The Personal Data Protection Commission (PDPC) has recently issued a number of updates in relation to the Personal Data Protection Act 2012 (PDPA) including:-

  • updates to the Advisory Guidelines on Key Concepts and Selected Topics of the PDPA; and
  • Personal Data Protection Regulations 2014 (Regulations).

In this article, we will explore some of the more pertinent updates.

Transfer of personal data outside Singapore

Section 26 of the PDPA prohibits the transfer of personal data outside of Singapore except in accordance with the requirements prescribed under the PDPA.

The Regulations now set out the requirements that an organisation must satisfy before it can transfer personal data outside of Singapore. The requirements are:-

  1. where a transferring organisation transfers personal data out of Singapore, while the personal data remains in the control or possession of the transferring organisation, the transferring organisation is required to comply with the PDPA in respect of such personal data even when the personal data is situated outside of Singapore; and
  2. the transferring organisation must take steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA.

This requirement is considered satisfied in the following situations:-

  1. when the laws of the country to which the personal data is transferred provide a standard of protection comparable to Singapore;
  2. when the transferring organisation imposes obligations on the recipient (in the form of contractual obligations, binding corporate rules or other legally binding instruments), which obligate the recipient to provide a standard of protection for the personal data so transferred that is at least comparable to the protection under the PDPA. Any contract or binding corporate rules must set out the countries or territories to which the personal data may be transferred;
  3. when the individual consents to the transfer. In seeking consent of the individual, the transferring organisation has to provide a summary of the extent to which the transferred personal data will be protected to a standard of protection comparable to the PDPA;
  4. when the transfer is necessary in relation to or for the performance of a contract (i) between the individual and the transferring organisation; (ii) between the transferring organisation and a third party which is entered into at the individual’s request; or (iii) between the transferring organisation and a third party if the contract is reasonably considered to be in the individual’s interest;
  5. where the transfer is necessary for the personal data to be used in any of the manners set out in paragraphs 1(a), (b) or (d) of the PDPA’s Third Schedule or paragraph 1(a), (b), (c), or (o) of the Fourth Schedule of the PDPA.

Under the Regulations, two categories of personal data are exempt from the operation of section 26 of the PDPA:-

  1. personal data that is in transit (i.e. data that is transferred through Singapore in the course of onward transportation to another country without the data being used or disclosed in Singapore, except in connection with the transportation); and
  2. personal data that is publicly available in Singapore.

Request for access to and correction of personal data

Sections 21 and 22 of the PDPA allow an individual to request access and correction of personal data. The Regulations set out the following with respect to an individual’s request:-

  1. A request must have sufficient details to enable the organisation to identify the person making the request and to act on the request.
  2. A request must be in writing and sent to the organisation’s data protection officer or in a manner acceptable to the organisation.
  3. An organisation must (unless it is impracticable to do so) provide an individual who has requested access to personal data with a copy of the personal data and the use and disclosure information in documentary form or such other form requested by the individual that is acceptable to the organisation.
  4. An organisation should comply with an access or correction request as soon as reasonably possible. If an organisation is unable to comply within 30 days of the request, the organisation must, before the expiry of the 30-day period, inform the individual in writing of the time required for the organisation to comply.
  5. An organisation may charge reasonable fees for an individual’s request for access to personal data, but no fees may be charged for correction of personal data. Prior notice of the fees and the quantum chargeable must be provided to the individual before the fees can be charged. An organisation need not comply with an access request unless the individual agrees to pay the fees. The PDPC has the power and discretion to review such fees.

Organisations will have to implement a request process and make details of that process publicly available.

Consent given by a minor

The PDPA does not specify any minimum age for a person to be able to give consent in respect of his/her personal data, for the purposes of the PDPA.

In the Advisory Guidelines, the PDPC has adopted a practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his/her own behalf. However, the Advisory Guidelines further provide that where an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from another individual who is legally able to provide consent on the minor’s behalf.

In effect, the Advisory Guidelines seek to apply a subjective test to the question of whether a minor is able to give effective consent under the PDPA. This requires organisations, when seeking consent from any minor, to consider the question of whether that minor has a sufficient understanding of the nature and consequences of giving consent. In most circumstances, this will not be practicable. Organisations should carefully consider the collection, use and disclosure of personal data of minors and whether to seek consent from an individual who is legally able to provide consent on the minor’s behalf.