General provisions of the Personal Data Protection Act came into effect on 2 January 2013, meaning that companies have up to 18 months to ensure compliance with the Do-Not-Call registry provisions and data protection rules. What are your opinions on this?
The Personal Data Protection Act 2012 (“PDPA”) will be implemented in two phases – first, the Do-Not-Call (“DNC”) registry provisions will come into force after a transition period of 12 months (and the DNC registry is expected to be ready for registration by the public in early 2014); second, the data protection rules will come into force after a transition period of 18 months. This transition period of up to 18 months is essential as it provides larger private organisations an opportunity to thoroughly review and update their data management policies and procedures, and it gives smaller or medium-sized companies time to develop their data protection policies and make the necessary adjustments to their business processes in handling personal data.
What are the other key points of the Personal Data Protection Act?
The PDPA applies to all private organisations that collect or process personal data in Singapore, including the organisations that are not physically located in Singapore. It is important that companies take note of this extra-territorial effect of the law, particularly those companies that plan to expand their business to Singapore and multinational companies with existing business interests in Singapore.
Generally, organisations will have to obtain consent from individuals before collecting, using or disclosing their personal data. The PDPA also requires organisations to use personal data only for the purposes for which consent was obtained. Once the DNC provisions come into force, organisations will need to check the DNC registry before making unsolicited marketing phone calls, or sending mobile text messages or faxes to any Singapore telephone number.
Does it go far enough in your opinion?
Singapore has previously adopted a sectoral approach to data protection, relying on various sector-specific laws to protect personal data processed by organisations in certain regulated industries, such as telecommunications service providers, and financial and healthcare institutions.
The PDPA establishes an overarching data protection framework that applies to all organisations in the private sector and sets out baseline rules on the collection, use, disclosure and protection of personal data. The enactment of the PDPA brings Singapore’s data protection regime in line with international standards of data protection. Significantly, such enactment is a step forward in increasing the trust between consumers and businesses and in facilitating cross-border data transfers, and, in the medium to long term, the implementation of the new data protection regime will help bolster Singapore’s position as a major business and data management hub in Asia.
Unlike the data protection rules in certain European countries and many US states, the PDPA does not require organisations to notify or report data security breaches to the Personal Data Protection Commission (“PDPC”), the regulator responsible for enforcing the PDPA in Singapore. That said, businesses must take compliance seriously, as the PDPC has the power to impose a financial penalty of up to S$1 million, and the penalty for a criminal offence under the PDPA includes fines and imprisonment.
Has the number of data protection-related challenges risen considerably as the growth of technology becomes more and more rapid?
Yes, absolutely. Technology has transformed the way organisations do business and utilise customer data. With the advent of the internet and advanced computing technology and the growing popularity of internet-enabled devices, personal data can be collected from individuals on a large scale quickly and processed and transferred abroad easily.
Is there anything else you would like to add?
Under the PDPA, every organisation in the private sector is required to appoint a data protection officer, who will be responsible for ensuring that the organisation complies with the PDPA.
Private sector organisations are advised to get the ball rolling as early as possible during the 18-month transition period, and among other things, review their business processes carefully, assess the data protection compliance risks associated with their internal and business practices, monitor the cost of compliance, conduct staff training, put in place sufficient technical and operational data security measures, and develop and implement effective data management strategies.