Presented at a workshop for the Internet Society Singapore Chapter in May 2013. Visit techmusicartandlaw.blogspot.com to contact the author, or www.isoc.sg to find out more about the Internet Society in Singapore

1. Title of Show
Name of Presenter
Date
Applying the
Personal Data Protection Act
(Prepared for the Internet Society,
Singapore Chapter)
Benjamin Ang
Lecturer, Law & Management, Temasek Polytechnic
Consultant, Keystone Law Corporation
techmusicartandlaw.blogspot.com
www.isoc.sg

2. Are these practices safe under the Act?
o NUTZ Supermarket runs a lucky draw contest
and collects phone numbers and email
addresses from 100,000 customers.
1. NUTZ hires a telemarketing company to call all the
customers to offer them discount card membership
2. NUTZ shares the phone numbers with Krusty Cheese, a
large supplier of NUTZ, so that Krusty can run a sales
promotion

3. Are these practices safe under the Act?
3. Jacky, the former IT manager of NUTZ, leaves to start
his own business, and sends SMS to all customers
telling them of his new venture
4. In order to investigate CBT by Jacky, NUTZ hands over
the customer data to the police
5. Customers call NUTZ to complain, and are left on hold
because no department is prepared to handle them

4. QUICK REVISION

5. Personal Data Protection Act
o Controls the collection, storage, use and
disclosure of personal data –
• data about an individual who can be identified from
that data, or
• who can identified from that data + other information
to which the organisation has or is likely to have access
o Does not apply to actions by individuals for
personal use (s4)
o Does not apply to Business Contact Information

6. Business Contact Information
o Information not provided by the individual
solely for his personal purposes e.g.
• name,
• position name or title,
• business telephone number,
• business address,
• business electronic mail address etc

7. Consent Required
o Section 13: Organizations need consent to
• Collect personal data
• Use personal data
• Disclose personal data
o Section 14: Organizations cannot collect consent
through deceptive or misleading practices
o Section 16: Individuals can withdraw consent
that they have given to organizations

8. Where Consent is Not Required
o Section 21: Organizations
are allowed to release
personal data to law
enforcement agencies
o No changes to other
existing laws (e.g. search
and seizure under the
Criminal Procedure Code)

9. The Do Not Call Registry (Part IX)
o If a person signs up with the Do Not Call
Registry, organizations cannot call or message
that person to try to
• sell products or services
• or offer business
• or investment opportunities
o unless the person has given consent
o Also covers SMS messages (Sections 36 and 37).

10. DNC Registry – persons responsible
o “sender”, means a person —
• sends the message / makes a call,
• causes the message to be sent / call to be made, or
• authorises the sending of the message / making of the
call

11. DNC Registry - duties
o Duty to check the Register anytime within the
period of 30 days before sending the message
o Calling line identity not to be concealed
o Clear and accurate information of persons who
authorises the sending
o Contact information of individual/organisation
o Information provided to be reasonably for at
least 30 days after message is sent

12. What organisations must do
o Develop policies and
practices to ensure
compliance
o Designation of key
personnel to ensure
compliance but
organisation remains
ultimately responsible
o Staff education
o Develop a complaints
response process – e.g. a
process to take in
requests for correction of
DP and withdrawal of
consent
o Transparency to the
public regarding
information of
designated personnels
and complaints response
process
o Seek legal advice

13. What individuals can do
o Make a complaint to the
Personal Data Protection
Commission, who can
• direct them to resolve it
through mediation
(Section 27),
• or make an order against
the organization to stop
what it’s doing, destroy
the data, and pay a
penalty of up to $1 million
o If the individual wants
compensation,
• start civil proceedings in
court (Section 32)
• seek compensation or an
injunction

14. Are these practices safe under the Act?
o NUTZ Supermarket runs a
lucky draw contest and
collects phone numbers and
email addresses from 100,000
customers.
1. NUTZ hires a telemarketing
company to call all the
customers to offer them
discount card membership
2. NUTZ shares the phone
numbers with Krusty
Cheese, a large supplier of
NUTZ, so that Krusty can run
a sales promotion
3. Jacky, the former IT
manager of NUTZ, leaves to
start his own business, and
sends SMS to all customers
telling them of his new
venture
4. In order to investigate CBT
by Jacky, NUTZ hands over
the customer data to the
police
5. Customers call NUTZ to
complain, and are left on
hold because no department
is prepared to handle them