The much anticipated Personal Data Protection Act 2012 (the “PDPA”) came into operation on 2 January 2013, with its substantive obligations phased in over the following eighteen months. Coming after a series of public and industry consultations, the PDPA is considered by many commentators to be a timely and long overdue move. Previously, Singapore had no over-arching data protection law, only limited sector-specific confidentiality obligations found in legislation such as the Banking Act and the Official Secrets Act, together with self-regulatory codes of practice such as the Private Sector Model Data Protection Code, which is non-binding and voluntary in nature. The PDPA is intended to be a baseline law. It applies not only to all organisations in Singapore (other than organisations in the public sector), but also to organisations that are not physically located in Singapore yet collect, use or disclose personal data within Singapore.
The PDPA governs the collection, use and disclosure of personal data by organisations in a manner that recognises and balances both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable commercial and operational purposes. The PDPA is intended to curb excessive and unnecessary collection of an individual’s personal data by businesses, and includes requirements such as obtaining the consent of individuals before collecting, using or disclosing their personal data.
Key Features of the PDPA
- Establishment of a Data Protection Commission (“DPC”) to administer and enforce the PDPA;
- The application of the PDPA to all private sector organisations in Singapore, as well as to organisations located outside Singapore that collect, use or disclose personal data within Singapore;
- The requirement of at least one designated individual within each organisation to be responsible for compliance with the PDPA (“Personal Data Officer”);
- The requirement for organisations to implement policies and practices to comply with the PDPA;
- Introduction of general rules and exclusions relating to the collection, use and/or disclosure of personal data;
- Rights for individuals to request access to their personal data held by an organisation, to find out how the organisation has used or is using that data, to correct any inaccurate data, and to seek redress for suspected breaches of the PDPA;
- Introduction of a penalty and enforcement regime for breaches of the PDPA; and
- Introduction of a Do Not Call Registry (“DNC Registry”).
Data Protection Commission (“DPC”)
The Ministry of Communications and Information (the “MCI”) established the DPC and a Data Protection Advisory Committee (“DPAC”) on 2 January 2013, to administer the PDPA and to advise on it respectively.
Operation and Applicability of the PDPA
The PDPA ensures a standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks rather than replacing them. When handling personal data, organisations must therefore comply with the PDPA in addition to the common law and any other laws that apply to their particular industry. The PDPA covers personal data stored in both electronic and non-electronic forms.
The data protection provisions in the PDPA (excluding the provisions relating to the DNC Registry) generally do not apply to:
- Any individual acting in a personal or domestic capacity.
- Any employee acting in the course of his or her employment with an organisation.
- Any organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data.
- Business contact information.
Personal Data Officer and Compliance with the PDPA
In meeting its responsibilities under the PDPA, an organisation should consider what a reasonable person would consider appropriate in the circumstances. The PDPA imposes an express obligation on an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. At an organisation-wide level, the organisation should develop and implement the policies and practices necessary to meet its obligations under the PDPA, put in place a process for receiving and responding to complaints about its handling of personal data, communicate these policies and processes to its staff, and make information about them available on request.
General Rules and Exclusions
Collection and Use of Personal Data
The PDPA takes the following considerations into account in assessing the collection and use of personal data:
Organisations may not collect, use or disclose personal data about an individual unless the affected individual gives, or is deemed to have given, his or her consent to the collection, use or disclosure, or unless authorised under the PDPA or required by law.
Organisations may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and only if they have informed the individual of those purposes.
Care of Personal Data
The PDPA takes the following considerations into account in assessing the care of personal data:
Reasonable efforts shall be made to ensure that personal data collected by or on behalf of the organisation is accurate and complete.
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, and similar risks. The standard is one of reasonableness, so the arrangements expected of an organisation will depend on the nature and sensitivity of the data it holds.
Once the data protection provisions are in force, records of personal data may no longer be held indefinitely. An organisation must cease to retain personal data, or anonymise it, as soon as it is reasonable to assume that retention no longer serves the purpose for which the data was collected and is no longer necessary for legal or business purposes.
Transfer of Personal Data outside Singapore
An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA.
Access and Correction Rights
Individuals have the right to request access to their personal data that is in the possession or under the control of an organisation, and to obtain information about how that data has been used or disclosed. Where the personal data has been disclosed to third parties, the organisation shall provide the individual with a list of the third parties to which the data may have been disclosed.
Individuals also have the right to request that the organisation correct any inaccurate data. The organisation should correct the inaccuracy at the request of the individual concerned, unless there are reasonable grounds for refusing to do so.
Do Not Call Registry (“DNC Registry”)
The Act provides for the setting up of a DNC Registry, which will allow individuals to register their Singapore telephone numbers to opt out of marketing or premium service messages from organisations. Organisations will be required by law to check the registry before sending such messages and to refrain from sending them to registered numbers unless they have obtained the individual’s clear and unambiguous consent.
Messages without a commercial element fall outside the DNC Registry for the time being: for example, messages promoting political or charitable causes, messages soliciting donations, market research, and messages promoting national programmes of a non-commercial nature.
Organisations will be given a transitional period of 18 months before the data protection provisions come into force (projected for mid-2014). During this “Sunrise Period”, the DPC is expected to focus on awareness-building activities to reach out to consumers and organisations, and to issue advisory guidelines to help organisations bring their data protection practices into compliance with the PDPA.
The DNC Registry is expected to be ready for public registration by early 2014.
Penalty and Enforcement Regime of the PDPA
After the Sunrise Period, the DPC will be empowered to investigate complaints and to initiate investigations on its own accord. The DPC may issue guidelines and give directions to remedy non-compliance with the PDPA.
Further, criminal and/or civil sanctions may be imposed for non-compliance with the PDPA. The DPC may impose financial penalties of up to S$1 million, and officers of a body corporate may be criminally liable for an offence committed by the body corporate where the offence was committed with the consent or connivance of, or was attributable to the neglect of, that officer.
Contraventions of the DNC Registry provisions (see above) will constitute an offence, and persons in breach may on conviction be liable to a fine not exceeding S$10,000 per offence.