Personal Data Protection Act 2012 (“PDPA”) sets out the Singapore law on data protection and also regulates telemarketing practices.
Today, vast amounts of personal data are collected, used and even transferred to third party organisations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.
With such a trend comes growing concerns from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organisations that manage data.
By regulating the flow of personal data among organisations, the PDPA aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.
What is PDPA?
Personal Data Protection Commission (“PDPC”) was formed on 2 January 2013 while the Do Not Call (“DNC”) registry come into effect on 2 January 2014.
Data Protection rule finally come into effect on 2 July 2014. The formation in phases allowed organisation time to review, adopt and incorporate these practices into their policies and procedures.
The PDPA governs the collection, use, disclosure and care of personal data. Individuals have the right to protect their personal data (rights to access & correction), and organisations are to collect and use personal data in a legitimate and reasonable purpose.
Organisations that collect, use or disclose personal data of employees, customers or other individuals need to ensure that systems, policies and processes are in place to comply with the PDPA.
Organisation is defined as any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business in Singapore.
Personal Data is any data that can be used to identify an individual on its own, which is considered uniquely identifying data. In addition, generic data used along with uniquely identifying data is also considered personal data. Personal data defined under the PDPA may include:
• Full name
• National Registration Identity Card (NRIC) / Foreign Identification Number (FIN) Passport number
• Photograph or video image of an individual
• Personal mobile number
• Name and residential address
• Voice recording of an individual
• DNA profile
• Place of work
• Business contact information which includes individual’s name, position name or business title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
• Personal data that has been recorded at least 100 years
• Personal data of a person who has been deceased for more than 10 years
Organisations are required to obtain consent of the individual before collecting, using or disclosing his or her personal data for a purpose and allow them to withdraw their consent.
2. Purpose Limitation
Organisations may collect, use or disclose personal data about an individual only for purposes for which consent was obtained and not beyond what is reasonable to provide the product or service.
Organisations must notify the individuals of the purposes for which it intends to collect, use or disclosure his or her personal data during collection.
4. Access and Correction
Organisations must upon request, provide individual his or her personal data and information in which their personal data were collected, used or disclosed in the past year. Correct any error or omission in individual’s personal data upon request.
Organisations are required to provide their customers personal data within 30 days. Under the PDPA, if a company cannot respond to a customer’s access request within 30 days, then the company will have an additional 30 days from the date they were unable to fulfil the request to respond in writing to the customer. Allow customers to update, correct and delete data.
Organisations must make reasonable effort to ensure that the personal data collected is accurate and complete during collection or when deciding which will affect the individual.
Organisations must protect all personal data in its possession or under its control to prevent unauthorised access, modification, collection, use, disclosure, copying or disposal whether in hardcopy of electronic form.
Organisations should take cybersecurity, physical and administrative measures to safeguard data and ensure personal data security.
Organisations are required to cease retention or dispose personal data as soon as it has fulfilled a business or legal purpose.
Organisations should ensure that standard of protection accorded to personal data is comparable to the PDPA when it is transferred overseas.
Organisations must designate at least one Data Protection Officer (“DPO”) who will ensure compliance with the PDPA and make his/her contact information readily available to the public. Organisations must develop and make available personal data protection policies to public and employees which includes complaint-handling process.
The DNC Provisions prohibit organisations from sending Singapore telephone numbers including mobile, fixed line, residential and business numbers registered with the DNC Registry unless organisations have obtained their clear and unambiguous consent or have an on-going relationship (for text / fax).
Organisations may appoint one or a team of persons to be its DPO or outsource parts of DPO function to a service provider. However, DPO’s function is management’s responsibility and service providers should only cover operational aspects of the DPO function.
DPO responsibilities may include, but not limited to, the following:
• Ensure compliance of PDPA when developing and implementing policies and processes for handling personal data;
• Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
• Manage personal data protection related queries and complaints;
• Alert management to any risks that might arise regarding personal data; and
• Liaise with the PDPC on data protection matters, if necessary.
The PDPC may:
• Impose a financial penalty of up to $1 million
• Direct your business to stop collecting, using or disclosing personal data in contravention of the PDPA
• Direct your business to destroy personal data collected in contravention of the PDPA
• Suffer reputation damage
GDPR – General Data Protection Regulation
The European Union (EU)’s digital privacy legislation equivalent of PDPA in Singapore. GDPR came into effect on May 25, 2018.
Last 14 May 2020, a public consultation paper on PDPA was published. The proposed changes include:
1. Mandatory Data Breach Notification
Organisations are required to notify the PDPC and affected individuals of any notifiable data breach as soon as it is practicable (in any case no later than 3 days after the day the organisation assesses a notifiable breach).
Data breach is notifiable if it:
• is likely to result in significant harm to an affected individual (for instance, where a breach affects a certain class of personal data which is to be prescribed in further regulations); or
• affects not fewer than the minimum number of affected individuals prescribed (which has been proposed to be 500).
2. Wider Scope for Deemed Consent
Scope of deemed consent will be expanded to include (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out.
3. Data Portability Obligation
Individuals can request a copy of their personal data to be transmitted to another organisation, enabling consumers to switch service providers more easily.
4. Increased Financial Penalties
Financial penalties for non-compliance with the PDPA will be raised up to 10% of annual gross turnover, if its annual turnover exceeds S$10 million; or S$1 million, whichever is higher.
More information on the Public Consultation on Personal Data Protection (Amendment) Bill can be found here.
A data breach refers to an incident exposing personal data in an organisation’s possession or under its control to the risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Data breaches often lead to financial losses and a loss of consumer trust for the organisation.
Data breaches can occur due to various reasons, such as malicious activity, human error or computer system error. It is important for organisations to put in place measures which allow them to monitor and take pre-emptive actions before data breaches occur.
The PDPC has developed “Guide to Managing Data Breaches 2.0 (“Guide”)” to help organisations manage data breaches effectively. It also highlights key considerations for organisations in notifying the PDPC and affected individuals of a data breach.
More information on Guide to Managing Data Breaches 2.0 can be found here.
• Appoint a Data Protection Officer (DPO)
• Develop and implement personal data protection policies to handle personal data in electronic or non-electronic forms
• Prepare templates, forms, notices to notify purposes and seek consent
• Prepare information and response when individuals/customers request information about their personal data
• Prepare request form to allow correction of personal data
• Establish security arrangements to secure the personal data held by your organisation
• Set retention period to safely dispose of personal data that is no longer needed
• Ensure protection of personal data when transferring overseas
• Manage service providers that handle personal data to ensure compliance with PDPA requirements
• Implement and communicate your data protection policies, practices and process to your customers and employees
• Conduct risk assessment exercise to flag out any potential data protection risks
• Establish regular compliance programme to verify adherence to PDPA requirements
• Develop process of handling queries and complaints from the public
• Put in place robust data breach management plan to manage and respond to data breaches
In this age of digital transformation where technology and innovation are widely used, proper data handling is key. Organisations should ensure that the data they collect, store and share are properly protected. Organisations should treat PDPA seriously and ensure that sufficient measures are in place and data protection obligations are met. It is also important to remain updated to keep abreast of developments in the PDPA.
RHT Compliance Solutions comprises experienced and certified professionals with extensive regulatory, compliance and risk management experience from Singapore, Hong Kong and the region. The team aims to provide clients with insightful, risk-focused and costeffective solutions through their extensive experience in serving a wide spectrum of clients across diverse financial sectors from regulators, asset managers, fintech firms, insurance agents and brokers, remittance to commodities and corporate services.
1920RHT Management Consultants is a management consultancy firm that works with business owners, leaders, executives and team leaders to resolve their business issues, mitigate risks and find opportunities for growth and value creation. 1920RHT provides Data Protection services among other things, including Data Protection Officer (DPO) as a service and Data Protection Consultancy. DPO as a service is designed for companies that do not have a full time dedicated DPO while Data Protection Consultancy is designed to help companies overcome data protection challenges tailored according to their business need.
RHT Group of Companies
1 Paya Lebar Link #06-08
PLQ 2 Paya Lebar Quarter