In Asia Cloud Computing Association’s Cloud Readiness Index 2012, Singapore scored the most points in areas such as data sovereignty, e-government and ICT prioritization, and intellectual property protection. However, the nation slipped from third to fourth place in the report—partly due to a low score in the area of data privacy. Although the common law and certain sectorial legislation already covered data protection, no legislation in Singapore comprehensively dealt with privacy or data protection at the date that the report was prepared.
Subsequently, on October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012 (PDPA) designed to govern the collection, use and disclosure of personal data in Singapore by any private organization, including those that are not physically located in Singapore. The PDPA came into full effect on July 2, 2014, and now all organizations that collect, use or disclose personal data in Singapore must comply with the PDPA, regardless of their place of incorporation. In this article, the first in a two-part series, we will look at the new structural framework and what organizations operating in Singapore need to consider.
First off, although the PDPA is commonly described as a “data privacy law,” it does not recognize a right to privacy; the term “privacy” does not even appear in the Act. Whereas the EU Data Protection Directive (95/46/EC) expressly states in its preamble that “data processing systems are designed to serve man; whereas they must … respect their fundamental rights and freedoms, notably the right to privacy,” Singapore has opted for a more business-friendly approach. For instance, the PDPA contains no requirement to notify affected individuals or the regulator in the event of a security breach affecting personal data.
One of the purposes of the PDPA is to “increase consumer trust and strengthen Singapore's position as a trusted global data hub.” Thus, the PDPA focuses primarily on information management and, as expressly stated in section 3 of the PDPA, its purpose is “to govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
The PDPA aims to regulate the flow of personal data, whereby consent of the individual is required before data relating to such individual may be collected, used or disclosed. The PDPA revolves around certain key obligations:
- Consent Obligation – Section 13 of the PDPA provides that collecting, using or disclosing an individual’s personal data is prohibited unless the individual gives, or is deemed to have given, consent for that collection, use or disclosure. Personal data is defined in the PDPA as any data, whether true or not, about an individual who can be identified either from that data alone or from that data together with other information to which the organization has or is likely to have access. Consent is limited to the purpose for which it was given and may be withdrawn at any time, in which case the collection, use or disclosure of the personal data must cease.
- Purpose Limitation Obligation – Section 18 of the PDPA provides that personal data relating to an individual may be collected, used or disclosed only for purposes that have been communicated to the individual or that a reasonable person would consider appropriate in the circumstances.
- Notification Obligation – Section 20 of the PDPA provides that individuals must be informed of the purposes for which their personal data will be collected, used and disclosed before that collection, use or disclosure takes place.
- Access and Correction Obligation – Sections 21 and 22 of the PDPA give individuals the right to request access to, and correction of, the personal data an organization holds about them.
- Accuracy Obligation – Section 23 of the PDPA requires organizations to make reasonable efforts to ensure that the personal data they collect is accurate and complete, if that data is likely to be used to make a decision affecting the individual or is likely to be disclosed to another organization.
- Protection Obligation – Section 24 of the PDPA requires organizations to make reasonable security arrangements to protect personal data against unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Retention Limitation Obligation – Section 25 of the PDPA requires an organization to cease to retain documents containing personal data as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.
- Transfer Limitation Obligation – Section 26 of the PDPA limits the ability of an organization to transfer personal data outside Singapore. In particular, section 26(1) provides that an organization must not transfer any personal data outside Singapore except where it can ensure that a comparable standard of protection, as provided for under the PDPA, will be maintained over any personal data that is transferred. Organizations that collect personal data overseas and host and/or process it in Singapore will in any case be subject to the PDPA from the point that such personal data is brought into Singapore.
- Openness Obligation – Organizations are required to develop and implement policies and practices to ensure compliance with the PDPA and to make information about such data protection policies and practices available. In particular, section 11 of the PDPA sets out an obligation for an organization to designate an individual responsible for ensuring its compliance with the PDPA.
To enforce the PDPA, a Personal Data Protection Commission (the “PDPC”) was created. The PDPC has a broad range of powers, including conducting investigations to verify compliance with the PDPA, ordering an organization to stop collecting, using or disclosing personal data, ordering the destruction of personal data, and imposing financial penalties of up to SG$1 million (roughly USD 800,000) for a breach of the PDPA.
Last but not least, the PDPA created a Do Not Call Registry (the DNC Registry). Organizations are prohibited from sending marketing messages, whether voice calls, text messages or fax messages, to Singapore telephone numbers registered with the DNC Registry, including mobile, fixed-line, residential and business numbers. Under the PDPA, any person or organization found guilty of sending telemarketing messages to Singapore telephone numbers without first checking the DNC Registry is liable to a fine of up to SG$10,000 per offence. The DNC Registry provisions came into force on 2 January 2014, and more than 600,000 phone numbers have already been registered.
Companies operating in Singapore or collecting personal data in Singapore need to review their information handling practices to ensure that they comply with their obligations under the PDPA, even if the data is transmitted to another country and stored in the cloud. In part two of this series, we will explore the initial impact of the PDPA and the enforcement actions initiated by the PDPC. The DNC Registry has so far attracted the largest number of complaints, as it has been in effect the longest; however, enforcement of the other provisions of the PDPA is on the rise, and the PDPC is applying them with force.