On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.

Access and Correction

The Paper outlines the rights of individuals and the responsibilities of organizations with respect to access and correction. It notes that the PDPA allows organizations to charge a reasonable fee for individual access to information and discusses the parameters for such fees, but stops short of establishing a maximum charge. The Commission seeks comments on the manner in which individuals might make access requests and how organizations might respond to such requests.

Transfer of Personal Data Outside of Singapore

The PDPA allows data to be transferred outside of Singapore only if the receiving organization can protect the data in a manner that is comparable to what is required in Singapore. The Paper suggests this may be accomplished through use of a legally binding instrument such as binding corporate rules or contractual clauses, provided the legal instrument implements obligations that address purpose, use, disclosure, accuracy, protection and retention. The Commission requests comments on both the means for assuring protection for data transferred outside Singapore and possible requirements for the binding legal instruments.

Individuals Who May Act for Others

The PDPA allows authorized individuals to act on behalf of others to exercise personal data protection rights. The Paper suggests that minors who are 18 – 21 years old be able to act on their own behalf, and minors who are 14 – 18 years old be able to act on their own behalf if they understand the consequences of exercising their rights. Commenters are asked to provide thoughts on whether there should be a minimum age requirement.

The Paper also discusses acting on behalf of a deceased person, indicating that if the deceased individual did not appoint a personal representative, the individual’s closest relative should be able to act on his or her behalf. The Paper suggests a ranking order for relatives in that scenario.

Comments on the Paper are due by March 19, 2013, and may be emailed to pdpc_consultation@pdpc.gov.sg. For more information, please visit Singapore’s Personal Data Protection Commission website.