New Data Protection Law in Singapore
On 2 January 2014, Singapore embarked on the 1st phase of implementing the Personal Data Protection Act (PDPA). The PDPA is a huge step up from the previous lack of a comprehensive regime for privacy and data protection in Singapore despite the rising prevalence of electronic commerce and social networking.
The 1st phase of implementation saw the establishment of the Personal Data Protection Commission and the introduction of a “Do Not Call Registry” which allows individuals to voluntarily opt out of receiving marketing phone calls, mobile messages and faxes via their Singapore telephone numbers.
Although the PDPA imposes restrictions on the collection, use and disclosure of personal data, it recognises the rights of individuals to protect their personal data and serves to exhort them to make better-informed decisions before giving out personal data.
The 2nd phase of implementation will take effect from 2 July 2014 when the rest of the regulatory framework, which establishes a baseline standard of personal data protection, will need to be complied with.
The PDPA runs in parallel with laws in specific industries which will continue to be relevant (eg, banking secrecy laws).
Broadly, the framework imposes the following key obligations on organisations:
• Not to collect, use or disclose personal data without the individual’s consent
• To provide information on the purpose for collection, use or disclosure
• To collect, use or disclose only for purposes which are appropriate
• To provide personal data of the requestor in its possession or control
• To correct personal data of the requestor in its possession or control
• To ensure that personal data collected is accurate and complete
• To protect personal data in its possession or control
• Not to retain personal data if the purpose for collection is no longer served or no longer necessary
• Not to transfer personal data outside of Singapore
Both electronic and non-electronic forms of personal data are covered. Except for certain exempted categories, all organisations are expected to comply with the above.
As the provisions are stated broadly, ambiguity exists. Advisory guidelines have been issued to clarify these provisions and more are expected in the future.
As non-compliance may lead to financial penalties of up to SGD1 million, it may be useful to bear the following in mind:
• Review existing policies on personal data collection, use, disclosure and retention
• Designate the role of “personal data protection officer” to manage and operate compliance measures
• Conduct periodic audits to determine compliance gaps and ensure policy compliance on personal data practices
While the personal data protection framework is a “work-in-progress” and gaps currently exist, its introduction is a step in the right direction in meeting a perceived long-felt want. Organisations involved in collecting and using personal data in Singapore should become more mindful of and sensitive to the issues of personal data protection and take the necessary steps to address its implications.