This article outlines the key features of new data protection rules which are due to come into force next year.
The main provisions of the Personal Data Protection Act 2012 (“PDPA”) will come into force on 2 July 2014, introducing to Singapore new rules governing the collection, use, disclosure and care of personal data. The new law generally recognises both the rights of individuals to protect their personal data from misuse and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
With one year to go before the new law bites, there is just enough time for organisations to review and/or adopt their internal personal data protection policies and practices, so that they are fully compliant with the new rules by the implementation date next year.
What is personal data?
Personal data refers to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.
This covers electronic and non-electronic data and includes unique identifiers (e.g. identification or passport number), as well as any series of data (e.g. personal particulars, personnel file data, sensitive personal data, etc.) which, when combined, would identify the individual.
Who does the PDPA apply to?
The PDPA applies generally to all private sector organisations. Employees, for the purposes of the PDPA, would include full time/part time employees, temporary employees, fixed term employees, probationers, interns who “work” and volunteers (i.e. individuals working under an unpaid volunteer work relationship).
What does the PDPA mean for employers?
Appointment of Data Protection Officer
Employers are required to appoint at least one person to be responsible for ensuring that they comply with the PDPA.
Collection, use and disclosure
For personal data that employers collect before the personal data protection rules come into force, employers may continue to use such personal data for the purposes for which it was collected, unless the employee indicates that he or she does not consent to the use.
For personal data that employers collect after the personal data protection rules come into force, employers have to get the individual’s consent to the collection, use and disclosure of such personal data by informing the individual of the purpose(s) for the collection, use or disclosure of his or her personal data.
Employers that receive a request from an employee to withdraw consent to the collection, use or disclosure of all or some of his or her personal data for certain purposes must inform him or her of the likely consequences of the withdrawal. If the employee prefers to proceed regardless, employers should cease the collection, use or disclosure of his or her personal data for the specified purpose.
Access and correction
On request of an employee, an employer is required, as soon as reasonably possible, to provide him or her with access to his or her personal data that it possesses or controls. The employer should also provide information about the ways in which the employee’s personal data has been or may have been used or disclosed by the employer within a year before the request.
An employee may request an employer to correct an error or omission in the personal data which the employer has in its possession or control. If the request is reasonable, the employer is to correct the error or omission as soon as practicable and send the corrected data to every other organisation to which the data was disclosed within the year before the correction is made.
Care of personal data
Employers are required to make reasonable efforts to ensure that the personal data collected by or on behalf of them is accurate and complete if the personal data:
- Is likely to be used to make a decision that affects the employee, or
- Is likely to be disclosed by the employer to another organisation.
Employers are required to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Employers should cease to retain any documents containing personal data as soon as is reasonable once the purpose for which that personal data was collected is no longer served by retaining it and retention is no longer necessary for legal or business purposes.
Employers may only transfer personal data outside of Singapore if the employers put in place measures to ensure that the protection provided to the personal data transferred is comparable to the protection under the PDPA.
Permitted purposes (without obtaining consent by the employee)
There are certain exceptions under the PDPA where employee consent is not required. These are set out briefly as follows:
- Managing and terminating an employment relationship
Consent from the employee is not required for the collection, use and disclosure of employee personal data if:
  - The collection, use and disclosure of employee personal data by the employer is reasonable for the purpose of managing or terminating an employment relationship between the employer and the employee (for example, using personal data for payment);
  - On or before collecting, using or disclosing such employee personal data, the employer informs the employee of that purpose; and
  - On request by the employee, the employer furnishes the employee with the business contact information of a person who is able to answer the employee’s questions about the collection, use or disclosure of the employee’s personal data on behalf of the employer.
- Evaluative purposes
Employee personal data can be collected, used and disclosed by the employer without the employee’s consent and without notification for “evaluative purposes”. “Evaluative purposes” includes the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates for employment, promotion or removal from an appointment to office.
- Business asset transactions
Employee personal data can be disclosed to a prospective party in a business asset transaction (defined to mean the purchase, sale, lease, merger or amalgamation, or any other acquisition, disposal or financing of any organisation or a portion of an organisation, or of any of the business or assets of an organisation, other than the personal data to be disclosed) with the employer, without consent by the employee, if:
  - The personal data is about an employee, customer, director, officer or shareholder of the employer;
  - The personal data relates directly to the part of the employer or its business assets with which the business asset transaction is concerned;
  - The personal data is necessary for the prospective party to determine whether to proceed with the business asset transaction;
  - The employer and the prospective party have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction; and
  - If the employer enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed are notified that the business asset transaction has taken place and that the personal data about them has been disclosed to the prospective party.
As the PDPA is only in its infancy in Singapore, it is difficult at this stage to foresee how the administration and enforcement of the PDPA would pan out – it is likely, in particular during the early years, that the Personal Data Protection Commission in Singapore (formed to administer and enforce the PDPA) will be guided and persuaded by the way regulatory authorities in other jurisdictions (for example the United Kingdom) handle issues in relation to their respective data protection rules.