All enquiries should be addressed to:
Lim Chong Kin Director & Head, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Tel: +65 6531 4110
Fax: +65 6535 4864
Email: [email protected]
COPYRIGHT
© 2013, 2017 Drew & Napier LLC
First Published 2013
Second Edition Published 2017
All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted,
in any form or by any means, whether electronic or mechanical, including photocopying and recording, without
the permission of the copyright holder.
IMPORTANT DISCLAIMER: We have sought to state the law as at 1 February 2017. Drew & Napier LLC accepts
no liability for, and does not guarantee the accuracy of, information or opinion contained in this document. This
document covers a wide range of topics and is not intended to be a comprehensive study of the subjects
covered, nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on
specific situations.
Published by
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Printed in Singapore
Your Guide to the
Personal Data Protection Act
2012
Editors:
LIM Chong Kin Director, Head (Telecoms, Media and Technology Law Practice Group)
and Head (Competition and Regulatory Practice Group)
LL.B. (Hons), LL.M. (NUS); Advocate and Solicitor (Singapore)
Admitted to the Roll of Solicitors (England & Wales)
Charmian AW Director
LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)
Certified Information Privacy Professional (Asia) (CIPP/A)
Certified Information Privacy Professional (Europe) (CIPP/E)
Certified Information Privacy Professional (US) (CIPP/US)
2017 Revised Edition
Your Guide to the Personal Data Protection Act 2012
www.drewnapier.com
About Drew & Napier LLC
Drew & Napier LLC has provided exceptional legal advice and representation to discerning clients since
1889 and is one of the leading and largest law firms in Singapore.
The calibre of our work is acknowledged internationally at the highest levels of government and
industry. Our lawyers and senior counsel are the preferred choice when the stakes are high and the
issues complex.
The firm possesses unparalleled transactional, licensing and regulatory experience in data protection law
as well as the Telecommunication, Media and Technology, and postal sectors in Singapore, which it
attributes to its Telecommunications, Media and Technology Practice Group, led by Lim Chong Kin.
Drew & Napier assists clients in a wide range of data protection matters including data protection
review; training; compliance audits; and advisory. Since 2013, the firm has been appointed by the
Personal Data Protection Commission as its external legal and regulatory advisors, which speaks
volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its
clients.
For more information on Drew & Napier LLC, please visit www.drewnapier.com.
Drew & Napier’s Expertise in Data Protection Law – How We Can Help You
We regularly advise and assist MNC clients on data protection concerns in respect of their Singapore
operations. Our MNC clients include telco operators and Internet companies (ranging from social
networking sites to mobile device manufacturers to software developers). Our work for clients includes:
• Adapting global policies for data privacy and consumer protection for clients’ Singapore
operations and offices.
• Wide-ranging advice on the Singapore data protection regime.
• Advising on ad-hoc queries relating to potential or actual privacy breaches and the necessary
disclosure requirements and remedial actions in Singapore.
• Advising on data protection concerns relating to the introduction of novel telecommunication
services in the Singapore market.
We are also regularly engaged by MNCs as well as local clients across industries (including airlines,
manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet companies to
conduct regulatory risk audits of their business operations to highlight potential areas of non-compliance
and to assist in the rectification of any problematic agreements and conduct. Our team of
lawyers is also experienced in conducting compliance audits of business practices, existing legal
agreements, and informal business arrangements.
In developing compliance programmes for our clients, we further value-add by creating manageable,
staff-level compliance manuals and training programmes to ensure that our clients are in a position to
operationalise their compliance procedures on a day-to-day basis.
Personal Data Protection Act 2012
INTRODUCTION TO THE PERSONAL DATA PROTECTION ACT 2012
The Personal Data Protection Act 2012 (PDPA)
was passed by the Singapore Parliament on 15
October 2012. The PDPA establishes a general
data protection (DP) framework for the
protection of personal data across the private
sector (which is mainly set out in Parts III to VI
of the PDPA), as well as a Do-Not-Call (DNC)
Registry to address unsolicited telemarketing
calls and messages (which is mainly set out in
Part IX of the PDPA).
The following is a series of key questions and
answers to help you understand the impact of
the PDPA on your business.
1. When does the PDPA come into effect?
The PDPA will be implemented in phases to allow organisations sufficient time to adapt to the new requirements.
A number of the PDPA’s provisions first came
into effect on 2 January 2013. These relate
mainly to the scope and interpretation of the
PDPA, establishment and powers of the
Personal Data Protection Commission (the
Commission), setting up of the Data Protection
Advisory Committee, and other general
provisions.
The DNC Registry rules are expected to come
into effect after a transition period of about 12
months, in early 2014, while the new DP
framework is expected to come into effect after
a transition period of about 18 months, in mid-2014.
2. Is there an authority responsible for administering the PDPA?
The Commission is the statutory body
established on 2 January 2013 to administer and
enforce the PDPA. It is advised by the Data
Protection Advisory Committee. In addition,
the Info-communications Media Development
Authority of Singapore (IMDA) has been
appointed as the Administration Body to
provide administrative and other support to the
Commission. The Commission is also expected
to work with other sector regulators where
relevant.
PERSONAL DATA PROTECTION FRAMEWORK
3. To whom does the new DP framework apply?
The new DP framework applies to all
organisations, with certain exceptions.
“Organisation” is defined broadly to include any
individual, company, association or body of
persons, corporate or unincorporated, whether
or not:
(a) formed or recognised under the law of
Singapore; or
(b) resident or having an office or place of
business in Singapore.
The DP framework does not apply to:
(a) individuals acting in a personal or
domestic capacity;
(b) employees acting in the course of their
employment with an organisation;
(c) public agencies, or organisations acting
on behalf of a public agency in relation
to the collection, use or disclosure of
personal data; and
(d) other organisations as may be
prescribed.
Notably, the new DP framework is not intended
to apply to the public sector, which will
continue to be governed by its own set of data
protection rules.
Where the new DP framework applies, it will
impose a uniform standard of personal data
protection regardless of an organisation’s scale
or size.
The PDPA also recognises a category of
organisations referred to as “data
intermediaries”, which are organisations that
process personal data on behalf of other
organisations, e.g. organisations which merely
provide hosting or storage services to other
organisations. Where data intermediaries
process personal data on behalf of another
organisation (the principal organisation)
pursuant to a written contract, they will only be
subject to the DP rules relating to protection
and retention of personal data. On the other
hand, the principal organisation would be
subject to the full DP framework as if it were
processing the personal data itself.
4. What other laws regulate personal data in Singapore?
Currently, personal data in Singapore is
governed by a combination of sector-specific
frameworks and the common law.
The PDPA is intended to set a baseline standard
of personal data protection across the private
sector. Therefore, it will operate alongside (and
will not override) existing laws and regulations.
The PDPA provides that the new general DP
framework will not affect any right or obligation
under the law, and in the event of any
inconsistency the provisions of other written
law will prevail.
For example, the banking secrecy laws under
the Banking Act (Cap. 19) currently govern
customer information obtained by a bank, while
the Telecom Competition Code governs end
user service information obtained by a telecoms
licensee.
Once the new DP framework comes into effect,
organisations that are subject to existing data
protection frameworks (such as banks and
telecoms licensees) will need to ensure
compliance with the PDPA in addition to
continued compliance with any sector-specific
frameworks. For example, organisations may
need to consider expanding their existing
policies and procedures to cover personal data
belonging to employees, consultants, agents,
and contractors. Practical steps may include
updating of compliance manuals and
procedures and training staff to be aware of the
new requirements. Where applicable,
organisations will also need to appoint the
relevant personnel and develop a complaints-handling
process for compliance with the PDPA
(see question 9).
5. What data is regulated under the PDPA?
The PDPA does not prescribe a fixed list of the
types of data that are regulated. Instead, the
PDPA applies generally to “personal data”,
which is defined broadly to mean data, whether
true or not, about an individual who can be
identified from that data, or from that data and
other information to which the organisation has
or is likely to have access. Whether or not
certain types of information may be considered
personal data (e.g. the IP address of a device)
would depend on the specific context.
In addition, the PDPA does not distinguish
between data in electronic and non-electronic
form.
That said, certain types of data are excluded
from the PDPA. In particular, business contact
information is excluded from the new DP
framework. Business contact information refers
to an individual’s name, position name or title,
business telephone number, business address,
business electronic mail address or business fax
number and any other similar information
about the individual, not provided by the
individual solely for his/her personal purposes.
Generic information, such as gender,
nationality, age or blood group, which alone
cannot be used to identify a particular
individual, is also excluded. However, this
information will constitute personal data if,
when combined with a unique identifier, it may
identify an individual.
In addition, the PDPA does not apply to
personal data contained in a record that has
been in existence for at least 100 years. The
PDPA also does not apply to personal data
about deceased individuals, except that the
requirements to make reasonable security
arrangements for the protection of such data,
and the requirements relating to disclosure of
personal data will apply for 10 years from the
date of death.
The new DP framework will also exclude other
personal data (or classes thereof) as may be
subsequently prescribed.
6. What activities involving personal data are regulated under the PDPA?
The PDPA regulates the collection, use and
disclosure of personal data by organisations
(see question 10), although the PDPA does not
presently define the terms “collection”, “use” or
“disclosure”.
In addition, the PDPA sets out obligations
relating to an individual’s right to access his/her
personal data, the correction of
erroneous/incomplete personal data, accuracy
of personal data, protection of personal data,
retention of personal data, and the transfer of
personal data outside Singapore.
7. Is there a requirement to notify or
register with the Commission before processing data?
The PDPA does not presently prescribe any
such requirement.
8. Is there a need to appoint a data protection officer?
Yes, it is a requirement for organisations to
designate one or more individuals responsible
for ensuring that the organisation complies with
the PDPA, who may then delegate their
responsibility to another individual (collectively,
data protection officers).
Organisations must make available to the
public the contact details of at least one data
protection officer.
Organisations should note that the designation
of a data protection officer does not relieve an
organisation of its obligations under the PDPA.
9. What general responsibilities are
prescribed on organisations under the new DP framework?
In addition to the requirement to appoint data
protection officer(s), an organisation must also:
(i) develop and implement policies and practices
that are necessary for the organisation to meet
the obligations of the organisation under the
PDPA; (ii) develop a process to receive and
respond to complaints that may arise with
respect to the application of the PDPA; (iii)
communicate to its staff information on the
organisation’s policies and practices; and (iv)
make information available on request on
policies and practices and the complaint
process referred to above.
Further, there are obligations relating to the
collection, use and disclosure of personal data
(see question 10), and the rights of individuals
to request access to and correction of their
personal data (see questions 12 and 13).
Organisations must also make reasonable
efforts to ensure that personal data collected is
accurate and complete (see question 14),
protect personal data by making reasonable
security arrangements (see question 15), and
anonymise or cease retaining personal data
when the purpose for which the personal data
had been collected is no longer served by
retention, and retention is no longer necessary
for legal or business purposes (see question 16).
There are also specific obligations in relation to
the transfer of personal data outside Singapore
(see question 17).
10. What are the general requirements that
apply to the collection, use and disclosure of personal data?
Personal data collected before the new DP
framework comes into effect
Under the PDPA, personal data collected before
the new DP framework comes into effect may
be used by an organisation for the purposes for
which such personal data was collected, unless
the individual withdraws consent or indicates to
the organisation that he/she does not consent
to such use.
The Commission has also clarified that the
individual’s consent will need to be obtained
where existing data is to be used for a new
purpose different from the purpose for which it
was collected, or if the existing data is to be
disclosed to another organisation or individual,
unless one of the exceptions in the PDPA
applies.
Personal data collected after the new DP
framework comes into effect
Organisations are required to obtain the
individual’s actual or deemed consent to the
collection, use and disclosure of such personal
data, unless one of the exceptions in the PDPA
applies.
To obtain actual consent, organisations will first
need to inform the individual of the purposes
for which they are collecting, using or disclosing
the individual’s personal data, and, if requested
by the individual, the business contact
information of a representative who can
answer, on behalf of the organisation, the
individual’s questions about the collection, use
or disclosure of the personal data. Where
organisations intend to use or disclose personal
data for a different purpose than what was
originally consented to, they would need to
obtain fresh consent, unless one of the
exceptions in the PDPA applies.
Exceptions
There are exceptions to the requirement to
obtain consent for the collection, use and
disclosure of personal data, and these are set
out in the Second, Third and Fourth Schedules
of the PDPA. For example, there are exceptions
in relation to emergency situations,
investigations, publicly available personal data
or where personal data is used for evaluative
purposes (see question 19 for the meaning of
“evaluative purpose”).
(a) What rules are there concerning the form and content of consent? Does online consent suffice?
Consent may either be expressly obtained or
deemed to have been obtained (i.e. deemed
consent).
There are presently no specific rules as to the
medium through which the consent must be
obtained. For example, there are no rules
differentiating between consent obtained in
paper form, and consent obtained through
electronic means (e.g. online).
Importantly, the PDPA specifies that one of the
criteria for consent to have been validly
obtained is that the purposes for the collection,
use or disclosure of the personal data must be
notified to the individual, and, if requested by
the individual, the organisation must provide
the business contact information of a person
who is able to answer, on behalf of the
organisation, questions about the collection,
use or disclosure of personal data.
Further, consent will not be considered to be
validly given under the PDPA if organisations:
(a) as a condition of providing a product or
service, require an individual to consent
to the collection, use or disclosure of
personal data about an individual
beyond what is reasonable to provide
the product or service to that
individual; or
(b) obtain or attempt to obtain consent for
collecting, using or disclosing personal
data by providing false or misleading
information with respect to the
collection, use or disclosure of the
personal data, or using deceptive or
misleading practices.
(b) Is there any provision for deemed consent?
In some cases, notwithstanding that express
consent has not been provided, the PDPA
specifies that consent may be deemed to have
been provided.
The PDPA stipulates that consent will be
deemed to have been given where the following
prerequisites are satisfied:
(a) where an individual voluntarily provides
his/her personal data to the
organisation for a particular purpose;
and
(b) it is reasonable that the individual
would voluntarily provide his/her
personal data.
In an example provided by the Commission, a
person provides his/her personal data when
registering with a clinic to seek medical
treatment. In such a situation, it would be
reasonable to deem that the person has given
consent for the clinic to use his/her personal
data for purposes related to his/her medical
treatment at the clinic, and there is no need for
the clinic to seek his/her express consent.
Where an individual has given (or is deemed to
have given) consent for the disclosure of his/her
personal data by Organisation A to
Organisation B for a particular purpose, such
individual would also be deemed to have given
consent to Organisation B for the collection,
use or disclosure of his/her personal data for
that particular purpose.
(c) Are there any requirements relating to the withdrawal of consent?
An individual may withdraw his/her consent to
the collection, use or disclosure of his/her
personal data at any time upon giving
reasonable notice. Upon receipt of notice from
an individual that he/she intends to withdraw
consent, organisations are required to inform
the individual concerned of the likely
consequences of the withdrawal of consent.
Organisations should also not prohibit the
individual from withdrawing consent.
Organisations will be required to cease (and
cause its data intermediaries and agents to
similarly cease) collecting, using or disclosing
the personal data of an individual who has
withdrawn his/her consent to the same, unless
such collection, use or disclosure without the
consent of the individual is required or
authorised under the PDPA or other written
law.
(d) Are there any special rules concerning consent by minors?
There are presently no specific rules under the
PDPA regarding the obtaining of consent from
minors.
However, as indicated by the then Minister for
Information, Communications and the Arts in
Parliament, details of persons who may act for
minors and the extent to which they can
exercise their rights or powers may be
subsequently set out in subsidiary legislation.
11. For what purposes can personal data be collected, used or disclosed?
Personal data about an individual may only be
collected, used or disclosed for purposes that a
reasonable person would consider appropriate
in the circumstances, and that have been
notified to the individual, subject to the
exceptions provided for under the PDPA.
The organisation may also identify whether
consent can be deemed to have been given in
respect of the purpose for which it would like to
collect, use or disclose personal data and, if
not, whether the purpose falls within the
exceptions from consent in the Third and Fourth
Schedules of the PDPA.
12. Are there any obligations to provide
individuals with access to their personal data in the possession or under the control of an organisation?
Individuals will have the right to request access
to their personal data that is in the possession
or under the control of organisations, and be
provided with information as to how
organisations have, or may have, used or
disclosed their personal data within a year
before the date of request for access.
Organisations may charge a fee for providing
such access to the individual, though the fee
charged should be reasonable and on a cost-recovery basis.
There are exceptions to the requirement to
provide access to individuals’ personal data, and
these are set out in Section 21 and the Fifth
Schedule of the PDPA.
For example, an organisation is not required to
provide an individual with access to his/her
personal data, or information about the ways in
which that personal data has been or may have
been used or disclosed by the organisation
within a year of the access request, in respect of
certain types of personal data, such as personal
data subject to legal privilege, or personal data
which if disclosed, would reveal confidential
commercial information that could harm the
competitive position of the organisation.
In addition, an organisation shall not inform an
individual that it has disclosed personal data to
a prescribed law enforcement agency if the
disclosure was made without the consent of the
individual pursuant to the exceptions in relation
to investigations or proceedings and disclosure
to officers of prescribed law enforcement
agencies under the Fourth Schedule of the
PDPA.
Further examples are listed in question 18(d)
below.
13. Are there any obligations to correct
personal data in the possession or control of an organisation?
Individuals have the right to request that an
organisation correct an error or omission in the
personal data about him/her, which is in the
possession or under the control of that
organisation. Upon an individual’s request,
organisations will be required to correct the
personal data as soon as practicable, unless the
organisation is satisfied on reasonable grounds
that such correction should not be made.
Organisations will also need to send the
corrected data to every other organisation to
whom the personal data has been disclosed
within a year before the date the correction was
made, unless the other organisation does not
need the corrected data for any legal or
business purpose. The corrected data may be
sent only to specific organisations to which the
personal data was disclosed, if the individual
consents to this.
While organisations may charge a fee in respect
of the correction of the individual’s personal
data, the fee charged should be reasonable, and
on a cost-recovery basis.
There are exceptions to the correction
requirement, as set out in Section 22 and the
Sixth Schedule of the PDPA. For example,
organisations would not be required to correct
or alter an opinion, including a professional or
expert opinion. The correction requirement
would also not apply to opinion data kept solely
for an evaluative purpose (see question 19 for
the meaning of “evaluative purpose”), or
documents related to a prosecution if all
proceedings related to the prosecution have not
been completed.
14. Are organisations obliged to ensure the
accuracy of personal data in their possession or control?
Organisations must make reasonable efforts,
depending on the exact circumstances at hand,
to ensure that personal data collected is
accurate and complete, if it is likely that the
personal data will be used to make a decision
that affects the individual to whom the personal
data relates, or the personal data is likely to be
disclosed to another organisation.
15. What security requirements are imposed in relation to personal data?
Organisations (including data intermediaries)
must put in place reasonable security
arrangements to protect personal data in their
possession or under their control, and to
prevent unauthorised access, collection, use,
disclosure, copying, modification, disposal or
similar risks.
This may be in the form of different levels of
security depending upon the level of sensitivity
of the personal data.
16. How long can personal data be retained?
The PDPA does not specify a retention period
for personal data.
The baseline standard prescribed in the PDPA is
that organisations (including data
intermediaries) should not retain personal data
when such retention no longer serves the
purposes for which the data was collected, and
retention is no longer necessary for legal or
business purposes.
The retention duration is assessed on a standard of reasonableness under the PDPA, but organisations are obliged to comply with any other legal or industry-specific requirements that may apply.
17. What rules regulate the transfer of data outside Singapore?
The PDPA presently prohibits organisations
from transferring personal data out of
Singapore except in accordance with
requirements prescribed under the PDPA to
ensure that organisations provide a standard of
protection to the personal data so transferred
that is comparable to the protection under the
PDPA.
An organisation transferring personal data
overseas is assumed to have taken appropriate
steps to ensure that the recipient is bound by
legally enforceable obligations to provide a
standard of protection comparable to that
under the PDPA.
The Commission has indicated that further
requirements may be prescribed in due course,
which are envisioned to include the use of
contractual agreements between the parties
involved in the transfer of personal data.
Therefore, the onus would be on the
organisation to put in place measures, such as
contractual arrangements, to ensure a
comparable standard of protection is accorded
to personal data transferred overseas.
Organisations may apply to the Commission to
be exempted from such requirements as may
be prescribed.
18. Are there exceptions to the general
data protection obligations?
Yes, and these are set out within provisions in
the main body of the PDPA and the Second to
Sixth Schedules.
Some non-exhaustive examples of the
exceptions are highlighted below.
(a) Collection of personal data without consent
Personal data may be collected without consent
in the circumstances and subject to any
condition in the Second Schedule of the PDPA,
for example, where:
• collection of personal data is necessary for
any purpose that is clearly in the interest of
the individual, and: (i) if consent for its
collection cannot be obtained in a timely
way, or (ii) the individual would not
reasonably be expected to withhold
consent;
• the personal data is publicly available;
• collection of personal data is necessary for
any investigation or proceedings, if it is
reasonable to expect that seeking the
consent of the individual would
compromise the availability or the accuracy
of the personal data;
• collection of personal data is for the
purpose of recovery of a debt owed to the
organisation by the individual or for the
organisation to pay to the individual a debt
owed by the organisation;
• collection of personal data is necessary for
the provision of legal services by the
organisation to another person, or for the
organisation to obtain legal services;
• personal data is included in a document
produced in the course of, and for the
purposes of, the individual’s employment,
business or profession, and collected for the
purposes consistent with the purposes for
which the document was produced; or
• personal data is collected by an individual’s
employer and the collection is reasonable
for the purpose of managing or terminating
an employment relationship between the
organisation and the individual.
(b) Use of personal data without consent
Use of personal data without consent may be
permitted in the circumstances and subject to
any condition in the Third Schedule of the
PDPA, for example, where:
• the use is necessary for any purpose that is
clearly in the interests of the individual,
and: (i) if consent for its use cannot be
obtained in a timely way, or (ii) the
individual would not reasonably be
expected to withhold consent;
• the personal data is publicly available;
• the use is necessary for any investigation or
proceedings;
• the personal data is used for an
organisation to recover a debt owed to the
organisation by the individual or for the
organisation to pay to the individual a debt
owed by the organisation; or
• the use is necessary for the provision of
legal services by the organisation to
another person, or for the organisation to
obtain legal services.
(c) Disclosure of personal data without consent
The Fourth Schedule of the PDPA provides for
circumstances and conditions under which an
organisation may disclose personal data
without consent, for example, where:
• the disclosure is necessary for any purpose
that is clearly in the interests of the
individual, if consent for its disclosure
cannot be obtained in a timely way;
• the personal data is publicly available;
• the disclosure is necessary for any
investigation or proceedings;
• the disclosure is necessary for an
organisation to recover a debt owed to the
organisation by the individual or for the
organisation to pay to the individual a debt
owed by the organisation;
• the disclosure is necessary for the provision
of legal services by the organisation to
another person, or for the organisation to
obtain legal services; or
• the personal data is disclosed to any officer
of a prescribed law enforcement agency,
upon production of written authorisation
signed by the head or director of that law
enforcement agency or a person of a similar
rank, certifying that the personal data is
necessary for the purposes of the functions
or duties of the officer.
(d) Exceptions from access requirement
Section 21 and the Fifth Schedule of the PDPA
set out the exceptions from the access
requirement. For example, organisations will
not be required to provide access to personal
data or information as to how the personal data
has been or may have been used or disclosed, in
respect of:
• documents related to a prosecution if all
proceedings related to the prosecution
have not been completed;
• personal data subject to legal privilege;
• personal data, which if disclosed, would
reveal confidential commercial information
that could, in the opinion of a reasonable
person, harm the competitive position of
the organisation; or
• any request: (i) that would unreasonably
interfere with the operations of the
organisation because of the repetitious or
systematic nature of the requests; (ii) if the
burden or expense of providing access
would be unreasonable to the organisation
or disproportionate to the individual’s
interests; (iii) for information that does not
exist or cannot be found; (iv) for
information that is trivial; or (v) that is
otherwise frivolous or vexatious.
(e) Exceptions from correction requirement
Section 22 and the Sixth Schedule of the PDPA
set out the exceptions from the correction
requirement. For example, organisations would
not be required to correct or alter an opinion,
including a professional or expert opinion. The
correction requirement would also not apply in
respect of opinion data kept solely for an
evaluative purpose (see question 19 for the
meaning of “evaluative purpose”), or
documents related to a prosecution if all
proceedings related to the prosecution have not
been completed.
19. Are there any provisions that govern
employee data specifically?
Prima facie, employee data would be subject to
the new DP framework to the extent that such
data constitutes “personal data” as defined in
the PDPA (see question 5).
That said, there are exceptions in the PDPA that
provide for the collection, use and disclosure of
employees’ personal data without their consent.
For example, the Second Schedule of the PDPA
provides that an organisation may collect
personal data about an individual without the
consent of the individual or from a source other
than the individual where:
(a) the personal data is included in a
document produced in the course and
for the purposes of the individual’s
employment (e.g. an individual’s name
or email address included in an email
discussing work matters), provided that
such document is collected for
purposes consistent with the purposes
for which the document was produced;
or
(b) the personal data is collected by the
individual’s employer and the collection
is reasonable for the purpose of
managing or terminating an
employment relationship between the
organisation and the individual.
The Third and Fourth Schedules further provide
that data collected in accordance with the
foregoing exceptions may be used or disclosed
without the individual’s consent for purposes
consistent with the purpose of collection.
Notwithstanding, on or before collecting, using
or disclosing an individual’s personal data for
the purpose of managing or terminating an
employment relationship, the individual must
be informed of:
(a) such purpose; and
(b) upon request, the contact details of a
person who is able to answer the
individual’s questions about that collection, use or disclosure on behalf
of the organisation.
In addition, the Second, Third and Fourth
Schedules also provide that personal data may
be collected, used or disclosed without the
consent of the individual or from a source other
than the individual where the collection is
necessary for an evaluative purpose.
The PDPA contains a broad range of purposes
which constitute an “evaluative purpose”. These
include: determining the suitability, eligibility or
qualifications of an individual for employment
or for appointment to office, for promotion in
employment or office or for continuance in
employment or office, and for removal from
employment or office.
20. What considerations should my
organisation have about personal data in relation
to a business asset transaction (e.g. a merger or
acquisition)?
Organisations that wish to share personal data
about employees, customers, directors, officers
or shareholders, in order to determine whether
to proceed with a transaction, may do so
without obtaining the individuals’ consent if the
“business asset transaction” exception applies,
as set out in the Second and Fourth Schedules
of the PDPA.
A “business asset transaction” is defined to
mean the purchase, sale, lease, merger or
amalgamation or any other acquisition, disposal
or financing of an organisation or a portion of
an organisation or of any of the business or
assets of an organisation (apart from the
personal data to be shared under the
exception).
Under this exception, Organisation A may
disclose personal data to Organisation B
without obtaining individual consent in the
following circumstances:
(a) the organisations are parties or
prospective parties to a business asset
transaction;
(b) the personal data is about Organisation
A’s employees, customers, directors,
officers or shareholders; and
(c) the personal data relates directly to the
part of Organisation A or its business
assets with which the transaction is
concerned.
Organisations invoking the “business asset
transaction” exception would also need to
observe the following conditions.
In the case of prospective transactions:
(a) the personal data must be necessary
for the recipient organisation to
determine whether to proceed with the
transaction; and
(b) the organisations must enter into an
agreement requiring the receiving
organisation to use or disclose the
personal data solely for purposes
related to the transaction.
Where a transaction has been entered into:
(a) the recipient organisation must only
use or disclose the personal data for the
same purposes for which the disclosing
organisation would be permitted to do
so;
(b) if any personal data does not relate
directly to the part of the disclosing
organisation or its business assets with
which the transaction is concerned,
such personal data must be destroyed
or returned; and
(c) the employees, customers, directors,
officers and shareholders whose
personal data is disclosed must be
notified that the transaction has taken
place and that their personal data has
been disclosed.
If the transaction does not proceed or is not
completed, all personal data collected must be
destroyed or returned to the disclosing
organisation.
21. Are there any exceptions for personal
data that is required for research purposes?
Yes.
While the PDPA does not define the term
“research purpose”, the Third and Fourth
Schedules of the PDPA contain an exception
providing that an organisation may use or
disclose personal data about an individual
without his/her consent where the personal
data is used or disclosed for a research purpose,
including historical or statistical research.
However, this exception only applies if all the
following conditions are met:
(a) the research purpose cannot
reasonably be accomplished unless the
personal data is provided in an
individually identifiable form;
(b) it is impracticable for the organisation
to seek the individual’s consent;
(c) the personal data will not be used to
contact persons to ask them to
participate in the research; and
(d) linkage of the personal data to other
information is not harmful to the
individual identified by the personal
data and the benefits to be derived
from the linkage are clearly in the
public interest.
In addition to the foregoing conditions, where
the organisation is disclosing the personal data,
it must also ensure that the organisation
receiving the data has signed an agreement to
comply with:
(a) the PDPA;
(b) the policies and procedures relating to
the confidentiality of personal data of
the organisation that collected the
personal data;
(c) security and confidentiality conditions
of the organisation disclosing the
personal data;
(d) a requirement to remove or destroy
individual identifiers at the earliest
reasonable opportunity; and
(e) a requirement not to use the personal
data for any other purpose or to
disclose the personal data in
individually identifiable form without
the express authorisation of the
organisation that disclosed the
personal data.
22. Is there a requirement to notify
personal data security breaches to individuals or the Commission?
No, there is presently no such requirement
prescribed under the PDPA. It remains to be
seen if the Commission will in future issue any
specific guidance on the steps that an
organisation should take to respond to, contain
and/or recover from a breach.
However, it is good practice to notify individuals
affected by a data breach so that they may take
preventive measures to reduce the impact of
the data breach.
THE DO-NOT-CALL (DNC) REGISTRY
23. What is the DNC Registry?
The DNC Registry is established under the
PDPA to address unsolicited telemarketing calls
and messages. When operational, individuals
will be allowed to register their Singapore
telephone numbers if they wish to opt out of
receiving telemarketing phone calls, text
messages and faxes from businesses. Any
organisation that makes or sends telemarketing
calls and messages will be required to check the
DNC Registry regularly in order to ensure that
recipient telephone numbers have not been
registered.
24. What types of messages are covered
by the DNC Registry?
There will be 3 separate DNC registers, one
each for voice calls, text messages (including
SMS/MMS messages) and faxes. Subscribers
who do not wish to receive specified messages
of the relevant kind(s) may register their
numbers on the respective register(s). The DNC
Registry will not cover emails or post.
The DNC Registry will cover “specified
messages”, which are generally messages
(whether in sound, text, visual or other forms)
with one or more marketing purposes. Such
purposes include:
(a) offer to supply, advertise or promote
goods or services, or a supplier or
prospective supplier thereof;
(b) offer to supply, advertise or promote
land or an interest in land, or a supplier
or prospective supplier thereof;
(c) offer to provide, advertise or promote a
business or investment opportunity, or
a provider or prospective provider
thereof; and
(d) other prescribed purposes related to
obtaining or providing information.
The Commission has clarified that the DNC
Registry is not intended to cover messages sent
for other purposes, such as service calls or
reminder messages sent by organisations to
render service bought by an individual.
Messages for pure market survey or research
and those that promote charitable or religious
causes are also not covered by the DNC
Registry. The Commission has also clarified that
business-to-business marketing calls or
messages will not be covered under the DNC
Registry.
The Eighth Schedule of the PDPA contains a list
of messages that are expressly excluded from
the DNC Registry provisions. These include
messages which have the purpose of:
(a) facilitating, completing or confirming a
transaction that the recipient has
agreed to enter into with the sender;
(b) providing warranty information,
product recall information or
safety/security information with
respect to a product or service
purchased/used by the recipient;
(c) delivering goods or services, including
product updates/upgrades as
previously agreed between the sender
and recipient;
(d) notifying a change in terms or features,
status, or account balance information,
of a subscription, membership,
account, loan or other comparable
commercial relationship involving the
ongoing purchase or use by the
recipient of goods or services offered
by the sender.
The then Minister of Information,
Communications and the Arts had previously
indicated, during the PDPA’s Second Reading in
Parliament, that specified messages sent
through smartphone applications which use
Singapore telephone numbers as an identifier
will be covered by the DNC Registry. As such, it
would appear that messages and calls sent via
smartphone applications such as WhatsApp and
Viber would be subject to the DNC Registry
rules, to the extent that recipients may be
identified using a Singapore telephone number.
25. What numbers may be registered on
the DNC Registry?
The DNC Registry will only accept registration
of Singapore telephone numbers. This includes
mobile, fixed-line, residential and business
numbers.
26. Will overseas telemarketers be affected
by the DNC Registry?
The DNC Registry provisions apply to specified
messages addressed to a Singapore telephone
number where:
(a) the sender is present in Singapore
when the message is sent; or
(b) the recipient is present in Singapore
when the message is accessed.
The Commission has clarified that if a
Singapore organisation outsources the
telemarketing function overseas, the Singapore
organisation that authorised the sending of the
message will need to comply with the DNC
Registry rules and will be responsible for the
sending of the message.
In addition, the Commission has clarified that if
both the telemarketing organisation and the
organisation that outsourced its telemarketing
function are overseas organisations, and the
recipient is overseas, the DNC Registry rules will
not apply (e.g. an overseas telecom service
operator sending promotional messages to
Singapore subscribers roaming on the overseas
telecom network will not need to check the
DNC Registry).
27. What obligations will apply to
organisations intending to send specified messages?
Organisations sending a specified message (see
question 24) to a Singapore telephone number
will be required to ensure that:
(a) they have recently checked that the
recipient number is not registered on
the relevant DNC register (within the
prescribed duration as detailed below);
(b) the message includes clear and
accurate information identifying the
sender as well as relevant contact
details; and
(c) in the case of voice calls, the sender’s
calling line identity is not concealed.
In particular, the Commission has indicated that
organisations intending to send specified
messages to Singapore telephone numbers will
be required to check the relevant register(s) at
least once every 60 days during the first 6
months of the DNC Registry’s operation, and at
least once every 30 days thereafter.
The Commission is expected to publish details
of applicable fees for checking the DNC
Registry subsequently.
Any person who contravenes (a), (b) or (c)
above will be guilty of an offence and liable to a
fine of up to S$10,000.
28. Is consent required for the sending of
specified messages?
The DNC Registry is an opt-out system and
prima facie does not require consent to be
obtained for the sending of specified messages
to unregistered telephone numbers.
In the case of registered telephone numbers, an
organisation would need to obtain clear and
unambiguous consent from the user or
subscriber, which is evidenced in written or
other accessible form, before sending specified
messages to that telephone number.
Such consent may not be made a condition for
supplying goods, services, land, interest or
opportunity beyond what is reasonable to
provide the same.
Subscribers or users who have given their
consent (before, on or after the
commencement of the DNC Registry
provisions) and subsequently register their
telephone number would not be regarded as
having withdrawn their consent.
A user or subscriber may withdraw any consent
at any time by giving notice to the organisation.
29. Will registration on the DNC Registry
expire?
Registration on the DNC Registry is permanent
until withdrawn by the user/subscriber, or until
the relevant telecommunication service linked
to the number is terminated.
In this regard, telecommunications service
providers would be required to report all
terminated Singapore telephone numbers to
the Commission. Failure to comply would
constitute an offence and the relevant
telecommunications service provider is liable to
be fined up to S$10,000.
ENFORCEMENT OF THE PDPA
30. What types of enforcement action do
organisations face for non-compliance with the PDPA?
The Commission is empowered to investigate
non-compliance with the PDPA, either upon
complaint or of its own motion (see question
31).
Where the Commission is satisfied that an
organisation is in non-compliance with the DP
framework under the PDPA, the Commission is
empowered with a wide discretion to issue such
remedial directions as it thinks fit. Without
limitation, such directions may include requiring
the organisation to:
(a) stop collecting, using or disclosing
personal data in contravention of the
PDPA;
(b) destroy personal data collected in
contravention of the PDPA;
(c) provide access to or correct personal
data (see question 32); and/or
(d) pay a financial penalty of up to S$1
million.
A contravention of the DNC Registry rules
under the PDPA is an offence, for which a fine
of up to S$10,000 per offence may be imposed
(see question 27).
31. What are the Commission’s powers of
investigation?
The Commission’s detailed powers of
investigation are set out in the Ninth Schedule
of the PDPA.
Briefly, the Commission’s powers of
investigation include:
(a) the power to require any organisation
to produce documents or information;
and
(b) the power to enter and search
premises, with or without a court
warrant.
Where the Commission seeks to enter any
premises without a warrant, it will give at least 2
working days’ written notice of the intended
entry indicating the subject-matter and purpose
of the investigation.
An organisation or person who obstructs or
impedes the Commission or its officers, or
knowingly or recklessly makes a false statement
to the Commission, or knowingly misleads or
attempts to mislead the Commission, will
commit an offence and be liable to a fine of up
to S$10,000 or to 12 months’ imprisonment or
to both (for an individual), or a fine of up to
S$100,000 (for any other case).
32. What other measures can the
Commission take to resolve complaints?
Where appropriate, the Commission can refer a
complainant and the relevant organisation to
mediation with their consent. Alternatively, the
Commission may direct the complainant and
organisation to resolve the complaint in some
other specified manner (with or without their
consent).
Where the complaint relates to an individual’s
access or correction rights, the Commission
may review the matter and (as applicable):
(a) confirm a refusal to provide access to
personal data, or direct the
organisation to provide access to
personal data within a specified time;
(b) confirm, reduce, disallow or direct a
refund of a fee levied by the
organisation for providing access or
correcting personal data; or
(c) confirm a refusal to correct personal
data, or direct the organisation to
correct personal data in a specified
manner and timeframe.
In any event, it is an offence to evade an
individual’s request for access or correction of
personal data by: disposing of, altering,
falsifying, concealing or destroying personal
data or information about the collection, use or
disclosure of personal data. An organisation or
person who commits such an offence is liable to
be fined up to S$5,000 (for an individual) or up
to S$50,000 (for any other case).
33. Can company officers be made
personally liable for the company’s non-compliance with the PDPA?
Yes, depending on the nature of non-
compliance.
The new DP framework in the PDPA does not
impose any obligation on employees in general
(which may include company officers) who are
acting in the course of their employment.
However, in the case of penal offences under
the PDPA (including DNC offences), where such
offences are committed with a company
officer’s consent or connivance, or are
attributable to the officer’s neglect, such officer
may be held personally liable for the offence
and punished accordingly.
34. How can aggrieved parties challenge
the Commission’s decisions?
The PDPA provides for aggrieved organisations
and individuals to challenge certain of the
Commission’s directions and decisions, in
particular remedial directions issued by the
Commission for breach of the DP framework
(including the imposition of financial penalties –
see question 30).
An aggrieved organisation or individual may
request the Commission to reconsider its
decision or direction. If any organisation or
individual is aggrieved by the Commission’s
reconsideration decision, it may then submit an
appeal to the Data Protection Appeal Panel.
Alternatively, an aggrieved organisation or
individual may appeal directly to the Data
Protection Appeal Panel without first
submitting a reconsideration decision.
An appeal can be made against the Data
Protection Appeal Panel’s decision to the High
Court on limited grounds, namely on a point of
law or where such decision relates to the
amount of a financial penalty.
Reconsideration applications and appeal
requests must be made within 28 days after the
issuance of the relevant direction or decision,
and it should be noted that there is no
automatic suspension of the direction or
decision concerned except where the
reconsideration or appeal concerns the
imposition of a financial penalty or the amount
thereof.
35. Are there any rights of private action
available for breaches of the PDPA?
Yes. Any person who suffers loss or damage
directly as a result of non-compliance by an
organisation with the PDPA’s DP framework
will have a right of action for relief in civil
proceedings in a court. This is provided that any
relevant infringement decision issued by the
Commission has become final as a result of
there being no further right of appeal. The court
may grant such relief as it thinks fit, including
the award of an injunction or declaration, or
damages.
36. What steps may individuals take in the
event of an organisation’s non-compliance with the PDPA?
As mentioned in questions 8 and 9,
organisations must make publicly available the
contact details of at least one data protection
officer, and must also develop a complaints-
handling process. Effectively, this would allow
individuals to be able to complain directly to the
organisation concerned in respect of any non-
compliance with the PDPA.
Alternatively, an individual may bring a
complaint to the Commission, which may then
investigate or review the matter, or direct the
parties as to an appropriate mode of dispute
resolution.
As mentioned in question 35, an individual who
has suffered loss or damage directly as a result
of non-compliance with the new DP framework
will also have a right of private action in court,
provided certain conditions are met.
Under the PDPA, individuals have a right to
request access to their personal data and
information about the ways in which their
personal data have been used or disclosed by
the organisation in the preceding 1 year, subject
to the exceptions in the PDPA (see question 12).
Individuals are also entitled to request
organisations to correct any erroneous or
incomplete personal data, subject to the
exceptions in the PDPA (see question 13).
About the Telecommunications, Media and Technology (TMT) Practice Group
Drew & Napier’s Telecommunications, Media & Technology (TMT) Practice Group is consistently ranked
as the leading IT, telecoms, broadcasting and multimedia legal practice in Singapore. The Practice Group
possesses unparalleled transactional, licensing and regulatory experience in the TMT and postal sectors,
as well as data protection law, in Singapore. The strength of the team, headed by Director Lim Chong
Kin, lies in a carefully-selected mix of more than 10 lawyers and paralegals familiar with infocomms and
media law, data protection, and sector-specific and general competition law.
The TMT Practice Group is particularly strong in its extensive work for government regulators, including
the Info-communications Development Authority (IDA) and Media Development Authority (MDA),
which are now merged as the Info-communications Media Development Authority (IMDA), the
Competition Commission of Singapore (CCS), and the Personal Data Protection Commission (PDPC). In
2016, for the 18th consecutive year, Drew & Napier’s TMT Practice Group was retained as IDA (now
IMDA)’s external legal and regulatory advisors, a record which speaks volumes for its proven ability to
deliver effective, timely and commercially-relevant solutions to its clients. The TMT Practice Group has
also acted for the MDA (now IMDA) for 14 consecutive years starting from 2002. Since 2013, Drew &
Napier’s TMT Practice Group has also been appointed as external legal and regulatory advisors to the
PDPC, which has been established to administer the Personal Data Protection Act.
The TMT Practice Group is also particularly experienced in acting for a broad range of leading
international technology industry players, several of which are major equipment manufacturers. Clients
who trust Drew & Napier on technology matters include MNCs, public listed companies, statutory
boards and some of the most established names in Singapore and internationally. We have advised and
acted for clients in drafting, reviewing and/or negotiating various technology contracts relating to
consultancy and project management, website service agreements (including privacy policies and data
management procedures), outsourcing, software integration, bespoke hardware and software, and
hardware/software maintenance. The firm’s broad client base allows it to offer unique insights on the
TMT industry from all perspectives.
Our accolades bear testimony to the quality of the Practice Group:
• Chambers Asia: standalone Band 1 TMT firm in Singapore for 2017, 2016, 2015, 2014, 2013,
2012, 2011, 2010, 2009, 2008
• Asia Pacific Legal 500: Tier 1 TMT practice for 2016/2017, 2015/2016, 2014/2015, 2013/2014,
2012/2013, 2011/2012, 2010/2011, 2009/2010, 2008/2009
• AsiaLaw Profiles: Outstanding Practice for 2017, 2016; Highly Recommended Practice for 2015,
2014 & 2013; Tier 1 (IT, Telecoms & Media) for 2012 & 2011
• Who’s Who Legal: TMT 2017, 2016 and Who’s Who Legal: Competition 2008-2016 both
recognise Chong Kin as a leading lawyer in regulatory and competition advisory work
10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315
Tel: +65 6535 0733 Fax: +65 6535 4906 www.drewnapier.com
The Drew & Napier TMT Team
Lim Chong Kin, Director, Head (Telecommunications, Media & Technology)
Chong Kin practices corporate and commercial law with strong emphasis in the
specialist areas of TMT law and competition law. He regularly advises on
regulatory, licensing, competition and market access issues. Apart from his
expertise in drafting “first-of-its-kind” competition legislation, Chong Kin also has
broad experience in corporate and commercial transactions including mergers and
acquisitions. He is widely regarded as a pioneer in competition practice in
Singapore and the leading practitioner on TMT and regulatory work. Chong Kin has won plaudits
for “[understanding] regulatory thinking like no other lawyer in the field” (Asia Pacific Legal 500);
has been recognised as “incisive, insightful and knowledgeable” (Chambers Asia Pacific 2017:
Band 1 for TMT); and has been endorsed for his excellence in regulatory work and competition
matters: Practical Law Company’s Which Lawyer Survey 2011/2012; Who’s Who Legal: TMT
2016 and Who’s Who Legal: Competition 2016. Asialaw Profiles 2016 notes: “Lim Chong Kin’s
work is consistently exceptional.”
Tel: +65 6531 4110 • Fax: +65 6535 4864 • Email: [email protected]
Charmian Aw, Director
Charmian is a Director in Drew & Napier’s TMT Practice Group. She is frequently
involved in advising companies on a wide range of corporate, commercial and
regulatory issues in Singapore. Charmian has also been actively involved in
assisting companies on Singapore data protection law compliance, including
reviewing contractual agreements and policies, conducting trainings and audits, as
well as advising on enforcement issues relating to security, access, monitoring, and
data breaches. She is also a co-chair of the International Association of Privacy Professionals
(IAPP) KnowledgeNet chapter in Singapore, and is a Certified Information Privacy Professional for
Europe, the United States, and Asia (CIPP/E, CIPP/US, CIPP/A). Charmian is recommended for
corporate-related TMT and data privacy work by The Asia Pacific Legal 500, and Who’s Who
Legal.
Tel: +65 6531 2235 • Fax: +65 6535 4864 • Email: [email protected]