Singapore - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
The Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') is the principal data protection legislation in Singapore governing the collection, use and disclosure of individuals' personal data by organisations. Prior to the enactment of the PDPA, Singapore did not have an overarching law governing the protection of personal data. The processing of personal data in Singapore was regulated to a certain extent by a patchwork of laws, including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks continue to operate alongside the PDPA.
The PDPA was passed by the Parliament of Singapore on 15 October 2012, and was implemented in three phases. The first phase of general provisions came into effect on 2 January 2013. These provisions relate to the scope and interpretation of the PDPA; the establishment of the Personal Data Protection Commission ('PDPC'), the authority that administers and enforces the PDPA; the establishment of the Data Protection Advisory Committee; the establishment of the Do-Not-Call ('DNC') Registers by the PDPC, and other general provisions of the PDPA. The second phase saw the provisions relating to the DNC Registry come into force on 2 January 2014. The third and final phase saw the main provisions, relating to the protection of personal data ('Data Protection Provisions'), specifically Parts III to IV of the PDPA, coming into effect on 2 July 2014.
In addition to the PDPA, the following subsidiary legislation has been issued to date:
- Personal Data Protection Regulations 2014 ('the Regulations');
- Personal Data Protection (Statutory Bodies) Notification 2013;
- Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014;
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015;
- Personal Data Protection (Exemption from Section 43) Order 2013 ('the Exemption Order');
- Personal Data Protection (Enforcement) Regulations 2014;
- Personal Data Protection (Do Not Call Registry) Regulations 2013;
- Personal Data Protection (Composition of Offences) Regulations 2013; and
- Personal Data Protection (Appeal) Regulations 2015.
1.2. Guidelines
The PDPC has issued a number of advisory guidelines, which, whilst not legally binding on any party, provide greater clarity on how the PDPC may interpret the provisions of the PDPA. Some examples include the Advisory Guidelines on Key Concepts in the Personal Data Protection Act ('the Key Concept Guidelines'); the Advisory Guidelines on the Personal Data Protection Act for Selected Topics; the Advisory Guidelines on Enforcement of Data Protection Provisions; and most recently, the Guide to Data Protection by Design for ICT Systems. All advisory guidelines and guides are accessible via the PDPC's website.
1.3. Case Law
Since 2016, the PDPC has released a series of enforcement decisions that are helpful in illustrating how the PDPA is to be applied. These enforcement decisions are generally accessible via the PDPC's website. Below is an overview of some of the recent enforcement decisions.
As of 20 June 2019, the PDPC had issued a total of 90 grounds of decisions against 114 organisations, with a significant majority of these cases relating to breaches of the Protection Obligation. The most common types of data breaches involve the deliberate disclosure of personal data; poor technical security arrangements; poor physical security arrangements; errors in mass email and/or post; and insufficient data protection policies.
To date, the highest financial penalties that the PDPC has imposed on organisations are SGD 250,000 (approx. €166,260) and SGD 750,000 (approx. €498,790), imposed respectively on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd for breaching their data protection obligations under the PDPA (see Re Singapore Health Services Pte Ltd and another SGPDPC 3). This unprecedented data breach, which arose from a cyber-attack on SingHealth's patient database system, caused the personal data of some 1.5 million patients to be compromised.
The PDPA has also been considered in the Singapore courts. On 19 February 2019, the State Court dismissed a claim brought against the Singapore Swimming Club for defamation and breach of the PDPA. Although written grounds of judgment are not available, this case is significant as it appears to be the first time that the Singapore courts were asked to consider whether there was a breach of the PDPA, and the PDPC did not make any decision in respect of any purported contravention of the PDPA.
In addition to these enforcement decisions, the PDPC also publishes an annual Personal Data Protection Digest, which is a compendium comprising the PDPC's grounds of decisions, summaries of unpublished cases in which no breach was found, and a collection of data protection-related articles contributed by data protection practitioners.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The PDPA generally applies to all organisations in respect of the personal data they collect, use and/or disclose.
However, the following categories of organisations are exempted from the application of the PDPA:
- individuals acting in a personal or domestic capacity;
- employees acting in the course of their employment with an organisation;
- public agencies or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; or
- any other organisation or personal data, or classes of organisations or personal data as may be prescribed by the relevant legislation.
The PDPA sets a baseline standard for personal data protection across the private sector, and operates alongside (and does not override) existing laws and regulations. The PDPA provides that the data protection framework does not affect any right or obligation under the law, and that in the event of any inconsistency, the provisions of other written laws will prevail. For example, the banking secrecy laws under the Banking Act (Chapter 19) 1971 (as revised) govern customer information obtained by banks.
2.2. What types of processing are covered/exempted?
Government agencies are not subject to the requirements of the PDPA, as they have their own set of data protection rules which all public officers must comply with. Organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data are also excluded from the application of the Data Protection Provisions, though they remain subject to obligations under other laws and their contract with the relevant public agency.
The PDPA also applies to organisations with no physical presence in Singapore, as long as these organisations collect, use or disclose data within Singapore. For example, organisations located overseas which collect data from individuals in Singapore via online channels or platforms will be subject to the Data Protection Provisions.
It is worth noting that related organisations within a corporate group are not excluded from the application of the PDPA; an organisation which transfers personal data to its parent company or subsidiary will be subject to the Data Protection Provisions. Furthermore, organisations involved in the cross-border transfer of personal data from Singapore to locations overseas are also subject to the Data Protection Provisions.
'Data intermediaries' (defined in section 8 below) are partially excluded from the application of the Data Protection Provisions, and only have obligations under the PDPA in relation to:
- the protection of personal data in their possession or under their control, by making reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; and
- the retention of personal data, by ceasing to retain documents containing personal data, or removing the means by which the personal data can be associated with particular individuals (e.g. destruction or anonymisation of personal data) as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer served by its retention, and retention is no longer necessary for legal or business purposes.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The PDPC is the regulatory authority that is responsible for administering and enforcing the PDPA. It is a statutory body under the purview of the Ministry of Communications and Information and part of the converged telecommunications and media regulator, the Infocomm Media Development Authority ('IMDA').
3.2. Main powers, duties and responsibilities
The main powers, duties and responsibilities of the PDPC are as follows:
- to promote awareness of data protection in Singapore;
- to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection;
- to advise the Government on all matters relating to data protection;
- to represent the Government internationally on matters relating to data protection;
- to conduct research and studies, promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and support other organisations conducting such activities;
- to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or intergovernmental organisations, on its own behalf or on behalf of the Government;
- to administer and enforce the PDPA;
- to carry out functions conferred on the PDPC under any other written law; and
- to engage in such other activities and perform such functions as the Minister may permit or assign to the PDPC by order published in the Gazette.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: 'Personal data' under the PDPA refers to all 'data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.' This applies regardless of whether such data is in electronic or other form, and regardless of the degree of sensitivity. However, the PDPA expressly excludes the following categories of personal data from its application:
- 'business contact information,' which is defined as 'an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;'
- personal data that is contained in a record that has been in existence for at least 100 years; and
- personal data about a deceased individual who has been dead for more than 10 years.
Sensitive Data: Even though there is no special category for sensitive personal data in the PDPA, the PDPC has taken the view that personal data of a more sensitive nature should be safeguarded by a higher level of protection. The types of personal data that would typically be more sensitive in nature include an individual's national identification numbers (e.g. National Registration Identity Card and passport numbers); personal data of a financial nature (e.g. bank account details, Central Depository account details, securities holdings, transaction and payment summaries); insurance information (e.g. names of the policyholder's dependents or beneficiaries, sum insured under the insurance policy, the premium amount and type of coverage); an individual's personal history involving drug use and infidelity; sensitive medical conditions; and personal data of minors (see Re Aviva Ltd SGPDPC 14).
Data Controller: The PDPA does not use the term 'data controller.' Instead, it uses the more general term of 'organisations' when prescribing the obligations that organisations are required to comply with under the PDPA. The term 'organisation' broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.
Data Processor: The term 'data processor' is not used in the PDPA, but an equivalent term 'data intermediary' is used. 'Data intermediary' refers to an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. Please refer to section 8 below for the definition of 'data intermediary.' See also section 2.2 above for more information on the obligations of data intermediaries.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
There is no obligation imposed on an organisation to notify or register with the PDPC before collecting, using, or disclosing any personal data in Singapore.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Organisations are generally subject to the following obligations as found in the Data Protection Provisions. In particular, under the Consent Obligation, an organisation is required to obtain individuals' consent to collect, use or disclose their personal data, unless the collection, use or disclosure:
- is required or authorised under the PDPA or any other written law;
- is in response to an emergency that threatens the life, health or safety of the individual;
- is for the purpose of managing or terminating an employment relationship (provided that the employee is notified); or
- relates to personal data that is publicly available.
Notably, the PDPC is currently undertaking a review of the PDPA, and has held three consultations in this regard. In the Public Consultation for Approaches to Managing Personal Data in the Digital Economy, the PDPC sought the public's views on, amongst others, two new bases for organisations to collect, use and/or disclose personal data without the need for consent, which are namely 'Notification of Purpose' and 'Legitimate Interests.'
Under the Notification of Purpose basis, the PDPC has proposed to enable organisations to collect, use and/or disclose personal data under the PDPA without consent, where the collection, use and/or disclosure of personal data is not expected to have any adverse impact on the individual. Organisations that wish to rely on this basis must, among other things, provide the individual with appropriate notification of the purpose of the collection, use and/or disclosure of the personal data, and conduct a risk and impact assessment to identify and mitigate any risks.
Under the 'Legitimate Interests' basis, the PDPC has proposed to enable organisations to collect, use and/or disclose personal data without consent in circumstances where there is a need to protect legitimate interests that will have economic, social, security or other benefits for the public (or a section thereof). Such benefits to the public must outweigh any adverse impact to the individual, and organisations must, among other things, conduct a risk and impact assessment to ensure that this is the case. The PDPC published its response to the public consultation on 1 February 2018, and it is expected that the proposed changes will be implemented in due course.
Most recently, in its Data Portability and Data Innovation Public Consultation, the PDPC has further proposed to introduce data innovation provisions in the PDPA to clarify that organisations can use personal data for the purposes of: (i) operational efficiency and service improvements; (ii) product and service development; or (iii) knowing customers better. This will enable organisations to confidently use personal data to derive business insights and innovate in the development and delivery of products and services. However, the PDPC clarified that the proposed data innovation provisions apply only to the use of such data for business innovation purposes, and not to the collection or disclosure of the same. For the collection and disclosure of personal data, organisations are still required to notify the individual and seek his or her consent, unless an applicable exemption under the Second or Fourth Schedule of the PDPA applies. The PDPC issued this public consultation paper on 22 May 2019 and is currently seeking comments on the proposed changes.
An organisation is further required to state the purposes for which it is collecting, using or disclosing the data. Where the supply of a product or service is conditional upon consent given by an individual, such consent must not extend beyond what is reasonable to provide that product or service. Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. For deemed consent to apply, the onus is on the organisation to ensure that individuals were aware of the purpose for which their personal data was collected, used or disclosed. Individuals can generally withdraw consent at any time by giving reasonable notice, unless it would frustrate the performance of a legal obligation. On receipt of notice, the organisation must inform the individual of the consequences of such a withdrawal. Withdrawal of consent applies prospectively and will only affect an organisation's continued or future use of the personal data concerned. Organisations are generally required to inform agents and data intermediaries to whom the personal data has already been disclosed of the withdrawal.
An organisation collecting personal data from a third party source is required to notify the source of the purposes for which it will be collecting, using and disclosing the personal data. Moreover, the organisation should exercise appropriate due diligence to check and ensure that the third party source can validly give consent for the collection, use and disclosure of personal data on behalf of the individuals, or that the source has obtained consent for the disclosure of the personal data.
In addition, organisations are subject to the Purpose Limitation Obligation. In particular, an organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, that have been notified to the individual concerned.
Moreover, organisations are subject to the Notification Obligation. An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose his personal data on or before such collection, use or disclosure.
Furthermore, organisations are subject to the Access and Correction Obligation. An organisation must allow an individual to access and correct his personal data in its possession or under its control upon request. In addition, the organisation is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.
The organisation has a duty to respond to applicants' requests to access their personal data as accurately and completely as necessary and reasonably possible, subject to the exceptions in the Fifth Schedule of the PDPA. On receipt of individuals' requests, the organisation is obliged to provide the individuals, as soon as reasonably possible, (a) personal data about them that is in the possession or under the control of the organisation, and (b) information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the request. An organisation should provide a copy of each applicant's personal data in documentary form or any other form requested by the individual as is acceptable by the organisation. If it is impracticable, the organisation may allow the individual a reasonable opportunity to examine the personal data.
In addition, individuals also have the right to request an organisation to correct any inaccurate data that is in the organisation's control, subject to the exceptions in the Sixth Schedule of the PDPA. Unlike access requests, there is no prescribed duty to respond to a correction request; however, an organisation may decline to make a correction only if it is satisfied on reasonable grounds that the correction should not be made. If no correction is made, the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. Furthermore, organisations are required to send the corrected or updated personal data to specific organisations to which the data was disclosed within a year before the correction was made, unless those organisations do not need the corrected data for any legal or business purpose.
Under the Access Obligation, organisations may charge applicants a reasonable fee to respond to access requests. In doing so, an organisation must provide the applicant with a written estimate of the fee. If the organisation wishes to charge a fee that is higher than the written estimate, it will need to notify the applicant in writing of the higher fee. An organisation does not have to respond to an applicant's access request unless the applicant agrees to pay the fee. In contrast, an organisation is not entitled to impose a fee for correction requests. Upon receipt of an access or correction request, if the organisation cannot comply within 30 days, it must inform the individual in writing of the time by which it will respond to the request.
There are certain exceptions whereby organisations are allowed to withhold access to an individual's personal data, for example where such access would reveal personal data about another individual or would be contrary to the national interest; where the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interest; or where the request is otherwise frivolous or vexatious. In addition to the Fifth and Sixth Schedules to the PDPA, more specific rules concerning the Access and Correction Obligations may be found in Part II of the Regulations.
Moreover, organisations are subject to the Accuracy Obligation. In particular, an organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation.
This would generally require organisations to make a reasonable effort to ensure that:
- the personal data collected (whether directly from the individual concerned or through another organisation) is accurately recorded;
- the personal data collected is complete;
- appropriate steps have been taken to ensure the accuracy and correctness of the personal data; and
- they have considered whether it is necessary to update the personal data.
Organisations are subject to the Protection Obligation. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. In this regard, the PDPC has published the Guide to Securing Personal Data in Electronic Medium and Guide to Managing Data Breaches 2.0 to aid organisations in the management of electronic personal data and data breaches.
Organisations are subject to the Retention Limitation Obligation. An organisation is not required to declare its retention period when collecting personal data but must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected, and is no longer necessary for legal or business purposes. For more details, refer to section 13.3 below.
In addition, organisations are subject to the Transfer Limitation Obligation. An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.
To do so, the organisation must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. These 'legally enforceable obligations' include those imposed under law, contract or binding corporate rules, or any other legally binding instrument. More specific rules may be found in Part III of the Regulations. For more details, please also refer to section 13.1 below.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Generally, the PDPA provides that a data intermediary is subject to only the Protection Obligation and Retention Limitation Obligation. For more details on these obligations, please see our response to section 6.
Accordingly, data intermediaries are typically made subject to contractual obligations which require compliance with the other obligations of the PDPA.
However, it should be noted that notwithstanding an organisation's ability to outsource some of its functions to its data intermediaries, the organisation nevertheless continues to be fully responsible for complying with the PDPA, as if the personal data was processed by the organisation itself.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
The PDPA draws a distinction between an 'organisation' and a 'data intermediary' in relation to the processing of personal data. The relevant definitions as set out in Section 2(1) of the PDPA are as follows:
(a) an 'organisation' is defined as any individual, company, association or body of persons, corporate or unincorporated, whether or not:
- formed or recognised under the law of Singapore; or
- resident, or having an office or a place of business, in Singapore;
(b) a 'data intermediary' is defined as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation; and
(c) 'processing' is defined as the carrying out of any operations or set of operations in relation to the personal data, and includes any of the following:
- organisation, adaptation or alteration;
- transmission; and
- erasure or destruction.
If an organisation is not a data intermediary, it is subject to the full set of data protection obligations under the PDPA. In contrast, as elaborated on in section 2.2 above, other than the Protection Obligation and the Retention Limitation Obligation, no other data protection obligations are imposed on a data intermediary where it is processing personal data for or on behalf of an organisation pursuant to a contract in writing. Therefore, to avoid both parties having to answer to the data protection obligations to the full extent, the contract should state clearly the relationship and the rights and obligations of both parties.
Even if an organisation engages a data intermediary to process personal data on its behalf and for its purposes, Section 4(3) of the PDPA provides that it shall have the same obligations as if the personal data were processed by the organisation itself. Therefore, effectively the organisation will remain liable for the actions and omissions of the data intermediary for personal data that the data intermediary is processing on the organisation's behalf.
Furthermore, according to the Key Concept Guidelines, it is expected that organisations engaging such data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in the processing contract.
On 20 July 2016, the PDPC issued a non-binding Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data, which provides sample data protection clauses that an organisation purchasing services relating to the processing of personal data may include in its service agreements with data intermediaries.
If the organisation fails to put in place data protection clauses in such service agreements, the organisation runs the risk of being held to have breached its Protection Obligation by failing to take necessary actions and precautionary measures to protect such personal data.
9. DATA SUBJECT RIGHTS
Data subjects have the following rights:
- the right to give and withdraw consent at any time by giving reasonable notice, unless it would frustrate the performance of a legal obligation;
- the right to request an organisation to give them access to their personal data in the organisation's possession or control, subject to the exceptions in the Fifth Schedule of the PDPA; and
- the right to request an organisation to correct any inaccurate data that is in the organisation's possession or control, subject to the exceptions in the Sixth Schedule of the PDPA.
With regard to the withdrawal of consent, data subjects should be cognisant of the fact that the withdrawal of certain types of consent may affect the ability of the organisation to continue providing them with the requested services.
With regard to the right to request access, data subjects have a right to find out what personal data the organisation has of them, and how the organisation has used their personal data over the past year.
For the avoidance of doubt, data subjects have no right in Singapore to request that an organisation destroy or delete the personal data in the organisation's possession or control.
Please refer to section 6 above for more information.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
As part of the Openness Obligation, it is mandatory for organisations to appoint a DPO, or a panel of individuals, to be responsible for ensuring that the organisation complies with the PDPA. The organisation has to make the business contact information of the DPO publicly available. The appointed DPO may delegate the responsibility conferred by this appointment to appropriate individuals although, as mentioned previously, the organisation remains responsible for complying with the PDPA. Organisations that have not appointed a DPO are in breach of the Openness Obligation and may be subject to a financial penalty. The PDPC may also issue directions to that organisation to appoint a DPO.
Additionally, the PDPC has stated that recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organisation and ought to be part of enterprise risk management frameworks. This would allow the board of directors and C-level executives to be made cognisant of the risks of a data breach (see Re M Stars Movers & Logistics Specialist Pte Ltd SGPDPC 15).
The organisation is also required, under the Notification Obligation, to make available the business contact information of a person who is able to respond on behalf of the organisation to questions relating to the collection, use or disclosure of personal data. This person may also be the designated DPO. While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends, as good practice, that the business contact information of this person should be readily accessible from Singapore, operational during Singapore business hours and, if telephone numbers are used, be Singapore telephone numbers.
In terms of the choice of DPO, the PDPC has stated that the DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to him or her. If not one of the C-level executives, the DPO should have at least a direct line of communication to them. This level of access and empowerment will provide the DPO with the necessary wherewithal to perform his/her role and accomplish his/her functions. (See Re M Stars Movers & Logistics Specialist Pte Ltd).
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
The PDPA does not prescribe a general obligation to notify individuals in the event of a data breach. However, the PDPC has stated that it is good practice to notify the affected individuals of such data breaches, as this allows them to take preventive measures to reduce the impact of the breach and helps the organisation regain their trust. Organisations are also advised to notify the PDPC as soon as possible of any data breach that may cause public concern, particularly if the breach involves sensitive personal data or where there is a risk of harm to affected individuals. Where criminal activity is suspected, organisations are advised to notify the police and preserve evidence for investigation.
In particular, the PDPC has reminded organisations of their general duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC. (See Re NTUC Income Insurance Co-operative SGPDPC 10).
The PDPC is contemplating introducing a mandatory data breach notification scheme. In its Public Consultation for Approaches to Managing Personal Data in the Digital Economy, the PDPC sought the public's views on, amongst other things, a proposed mandatory data breach notification regime. In its Response to Feedback on that consultation, the PDPC stated that it intends to implement such a regime and that it will issue advisory guidelines to help organisations comply with the data breach notification requirements once introduced, including but not limited to:
- considerations for assessing whether data breaches meet the criteria for notification;
- the time frame for notification; and
- the types of information to be included in the breach notification to affected individuals and to the PDPC.
11.2. Sectoral obligations
In relation to financial institutions ('FIs'), the Guidelines on Outsourcing and the Notice on Technology Risk Management, both of which are issued by the Monetary Authority of Singapore ('MAS'), require FIs to notify the MAS of, amongst other things, breaches of the security and confidentiality of the FI's customer information, in the following manner:
- within an hour of the discovery of a 'Relevant Incident,' defined in the Notice on Technology Risk Management as 'a system malfunction or IT security incident, which has a severe and widespread impact on the financial institution's operations or materially impacts the financial institution's service to its customers;' and
- 'as soon as possible of any adverse development arising from [their] outsourcing arrangements that could impact the institution' as well as any 'such adverse development encountered within the institution's group.'
12. ENFORCEMENT
The PDPC is responsible for enforcing the PDPA. Where the PDPC is satisfied that an organisation has breached the Data Protection Provisions of the PDPA, it has wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data; or
- pay a financial penalty of up to SGD 1 million (approx. €665,050).
In the course of its investigation, the PDPC may:
- by notice in writing, require an organisation to produce any specified document or specified information;
- by giving at least two working days' advance notice of intended entry, enter an organisation's premises without a warrant; and
- obtain a search warrant to enter an organisation's premises and take possession of, or remove, any document.
Non-compliance with certain provisions under the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached.
For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding SGD 5,000 (approx. €3,300) or to imprisonment for a term not exceeding 12 months, or both (Section 51(2) of the PDPA).
An organisation or person who obstructs or impedes the PDPC or an authorised officer, knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC in the exercise of its powers or performance of its duties under the PDPA, commits an offence. On conviction, an individual is liable to a fine of up to SGD 10,000 (approx. €6,600) and/or imprisonment for a term of up to 12 months; in any other case, the offender is liable to a fine of up to SGD 100,000 (approx. €66,000).
An aggrieved individual or organisation may make a written application to the PDPC to reconsider its direction or decision. Thereafter, any individual or organisation aggrieved by the PDPC's reconsideration decision may lodge an appeal to the Data Protection Appeal Panel. Alternatively, an aggrieved individual or organisation may appeal directly to the Data Protection Appeal Panel without first submitting a reconsideration request. A direction or decision of the Data Protection Appeal Panel (via the Data Protection Appeal Committee) may be appealed to the High Court on a point of law or where such decision relates to the amount of a financial penalty. The decision of the High Court may be further appealed to the Court of Appeal.
An individual who suffers loss or damage directly as a result of a contravention of the provisions of the PDPA may also commence a private civil action. However, such a right of private action is only exercisable after all avenues of appeal, in respect of the relevant infringement decision issued by the PDPC, have been exhausted.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
As stated in section 6 above, any organisation transferring personal data out of Singapore must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. In addition to this requirement, a contract imposing legally enforceable obligations must specify the countries and territories to which the personal data may be transferred under the legally enforceable obligations.
In relation to transfers of personal data outside of Singapore to related organisations, the PDPC has accepted binding corporate rules ('BCRs') as a form of such 'legally enforceable obligations,' which:
- require every recipient of the transferred personal data to provide to the personal data a standard of protection that is at least comparable to the protection under the PDPA;
- specify the recipients of the transferred personal data to which the BCRs apply;
- specify the countries and territories to which the personal data may be transferred under the BCRs; and
- specify the rights and obligations provided by the BCRs.
A recipient of personal data is considered 'related' to the transferring organisation if:
- the recipient, directly or indirectly, controls the transferring organisation;
- the recipient is, directly or indirectly, controlled by the transferring organisation; or
- the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.
There are also a number of express situations in which an organisation is taken to have satisfied the requirement of taking appropriate steps to ensure that the recipient outside Singapore is bound by legally enforceable obligations to protect the personal data to a comparable standard. These include:
- where the individual consents to the transfer of the personal data to the recipient in that country;
- where the transfer of the personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual's request with a view to the individual entering into a contract with the transferring organisation;
- where the transfer of personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;
- where the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, subject to the organisation taking reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and
- where the personal data is data in transit or publicly available in Singapore.
13.2. Employment
In the employment context, an organisation may collect, use and disclose the personal data of job applicants and of its own employees. Where job applicants voluntarily provide their personal data for a job application, they may be deemed to consent to the organisation collecting, using and disclosing that personal data for the purpose of assessing their application. If the applicant is employed, the organisation may continue to use the same personal data for the purpose of managing the employment relationship with the individual. However, the organisation may need to notify the individual and seek his or her consent at various points during the employment relationship if it requires additional personal data, or intends to use the personal data for purposes to which deemed consent does not extend and for which no exception under the PDPA applies.
An organisation may also collect, use and disclose personal data of employees without consent for 'evaluative purposes' (which includes, amongst others, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promoting in employment or continuance in employment). This is to be contrasted against the collection, use and disclosure of employees' personal data for the purposes of managing or terminating the employment relationship, for which the employee's consent need not be obtained but the employee must still be informed of such a purpose.
Separately, it should also be noted that an organisation remains responsible for any breaches of the PDPA caused by its employees acting in the course of their employment. That said, if an organisation has taken such steps as are practicable to prevent its employees from engaging in acts that breach the PDPA, it will not be held liable for its employees' non-compliance.
Organisations therefore often include robust personal data protection clauses as well as employee data protection policies in their employment handbooks and contracts to address the various practices and procedures that the organisation has introduced to meet its obligations under the PDPA and to seek the necessary consents from its employees.
13.3. Data Retention
As stated above, the Retention Limitation Obligation in the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for legal or business purposes.
The PDPA does not prescribe a specific retention period for personal data. The period for which an organisation can legitimately retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and retained. Separately, legal or industry-specific requirements governing the retention of particular records may also apply.
Where there is no longer a need for an organisation to retain personal data, the organisation should cease to do so. An organisation is deemed to have ceased to retain personal data when it no longer has access to the documents and the personal data they contain, or when the personal data is otherwise inaccessible or irretrievable by the organisation. In considering whether an organisation has ceased to retain personal data, the PDPC will consider the following factors in relation to that personal data:
- whether the organisation has any intention to use or access the personal data;
- how much effort and resources the organisation would need to expend in order to use or access the personal data again;
- whether any third parties have been given access to that personal data; and
- whether the organisation has made a reasonable attempt to destroy, dispose of or delete the personal data in a permanent and complete manner.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The DNC Registry
The DNC Registry is designed to be a simple means of blocking unwanted marketing messages. It applies only to 'specified messages' addressed to a Singapore telephone number where either the sender is present in Singapore when the message is sent, or the recipient is present in Singapore when the message is accessed.
'Specified messages' are, in essence, messages for which one or more of the purposes (determined having regard to aspects such as content, presentation and contact information) relate to, amongst other things, advertising or offering to supply goods or services, land or interests in land, or business or investment opportunities. Specified messages exclude, amongst others, messages sent by an individual acting in a personal or domestic capacity; business-to-business marketing messages; messages necessary to respond to an emergency that threatens the life, health or safety of any individual; and market surveys.
Provided one of the presence conditions above is met, the geographical locations of the originating message source and of the receiving device are inconsequential.
Post and other messages delivered in physical form, as well as emails, do not fall within the scope of the DNC rules, although emails and other electronic messages are potentially governed by the Spam Control Act (Chapter 311A) (2007; last amended 2008) ('the Spam Control Act'). Briefly, the Spam Control Act governs the sending of unsolicited commercial electronic messages (including emails) in bulk, and in particular compliance with the content requirements set out in its Second Schedule. It should be noted that the DNC provisions do apply to marketing messages sent through smartphone applications that use a telephone number as an identifier, or via other technologies using a mobile data connection, such as WhatsApp or Viber.
There are three separate Registers for voice calls, text messages (SMS or MMS) and faxes for which registration can be completed through the following means, although only Singapore telephone numbers will be accepted for registration:
- dial a toll-free number from the telephone number to be registered (which must not be subscribed to a caller-ID blocking service);
- send an SMS from the telephone number to be registered; or
- fill in an online form on the PDPC's website and provide proof of ownership of the phone number.
Registration of telephone numbers is free of charge. Registration is permanent until withdrawn or upon the termination of the number.
Against the above backdrop, the requirements imposed on companies are a relatively 'light touch.' Essentially, companies that wish to send marketing messages are required to, within 30 days before sending such message(s), check that the number(s) to which they are sending such message(s) are not registered with the relevant DNC Registry. To perform such checks, companies may apply for an account on the DNC Registry website. A one-time account creation fee will be charged. In order to enable organisations to better comply with the DNC rules, each account is provided 1000 free credits annually to check the DNC Registries.
In relation to telemarketing activities outsourced to overseas organisations, the Singapore organisation that outsources the telemarketing function and authorises the sending of the message remains responsible for complying with the DNC Registry rules in respect of that message.
However, the requirement to check the DNC Registries is not applicable to overseas telecom service operators sending messages promoting their cheaper IDD services to Singapore subscribers roaming on the overseas telecom network.
Companies that wish to send 'specified messages' to a Singapore telephone number, which is registered with the DNC Registry, are required to obtain the clear and unambiguous consent of the registrant to do so. By the same token, companies which have clear and unambiguous consent to send such messages to a Singapore telephone number need not check the DNC Registries before doing so.
Whenever a marketing message is sent, the message must contain clear and accurate information identifying the organisation, as well as its contact details. Where a marketing phone call is made, the telephone number from which the call is made must not be concealed.
The Exemption Order allows organisations that have an ongoing relationship with a subscriber or user of a Singapore telephone number to continue to send promotional messages about similar or related products, services and memberships via text or fax (but not voice call) to that number without checking against the DNC Registry, provided certain conditions are fulfilled. Each exempt message must contain an opt-out facility that the subscriber or user may use to stop receiving such telemarketing messages. If the subscriber or user opts out, the organisation can no longer rely on the exemption and must stop sending such specified messages to that individual within 30 days of the opt-out.
Notably, in its Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (issued 27 April 2018), the PDPC sought the public's views on consolidating the DNC provisions in Part IX of the PDPA and the Spam Control Act into a single piece of legislation governing all unsolicited commercial messages. While the PDPC published its Response to the feedback received on 8 November 2018, there is no indication as yet of when the proposed changes will be implemented.
Data Protection Trustmark
On 2 January 2019, the Info-communications Media Development Authority ('IMDA') launched the Data Protection Trustmark ('DPTM'), a voluntary enterprise-wide certification scheme. The DPTM certification scheme incorporates elements of the PDPA, international benchmarks (e.g. the Asia Pacific Economic Cooperation Cross-Border Privacy Rules and Privacy Recognition for Processors requirements) and best practices. Its aim is to help organisations increase their competitive advantage, build consumer trust, and demonstrate sound and accountable data protection practices. An independent assessment body is appointed to assess whether an organisation's data protection policies and practices are aligned with the DPTM requirements. Organisations may apply to IMDA for approval to participate in the scheme. DPTM certification is valid for three years, and organisations may apply for re-certification at least six months before the date of expiry.
National Registration Identity Card Numbers
The PDPC has issued more stringent guidance with respect to National Registration Identity Card ('NRIC') numbers and other national identification numbers. Under the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (issued 31 August 2018), organisations are generally not permitted to collect, use or disclose NRIC numbers or other national identification numbers unless such collection, use or disclosure is (i) required under law (or an exception under the PDPA applies); or (ii) necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.