Highlights of the Singapore Personal Data Protection Act 2012
TRANSCRIPT
Profile – Short Version
Previously worked for MNCs: NMB, McDonald’s, Seagate, Maxtor & Sony
Production, Program Mgt & Business Development – Asia Pacific, Middle East & South Africa
Own Business: Database Mining Consultancy, Real Estate Agency License, PDPA Seminars & Workshops
HIGHLIGHTS
Singapore Personal Data Protection Act 2012
Contents
1) About SG PDPA Compliance
2) What is Privacy?
3) What is the Purpose & Why?
4) Penalties for non-compliance?
5) 9 Organisation Obligations
6) Do Not Call Registry
7) Summary of PDPA Compliance Framework
8) 3 Major Recommendations – Management Tools
9) Seminar on 13 Sept 2013, 2pm to 5pm, M. Hotel
Seminar – Overview
Just 4 Steps – Systematic Approach
Understanding & Compliance – Singapore Personal Data Protection Act 2012
13 September 2013, 2pm to 5pm, M. Hotel
David HK Lim
SG PDPA Compliance Resources Centre
Seminar Overview Singapore Personal Data Protection Act 2012
Contents Outline
1. What is PDPA 2012
2. Data Protection Provisions
- General Rules / Collection, Uses & Disclosure
- Access & Correction / Care of Personal Data
3. Do Not Call Provisions
4. Offences, Penalties & Civil Action
5. Summary outline of PDPA Compliance Framework
6. Ten Major Elements of an Effective Compliance Program
One Stop PDPA Solutions
• Provides One Stop PDPA Solutions
• Work with Professionals, Experts, Businessmen, Lawyers, IT Data & Security, Others in PDPA Compliance solutions
• PDPA Compliance Marketing Consultancy
• Conducts PDPA Seminars & Training Workshops
• Provides training for jobs as PDPA Compliance Officers & Managers
• Supply PDPA trained personnel to companies
• Offer PDPA solutions in IT Data Security & Management Systems
• SOP PDPA Compliance Manuals by Industry
About PDPA - Video
Your company MUST comply if it:
a) hires any employees
b) sells directly to individuals
c) collects personal data for business
d) deploys cold calls, SMS or fax marketing.
• You must appoint ONE Compliance Officer.
• The penalty for non-compliance is up to S$1 million.
• You cannot SMS, Cold Call or Fax those registered on the Do-Not-Call registry list provided by the government.
• The penalty for DNC non-compliance is S$10,000.
B2B / B2C / M2M
• B2B – Business to Business – Not applicable
• B2C – Business to Consumer – Applicable
• M2M – Machine to Machine – Applicable?
Under the SG PDPA Act 2012, Organisation means:
• Companies & Businesses
• Sole Proprietors
• Organisations, Societies & Associations
• Churches, Temples & Religious bodies
• Even Individuals included
• All – as long as Personal Data is involved – Online, On Record – Digital or Physical
WHO ARE THE MAIN PERSONNEL INVOLVED IN PDPA COMPLIANCE? AND WHY?
• Top Management – Chairman, CEO, MD & Biz Owners. Why? The penalty for non-compliance is up to S$1 million.
• Human Resources / Compliance Team – Employees’ Data / Legal Counsel / Compliance Policies.
• Sales & Marketing – Do Not Call provisions (DNC). Comply with SMS, Cold Calls & Fax regulations. Penalty S$10,000 for organisation.
• IT – Data Security & Management. Internal threats – secured & authorised access. External threats – Firewall & Cloud Computing.
• Legal / Contract Laws involving different countries, eg EU & Singapore. More than 50 countries already have PDPA laws & growing.
4 Types of Privacy
• Physical
• Communications
• Spiritual / Intellectual
• Information / Data
Type 4 – Information / Data
- Name
- Identity
- Photo
- Income
- Ethnic Group
- Gender
- Age
- Marital Status
- Educational Level
What is PDPA about?
• Singapore Personal Data Protection Act 2012
• Passed by parliament on 15 October 2012
• Governs the Collection, Uses & Disclosure and Retention & Disposal of Personal Data
• Becomes Law on 2 January 2013.
What is the purpose of PDPA?
• Safeguard individuals’ personal data against misuse
• Individuals have control over their data
• Complement sector-specific frameworks
• Enhance Singapore’s competitive advantages – data hosting & management
• To be consistent with international standards
• Complaints-based approach
What is Personal Identifiable Information?
• Individually identifiable information, eg Name, NRIC, passport, photo, credit card, bank account, DNA, thumbprint, mobile number, personal email, etc.
• Any set of matching data, eg name, address, age, telephone number, occupation, etc.
- Example 1: NRIC or Photo or Credit Card – YES
- Example 2: Name only. Mary Tan alone – NO.
- Example 3: Name with address. Mary Tan, Blk 123, Yishun St. 61, 01-123 – YES
MAJOR METHODS OF PERSONAL DATA COLLECTION
• 1) LUCKY DRAWS – RETAIL
• 2) SURVEY FORMS – INSURANCE
• 3) JOB APPLICATIONS – HR
• 4) PHOTOCOPY NRIC – REGISTRATION
• 5) ONLINE MEMBERSHIPS – INTERNET
• 6) COOKIES – EMBEDDED SOFTWARE
• 7) WARRANTY CARDS – SERVICE CENTRES
• 8) “HACKING” – ESPIONAGE
4 MAIN COMPONENTS OF PDPA – MUST REMEMBER & COMPLY
• 1) COLLECTION & CONSENT
• 2) USES & DISCLOSURE
• 3) RETENTION & DISPOSAL
• 4) DO NOT CALL REGISTRY
Personal Data of:
• Employee’s personal data (HR Dept)
• Customer’s personal data (individuals)
2 Examples – By Industries. Why must comply?
Example 1: SPAs
• HR Dept. Employees’ Personal Data involved
• Customers’ Contracts. Customers’ Individual Personal Data involved.
• Telemarketing / SMS. Individual Personal Data involved – name / mobile or telephone number
Example 2: Leisure Cruises – many countries.
• HR Dept. Employees’ Personal Data involved
• Members. Customers’ individual Personal Data involved.
• Telemarketing / SMS / Fax. Individual Personal Data involved – name / mobile or telephone number
• Transfer of Personal Data – different port of call.
Take Note: 3 Penalties of PDPA
• 1) No Compliance Policy – Penalty for organisation up to S$1 Million
• 2) Non-Compliance with Access & Correction – Penalty S$5,000 + Jail Term 12 months
• 3) Violation of Do-Not-Call provision – Penalty S$10,000 per violation
9 Obligations ALL Organisations MUST Comply With
• 1) The Openness Obligation.
• 2) The Consent Obligation.
• 3) The Purpose Limitation Obligation.
• 4) The Notification Obligation.
• 5) The Access and Correction Obligation.
• 6) The Accuracy Obligation.
• 7) The Protection Obligation.
• 8) The Retention Limitation Obligation.
• 9) The Transfer Limitation Obligation.
National Do-Not-Call Registry
• “STN”: Singapore Telephone Number, beginning with 3, 6, 8 or 9
• “Specified Message”: relating to the supply or promotion of goods & services, land, business opportunity, obtaining information, etc.
• Either Sender or Receiver in Singapore
What is the National Do Not Call (DNC) registry about & what is its coverage?
• Opt Out option for individuals NOT to receive any direct marketing
• Applicable to 3 registries:
a) Telephone Registry: Voice calls (cold calls)
b) Text Registry: SMS (text message)
c) Fax Registry: Fax
• Direct Mailing (postal mailing) not included
• Email is not included
PROPOSED FEE – ACCESS DNC
• Prepaid*: 5K – $100, 10K – $150, 25K – $350, 100K – $1,200, 250K – $2,700 & 1 Million – $10,000
• Pay-per-use fees**: 1-300 @ $0.033, 301-5K @ $0.03, 5K-10K @ $0.026, 10K-25K @ $0.024, 25K-100K @ $0.019, 100K-250K @ $0.015 & 250K-1 Million @ $0.012
Summary of PDPA Compliance Framework
• 1. Appointment of Data Protection Compliance Officer
• 2. PDPA Compliance System
• 2.1. Data Protection Policy
• 2.2. Compliance with 9 Organisation Obligations
• 2.3. Compliance with the Do Not Call Provision
• 2.4. Handling Complaints
• 2.5. Communication of Policies & Practices
• 2.6. HR issues.
3 MAJOR Recommendations for nominated Compliance Officer
Management Tools
• Design & Deploy Fact Finding Book – to manage & track whose fault – “Fault Finding Book”
• Data Encryption & Security Solutions – to manage & track digital data usage & security
• Physical Data Security Solutions – to manage & track physical documents & disposal
Seminar
• Date: 13 September 2013, 2pm to 5pm.
• Venue: M. Hotel, Anson Road.
• Fee: S$650 per pax / S$1,250 – 2 pax.
• Early Bird: S$600 per pax / S$1,225 – 2 pax. Register & pay up before 30 August 2013.
• Limited to 20 pax only.
Q & A
Thank You !!