The Ministry of Information, Communications and the Arts (MICA) released the proposed personal data protection bill on 19 March and invited comments from the public until 30 April.


MICA conducted two public consultations in 2011, one on the proposed data protection (DP) regime and one on the Do-Not-Call Registry (DNC). The DP regime covers the scope of the proposed DP law; related rules on the collection, use, disclosure and transfer of personal data outside Singapore; data accuracy; retention of personal data; and penalty and enforcement-related matters. Following the DP consultation, there was strong public interest and a call for a national DNC, and a DNC public consultation was conducted on 31 October 2011. Collectively, the following are the salient features of the proposed legislation, known as the Personal Data Protection Act (PDPA).


Structure


Part I deals with the preliminary matters of the act; Part II on the Data Protection Commission (DPC) and administration; Part III on the general rules on protection of personal data; Part IV on collection, use and disclosure of personal data; Part V on access to and correction of personal data; Part VI on care of personal data; Part VII on enforcement (Part III to Part VI); Part VIII on appeals to the Data Protection Commission Appeal Committee, the High Court and the Court of Appeal; Part IX on the DNC, and Part X on general matters. Note that there are 10 schedules accompanying the PDPA.


Definition of personal data


The term personal data is defined as data about an individual who can be identified from that data, or from that data together with other information to which the organization is likely to have access. Note three points about the definition: it does not differentiate between true and false personal data; it is immaterial whether a single piece of information or a group of information taken together relates to an identified or identifiable individual, as either will be considered personal data; and the term data covers both electronic and non-electronic forms of personal data.


Coverage


PDPA is a “baseline” regime that covers all private organizations, including small companies with low annual turnover. This contrasts with regimes that exclude companies below a minimum turnover, such as Australia’s, which excludes businesses with a turnover of less than A$3 million unless they are health service providers or trading in personal information. Public organizations are excluded from PDPA’s coverage; the standard the government imposes on itself for the protection of personal data may be the same as, if not stricter than, the PDPA in some cases.


Companies collecting personal data


The PDPA will cover organizations engaged in the collection, processing or disclosure of personal data within Singapore even where the organization concerned is located outside Singapore.


This wide coverage applies despite the difficulty of prosecuting a purely online entity. The approach is in line with other enacted legislation such as the Computer Misuse Act (CMA). Part I (Application) spells out in detail which personal data with a “Singapore link” is affected.


Exclusions from PDPA


The PDPA also excludes:


  • personal data contained in a record that has been in existence for 100 years;

  • a data intermediary that processes data on behalf of another party except as to the rules applicable on safeguarding the data;

  • information on deceased individuals, which is to be protected from disclosure and safeguarded for up to 10 years from the date of death, without any further obligation to retain it beyond current retention requirements;

  • business contact information unless provided in a personal context, and

  • information for educational purposes, such as examination marks and personal data in scripts and other related documents, as well as personal data handled by universities in the process of admitting students. Note that exclusions to the PDPA are contained under Section IV of the PDPA as well as in the third, fourth and fifth schedules, respectively.


Contact point of organization


PDPA requires an organization to appoint someone responsible for the organization’s compliance with the PDPA, including handling queries from the public. The organization, not the appointed individual, remains ultimately accountable for compliance with the PDPA.


Conditional supply of services or products; explicit, implied and deemed consent


Organizations are prohibited from requiring an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable as a condition for supplying a service or product to that individual. The key principle is not to prescribe in great detail the manner in which consent is given. However, organizations need to be upfront with the individual about the purpose for collecting the information, so as to avoid any misunderstanding with consumers about the implied use of the information in the future. In all cases, reasonableness is the key determinant in deciding whether an organization complies with the spirit of the PDPA. At the same time, organizations are not allowed to assume that consent is automatically given by an individual within a certain timeframe, the so-called “failure to opt out as deemed consent” option, as this exposes individuals to unnecessary risks.


Withdrawal of consent


Consent may be given to an organization that in turn outsources the processing of the data to a third party. If the individual later withdraws consent, the organization is obliged to comply with the individual’s request but not to go beyond it, so as not to overburden the organization with unnecessary compliance costs. The individual is of course free to inform the third party of the withdrawal of consent.


Penalty, enforcement regime and transitional arrangements


As in other jurisdictions, the administrative body of the PDPA, the Data Protection Commission (DPC), is given powers to issue directions to organizations found to have breached the requirements of the PDPA. An individual may commence private civil proceedings against an organization for breaching the PDPA after a final determination by the DPC on the specific complaint. A sunrise period of no less than 18 months is proposed for all organizations to comply with the PDPA after enactment.


Do-Not-Call Registry (DNC)


The DNC is contained in Part IX of the PDPA; the key points are summarized below:


  • The proposed types of messages include SMS and MMS messages but, for the time being, exclude messages delivered by post as well as those sent through cell broadcast.

  • A message is covered if it is addressed to a Singapore telephone number, regardless of where it originates or the technology used to transmit it, for example, VoIP.

  • Business numbers may be registered with the DNC only by the organization that owns the number or by its authorized employees.

  • Any individual not wishing to receive such messages must register with the DNC. Registration is free and remains in effect until withdrawn or, if associated with a telecommunication service, until that service is terminated.

  • Correspondingly, organizations are able to send messages to those who have consented to receive them. Note, however, that there is no exception for existing business relationships; organizations should leverage their existing business relationships to obtain fresh consent.

  • Senders need to provide the originating number or suitable contact information in the messages they send.

  • The DNC would adopt a “filtering” approach, under which organizations need to submit their proposed list of numbers at least once every 30 days to confirm whether any of the Singapore numbers are listed on the register. The registry would also provide a small-quantity number lookup service for businesses.


Summary


The PDPA provides a baseline platform for the management and protection of personal data against abuse, given the intrusive nature of modern communication technologies used by individuals and organizations alike. Overall, it takes a commonsensical approach, balancing the needs of the individual vis-à-vis the needs of commercial organizations without overburdening them with excessive operational costs. The key principle embedded throughout the PDPA is what a reasonable person or organization should aim for and operate by regarding the collection, use and disclosure, accuracy, protection, retention, access and correction of personal data.

