Singapore has been an early mover in personal data protection. On 15 October 2012, Parliament passed the Personal Data Protection Act 2012 ("PDPA"), established the Personal Data Protection Commission (PDPC) as the body that administers the Act, and subsequently issued a number of supporting advisory guidelines.
On 2 November 2020, Parliament passed the Personal Data Protection (Amendment) Act 2020, the first comprehensive review of the PDPA since 2012; the changes affect businesses and consumers alike. Under the amendment, organizations may collect, use and disclose personal data without consent in a wider range of circumstances, but the penalties for breaches of the Act are also more severe, and notification of data breaches becomes mandatory.
On 15 March 2021, the PDPC published revised Personal Data Protection (Notification of Data Breaches) Regulations and Personal Data Protection (Enforcement) Regulations. The Enforcement Regulations set out the newly introduced voluntary undertaking provisions of the PDPA and clarify key elements such as the PDPC's investigative procedures, the types of enforcement action and the penalties.
The scope of PDPA
The PDPA applies to every organization that collects, uses or discloses personal data in Singapore, whether or not the organization:
(a) is formed or recognized under Singapore law; or
(b) is resident, or has an office or place of business, in Singapore.
An organization can be an individual, a company, or an unincorporated body such as an association. These organizations must comply fully with the Act, with the following exceptions:
(a) individuals acting in a personal or domestic capacity;
(b) employees acting in the course of their employment (the employing organization remains responsible for their conduct);
(c) public agencies, such as Government ministries and statutory boards.
Definition of personal data
The PDPA defines personal data much as the GDPR does: data, whether true or not, about an individual who can be identified
(a) from that data alone; or
(b) from that data together with other information to which the organization has or is likely to have access.
Data that identifies an individual on its own is a unique identifier, for example a full name, passport number, phone number, facial image, voice recording or fingerprint.
Data such as gender, nationality or age cannot identify an individual on its own, but once it is combined with a unique identifier, or with other data the organization can access, so that the individual becomes identifiable, it too is personal data.
The PDPA does not apply to the following categories of personal data:
(a) the Act does not apply to personal data contained in a record that has been in existence for at least 100 years, or to personal data about an individual who has been dead for more than 10 years;
(b) for a deceased individual who has been dead for 10 years or less, only the provisions of the Act relating to the disclosure and protection of personal data apply.
The PDPA makes it clear that its data protection obligations do not apply to business contact information, defined as "an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes." An organization does not need the individual's consent to collect, use or disclose business contact information.
Under the PDPA, a data intermediary is "an organization that processes personal data on behalf of another organization but does not include an employee of that other organization." In other words, an organization that processes personal data only for another organization, and not for its own purposes, is a data intermediary, a concept very similar to the processor under the GDPR.
In respect of that processing, a data intermediary need only comply with the Protection Obligation and the Retention Limitation Obligation (and, since the 2020 amendment, must notify the organization it processes for without undue delay when it discovers a data breach). If the data intermediary collects, uses or discloses personal data for its own purposes, it must comply fully with all the data protection obligations under the PDPA.
What is “consent”?
As under the privacy laws of other countries, an organization must obtain the "consent" of the individual before collecting, using or disclosing personal data. Consent under the PDPA can be written or oral. However, the PDPC recommends an affirmative (opt-in) approach to obtaining consent. If consent is obtained by way of an opt-out mechanism, such as a pre-ticked box, there is a risk that the organization will be found not to have obtained valid consent and to have breached the Consent and Notification Obligations.
For the sending of marketing messages to numbers listed in the Do Not Call (DNC) Registry, the PDPA requires the individual's clear and unambiguous consent, evidenced in written or other accessible form.
(a) Deemed consent by conduct
Compared with the privacy laws of other countries, the PDPA has a specific type of consent under which certain conduct is treated as consent. There are two main situations:
- the individual voluntarily provides his or her personal data to the organization for a purpose, and it is reasonable that he or she would do so; or
- the individual consents to one organization disclosing his or her personal data to another organization for a purpose, in which case he or she is deemed to consent to that other organization collecting, using and disclosing the data for the same purpose.
(b) Obtain personal information from third parties
Sometimes personal data is collected not directly from the individual but through a third party. In that case the individual's consent is usually still required, but in certain exceptional circumstances it is not.
- Circumstances where the individual's consent is required for collection through a third party
When obtaining personal data from a third party, the individual's consent is usually required and can take one of two forms:
(1) the third party is validly acting on behalf of the individual and consents to the collection, use and disclosure of the personal data on the individual's behalf;
(2) the individual has consented to the third party disclosing his or her personal data to the organization.
- Circumstances where personal data may be collected through a third party without the individual's consent
(1) the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another person;
(2) the personal data is publicly available;
(3) the collection is for an evaluative purpose.
Organizations must comply with the PDPA whenever they collect, use or disclose personal data. The following are the ten obligations under the PDPA:
- Consent Obligation
Organizations must obtain the individual's consent before collecting, using or disclosing personal data, and must allow the individual to withdraw that consent on giving reasonable notice. After consent is withdrawn, the organization must stop collecting, using and/or disclosing the personal data.
- Purpose Limitation Obligation
Organizations may collect, use or disclose personal data only for the purposes the individual has been notified of and consented to, and only to the extent that a reasonable person would consider appropriate for the products or services being provided.
- Notification Obligation
Organizations must inform individuals of the purposes for which their personal data will be collected, used or disclosed on or before collecting it, and must notify them of any new purpose before using or disclosing the data for that purpose.
- Access and Correction Obligation
On request, organizations must provide individuals, as soon as reasonably possible, with the personal data about them in the organization's possession or under its control, together with information about the ways in which that data has been or may have been used or disclosed within the year before the request, and must correct any error or omission in the data on request.
- Accuracy Obligation
Organizations must make a reasonable effort to ensure that the personal data they collect is accurate and complete, particularly if it is likely to be used to make a decision affecting the individual or to be disclosed to another organization.
- Protection Obligation
Organizations must make reasonable security arrangements to protect the personal data in their possession or under their control against unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Retention Limitation Obligation
Organizations must cease to retain documents containing personal data, or anonymize the data, as soon as it is reasonable to assume that the purpose for which it was collected is no longer served by retaining it and retention is no longer necessary for legal or business purposes.
- Transfer Limitation Obligation
If an organization transfers personal data outside Singapore, for example by storing it with an overseas cloud provider, it must ensure that the recipient provides a standard of protection comparable to that under the PDPA.
- Data Breach Notification Obligation
If an organization suffers a data breach that results in, or is likely to result in, significant harm to the affected individuals, or that affects 500 or more individuals, it must notify the PDPC within three calendar days of assessing that the breach is notifiable, and must generally also notify the affected individuals where the breach is likely to result in significant harm to them.
- Accountability Obligation
Organizations must develop and implement policies and practices to meet their obligations under the PDPA, make information about those policies and their complaint-handling process available on request, and appoint at least one data protection officer whose business contact information is made available to the public.
(c) Withdrawal of “consent”
"Consent" under the PDPA can be withdrawn on reasonable notice, but attention should be paid to the method of withdrawal and its consequences: the organization must inform the individual of the likely consequences of withdrawing consent, and once consent is withdrawn it must cease collecting, using or disclosing the personal data unless another basis under the Act applies.
The Transfer Limitation
Under the PDPA, an organization may transfer personal data outside Singapore only if it has taken appropriate steps to ensure that the recipient is bound by legally enforceable obligations, such as a contract or binding corporate rules, to provide a standard of protection comparable to the PDPA, much like the GDPR's rules on international transfers.
“Do Not Call” (DNC) Registry
The "Do Not Call" registry is a distinctive feature of the PDPA. Singapore's DNC Registry began operating in 2014. Individuals who register their Singapore telephone numbers with the registry are protected from unsolicited marketing calls, text messages and faxes.
The rights granted directly to data subjects under the PDPA are the rights of access and correction. This is much narrower than the GDPR, which also grants the right to erasure (the "right to be forgotten") and the right to data portability. There are exceptions where access or correction need not be provided, and the PDPA does not impose the access and correction obligations directly on data intermediaries.
The implementation of PDPA
Singapore established the Personal Data Protection Commission (PDPC) to administer and enforce the PDPA. It has three main powers:
(a) the power to refer disputes to alternative dispute resolution, such as mediation;
(b) the power to review: on application by an individual, the PDPC may review an organization's refusal to provide access to or correction of the individual's personal data, or the fee it charges for access;
(c) the power to investigate: in certain circumstances the PDPC may investigate an organization's compliance with the Act, whether on complaint or on its own initiative.
Application in employment relationships
Employers collect employee personal data for purposes such as:
(a) managing or terminating the employment relationship, for example opening a payroll account, conducting employee training or posting employee photographs on the intranet;
(b) evaluative purposes, such as assessing suitability for employment, promotion or contract renewal.
Under the PDPA, personal data collected for the purpose of managing or terminating the employment relationship does not require the employee's consent, but the employer must still fulfil the Notification Obligation, for example by notifying employees through the employment contract or an employee handbook.