Overview of the Regulatory Framework of Data Protection
Singapore
A. Personal Data Protection Act 2012
The Singapore Personal Data Protection Act 2012 (“Singapore PDPA”) is the principal legislation regulating the collection, use, and disclosure of personal data by organizations in Singapore. The Singapore PDPA is administered by the Personal Data Protection Commission (the “PDPC”) which is part of the Infocomm Media Development Authority, under the purview of the Ministry of Communications and Information.
The Singapore PDPA does not apply to personal data that is contained in a record that has been in existence for at least 100 years; or to personal data about a deceased individual who has been dead for more than ten years.
Parts III and IV of the Singapore PDPA also exclude the application of its main data protection provisions (i.e., provisions governing the collection, use, disclosure, access, retention or cross-border transfer of personal data – the “Data Protection Provisions”) to:
- any individual acting in a personal or domestic capacity;
- any employee acting in the course of his or her employment with an organization;
- any public agency or organization acting on behalf of any public agency; and
- business contact information (name, position name or title, business telephone number, business address, business e-mail address, or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes).
Categories of Protected Data
(a) Personal data
The Singapore PDPA defines “personal data” as data, whether true or not, about an individual who can be identified from that data; or from that data with other information to which an organization has or is likely to have access.
(b) Sensitive personal data
The Singapore PDPA does not have a separate category or definition for “sensitive personal data” but the concept is introduced in recent advisory guidelines and decisions issued by the PDPC.
Key Concepts under the Singapore PDPA
The Singapore legislation uses generic terms for data controllers, data subjects, and data processors. They are:
- (a) “Organization,” which broadly covers any individual, company, association, or body of persons, corporate or unincorporated, that carries out activities involving personal data whether or not (i) they are formed or recognized under the laws of Singapore; or (ii) are resident or have a place of business in Singapore.
- (b) “Individual,” referring to a natural person, whether living or deceased.
- (c) “Data intermediary,” referring to an organization which processes personal data on behalf of another organization but does not mean an employee of that other organization.
The terms “process” or “processing” mean the carrying out of any operation or set of operations in relation to personal data, and include recording, holding, organization, adaptation or alteration, retrieval, combination, transmission, erasure, or destruction of personal data.
1. Data Protection Provisions
The Singapore PDPA focuses on three main concepts:
- Consent: Organizations may collect, use, or disclose personal data only with the individual’s knowledge and consent (with exceptions);
- Purpose: Organizations may collect, use, or disclose personal data in an appropriate manner in particular circumstances, but only if they have informed the individual of the purposes for the collection, use, or disclosure; and
- Reasonableness: Organizations may collect, use, or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
In line with the concepts above, the Data Protection Provisions of the Singapore PDPA set out nine main obligations with which organizations must comply if they undertake any activities relating to the collection, use, or disclosure of personal data. Each of these obligations is explained in comprehensive detail in the Key Concepts Guidelines issued by the PDPC. In summary, these guidelines lay out the following obligations:
- General rules (Part III): An organization must develop and implement appropriate policies and practices to meet obligations under the Singapore PDPA; accept and respond to complaints; communicate to staff regarding the policies and practices; and make such information available on request.
- Collection, use, and disclosure of personal data (Part IV): When handling personal data, an organization must have reasonable purposes, provide notification of such purposes, and obtain prior consent from individuals for the collection, use, or disclosure of personal data.
- Access and Correction (Part V): An organization must, upon request, allow individuals to access and correct their personal data and provide information about the ways in which the data has been used/disclosed during the year before the request. An organization must carry out the requested correction unless such a request can be refused in line with prescribed exceptions under the Singapore PDPA.
- Care of personal data (Part VI): An organization must take care of personal data (which relates to ensuring accuracy of data), protect personal data (including protection in the case of cross-border transfers), and not retain any personal data no longer needed.
2. Transfer of personal data outside of Singapore
The cross-border transfer of personal data is subject to the following restrictions:
- (a) the transferring organization must comply with the Singapore PDPA while the transferred personal data remains in its possession; and
- (b) the transferring organization must ensure that the recipient is bound by legally enforceable obligations to afford the data a standard of protection that is at least comparable to that under the Singapore PDPA.
The mechanisms to achieve the above include obtaining the individual’s prior consent for the overseas transfer; entering into a data transfer agreement imposing on the recipient of the data a standard of protection that is comparable to that under the Singapore PDPA (data users may refer to model clauses recommended by the PDPC for this purpose); or relying on one of the circumstances listed under the Singapore PDPA in which the transfer is necessary.
3. Data intermediary’s liability
The Data Protection Provisions are generally imposed on organizations and not the data intermediaries. Data intermediaries are only independently subject to the Data Protection Provisions relating to protection and retention of personal data and not to any other Data Protection Provisions.
As such, although processing of the data may be carried out by a third-party data intermediary, the organization will remain fully responsible in respect of the personal data processed on its behalf, as if the personal data had been processed by the organization itself.
Therefore, when engaging a third-party service provider or contractor to process data on its behalf, an organization should ensure that the responsibility and scope of work of the service provider are clearly stipulated in the contract in compliance with the Singapore PDPA. In addition, it is good practice for the organization to undertake an appropriate level of due diligence beforehand, to ensure that the potential data intermediary is capable of complying with the Singapore PDPA.
4. Do-not-call Registry
In addition to data protection, the Singapore PDPA also provides for the establishment of a national Do Not Call (“DNC”) Registry which allows individuals to register their Singaporean telephone numbers to opt out of receiving any marketing phone calls, mobile text messages, or faxes from any organizations in Singapore (“DNC Provisions”).
Among others, organizations must comply with the following stipulations when sending marketing messages to any Singapore telephone numbers:
- Check the relevant DNC registries to confirm the telephone number is not listed, unless clear and unambiguous consent for the sending of such messages has been given;
- Provide information identifying the sender of the marketing message and how the recipient can contact the sender; and
- Neither conceal nor withhold the calling line identity of the sender of the marketing message.
The PDPC has also issued extensive Advisory Guidelines on the DNC Provisions to help businesses comply with these provisions. Among others, the guidelines set out the types of messages that are covered and excluded from the DNC Provisions, the time period to retain documentary evidence of individuals’ consent to marketing messages, and other related matters.
5. Obligation to appoint a data protection officer
Every organization is required to appoint at least one data protection officer (“DPO”) to oversee the data protection responsibilities within the organization and ensure compliance with the Singapore PDPA. The registration of DPOs with the PDPC remains a voluntary (though recommended) procedure.
B. Sector-specific obligations
Certain categories of data are subject to sector-specific legislation, such as customer information obtained by financial institutions under the Banking Act (Cap. 19) and user information under the Securities and Futures Act (Cap. 289), both of which are under the purview of the Monetary Authority of Singapore.
These sector-specific laws operate alongside the Singapore PDPA. In other words, in handling personal data, organizations have to comply with the Singapore PDPA in addition to the specific requirements applicable to their respective industry. In the event of any inconsistency, the Singapore PDPA provides that the provisions of the sector-specific laws will prevail.
To address the unique issues that may arise in certain specific sectors, the PDPC has also issued, in consultation with industry players, advisory guidelines for:
- (a) Telecommunications;
- (b) Real estate agencies;
- (c) Education;
- (d) Health care; and
- (e) Social services.