In a previous issue of our Chronicle, we wrote about the plans of the Ministry of Information, Communications and the Arts (since renamed as the Ministry of Communications and Information) (MCI) to introduce legislation to regulate the collection, use, and disclosure of personal data. Prior to this, Singapore did not have an overarching data protection law. Personal data was protected to a limited extent only by certain sector-specific legislation, such as the Banking Act, the Official Secrets Act, as well as voluntary codes of practice such as the Model Data Protection Code for the Private Sector.
The Personal Data Protection Act 2012 (PDPA) was passed on 2 January 2013. The PDPA will take effect in phases, starting with the provisions relating to the formation of the Personal Data Protection Commission (PDP Commission), which came into effect on 2 January 2013. Provisions relating to the “Do Not Call” registry (DNC Registry) will come into force in early 2014 and the main data protection rules will come into force in mid-2014. This allows organisations time to review and adopt internal personal data protection policies and practices for compliance with the PDPA. The exact dates on which these provisions will come into force will be announced later.
HIGHLIGHTS OF THE PDPA
- General Principles
The PDPA establishes a baseline standard of protection for personal data, taking into account the following concepts:
- Consent – Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions as prescribed in the PDPA).
- Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use, or disclosure.
- Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
These rules complement and will not supersede existing sector-specific legislative and regulatory frameworks and the common law.
The data protection provisions in the PDPA (excluding the provisions relating to the DNC Registry) generally do not apply to:
- Any individual acting on a personal or domestic basis.
- Any employee acting in the course of his or her employment with an organisation.
- Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data.
- Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
- Data Protection Commission
The PDPA will be administered by the newly-established PDP Commission, which will also undertake public education and engagement programmes to help organisations understand and comply with the PDPA, and promote awareness of the importance of personal data protection in Singapore.
- Implementation of Procedures
Organisations are required to implement policies and practices to comply with the PDPA (and communicate the same to their staff), develop processes to deal with complaints arising out of the application of the PDPA, and make information available on request in relation to such policies and practices and such complaints processes.
- DNC Registry
The PDPA provides for the establishment of a national DNC Registry. The DNC Registry will allow individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
- Care of Personal Data
The PDPA requires organisations to:
- Take reasonable efforts to ensure the accuracy of personal data collected by them, if that data will be used to make a decision that will affect the individual to which that data relates or will be disclosed to another organisation.
- Make reasonable security arrangements to protect personal data in their possession or under their control, so as to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks.
- Cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer served by retention of the personal data, and retention is no longer necessary for legal and business purposes.
- Refrain from transferring any personal data to a country or territory outside Singapore except in accordance with the PDPA.
- Access and Correction Rights
An individual has the right to require an organisation to give him access to his personal data in the organisation’s possession and control, and to inform him about the use of such data. An individual also has the right to request an organisation to correct any error or omission in the personal data relating to him held by the organisation.
CONSULTATION PAPERS ON THE PROPOSED REGULATIONS AND GUIDELINES ON THE PDPA
In early February 2013, the PDP Commission issued three consultation papers on the proposed regulations and guidelines to implement the PDPA, comprising:
- the Proposed Regulations on Personal Data Protection in Singapore, which are intended to supplement the operation of the PDPA;
- the Proposed Advisory Guidelines on Key Concepts in the PDPA, which elaborate on the key concepts in the PDPA, including the interpretation of key terms like the definition of personal data, key obligations of organisations under the PDPA including the obligations to obtain consent for the collection, use and disclosure of personal data, and the treatment of existing personal data; and
- the Proposed Advisory Guidelines on the PDPA for Selected Topics, which explain how the PDPA applies to particular issues which may be of specific concern to businesses and members of the public.
- Proposed Regulations on Personal Data Protection in Singapore
Various sections of the PDPA provide for matters that may be prescribed by way of regulations to supplement the operation of the provisions of the PDPA. The Proposed Regulations on Personal Data Protection in Singapore provide for, among others:
- The form, manner and procedures for making and responding to requests for access to or correction of personal data.
- The requirements to be complied with by organisations for the transfer of personal data out of Singapore.
- The classes of persons who may act for minors or other individuals who lack capacity to act under the PDPA.
- The procedural and administrative matters such as the form, manner and procedures relating to applications and complaints to the PDP Commission.
- Proposed Advisory Guidelines on Key Concepts in the PDPA
The Proposed Advisory Guidelines on Key Concepts in the PDPA elaborate upon key concepts in the PDPA, including:
- The definitions of important terms used in the PDPA, such as personal data, collection, use, disclosure, reasonableness and organisation.
- The various obligations on organisations under the PDPA (as mentioned above) to:
- have reasonable purposes for, notify the purposes of, and obtain consent for, the collection, use, or disclosure of personal data;
- allow individuals to access and correct their personal data; and
- take care of personal data.
- The DNC Registry provisions.
The said guidelines also provide several examples illustrating the practical application of the PDPA to various factual scenarios.
- Proposed Advisory Guidelines on the PDPA for Selected Topics
The Proposed Advisory Guidelines on the PDPA for Selected Topics explain the obligations of organisations involved in or in respect of the following areas:
- Analytics and research.
- The employment recruitment process.
- The collection, use, and disclosure of NRIC numbers.
- Online activities.
The proposed regulations and guidelines serve to clarify how the PDP Commission will apply and enforce the PDPA, particularly in grey areas which the PDPA does not expressly address. A copy of the consultation papers can be found at the following website: http://www.pdpc.gov.sg/personal-data-protection-act/public-consultations. More information on the PDPA and the PDP Commission can be found at the website of the PDP Commission: http://www.pdpc.gov.sg. The responses issued by the PDP Commission to the frequently asked questions about the PDPA also provide a useful explanation of the various concepts and rules of the PDPA and set out various examples to illustrate the same. These responses can be found at the following link: http://www.pdpc.gov.sg/faqs/overview.