The Personal Data Protection Act 2012 (“PDPA“), which applies to all private organisations that collect or process personal data in Singapore will be implemented in two phases. The first phase, which was implemented on 2 January 2014, established a Do-Not-Call (“DNC“) registry, allowing persons to opt out of telemarketing activities by registering their Singapore telephone numbers with the DNC registry. The second phase, governing the collection use and disclosure of personal data, is scheduled to come into effect on 2 July 2014.
This article highlights some of the key points that organisations need to consider in preparing to comply with the personal data protection provisions under the PDPA.
What is personal data
Personal data is any data which can be used by an organisation to identify an individual, either on its own or together with other information to which that organisation has access. It expressly excludes business contact information, e.g. as contained in a business card, unless the card is given by an individual for a personal purpose (except where business contact information is specifically referred to in the PDPA).
How does the PDPA protect personal data
The PDPA comprises rules governing the collection, use, disclosure and care of personal data and requires organisations to have a legitimate and reasonable purpose for their collection, use or disclosure of personal data and to obtain the informed consent of an individual prior to the collection, use or disclosure of his personal data.
Organisations must also take steps to duly verify and protect personal data collected and to remove such data when it is no longer required.
Individuals must further be allowed to access and correct their personal data and to withdraw any previously provided consent.
How should organisations prepare to comply with the PDPA
Fundamentally, organisations must adopt and implement appropriate internal policies and practices relating to their collection, use or disclosure of personal data which are reasonable and relevant to their business needs and compliant with the provisions of the PDPA, by 2 July 2014. Organisations may continue to use personal data which has been collected before 2 July 2014 for the purposes it was collected, unless the individual has withdrawn consent. However if the purpose has changed, new consent will need to be obtained.
Organisations must also appoint a Data Protection Officer (“DPO“) to be overall responsible for their compliance with the provisions of the PDPA.
The basic steps that organisations should take are further detailed below.
Review of personal data usage requirements and existing personal data collection and management procedures
To determine the appropriate measures to be adopted to comply with the PDPA, an organisation should first review and determine:
- the type of personal data that it reasonably needs to collect, use or disclose for purposes of its business and for what legitimate purpose
- how such personal data is collected and retained
- what its existing policies and procedures and applicable contractual documentation and/or terms and conditions (including application forms, employment contracts, contracts with third party service providers and website user terms and conditions) provide in terms of personal data usage and protection
- who the personal data has been disclosed to
- where and how the personal data is kept and secured.
Prepare appropriate personal data protection policies and procedures
Once the review of existing personal data usage and management processes is complete, organisations should proceed to prepare appropriate personal data protection policies and procedures to fill any gaps to ensure compliance with the PDPA.
Information on these personal data protection policies and procedures must be made available on request.
This may be done by publishing such policies and procedures online. Organisations are also advised to regularly review and update these data protection policies to meet their changing business requirements.
Implement procedures for obtaining consent
An organisation must ensure that it has obtained consent from individuals for the collection, use and disclosure of the individuals’ personal data whenever required under the PDPA.
There is no prescribed means of obtaining consent but organisations are advised to obtain consent through a positive action of the individual, for example, by signing or ticking against a check-box in a form, instead of deeming consent through an individual’s failure to opt out.
Where consent is obtained verbally, organisations should subsequently confirm with the individual, in writing, that such consent had been given.
Organisations that obtain personal data of an individual from a third party source, such as a member’s referral programme, should take steps to verify that the source has the consent of the individual to release the information for the intended use.
Notify individuals of the purposes for collection, use and disclosure of personal data
Organisations are required to inform individuals of the purposes for which their personal data will be collected, used and disclosed, on or before such collection, use and disclosure.
The PDPA, again, does not prescribe a specific form or manner of providing such notification. Instead, organisations should determine the most appropriate way of doing so, considering factors such as (i) the circumstances in which it will be collecting the personal data, (ii) the frequency of collecting such data and (iii) the amount of personal data to be collected.
If an organisation wishes to notify individuals of the purposes for collection, use and disclosure of personal data through its data protection policy, it should provide the individual with an opportunity to view the data protection policy before collecting the relevant data.
Organisations should also take note of individuals who do not have the legal capacity to give consent e.g. individuals covered under the Mental Capacity Act or minors.
Ensure that personal data collected is accurate and complete
The PDPA requires organisations to take reasonable efforts to ensure that personal data collected is accurate and complete if the organisation is likely (i) to use such data to make a decision affecting the individual or (ii) to disclose such data to another organisation.
What amounts to a “reasonable effort” would depend on the circumstances. In most instances, organisations may presume that personal data provided directly by an individual is accurate. However, if personal data is collected from a third party source, it would be advisable to obtain confirmation from such source that it has verified the accuracy and completeness of the data.
Organisations should note that they are not entitled to impose a charge for the correction of personal data, as it is the organisation’s obligation under the PDPA’s Accuracy Obligation to obtain accurate and complete personal data.
Adopt security measures to protect personal data
The PDPA also obliges organisations to make reasonable security arrangements to protect personal data in its possession. In determining the type of security arrangements necessary, organisations should consider factors such as the nature of the personal data collected, the form in which it has been collected and the possible impact to the individual concerned in the event of a security breach. For example, organisations would be expected to provide a higher level of security for employee appraisals, as compared to more general information about the types of projects an employee has participated in.
Develop a retention policy for personal data
Under the PDPA, an organisation is are not allowed to retain personal data where it no longer has any legal or business reasons for doing so.
Accordingly, organisations need to regularly review personal data in their possession to determine if such data is still needed. It may also be necessary for organisations to implement different retention periods for different types of personal data.
Personal data which is no longer required should be deleted or anonymised or documents containing such data should be destroyed or returned to the individual concerned.
Facilitate the withdrawal of consent
Organisations must allow and facilitate the withdrawal of consent by individuals who have previously given consent to the collection, use or disclosure of their personal data.
To achieve this, organisations should make their consent withdrawal policies easily accessible, for example, by publishing the same on their websites.
The consent withdrawal policy should explain how to submit a notice of withdrawal of consent, as well as allow an individual to withdraw consent for optional purposes, without concurrently withdrawing consent for other purposes necessary to facilitate the supply of particular goods or services by an organisation.
Respond to complaints and requests for access to and correction of personal data
Organisations are required to develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA and to make information on such processes available on request.
In addition, organisations should develop procedures to respond to requests for access to or correction of personal data in its possession.
An individual may request an organisation to provide information about the ways in which the individual’s personal data has been or may have been used or disclosed by the organisation within a year before the date of the request.
In order to handle such requests, organisations are advised to properly document the ways in which personal data is used and the identity of other parties to whom they may have disclosed such personal data.
Appointment of Data Protection Officer
All organisations that manage personal data are required to appoint at least one person as a DPO to be responsible for the organisation’s compliance with the PDPA. The job scope of the DPO may include the following:
- addressing queries or complaints regarding personal data from customers and employees;
- communicating internal personal data protection policies and processes to customers and employees; and
- liaising with the Personal Data Protection Commission (established under the PDPA), if necessary.
It is not necessary to employ another individual to be the DPO, as an existing employee may take on the role of DPO, i.e. as one of his or her overall responsibilities.
Organisations must make the business contact information, such as the email address, mailing address and telephone number, of the DPO available to the public.
Communicate and train employees on applicable personal data protection policies and procedures
Once an organisation has finalised its data protection policies and procedures, it must communicate information about such measures to its employees and train them appropriately on the implementation of such measures.
To be ready for the new personal data protection laws in Singapore, organisations need to review their existing personal data collection and management policies and processes, identify areas of non-compliance, make and implement the necessary changes to facilitate compliance with the PDPA and communicate these new measures to their employees. Organisations that have yet to take these steps are advised to do so immediately, to meet the impending deadline of 2 July 2014.
This update is provided to you for general information and should not be relied upon as legal advice.