The Personal Data Protection Act 2012 (Act) introduces a new consumer data protection regime in Singapore which governs the collection, use, disclosure and protection of personal data by private sector organisations and provides rights of access and correction of personal data for individuals.
This update looks at the key objectives, structural framework and main data protection rules under the new regime.
- The Act establishes a new data protection framework for the handling of personal data by private sector companies and other organisations, which includes the Data Protection Rules and Do Not Call Registry.
- The Data Protection Rules will enhance privacy protections for individuals in their general dealings with private sector entities and introduce a range of new standards largely consistent with the EU and Australian privacy regimes.
- Exemptions apply for public agencies, employees and individuals acting in a personal or domestic capacity, business contact information, records that are more than 100 years old and information about deceased persons.
- Data intermediaries are subject to the rules relating to protection and retention of personal data, but are otherwise exempt from the Data Protection Rules.
- The Do Not Call Registry will come into effect on 2 January 2014, followed by the Data Protection Rules in mid-2014.
- The Advisory Guidelines provide useful case examples to illustrate how the PDPC will interpret the rules in particular circumstances.
- Private sector entities should take a range of steps now to ensure that they will be able to comply with the new rules once they come into effect.
The Personal Data Protection Act 2012 (Act) passed into law in Singapore on 15 October 2012, and received assent on 20 November 2012.
Between February and April 2013, the Personal Data Protection Commission (PDPC) conducted a public consultation to further develop draft regulations and two sets of draft advisory guidelines to the Act. On 24 September 2013, the PDPC published:
- the Advisory Guidelines on Key Concepts in the Personal Data Protection Act; and
- the Advisory Guidelines on the Personal Data Protection Act for Selected Topics.[1]
At the time of writing, the PDPC is still considering the draft regulations to the Act, which will deal with (among other things) offshore transfers of personal data, the rights of minors and powers of authorised representatives.
The main objectives of the Act are to enhance data protection for individuals and to ‘strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for business’.[2]
It is hoped that the new regime will help to ‘create a conducive environment for the fast-growing global data management and processing industries, such as cloud computing’.[3]
Commencement and enforcement of the Act will be phased in over approximately 18 months. The provisions establishing the PDPC took effect on 2 January 2013. The Do Not Call (DNC) Provisions will come into force on 2 January 2014 and the Data Protection Rules will come into force on 2 July 2014.
During the sunrise period, organisations will need to review their existing information handling practices to identify the types of personal data that they collect, use and disclose, and develop and implement policies and procedures to ensure that they can comply with their new obligations under the Act.
They will also need to review their marketing processes to ensure they take account of the DNC Registry. From 2 December 2013, individuals and businesses will be able to register their Singapore mobile and fixed-line numbers to opt-out of receiving commercial marketing calls, text messages and facsimiles.
THE DATA PROTECTION FRAMEWORK
The key features of the new data protection framework are:
- the main data protection rules and minimum standards apply to private organisations to the extent that they are in possession or control of personal data. However, a more limited set of rules applies to ‘data intermediaries’ (discussed further below);
- the preservation of existing laws such that sector-specific laws and regulations dealing with collection, use, disclosure and related rights and obligations will prevail to the extent of any inconsistency with the Data Protection Rules;
- the establishment of the PDPC to administer and enforce the Data Protection Rules and to review and investigate complaints. This includes the conferral of powers on the PDPC to direct the parties to a complaint to the appropriate mode of dispute resolution, to review the conduct of organisations not complying with the Act and to give such remedial directions as it considers appropriate. These directions may require an organisation to stop collecting, using or disclosing personal data, to destroy personal data, to grant access to or correct personal data, or to pay a financial penalty of up to SGD 1 million; and
- a private right of action for individuals to commence civil proceedings where the individual has suffered loss or damage arising from a contravention of the Act.
The Data Protection Rules apply specifically to ‘personal data’ which is defined to be:
data, whether true or not, about an individual who can be identified either from that data or together with other data or information to which the organisation is likely to have access.
The definition captures information that directly identifies an individual as well as information that can identify an individual when combined with other data. Examples include a person’s full name, passport number, mobile telephone number or personal email address. Personal data can be in any form, including images, photographs, videos and sound recordings.
However, whether data is personal data will depend on whether it can be used to identify the individual in the circumstances.
THE DATA PROTECTION RULES
In brief, the main Data Protection Rules set out under Parts III – VI of the Act are:
- The Consent Obligation: organisations may only collect, use or disclose personal data about an individual if the individual has given consent, subject to prescribed exceptions under the Act. Individuals have a general right to withdraw their consent at any time.
- The Purpose Limitation Obligation: organisations may only collect, use and disclose personal data about an individual for a purpose that a reasonable person would consider appropriate in the circumstances and, if applicable, which the organisation has notified to the individual.
- The Notification Obligation: before or at the time of collecting, using or disclosing personal data, organisations must inform the individual to whom it relates of the purposes of the collection, use and disclosure, except if the individual has already given, or is deemed to have given, consent for the particular purpose, or in prescribed circumstances where consent is not required.
- The Access and Correction Obligation: individuals have the general right to request organisations to provide access to and make corrections to their personal data. However, access must not be granted in certain circumstances such as where the disclosure would cause immediate harm to the individual’s mental health or reveal information about another individual.
- The Accuracy Obligation: organisations must make a reasonable effort to ensure that personal data collected by them, or on their behalf, is accurate and complete if it is likely to be used to make a decision that affects the individual or to be disclosed to another organisation.
- The Protection Obligation: organisations must protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, unauthorised use, unauthorised disclosure and similar risks.
- The Retention Limitation Obligation: organisations must cease to retain or permanently de-identify personal data as soon as it is no longer needed for the purpose for which it was collected or for other legal or business purposes.
- The Transfer Limitation Obligation: transfers of personal data outside of Singapore must comply with the Regulations (which are generally intended to ensure that any transferred personal data is subject to a comparable level of protection as under the Act).
- The Openness Obligation: organisations must make information about their privacy policies and practices available on request and appoint a personal data protection officer with responsibility for answering enquiries and questions by individuals. The business contact information of the officer must be made available on request.
Do the rules apply to everyone?
The Data Protection Rules apply to all ‘organisations’, including individuals, companies and associations, whether or not they are formed or recognised under the law of Singapore, and whether or not they are resident or have an office or place of business in Singapore, but excluding:
- public agencies, and organisations acting on behalf of a public agency in relation to collection, use or disclosure of personal data;
- employees acting in the course of their employment;
- individuals acting in a personal or domestic capacity; and
- other organisations prescribed in the Regulations to be exempt.
Similar to the EU regime, an organisation that processes personal data on behalf of another organisation (i.e. a ‘data intermediary’) is partially excluded from the Data Protection Rules. The term ‘process’ encompasses all kinds of operations in relation to personal data including recording, holding, retrieval, alteration, transmission and destruction.
Data intermediaries are required to comply with the Protection and Retention Limitation Obligations, but are otherwise exempt from the Data Protection Rules.
Are there any exemptions for certain kinds of data?
The Data Protection Rules do not apply to:
- ‘business contact information’ which includes an individual’s name, position or title, business telephone number, business address, business electronic mail address or fax number, and similar information excluding information provided by the individual solely for personal purposes;
- information contained in records that have been in existence for 100 years or more; or
- information about deceased persons, except that the rules relating to disclosure and protection of personal data will continue to apply to information about a deceased individual for a period of ten years from the date of their passing.
Organisations may continue to use personal data collected before the introduction of the Data Protection Rules, unless the individual subsequently withdraws consent. However, organisations cannot rely on existing contractual rights to continue to use and disclose personal data if such use / disclosure would contravene the Act.
The ‘reasonableness’ standard
The concept of reasonableness is integral to various obligations under the Data Protection Rules. There is no bright line test. However, the Advisory Guidelines provide examples to illustrate how the relevance of different considerations varies from case to case depending on the circumstances.
Analytics, Anonymisation and other matters
A range of selected topics which raise particular privacy issues are dealt with in the Advisory Guidelines on the Personal Data Protection Act for Selected Topics including analytics and research, anonymisation, CCTV, use of NRIC numbers, employment and online activities.
RECOMMENDATIONS FOR ORGANISATIONS
Before the Data Protection Rules take effect in mid-2014, there are several steps that organisations can take toward ensuring compliance:
- appoint one or more data protection officers;
- conduct a privacy audit of existing personal data held, identify information flows and examine current information collection and handling practices;
- audit contractual agreements with organisations involving the transfer of personal data outside Singapore;
- tailor security arrangements to minimise risk of harm that might result from a security breach;
- develop new policies and procedures for compliance with the Data Protection Rules;
- establish a consumer complaints process for receiving and handling complaints by individuals about the handling of their personal data; and
- communicate the new policies and procedures to all staff and conduct training and workshops to help ensure proper implementation.
[1] Copies of the Advisory Guidelines can be found on the PDPC’s website at http://www.pdpc.gov.sg/resources/advisory-guidelines
[3] Public consultation issued by the Ministry of Information, Communications and the Arts, Proposed Consumer Data Protection for Singapore, 13 September 2011, p 4.