About PDPA

All You Should Know About Protecting Data

Why PDPA Now?

The PDPA was enacted in 2012. However, it has only received much public attention in recent years. Why? Because there has been more news of data breach cases lately. Singapore companies were fined a record S$1.28 million for PDPA breaches in 2019 alone, with the highest single fine at $58,000. A United States-based cyber-security firm reported that 96% of Singapore companies had at least one breach in the past 12 months due to external cyber attacks.

With growing awareness of how companies use data, individuals are concerned about how companies handle their personal data. An organisation in breach of any of the data protection provisions under the PDPA can be fined up to S$1 million.

Ignorance is NOT bliss. Therefore, it is important to protect yourself with the right knowledge of the PDPA. If you are not sure and want to know more, do find out about our PDPA courses, which help equip you and your organisation for the PDPA.

Knowing & Understanding PDPA

If you read the PDPC’s website, there is a lot of information for you to digest regarding the PDPA. The PDPC has also given extensive examples for your reference. While we appreciate the language it is written in, we think some may find it “legalistic”. Therefore, we intend to provide you with either a summary or our further explanation of what we think the gist of each section means. We have excluded the sections on Legislation and Public Consultation, which you can read on the PDPC’s website. Do note that what we have provided is purely for your information and reference and should not be taken as legal advice.

Overview of PDPA

What is Personal Data?

Firstly, it is important to know what is considered personal data and what is not. While there is no exhaustive list of what counts as personal data, personal data is commonly understood to include:

  • full name;
  • personal email address;
  • a mobile phone number;
  • a home address;
  • an identification card number;
  • an Internet Protocol (IP) address;
  • photograph or video image of an individual;
  • data held by a hospital or doctor;
  • thumb print;
  • DNA profile.

By itself, some of this data (e.g., an IP address) is not considered personal data, but combined with other recorded information, facts or personal knowledge, it is considered personal data.

Business Contact Information (BCI) is not covered under the PDPA. It is essentially everything you can find on a business name card. BCI can include:

  • company UEN (Unique Entity Number);
  • general emails (such as enquiry@abc.com);
  • business email address;
  • business title/ position;
  • business telephone;
  • business address.

Personal data is protected by the PDPA, a data protection law that sets the rules for how a company collects and uses personal data, how it discloses that data to any party, and how the company takes care of the personal data in terms of protection during storage, use and transfer.

The provisions relating to the DNC Registry came into effect on 2 January 2014. By default, any marketing company can call, text or fax your number (not limited to mobile phones) unless you register your number in the DNC Registry.

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Objectives of the Personal Data Protection Act

People are increasingly conscious of and concerned about how their personal data is being used, stored and transferred. Therefore, the objective of introducing the PDPA is to give confidence that Singapore is a place that can be trusted for doing business, because it respects both the individual’s right to their personal data and the needs of companies to collect, use or disclose personal data for legitimate and reasonable purposes.

Do note that while it is easier to establish what is legitimate and what is not, what counts as a reasonable purpose is not as straightforward. The PDPC has given some examples on the collection of data for marketing purposes, which we will cover under the Main Advisory Guidelines.

Today, vast amounts of personal data are collected, used and even transferred to third party organisations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.

With such a trend comes growing concerns from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organisations that manage data.

By regulating the flow of personal data among organisations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.

How does the Personal Data Protection Act work?

The PDPA is designed to complement regulatory and sector-specific legislative frameworks. This makes sense, as the PDPA cannot conflict with the existing legal framework. This means that if your industry is already regulated (e.g., the insurance industry under the Insurance Act and Insurance Intermediaries Act), you have to take into account all the laws governing your industry as well as the PDPA when handling personal data.

This section also provides a brief on 2 of the 9 obligations under the advisory guidelines, namely the consent and purpose obligations. The reasonableness concept is covered with examples under the Advisory Guidelines on Requiring Consent for Marketing Purposes.

The PDPA will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that organisations will have to comply with the PDPA as well as the common law and other relevant laws that are applied to the specific industry that they belong to, when handling personal data in their possession. 

The PDPA takes into account the following concepts:

  • Consent – Organisations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);

  • Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and

  • Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

Application of the Personal Data Protection Act

Personal data can be in soft copy or hard copy. Part III of the PDPA Advisory Guidelines on Key Concepts talks about the data protection provisions, which include the 9 obligations; these are covered separately.

Part IV talks about other rights, obligations and uses. One thing to note about Part IV is that it covers your existing rights to data (since you may have collected the data before the Act existed). In short:

  • If you have a contractual obligation (say, to transfer or sell customers’ data to a third party without the customers’ knowledge), it cannot be used as an excuse to contravene the PDPA.
  • If there are inconsistencies between other written laws and the PDPA, the former (the other written laws) shall prevail.
  • If you collected data before the Act, you can continue to use that data (for the purposes indicated upon collection) unless the customer withdraws consent or the consent was inconsistent with the PDPA guidelines.

In other words, you still have to follow the new guidelines provided by PDPA regardless.

Although the headline of the section says “Application”, this section actually tells us when the PDPA generally does not apply. These cases include:

  • If you are an individual acting on a personal basis, meaning you do not represent an organisation in collecting the data.
  • If you are employed by an organisation, you are collecting data on behalf of the organisation; therefore, you personally are not in breach of the PDPA. However, the organisation should have drawn up procedures on how such data is collected, stored and handled. This does not mean the individual employee can steal the data: that falls outside the scope of the PDPA and is likely to be a criminal act if it occurs.
  • Public agencies, or organisations acting on behalf of public agencies, fall outside the provisions. The list names 67 government agencies, with 6 deletions.
  • Personal data, as the name implies, is personal; data such as business contact information (name, position, business email, business address) or information not provided solely for personal purposes does not fall under the provisions of the Act. Therefore you need to differentiate between personal and business data.

The PDPA covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

  • Any individual acting in a personal or domestic basis.

  • Any employee acting in the course of his or her employment with an organisation.

  • Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.

  • Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statutes, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.

When did the Personal Data Protection Act Come into effect?

Just note the dates when the Act came into effect (the DNC Registry on 2 January 2014 and the main data protection rules on 2 July 2014). Whatever the case, moving forward, you just have to ensure that how your organisation collects, uses and cares for personal data complies with the PDPA guidelines.

The PDPA took effect in phases starting with the provisions relating to the formation of the PDPC on 2 January 2013. Provisions relating to the DNC Registry came into effect on 2 January 2014 and the main data protection rules on 2 July 2014. This allowed time for organisations to review and adopt internal personal data protection policies and practices, to help them comply with the PDPA.

Development of the Personal Data Protection Act

This section gives references on how this Act came about. It did not come out of thin air but was drawn from established data protection laws already developed by other countries, and was then presumably contextualised to Singapore’s needs.

There could be ongoing changes to the guidelines too as the world becomes more digitalised. It is good to keep yourself updated with the latest guidelines to protect your data and yourself.

In the development of this law, references were made to the data protection regimes of key jurisdictions that have established comprehensive data protection laws, including the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the APEC Privacy Framework. These references are helpful for the formulation of a regime for Singapore that is relevant to the needs of individuals and organisations, and takes into account international best practices on data protection.

Three public consultations were conducted since 2011 to seek feedback on the proposed data protection regime. The public consultation sought the public’s views on topics including the coverage of the proposed law, the proposed data management rules and transitional arrangements for organisations to comply with the new law. For more information on the public consultations, please visit the MCI website.

Get in Touch

If you have any questions pertaining to our PDPA course, PDPA training, DPO or consultation services, feel free to get in touch with us. We would love to help you protect your data and protect you.