The Personal Data Protection Commission ("PDPC") issued finalised guidelines ("Guidelines") on the Personal Data Protection Act 2012 ("the Act") on 24 September 2013.
The Guidelines follow public consultations in which interest groups pushed back on several positions taken in the draft guidelines issued in February 2013.
What are guidelines?
Guidelines aim to give organisations and individuals greater clarity by elaborating on how the PDPC will interpret specific obligations imposed on organisations under the Act. The Guidelines are advisory in nature and are not legally binding on the PDPC.
The Guidelines assist the interpretation of the Act's Do-Not-Call and data protection provisions, which come into effect on 2 January and 2 July 2014 respectively.
This article discusses key issues in the implementation of the data protection law.
Key issues in the Guidelines
1. Failure to opt-out as consent?
In general, a failure to opt out will not suffice as consent. The PDPC considered that, in determining whether consent has been obtained, the crucial consideration is whether the individual did in fact provide consent in the circumstances.
However, in limited circumstances, a failure to opt out can be a valid form of consent where:
(i) the organisation has clearly notified the individual of the purposes for which the personal data will be collected, used or disclosed; and
(ii) it is clear that the individual's failure to opt out is not due to an inability to give consent, a lack of awareness that he or she is required to give consent, or other similar circumstances.
2. Opt-in consent necessary to override DNC registration
Before sending a marketing message to a Singapore telephone number, organisations have to check the relevant Do Not Call Register(s) to confirm that the number is not listed on those Register(s).
An organisation need not perform this check where the user or subscriber of the number has given clear and unambiguous consent, in written or other accessible form, to the sending of the marketing message to that number.
Factors determining whether consent was clear and unambiguous include:
- Whether the organisation clearly and specifically notified the user or subscriber that marketing messages would be sent; and
- Whether the user or subscriber gave consent to receive marketing messages through some form of positive affirmative action (opt-in consent). Inaction is unlikely to amount to consent.
Therefore, opt-in consent is necessary before an organisation may dispense with the check against the Do Not Call Register(s).
3. Publicly available exception
Organisations are able to collect, use and disclose personal data that is publicly available without consent. This is one of the main exceptions to the general requirement of consent under the Act.
The Act defines 'publicly available' as personal data that is "generally available to the public, including personal data which can be observed by reasonably expected means at a location or event at which the individual appears and that is open to the public".
a. Test of 'reasonably expected means' is objective
The test is an objective one which considers what individuals ought to reasonably expect rather than what a particular individual expects.
The test is not whether the individual would expect his or her personal data to be collected, but whether the means of collection ought to be reasonably expected given the circumstances. The more open the location, the wider the range of reasonably expected means.
b. Considerations in determining 'reasonably expected means'
In determining what 'reasonably expected means' of collection of personal data are, the following considerations should be borne in mind:
i. Personal data may still be publicly available even where access to it is subject to some restriction, so long as any member of the public could obtain or access that personal data with few restrictions. For example, an event that any member of the public may enter upon payment of a fee may still be considered open to the public.
ii. The purpose for which the personal data is collected is immaterial to the consideration of whether the means used to collect it was reasonably expected.
iii. The manner in which personal data is collected is also a relevant consideration. Surreptitiously taken photographs, even in a public place, would not be considered a reasonably expected means.
iv. The availability of the means is also relevant. For instance, smartphone cameras, being widely available, are more likely to be considered a reasonably expected means.
c. Considerations in determining what constitutes a location open to the public
The definition of 'publicly available' also covers personal data that is observed at a location or event open to the public.
Private spaces within public places may still be considered closed to the public, depending on factors such as the nature of restrictions and public expectations.
Examples of private spaces within public spaces would include the interior of a hired taxi or a locked cubicle of a public toilet.
As a best practice, organisations should nevertheless put up relevant notices to inform individuals that personal data is being collected, even in public places such as shopping malls and lift lobbies.
4. Concept of reasonableness
An organisation is required to consider, in meeting its responsibilities under the Act, what a reasonable person would consider appropriate in the circumstances. A reasonable person is a 'person who exercises the appropriate care and judgement' in the circumstances.
The PDPC noted that the standard of reasonableness is objective and 'evolutionary'. One suggested step by the PDPC is to view a particular situation from the perspective of an individual and consider what the individual would think of as fair.
5. Accuracy of personal data records
Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances. When in doubt, an organisation may consider requiring an individual to make a declaration that the personal data is accurate and complete.
6. Consent for common business practices
Organisations do not need to specify every activity related to the processing of personal data when notifying individuals of purposes.
In particular, activities that are directly related to the stated purpose of the collection, use or disclosure, or that are integral to the proper functioning of the business operations supporting that purpose, need not be separately specified.
For example, if an organisation wishes to obtain an individual's consent to collect or use personal data to provide the individual a service, the organisation need not specify every activity it undertakes to provide that service.
Internal corporate governance processes such as allowing auditors access to personal data as part of an audit also need not be specified.
7. Retention Limitation
Organisations are required to cease retaining personal data, or to anonymise it, once the purpose for which it was collected is no longer served by retention and retention is no longer necessary for legal or business purposes (the "retention limitation obligation").
Organisations do not have to apply a unique retention period to each set of personal data, and may continue to use existing retention policies that apply to groups of personal data, so long as those policies are in line with the retention limitation obligation under the Act.
8. Withdrawal of consent
Where an individual withdraws consent to the collection, use or disclosure of his or her personal data, the organisation is required to inform the individual of the likely consequences of withdrawal and to cease collecting, using or disclosing the personal data, unless such collection, use or disclosure is required or authorised under the Act or other written law.
The PDPC clarified that the Act does not require an organisation to delete all personal data about the individual concerned upon receipt of a notice withdrawing consent.
Deletion therefore continues to be governed by the retention limitation obligation.
9. Data Protection Officers ("DPO")
The Act requires organisations to designate a DPO to be responsible for an organisation's compliance with the Act and to answer questions in relation to data protection policies and practices.
The PDPC has clarified that the DPO need not be an employee of the organisation and need not be based in Singapore. However, the DPO should be readily contactable during Singapore business hours, and any telephone number published for the DPO should be a Singapore number.
Organisations may therefore designate a group-wide (intercompany) or regional DPO.
Further guidelines in the works
The PDPC has yet to issue guidelines on the access and correction obligation, the transfer limitation obligation, and on the individuals who may act for others under the Act.
Guidelines pertaining to these matters, along with details relating to the operation of the Do-Not-Call Registry will be made known separately by the PDPC at a later date.
The following materials are available on the PDPC website at <pdpc.gov.sg>:
1. Advisory Guidelines On Key Concepts In The Personal Data Protection Act (published on 24 Sep 2013) (http://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(24-sept).pdf?sfvrsn=2)
2. Advisory Guidelines On The Personal Data Protection Act For Selected Topics (published on 24 Sep 2013)
For more information on how data protection affects your organisation, please contact Sheena Jacob (firstname.lastname@example.org) or Jinesh Lalwani (email@example.com).