The Personal Data Protection Act 2012 (Act) was passed by the Singapore Parliament on 15 October 2012 and came into effect in Singapore on 2 January 2013. One major component of the Act was to put in place general data protection provisions (the Data Protection Provisions) that apply to all organizations operating in the private sector in Singapore. Previously, only limited confidentiality obligations existed in Singapore under certain sector specific legislation.
The other major component of the Act was the introduction of a Do Not Call Registry (DNC Registry), which gives individuals a way of opting out of receiving unsolicited marketing messages by registering their Singapore telephone numbers with the DNC Registry.
Parliament recognized that organizations would need time to put in place the necessary processes and procedures to ensure compliance with the Act and that the Personal Data Protection Commission (the Commission) – the body established to administer and enforce the Act – would need time to engage and build awareness on the requirements imposed by the Act. Due to this, the provisions of the Act relating to the DNC Registry only came into force on 2 January 2014, while the Data Protection Provisions will come into force on 2 July 2014.
1. Who is Affected?
The Act applies to all organizations in Singapore (except for organizations in the public sector), as well as to organizations located outside Singapore that collect, use, or disclose personal data within Singapore.
2. What are the Requirements Imposed by the Act?
As the provisions of the Act relating to the introduction of the DNC Registry have already come into force, organizations are now required under the Act to check with the DNC Registry and ensure that they do not send any marketing messages (in the form of voice calls, text, or fax messages) to Singapore telephone numbers registered on the DNC Registry unless they have obtained clear and unambiguous consent from the owner of the registered telephone number. While there are exceptions to this requirement, such as messages without commercial content or where there is an ongoing commercial relationship, organizations that engage in marketing activities should take steps to ensure compliance with the Act.
Data Protection Provisions
Since the Data Protection Provisions become effective in just a few months, organizations should ensure that they take the necessary steps now to ensure compliance with the obligations imposed by the Act once they come into force. Ultimately, an organization should aim to develop and implement policies, procedures and practices necessary to fulfill the obligations imposed by the Act.
Under the Act, “personal data” is defined as “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.” The Act will apply to all personal data collected, used, or disclosed in Singapore. As such, organizations that collect personal data overseas and host and/or process it in Singapore will still be subject to relevant obligations under the Act from the point that such personal data is brought into Singapore.
The Act imposes on organizations the same obligations regarding personal data processed on their behalf and for their purposes by a data intermediary (a service provider, for example) as if the personal data were processed by the organization itself. However, a data intermediary that processes personal data on behalf of and for the purposes of another organization pursuant to a contract which is evidenced or made in writing will only be subject to the Data Protection Provisions relating to protection of personal data and retention of personal data and not any of the other Data Protection Provisions.
Pursuant to the Data Protection Provisions, organizations must:
Appoint at least one data protection officer. Organizations are required by the Act to designate at least one individual within the organization to be responsible for ensuring that the organization complies with the Act.
Obtain consent for collection, use, and disclosure of personal data. Organizations may not collect, use, or disclose personal data about an individual unless:
the affected individual(s) gives or is deemed to have given consent to the collection, use, or disclosure of such personal data
such collection, use, or disclosure is duly authorized under the Act
the collection, use, or disclosure is required by law.
An individual is deemed to consent to the collection, use, or disclosure of personal data by an organization for an identified purpose if the individual voluntarily provides the personal data to the organization for that purpose, and it is reasonable that he or she would do so.
While consent can be obtained in a number of different ways, as a matter of good practice, organizations should obtain consent in writing or in a manner in which the consent is recorded and can be easily retrieved for future reference. It should also be noted that consent is not validly given under the Act if the organization fails to inform the individual of the purposes for which his or her personal data is being collected, used, or disclosed.
Keep affected individual(s) informed and ensure that the underlying purpose is reasonable. The Act requires organizations to inform affected individual(s) of the purpose behind the collection, use, or disclosure of the personal data. Further, the purpose behind the collection, use, or disclosure of the personal data must be considered appropriate by a reasonable person under the circumstances.
Ensure accuracy, completeness, and implementation of reasonable security arrangements. Under the Act, the organization must make reasonable efforts to ensure that the personal data it collects is accurate and complete. The organization must also protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
Provide access and correction rights. Organizations must provide the affected individual(s) with the means to:
request their personal data that is in the possession or control of the organization
obtain information about the use of such data, as well as the identity of any third parties to whom the data has been disclosed
request the correction of any inaccurate data.
Not retain personal data longer than necessary. Organizations will no longer be permitted to retain personal data for an indefinite period of time. Under the Act, organizations must put in place procedures to ensure that the records of personal data cease to be retained as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for legal or business purposes.
Not transfer any personal data outside Singapore except in compliance with the Act. Under the Act, an organization will only be permitted to transfer personal data outside Singapore if it ensures that the receiving organizations outside Singapore provide a standard of protection for the transferred personal data that is comparable to the protection provided under the Act.
3. What are the Penalties for Non-Compliance with the Act?
Both criminal and civil sanctions are available for non-compliance with the Act. Vicarious liability also attaches under the Act: an organization is responsible for any violation of the Act committed by its employees in the course of their employment, irrespective of whether the violation was committed with the knowledge or approval of the employer.
Violations of the DNC Registry provisions of the Act constitute an offense, and persons in breach may be liable upon conviction to a fine not exceeding SGD10,000 per breach. Violations of the Data Protection Provisions are dealt with by the Commission, which is empowered under the Act to issue directions to the organization in breach and to impose financial penalties of up to SGD1 million for such violations.
Officers of a body corporate may also face criminal liability under the Act for offenses committed by the body corporate where the offense is committed with the consent or connivance of the officer or is attributable to the officer's neglect. Upon conviction, certain offenses under the Act are punishable by imprisonment for up to 12 months, while more serious offenses are punishable by imprisonment for up to three years. Depending on the offense, fines of up to SGD100,000 may also be imposed, either instead of or in addition to a term of imprisonment.