The Singapore Government has passed the Personal Data Protection Act
2012 (PDPA) which provides for the first time in
Singapore for the protection of personal data (PD) and the setting up of
a Do-Not-Call regime. After several rounds of extensive public consultation,
the PDPA was read in Parliament for the final time on 15 October 2012 and
passed. According to the Government, the PDPA is likely to come into effect in
early 2013.
The PDPA will govern the collection, use and disclosure of PD by
organisations in a manner that recognises both the right of individuals to
protect their PD and the need to collect, use or disclose PD for purposes that
a reasonable person would consider appropriate.
One of the main objectives of the PDPA is to position Singapore as a hub
for global data management and cloud computing. It is intended that the PDPA
should provide a baseline law that operates in tandem with more stringent
sectoral regulations. The PDPA is not intended to be burdensome for businesses
but will curb excessive and unnecessary collection of an individual’s data by
organizations. The PDPA also establishes a Do-Not-Call registry for
individuals who do not wish to receive marketing messages in specified forms.
The PDPA will be administered by the Personal Data Protection Commission
(PDPC). The PDPC will enforce the law but will also undertake outreach and
educational activities relating to the PDPA.
The PDPA is divided into two parts: (i) data protection and (ii) the
Do-Not-Call regime.
Data Protection – Scope of coverage of the PDPA
i. Types of data covered – PDPA applies to data, whether true or
not, about an individual who can be identified – (a) from that data,
or (b) from that data and other information to which the organization
has or is likely to have access. The definition applies to all types of
data, whether electronic or not. The PDPA will be consistently applied across
all types of PD – including health, employment and financial standing data.
ii. Who the PDPA applies to – The PDPA applies to all private
sector organizations, large or small. It also applies to individuals who are
using the data other than for domestic or personal use.
iii. Who the PDPA does not apply to – The PDPA will not apply to
public agencies or organisations acting on behalf of a public agency in
relation to the collection, use or disclosure of PD. The rationale for this
exclusion is that the public sector has its own set of rules. The rules on data
protection also do not apply to individuals acting in a personal capacity.
iv. Both Singapore-based & overseas organisations covered – The
PDPA will apply to organisations in Singapore and those that are engaged in
data collection, processing or disclosure of data of individuals within
Singapore, even if the organisation is not physically located in
Singapore.
Exclusions
i. General exclusions – The full DP obligations do not apply to:
a. Data intermediaries will only have to comply with the
safeguarding and retention obligations under the PDPA. A data
intermediary is an organisation which processes person data on behalf of
another organisation, but does not include an employee of that other
organisation. In contrast, data controllers, which are organisations with
control of the data, will have to comply with all provisions;
b. Business contact information is excluded. Business contact information is defined as an individual’s name, position name or title, business telephone number, address, e-mail or fax number and other similar information.
c. PD pertaining to deceased individuals, except provisions on disclosure and protection if the individual has been dead for 10 years or fewer; and
d. PD contained in a record in existence for at least 100 years;
ii. Privacy Officer – Organisations will need to designate at least
one individual to be responsible for compliance with the PDPA and to answer
queries on DP practices.
iii. Rules on the collection, use and disclosure of PD
a. Collection of PD necessary for supply of products or services –
Under the PDPA, organisations are prohibited from requiring an individual to
consent to the collection, use or disclosure of PD as a condition of supplying
the product or service, beyond what is reasonable to provide that product or
service.
b. Consent – An organisation is required to obtain an individual’s
consent for the collection, use or disclosure of that individual’s PD. The PDPA
does not prescribe the manner in which consent may be given. Organisations
seeking consent would need to notify individuals of the purposes for the
collection, use or disclosure of PD. These purposes should be purposes that a
reasonable person would consider appropriate in the circumstances. They
should not be overly broad. In some cases, consent will be deemed. An
individual is deemed to have given consent if that person voluntarily provides
that PD for a purpose and it is reasonable that individual would voluntarily
provide the data. If an individual gives, or is deemed to have given consent to
the disclosure of PD by one organization to another for a particular purpose,
the individual is deemed to consent to the collection, use and disclosure by
that other organisation for the same purpose. Individuals have a right to
withdraw consent at any time. However, in relation to PD already in an
organisation’s possession, withdrawal of consent would only apply to the
organisation’s prospective use or disclosure of the PD.
c. Collection, use and disclosure of PD without consent
The PDPA allows for the collection, use and disclosure of PD without
consent in specific circumstances.
These circumstances include, but are not limited to, collection, use and
disclosure of PD:
(a) that is publicly available;
(b) for any necessary purpose that is clearly in the interest of
the individual;
(c) for beneficiaries of insurance policies and trusts, and for
investigative purposes;
(d) for a business asset transaction;
(e) for artistic or literary purposes;
(f) for news activities;
(g) for research purposes;
(h) for evaluative purposes; and
(i) for creating a credit report, if the collection is done by a
credit bureau or bank.
The exclusion of publicly available information is likely to assist
organizations that glean PD from such sources and to not limit activities
performed in public, such as the taking of photographs in public places.
d. Purpose – The collection of PD must be for reasonable purposes
and fulfill the purposes that the organization discloses. Although it is good
practice for organisations to explain why it is reasonable to collect PD and
specify details of how it will be shared, this is not mandatory.
Organisations are required to seek fresh consent if the PD is used for
different purposes.
e. Specific types of data – The PDPA is a baseline regulation, and
sectoral agencies that determine how to deal with specific types of data, such
as children’s PD, medical data and financial data will be able to put into
place stronger protection. These sectoral laws will continue to apply.
f. Transfers of data out of Singapore – For transfers of PD outside
Singapore, an organisation can only make such transfers if it ensures that
organisations overseas maintain a standard of protection comparable to the
protection under the PDPA. It is likely that this can be fulfilled in a
number of ways, including contractual arrangements and binding corporate rules.
iv. Rules on access and correction
Access – Generally, upon the request of an individual, the organisation
should take steps to assist the individual in obtaining his PD, provide the
individual with information about the ways in which the PD has been used and
provide the individual with the names of the individuals and organisations to
whom the PD has been disclosed.
Correction – Organisations should take steps to correct any inaccurate
data at the request of the individual, if the data is in the possession of the
organisation or under its control. Such corrected data should also be sent to
any other organisations to which the PD was disclosed within a year before the
date the correction was made.
Organisations will be allowed to charge a reasonable fee to recover any
costs incurred in allowing individuals to access and correct data on a cost
recovery basis.
There are circumstances where organisations would not be required to
provide individuals access to certain PD:
- where the PD would reveal confidential commercial information, which
could harm the competitive position of an organisation;
- PD subject to legal professional privilege; and
- PD collected or created by a mediator or arbitrator
Organisations can also refuse requests for PD where the requests would
unreasonably interfere with operations because of repetitious or systematic
requests, or which are frivolous or vexatious.
v. Rules on accuracy, protection and retention of PD
Accuracy – Organisations will be required to make a reasonable effort to
ensure that PD collected by or on behalf of the organisation is reasonably
accurate and complete, if the PD is likely to be used by the organisation to
make a decision that affects the individual to whom the PD relates, or is
likely to be disclosed by the organisation to another organisation.
Protection – Organisations will be required to protect PD in its
possession or under its control, by making reasonable security arrangements to
prevent unauthorised access, collection, use, disclosure, copying,
modification, disposal or other similar risks. This obligation will apply to
data intermediaries as well.
Retention – An organisation must not retain PD or remove means by which
the PD can be associated with particular individuals, as soon as it is
reasonable to assume that (a) the purpose for collecting the data is no longer
being served by retention and (b) retention is no longer necessary for legal or
business reasons. This obligation will also apply to data intermediaries.
Enforcement
The PDPA adopts a complaints-based approach to enforcement. The PDPC
will review the actions of organizations brought to its attention and issue
decisions for compliance. Financial penalties of up to S$1 million may be
imposed. There is however no breach notification requirement under the
PDPA.
There is also a private right of action available under the PDPA for
individuals who have suffered damages as a result of a breach.
Do Not Call (DNC) Registry
Introduction – The DNC Registry will allow individuals to register to
opt-out of receiving marketing messages in the form of voice calls, text
messages, including SMS and MMS, and fax messages. Email and post are not
included as unsolicited email is regulated by the Spam Control Act and can also
be blocked by filters. Specified messages sent without the use of telephone
numbers (such as messages sent through cell broadcast) will also be excluded
from the ambit of the DNC Registry.
Separate DNC registries for voice, SMS and fax will be set up and
individuals can opt out and register at any one or all these registries.
Application – The DNC Registry provisions will apply to marketing
messages addressed to a Singapore telephone number where the sender is in
Singapore when the message is sent or when the recipient is in Singapore when
the message is accessed.
Marketing messages – Where one of the purposes of a message is to offer
to supply, advertise or promote goods or services, or to promote the suppliers
or prospective suppliers of goods and services, that message would be
considered a marketing message.
Non-marketing messages – Messages without marketing elements, such as
messages promoting political or charitable causes, messages soliciting
donations, market research messages and messages that promote national programmes
of a non-commercial nature would not be considered marketing messages.
Business numbers – Business numbers can be registered under the DNC
Registry, but messages sent to organisations for any purpose of the receiving
organisations are not considered marketing messages. This means owners of
business numbers will not be able to prevent B2B marketing, but organisations
cannot send messages to a business number registered on the DNC to market
products or services to individuals. This balance seeks to mitigate the impact
on B2B transactions whilst preserving the right of individuals not be reached
at business numbers for personal marketing purposes.
Explicit consent – Organisations can nevertheless send specified
messages to individuals who have registered their numbers on the DNC Registry
if that organisation has obtained explicit consent from the individuals.
The DNC obligations will apply to organisations that outsource their
promotion or advertising functions to other organisations if they are found to
authorise that other organisation’s acts.
“Filtering” of DNC lists – Organisations will need to send their
database for a campaign to the DNC Registry for “filtering” within 60 days (for
the first 6 months and eventually for 30 days) of the campaign in order to
confirm whether any Singapore telephone number is listed on the registers.
Penalty and enforcement regime – Penalties will be capped at $10,000 per
breach and up to $1,000 in composition fines. A Data Protection Commission will
also have the power to require the cooperation of telecommunication licensees
in the investigation of whether an organisation has breached the DNC Rules.
Implementation Framework
The PDPA is likely to come into effect in January 2013. The Singapore
Government will establish the Data Protection Commission and issue Guidelines
from about March 2013 to assist organisations’ in their efforts to comply with
the PDPA.
Transitional provisions – The data protection obligations in the PDPA
will be effective 18 months after the PDPA comes into effect and the sunrise
period will apply equally to small and large companies alike. The DNC Registry
however will be implemented earlier, 12 months after the PDPA comes into
effect.
Existing PD – Organisations will be allowed to use PD collected before
the day of commencement of the PDPA for purposes for which the data was
collected unless consent for such use is withdrawn. However, obligations
relating to safekeeping and retention of such PD will apply.
The PDPA will not invalidate existing contractual agreements for the use
of customers’ PD. However, fresh consent would need to be obtained for new uses
of existing PD. Where consent was not previously obtained, individuals may
require organisations to stop using the PD by indicating that they do not
consent to such use.
Conclusion
The PDPA marks a milestone in providing some form of protection for
individuals’ PD in Singapore notwithstanding the exclusion of public agencies
from the law. It is intended to be a baseline law without stringent
requirements such as breach notification. The PDPA is seen as an important step
in attracting more data centres and data analytics businesses to set up
operations in Singapore and to regulate the flow of data, even as Singapore
positions itself as a regional data hub. The DNC aspects of the law will
provide challenges for the direct marketing industry and B2C marketing across a
wide range of industries but is likely to have less of an impact on compliance
costs after the initial period of compliance. Overall, the PDPA provides a
regime that can boost Singapore’s attractiveness to companies as a business hub
in Asia.
