The Personal Data Protection Bill was read for the first time in Parliament on 10 September 2012 after several rounds of public consultation exercises conducted by the Ministry of Information, Communications and the Arts. The bill was passed in Parliament on 15 October 2012 and is expected to come into force in January 2013.
Once in force, the Personal Data Protection Act (PDPA) will affect all organisations that are engaged in data collection, processing and disclosure of personal data within Singapore.
While the enactment of the PDPA in Singapore is expected to strengthen Singapore's reputation as a business hub, all companies and businesses operating in Singapore must be mindful of their obligations under this new law to avoid breaching the law and incurring the financial penalties that may be meted out for such breaches.
A Data Protection Commission (DPC) will be established pursuant to the PDPA to administer and enforce the PDPA. The DPC has the power to initiate investigations and/or conduct enquiries and may direct non-complying organisations to pay a financial penalty of up to S$1 million. The directions made by the DPC may be registered in the Singapore District Court for enforcement. However, it is not expected that the DPC would go about conducting investigations actively. Rather, the DPC may well rely on complaints lodged with it by individuals who feel aggrieved.
Individuals who suffer loss directly as a result of a breach of the PDPA will also have a right to commence civil action against the non-complying party after the DPC has made a final decision in relation to the contravention of the PDPA.
What data is protected?
The PDPA applies to all data, whether true or otherwise, about individual(s) which will allow the individual(s) to be identified from that data, or from the combination of that data with other accessible information.
Brief overview of obligations imposed on organisations by the PDPA
The PDPA will prohibit organisations from collecting, using, or disclosing personal data about an individual unless that individual has given his or her consent or if such collection, use, or disclosure is required by law.
Organisations may only collect, use or disclose personal data for reasonable purposes. Organisations are not allowed to require individuals to consent to the collection, use or disclosure or personal data beyond what is reasonable to provide their product or service to the individuals. For example, a doctor should not disclose his patient list to his wife running a travel agency to allow his wife to offer holiday deals to his patients who may benefit from recuperating at an overseas location.
The consent of an individual to the collection, use or disclosure of personal data will not be deemed to have been given unless the organisation informs the individual of the purposes for the collection, use or disclosure of the personal data. Individuals who have given such consent may withdraw their consent at any time.
Organisations are required to make a reasonable effort to ensure that personal data collected is accurate and complete. This is especially where personal data is likely to be used by the organisation to make a decision that affects the individual or if the data is to be disclosed to another organisation. Take for example, the case of an individual who is dismissed for misconduct, but an employment tribunal finds that the dismissal was unfair, and the individual reinstated. While it may be accurate for the employer to record that the employee was dismissed, the employer's records should reflect the tribunal's decision that the employee should not have been dismissed.
In addition, the PDPA will also require companies to take steps to:
- make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data;
- destroy documents containing personal data or remove the means by which the personal data may be associated with the individuals, as soon as the purpose for which that personal data was collected is no longer being served by retention of the data, and retention of such data is no longer necessary for legal or business purposes;
- designate one or more individuals to ensure that they comply with the PDPA ("Personal Data Officer"); and
- develop and implement policies necessary to comply with the PDPA.
That said, organisations will be given a "sunrise" or transition period after the enactment of the PDPA to implement the necessary policies to comply with the PDPA. A transition period of 18 months will be given before the data protection rules in the PDPA come into force.
The National "Do Not Call Registry"
Another major feature of the PDPA will be the setting up of a national "Do Not Call Registry". This is a registry that will allow individuals to register themselves to opt-out of receiving marketing messages in the form of phone calls, short message service (SMS) messages, multimedia message service (MMS) messages, and fax messages.
Under the PDPA, it will be an offence for organisations to send a message to a Singapore telephone number registered in the "Do Not Call Registry". Such an offence is punishable by a maximum fine of S$10,000. A transition period of 12 months will be given before the provisions in the PDPA relating to the "Do Not Call Registry" come into force.
Notwithstanding the transition periods given, organisations should begin to take their obligations under the impending PDPA seriously and also educate employees on these obligations because acts done by their employees in the course of their employment will be treated as acts done by their employers for the purposes of the PDPA.
Some of the immediate actions that organisations should consider in preparation for the enactment of the PDPA would include:
- ensuring that adequate computer and security measures are in place to protect personal information that is stored in the organisation's systems
- reviewing and updating their data retention policies (especially for companies who hold substantial amounts of personal data);
- assessing who in the organisation would be best suited to perform the role of the Personal Data Officer;
- reviewing how the company acquires, use or handle personal data.