PDPA Rules & Requirements
Guidelines You Should Know
Main Advisory Guidelines
9 Obligations
As stated on PDPC's website, the advisory guidelines it publishes indicate the manner in which the PDPC will interpret provisions of the PDPA. They are not legally binding on the PDPC or any other party. Similarly, the summary of these guidelines that we provide below is for your reference only and is not legally binding.
The key concept of the main advisory guidelines is the 9 obligations for the collection, use and management of personal data. They can be subdivided into 3 stages: I) Collection, Use and Disclosure (1-3), II) Access & Correction (4) and III) Care of personal data (5-9). The guidelines are summarised below:
- Except where permitted by law, an organisation cannot collect, use or disclose an individual's personal data unless the individual gives consent. Obtaining the individual's consent is the Consent Obligation.
- When obtaining consent from the individual, the organisation has to inform the individual of the purpose of the collection, use and disclosure of the individual's personal data. Otherwise the consent is not valid.
- As good practice, consent should be obtained in writing, so that if there is a dispute in future the organisation can show proof that consent was obtained.
Obtaining Verbal Consent
- Verbal consent is difficult to prove. Where consent is obtained verbally, the organisation should document it in some form, including noting the purposes for which consent was given and the time and date of that consent. E.g. a spa salesperson collecting personal data during a roadshow informs an individual that she is collecting the data for the purpose of contacting that individual about a current promotion and for future promotions. The salesperson then follows up with an email to the individual confirming the individual's consent, together with the purpose of the collection of the personal data.
- When sending text messages, the organisation has to take note that under the DNC provisions a specified (marketing) message cannot be sent to a number on the DNC register unless the individual has given clear and unambiguous consent. It is good practice to obtain such consent anyway, regardless of whether or not the individual is on the DNC register.
Failure to Opt Out
- In general, do not use the opt-out consent method (meaning the individual is taken to consent by default unless he chooses to opt out). There are too many ambiguities for dispute. If you adopt the opt-out approach in seeking consent, you bear the risk of not satisfying the Notification Obligation and the Consent Obligation.
Obtaining Consent from a Person Validly Acting on Behalf of an Individual
- An individual can have someone else act on his behalf, including giving consent to the collection of his personal data. It is good practice to follow up with an email to the individual whose personal data was collected, notifying him that consent has been given on his behalf.
- Consent is not valid when the collection, use and disclosure of the personal data goes beyond what is reasonable to provide the product or service. Collecting personal data in a misleading or deceptive way also nullifies consent. It is important that the personal data asked for is necessary or integral to providing the product or service. We cover this further in the 6 consent examples.
- Requiring consent to the collection of personal data for a lucky draw is not prohibited. However, the data collected has to be related to the draw. Otherwise it could be seen as misleading or deceptive, which could nullify the consent.
- During data collection, it is good practice to indicate which fields are compulsory and which are optional.
- Vaguely stated purposes, inaccurate terms, an illegible font, or a notice placed in an obscure part of a document or in a location that is difficult to access are considered misleading or deceptive practices. Avoid these.
- 2 situations are considered deemed consent:
- The individual voluntarily provides personal data for a purpose. Examples: signing up for an online membership to enjoy a membership discount, swiping a credit card for payment after a meal, booking a taxi, or taking physical body measurements before a voluntary health screening.
- Consent may also be deemed where an individual consents to the disclosure of his personal data by one organisation ("A") to another ("B"). Example: you make a credit card payment at the spa. The payment has to be transmitted through a bank, so the data on the credit card is deemed to be disclosed to the bank with your consent. Note that when you purchase products online, the seller may disclose your details to a courier company. This is not considered deemed consent. The organisation has to state that it will be passing your data to a third party to handle logistics. These are 2 separate matters. Also see the Notification Obligation.
- A referral scenario could be an example of deemed consent. But the organisation has to make this clear upfront to the referee.
- Providing personal data to one unit of a corporate group that has several units can also be deemed consent for the same data to be used by other units of the corporate group.
Due Diligence when Obtaining Personal Data from 3rd Party Sources
- If you are purchasing personal data from another company or source, you should exercise due diligence to make sure the source can legally give consent for the collection, use and disclosure of the personal data on behalf of the individual. To protect yourself, you should ask for written confirmation and a copy of the document recording the individual's consent.
Obtaining Personal Data from 3rd party sources Without Consent of Individual
- Circumstances that allow personal data to be obtained from third-party sources without consent from the individual include:
- Collection of personal data needed to respond to an emergency that threatens the life, safety or health of that individual or others.
- The personal data is publicly available.
- Collection needed for evaluative purposes.
- Disclosure needed to contact the next-of-kin or a friend of any injured, ill or deceased individual.
- Though consent is not required, the organisation requesting the data should still state the purpose of the collection to the party providing it.
- The exceptions to the Consent Obligation do not mean you are absolved from other laws, for example the duty of confidentiality and contractual obligations.
Consent Withdrawal
- PDPA provides that an individual may withdraw consent or deemed consent to the collection, use and disclosure of his personal data. There are 4 requirements set out:
- The individual must give the organisation reasonable notice of such withdrawal.
- The organisation has to inform the individual of the likely consequences of such a withdrawal upon receipt of the request from the individual.
- The organisation cannot prohibit the individual from withdrawing consent.
- After the withdrawal of consent, the organisation must cease to collect, use or disclose the personal data. This applies to all of its data intermediaries and agents too.
Organisation Must Allow Consent Withdrawal
- While PDPC does not provide a specific time frame for an organisation to effect a withdrawal of consent, it considers a withdrawal notice of at least 10 business days from the day the organisation receives the notice to be reasonable notice. As good practice, an organisation should inform the individual of the time frame within which a withdrawal will be effected, and have a withdrawal policy covering:
- How an individual can submit a withdrawal of consent.
- The contact details of whom to submit the withdrawal to.
- The distinction between optional and necessary purposes, and which purpose a withdrawal applies to. For example, withdrawing consent to receive a newsletter does not mean terminating a membership that gives discounts.
- An organisation cannot prohibit an individual from withdrawing consent. Even where an organisation requires the personal data to fulfil its contractual obligations to the individual, it still cannot state in the contract that the individual cannot withdraw his consent. However, if the contract can no longer be fulfilled after the withdrawal, any legal consequences arising out of the withdrawal are not affected.
- An individual who has withdrawn consent can later provide fresh consent to the organisation.
Effect of a Withdrawal Notice
- The effect of a withdrawal notice depends on:
- The content of the withdrawal notice;
- Whether it clearly expresses an intent to withdraw consent;
- The channel through which the notice was sent.
- Example: an organisation sends marketing messages via email, text message or fax to an individual who gave consent. In a typical email with an unsubscribe button, the wording may appear as below:
- General: "To stop receiving marketing messages from us, please click on the 'unsubscribe' button."
- Specific: "To stop receiving marketing messages from us via e-mail, please click on the 'unsubscribe' button. To stop receiving marketing messages from us via other channels, kindly send us an e-mail at no-reply@abc.com."
- In both scenarios, since the channel used was email, unsubscribing means the individual wants to stop receiving messages via email.
- The organisation can continue to send marketing messages via other means unless it receives an email from the individual asking it to stop sending marketing messages via those other means.
Actions by Organisation after Receiving Consent Withdrawal
- The organisation should inform the individual of the consequences of the withdrawal of consent, if any. The consequence could be straightforward, or it could mean that the service contract can no longer be fulfilled, which may have legal implications.
- Upon receipt of a withdrawal of consent, the organisation must also inform its data intermediaries and agents to cease collecting, using or disclosing the personal data.
- Other than data intermediaries and agents, there is no need to inform any other party of the individual's withdrawal of consent.
- PDPA does not require the organisation to delete or destroy the personal data once consent is withdrawn. The organisation can continue to keep that data, subject to the Retention Limitation Obligation. Refer to the Retention Limitation Obligation for more information.
Exceptions to Consent Obligation
- Mentioned earlier under "Obtaining Personal Data from 3rd party sources Without Consent of Individual" are some examples of exceptions to this obligation. However, the exceptions to the Consent Obligation do not mean you are absolved from other laws, for example the duty of confidentiality and contractual obligations.
Publicly Available Data
- Publicly available data means personal data that any member of the general public can obtain or access with minimal effort. This includes data that can be accessed by signing up as a member of a group with little or no restriction on who may join. A typical example is the personal data on your Facebook account when it can be seen by any member of the public who also signs up with Facebook. Of course, you can disable this on your Facebook account and allow only close friends to view your profile. In that case, such personal data is no longer publicly available.
- Since individuals commonly change the access settings on their personal data at any point in time, PDPC takes the position that whether personal data was publicly available is determined at the point of collection. Therefore an organisation that collected the data while it was publicly available is allowed to use and disclose it without consent.
- Personal data observed in public is a category of personal data that is specifically included in the definition of publicly available personal data. There are 2 requirements:
- The personal data must be observed by reasonably expected means.
- This basically means individuals should expect their personal data to be collected in that particular manner at that place or event.
- The example given is that an individual at a shopping mall should expect his image to be captured by CCTV for security reasons. Or at a public event where individuals, including photographers, are openly taking pictures, an individual should expect his image to be taken as well. Of course, it is always good practice for organisations to put up signage informing the public that their images could be captured.
- The personal data must be observed at a location or event at which the individual appears and that is open to the public.
- By definition, a place open to the public means there is little or no restriction on access by members of the public. As a rule of thumb, the more restrictions there are, the less the space is deemed public. Physical restrictions like fences and walls are one form of restriction.
- But physical restriction is not the only consideration. Events that are open to the general public, including paid events, are considered open to the public. Special events for members may also be considered open to the public.
- PDPC also considers private spaces within public places. A private event in a park or a private function in a restaurant means the event itself is not open to the public. Such events are not considered open to the public.
- By the same reasoning, the private space within a taxi is not considered open to the public. Therefore consent has to be sought for an in-car camera that records video of the passenger.
- PDPA provides an exception for news organisations to collect, use and disclose personal data without consent solely for their news activity, regardless of whether the personal data is publicly available. A news organisation is any organisation whose business consists, in whole or in part, of news activity carried out in relation to a relevant broadcasting service, a newswire service or the publication of a newspaper.
- PDPA limits the purposes for which an organisation can collect, use and disclose personal data to purposes that:
- A reasonable person would consider appropriate in the circumstances in which the data is collected, used or disclosed; and
- The individual has been informed of by the organisation.
- This Purpose Limitation Obligation is to make sure that an organisation collects, uses and discloses personal data only for the purposes intended and notified (see also the Notification Obligation) to the individual, and that such purposes are reasonable.
- A reasonable purpose is one that a reasonable person would consider appropriate in the circumstances in which the collection, use and disclosure of the personal data is made. The context of the purpose, including its legality, is taken into consideration.
- The purpose has to be related to the service or product offered. A blanket statement that the data may be used for marketing promotions as the organisation deems fit could be taken out of context and is not reasonable.
- Other than seeking consent (Consent Obligation) and making sure the consent is aligned with the Purpose Limitation Obligation, the organisation has to make sure it notifies the individual. This gives rise to the Notification Obligation.
- PDPA states that an organisation must inform the individual of:
- On or before the collection of the personal data, the purposes for which it will be collected, used and disclosed;
- Before using or disclosing the personal data for any purpose the individual was not informed of at the time of collection, that purpose.
- The Notification Obligation does not apply where consent is deemed or where an exception to the Consent Obligation applies.
- To minimise the risk of breaching PDPA provisions, organisations should identify their purposes for collecting, using and disclosing personal data so they know what personal data they need to collect from individuals. What you collect, use and disclose has to align with its purpose.
- The Notification Obligation highlights 3 important points:
- The organisation has to inform the individual of its purpose;
- The way (form and manner) in which the organisation informs the individual of its purpose;
- How (in what detail) the organisation states its purpose to the individual.
Informing Individuals of its Purpose
- The organisation has to inform the individual of the purpose of its collection, use and disclosure of the individual's personal data.
- An example would be personal data required to enter into a contract, whether directly or through an agent of the company (e.g. an insurance agent or property agent).
The Way (Form and Manner) of Informing Its Purpose
- While PDPA does not specify the way an organisation is to inform the individual of its purpose, an organisation should think of the best way of informing the individual such that the purpose and intent of the collection, use and disclosure of his personal data is clear.
- The guidelines provide 4 relevant factors in determining whether the notification is appropriate:
- The situation and how the collection is done;
- The amount of personal data to be collected;
- The frequency of personal data collection;
- The channel through which the data is collected (face-to-face, phone or internet etc.).
- It is always good practice for an organisation to clearly state its purpose in writing (with mandatory and optional fields marked) so there is no ambiguity in understanding and no future dispute.
Notification through Data Protection Policy (or Privacy Policy)
- An organisation may develop a data protection policy or privacy policy that complies with PDPA, stating its purposes, procedures and policies for the collection, use and disclosure of personal data.
- Such a policy can be communicated to the individual through a physical document or the organisation's website. 2 things to note when notifying individuals with such a policy:
- Where a physical copy of the policy is not made available, the organisation has to give the individual the chance to view the policy before collecting the personal data.
- An organisation should set out its purposes in specific terms rather than general terms in its policy. Be clear about what the collection, use and disclosure of the personal data is for.
- There is no need to provide details of the organisation's corporate governance that are not related to its personal data protection.
Information Required when Stating Purpose
- An organisation need only state its purposes to a level of detail that is reasonable for the individual to understand the collection, use and disclosure of his personal data. It is not required to list every single activity the organisation might carry out with the personal data, such as activities that are integral to the proper functioning of its business operations related to the stated purpose and to delivering its product or service to the individual.
- The guidelines mention 5 points for an organisation to consider when making its notification:
- Whether the purpose is stated clearly and concisely;
- Whether the purpose is required for the delivery of the organisation's product or service, as opposed to an optional purpose;
- If the personal data is disclosed to another party, how the organisation makes this known to the individual;
- Whether stating the purpose in more detail helps or hinders the individual's understanding of why his personal data is collected, used or disclosed;
- The organisation's business processes, when trying to be specific in its notification.
- Example: Store A informs individuals that their personal data will be disclosed to an outsourced marketing company for the purpose of marketing its products. Store B states that personal data provided may be used and disclosed for valid business purposes. Evidently, Store A stated a sufficiently specific purpose while Store B's purpose was insufficient and not specific.
Good Practice to Consider Related to Notification Obligation
- When notifying individuals, an organisation should consider:
- Notifications that are clear and easy for the intended audience to understand. Avoid legalistic terms and confusing or misleading content.
- Layered content that puts the most important points upfront and less important points at the back. Individuals may not have the time to read through all the information.
- Highlighting, in an appropriate manner, the purposes that may be of concern or unexpected to the individual.
- The most appropriate channel of notification, whether physical form, website, call etc.
- Regularly reviewing the effectiveness and relevance of its notification processes, practices and policies.
Use of Personal Data Not Indicated in Its Purpose
- Where an organisation wishes to use or disclose personal data for a purpose not covered by its original notification, before seeking new consent it should determine:
- Whether the scope of the original consent covers the organisation's servicing of its existing business relationship with the individual;
- Whether the new purpose can be considered deemed consent;
- Whether the new purpose falls within the exceptions to consent.
- If the new purpose does not fall within the 3 points above, the organisation needs to inform the individual of the new purpose for which the personal data will be used or disclosed and seek fresh consent for it.
- PDPA sets out the right of an individual to access his personal data in the possession or under the control of an organisation, and to have that personal data corrected. These fall under the Access and Correction Obligation guidelines.
- This obligation also applies to personal data that might not be in the possession of the organisation but is under its control, for example data held by its data intermediaries and agents.
- It is important to note that a data intermediary is not subject to the Access and Correction Obligation (under the PDPA it is subject only to the Protection and Retention Limitation Obligations). The organisation has to bear the responsibility for all matters relating to the personal data. The organisation should enter into a contract with its data intermediaries covering access to and correction of such personal data.
Obligation to Provide Access
- PDPA states that an organisation, on the request of an individual, must provide the individual access to the following as soon as reasonably possible:
- The individual's personal data in the possession or under the control of the organisation;
- Information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the individual's request.
- An individual can request access to:
- Part or all of his personal data;
- Information on how his personal data has been or may have been used or disclosed within the one year before the date of the request.
- An organisation is not required to provide access to documents or systems that do not contain or comprise the personal data in question. It just needs to provide the relevant information pertaining to that individual's personal data, or only the part of a document that relates to the individual's request, if needed.
- If the data is no longer in the possession of the organisation, it should inform the individual accordingly. It also need not disclose the source of the personal data.
- An organisation can choose to charge a fee for an individual's request for a physical copy of his personal data. If the organisation is unable to provide the requested information directly to the individual, for whatever reason (e.g. it cannot be extracted), the organisation may give the individual an opportunity to examine the requested data.
- An organisation is also obliged to provide information held in unstructured form, e.g. personal data embedded in emails. However, it does not need to provide access if the burden of providing such access is unreasonable or disproportionate to the individual's interest, or the request is trivial.
- Where the individual is able to access his own personal data directly, the organisation should inform him how he can access, retrieve and correct his personal data.
- While PDPC does not state that an individual needs to give a reason to access his personal data, it is good practice for organisations to ask the individual what information he is looking for. This can include a date and time for video footage. The organisation may offer an alternative to what the individual requested if the essence of the request is met. For example, the individual requested a masked video but the organisation can instead provide a printout from the video, for cost-saving purposes.
- Before granting access, the organisation should exercise caution and adopt proper measures to verify the individual's identity. In the event of a third-party request, make sure the requester has the legal authority to act on behalf of the individual.
- Where 2 or more individuals request personal data at the same time from the same record (e.g. a video capturing several individuals), the organisation may obtain consent from each party to disclose his personal data to the other. If such consent cannot be obtained, the organisation should provide each individual's data separately and mask out the other individual's personal data.
Information Relating the How Personal Data is Used or Disclosed
- PDPA provides that when an individual requests information on how his personal data has been used or disclosed, the organisation must provide such information for the one year before the request. An organisation can create a standard list of how such information is used or disclosed and update this list on a regular basis to keep it accurate. Generally, if the organisation provides personal data to a third party, it needs to indicate specifically which party it provides the data to rather than using a generic description (e.g. "ABC Pharmaceutical Company" versus "a renowned pharmaceutical company").
- It is more important to let the individual know the purpose of disclosure of his personal data than to give the specific instances when the personal data was disclosed, e.g. providing certain data to auditors for audit purposes.
Response Time Frame for Granting Access
- PDPA states that an organisation has to provide access to personal data as soon as reasonably possible. After receiving an access request, if the organisation is unable to respond within 30 days, it shall inform the individual in writing within those 30 days of the time by which it will be able to respond to the request.
When Not to Accede to an Access Request
- If an organisation has valid reasons not to grant access for a request, it may inform the applicant accordingly.
- For the exception cases, the organisation need not provide access.
- An organisation must not inform any individual or organisation that it has disclosed personal data to an authorised officer of a law enforcement agency. In such cases, the organisation may refuse to confirm or deny the existence of the personal data, or its use without consent for any investigation or proceedings (or related appeals) that have not been completed.
- Where the individual refuses to pay the organisation's fee for providing the information. Such fees can be reviewed by PDPC and are subject to reduction, confirmation, disapproval or refund.
- Where providing the personal data could threaten the safety or physical or mental health of an individual other than the individual who made the request, the organisation shall not accede to the access request.
- Other situations such as where providing access would:
- Reveal personal data about another individual;
- Reveal the identity of an individual who has provided personal data about another individual, where the individual providing the data does not consent to the disclosure of his identity;
- Be contrary to the national interest.
Access Obligation and Fees Chargeable
- An organisation may charge the individual a fee to recover the cost of providing the information requested. Such costs may include the cost of producing a physical copy of the personal data. Note that capital expenditure (e.g. buying equipment to grant access) may not be passed on to the individual.
- PDPC does not prescribe a standard fee to be charged by organisations. However, organisations are expected to exercise proper judgement. Such fees may be reviewed by PDPC on the application of an individual.
- The organisation needs to inform the individual of the estimated fee in writing. If the organisation wishes to charge a higher fee than the original estimate, it has to inform the individual of the increased fee too. The organisation may refuse to grant access or provide the information unless the individual agrees to pay the fee.
Exceptions to Grant Access for Personal Data
- PDPA provides 10 specific exceptions to granting access to personal data. Below is extracted from the guidelines:
- opinion data kept solely for an evaluative purpose (purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment);
- any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
- the personal data of beneficiaries of a private trust;
- personal data kept by an arbitral institution or a mediation centre;
- a document related to a prosecution if all proceedings related to the prosecution have not yet been completed;
- personal data which is subject to legal privilege;
- personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
- personal data collected, used or disclosed without consent for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
- the personal data was collected by an arbitrator or mediator in the conduct of an arbitration or mediation for which he was appointed to act –
- under a collective agreement under the Industrial Relations Act;
- by agreement between the parties to the arbitration or mediation;
- under any written law; or
- by a court, arbitral institution or mediation centre; or
- any request —
- that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
- if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
- for information that does not exist or cannot be found;
- for information that is trivial; or
- that is otherwise frivolous or vexatious.
Preservation of Personal Data when Processing an Access Request
- Organisations that schedule periodic deletion of personal data should attend to access requests as soon as possible, before the personal data is deleted. An example is the periodic deletion of CCTV footage.
- Organisations should not unnecessarily preserve and retain data indefinitely when there is no business or legal need to do so.
Preservation of Personal Data after Rejecting an Access Request
- When an organisation rejects an access request, it should, as good practice, keep a copy of the withheld personal data for a period of 30 days after rejecting the request, since the individual may seek PDPC's review of the case. If PDPC notifies the organisation of such a review, the organisation should, as good practice, preserve the withheld data until PDPC concludes its review, or until the individual's right to apply for reconsideration and appeal is exhausted.
- If PDPC finds that the organisation did not have reasonable grounds under PDPA for refusing the individual access, the organisation may face enforcement action.
- As good practice, the organisation should keep a record of the personal data to which it granted or refused the individual access.
Obligation to Correct Personal Data
- PDPA provides that an individual has the right to submit a request to correct an error or omission in his personal data held by the organisation, and the organisation has to consider whether the correction should be made. PDPA also provides that, unless the organisation is satisfied on reasonable grounds that the correction should not be made, it should:
- Correct the personal data as soon as practicable;
- Send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction request was made.
- An organisation cannot charge a fee for correcting personal data.
- With the individual's consent, PDPA allows an organisation (other than a credit bureau) to send the corrected personal data only to specific organisations to which the data was disclosed within the year before the correction request, rather than to all of them.
- The other organisations notified of the correction are also required to correct the personal data they hold.
- If an organisation decides on reasonable grounds that a correction need not be made, it should, as good practice, annotate the personal data to record that a correction request was made but no correction was required, and the reason(s) why.
Exceptions to Obligation to Correct Data
- The exceptions to the obligation to correct personal data mirror the first five exceptions to the obligation to grant access. An organisation is not required to correct personal data that is:
  - Opinion data kept solely for an evaluative purpose;
  - An examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
  - The personal data of beneficiaries of a private trust;
  - Personal data kept by an arbitral institution or a mediation centre; or
  - A document related to a prosecution, if all proceedings related to the prosecution have not been completed.
Response Time to Correction Request
- As with access requests, the PDPA requires an organisation to correct the personal data as soon as practicable. If it cannot do so within 30 days of receiving the correction request, it must inform the individual in writing, within those 30 days, of the time by which it will be able to make the correction.
Form of Access and Correction Requests
- Besides any standard procedures and forms it provides for access and correction requests, the organisation should accept any request made in writing, including one sent to its business contact information or to its Data Protection Officer (DPO).
- The organisation remains responsible for responding to the access or correction request and should handle it as soon as practicable.
- The PDPA requires an organisation to make a reasonable effort to ensure that personal data it collects, or that is collected on its behalf, is accurate and complete if the data is likely to be used to make a decision that affects the individual, or to be disclosed to another organisation.
- To ensure that personal data is accurate and complete, the organisation should make sure that it:
  - Records the data accurately, whether it is collected directly from the individual or through another organisation;
  - Collects all relevant parts of the personal data so that it is complete;
  - Takes reasonable and appropriate steps to maintain the accuracy and correctness of the personal data; and
  - Gives appropriate consideration to whether the personal data needs to be updated.
Requirement of Reasonable Efforts
- The Accuracy Obligation requires an organisation to make reasonable efforts to maintain the accuracy and completeness of personal data, taking into account:
  - The nature of the data (e.g., data concerning the health of the individual);
  - The purposes for which the personal data is collected, used and disclosed;
  - The reliability of the data (e.g., whether it came from a trusted source);
  - The currency of the data (whether it was collected recently or some time ago); and
  - The impact on the individual if the data is not accurate and complete.
- An organisation is not required to check the accuracy and completeness of personal data every time it uses or discloses it. It should, however, perform its own risk assessment and make reasonable efforts to ensure that personal data used in a way that affects the individual is accurate and complete.
Accuracy of Data Collected Directly from Individual
- When in doubt, an organisation can ask the individual to verify, in writing or orally, personal data the individual has provided directly to it. Where the currency of the data matters, the organisation should take steps to confirm with the individual that the data is up to date.
- A typical example is a personal loan application. If the individual's existing record is two years old, the credit company would re-verify the individual's financial status, employment status and residential address for the new loan, so that the personal data it relies on is current.
Accuracy of Data Collected from 3rd Party
- An organisation should exercise more caution over personal data it does not collect directly from the individual. Depending on the reliability of the source, it may take different approaches to ascertain the accuracy and completeness of the data, such as asking the third party for written confirmation that the personal data is accurate and complete. It can also conduct independent verification if it thinks this is necessary.
- In considering whether personal data should be updated, the organisation should note that not all data needs updating. A record of a historical fact need not be updated, whereas data that can affect a decision-making process (e.g., health condition, financial status, educational qualifications and certifications) should be considered for updating.
- The PDPA requires an organisation to make reasonable security arrangements to protect the personal data in its possession or under its control from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Because organisations differ in what they offer, and in the amount and sensitivity of the personal data they collect, there is no single standard of protection that applies to all organisations. Each organisation should therefore adopt security measures that are reasonable and appropriate for its situation.
- The PDPC guideline lists four things an organisation should do in practice:
  - Design and organise its data protection security measures around the nature of the personal data it collects;
  - Identify and train personnel responsible for information and data security;
  - Set the level of security and access control according to the sensitivity of the data; and
  - Prepare a response plan for information security breaches.
- It is also recommended that an organisation carry out a risk assessment to determine whether its information security is adequate, considering:
  - The size of the organisation and the types of personal data it holds;
  - Which personnel within the organisation have access to that data; and
  - Whether the personal data is held within the organisation or by a third party.
- The guideline has also given examples of security arrangements for:
- Administrative Measures:
  - Include confidentiality obligations in employees' contracts;
  - Implement policies and procedures for information security, including disciplinary action in the event of a data breach;
  - Train employees in good practices for handling personal data and raise awareness of threats to personal data security;
  - Ensure the organisation does not hold unnecessary personal data, which only increases what must be protected.
- Physical Measures:
  - Mark confidential documents clearly and prominently;
  - Store confidential documents in locked cabinets;
  - Restrict employees' access to sensitive personal data;
  - Use privacy filters on monitors so that unauthorised persons cannot read the data on screen;
  - Dispose of confidential documents properly;
  - Use a mode of transfer that enhances security, e.g., registered mail;
  - Work from a summary of the personal data where possible, so that access to the stored data is minimised;
  - Always confirm that the recipient of the data is the intended party.
- Technical Measures:
  - Ensure the computer network is secured;
  - Use strong passwords, and usernames that are not easily guessed, for access;
  - Encrypt personal data;
  - Automatically lock computers after a period of user inactivity;
  - Install appropriate security software and apply appropriate security settings;
  - Check that IT devices are properly wiped before they are sold, disposed of or reused;
  - Use an appropriate level of security when sending and receiving sensitive information by email;
  - Update security software and IT equipment regularly;
  - Make sure IT service providers meet the organisation's standard of IT security.
Retention Limitation Obligation
- The PDPA requires an organisation to cease retaining documents containing personal data, or to remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the data was collected is no longer served by retaining it, and retention is no longer necessary for legal or business purposes.
How Long Personal Data Can be Retained
- While the Retention Limitation Obligation does not fix a duration for which personal data may be retained, an organisation should not retain data indefinitely when it no longer has a legal or business purpose for it. It should also follow any legal or industry-specific retention requirements that apply.
- Under the PDPA, how long personal data may be retained depends on:
  - The purposes for which the personal data was collected:
    - Retention is justified as long as one or more of the purposes for which the data was collected remain valid;
    - Retention is not justified where data is kept "just in case", for purposes that were never notified to the individual.
  - Legal or business purposes, which may include situations such as:
    - The personal data is required for ongoing legal action involving the organisation;
    - Retention is needed to comply with laws, regulations or international, regional or bilateral standards;
    - The data is needed for business operations such as generating annual reports or performance forecasts.
- An organisation should regularly review the personal data it retains. An organisation that holds different types of personal data may run a different review cycle for each type, and its retention policy may differ between data types, groups or batches.
- An organisation's data protection policies should state how long each type of personal data is retained, and those policies should themselves be subject to the Retention Limitation Obligation.
- As good practice, an organisation should prepare a data retention policy that sets out its retention periods for the various types of personal data it holds.
Ceasing to Retain Personal Data
- When there is no longer a need to retain personal data, the organisation should, as soon as reasonably possible, take appropriate action to remove the data associated with that individual.
- When the organisation ceases to retain personal data, it should also ensure that its data intermediaries and agents no longer hold or have access to the data. Documents containing personal data can be:
  - Returned to the individual concerned;
  - Transferred to another organisation or person on the instructions of the individual concerned;
  - Destroyed and properly disposed of, e.g., by shredding; or
  - Anonymised, so that the personal data is no longer associated with a particular individual.
- An organisation that moves documents containing personal data from its cabinets to a warehouse, or keeps them in a soft-copy archive with restricted access, is still regarded as retaining the data.
- An organisation that ceases to retain documents should render them completely irretrievable or inaccessible. The PDPC will consider the following factors in deciding whether an organisation has in fact ceased to retain personal data:
  - Whether the organisation intends to access or use the data again;
  - How much effort or resources the organisation would have to expend to access or use the data again;
  - Whether third parties can access the data; and
  - Whether the organisation has made reasonable efforts to destroy and dispose of the personal data.
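The retention points above (attend to a pending access request before scheduled deletion, preserve withheld data for 30 days after refusing access and for the duration of any PDPC review, keep data under legal or business need, otherwise cease retention at the end of the period, and make sure no intermediary or archive copy survives) translate directly into a periodic retention sweep. The Python below is an added illustration written for this page; it is not PDPC's code and not code from the page's author. The data types, the retention periods, the `Record` fields and the named stores are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed retention schedule, in days, per type of personal data. These values
# are illustrative only; a real schedule comes from the organisation's own
# retention policy and any statutory or industry requirement that applies.
RETENTION_DAYS: Dict[str, int] = {
    "cctv_footage": 30,
    "loan_application": 7 * 365,
    "roadshow_contact": 365,
}

# Good-practice preservation window after an access request is refused.
WITHHELD_PRESERVE_DAYS = 30


@dataclass
class Record:
    """One item of personal data plus the flags that can hold it back from deletion."""
    record_id: str
    data_type: str
    collected_at: datetime
    purpose_active: bool = True            # at least one notified purpose still valid
    legal_hold: bool = False               # ongoing legal action or statutory retention
    access_request_pending: bool = False   # individual's access request not yet answered
    access_rejected_at: Optional[datetime] = None  # when an access request was refused
    pdpc_review_open: bool = False         # individual has asked the PDPC to review a refusal


def retention_decision(rec: Record, now: datetime) -> Tuple[str, str]:
    """Return ("retain" | "cease", reason). Holds are checked before the
    ordinary expiry so that a scheduled purge never outruns an access
    request, a review, or a legal need."""
    if rec.access_request_pending:
        return "retain", "access request pending; answer it before deletion"
    if rec.pdpc_review_open:
        return "retain", "PDPC review of refused access request in progress"
    if rec.access_rejected_at is not None:
        keep_until = rec.access_rejected_at + timedelta(days=WITHHELD_PRESERVE_DAYS)
        if now < keep_until:
            return "retain", f"withheld data preserved until {keep_until.date()}"
    if rec.legal_hold:
        return "retain", "legal or business purpose still requires retention"
    if rec.data_type not in RETENTION_DAYS:
        # Unknown type: fail closed and escalate rather than guess a period.
        return "retain", "no retention period defined; escalate to DPO"
    expiry = rec.collected_at + timedelta(days=RETENTION_DAYS[rec.data_type])
    if rec.purpose_active and now < expiry:
        return "retain", f"within retention period until {expiry.date()}"
    return "cease", "no remaining purpose or period; cease retention"


Stores = Dict[str, Dict[str, dict]]  # store name -> {record_id: row}


def cease_retention(record_id: str, stores: Stores) -> List[str]:
    """Remove every copy of a record from the primary store and from each
    intermediary or archive store. Returns the names of the stores it was
    removed from; a copy left in an archive or with an intermediary would
    still count as retaining the data."""
    removed = []
    for name, store in stores.items():
        if store.pop(record_id, None) is not None:
            removed.append(name)
    return removed


def still_retained(record_id: str, stores: Stores) -> bool:
    return any(record_id in store for store in stores.values())


def sweep(records: List[Record], stores: Stores, now: datetime) -> Dict[str, List[str]]:
    """Run the retention review over all records and act on the outcome."""
    report: Dict[str, List[str]] = {"ceased": [], "retained": []}
    for rec in records:
        action, reason = retention_decision(rec, now)
        if action == "cease":
            cease_retention(rec.record_id, stores)
            report["ceased"].append(f"{rec.record_id}: {reason}")
        else:
            report["retained"].append(f"{rec.record_id}: {reason}")
    return report


def demo() -> Tuple[Dict[str, List[str]], Stores]:
    """Constructed sample data (not real records) exercising each hold."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    records = [
        Record("cctv-001", "cctv_footage", now - 45 * day),                          # past 30 days
        Record("cctv-002", "cctv_footage", now - 45 * day, access_request_pending=True),
        Record("cctv-003", "cctv_footage", now - 45 * day, access_rejected_at=now - 10 * day),
        Record("cctv-004", "cctv_footage", now - 45 * day, access_rejected_at=now - 40 * day),
        Record("mkt-001", "roadshow_contact", now - 100 * day, purpose_active=False),
        Record("mkt-002", "roadshow_contact", now - 100 * day, purpose_active=False, legal_hold=True),
        Record("loan-001", "loan_application", now - 400 * day),                     # within 7 years
    ]
    stores: Stores = {
        "primary": {r.record_id: {"type": r.data_type} for r in records},
        "intermediary_backup": {"cctv-001": {}, "cctv-004": {}, "mkt-001": {}},
    }
    return sweep(records, stores, now), stores


if __name__ == "__main__":
    result, remaining = demo()
    for line in result["ceased"]:
        print("ceased  ", line)
    for line in result["retained"]:
        print("retained", line)
```

In the constructed run, `cctv-001` (expired, no hold), `cctv-004` (expired, refusal older than 30 days) and `mkt-001` (purpose withdrawn) are removed from both the primary store and the intermediary backup; `cctv-002` (pending access request), `cctv-003` (refused 10 days ago), `mkt-002` (legal hold) and `loan-001` (within its period) stay. The order of the checks is the point: an expiry-only purge job would have destroyed `cctv-002` and `cctv-003` before the individual's request or review was dealt with.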
- The PDPA provides that an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the Act.
- An organisation may transfer personal data overseas if it has taken appropriate steps to comply with the data protection provisions in respect of the data being transferred, and the recipient outside Singapore is bound by legally enforceable obligations to give the transferred data a standard of protection at least comparable to that under the PDPA. The PDPA recognises four sources of such obligations:
  - Any law;
  - Any contract that:
    - requires the recipient to provide a standard of protection for the personal data that is at least comparable to the PDPA's provisions; and
    - specifies the countries and territories to which the personal data may be transferred under the contract;
  - Any binding corporate rules that:
    - require the recipient to provide a standard of protection for the personal data that is at least comparable to the PDPA's provisions; and
    - specify the recipients of the data, the countries and territories to which the personal data may be transferred, and the rights and obligations provided by the binding corporate rules;
  - Any other legally binding instrument.
- An organisation must ensure that the recipient is bound by legally enforceable obligations comparable to the PDPA, and is deemed to have satisfied this requirement if:
  - The individual whose data is to be transferred has consented to the transfer;
  - The transfer is necessary for the organisation to perform a contract with the individual, or to act on the individual's request with a view to entering into such a contract;
  - The transfer is necessary for the organisation to conclude or perform a contract between itself and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;
  - The transfer is necessary for a use or disclosure in certain situations where the individual's consent is not required under the PDPA (see the exceptions to consent). In such cases the organisation must take reasonable steps to ensure that the recipient does not use or disclose the data for any other purpose;
  - The personal data is in transit, i.e., it passes through Singapore without being accessed, used or disclosed by any organisation other than the transferring organisation (and its employees), e.g., data routed through servers in Singapore en route to a destination overseas; or
  - The personal data is publicly available in Singapore.
- The guideline gives examples such as:
  - Transferring personal data from a local subsidiary to a parent group located overseas;
  - Purchasing tour packages and making hotel reservations;
  - Moving clients' personal data to cloud-based solutions hosted overseas;
  - Transferring the medical records of a client injured while travelling overseas;
  - Transferring commercial advertising video recorded in a public location in Singapore.
- The guideline also sets out the minimum areas of protection a recipient must provide for transferred data, which depend on whether the recipient is a data intermediary or an organisation acting in its own right:
| S/N | Area of Protection | Recipient is a Data Intermediary | Recipient is an Organisation (other than a Data Intermediary) |
|-----|--------------------|----------------------------------|---------------------------------------------------------------|
| 1 | Purpose of Collection, Use and Disclosure by Recipient | | √ |
| 2 | Accuracy | | √ |
| 3 | Protection | √ | √ |
| 4 | Retention Limitation | √ | √ |
| 5 | Policies on Personal Data Protection | | √ |
| 6 | Access | | √ |
| 7 | Correction | | √ |
- While the table above indicates that certain Data Protection Provisions under PDPA are not imposed on a data intermediary, it is expected that organisations engaging such data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in their processing contract.
- In data protection, accountability refers to how an organisation discharges its responsibility for the personal data it has collected or obtained for processing, or that is otherwise under its control, including how it uses and discloses that personal data.
- The PDPA requires an organisation to take measures to ensure that it complies with its obligations under the Act. Some measures, such as appointing a Data Protection Officer (DPO), are required by the PDPA; others are good practices the organisation is encouraged to adopt.
Appointing a DPO (Data Protection Officer)
- The PDPA requires an organisation to designate at least one individual to be responsible for ensuring that the organisation complies with the PDPA. The organisation may designate an individual as DPO, and the DPO may delegate responsibilities to other individuals, but the organisation itself, not the designated individuals, remains legally responsible for compliance. The organisation should therefore designate suitable individual(s) to keep it compliant with the PDPA.
- The DPO's responsibilities include working with senior management and the organisation's business units to develop and implement appropriate data protection policies and practices. The DPO's work can include:
  - Compiling a personal data inventory;
  - Conducting data protection risk assessments;
  - Monitoring and reporting data protection risks;
  - Conducting internal training on data protection compliance;
  - Acting as the organisation's primary data protection expert and engaging stakeholders on data protection; and
  - Integrating data governance with cybersecurity.
- A DPO need not be an employee of the organisation, but should be sufficiently skilled and knowledgeable, and empowered to discharge the duties of a DPO. The individual appointed as DPO should be trained and certified.
- The PDPA requires an organisation to make available the business contact information of at least one individual who can answer, on its behalf, questions about its collection, use and disclosure of personal data.
- That business contact information should be readily accessible from Singapore, operational during Singapore business hours and, where a telephone number is provided, a Singapore number. This matters especially when the relevant person is not physically based in Singapore.
Developing and Implementing Data Protection Policies and Practices
- The PDPA sets out four key requirements under the Accountability Obligation:
  - An organisation must develop and implement internal and external data protection policies and practices that meet its obligations under the PDPA. These should take into account the purposes, types and amount of personal data it collects, and be easy for personnel who need them to find. There should also be monitoring mechanisms and process controls to ensure that the policies and practices are implemented effectively.
  - An organisation must develop a process to receive and respond effectively to complaints from individuals about its collection, use and disclosure of their personal data.
  - An organisation must communicate its personal data protection policies and practices to its staff, for example by incorporating them into its training and awareness programmes, and provide staff with the additional information and material they need to implement those policies and practices effectively.
  - An organisation must make information about its data protection policies and practices, and its complaint process, available on request, so that an individual can find the necessary information and raise any concern or complaint about his personal data held by the organisation.
Other Provisions
- The guideline gives examples of how an organisation is answerable to individuals and to the PDPC, and must be prepared to be held accountable:
  - An individual can request access to his personal data, to find out what information the organisation has in its possession or under its control and how his personal data is being used and disclosed;
  - An individual can file a complaint with the PDPC, which can review and investigate the organisation's conduct and compliance with the PDPA;
  - If the PDPC finds that the organisation has contravened the Act, it may issue directions to ensure compliance and impose a financial penalty of up to SGD 1 million;
  - An individual who suffers loss or damage as a result of a contravention of the Act can bring civil proceedings against the organisation.
Other Measures Relating to Accountability
- Organisations may wish to consider conducting Data Protection Impact Assessments ("DPIA") in appropriate circumstances, and implementing a Data Protection Management Programme ("DPMP"), to ensure that their handling of personal data complies with the PDPA.
Get in Touch
If you have any questions about our PDPA course, PDPA training, DPO or consultation services, feel free to get in touch with us. We would love to help you protect your data, and protect you.