On 15 October 2012, Singapore's Parliament approved the Personal Data Protection Bill, which provides the first full-coverage data protection law for Singapore. The law is aimed at providing minimum standards relating to the collection, use and protection of personal data. It also establishes the Personal Data Protection Commission (PDPC) and a Do Not Call Registry (DNC). The Personal Data Protection Act 2012 (PDPA) came into force on 1 January 2013, and organisations will be expected to comply fully with its requirements by 2 July 2014. Further guidelines and regulations have been published and more are expected to give additional clarity to the implementation of the PDPA.
To whom will the PDPA apply?
The PDPA applies to the private sector in Singapore, irrespective of size and geographical location, where the personal data in question is collected in Singapore. It does not apply to Singapore's public sector. In addition, "data intermediaries", organisations which process personal data on behalf of other organisations, also need to comply with selected obligations under the PDPA.
What constitutes personal data under the PDPA?
Personal data under the PDPA is defined as any data which can identify an individual, either on its own or in conjunction with any other data held or likely to be held by any organisation, whether or not kept in electronic form. However, certain types of personal data are excluded from the scope of the PDPA: business contact information relating to an individual's name, position, business address, number, email or similar information; personal data relating to individuals who have been dead for over ten years (subject to some exceptions); and personal data which has been on record for over 100 years.
Organisations are required to obtain the consent of individuals to their personal data being collected, used or disclosed. Organisations are allowed to decide how to obtain consent, subject to certain constraints. Essentially, individuals must be informed of the purposes of the data collection and the uses to which the data will be put, which should be those a reasonable person would consider appropriate in the circumstances. If an organisation has acquired an individual's consent, or the individual is deemed to have given consent, to disclose information to another organisation, that other organisation may also process that personal data.
There are, however, some circumstances where consent is not necessary for the collection, use or processing of personal data, for example, when the data is made publicly available; relates to news activities; is for the beneficiaries of trust and insurance policies; or is collected by a bank or a credit bureau for the purpose of creating a credit report.
Other requirements for organisations processing personal data
Organisations must appoint a privacy officer with responsibility for compliance with the PDPA. Privacy officers are required to ensure data collected is reasonably accurate and complete and take reasonable steps to keep the data secure. Organisations and data intermediaries are also required not to retain personal data for longer than necessary.
The PDPA allows for cross-border data transfers provided the organisation wishing to transfer the personal data ensures that the receiving party has adequate levels of protection (whether prescribed by regulation or contractual) of no less than the standard of protection under the PDPA.
The PDPA establishes the PDPC to enforce and implement the PDPA. The PDPC may also issue advisory guidelines to clarify the PDPA and its effect on both organisations and individuals. There is no breach notification requirement under the PDPA. Organisations can be fined up to S$100,000 (just under €65,000) for obstructing the PDPC from carrying out its duties and S$50,000 (around €32,000) for certain breaches of the PDPA.
The DNC became operational on 2 January 2014. It allows individuals to opt out of receiving unsolicited marketing messages. This excludes email and post but includes voice calls, text messages and multimedia messaging services. Messages or calls made to a Singapore phone number and sent, received or accessed in Singapore will be caught by the regime. Organisations which intend to send marketing material are obliged to check whether intended recipients are registered with the DNC before doing so. Businesses are, however, allowed to promote related products and services to individuals with whom they have an "ongoing relationship" without having to consult the DNC. In addition, where clear, unambiguous consent has been obtained by an organisation, marketing messages may still be sent to an individual on the DNC. The PDPC has issued guidance on the new rules. In February 2014, the PDPC announced that it was taking action in response to 1500 valid complaints about failure to respect rules on unsolicited marketing communications. It is looking into criminal prosecution of one organisation; has offered to compound fines in relation to two organisations; and has issued warning notices to over 100 organisations. The PDPC had previously said it would take a pragmatic view to enforcement but has clearly taken a proactive stance on this issue.
Guidance notes and consultations
In February 2013, the PDPC launched three consultations on Proposed Regulations and Advisory Guidelines covering:
- subject access and data correction – the paper outlines the proposed rights and responsibilities of organisations and considers what the appropriate amount charged to those making subject access requests should be. Comments are sought on the procedure for making and responding to requests;
- transfers of personal data outside Singapore – the PDPA allows personal data to be transferred outside Singapore where the recipient can protect the data to the same standard as it would be protected in Singapore. The paper asks for comments on appropriate means to achieve this (for example through binding corporate rules or contractual clauses) and on what the contractual methods should cover; and
- individuals who can act for others under the PDPA – the PDPA allows authorised individuals to act on behalf of others in exercising their rights under certain circumstances. The paper suggests that minors between the ages of 14 and 18 can act on their own behalf provided they understand the consequences of exercising their rights. Comments are requested on minimum age limits for acting independently and also on how to make claims in respect of deceased individuals.
In May 2013, a consultation on the DNC was launched and in early 2014, there was a consultation on the proposed Real Estate Agency and Telecommunications Guidelines.
The PDPC issued guidelines on the PDPA in October 2013. The guidance note deals with the issue of consent to data processing. It says, among other things, that provided information about the processing of personal data is given in a clear and transparent manner before the processing begins, failure to opt out and submission of the data can constitute consent. The guidance also urges businesses to anonymise personal data where possible and to take steps to reduce the possibility of anonymisation being reversed (this is apparently adapted from the UK's guidance on anonymisation). It also covers security arrangements and advises businesses to carry out risk assessments and have policies for monitoring and responding to security breaches.
The PDPC is expected to publish further guidelines in the coming months.
The PDPA came into force in January 2013. The transitional period of eighteen months to allow private organisations time to comply with the new regime will end on 2 July 2014, but the 'do-not-call' rules have been in force since 1 January 2014.
The PDPA is a welcome piece of legislation and follows the trend of equivalent data protection legislation enacted in other parts of Asia.
For individuals, this legislation provides comfort that personal data collected from them will be subject to minimum standards of protection and will not be put to use outside the scope of their consent.
For organisations which collect personal data, the sunrise period, together with the implementing regulations and guidelines, is intended to provide clarity as to the scope of their obligations and should assist and enable them to prepare for compliance with the legislation.