12 June, 2013
The Personal Data Protection Act 2012 (“PDPA”) was passed in October 2012 and takes effect in phases. Parts I, II, VIII, IX (except Sections 36 to 38, 41 and 43 to 48) and X (except section 67(1)) and the First, Seventh and Ninth Schedules came into effect on 2 January 2013. The remaining provisions, on the Do Not Call Registry (described below) and on the main data protection rules, are expected to come into effect in early 2014 and mid-2014 respectively.
What is the PDPA?
The PDPA governs the collection, use and disclosure of personal data of individuals within Singapore by organisations and affects the way organisations conduct their business when personal data is involved. The PDPA also contains provisions on the Do Not Call Registry (which allows opting out of marketing messages addressed to Singapore telephone numbers to promote or advertise a good or service).
The PDPA is worded widely enough to apply to all private sector organisations, whether located in or outside Singapore, that are engaged in the collection, processing or disclosure of personal data within Singapore. The PDPA does not, however, apply to personal data of individuals contained in a record that has existed for at least 100 years, or to personal data of a deceased person, except that the provisions on disclosure and protection of personal data still apply to the personal data of individuals who have been deceased for 10 years or fewer.
Under the PDPA, the following general rules have to be complied with by the organisation:
- To designate one employee as the personal data officer to ensure compliance with the PDPA and to make his business contact information available to the public;
- To develop and implement policies and practices to ensure compliance with the PDPA;
- To develop a process to receive and respond to complaints which may arise with respect to application of the PDPA;
- To communicate the said policies and practices to the organisation’s employees (which may be done through training); and
- To make the said policies and practices and the complaint process available on request (which may be provided online or reproduced in the employee handbook).
If the organisation already has a data privacy system in place, it would be timely to conduct a privacy audit to ascertain whether its current data privacy system covers these general rules and, if not, to make the necessary adjustments to put these in place.
Apart from compliance with the general rules above, the general requirement under the PDPA is that consent (whether express or deemed consent) to the collection, use and disclosure of personal data is required, unless the collection, use or disclosure is required or authorised by law.
In obtaining consent (which would then constitute express consent), the organisation has to state clearly, on or before collecting the personal data, the purpose for which it wishes to collect, use and disclose the personal data, and the purpose has to be one that a reasonable person would consider appropriate in the circumstances. If consent was obtained for a stated purpose, fresh consent will be required if the personal data collected is to be used for a different purpose. Under the PDPA, consent is deemed to have been given if the personal data was voluntarily provided and it is reasonable that the individual would have voluntarily provided the data.
It is also recognised under the PDPA that there may be instances where consent is not required for the collection, use and disclosure of personal data. For instance, no consent is required for the collection, use or disclosure of personal data under the PDPA where it is necessary to respond to an emergency that threatens the life, health or security of an individual, where it is in the national interest, or where the data is disclosed to a public agency and the collection is consistent with the purpose of the disclosure by the public agency.
Personal data collected before the commencement of the PDPA is, however, exempted from the above requirements, and the organisation may continue to use such personal data unless consent for such use is withdrawn or the individual indicates that he does not consent to the use. Such withdrawal, however, applies only to the prospective use and/or disclosure of the personal data collected.
Individual’s Rights to Request Access to Their Personal Data
Subject to the exceptions to an individual’s access rights to his personal data provided under the PDPA (and described below), the PDPA gives the individual the right to request access to his personal data held by the organisation, to ascertain how the personal data has been used, and to correct any inaccuracies in the personal data collected. Except where the PDPA otherwise provides, where the personal data collected has been disclosed to a third party, the individual is entitled to know the identity of that third party. Where there are inaccuracies in the data, the organisation is, at the request of the individual, to take steps to correct the inaccuracy and to send the corrected data to the third party organisation to which the previous data was disclosed.
Some exceptions to an individual’s access rights include: a document related to a prosecution if the proceedings related to the prosecution have not all been completed; personal data subject to legal privilege; and personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation.
Maintaining Personal Data
The organisation must make reasonable efforts to (a) ensure that personal data collected is accurate and complete if it is likely to be used to make a decision affecting an individual or likely to be disclosed to another organisation; and (b) safeguard personal data within its control by making reasonable security arrangements to prevent unauthorised access, use, disclosure or similar risks. Personal data cannot be archived perpetually; documents containing it have to be destroyed or anonymised once it is reasonable to assume that the purpose for which it was collected is no longer served by retention and that retention is no longer necessary for legal or business purposes. If an individual’s personal data was used to make a decision that directly affects him, that personal data must be retained for at least one year after use so that he has a reasonable opportunity to access it.
The organisation would need to have in place a method to identify the personal data in its possession which is to be retained and the purposes for which it has been used; these are to be recorded in writing for easy access and notified to the individuals, where appropriate. The organisation has to regularly spring-clean the personal data in its possession and destroy documents containing personal data, or remove the means by which the personal data may be associated with the individual, as soon as the purpose for which that personal data was collected is no longer served by its retention or the retention is no longer necessary for legal or business purposes.
If personal data is to be transferred outside Singapore, the organisation will be required to comply with prescribed requirements to ensure that the personal data will enjoy a comparable standard of protection. Although an exemption from this requirement may be applied for from the Personal Data Protection Commission established under the PDPA (“Commission”), such an exemption, if granted, may be revoked by the Commission.
Civil and Criminal Liability for Non-Compliance
There is civil and criminal liability for non-compliance with the PDPA. The Commission has powers of investigation and the power to review complaints against organisations and give appropriate directions (including directions to stop the collection, use, disclosure or destruction of personal data that contravenes the PDPA, and to impose a financial penalty of up to S$1 million). The Commission may also apply to the District Court to register and enforce its direction. From the date of registration, such a direction has the same force and effect as if it were an order originally obtained in the District Court, which has jurisdiction to enforce it.
An individual who suffers loss or damage directly as a result of an organisation contravening the PDPA is entitled to take civil action against the organisation, but only after the Commission’s decision on the contravention is final. The court may grant the plaintiff relief by way of injunction or declaration and/or damages and/or such other relief as the court thinks fit.
An officer of a body corporate could be criminally liable for an offence committed by the body corporate if the offence was committed with his consent or connivance, or was attributable to his neglect. An offence under the PDPA by the officer and the body corporate could lead to a fine of S$10,000 or up to 3 years’ imprisonment, or both, for the officer and the body corporate.
It remains to be seen how the PDPA will be enforced in Singapore. In the meantime, guidance may be sought from the Commission and from other jurisdictions with a long and established history of enforcing data privacy laws.