisation’s assessment, where the organisation determines that the data breach is eligible for reporting, then the organisation must notify the relevant parties within the required time-frame (ie, ‘as soon as practicable’ to affected individuals, and ‘as soon as practicable, no later than 72 hours’ to the PDPC, from the time of determination).

The mandatory data breach notification requirement is not in effect yet, but is expected to be implemented in due course.

The Data Breach Guide recommends, as best practice, that organisations notify the PDPC where significant harm or impact is likely or where 500 or more individuals are affected, as soon as practicable, no later than 72 hours from the time the organisation has made its assessment.

Further, the Data Breach Guide recommends that organisations should include certain information in the notification to the PDPC, such as:

  • extent of the data breach;
  • type and volume of personal data involved;
  • cause or suspected cause of the breach;
  • whether the breach has been rectified;
  • measures and processes that the organisation had put in place at the time of the breach;
  • information on whether affected individuals of the data breach were notified and if not, when the organisation intends to do so; and
  • contact details of persons whom the PDPC could contact for further information or clarification.

According to the Data Breach Guide, organisations should include certain information in the notification to affected individuals (or the parents or guardians of young children, where applicable), such as:

  • how and when the data breach occurred;
  • types of personal data involved in the data breach;
  • what the organisation has done or will be doing in response to the risks brought about by the data breach;
  • specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused;
  • contact details and how affected individuals can reach the organisation for further information or assistance (eg, helpline numbers, e-mail addresses or websites); and/or
  • where applicable, what type of harm or impact the individual may suffer from the compromised data.

In addition, the Data Breach Guide also provides that organisations should consider alerting the police (in cases of hacking, theft or unauthorised system access by an employee) or the Cyber Security Agency of Singapore (in cases of cyber-attacks, that is, deliberate exploitation of computer systems, technology-dependent enterprises and networks) if they suspect that criminal acts have been perpetrated as these bodies may also offer assistance to the organisations (eg, preserving evidence for investigation).

Whether organisations notify the PDPC of such data breaches, and whether they have adequate recovery procedures in place, will affect the PDPC’s decision on whether an organisation has reasonably protected the personal data under its control or possession.

In addition, one of the mitigating factors that the PDPC may consider when determining a financial penalty to be imposed on an organisation that has breached the PDPA, is whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC in its investigations (see question 4).

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Yes, section 11(3) of the PDPA specifically requires that organisations designate one or more individuals to be the organisation’s data protection officer (DPO). This may be a person whose scope of work solely relates to data protection or a person in the organisation who takes on this role as one of his or her multiple responsibilities. The business contact information of at least one of these DPOs would need to be made known to the public.

The DPO is responsible for ensuring that the organisation complies with the provisions of the PDPA, although the designation of a DPO does not relieve an organisation of its obligations and liabilities (in the event of non-compliance with these obligations) under the PDPA.

The public guidance published on the PDPC’s website as of 31 May 2019 sets out that the possible responsibilities of a DPO may include, but are not limited to, the following:

  • ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  • fostering a data protection culture among employees and communicating personal data protection policies and processes to stakeholders;
  • managing personal data protection-related queries and complaints;
  • alerting the management to any risks that might arise with regard to personal data; and
  • liaising with the PDPC on data protection matters, if necessary.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Yes, generally, section 12 of the PDPA requires an organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and make information about its policies and procedures publicly available. Furthermore, to be able to comply with access requests by individuals (see question 37), the Key Concepts Guidelines state that organisations are generally required to implement processes to keep track of the collection, use and disclosure of all personal data under their control, including unstructured data.

Organisations are also required under section 24 of the PDPA to make reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks to any personal data in their possession or under their control. While the PDPC has recognised that there is no one-size-fits-all solution for organisations, it has, in its Key Concepts Guidelines, noted that an organisation should:

  • design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach;
  • identify reliable and well-trained personnel responsible for ensuring information security;
  • implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and
  • be prepared and able to respond to information security breaches promptly and effectively.

Organisations are also expected to cease retaining documents containing personal data, or remove the means by which personal data is associated with particular individuals, as soon as it is reasonable to assume that the purposes for which the personal data was collected is no longer being served by its retention, or the retention of the same is no longer necessary for legal or business purposes.

The obligations above would apply to both the principal organisation and the data intermediary alike.

New processing regulations

Are there any obligations in relation to new processing operations?

There is presently no strict requirement prescribed under the PDPA for organisations to apply a privacy-by-design approach or carry out a privacy impact assessment. However, it is good practice for organisations to conduct regular Data Protection Impact Assessments (DPIAs) to assess and address personal data protection risks specific to the organisation. This would allow organisations to better assess their compliance with the PDPA, and thereafter implement appropriate operational or technical safeguards.

The Guide to Data Protection Impact Assessments describes the key aspects of a DPIA.

In brief, organisations should:

  • provide an overview of the project and the key considerations surrounding the DPIA;
  • define the scope of the DPIA, such as identifying the specific system or process that the DPIA needs to be carried out on;
  • define the risk assessment framework or methodology for the DPIA;
  • identify the parties whose inputs or views would have to be sought during consultation or interview sessions; and
  • provide an estimate of time required for key tasks and overall timeline for conducting the DPIA.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

No, there is presently no such requirement under the PDPA for organisations that collect, use or disclose personal data (whether in the capacity of a principal organisation or a data intermediary) to register with the PDPC. However, DPOs may register with the PDPC to keep abreast of developments in the PDPA.

Formalities

What are the formalities for registration?

There is presently no requirement under the PDPA for organisations to register with the PDPC.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

There is presently no requirement under the PDPA for organisations to register with the PDPC.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

There is presently no requirement under the PDPA for organisations to register with the PDPC.

Public access

Is the register publicly available? How can it be accessed?

There is presently no requirement under the PDPA for organisations to register with the PDPC.

Effect of registration

Does an entry on the register have any specific legal effect?

There is presently no requirement under the PDPA for organisations to register with the PDPC.

Other transparency duties

Are there any other public transparency duties?

While there is no obligation on an organisation to make public statements on the nature of its processing of personal data per se, section 12 of the PDPA (also known as the Openness Obligation) requires an organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to make such policies and practices known to the public.

As part of the Openness Obligation, an organisation is required to appoint a DPO and make available his or her contact details to the public. As good practice, the business contact information of the DPO should be readily accessible from Singapore, operational during Singapore business hours and, in the case of telephone numbers, be Singapore telephone numbers (see question 22).

For completeness, an organisation is also required under section 21 of the PDPA to provide individuals with the following information upon request:

  • their personal data that is in the possession or under the control of the organisation; and
  • information about the ways in which that personal data has been or may have been used or disclosed within a year before the date of request for access (see question 37).

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Organisations that process personal data on behalf of another organisation (the principal organisation) are considered ‘data intermediaries’ under the PDPA. Such data intermediaries are exempt from most of the main data protection provisions under the PDPA. Data intermediaries are subject only to the data protection provisions relating to the protection and retention of personal data. Specifically, they are required to:

  • make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
  • anonymise or cease retaining personal data, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the data was collected, and retention is no longer necessary for legal or business purposes.

The principal organisation is subject to the full suite of data protection obligations under the PDPA as if it were processing the personal data itself.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Disclosure of personal data to other recipients must be in accordance with the applicable requirements under the PDPA (see questions 11 and 13).

Furthermore, where an individual has requested access to his or her personal data or related information pursuant to the PDPA, the PDPA in certain circumstances restricts an organisation from providing the individual with:

  • his or her personal data that is in the possession or under the control of the organisation; or
  • information about the ways in which his or her personal data has been or may have been used or disclosed by the organisation within a year before the date of the request.

See question 37 for a list of circumstances under which an individual’s right to access his or her personal data is restricted.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

Yes, section 26 of the PDPA prohibits organisations from transferring personal data out of Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA.

Under the PDP Regulations, all organisations transferring personal data from Singapore to countries or territories outside of Singapore are required to ensure that the recipient of such personal data is bound by ‘legally enforceable obligations’ to provide to the transferred personal data a standard of protection that is at least comparable to the protection accorded under the PDPA. These ‘legally enforceable obligations’ include obligations imposed under law, contract, binding corporate rules (for transfers to ‘related’ organisations), or any other legally binding instrument.

Where the transfer of personal data is pursuant to a contract, contractual clauses are to be contained in a legally binding contract that is enforceable against every receiving organisation under the contract. Such a contract must:

  • require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and
  • specify the countries and territories to which the personal data may be transferred under the contract.

Where binding corporate rules are used, these rules must:

  • require every related recipient of the transferred personal data to provide a standard of protection for the personal data transferred that is at least comparable to the protection under the PDPA; and
  • specify:
    • the recipients of the transferred personal data to which the binding corporate rules apply;
    • the countries and territories to which the personal data may be transferred under the binding corporate rules; and
    • the rights and obligations provided by the binding corporate rules; and
  • only be used for recipients that are related to the transferring organisation.

Notwithstanding the above, a transferring organisation is taken to have satisfied its obligation to ensure that the recipient is bound by legally enforceable obligations to provide to the transferred personal data a PDPA-comparable standard of protection, where:

  • the individual consents to the transfer of the personal data to that recipient in that country or territory, after being provided with a reasonable summary in writing of the extent to which the personal data to be transferred will be protected to a PDPA-comparable standard, provided:
    • such consent was not required by the transferring organisation as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual; and
    • the transferring organisation did not obtain or attempt to obtain such consent by providing false or misleading information about the transfer, or by using other deceptive or misleading practices;
  • the transfer of the personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual’s request with a view to the individual entering into a contract with the transferring organisation;
  • the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party that is entered into at the individual’s request;
  • the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party if a reasonable person would consider the contract to be in the individual’s interest;
  • the transfer of the personal data to the recipient is necessary for the personal data to be used:
    • for any purpose that is clearly in the interests of the individual (if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent);
    • to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
    • in the national interest;
  • the transfer of the personal data to the recipient is necessary for the personal data to be disclosed:
    • for any purpose that is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way;
    • to respond to an emergency that threatens the life, health or safety of the individual or another individual;
    • where there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way (provided that the transferring organisation notifies the individual, whose personal data is disclosed, of such disclosure and the purposes for such disclosure, as soon as may be reasonably practicable);
    • in the national interest; or
    • for the purpose of contacting the next of kin or a friend of any injured, ill or deceased individual;
  • the personal data is data in transit (ie, personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed, used by or disclosed to any organisation (other than the transferring organisation or an employee of the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation); or
  • the personal data is publicly available in Singapore.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No, there is presently no such requirement under the PDPA to notify the PDPC of transfers of personal data.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The PDPA imposes an obligation on organisations transferring personal data out of Singapore to ensure that the recipient of such personal data is bound by ‘legally enforceable obligations’ to provide to the transferred personal data a standard of protection that is at least comparable to the protection accorded under the PDPA (see question 34). Where organisations use contractual clauses for the purpose of imposing such ‘legally enforceable obligations’, the PDPC, in its Key Concepts Guidelines, distinguishes between data intermediaries and all other organisations (see questions 10 and 32 for more information on data intermediaries), and the applicable standard of protection.

Where the recipient is a data intermediary, the transferring organisation has to set out minimal protections with regard to the protection and retention limitation of the personal data.

Where the recipient is an organisation other than a data intermediary, the transferring organisation has to set out protections for the transferred personal data with regard to:

  • the purpose of collection, use and disclosure by the recipient;
  • accuracy;
  • protection;
  • retention limitation;
  • policies on personal data protection;
  • access; and
  • correction.

For onward transfers of personal data, the PDP Regulations provide an exemption for ‘data in transit’, which, in summary, refers to personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation while the personal data is in Singapore, except for the purpose of such transportation. An organisation transferring personal data overseas will be deemed to comply with the transfer limitation obligation in respect of data in transit.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Yes, under section 21 of the PDPA, individuals have the right to request an organisation to provide them with:

  • their personal data that is in the possession or under the control of the organisation; and
  • information about the ways in which that personal data has been or may have been used or disclosed within a year before the date of request for access.

This individual’s right of access is subject to a number of exceptions as set out in section 21(3) of the PDPA. Organisations are not allowed to provide an individual with his or her personal data or other information where such provision could reasonably be expected to:

  • threaten the safety or physical or mental health of an individual other than the individual who made the request;
  • cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
  • reveal personal data about another individual;
  • reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his or her identity; or
  • be contrary to the national interest.

Further, the Fifth Schedule to the PDPA sets out certain situations where organisations are not required to accede to such requests. For example, organisations need not provide access to personal data or information as to how the personal data has been or may have been used or disclosed, in respect of situations such as the following:

  • documents relating to a prosecution, if all proceedings related to the prosecution have not been completed;
  • personal data that is subject to legal privilege;
  • personal data that, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
  • personal data collected, used or disclosed without consent for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; or
  • any request:
    • that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
    • if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
    • for information that does not exist or cannot be found;
    • for information that is trivial; or
    • that is otherwise frivolous or vexatious.

Under the PDP Regulations, organisations are entitled to charge the individual a reasonable fee for access to his or her personal data. This is to allow organisations to recover the incremental costs incurred in the form of time and effort spent by the organisation in responding to the access request. Under the PDPA, organisations are also required to respond to an access request as soon as reasonably possible. Subject to this, the PDP Regulations provide that, if an organisation is unable to respond to an access request within 30 days from the request, it must inform the individual in writing within that same time frame of the time by which it will be able to respond to the request (which should be the soonest possible time it can provide access).

In a situation where two or more individuals make an access request at the same time for their respective personal data captured in the same records, the Key Concepts Guidelines provide that:

  • the organisation is required to provide each individual with access only to his or her own data unless consent from the other parties is obtained; and
  • the prohibition under section 21(3)(c) of the PDPA does not apply where the other individual has consented to the disclosure of his or her personal data, or where any of the exceptions listed under the Fourth Schedule of the PDPA may apply.

The Key Concepts Guidelines further provide that:

  • if an organisation is able to provide an individual with his or her personal data and other information without the personal data or other information excluded under sections 21(2), (3) and (4) of the PDPA, then an organisation must do so; and
  • if an organisation has scheduled a periodic disposal of personal data, but has received an access request prior to such disposal, then it should identify such requested personal data as soon as reasonably possible and preserve the personal data while the access request is being processed.

In addition, the Guide to Handling Access Requests recommends, among other things, that:

  • organisations should clearly make access request channels available (eg, access requests may be submitted in person, through email or by post);
  • organisations should keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected, the rationale being that such proper documentation may help organisations in the event of a dispute or an application to the PDPC for a review;
  • organisations should implement appropriate retention policies for the keeping of such records (ie, organisations should cease to retain records containing the individual’s personal data where retention is no longer necessary for any legal or business purposes); and
  • organisations should preserve the personal data requested while processing an access request:
    • for a duration of minimally 30 days after rejecting an access request; and
    • for the whole duration when the PDPC is conducting a review of an organisation’s rejection of the access request and until any right of an individual for reconsideration and appeal is exhausted.

Other rights

Do individuals have other substantive rights?

Yes, section 22 of the PDPA provides an individual with the right to request an organisation to correct any error or omission in his or her personal data that is in the possession of or under the control of the organisation. This is, however, subject to certain exemptions. For instance, organisations need not correct any error or omission in any personal data about the individual that is in the possession or under the control of the organisation, upon request by the individual concerned, if the request relates to:

  • opinion data kept solely by the organisation for an evaluative purpose;
  • any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
  • personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
  • personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or
  • a document related to a prosecution if all proceedings related to the prosecution have not been completed.

Unlike access requests, organisations are not entitled to charge a fee for correction requests. Under the PDPA, organisations are required to correct the personal data as soon as reasonably practicable. Subject to this, the PDP Regulations provide that, if an organisation is unable to make the necessary correction within 30 days from the request, it is required to inform the individual in writing within the same time frame of the time by which it will be able to do so (which should be the soonest practicable time it can make the correction). Unless it is satisfied on reasonable grounds that a correction should not be made, an organisation is required to correct the personal data, and send the corrected personal data to every organisation to which the personal data was disclosed within one year of the date the amendment was made, insofar as that organisation needs the corrected personal data for any legal or business purpose.

The PDPA also provides an individual with the right to commence a private action against an organisation where such an individual has suffered loss or damage directly as a result of non-compliance by the organisation with the data protection provisions under Parts IV to VI of the PDPA, subject to certain limitations (see question 39).

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Yes, any person who suffers loss or damage directly as a result of non-compliance by an organisation with the data protection provisions under Parts IV to VI of the PDPA will have a right of action for relief in civil proceedings in a court. However, where the PDPC has made a decision under the PDPA in respect of such a contravention, this right is only exercisable after such a decision issued by the PDPC becomes final after all avenues of appeal have been exhausted. The court may grant relief as it thinks fit, including an award of an injunction or declaration, or damages.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

The right to commence a private action for loss or damage suffered directly as a result of an organisation’s non-compliance with the PDPA would be an action for relief in civil proceedings. As mentioned, however, such right is only exercisable provided that any relevant infringement decision issued by the PDPC has become final after all avenues of appeal have been exhausted.

Therefore, if an individual becomes aware that an organisation has failed to comply with the PDPA, such individual may lodge a complaint to the organisation directly, or bring a complaint to the PDPC. Upon receipt of a complaint, the PDPC may then investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution.

Where the PDPC is satisfied that an organisation has breached the data protection provisions under the PDPA, the PDPC is empowered with a wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:

  • stop collecting, using or disclosing personal data in contravention of the PDPA;
  • destroy personal data collected in contravention of the PDPA;
  • provide access to or correct personal data; or
  • pay a financial penalty of up to S$1 million.

(For more details on the type of enforcement actions that may be taken by the PDPC, see question 4).

Should any organisation or individual be aggrieved by the PDPC’s decision or direction, such organisation or individual may request the PDPC to reconsider its decision or direction. Thereafter, any organisation or individual aggrieved by the PDPC’s reconsideration decision may submit an appeal to the Data Protection Appeal Panel. Alternatively, an aggrieved organisation or individual may appeal directly to the Data Protection Appeal Panel without first submitting a reconsideration request. An appeal can be made against the Data Protection Appeal Panel’s decision to the High Court on limited grounds, namely on a point of law or where such decision relates to the amount of a financial penalty. Reconsideration applications and appeal requests must be made within 28 days after the issuance of the relevant direction or decision; there is no automatic suspension of the direction or decision concerned except in the case of the imposition of a financial penalty or the amount thereof.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

The application of the data protection provisions does not extend to ‘business contact information’, which is defined as ‘an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and other similar information about the individual, not provided by the individual solely for his personal purposes’.

In addition, organisations are allowed to continue using (which could include disclosure that is necessarily part of such use) personal data collected before 2 July 2014, for the purposes for which the personal data was collected, unless consent for such use is withdrawn or the individual indicates or has indicated to the organisation that he or she does not consent to the use or disclosure of the personal data.

In relation to the DNC provisions, the following messages are excluded from the meaning of a specified message under the Eighth Schedule to the PDPA and therefore not subject to the application of the DNC provisions:

  • any message sent by a public agency under, or to promote, any programme carried out by any public agency that is not for a commercial purpose;
  • any message sent by an individual acting in a personal or domestic capacity;
  • any message that is necessary to respond to an emergency that threatens the life, health or safety of any individual;
  • any message the sole purpose of which is:
    • to facilitate, complete or confirm a transaction that the recipient has previously agreed to enter into with the sender;
    • to provide warranty information, product recall information or safety or security information with respect to a product or service purchased or used by the recipient; or
    • to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender;
  • any message in relation to a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of goods or services offered by the sender, the sole purpose of which is to provide:
    • notification concerning a change in the terms or features;
    • notification of a change in the standing or status of the recipient; or
    • at regular periodic intervals, account balance information or other type of account statement;
  • any message the sole purpose of which is to conduct market research or market survey; and
  • any message sent to an organisation other than an individual acting in a personal or domestic capacity for any purpose of the receiving organisation.

In addition, the Personal Data Protection (Exemption from Section 43) Order 2013 exempts individuals and organisations sending specified messages to Singapore telephone numbers from the requirement to check the DNC registry, where they have an ongoing business relationship with the subscribers or users of those Singapore telephone numbers. However, the application of the exemption is subject to a number of conditions:

  • at the time of the transmission of the specified message, the sender has to be in an ongoing relationship with the recipient;
  • the purpose of the specified message has to be related to the subject of the ongoing relationship;
  • only specified text and fax messages may be sent to the recipient. Specified messages sent by way of voice calls are not covered by the exemption;
  • the specified message has to contain an opt-out facility for recipients to give an opt-out notice to opt out of any exempt message from the sender; and
  • the recipient has not withdrawn his or her consent to be sent, or indicated his or her lack of consent to or opted out of being sent, the specified message.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Yes. However, organisations aggrieved by the PDPC’s decision or direction must first:

  • request the PDPC to reconsider its decision or direction and thereafter appeal to the Data Protection Appeal Panel; or
  • appeal directly to the Data Protection Appeal Panel without submitting a reconsideration request.

Only if such organisation is still aggrieved by the decision of the Data Protection Appeal Panel may it appeal against the Data Protection Appeal Panel’s decision to the High Court. An appeal to the High Court can only be made on limited grounds, namely on a point of law or where such decision relates to the amount of a financial penalty.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The PDPC has noted that any personal data collected through the use of ‘cookies’ would not be treated differently from other types of personal data, and organisations that collect personal data using cookies would equally be subject to the requirements of the PDPA. Not all cookies collect personal data (eg, session cookies may only collect and store technical data needed to play back a video on a website). Organisations are only required to obtain consent for cookies that collect personal data. Furthermore, the Selected Topics Guidelines clarify that there may not be a need to seek consent for the use of cookies to collect, use or disclose personal data where the individual is aware of the purposes for such collection, use or disclosure and voluntarily provides his or her personal data for such purposes. Such activities include (but are not limited to) transmitting personal data for effecting online communications and storing information that the user enters in a web form to facilitate an online purchase. Further, for activities that cannot take place without cookies that collect, use or disclose personal data, consent may be deemed if the individual voluntarily provides the personal data for that purpose of the activity, and it is reasonable that he or she would do so. In situations where the individual configures his or her browser to accept certain cookies but rejects others, he or she may be deemed to have consented to the collection, use and disclosure of the personal data by the cookies that he or she has chosen to accept. However, the mere failure of an individual to actively manage his or her browser settings does not imply that he or she has consented to the collection, use and disclosure of personal data by all websites for their stated purpose.

In addition, the Selected Topics Guidelines make clear that where organisations use cookies for behavioural targeting that involves the collection and use of an individual’s personal data, the individual’s consent is required.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

Organisations that make telemarketing calls or send messages of a commercial nature are required to check the DNC registry at least once every 30 days before sending any such marketing messages, unless they have obtained clear and unambiguous consent from the recipients in evidential form. Organisations may also wish to refer to the Advisory Guidelines on Requiring Consent for Marketing Purposes.

Regarding the rules on marketing by email, the Spam Control Act governs the sending of unsolicited emails or spam in Singapore. For more details on the specifics of contravening these rules, see question 6.

As mentioned above, the PDPC is proposing to review, streamline and merge the DNC provisions of the PDPA and the Spam Control Act into a single piece of legislation governing all unsolicited commercial messages, and has sought comments on this as part of its Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (see question 1).

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

The Electronic Data Guide provides guidance for organisations that use cloud computing service providers (CCSPs). For instance, organisations that adopt cloud services for the management of personal data need to be aware of the security and compliance challenges that are unique to cloud services, and where the CCSP is unable to customise a service for the organisation, the organisation must decide whether the security measures put in place by the CCSP provide reasonable security for the personal data.

On the flip side, CCSPs are required to comply with the PDPA (in particular, the obligation to implement reasonable security arrangements to protect personal data in their possession or under their control); any applicable subsidiary legislation that may be enacted from time to time; and any applicable sector-specific data protection frameworks to the extent that CCSPs provide cloud services to customers operating in these sectors.

Notably, CCSPs are required to make reasonable security arrangements to protect personal data in their possession or under their control. While there is no one-size-fits-all approach to complying with this obligation, the guidance issued by the PDPC may be relevant in assessing whether a CCSP has fulfilled its obligation. For instance, the Data Breach Guide sets out broad steps that organisations may consider taking in planning for and responding to data breaches, and the Electronic Data Guide sets out a number of practices that organisations may adopt to protect electronic personal data.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Data Protection Trustmark (DPTM) Certification Scheme

As mentioned in question 1, on 2 January 2019, the IMDA launched the DPTM, a voluntary enterprise-wide certification scheme. The DPTM certification scheme incorporates elements of the PDPA, international benchmarks (eg, APEC CBPR/PRP requirements) and best practices. The aim of the DPTM certification scheme is to help organisations increase their competitive advantage, build consumer trust, and demonstrate sound and accountable data protection practices. An independent assessment body will be appointed to assess whether an organisation’s data protection policies are aligned with DPTM requirements. Organisations may submit applications to IMDA for approval to participate in the DPTM certification scheme. The DPTM certification is valid for three years and organisations may apply for re-certification at least six months before the date of expiry.

Model Artificial Intelligence (AI) Governance Framework

On 23 January 2019, the PDPC issued a Proposed Model Artificial Intelligence Governance Framework for public consultation and pilot adoption. The accountability-based framework helps chart the language and frame the discussions around harnessing AI in a responsible way. In summary, the two guiding principles are as follows:

  • Organisations using AI in decision-making should ensure that the decision-making process is explainable, transparent and fair. Although perfect explainability, transparency and fairness are impossible to attain, organisations should strive to ensure that their use or application of AI is undertaken in a manner that reflects the objectives of these principles. This helps build trust and confidence in AI.
  • AI solutions should be human-centric. As AI is used to amplify human capabilities, the protection of the interests of human beings, including their well-being and safety, should be the primary considerations in the design, development and deployment of AI.

Data Portability and Data Innovation Public Consultation

As mentioned in questions 1 and 11, on 22 May 2019, the PDPC issued the Data Portability and Data Innovation Public Consultation, in which it proposes the introduction of (a) a data portability obligation under the PDPA, which would require organisations to, at the request of the individual, provide the individual’s data that is in the organisation’s possession or under its control, to be transmitted to another organisation in a commonly used machine-readable format, as well as (b) data innovation provisions in the PDPA which would clarify that an organisation can use personal data (collected in compliance with the Data Protection Provisions of the PDPA) for the purposes of: (i) operational efficiency and service improvements; (ii) product and service development; or (iii) knowing customers better.