On 2 January 2013, the Singapore Personal Data Protection Act 2012 (PDPA) came into force with the formation of the Personal Data Protection Commission (PDPC) – a new body responsible for administering and enforcing this act. The PDPA is applicable to all organizations in Singapore, except organizations in the public sector.
PDPA seeks to regulate the activities of an organization with regard to collecting, using or disclosing personal data, and it provides individuals with access to their personal data that may be managed by organizations. The act also provides for the establishment of a national Do Not Call (DNC) Registry, enabling individuals to opt out of receiving any marketing pitches, sales calls, text messages or faxes by registering their phone numbers in the registry. The Act will be implemented progressively in phases; organizations will have 18 months transition period to streamline their policies and processes to ensure compliance. While the main provisions of the Act will kick in from July 2014, the DNC Registry will come into force on 2 January 2014.
PDPC has the legal power to review complaints from affected parties and refer parties to mediation. PDPC is also empowered to enter premises of an organization without warrant after issuing two days of advanced notice, obtain warrant to search and seize, and issue directions to an organization to a) stop collecting data or b) destroy data. PDPC can also impose financial penalties of up to S$1 million.
Therefore, organizations collecting data of individuals in Singapore have to be mindful of their obligations under this new law to avoid incurring legal actions on the grounds of non-compliance. Organizations engaging in telemarketing activities are required to honor their obligations under the Do Not Call Registry.
Why the Need?
Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?
The information-based economy has led to the emergence of a new asset class – personal data that has overarching potential. Consequently, legislation to guard this new asset class has become a necessity. In line with other advanced economies, Singapore has joined the data-guardians club with the enactment of the Personal Data Protection Act 2012 (PDPA).
In Singapore collection of personal data such as phone number, address and NRIC number has remained a common practice, be it for an all important bank account opening or simply to gain access into a secured office building. Besides this direct data collection, information about individuals is discreetly being collected by the various social networking, messaging, mailing platforms and hoards of mobile applications that are avidly used by the digitally savvy residents of Singapore.
The seemingly insignificant data thus collected by organizations or voluntarily shared by the individuals is evolving into high value property in the evolving Big Data eco-system. Unscrupulous players can trade or misuse this property. Owing to its potential value, it requires legislative protection, requiring the organizations in possession of such data to comply with the regulations to ensure the security and integrity of the data.
PDPA Scope and Applicability
PDPA seeks to regulate the activities of organizations with regard to collecting, using or disclosing personal data, and it provides individuals with access to any personal data kept by organizations.
The term ‘Personal Data’ according to the Act refers to data, true or otherwise, about an individual who can be identified from that data or from the combination of that data with other information accessible to an organization. The PDPA covers personal data stored in both electronic and non-electronic forms, therefore organizations recording and keeping CCTV footage or recording their events and live promotions in photo and video formats also have to be vary of their obligations when they are used in publications or other forms of distribution.
The Act is applicable to all private sector organizations in Singapore as well as all organizations located outside Singapore that are engaged in data collection, processing or disclosure of such data within Singapore. Therefore organizations using offshore call centers for their marketing or sales and services are also required to ensure compliance with PDPA requirements. It must be noted that data intermediaries – the organizations involved in processing data on behalf of a principle owner of such data, are exempted from most of the requirements under the PDPA but have to comply with the regulations relating to data protection and retention.
PDPA does not supersede any of the existing sector specific laws or the common law; therefore, organizations are required to ensure compliance with common law as well as any relevant legislation that are specific to their sector, such as the Banking Act, which regulates the customer information collected by banks or the Private Hospitals and Medical Clinics Act, which regulates the confidentiality of patient information held by hospitals, clinics or labs.
PDPA does not apply to individuals acting in individual or domestic capacity, employees acting in the course of their employment, organizations acting on behalf of a public agency, and business contact information.
Organizations that collect personal data using ‘cookies’ would equally be subject to the requirements of the PDPA. Organizations whose websites notify their users on their cookie policy, are considered to have obtained deemed consent of the users to collect personal data.
For personal data collected and held by organizations prior to the enforcement of PDPA, the organizations are required to obtain consent from the individual if the data is to be used for a purpose different from the original purpose for which it was obtained, or if it is be used or disclosed for new purposes.
Key Requirements
In general the regulations under the PDPA underscore four concepts consent, purpose, legitimacy and protection.
Consent
Organizations are required to obtain consent from the individual to collect, use or disclose personal data for a specified purpose. The consent must be validly obtained without any deceptive or misleading information. The consent may be either express or deemed. It is considered a deemed consent when the individual voluntarily gives personal data or it is reasonable to assume that the individual would voluntarily provide the personal data. Some exemptions have been provided to this requirement for circumstances involving investigation, employment, debt, and interest of the individual.
Purpose
Organizations may collect, use or disclose personal data only for the stated purpose for which the individual has consented. If the personal data is to be used for a different purpose other than the original then fresh consent must be obtained.
Legitimacy
Organizations must take reasonable effort to ensure that personal data, which they collect, is accurate and complete. Organizations collecting personal data are required to designate one or more individuals to be the organization’s data protection officer. The officers will be responsible for ensuring that the organization complies with the provisions of the PDPA and at least one such officer’s business contact information must be made publicly available.
Protection
Organization would need to make reasonable security arrangements to protect, and prevent unauthorized access to or the collection, use, disclosure, copying, modification or disposal of personal data in its possession or under its control. Depending on the sensitivity of the data collected, robust measures must be in place to ensure the security of such data. Organizations must establish plans and procedures to promptly respond to any security breaches. However the Act does not provide specific details on the required arrangements for data security. Personal data collected by an organization cannot be retained when such retention is no longer necessary for legal or business purposes or the purpose for which it was obtained is no longer valid. Organizations transferring personal data out of Singapore are required to provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA.
Non-compliance with certain provisions under the PDPA may constitute an offence, for which a fine and/or a term of imprisonment may be imposed. Individuals suffering a loss or damage because of an organization’s non-compliance may file a private civil suit.
Individuals have the right to request for their personal data that is in the possession or control of the organization and to obtain information about the use of such data. Individuals have the right to request correction of inaccurate data and the organization should take steps to correct such inaccuracy, unless there are reasonable grounds to refuse to do so. The Act also provides certain exemption for such access to individuals. Individuals can withdraw their consent or deemed consent by serving a notice of withdrawal. Upon receipt of such withdrawal notice, an organisation should inform the consequences of withdrawal to the individual but should not prohibit such withdrawals.
DNC registries will be effective from early 2014. Organizations that make or send telemarketing calls and messages will be required to check the DNC Registries regularly to ensure their recipient’s numbers are not listed in the DNC registry. Such Organizations will need to check the DNC Registries at least once every 60 days during the first six months of the DNC Registry’s operation, and at least once every 30 days thereafter. Any breach will attract a fine of up to S$10,000 per offence.
The enactment of the PDPA is an important milestone for Singapore towards becoming a trusted international business hub for data assets. The Act was drafted after careful review of data protection regimes of leading jurisdictions. However as with any new legislation, some aspects will present an unknown labyrinth that organizations and individuals will have to navigate through and some grey areas are bound to arise. Keeping this in mind, the government (in consultation with various stakeholders) released its first Advisory Guidelines in September 2013. This advisory provides guidelines on obligations regarding consent, verification, etc. and recommends that organizations should refrain from over-collecting personal data. Further guidelines are anticipated in the future. GuideMeSingapore will monitor this landscape and provide updates as new developments occur; if you would like to be kept abreast of these update, please subscribe to our blog.