The document provides an overview of Singapore's Personal Data Protection Act (PDPA). It discusses the PDPA's nine obligations relating to the collection, use and disclosure of personal data by organisations: obtaining consent, limiting collection and use to reasonable purposes, notifying individuals of those purposes, providing access and correction, ensuring accuracy, protecting data, limiting retention, restricting transfers outside Singapore, and being open about data protection policies. It also outlines the Do Not Call Registry requirements and the penalties for non-compliance. In conclusion, it notes that the registry and the data protection provisions will come into force in 2014.
Agenda
1. PDPA Introduction
2. Nine Obligations relating to the Collection, Use or Disclosure of Personal Data
3. Do Not Call Registry (“DNC Registry”)
4. Appeals & Penalty
5. In Conclusion
1. PDPA Introduction
a. The PDPA's objective is to govern the collection, use, disclosure and care of
personal data by organisations.
b. It does so in a manner that recognises and balances both
i. the right of individuals to protect their personal data, and
ii. the need of organisations to collect, use or disclose personal data
for genuine and reasonable commercial and operational purposes.
c. Organisations are given an 18-month transitional period to comply with the
PDPA before the data protection provisions come into force (the Act took
effect on 2 Jan 2013; the data protection provisions are projected for mid-2014).
1. PDPA Introduction (cont..)
Definitions of important terms
a. Individual - “a natural person, whether living or deceased”.
b. Personal data - “data, whether true or not, about an individual who can be identified from
that data, or from that data and other information to which the organisation has or is likely
to have access”.
c. Organisation - “any individual, corporate body (such as a company) or unincorporated
body of persons (such as an association)”.
d. Collection - “any act or set of acts through which an organisation obtains control over or
possession of personal data”.
e. Use - “any act or set of acts by which an organisation uses personal data. A particular use
of personal data may occasionally include collection or disclosure that is necessarily part
of the use”.
f. Disclosure - “any act or set of acts by which an organisation discloses, transfers or otherwise
makes available personal data that is in its possession or under its control to any other organisation”.
g. Purpose - “does not refer to the activities which an organisation may intend to undertake, but to
its objectives or reasons relating to the personal data”.
h. Reasonableness - “any act is judged against what a reasonable person would consider
appropriate in the circumstances”.
2. Nine Obligations relating to the Collection,
Use & Disclosure of Personal Data
1) The Consent Obligation
2) The Purpose Limitation Obligation
3) The Notification Obligation
4) The Access & Correction Obligation
5) The Accuracy Obligation
6) The Protection Obligation
7) The Retention Limitation Obligation
8) The Transfer Limitation Obligation
9) The Openness Obligation
2. Nine Obligations (cont..)
1) Consent Obligation
a. An organisation must obtain the consent of the individual before
collecting, using or disclosing his personal data for a purpose.
I. Provision of Consent
i. Consent must not be made a condition of supplying a product or service (no tying consent
to the product or service).
ii. Consent must not be obtained by providing false or misleading information in order to
collect, use or disclose personal data.
II. Deemed Consent
An individual is deemed to have consented where:
i. the individual voluntarily provided his personal data, and
ii. the individual was aware of the purpose for which the personal data was collected.
III. Withdrawal of Consent
i. An individual may withdraw consent by giving reasonable notice to the organisation.
ii. On receipt of the notice, the organisation must inform the individual of the likely
consequences of withdrawing consent.
iii. An organisation must not prohibit an individual from withdrawing consent, although
withdrawal does not affect any legal consequences arising from it.
IV. Collection, Use & Disclosure Without Consent
Consent is not required where, for example, the personal data is:
i. generally available to the public, or
ii. collected, used or disclosed in the national interest.
2. Nine Obligations (cont..)
2) Purpose Limitation Obligation
a. An organisation may collect, use or disclose personal data about an
individual only for purposes that a reasonable person would consider
appropriate in the circumstances.
b. The main objective is to ensure that organisations collect, use and disclose
personal data only for purposes that are reasonable.
Example:
A fashion retailer is conducting a membership drive. It states in the
membership registration form that the purposes for which it may use the
details provided by individuals who register include providing them with
updates on new products and promotions.
In this case, providing updates on new products and promotions is likely to be a
reasonable purpose for a fashion retailer.
2. Nine Obligations (cont..)
3) Notification Obligation
a. An organisation must notify the individual of the purpose(s) for which it
intends to collect, use or disclose the individual's personal data.
Depending on the circumstances, the notification may also cover:
b. the circumstances in which it will be collecting the personal data;
c. the amount of personal data to be collected;
d. the frequency at which the data will be collected.
Example:
Maya signs up for a spa membership over the Internet. The terms and
conditions for the spa membership outline and explain how Maya's personal
data will be used and disclosed.
For example, they state that Maya's address details will be used for sending her a
spa membership card and other communications from the spa. Maya clicks on
the “Accept” button at the bottom of the terms and conditions to indicate her
acceptance of, and agreement to, the terms and conditions.
In this case, the spa has notified Maya of the purposes and obtained her consent for
the collection, use and disclosure of her personal data in connection with the stated purposes.
2. Nine Obligations (cont..)
4) Access & Correction Obligation
a. An organisation must, upon request, provide an individual with his or
her personal data and with information about the ways in which the
personal data has been or may have been used or disclosed within the past year.
b. Upon a correction request from an individual, the organisation must
consider, on reasonable grounds, whether the correction should be made.
c. It must then correct the data as soon as practicable and send the corrected personal
data to every other organisation to which the personal data was
disclosed within a year before the date the correction request was made.
Example:
Maya makes an access request to her spa, requesting information relating to
how her personal data has been used or disclosed. The request was made on
5th February 2013. The spa is only required to provide information on how her
personal data has been used or disclosed within the past year, that is, the period
from 6th February 2012 to the date of the request, 5th February 2013.
2. Nine Obligations (cont..)
5) Accuracy Obligation
a. An organisation must make a reasonable effort to ensure that personal
data collected by or on behalf of the organisation is accurate and
complete if the personal data is likely to be:
i. used by the organisation to make a decision that affects the
individual to whom the personal data relates, or
ii. disclosed by the organisation to another organisation.
Example:
Nick applies for a home loan from a bank. The bank asks Nick to provide
relevant details such as his name, address, current employment status and
income, in order to assess whether to provide the loan to Nick.
Related to this, the bank asks Nick to provide supporting documents, including
an identity document and his most recent payslip, in order to verify the
information provided by Nick. It also asks Nick to declare that the information
he has provided is accurate and complete.
In this scenario, the bank has made a reasonable effort to ensure that the
personal data collected from Nick is accurate and complete.
2. Nine Obligations (cont..)
6) Protection Obligation
a. An organisation must protect personal data in its possession or under its
control by making reasonable security arrangements to prevent
unauthorised access, collection, use, disclosure, copying, modification,
disposal or similar risks.
b. Organisations should consider undertaking a risk assessment to ascertain
whether their information security arrangements are adequate; what counts as
“reasonable” depends on the sensitivity of the data and the harm its exposure would cause.
Example:
In the employment context, it would be reasonable to expect a greater level of
security for highly confidential employee appraisals than for more
general information about the projects an employee has worked on.
2. Nine Obligations (cont..)
7) Retention Limitation Obligation
a. An organisation must cease to retain documents containing personal
data, or remove the means by which the personal data can be
associated with particular individuals (i.e. anonymise it), as soon as it is
reasonable to assume that:
i. the purpose for which the personal data was collected is no longer
being served by retention of the personal data, and
ii. retention is no longer necessary for legal or business purposes.
b. Personal data should not be kept by an organisation “just in case”
it may be needed.
Example:
A dance school has collected personal data of its tutors and students. It
retains and uses such data (with the consent of the individuals), even after a
tutor or student has left the dance school, for the purpose of
maintaining an alumni network. As the dance school is retaining the
personal data for a valid purpose, it is not required to cease to retain the
data under the Retention Limitation Obligation.
2. Nine Obligations (cont..)
8) Transfer Limitation Obligation
a. An organisation must not transfer any personal data to a country or
territory outside Singapore unless it ensures that the transferred personal data
receives a standard of protection comparable to that under the PDPA.
b. Transferring organisations must further ensure that receiving
organisations have in place appropriate internal policies governing their
employees, agents and sub-contractors who have access to any
personal data received from the transferring organisation.
2. Nine Obligations (cont..)
9) Openness Obligation
An organisation must:
a. develop and implement the policies and practices necessary to meet its
obligations under the PDPA;
b. develop a process to receive and respond to complaints that may
arise with respect to the application of the PDPA;
c. communicate its data protection policies and practices to its staff; and
d. make information available on request about its data protection
policies and practices and its process for receiving and responding to
complaints.
3. Do Not Call Registry (“DNC Registry”)
a. The Act provides for the setting up of a DNC Registry, which allows
individuals to register their telephone numbers to opt out of marketing or
premium-service messages from organisations.
b. Organisations are required by law to check the registry and to
ensure that they do not send such messages to registered numbers
unless they have obtained clear and explicit consent.
c. Messages without commercial elements are not covered by the DNC
Registry at this stage. Examples of such messages are those that:
- promote political or national programmes;
- solicit donations or support for charitable causes and voluntary services;
- provide information such as warranty, security or goods delivery notices;
- conduct market research or market surveys.
3. Do Not Call Registry (cont..)
a. The DNC Registry accepts registration of Singapore telephone numbers,
including mobile, fixed-line, residential and business numbers; overseas
telephone numbers cannot be registered.
b. Business-to-business (B2B) marketing messages are not currently covered
by the requirements relating to the DNC Registry.
Example:
John calls Mary, an employee of ABCD Childcare Pte Ltd (“ABCD”), on her
business contact number (which John obtained from ABCD's website) to
promote a product which he thinks ABCD would purchase for use at its
childcare centres. Such a call is not a specified message for the purposes of
the Do Not Call Provisions.
Channels by regime:
- PDPA Do Not Call Provisions: phone calls, fax messages
- Spam Control Act: email, text messages, MMS messages
- Physical mail: listed separately, falling under neither of the above
4. Appeal & Penalty Enforcement
Appeal
a. After the sunrise period, the Personal Data Protection Commission (PDPC) is
authorised to investigate complaints, or to initiate
investigations on its own accord.
i. A direction or decision of the Commission may be appealed.
ii. Further appeals lie to the High Court and the Court of Appeal.
Penalty
a. A District Court has the authority and power to impose the full penalty
or punishment in respect of an offence under the Act.
b. Any person guilty of an offence under the Act is liable on
conviction to a fine not exceeding $10,000 or to imprisonment for a
term not exceeding 3 years, or both.
c. In the case of a continuing offence, a further fine not exceeding $1,000
for every day during which the offence continues.
d. An organisation may be ordered to pay a financial penalty of an amount not
exceeding $1 million.
5. In Conclusion
a. Purpose and objective of the PDPA.
b. Rules and regulations of the DNC Registry.
c. The DNC Registry is expected to be ready for public registration by early
2014, and the personal data protection provisions are expected to come into force in mid-2014.
d. Each organisation must designate at least one individual to be responsible
for ensuring compliance with the PDPA (the “Data Protection Officer”).