
2017 Revised Edition

All enquiries should be addressed to:

Lim Chong Kin
Director & Head, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Tel: +65 6531 4110
Fax: +65 6535 4864
Email: [email protected]

COPYRIGHT

© 2013, 2017 Drew & Napier LLC
First Published 2013
Second Edition Published 2017

All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by any means, whether electronic or mechanical, including photocopying and recording, without the permission of the copyright holder.

IMPORTANT DISCLAIMER: We have sought to state the law as at 1 February 2017. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of, information or opinion contained in this document. This document covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.

Published by
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315

Printed in Singapore

Your Guide to the Personal Data Protection Act 2012

Editors:

LIM Chong Kin
Director, Head (Telecoms, Media and Technology Law Practice Group) and Head (Competition and Regulatory Practice Group)
LL.B. (Hons), LL.M. (NUS); Advocate and Solicitor (Singapore)
Admitted to the Roll of Solicitors (England & Wales)

Charmian AW
Director
LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)
Certified Information Privacy Professional (Asia) (CIPP/A)
Certified Information Privacy Professional (Europe) (CIPP/E)
Certified Information Privacy Professional (US) (CIPP/US)

2017 Revised Edition

Your Guide to the Personal Data Protection Act 2012
www.drewnapier.com

About Drew & Napier LLC

Drew & Napier LLC has provided exceptional legal advice and representation to discerning clients since 1889 and is one of the leading and largest law firms in Singapore.

The calibre of our work is acknowledged internationally at the highest levels of government and industry. Our lawyers and senior counsel are the preferred choice when the stakes are high and the issues complex.

The firm possesses unparalleled transactional, licensing and regulatory experience in data protection law as well as the Telecommunication, Media and Technology, and postal sectors in Singapore, which it attributes to its Telecommunications, Media and Technology Practice Group, led by Lim Chong Kin.

Drew & Napier assists clients in a wide range of data protection matters including data protection review; training; compliance audits; and advisory. Since 2013, the firm has been appointed by the Personal Data Protection Commission as its external legal and regulatory advisors, which speaks volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its clients.

For more information on Drew & Napier LLC, please visit www.drewnapier.com.


Drew & Napier’s Expertise in Data Protection Law – How We Can Help You

We regularly advise and assist MNC clients on data protection concerns in respect of their Singapore operations. Our MNC clients include telco operators and Internet companies (ranging from social networking sites to mobile device manufacturers to software developers). Our work for clients includes:

• Adapting global policies for data privacy and consumer protection for clients’ Singapore operations and offices.
• Wide-ranging advice on the Singapore data protection regime.
• Advising on ad-hoc queries relating to potential or actual privacy breaches and the necessary disclosure requirements and remedial actions in Singapore.
• Advising on data protection concerns relating to the introduction of novel telecommunication services in the Singapore market.

We are also regularly engaged by MNCs as well as local clients across industries (including airlines, manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet companies to conduct regulatory risk audits of their business operations to highlight potential areas of non-compliance and to assist in the rectification of any problematic agreements and conduct. Our team of lawyers is also experienced in conducting compliance audits of business practices, existing legal agreements, and informal business arrangements.

In developing compliance programmes for our clients, we further value-add by creating manageable, staff-level compliance manuals and training programmes to ensure that our clients are in a position to operationalise their compliance procedures on a day-to-day basis.


Personal Data Protection Act 2012

INTRODUCTION TO THE PERSONAL DATA PROTECTION ACT 2012

The Personal Data Protection Act 2012 (PDPA) was passed by the Singapore Parliament on 15 October 2012. The PDPA establishes a general data protection (DP) framework for the protection of personal data across the private sector (which is mainly set out in Parts III to VI of the PDPA), as well as a Do-Not-Call (DNC) Registry to address unsolicited telemarketing calls and messages (which is mainly set out in Part IX of the PDPA).

The following is a series of key questions and answers to help you understand the impact of the PDPA on your business.

1. When does the PDPA come into effect?

The PDPA will be implemented in phases to allow organisations sufficient time to adapt to the new requirements.

A number of the PDPA’s provisions first came into effect on 2 January 2013. These relate mainly to the scope and interpretation of the PDPA, establishment and powers of the Personal Data Protection Commission (the Commission), setting up of the Data Protection Advisory Committee, and other general provisions.

The DNC Registry rules are expected to come into effect after a transition period of about 12 months, in early 2014, while the new DP framework is expected to come into effect after a transition period of about 18 months, in mid-2014.

2. Is there an authority responsible for administering the PDPA?

The Commission is the statutory body established on 2 January 2013 to administer and enforce the PDPA. It is advised by the Data Protection Advisory Committee. In addition, the Info-communications Media Development Authority of Singapore (IMDA) has been appointed as the Administration Body to provide administrative and other support to the Commission. The Commission is also expected to work with other sector regulators where relevant.

PERSONAL DATA PROTECTION FRAMEWORK

3. To whom does the new DP framework apply?

The new DP framework applies to all organisations, with certain exceptions. “Organisation” is defined broadly to include any individual, company, association or body of persons, corporate or unincorporated, whether or not:

(a) formed or recognised under the law of Singapore; or
(b) resident or having an office or place of business in Singapore.

The DP framework does not apply to:

(a) individuals acting in a personal or domestic capacity;
(b) employees acting in the course of their employment with an organisation;
(c) public agencies, or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; and
(d) other organisations as may be prescribed.


Notably, the new DP framework is not intended to apply to the public sector, which will continue to be governed by its own set of data protection rules.

Where the new DP framework applies, it will impose a uniform standard of personal data protection regardless of an organisation’s scale or size.

The PDPA also recognises a category of organisations referred to as “data intermediaries”, which are organisations that process personal data on behalf of other organisations, e.g. organisations which merely provide hosting or storage services to other organisations. Where data intermediaries process personal data on behalf of another organisation (the principal organisation) pursuant to a written contract, they will only be subject to the DP rules relating to protection and retention of personal data. On the other hand, the principal organisation would be subject to the full DP framework as if it were processing the personal data itself.

4. What other laws regulate personal data in Singapore?

Currently, personal data in Singapore is governed by a combination of sector-specific frameworks and the common law.

The PDPA is intended to set a baseline standard of personal data protection across the private sector. Therefore, it will operate alongside (and will not override) existing laws and regulations. The PDPA provides that the new general DP framework will not affect any right or obligation under the law, and in the event of any inconsistency the provisions of other written law will prevail.

For example, the banking secrecy laws under the Banking Act (Cap. 19) currently govern customer information obtained by a bank, while the Telecom Competition Code governs end user service information obtained by a telecoms licensee.

Once the new DP framework comes into effect, organisations that are subject to existing data protection frameworks (such as banks and telecoms licensees) will need to ensure compliance with the PDPA in addition to continued compliance with any sector-specific frameworks. For example, organisations may need to consider expanding their existing policies and procedures to cover personal data belonging to employees, consultants, agents, and contractors. Practical steps may include updating of compliance manuals and procedures and training staff to be aware of the new requirements. Where applicable, organisations will also need to appoint the relevant personnel and develop a complaints-handling process for compliance with the PDPA (see question 9).

5. What data is regulated under the PDPA?

The PDPA does not prescribe a fixed list of the types of data that are regulated. Instead, the PDPA applies generally to “personal data”, which is defined broadly to mean data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. Whether or not certain types of information may be considered personal data (e.g. the IP address of a device) would depend on the specific context.

In addition, the PDPA does not distinguish between data in electronic and non-electronic form.

That said, certain types of data are excluded from the PDPA. In particular, business contact information is excluded from the new DP framework. Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his/her personal purposes.

Generic information, such as gender, nationality, age or blood group, which alone cannot be used to identify a particular individual, is also excluded. However, such information will constitute personal data if, when combined with a unique identifier, it may identify an individual.


In addition, the PDPA does not apply to personal data contained in a record that has been in existence for at least 100 years. The PDPA also does not apply to personal data about deceased individuals, except that the requirements to make reasonable security arrangements for the protection of such data, and the requirements relating to disclosure of personal data, will apply for 10 years from the date of death.

The new DP framework will also exclude other personal data (or classes thereof) as may be subsequently prescribed.

6. What activities involving personal data are regulated under the PDPA?

The PDPA regulates the collection, use and disclosure of personal data by organisations (see question 10), although the PDPA does not presently define the terms “collection”, “use” or “disclosure”.

In addition, the PDPA sets out obligations relating to an individual’s right to access his/her personal data, the correction of erroneous/incomplete personal data, accuracy of personal data, protection of personal data, retention of personal data, and the transfer of personal data outside Singapore.

7. Is there a requirement to notify or register with the Commission before processing data?

The PDPA does not presently prescribe any such requirement.

8. Is there a need to appoint a data protection officer?

Yes, it is a requirement for organisations to designate one or more individuals responsible for ensuring that the organisation complies with the PDPA, who may then delegate their responsibility to another individual (collectively, data protection officers).

Organisations must make available to the public the contact details of at least one data protection officer.

Organisations should note that the designation of a data protection officer does not relieve an organisation of its obligations under the PDPA.

9. What general responsibilities are prescribed on organisations under the new DP framework?

In addition to the requirement to appoint data protection officer(s), an organisation must also:

(i) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA;
(ii) develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA;
(iii) communicate to its staff information on the organisation’s policies and practices; and
(iv) make information available on request on policies and practices and the complaint process referred to above.

Further, there are obligations relating to the collection, use and disclosure of personal data (see question 10), and the rights of individuals to request access to and correction of their personal data (see questions 12 and 13).

Organisations must also make reasonable efforts to ensure that personal data collected is accurate and complete (see question 14), protect personal data by making reasonable security arrangements (see question 15), and anonymise or cease retaining personal data when the purpose for which the personal data had been collected is no longer served by retention, and retention is no longer necessary for legal or business purposes (see question 16).

There are also specific obligations in relation to the transfer of personal data outside Singapore (see question 17).

10. What are the general requirements that apply to the collection, use and disclosure of personal data?

Personal data collected before the new DP framework comes into effect

Under the PDPA, personal data collected before the new DP framework comes into effect may be used by an organisation for the purposes for which such personal data was collected, unless the individual withdraws consent or indicates to the organisation that he/she does not consent to such use.

The Commission has also clarified that the individual’s consent will need to be obtained where existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless one of the exceptions in the PDPA applies.

Personal data collected after the new DP framework comes into effect

Organisations are required to obtain the individual’s actual or deemed consent to the collection, use and disclosure of such personal data, unless one of the exceptions in the PDPA applies.

To obtain actual consent, organisations will first need to inform the individual of the purposes for which they are collecting, using or disclosing the individual’s personal data, and, if requested by the individual, the business contact information of a representative who can answer, on behalf of the organisation, the individual’s questions about the collection, use or disclosure of the personal data. Where organisations intend to use or disclose personal data for a different purpose than what was originally consented to, they would need to obtain fresh consent, unless one of the exceptions in the PDPA applies.

Exceptions

There are exceptions to the requirement to obtain consent for the collection, use and disclosure of personal data, and these are set out in the Second, Third and Fourth Schedules of the PDPA. For example, there are exceptions in relation to emergency situations, investigations, publicly available personal data or where personal data is used for evaluative purposes (see question 19 for the meaning of “evaluative purpose”).

(a) What rules are there concerning the form and content of consent? Does online consent suffice?

Consent may either be expressly obtained or deemed to have been obtained (i.e. deemed consent).

There are presently no specific rules as to the medium through which the consent must be obtained. For example, there are no rules differentiating between consent obtained in paper form, and consent obtained through electronic means (e.g. online).

Importantly, the PDPA specifies that one of the criteria for consent to have been validly obtained is that the purposes for the collection, use or disclosure of the personal data must be notified to the individual, and, if requested by the individual, the organisation must provide the business contact information of a person who is able to answer, on behalf of the organisation, questions about the collection, use or disclosure of personal data.

Further, consent will not be considered to be validly given under the PDPA if organisations:

(a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about an individual beyond what is reasonable to provide the product or service to that individual; or
(b) obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.

(b) Is there any provision for deemed consent?

In some cases, notwithstanding that express consent has not been provided, the PDPA specifies that consent may be deemed to have been provided.


The PDPA stipulates that consent will be deemed to have been given where the following prerequisites are satisfied:

(a) where an individual voluntarily provides his/her personal data to the organisation for a particular purpose; and
(b) it is reasonable that the individual would voluntarily provide his/her personal data.

In an example provided by the Commission, a person provides his/her personal data when registering with a clinic to seek medical treatment. In such a situation, it would be reasonable to deem that the person has given consent for the clinic to use his/her personal data for purposes related to his/her medical treatment at the clinic, and there is no need for the clinic to seek his/her express consent.

Where an individual has given (or is deemed to have given) consent for the disclosure of his/her personal data by Organisation A to Organisation B for a particular purpose, such individual would also be deemed to have given consent to Organisation B for the collection, use or disclosure of his/her personal data for that particular purpose.

(c) Are there any requirements relating to the withdrawal of consent?

An individual may withdraw his/her consent to the collection, use or disclosure of his/her personal data at any time upon giving reasonable notice. Upon receipt of notice from an individual that he/she intends to withdraw consent, organisations are required to inform the individual concerned of the likely consequences of the withdrawal of consent. Organisations should also not prohibit the individual from withdrawing consent.

Organisations will be required to cease (and cause their data intermediaries and agents to similarly cease) collecting, using or disclosing the personal data of an individual who has withdrawn his/her consent to the same, unless such collection, use or disclosure without the consent of the individual is required or authorised under the PDPA or other written law.

(d) Are there any special rules concerning consent by minors?

There are presently no specific rules under the PDPA regarding the obtaining of consent from minors.

However, as indicated by the then Minister for Information, Communications and the Arts in Parliament, details of persons who may act for minors and the extent to which they can exercise their rights or powers may be subsequently set out in subsidiary legislation.

11. For what purposes can personal data be collected, used or disclosed?

Personal data about an individual may only be collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and that have been notified to the individual, subject to the exceptions provided for under the PDPA.

The organisation may also identify whether consent can be deemed to have been given in respect of the purpose for which it would like to collect, use or disclose personal data and, if not, whether the purpose falls within the exceptions from consent in the Third and Fourth Schedules of the PDPA.

12. Are there any obligations to provide individuals with access to their personal data in the possession or under the control of an organisation?

Individuals will have the right to request access to their personal data that is in the possession or under the control of organisations, and to be provided with information as to how organisations have, or may have, used or disclosed their personal data within a year before the date of request for access.

Organisations may charge a fee for providing such access to the individual, though the fee charged should be reasonable and on a cost-recovery basis.


There are exceptions to the requirement to provide access to individuals’ personal data, and these are set out in Section 21 and the Fifth Schedule of the PDPA.

For example, an organisation is not required to provide an individual with access to his/her personal data, or information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year of the access request, in respect of certain types of personal data, such as personal data subject to legal privilege, or personal data which, if disclosed, would reveal confidential commercial information that could harm the competitive position of the organisation.

In addition, an organisation shall not inform an individual that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to the exceptions in relation to investigations or proceedings and disclosure to officers of prescribed law enforcement agencies under the Fourth Schedule of the PDPA.

Further examples are listed in question 18(d) below.

13. Are there any obligations to correct personal data in the possession or control of an organisation?

Individuals have the right to request that an organisation correct an error or omission in the personal data about him/her which is in the possession or under the control of that organisation. Upon an individual’s request, organisations will be required to correct the personal data as soon as practicable, unless the organisation is satisfied on reasonable grounds that such correction should not be made.

Organisations will also need to send the corrected data to every other organisation to whom the personal data has been disclosed within a year before the date the correction was made, unless the other organisation does not need the corrected data for any legal or business purpose. The corrected data may be sent only to specific organisations to which the personal data was disclosed, if the individual consents to this.

While organisations may charge a fee in respect of the correction of the individual’s personal data, the fee charged should be reasonable, and on a cost-recovery basis.

There are exceptions to the correction requirement, as set out in Section 22 and the Sixth Schedule of the PDPA. For example, organisations would not be required to correct or alter an opinion, including a professional or expert opinion. The correction requirement would also not apply to opinion data kept solely for an evaluative purpose (see question 19 for the meaning of “evaluative purpose”), or documents related to a prosecution if all proceedings related to the prosecution have not been completed.

14. Are organisations obliged to ensure the accuracy of personal data in their possession or control?

Organisations must make reasonable efforts, depending on the exact circumstances at hand, to ensure that personal data collected is accurate and complete, if it is likely that the personal data will be used to make a decision that affects the individual to whom the personal data relates, or the personal data is likely to be disclosed to another organisation.

15. What security requirements are imposed in relation to personal data?

Organisations (including data intermediaries) must put in place reasonable security arrangements to protect personal data in their possession or under their control, and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

This may be in the form of different levels of security depending upon the level of sensitivity of the personal data.

16. How long can personal data be retained?

The PDPA does not specify a retention period for personal data.


The baseline standard prescribed in the PDPA is that organisations (including data intermediaries) should not retain personal data when such retention no longer serves the purposes for which the data was collected, and retention is no longer necessary for legal or business purposes.

The retention duration is assessed on a standard of reasonableness under the PDPA, but organisations are obliged to comply with any other legal or industry-specific requirements that may apply.

17. What rules regulate the transfer of data outside Singapore?

The PDPA presently prohibits organisations from transferring personal data out of Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.

An organisation transferring personal data overseas is assumed to have taken appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA.

The Commission has indicated that further requirements may be prescribed in due course, which are envisioned to include the use of contractual agreements between the parties involved in the transfer of personal data. Therefore, the onus would be on the organisation to put in place measures, such as contractual arrangements, to ensure a comparable standard of protection is accorded to personal data transferred overseas.

Organisations may apply to the Commission to be exempted from such requirements as may be prescribed.

18. Are there exceptions to the general data protection obligations?

Yes, and these are set out within provisions in the main body of the PDPA and the Second to Sixth Schedules.

Some non-exhaustive examples of the exceptions are highlighted below.

(a) Collection of personal data without consent

Personal data may be collected without consent in the circumstances and subject to any condition in the Second Schedule of the PDPA, for example, where:

• collection of personal data is necessary for any purpose that is clearly in the interest of the individual, and: (i) if consent for its collection cannot be obtained in a timely way, or (ii) the individual would not reasonably be expected to withhold consent;
• the personal data is publicly available;
• collection of personal data is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
• collection of personal data is for the purpose of recovery of a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
• collection of personal data is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services;
• personal data is included in a document produced in the course of, and for the purposes of, the individual’s employment, business or profession, and collected for the purposes consistent with the purposes for which the document was produced; or
• personal data is collected by an individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual.

(b) Use of personal data without consent

Use of personal data without consent may be permitted in the circumstances and subject to any condition in the Third Schedule of the PDPA, for example, where:

• the use is necessary for any purpose that is clearly in the interests of the individual, and: (i) if consent for its use cannot be obtained in a timely way, or (ii) the individual would not reasonably be expected to withhold consent;
• the personal data is publicly available;
• the use is necessary for any investigation or proceedings;
• the personal data is used for an organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation; or
• the use is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services.

(c) Disclosure of personal data without consent

The Fourth Schedule of the PDPA provides for circumstances and conditions under which an organisation may disclose personal data without consent, for example, where:

• the disclosure is necessary for any purpose that is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way;
• the personal data is publicly available;
• the disclosure is necessary for any investigation or proceedings;
• the disclosure is necessary for an organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
• the disclosure is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services; or
• the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.

(d) Exceptions from access requirement

Section 21 and the Fifth Schedule of the PDPA set out the exceptions from the access requirement. For example, organisations will not be required to provide access to personal data, or to information as to how the personal data has been or may have been used or disclosed, in respect of:

• documents related to a prosecution if all proceedings related to the prosecution have not been completed;

• personal data subject to legal privilege;

• personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation; or

• any request: (i) that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests; (ii) if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests; (iii) for information that does not exist or cannot be found; (iv) for information that is trivial; or (v) that is otherwise frivolous or vexatious.

(e) Exceptions from correction requirement

Section 22 and the Sixth Schedule of the PDPA set out the exceptions from the correction requirement. For example, organisations would not be required to correct or alter an opinion, including a professional or expert opinion. The correction requirement would also not apply in respect of opinion data kept solely for an evaluative purpose (see question 19 for the meaning of “evaluative purpose”), or documents related to a prosecution if all proceedings related to the prosecution have not been completed.

19. Are there any provisions that govern employee data specifically?

Prima facie, employee data would be subject to the new DP framework to the extent that such data constitutes “personal data” as defined in the PDPA (see question 5).

That said, there are exceptions in the PDPA that provide for the collection, use and disclosure of employees’ personal data without their consent. For example, the Second Schedule of the PDPA provides that an organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual where:

(a) the personal data is included in a document produced in the course and for the purposes of the individual’s employment (e.g. an individual’s name or email address included in an email discussing work matters), provided that such document is collected for purposes consistent with the purposes for which the document was produced; or

(b) the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual.

The Third and Fourth Schedules further provide that data collected in accordance with the foregoing exceptions may be used or disclosed without the individual’s consent for purposes consistent with the purpose of collection.

Notwithstanding, on or before collecting, using or disclosing an individual’s personal data for the purpose of managing or terminating an employment relationship, the individual must be informed of:

(a) such purpose; and

(b) upon request, the contact details of a person who is able to answer the individual’s questions about that collection, use or disclosure on behalf of the organisation.

In addition, the Second, Third and Fourth Schedules also provide that personal data may be collected, used or disclosed without the consent of the individual or from a source other than the individual where the collection is necessary for an evaluative purpose.

The PDPA contains a broad range of purposes which constitute an “evaluative purpose”. These include: determining the suitability, eligibility or qualifications of an individual for employment or for appointment to office, for promotion in employment or office or for continuance in employment or office, and for removal from employment or office.

20. What considerations should my organisation have about personal data in relation to a business asset transaction (e.g. a merger or acquisition)?

Organisations that wish to share personal data about employees, customers, directors, officers or shareholders, in order to determine whether to proceed with a transaction, may do so without obtaining the individuals’ consent if the “business asset transaction” exception applies, as set out in the Second and Fourth Schedules of the PDPA.

A “business asset transaction” is defined to mean the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation (apart from the personal data to be shared under the exception).

Under this exception, Organisation A may disclose personal data to Organisation B without obtaining individual consent in the following circumstances:

(a) the organisations are parties or prospective parties to a business asset transaction;

(b) the personal data is about Organisation A’s employees, customers, directors, officers or shareholders; and

(c) the personal data relates directly to the part of Organisation A or its business assets with which the transaction is concerned.

Organisations invoking the “business asset transaction” exception would also need to observe the following conditions.

In the case of prospective transactions:

(a) the personal data must be necessary for the recipient organisation to determine whether to proceed with the transaction; and

(b) the organisations must enter into an agreement requiring the receiving organisation to use or disclose the personal data solely for purposes related to the transaction.

Where a transaction has been entered into:

(a) the recipient organisation must only use or disclose the personal data for the same purposes for which the disclosing organisation would be permitted to do so;

(b) if any personal data does not relate directly to the part of the disclosing organisation or its business assets with which the transaction is concerned, such personal data must be destroyed or returned; and

(c) the employees, customers, directors, officers and shareholders whose personal data is disclosed must be notified that the transaction has taken place and that their personal data has been disclosed.

If the transaction does not proceed or is not completed, all personal data collected must be destroyed or returned to the disclosing organisation.

21. Are there any exceptions for personal data that is required for research purposes?

Yes.

While the PDPA does not define the term “research purpose”, the Third and Fourth Schedules of the PDPA contain an exception providing that an organisation may use or disclose personal data about an individual without his/her consent where the personal data is used or disclosed for a research purpose, including historical or statistical research. However, this exception only applies if all the following conditions are met:

(a) the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;

(b) it is impracticable for the organisation to seek the individual’s consent;

(c) the personal data will not be used to contact persons to ask them to participate in the research; and

(d) linkage of the personal data to other information is not harmful to the individual identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest.

In addition to the foregoing conditions, where the organisation is disclosing the personal data, it must also ensure that the organisation receiving the data has signed an agreement to comply with:

(a) the PDPA;

(b) the policies and procedures relating to the confidentiality of personal data of the organisation that collected the personal data;

(c) security and confidentiality conditions of the organisation disclosing the personal data;

(d) a requirement to remove or destroy individual identifiers at the earliest reasonable opportunity; and

(e) a requirement not to use the personal data for any other purpose or to disclose the personal data in individually identifiable form without the express authorisation of the organisation that disclosed the personal data.


22. Is there a requirement to notify personal data security breaches to individuals or the Commission?

No, there is presently no such requirement prescribed under the PDPA. It remains to be seen if the Commission will in future issue any specific guidance on the steps that an organisation should take to respond to, contain and/or recover from a breach.

However, it is good practice to notify individuals affected by a data breach so that they may take preventive measures to reduce the impact of the data breach.

THE DO-NOT-CALL (DNC) REGISTRY

23. What is the DNC Registry?

The DNC Registry is established under the PDPA to address unsolicited telemarketing calls and messages. When operational, individuals will be allowed to register their Singapore telephone numbers if they wish to opt out of receiving telemarketing phone calls, text messages and faxes from businesses. Any organisation that makes or sends telemarketing calls and messages will be required to check the DNC Registry regularly in order to ensure that recipient telephone numbers have not been registered.

24. What types of messages are covered by the DNC Registry?

There will be 3 separate DNC registers, one each for voice calls, text messages (including SMS/MMS messages) and faxes. Subscribers who do not wish to receive specified messages of the relevant kind(s) may register their numbers on the respective register(s). The DNC Registry will not cover emails or post.

The DNC Registry will cover “specified messages”, which are generally messages (whether in sound, text, visual or other forms) with one or more marketing purposes. Such purposes include:

(a) offer to supply, advertise or promote goods or services, or a supplier or prospective supplier thereof;

(b) offer to supply, advertise or promote land or an interest in land, or a supplier or prospective supplier thereof;

(c) offer to provide, advertise or promote a business or investment opportunity, or a provider or prospective provider thereof; and

(d) other prescribed purposes related to obtaining or providing information.

The Commission has clarified that the DNC Registry is not intended to cover messages sent for other purposes, such as service calls or reminder messages sent by organisations to render service bought by an individual. Messages for pure market survey or research and those that promote charitable or religious causes are also not covered by the DNC Registry. The Commission has also clarified that business-to-business marketing calls or messages will not be covered under the DNC Registry.

The Eighth Schedule of the PDPA contains a list of messages that are expressly excluded from the DNC Registry provisions. These include messages which have the purpose of:

(a) facilitating, completing or confirming a transaction that the recipient has agreed to enter into with the sender;

(b) providing warranty information, product recall information or safety/security information with respect to a product or service purchased/used by the recipient;

(c) delivering goods or services, including product updates/upgrades as previously agreed between the sender and recipient;

(d) notifying a change in terms or features, status, or account balance information, of a subscription, membership, account, loan or other comparable commercial relationship involving the ongoing purchase or use by the recipient of goods or services offered by the sender.

The then Minister of Information, Communications and the Arts had previously indicated, during the PDPA’s Second Reading in Parliament, that specified messages sent through smartphone applications which use Singapore telephone numbers as an identifier will be covered by the DNC Registry. As such, it would appear that messages and calls sent via smartphone applications such as WhatsApp and Viber would be subject to the DNC Registry rules, to the extent that recipients may be identified using a Singapore telephone number.

25. What numbers may be registered on the DNC Registry?

The DNC Registry will only accept registration of Singapore telephone numbers. This includes mobile, fixed-line, residential and business numbers.

26. Will overseas telemarketers be affected by the DNC Registry?

The DNC Registry provisions apply to specified messages addressed to a Singapore telephone number where:

(a) the sender is present in Singapore when the message is sent; or

(b) the recipient is present in Singapore when the message is accessed.

The Commission has clarified that if a Singapore organisation outsources the telemarketing function overseas, the Singapore organisation that authorised the sending of the message will need to comply with the DNC Registry rules and will be responsible for the sending of the message.

In addition, the Commission has clarified that if both the telemarketing organisation and the organisation that outsourced its telemarketing function are overseas organisations, and the recipient is overseas, the DNC Registry rules will not apply (e.g. an overseas telecom service operator sending promotional messages to Singapore subscribers roaming on the overseas telecom network will not need to check the DNC Registry).

27. What obligations will apply to organisations intending to send specified messages?

Organisations sending a specified message (see question 24) to a Singapore telephone number will be required to ensure that:

(a) they have recently checked that the recipient number is not registered on the relevant DNC register (within the prescribed duration as detailed below);

(b) the message includes clear and accurate information identifying the sender as well as relevant contact details; and

(c) in the case of voice calls, the sender’s calling line identity is not concealed.

In particular, the Commission has indicated that organisations intending to send specified messages to Singapore telephone numbers will be required to check the relevant register(s) at least once every 60 days during the first 6 months of the DNC Registry’s operation, and at least once every 30 days thereafter.

The Commission is expected to publish details of applicable fees for checking the DNC Registry subsequently.

Any person who contravenes (a), (b) or (c) above will be guilty of an offence and liable to a fine of up to S$10,000.

28. Is consent required for the sending of specified messages?

The DNC Registry is an opt-out system and prima facie does not require consent to be obtained for the sending of specified messages to unregistered telephone numbers.

In the case of registered telephone numbers, an organisation would need to obtain clear and unambiguous consent from the user or subscriber, which is evidenced in written or other accessible form, before sending specified messages to that telephone number.

Such consent may not be made a condition for supplying goods, services, land, interest or opportunity beyond what is reasonable to provide the same.

Subscribers or users who have given their consent (before, on or after the commencement of the DNC Registry provisions) and subsequently register their telephone number would not be regarded as having withdrawn their consent.

A user or subscriber may withdraw any consent at any time by giving notice to the organisation.

29. Will registration on the DNC Registry expire?

Registration on the DNC Registry is permanent until withdrawn by the user/subscriber, or until the relevant telecommunication service linked to the number is terminated.

In this regard, telecommunications service providers would be required to report all terminated Singapore telephone numbers to the Commission. Failure to comply would constitute an offence and the relevant telecommunications service provider is liable to be fined up to S$10,000.

ENFORCEMENT OF THE PDPA

30. What types of enforcement action do organisations face for non-compliance with the PDPA?

The Commission is empowered to investigate non-compliance with the PDPA, either upon complaint or of its own motion (see question 31).

Where the Commission is satisfied that an organisation is in non-compliance with the DP framework under the PDPA, the Commission is empowered with a wide discretion to issue such remedial directions as it thinks fit. Without limitation, such directions may include requiring the organisation to:

(a) stop collecting, using or disclosing personal data in contravention of the PDPA;

(b) destroy personal data collected in contravention of the PDPA;

(c) provide access to or correct personal data (see question 32); and/or

(d) pay a financial penalty of up to S$1 million.

A contravention of the DNC Registry rules under the PDPA is an offence, for which a fine of up to S$10,000 per offence may be imposed (see question 27).

31. What are the Commission’s powers of investigation?

The Commission’s detailed powers of investigation are set out in the Ninth Schedule of the PDPA.

Briefly, the Commission’s powers of investigation include:

(a) the power to require any organisation to produce documents or information; and

(b) the power to enter and search premises, with or without a court warrant.

Where the Commission seeks to enter any premises without a warrant, it will give at least 2 working days’ written notice of the intended entry indicating the subject-matter and purpose of the investigation.

An organisation or person who obstructs or impedes the Commission or its officers, or knowingly or recklessly makes a false statement to the Commission, or knowingly misleads or attempts to mislead the Commission, will commit an offence and be liable to a fine of up to S$10,000 or to 12 months’ imprisonment or to both (for an individual), or a fine of up to S$100,000 (for any other case).


32. What other measures can the Commission take to resolve complaints?

Where appropriate, the Commission can refer a complainant and the relevant organisation to mediation with their consent. Alternatively, the Commission may direct the complainant and organisation to resolve the complaint in some other specified manner (with or without their consent).

Where the complaint relates to an individual’s access or correction rights, the Commission may review the matter and (as applicable):

(a) confirm a refusal to provide access to personal data, or direct the organisation to provide access to personal data within a specified time;

(b) confirm, reduce, disallow or direct a refund of a fee levied by the organisation for providing access or correcting personal data; or

(c) confirm a refusal to correct personal data, or direct the organisation to correct personal data in a specified manner and timeframe.

In any event, it is an offence to evade an individual’s request for access or correction of personal data by disposing of, altering, falsifying, concealing or destroying personal data or information about the collection, use or disclosure of personal data. An organisation or person who commits such an offence is liable to be fined up to S$5,000 (for an individual) or up to S$50,000 (for any other case).

33. Can company officers be made personally liable for the company’s non-compliance with the PDPA?

Yes, depending on the nature of non-compliance.

The new DP framework in the PDPA does not impose any obligation on employees in general (which may include company officers) who are acting in the course of their employment.

However, in the case of penal offences under the PDPA (including DNC offences), where such offences are committed with a company officer’s consent or connivance, or are attributable to the officer’s neglect, such officer may be held personally liable for the offence and punished accordingly.

34. How can aggrieved parties challenge the Commission’s decisions?

The PDPA provides for aggrieved organisations and individuals to challenge certain of the Commission’s directions and decisions, in particular remedial directions issued by the Commission for breach of the DP framework (including the imposition of financial penalties – see question 30).

An aggrieved organisation or individual may request the Commission to reconsider its decision or direction. If any organisation or individual is aggrieved by the Commission’s reconsideration decision, it may then submit an appeal to the Data Protection Appeal Panel.

Alternatively, an aggrieved organisation or individual may appeal directly to the Data Protection Appeal Panel without first submitting a reconsideration request.

An appeal can be made against the Data Protection Appeal Panel’s decision to the High Court on limited grounds, namely on a point of law or where such decision relates to the amount of a financial penalty.

Reconsideration applications and appeal requests must be made within 28 days after the issuance of the relevant direction or decision, and it should be noted that there is no automatic suspension of the direction or decision concerned except where the reconsideration or appeal concerns the imposition of a financial penalty or the amount thereof.

35. Are there any rights of private action available for breaches of the PDPA?

Yes. Any person who suffers loss or damage directly as a result of non-compliance by an organisation with the PDPA’s DP framework will have a right of action for relief in civil proceedings in a court. This is provided that any relevant infringement decision issued by the Commission has become final as a result of there being no further right of appeal. The court may grant such relief as it thinks fit, including the award of an injunction or declaration, or damages.

36. What steps may individuals take in the event of an organisation’s non-compliance with the PDPA?

As mentioned in questions 8 and 9, organisations must make publicly available the contact details of at least one data protection officer, and must also develop a complaints-handling process. Effectively, this would allow individuals to complain directly to the organisation concerned in respect of any non-compliance with the PDPA.

Alternatively, an individual may bring a complaint to the Commission, which may then investigate or review the matter, or direct the parties as to an appropriate mode of dispute resolution.

As mentioned in question 35, an individual who has suffered loss or damage directly as a result of non-compliance with the new DP framework will also have a right of private action in court, provided certain conditions are met.

Under the PDPA, individuals have a right to request access to their personal data and information about the ways in which their personal data have been used or disclosed by the organisation in the preceding 1 year, subject to the exceptions in the PDPA (see question 12). Individuals are also entitled to request organisations to correct any erroneous or incomplete personal data, subject to the exceptions in the PDPA (see question 13).


About the Telecommunications, Media and Technology (TMT) Practice Group

Drew & Napier’s Telecommunications, Media & Technology (TMT) Practice Group is consistently ranked as the leading IT, telecoms, broadcasting and multimedia legal practice in Singapore. The Practice Group possesses unparalleled transactional, licensing and regulatory experience in the TMT and postal sectors, as well as data protection law, in Singapore. The strength of the team, headed by Director Lim Chong Kin, lies in a carefully-selected mix of more than 10 lawyers and paralegals familiar with infocomms and media law, data protection, and sector-specific and general competition law.

The TMT Practice Group is particularly strong in its extensive work for government regulators, including the Info-communications Development Authority (IDA) and Media Development Authority (MDA), which are now merged as the Info-communications Media Development Authority (IMDA), the Competition Commission of Singapore (CCS), and the Personal Data Protection Commission (PDPC). In 2016, for the 18th consecutive year, Drew & Napier’s TMT Practice Group was retained as IDA (now IMDA)’s external legal and regulatory advisors, a record which speaks volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its clients. The TMT Practice Group has also acted for the MDA (now IMDA) for 14 consecutive years starting from 2002. Since 2013, Drew & Napier’s TMT Practice Group has also been appointed as external legal and regulatory advisors to the PDPC, which has been established to administer the Personal Data Protection Act.

The TMT Practice Group is also particularly experienced in acting for a broad range of leading international technology industry players, several of which are major equipment manufacturers. Clients who trust Drew & Napier on technology matters include MNCs, public listed companies, statutory boards and some of the most established names in Singapore and internationally. We have advised and acted for clients in drafting, reviewing and/or negotiating various technology contracts relating to consultancy and project management, website service agreements (including privacy policies and data management procedures), outsourcing, software integration, bespoke hardware and software, and hardware/software maintenance. The firm’s broad client base allows it to offer unique insights on the TMT industry from all perspectives.

Our accolades bear testimony to the quality of the Practice Group:

• Chambers Asia: standalone Band 1 TMT firm in Singapore for 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008

• Asia Pacific Legal 500: Tier 1 TMT practice for 2016/2017, 2015/2016, 2014/2015, 2013/2014, 2012/2013, 2011/2012, 2010/2011, 2009/2010, 2008/2009

• AsiaLaw Profiles: Outstanding Practice for 2017, 2016; Highly Recommended Practice for 2015, 2014 & 2013; Tier 1 (IT, Telecoms & Media) for 2012 & 2011

• Who’s Who Legal: TMT 2017, 2016 and Who’s Who Legal: Competition 2008-2016 both recognise Chong Kin as a leading lawyer in regulatory and competition advisory work

10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315
Tel: +65 6535 0733 Fax: +65 6535 4906 www.drewnapier.com

The Drew & Napier TMT Team

Lim Chong Kin, Director, Head (Telecommunications, Media & Technology)

Chong Kin practices corporate and commercial law with strong emphasis in the specialist areas of TMT law and competition law. He regularly advises on regulatory, licensing, competition and market access issues. Apart from his expertise in drafting “first-of-its-kind” competition legislation, Chong Kin also has broad experience in corporate and commercial transactions including mergers and acquisitions. He is widely regarded as a pioneer in competition practice in Singapore and the leading practitioner on TMT and regulatory work. Chong Kin has won plaudits for “[understanding] regulatory thinking like no other lawyer in the field” (Asia Pacific Legal 500); has been recognised as “incisive, insightful and knowledgeable” (Chambers Asia Pacific 2017: Band 1 for TMT); and has been endorsed for his excellence in regulatory work and competition matters: Practical Law Company’s Which Lawyer Survey 2011/2012; Who’s Who Legal: TMT 2016 and Who’s Who Legal: Competition 2016. Asialaw Profiles 2016 notes: “Lim Chong Kin’s work is consistently exceptional.”

Tel: +65 6531 4110 • Fax: +65 6535 4864 • Email: [email protected]

Charmian Aw, Director

Charmian is a Director in Drew & Napier’s TMT Practice Group. She is frequently involved in advising companies on a wide range of corporate, commercial and regulatory issues in Singapore. Charmian has also been actively involved in assisting companies on Singapore data protection law compliance, including reviewing contractual agreements and policies, conducting trainings and audits, as well as advising on enforcement issues relating to security, access, monitoring, and data breaches. She is also a co-chair of the International Association of Privacy Professionals (IAPP) KnowledgeNet chapter in Singapore, and is a Certified Information Privacy Professional for Europe, the United States, and Asia (CIPP/E, CIPP/US, CIPP/A). Charmian is recommended for corporate-related TMT and data privacy work by The Asia Pacific Legal 500, and Who’s Who Legal.

Tel: +65 6531 2235 • Fax: +65 6535 4864 • Email: [email protected]