  1. Personal Data Protection Act (“PDPA”) Singapore
  2. Agenda: 1. PDPA Introduction 2. Nine Obligations relating to the Collection, Use or Disclosure 3. Do Not Call (“DNC Registry”) 4. Appeals & Penalty 5. In Conclusion
  3. 1. PDPA Introduction a. The PDPA's objective is to govern the collection, use, disclosure and care of personal data by organisations, b. in a manner that recognises and balances both i. the right of individuals to protect their personal data and ii. the need of organisations to collect, use or disclose personal data for genuine and reasonable commercial and operational purposes. c. Organisations will be given a transitional period of 18 months to comply with the PDPA before the data protection provisions enter into force (from 2-Jan-2013, projected mid-2014).
  4. 1. PDPA Introduction (cont.) Definitions of important terms a. Individuals - “a natural person, whether living or deceased”. b. Personal data - “data, whether true or not, about an individual who can be identified from that data, or other information to which the organisation is likely to have access”. c. Organisations - “any individual, corporate bodies such as companies, and unincorporated bodies of persons such as associations”. d. Collection - “any act or set of acts through which an organisation obtains control over or possession of personal data”. e. Use - “any act or set of acts by which an organisation uses personal data. A particular use of personal data may occasionally include collection or disclosure that is necessarily part of the use”. f. Disclosure - “any act or set of acts by which an organisation discloses, transfers or otherwise makes available personal data that is under its possession to any other organisation”. g. Purpose - “does not refer to activities which an organisation may intend to undertake but to its objectives or reasons relating to personal data”. h. Reasonableness - “any act based on what a reasonable person would consider appropriate in the circumstances”.
  5. 2. Nine Obligations relating to the Collection, Use & Disclosure of Personal Data 1) The Consent Obligation 2) The Purpose Limitation Obligation 3) The Notification Obligation 4) The Access & Correction Obligation 5) The Accuracy Obligation 6) The Protection Obligation 7) The Retention Limitation Obligation 8) The Transfer Limitation Obligation 9) The Openness Obligation
  6. 2. Nine Obligations (cont.) 1) Consent obligation a. An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose. I. Provision of Consent i. Consent cannot be tied to a product or service. ii. An organisation cannot attempt to collect, use or disclose personal data by providing false information. II. Deemed Consent i. An individual voluntarily provided his personal data. ii. The individual was aware of the purpose for which the personal data was collected. III. Withdrawal of Consent i. An individual must give reasonable notice of the withdrawal to the organisation. ii. On receipt of the notice, the organisation must inform the individual of the consequences. iii. An organisation must not prohibit an individual from withdrawing consent, although this does not affect any legal consequences arising from such withdrawal. IV. Collection, Use & Disclosure Without Consent i. Generally available to the public ii. National interest
  7. 2. Nine Obligations (cont.) 2) Purpose limitation obligation a. An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. b. The main objective is to ensure that organisations collect, use and disclose personal data only for purposes that are reasonable. Example: A fashion retailer is conducting a membership drive. It states in the membership registration form that the purposes for which it may use the details provided by individuals who register include providing them with updates on new products and promotions. In this case, providing updates on new products and promotions may be a reasonable purpose for a fashion retailer.
  8. 2. Nine Obligations (cont.) 3) Notification obligation a. An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data. b. The circumstances in which it will be collecting the personal data. c. The amount of personal data to be collected. d. The frequency at which the data will be collected. Example: Maya signs up for a spa membership over the Internet. The terms and conditions for the spa membership outline and explain how Maya's personal data will be used and disclosed. For example, they state that Maya's address details will be used for sending her a spa membership card and other communications from the spa. Maya clicks on the “Accept” button at the bottom of the terms and conditions to indicate her acceptance of, and agreement to, the terms and conditions. In this case, the spa has obtained Maya's consent for the collection, use and disclosure of her personal data in connection with the stated purposes.
  9. 2. Nine Obligations (cont.) 4) Access & Correction Obligation a. An organisation must, upon request, provide an individual with his or her personal data and also information about the ways in which the personal data may have been used or disclosed during the past year. b. Upon a correction request from an individual, the organisation is required to consider, on reasonable grounds, whether the correction should be made. c. Correct the data as soon as practicable and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction request was made. Example: Maya makes an access request to her spa, requesting information relating to how her personal data has been used or disclosed. The request was made on 5th February 2013. The spa is only required to provide information on how her personal data has been used or disclosed within the past year – that is, the period from 6th February 2012 to the date of the request, 5th February 2013.
  10. 2. Nine Obligations (cont.) 5) Accuracy obligation a. An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely: i. to be used by the organisation to make a decision that affects the individual to whom the personal data relates, or ii. to be disclosed by the organisation to another organisation. Example: Nick applies for a home loan from a bank. The bank asks Nick to provide relevant details such as his name, address, current employment status and income, in order to assess whether to provide the loan to Nick. Related to this, the bank asks Nick to provide supporting documents including an identity document and his most recent payslip, in order to verify the information provided by Nick. It also asks Nick to declare that the information he has provided is accurate and complete. In this scenario, the bank has made a reasonable effort to ensure that the personal data collected from Nick is accurate and complete.
  11. 2. Nine Obligations (cont.) 6) Protection obligation a. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. b. It might be useful for organisations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate. Example: In the employment context, it would be reasonable to expect a greater level of security for highly confidential employee appraisals as compared to more general information about the projects an employee has worked on.
  12. 2. Nine Obligations (cont.) 7) Retention limitation obligation a. An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that: i. The purpose for which the personal data was collected is no longer being served by retention of the personal data. ii. Retention is no longer necessary for legal or business purposes. iii. Personal data should not be kept by an organisation “just in case” it may be needed. Example: A dance school has collected personal data of its tutors and students. It retains and uses such data (with the consent of the individuals), even if a tutor or student is no longer with the dance school, for the purpose of maintaining an alumni network. As the dance school is retaining the personal data for a valid purpose, it is not required to cease to retain the data under the Retention Limitation Obligation.
  13. 2. Nine Obligations (cont.) 8) Transfer limitation obligation a. An organisation shall not transfer any personal data to a country or territory outside Singapore unless the organisation provides a standard of protection to personal data. b. Transferring organisations must further ensure that receiving organisations have in place appropriate internal policies governing their employees, agents and sub-contractors who have access to any personal data received by the receiving organisation from a transferring organisation.
  14. 2. Nine Obligations (cont.) 9) Openness obligation a. An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information. b. To develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA. c. To communicate with its staff, informing them about its data protection policies and practices. d. To make information available on request about its data protection policies and practices and its process to receive and respond to complaints.
  15. 3. Do Not Call Registry (“DNC Registry”) a. This Act provides for the setting up of a DNC Registry, which will allow individuals to register their phone numbers to opt out of marketing or premium service messages from organisations. b. Organisations will be required by law to check with the registry and ensure that they do not send messages to the numbers registered unless they have obtained clear and explicit consent. c. Exceptions such as messages without commercial elements would not be covered by the DNC Registry at this stage. For example, messages: - Promoting political, national programs - For voluntary service, like requesting donations, charitable causes - To provide information like warranty, security, goods delivery - To conduct market research or market surveys
  16. 3. Do Not Call Registry (cont.) a. The DNC registry accepts registration of Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, but overseas telephone numbers are not registered. b. Sending of Business-to-Business (B2B) marketing messages is not currently covered by the requirements relating to the DNC registry. Example: John calls an employee of ABCD Childcare Pte Ltd (“ABCD”), Mary, through her business contact number (which John obtained from ABCD’s website) to promote a product which he thinks ABCD would purchase for use at its childcare centres. Such a call is not a specified message for the purposes of the Do Not Call Provisions. PDPA - Do Not Call: phone calls, fax messages. Spam Control Act: email, text messages, MMS messages. Physical mail.
  17. 3. Do Not Call Registry (cont.)
  18. 4. Appeal & Penalty Enforcement. Appeal a. After the Sunrise Period, the DPC (Data Protection Commission) is authorised to conduct investigations to review complaints, or initiate investigations of its own accord. i. Appeal from direction or decision of Commission ii. Appeals to High Court and Court of Appeal. Penalty a. A District Court will have authority and power to impose the full penalty or punishment in respect of the offence. b. Any person guilty of an offence under this Act shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or both. c. In the case of a continuing offence, to a further fine not exceeding $1,000 for every day. d. For an organisation, a financial penalty of an amount not exceeding $1 million.
  19. 5. In Conclusion a. Purpose & objective of the PDPA. b. Rules and regulations of the DNC registry. c. The DNC Registry is expected to be ready for public registration by early 2014, with personal data protection coming into force in mid 2014. d. The requirement of at least one designated individual within each organisation to be responsible for compliance with the PDPA (“Data Protection Officer”).