In 2012, Singapore enacted the new Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). Before the main provisions come into force, which is planned for July 2014, Singapore’s Personal Data Protection Commission (PDPC) issued public consultations, or requests for comment, on a proposed regulation and two guidelines. While the PDPC is still reviewing the comments received, the proposals are a strong indication of how Singapore’s data protection law is likely to apply.
The proposed regulations include binding directives on how to comply with the PDPA:
- The regulations specify that individuals’ requests for access to their data should be in writing and sufficiently detailed.
- Controllers must respond to those access requests within 30 days, but are entitled to charge a minimal fee and to require a deposit.
- Any mechanism used for transferring data outside Singapore will be flexible, but must contain sufficient protection and be legally binding, either through use of contractual clauses or binding corporate rules, similar to that of the EU transfer mechanism.
- The regulations also discuss allowing a person acting on behalf of the data subject – for example, in cases of minors and deceased individuals – to provide consent. By contrast, the EU Directive applies only to living individuals.
The PDPC advisory guidelines on key PDPA concepts discuss the main obligations under the Act, and recommend that:
- Prior to obtaining consent, notice should be provided regarding which data is compulsory and which is optional. Failure to opt-out would not be deemed consent, but consent will be implied where the individual voluntarily provides data for a known purpose. No consent is required when data is publicly available.
- Data can be processed only for specified appropriate purposes disclosed in writing prior to collection.
- Reasonable efforts are made to ensure accuracy of data when disclosed to other organisations.
- Data is retained based on legal or industry standards.
- A person(s) responsible for ensuring compliance should be designated to satisfy the openness obligation.
- The ‘do not call register’ should be consulted before engaging in direct marketing.
The guidelines on selected topics cover several items, including data anonymisation, employment and online processing.
- Anonymisation is defined as the conversion of personal data into data incapable of being able to identify an individual – for example, through aggregation, data reduction, masking or pseudonymisation. Anonymisation would only cover data where any risk of re-identification is trivial, which can be tested using the ‘motivated intruder test’ set out in the UK Information Commissioner’s Office (ICO)’s Code of Practice – “Anonymisation: Managing Data Protection Risk Code of Practice.”
- Employers can benefit from a number of exemptions. The ‘evaluative purpose’ exception disposes of the consent obligation during recruitment, and employers are exempt from providing subjects with opinion data. Employee’s bank details and monitoring data can be processed for the purposes of administration and supervision without consent or notification.
- Employer may be vicariously liable for any PDPA breach caused by employees acting in the course of employment.
The PDPC guidance seems to have relied heavily on the existing EU data protection and cookie frameworks. Whether the comments received or the pending EU Data Protection Regulation will have an impact on the final regulations and guidance remains to be seen.