- The Proposed Personal Data Protection Bill (Draft Bill) has general application and will apply as a baseline law applicable to all organisations in Singapore (excluding the public sector) operating concurrently with existing sector specific regulation.
- The Draft Bill, once passed, will have effect after a ‘sunrise’ period of at least 18 months.
- The Draft Bill continues to be relatively ‘employer friendly’ compared to data protection regimes in other jurisdictions.
The Draft Bill regulates the use, collection and disclosure of personal data by most organisations in Singapore (except those in the public sector). It also applies to organisations engaged in data processing activities with a ‘Singapore link’ (eg data is collected from individuals in Singapore) even if the organisation is not itself located within the country.
Personal data (in all forms whether electronic or manual and even CCTV footage) is described in the Draft Bill as data ‘…whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation is likely to have access.’
In summary, the general rules of data protection compliance in the Draft Bill require organisations to:
- obtain consent from individuals in order to collect, use or disclose personal data unless a specific exemption applies or where consent can be ‘deemed’ because an individual has voluntarily provided their personal data for a particular purpose,
- designate an individual to be responsible for data protection compliance,
- develop compliance policies and practices (including a complaints procedure),
- notify individuals of the purposes for collection, use or disclosure of their personal data (subject to applicable exemptions),
- provide individuals with access to their personal data and a right of correction (subject to applicable exemptions), and
- comply with requirements relating to the accuracy, security and retention of personal data.
Exemptions from the requirement to obtain consent
Our December article1 on the earlier data protection public consultation described the key aspects of how the proposed regime would apply to the employer / employee relationship. These largely remain unchanged in the Draft Bill.
In particular, the Draft Bill includes a number of exemptions which are particularly helpful to employers. For example, employers are generally not required to obtain an individual’s consent to collection, use or disclosure of personal data which is:
- business contact information (which includes an individual’s name, position title, business phone, email and other similar information not provided for use in a solely personal context),
- for the purposes of managing or terminating an employment relationship (although employers are still required to notify certain details about their processing of personal data as well as providing a business contact for any related queries),
- for evaluative purposes (which include determining suitability, eligibility or qualifications for employment, promotion or removal from employment such as obtaining employee references), and
- for certain business transaction purposes.
MICA has also made it clear that a further exemption from consent will be added to the Draft Bill before it is introduced to Parliament which will cover the collection, use or disclosure of personal data for the purpose of ‘establishing’ employment, to cover recruitment purposes.
Exemptions from an individual’s right to access personal data
Employers can also rely on exemptions to refuse an individual’s right to access their personal data including where:
- information is kept solely for evaluative purposes (eg employment references),
- certain investigation purposes (or related proceedings or appeals), or
- information cannot be found, is trivial or that is otherwise frivolous or vexatious.
Implications for employers
While the Draft Bill has many ‘employer friendly’ exemptions it is important that compliance is not overlooked. Employers must also ensure that they have clear policies and complaint handling processes as well as a designated individual appointed for data protection compliance ready for when the legislation comes into force.
Penalties for breaches of the Draft Bill are severe including fines of up to SGD 1 million and, potentially, criminal offences for organisations and individuals (including officers and management).
The Draft Bill is expected to be introduced before Parliament later this year. However, there will be a ‘sunrise’ period of 18 months after enactment before the provisions take effect and transitional provisions will also apply to existing personal data.