The Singapore Government has passed the Personal Data Protection Act 2012 (PDPA), which for the first time provides in Singapore for the protection of personal data (PD) and for the setting up of a Do-Not-Call regime. After several rounds of extensive public consultation, the PDPA was read in Parliament for the final time on 15 October 2012 and passed. According to the Government, the PDPA is likely to come into effect in early 2013.
The PDPA will govern the collection, use and disclosure of PD by organisations in a manner that recognises both the right of individuals to protect their PD and the need to collect, use or disclose PD for purposes that a reasonable person would consider appropriate.
One of the main objectives of the PDPA is to position Singapore as a hub for global data management and cloud computing. It is intended that the PDPA should provide a baseline law that operates in tandem with more stringent sectoral regulations. The PDPA is not intended to be burdensome for businesses but will curb excessive and unnecessary collection of an individual’s data by organizations. The PDPA also establishes a Do-Not-Call registry for individuals who do not wish to receive marketing messages in specified forms.
The PDPA will be administered by the Personal Data Protection Commission (PDPC). The PDPC will enforce the law but will also undertake outreach and educational activities relating to the PDPA.
The PDPA is divided into two parts: (i) data protection and (ii) the Do-Not-Call regime.
Data Protection - Scope of coverage of the PDPA
i. Types of data covered – The PDPA applies to data, whether true or not, about an individual who can be identified – (a) from that data, or (b) from that data and other information to which the organisation has or is likely to have access. The definition applies to all types of data, whether electronic or not. The PDPA will be consistently applied across all types of PD – including health, employment and financial standing data.
ii. Who the PDPA applies to – The PDPA applies to all private sector organizations, large or small. It also applies to individuals who are using the data other than for domestic or personal use.
iii. Who the PDPA does not apply to - The PDPA will not apply to public agencies or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of PD. The rationale for this exclusion is that the public sector has its own set of rules. The rules on data protection also do not apply to individuals acting in a personal capacity.
iv. Both Singapore-based & overseas organisations covered - The PDPA will apply to organisations in Singapore and those that are engaged in data collection, processing or disclosure of data of individuals within Singapore, even if the organisation is not physically located in Singapore.
i. General exclusions - The full DP obligations do not apply to:
a. Data intermediaries, which will only have to comply with the safeguarding and retention obligations under the PDPA. A data intermediary is an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation. In contrast, data controllers, which are organisations with control of the data, will have to comply with all provisions;
b. Business contact information. Business contact information is defined as an individual’s name, position name or title, business telephone number, address, e-mail or fax number and other similar information;
c. PD pertaining to deceased individuals, except for the provisions on disclosure and protection if the individual has been dead for 10 years or fewer; and
d. PD contained in a record in existence for at least 100 years.
ii. Privacy Officer – Organisations will need to designate at least one individual to be responsible for compliance with the PDPA and to answer queries on DP practices.
iii. Rules on the collection, use and disclosure of PD
a. Collection of PD necessary for supply of products or services – Under the PDPA, organisations are prohibited from requiring an individual to consent to the collection, use or disclosure of PD as a condition of supplying the product or service, beyond what is reasonable to provide that product or service.
b. Consent – An organisation is required to obtain an individual’s consent for the collection, use or disclosure of that individual’s PD. The PDPA does not prescribe the manner in which consent may be given. Organisations seeking consent would need to notify individuals of the purposes for the collection, use or disclosure of PD. These purposes should be purposes that a reasonable person would consider appropriate in the circumstances; they should not be overly broad. In some cases, consent will be deemed. An individual is deemed to have given consent if that person voluntarily provides the PD for a purpose and it is reasonable that the individual would voluntarily provide the data. If an individual gives, or is deemed to have given, consent to the disclosure of PD by one organisation to another for a particular purpose, the individual is deemed to consent to the collection, use and disclosure by that other organisation for the same purpose. Individuals have a right to withdraw consent at any time. However, in relation to PD already in an organisation’s possession, withdrawal of consent would only apply to the organisation’s prospective use or disclosure of the PD.
c. Collection, use and disclosure of PD without consent
The PDPA allows for the collection, use and disclosure of PD without consent in specific circumstances.
These circumstances include, but are not limited to, collection, use and disclosure of PD:
(a) that is publicly available;
(b) for any necessary purpose that is clearly in the interest of the individual;
(c) for beneficiaries of insurance policies and trusts, and for investigative purposes;
(d) for a business asset transaction;
(e) for artistic or literary purposes;
(f) for news activities;
(g) for research purposes;
(h) for evaluative purposes; and
(i) for creating a credit report, if the collection is done by a credit bureau or bank.
The exclusion of publicly available information is likely to assist organisations that glean PD from such sources, and is intended not to limit activities performed in public, such as the taking of photographs in public places.
d. Purpose – The collection of PD must be for reasonable purposes and must fulfil the purposes that the organisation discloses. Although it is good practice for organisations to explain why it is reasonable to collect PD and to specify details of how it will be shared, this is not mandatory.
Organisations are required to seek fresh consent if the PD is used for different purposes.
e. Specific types of data – The PDPA is a baseline regulation, and sectoral agencies that determine how to deal with specific types of data, such as children’s PD, medical data and financial data will be able to put into place stronger protection. These sectoral laws will continue to apply.
f. Transfers of data out of Singapore - For transfers of PD outside Singapore, an organisation can only make such transfers if it ensures that organisations overseas maintain a standard of protection comparable to the protection under the PDPA. It is likely that this can be fulfilled in a number of ways, including contractual arrangements and binding corporate rules.
iv. Rules on access and correction
Access – Generally, upon the request of an individual, the organisation should take steps to assist the individual in obtaining his PD, provide the individual with information about the ways in which the PD has been used and provide the individual with the names of the individuals and organisations to whom the PD has been disclosed.
Correction – Organisations should take steps to correct any inaccurate data at the request of the individual, if the data is in the possession of the organisation or under its control. Such corrected data should also be sent to any other organisations to which the PD was disclosed within a year before the date the correction was made.
Organisations will be allowed to charge a reasonable fee to recover any costs incurred in allowing individuals to access and correct data on a cost recovery basis.
There are circumstances where organisations would not be required to provide individuals access to certain PD:
- where the PD would reveal confidential commercial information, which could harm the competitive position of an organisation;
- PD subject to legal professional privilege; and
- PD collected or created by a mediator or arbitrator.
Organisations can also refuse requests for PD where the requests would unreasonably interfere with operations because of repetitious or systematic requests, or which are frivolous or vexatious.
v. Rules on accuracy, protection and retention of PD
Accuracy - Organisations will be required to make a reasonable effort to ensure that PD collected by or on behalf of the organisation is reasonably accurate and complete, if the PD is likely to be used by the organisation to make a decision that affects the individual to whom the PD relates, or is likely to be disclosed by the organisation to another organisation.
Protection - Organisations will be required to protect PD in its possession or under its control, by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks. This obligation will apply to data intermediaries as well.
Retention – An organisation must cease to retain PD, or remove the means by which the PD can be associated with particular individuals, as soon as it is reasonable to assume that (a) the purpose for collecting the data is no longer being served by retention and (b) retention is no longer necessary for legal or business reasons. This obligation will also apply to data intermediaries.
The PDPA adopts a complaints-based approach to enforcement. The PDPC will review the actions of organisations brought to its attention and issue decisions for compliance. Financial penalties of up to S$1 million may be imposed. There is, however, no breach notification requirement under the PDPA.
There is also a private right of action available under the PDPA for individuals who have suffered damages as a result of a breach.
Do Not Call (DNC) Registry
Introduction - The DNC Registry will allow individuals to register to opt-out of receiving marketing messages in the form of voice calls, text messages, including SMS and MMS, and fax messages. Email and post are not included as unsolicited email is regulated by the Spam Control Act and can also be blocked by filters. Specified messages sent without the use of telephone numbers (such as messages sent through cell broadcast) will also be excluded from the ambit of the DNC Registry.
Separate DNC registries for voice, SMS and fax will be set up and individuals can opt out and register at any one or all these registries.
Application – The DNC Registry provisions will apply to marketing messages addressed to a Singapore telephone number where the sender is in Singapore when the message is sent or when the recipient is in Singapore when the message is accessed.
Marketing messages - Where one of the purposes of a message is to offer to supply, advertise or promote goods or services, or to promote the suppliers or prospective suppliers of goods and services, that message would be considered a marketing message.
Non-marketing messages - Messages without marketing elements, such as messages promoting political or charitable causes, messages soliciting donations, market research messages and messages that promote national programmes of a non-commercial nature would not be considered marketing messages.
Business numbers – Business numbers can be registered under the DNC Registry, but messages sent to organisations for any purpose of the receiving organisations are not considered marketing messages. This means owners of business numbers will not be able to prevent B2B marketing, but organisations cannot send messages to a business number registered on the DNC Registry to market products or services to individuals. This balance seeks to mitigate the impact on B2B transactions whilst preserving the right of individuals not to be reached at business numbers for personal marketing purposes.
Explicit consent – Organisations can nevertheless send specified messages to individuals who have registered their numbers on the DNC Registry if that organisation has obtained explicit consent from the individuals.
The DNC obligations will apply to organisations that outsource their promotion or advertising functions to other organisations if they are found to authorise that other organisation’s acts.
“Filtering” of DNC lists – Organisations will need to send their database for a campaign to the DNC Registry for “filtering” within 60 days of the campaign (for the first 6 months; the period is eventually reduced to 30 days) in order to confirm whether any Singapore telephone number is listed on the registers.
Penalty and enforcement regime – Penalties will be capped at $10,000 per breach and up to $1,000 in composition fines. A Data Protection Commission will also have the power to require the cooperation of telecommunication licensees in the investigation of whether an organisation has breached the DNC Rules.
The PDPA is likely to come into effect in January 2013. The Singapore Government will establish the Data Protection Commission and issue Guidelines from about March 2013 to assist organisations in their efforts to comply with the PDPA.
Transitional provisions - The data protection obligations in the PDPA will be effective 18 months after the PDPA comes into effect and the sunrise period will apply equally to small and large companies alike. The DNC Registry however will be implemented earlier, 12 months after the PDPA comes into effect.
Existing PD – Organisations will be allowed to use PD collected before the day of commencement of the PDPA for purposes for which the data was collected unless consent for such use is withdrawn. However, obligations relating to safekeeping and retention of such PD will apply.
The PDPA will not invalidate existing contractual agreements for the use of customers’ PD. However, fresh consent would need to be obtained for new uses of existing PD. Where consent was not previously obtained, individuals may require organisations to stop using the PD by indicating that they do not consent to such use.
The PDPA marks a milestone in providing some form of protection for individuals’ PD in Singapore, notwithstanding the exclusion of public agencies from the law. It is intended to be a baseline law without stringent requirements such as breach notification. The PDPA is seen as an important step in attracting more data centres and data analytics businesses to set up operations in Singapore and in regulating the flow of data, even as Singapore positions itself as a regional data hub. The DNC aspects of the law will provide challenges for the direct marketing industry and for B2C marketing across a wide range of industries, but are likely to have less of an impact on compliance costs after the initial period of compliance. Overall, the PDPA provides a regime that can boost Singapore’s attractiveness to companies as a business hub in Asia.
For more information, please contact Sheena Jacob at Sheena.Jacob@twobirds.com or Jinesh Lalwani at Jinesh.Lalwani@twobirds.com.