In February this year, the Singapore Personal Data Protection Commission (PDPC) launched a public consultation on proposed regulations and two sets of guidelines on key concepts and selected topics under the Personal Data Protection Act 2012 (No. 26 of 2012) (the Act). Following that consultation, the PDPC issued in September the final advisory guidelines on the key concepts. These final guidelines address the nine obligations that form the foundation for provisions under the Act.
The essential recommendations closely follow the Act and emphasise the main data protection principles, including that data may only be processed for specified purposes and that individuals must be provided with advance notice of the purposes for collection and what data may be optional or required. The advance notification requirement underpins the need for valid consent under the Act. Data should be accurate, complete and up to date. It is possible to presume this is the case when the data is provided directly by the individual, but a written declaration should be requested as a safeguard. Organisations must keep data secure and undertake risk assessments to prevent any data breaches, and should delete data in line with legal or industry standards to prevent further risk of loss. The PDPC also recommends that organisations appoint a Data Protection Officer and acknowledges that the DPO need not be an employee of that organisation nor based in Singapore.
The guidelines detail the methods organisations must undertake in order to obtain valid consent, in particular:
- Consent may not be obtained through deceptive or misleading practices or be a condition of a product or service
- Third party consent on behalf of an individual will only be valid where collection, use or disclosure is necessary in an emergency and where the data is publicly available
- Implied consent will only be valid where notification has been provided and the individual’s right to opt out is not due to an inability to give consent or a lack of awareness that consent is required
- Implied consent will be valid where an individual voluntarily provides their personal data for a known purpose or where information is generally available and can be obtained by reasonably expected means at a location or an event that is open to the public
- The consequences for withdrawing consent should be highlighted, and where consent is revoked, organisations should anonymise the data to render it irretrievable
The PDPC is yet to issue guidelines related to the topics on which it consulted earlier this year. Additional guidance is therefore anticipated which should shed further light on interpretation of the Act before it comes into force in July 2014.