The Personal Data Protection Commission (PDPC) has recently issued a number of updates in relation to the Personal Data Protection Act 2012 (PDPA) including:-
- updates to the Advisory Guidelines on Key Concepts and Selected Topics of the PDPA; and
- Personal Data Protection Regulations 2014 (Regulations).
In this article, we will explore some of the more pertinent updates.
Transfer of personal data outside Singapore
Section 26 of the PDPA prohibits the transfer of personal data outside of Singapore except in accordance with the requirements prescribed under the PDPA.
The Regulations now set out the requirements that an organisation must satisfy before it can transfer personal data outside of Singapore. The requirements are:-
- where a transferring organisation transfers personal data out of Singapore, while the personal data remains in the control or possession of the transferring organisation, the transferring organisation is required to comply with the PDPA in respect of such personal data even when the personal data is situated outside of Singapore; and
- the transferring organisation must take steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA.
This requirement is considered satisfied in the following situations:-
- when the laws of the country to which the personal data is transferred provides a standard of protection comparable to Singapore;
- when the transferring organisation imposes obligations on the recipient (in the form of contractual obligations, binding corporate rules or other legally binding instruments), which obligate the recipient to provide a standard of protection for the personal data so transferred that is at least comparable to the protection under the PDPA. Any contract or binding corporate rules must set out the countries or territories to which the personal data may be transferred;
- when the individual consents to the transfer. In seeking consent of the individual, the transferring organisation has to provide a summary of the extent to which the transferred personal data will be protected to a standard of protection comparable to the PDPA;
- when the transfer is necessary in relation to or for the performance of a contract, between (i) the individual and the transferring organisation; (ii) between the transferring organisation and a third party which is entered into at the individual’s request; or (iii) between the transferring organisation and a third party if the contract is reasonably considered to be in the individual’s interest;
- where the transfer is necessary for the personal data to be used in any of the manners set out in paragraphs 1(a), (b) or (d) of the PDPA’s Third Schedule or paragraph 1(a), (b), (c), or (o) of the Fourth Schedule of the PDPA.
Under the Regulations, two categories of personal data are exempt from the operation of section 26 of the PDPA:-
- personal data that is in transit (i.e. data that is transferred through Singapore in the course of onward transportation to another country without the data being used, disclosed in Singapore, except in connection with the transportation); and
- personal data that is publicly available in Singapore.
Request for access to and correction of personal data
Sections 21 and 22 of the PDPA allow an individual to request access and correction of personal data. The Regulations set out the following with respect to an individual’s request:-
- A request must have sufficient details to enable the organisation to identify the person making the request and to act on the request.
- A request must be in writing and sent to the organisation’s data protection officer or in a manner acceptable to the organisation.
- An organisation must (unless it is impracticable to do so) provide an individual who has requested for access to personal data with a copy of the personal data and the use and disclosure information in documentary form or such other form requested by the individual that is acceptable to the organisation.
- An organisation should comply with an access or correction request as soon as reasonably possible. If an organisation is unable to comply within 30 days of the request, the organisation must before the expiry of the 30 day period, inform the individual in writing of the time required for the organisation to comply.
- An organisation may charge reasonable fees for an individual’s request for access of personal data, but no fees may be charged for correction of personal data. Prior notice of the fees and the quantum chargeable must be provided to the individual before the fees can be charged. An organisation need not comply with an access request unless the individual agrees to pay the fees. The PDPC has the power and discretion to review such fees.
Organisations will have to implement a request process and make details of its process publicly available.
Consent given by a minor
The PDPA does not specify any minimum age for a person to be able to give consent in respect of his/her personal data, for the purposes of the PDPA.
In the Advisory Guidelines, the PDPC has a adopted a practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his/her own behalf. However, the Advisory Guidelines further provide that where an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from another individual who is legally able to provide consent on the minor’s behalf.
In effect, the Advisory Guidelines seeks to apply a subjective test to the question of whether a minor is able to give effective consent under the PDPA. This requires organisations when seeking consent from any minor, to consider the question of whether that minor has a sufficient understanding of the nature and consequences of giving consent. In most circumstances, this will not be practicable. Organisations should carefully consider the collection, use and disclosure of personal data of minors and whether to seek consent from an individual who is legally able to provide consent on the minor’s behalf.