About PDPA

All You Should Know About Protecting Data

 

 

Enforcement of PDPA

Introduction

The PDPA allows the PDPC to make sure organisations follow the Do Not Call (DNC) provisions. The Act came into effect in phases, with the DNC Registry provisions on 2 January 2014 and the main data protection provisions on 2 July 2014, to give organisations time to transition. Now that the transition period is over, the PDPC can conduct investigations to see if organisations comply with the Act. It can do so purely at its own discretion or when it receives a complaint.

There are various ways the PDPC can investigate. Its officers can call or email while posing as an ordinary customer. So it is best that your organisation gets PDPA-ready. As the saying goes, do not get caught with your pants down.

The Personal Data Protection Act 2012 (PDPA) empowers the PDPC to investigate and enforce the Do Not Call (DNC) provisions.

The PDPA was enforced in phases. The provisions relating to the DNC Registry came into effect on 2 January 2014 and the provisions relating to the main data protection on 2 July 2014. After the transition period, the PDPC may conduct investigations – upon complaint or on its own accord – to determine whether an organisation is complying with the Act.

Enforcement of the Do Not Call Registry Provisions

The DNC Registry is in place because telemarketing calls, text messages and faxes were increasing and people were getting tired of such marketing tactics. You can opt out by registering with the DNC Registry. You will only continue to receive such calls, texts or faxes if:

  • You have, of your own accord, agreed to receive such calls, texts or faxes.
  • You have a current relationship with the organisation and the organisation is providing you with ongoing updates, e.g., a change in its terms, so as to maintain this relationship. Such messages are usually not marketing or sales oriented.
  • Someone is acting in a personal capacity.
  • You are expecting a delivery of goods or services and provided your contact details as part of a transaction. Example: You ordered a Pizza Hut delivery and Pizza Hut contacted you.
  • A third party is engaged by the organisation to deliver products or services you purchased. Example: You ordered food from a particular restaurant and Panda Food contacted you.
  • A public agency is promoting a non-commercial programme. Example: You receive a call for a census survey.

Essentially, if you have a marketing and commercial message to send to someone, make sure the person:

  • Is not on the DNC list; or
  • Has given you consent to contact him/her and has not unsubscribed from your list; or
  • Is receiving only non-commercial updates, not promotional or commercial messages, if the person has opted out of your mailing or contact list.

It is the duty of the organisation to:

  • Before calling anyone, double-check that the number is not listed on the DNC list; and
  • Identify itself to the recipient of the message and state how the recipient can contact the organisation.

A breach of the DNC provisions can get you a fine of up to $10,000 for each offence. The PDPC has the power to compound the offence for a sum of up to $1,000.

The aim of the DNC Registry is to reduce the number of unwanted telemarketing calls, marketing text messages and faxes. Registering your number on the registry does not stop non-telemarketing calls, text messages and faxes and some types of telemarketing calls, text messages and faxes, which may include:

  • Calls, text messages and faxes from businesses to which you have given your consent to receive telemarketing calls, text messages and/or faxes;

  • Calls, text messages and faxes solely to provide you with periodic updates on your account statement, to notify you of a change in the terms or features of your ongoing commercial relationship with them or otherwise, text or fax messages from organisations with whom you have an ongoing relationship, and the purpose of the text or fax message is related to the subject of the ongoing relationship;

  • An individual acting in a personal or domestic capacity;

  • An organisation which is delivering goods or services, including product updates or upgrades, that the recipient of the message is entitled to receive under the terms of a transaction that the recipient had previously entered into with the sender;

  • An organisation which is facilitating, completing or confirming a transaction that the recipient of the message has previously agreed to enter into with the sender; and

  • Public agencies promoting any programme carried out by any public agency which is not for commercial purpose.

For the list of messages that are excluded under the DNC Registry Provisions, please refer to the Eighth Schedule of the Act. You may also wish to refer to the Advisory Guidelines on the Do Not Call Provisions for further information.

An organisation that breaches any of its duties under the DNC provisions in the Act commits an offence and is liable on conviction to a fine of an amount not exceeding $10,000 for each offence. In appropriate cases, the PDPC has the power to compound the offence for a sum of up to $1,000. In brief, these duties include the following:

  • Duty to check the DNC Registers — before a person sends a telemarketing message to a Singapore telephone number, the person must check with the DNC Registers established by the PDPC under the Act to confirm that the number is not listed on a DNC Register, unless the person has obtained clear and unambiguous consent in evidential form from the user or subscriber of the number (section 43 of the Act); and

  • Duty to identify the sender of a message — when sending a specified message to a Singapore telephone number, the person must:

    i. include information identifying the sender and how the recipient can contact the sender (section 44 of the Act); 
    ii. for voice calls, not conceal or withhold from the recipient the sender’s calling line identity (section 45 of the Act).

 

Enforcement of the Data Protection Provisions

When an organisation is in breach of the PDPA, apart from a possible financial penalty not exceeding $1 million, it needs to rectify or make good the breaches. The PDPC can direct the organisation to:

  • Cease collecting, using or disclosing personal data in breach of the Act;
  • Destroy the personal data collected in breach of the Act;
  • Give access to or correct the personal data.

An organisation found guilty of a breach can appeal against the decisions of the PDPC through the Data Protection Appeal Panel (DPAP), which works as an independent body under the PDPA.

If the PDPC finds that an organisation is in breach of any of the data protection provisions in the PDPA, it may give the organisation such directions that it thinks appropriate to ensure compliance. These directions may include requiring the organisation to:

  • Stop collecting, using or disclosing personal data in contravention of the Act;
  • Destroy personal data collected in contravention of the Act;
  • Provide access to or correct the personal data; and/or
  • Pay a financial penalty of an amount not exceeding $1 million.

Data Protection Appeal Panel
The Data Protection Appeal Panel is an independent body established under the PDPA to hear appeals against directions or decisions of the PDPC, for matters relating to the data protection provisions (namely, Parts IV to VI) of the PDPA.

    Offences Related to the PDPC’s Powers of Investigation

    When the PDPC investigates, the organisation needs to cooperate. It is probably better to come clean than to make further mistakes which, under the Act, amount to other offences such as:

    • Evading a request to grant access or correct the breach by disposing of, altering, falsifying or destroying (or getting someone else to do so) a record containing personal data or information about the collection, use or disclosure of the personal data;
    • Obstructing the PDPC or an authorised officer in performing their duties under the Act;
    • Knowingly or recklessly making false statements to the PDPC (so better be careful), or knowingly misleading or attempting to mislead the PDPC while it is performing its duties (so don’t even try).

    Therefore the organisation should instead:

    • Cooperate fully with the PDPC when asked to grant access or correct the breach, and not dispose of, alter, hide or destroy, or get someone else to do the same to, the personal data or information regarding the collection, use and disclosure of the personal data.
    • Tell the truth to the PDPC, and do not hide information from or mislead PDPC officers carrying out their duties.

    Trying to change the personal data of another individual without the individual’s authority is also an offence. 

    An organisation or a person is also guilty of an offence if any of the following is committed:

    • If the organisation or person with an intent to evade a request for access or correction under the Act, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing –

      i. Personal data; or 
      ii. Information about the collection, use or disclosure of personal data

    • If the organisation or person obstructs the PDPC or an authorised officer in the performance of their duties or exercise of their powers under the Act;

    • If the organisation or person knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC, in the course of the performance of its duties or powers under the Act; and

    • If a person makes a request for access or correction under the Act to obtain access to or to change the personal data of another individual without that individual’s authority.
