Support Centre
Singapore - Data Protection Overview
Back

Singapore - Data Protection Overview

December 2020

INTRODUCTION

The Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') governs the collection, use, and disclosure of individuals' personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Apart from the PDPA, there has been a general push towards a culture of accountability by the Personal Data Protection Commission ('PDPC'), the regulator for data protection. For example, the PDPC implemented the Data Protection Trustmark Certification in 2019, which is a voluntary enterprise-wide certification program for organisations to demonstrate accountable data protection practices.

The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 ('the Amendment Bill'), which was passed in the Parliament of Singapore ('the Parliament') on 2 November 2020. These amendments to the PDPA have been passed but have yet to take effect and will come into force on a date appointed by notification in the Government Gazette ('the Gazette'). A large number of changes will be implemented under the Amendment Bill, for example, the enforcement powers of the PDPC will increase, and the PDPC will be able to impose financial penalties of up to 10% of an organisation's annual turnover in Singapore, or SGD 1 million (approx. €617,600), whichever is higher.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

The PDPA is the principal data protection legislation in Singapore governing the collection, use, and disclosure of individuals' personal data by organisations. Prior to the enactment of the PDPA, Singapore did not have an overarching law governing the protection of personal data. The processing of personal data in Singapore was regulated to a certain extent by a patchwork of laws including, common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks will continue to operate alongside the PDPA.

The PDPA was passed by the Parliament on 15 October 2012, and was implemented in three phases. The first phase of general provisions came into effect on 2 January 2013. These provisions relate to the scope and interpretation of the PDPA; the establishment of the PDPC, the authority that administers and enforces the PDPA; the establishment of the Data Protection Advisory Committee; the establishment of the Do-Not-Call ('DNC') Registers by the PDPC, and other general provisions of the PDPA. The second phase saw the provisions relating to the DNC Registry come into force on 2 January 2014. The third and final phase saw the main provisions, relating to the protection of personal data ('Data Protection Provisions'), specifically Parts III to IV of the PDPA, entered into effect on 2 July 2014.

As of the time of writing, the Amendment Bill has been passed in the Parliament. A number of changes to the PDPA will be made under the Amendment Bill, including increasing the enforcement powers of the PDPC, and the broadening of certain exceptions in respect of the Data Protection Provisions under the PDPA.

In addition to the PDPA, the following subsidiary legislation has been issued to date:

The PDPA sets a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) existing laws and regulations. The PDPA provides that the data protection framework does not affect any right or obligation under the law, and that in the event of any inconsistency, the provisions of other written laws will prevail. For example, the banking secrecy laws under Banking Act (Chapter 19) 1971 (as revised) govern customer information obtained by banks.

1.2. Guidelines

The PDPC has issued a number of advisory guidelines which, while not legally binding on any party, provide greater clarity on how the PDPC may interpret the provisions of the PDPA. Some examples include:

Additionally, in tandem with the amendments to the PDPA under the Amendment Bill, the PDPC has also issued the Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill which provide clarification on key provisions in the Amendment Bill, and will be finalised and issued when the amendments to the PDPA come into effect.

All advisory guidelines and guides are accessible via the PDPC's website.

1.3. Case law

Since 2016, the PDPC has released a series of enforcement decisions that are helpful in illustrating how the PDPA is to be applied. These enforcement decisions are generally accessible via the PDPC's website. Below is an overview of some of the recent enforcement decisions.

As of 25 October 2020, the PDPC has issued a total of 164 published grounds of decisions or summaries of grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation. The most common types of data breaches involve the deliberate disclosure of personal data, poor technical security arrangements, poor physical security arrangements, errors in mass email and/or post, and insufficient data protection policies.

To date, the highest financial penalties that the PDPC has imposed on organisations are SGD 250,000 (approx. €166,260) and SGD 750,000 (approx. €498,790) respectively on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. (See Re Singapore Health Services Pte Ltd and another [2019] SGPDPC 3). This unprecedented data breach which arose from a cyber-attack on SingHealth's patient database system caused the personal data of some 1.5 million patients to be compromised.

The PDPA has also been considered in the Singapore courts. On 19 February 2019, the State Court dismissed a claim brought against the Singapore Swimming Club for defamation and breach of the PDPA. Although written grounds of judgment are not available, this case is significant as it appears to be the first time where the Singapore courts were asked to consider whether there was a breach of the PDPA, and the PDPC did not make any decision in respect of any purported contravention of the PDPA.

Additionally, in IP Investment Management Pte Ltd and others v Alex Bellingham [2019] SGDC 207, a judgment of the District Court delivered on 3 October 2019, the Court had to decide on a claim pursuant to the right of private action available to individuals under Section 32 of the PDPA. The Court found that there had been a breach of certain Data Protection Provisions and that the third plaintiff had suffered loss and damage through the defendant's misuse of his personal information. Accordingly, the Court granted an injunction restraining the defendant from using, disclosing, or communicating any personal data of the third plaintiff, and ordered the defendant to undertake the destruction of all personal data of the third plaintiff. However, the Court did not elaborate on the type of damage or loss required for an actionable claim under Section 32 of the PDPA.

In addition to these enforcement decisions, the PDPC also publishes an annual Personal Data Protection Digest, which is a compendium comprising the PDPC's grounds of decisions, summaries of unpublished cases where a finding of no-breach was found and a collection of data protection-related articles contributed by data protection practitioners.

2. SCOPE OF APPLICATION

2.1. Personal scope

The PDPA generally applies to all private organisations in respect of the personal data they collect, use, and/or disclose.

However, the following categories of organisations are exempted from the application of the PDPA:

  • individuals acting in a personal or domestic capacity;
  • employees acting in the course of their employment with an organisation;
  • public agencies; or
  • any other organisation or personal data, or classes of organisations or personal data as may be prescribed by the relevant legislation.

Government agencies are not subject to the requirements of the PDPA, as they have their own set of data protection rules which all public officers must comply with.

As at the time of writing, organisations acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data are also excluded from the application of the Data Protection Provisions, though they remain subject to obligations under other laws and their contract with the relevant public agency. However, once the changes in the Amendment Bill (which has been passed but has yet to come into effect) are implemented, organisations working on behalf of public agencies will no longer be exempted from the application of the PDPA, and will have to comply with the provisions in the PDPA.

'Data intermediaries' are partially excluded from the application of the Data Protection Provisions if they are processing personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing, and only have obligations under the PDPA in relation to:

  • the protection of personal data in their possession or under their control, by making reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; and
  • the retention of personal data, by ceasing to retain documents containing personal data, or removing the means by which the personal data can be associated with particular individuals (e.g. destruction or anonymisation of personal data) as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer served by its retention, and retention is no longer necessary for legal or business purposes.

Additionally, once the changes in the Amendment Bill are implemented, where a data intermediary has reason to believe that a data breach affecting personal data has occurred, it must, without undue delay, notify the organisation or the public agency of the occurrence of the data breach.

2.2. Territorial scope

The PDPA also applies to organisations with no physical presence in Singapore, as long as these organisations collect, use, or disclose data within Singapore. For example, organisations located overseas which collect data from individuals in Singapore via online channels or platforms will be subject to the Data Protection Provisions.

It is worth noting that related organisations within an entity are not excluded from the application of the PDPA; an organisation which transfers personal data to its parent company or subsidiary will be subject to the Data Protection Provisions. Furthermore, organisations involved in the cross-border transfer of personal data from Singapore to locations overseas are also subject to the Data Protection Provisions.

2.3. Material scope

The PDPA regulates the collection, use, and disclosure of personal data by organisations. The PDPA expressly excludes the following categories of personal data from its application:

  • 'business contact information,' which is defined as 'an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;'
  • personal data that is contained in a record that has been in existence for at least 100 years; and
  • personal data about a deceased individual who has been dead for more than ten years.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The PDPC is the regulatory authority that is responsible for administering and enforcing the PDPA. It is part of the converged telecommunications and media regulator, the Infocomm Media Development Authority ('IMDA'), which is in turn a statutory body under the purview of the Ministry of Communications and Information.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the PDPC are as follows:

  • to promote awareness of data protection in Singapore;
  • to provide consultancy, advisory, technical, managerial, or other specialist services relating to data protection;
  • to advise the Government of Singapore on all matters relating to data protection;
  • to represent the Government internationally on matters relating to data protection;
  • to conduct research and studies, promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and support other organisations conducting such activities;
  • to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter governmental organisations, on its own behalf or on behalf of the Government;
  • to administer and enforce the PDPA;
  • to carry out functions conferred on the PDPC under any other written law; and
  • to engage in such other activities and perform such functions as the Minister may permit or assign to the PDPC by order published in the Gazette.

4. KEY DEFINITIONS

Data controller: The PDPA does not use the term 'data controller.' Instead, it uses the more general term of 'organisations' when prescribing the obligations that organisations are required to comply with under the PDPA. The term 'organisation' broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.

Data processor: The term 'data processor' is not used in the PDPA, but an equivalent term 'data intermediary' is used. 'Data intermediary' refers to an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. Please refer to section 8 below for the definition of 'data intermediary.' See also section 2.2 above for more information on the obligations of data intermediaries.

Personal data: 'Personal data' under the PDPA refers to all 'data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.' This applies regardless of whether such data is in electronic or another form, and regardless of the degree of sensitivity. However, the PDPA expressly excludes the following categories of personal data from its application:

  • 'business contact information,' which is defined as 'an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;'
  • personal data that is contained in a record that has been in existence for at least 100 years; and
  • personal data about a deceased individual who has been dead for more than ten years.

Sensitive data: Even though there is no special category for sensitive personal data in the PDPA, the PDPC takes the view that personal data of a more sensitive nature should be safeguarded by a higher level of protection. The types of personal data that would typically be more sensitive in nature include an individual's national identification numbers (e.g. National Registration Identity Card and passport numbers); personal data of a financial nature (e.g. bank account details, Central Depository account details, securities holdings, transaction and payment summaries); insurance information (e.g. names of the policyholder's dependents or beneficiaries, sum insured under the insurance policy, the premium amount and type of coverage); an individual's personal history involving drug use and infidelity; sensitive medical conditions; and personal data of minors. (See Re Aviva Ltd [2017] SGPDPC 14).

Health data: The term 'health data' is not used in the PDPA. Rather, similar to biometric data, health data would be considered a type of personal data, and therefore be covered under the PDPA. Depending on the particular factual context, the handling of health data could also be covered under other laws such as the Health Products (Clinical Trials) Regulations 2016, or the Medicines (Clinical Trials) Regulations 2016 in Singapore.

Biometric data: The term 'biometric data' is not used in the PDPA. Rather, biometric data would be considered as a type of personal data, and therefore would be covered under the PDPA.

Pseudonymisation: There is no specific reference to pseudonymisation in the PDPA. However, in its Advisory Guidelines on the PDPA for Selected Topics (9 October 2019), the PDPC has described pseudonymisation as an anonymisation technique involving 'replacing personal identifiers with other references,' and has also stated that the anonymisation of personal data may be carried out to render the anonymised data suitable for more uses than its original state (i.e., the original personal data) would permit under data protection regimes, since anonymised data would not allow the identification of an individual.

Additionally, in its Guide to Basic Data Anonymisation Techniques, the PDPC has also set out recommended best practices for pseudonymisation, and has recognised the distinction between irreversible pseudonymisation (i.e. where the original values are properly disposed and the pseudonymisation was done in a non-repeatable fashion) and reversible pseudonymisation (i.e. where the original values are securely kept but can be retrieved and linked back to the pseudonym).

5. LEGAL BASES

5.1. Consent

Under the Consent Obligation, an organisation is required to obtain individuals' consent to collect, use, or disclose their personal data unless such collection, use, or disclosure is required or authorised under the PDPA or any other written law. Some examples of when such collection, use, or disclosure is authorised under the PDPA is when such collection, use, or disclosure of personal data:

  • is done in response to an emergency that threatens the life, health, or safety of the individual;
  • is used to manage or terminate an employment relationship (provided that the employee is notified); or
  • is publicly available.

An organisation is further required to state the purposes for which it is collecting, using, or disclosing the data. Where the supply of a product or service is conditional upon consent given by an individual, such consent must not extend beyond what is reasonable to provide that product or service.

Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. For deemed consent to apply, the onus is on the organisation to ensure that individuals were aware of the purpose for which their personal data was collected, used, or disclosed. Two new forms of deemed consent will also be introduced under the Amendment Bill (which has been passed but has yet to come into effect) – deemed consent by contractual necessity (i.e. where disclosure of personal data from one organisation to another is necessary for the conclusion or performance of a contract or transaction between the individual and the organisation he/she had originally provided the personal data to), and deemed consent by notification (i.e. where an individual acquiesces after notification in compliance with certain requirements.).

Individuals can generally withdraw consent at any time by giving reasonable notice, unless it would frustrate the performance of a legal obligation. On receipt of notice, the organisation must inform the individual of the consequences of such a withdrawal. Withdrawal of consent applies prospectively and will only affect an organisation's continued or future use of the personal data concerned. Organisations are generally required to inform agents and data intermediaries to whom the personal data has already been disclosed of the withdrawal.

An organisation collecting personal data from a third-party source is required to notify the source of the purposes for which it will be collecting, using, and disclosing the personal data. Moreover, the organisation should exercise the appropriate due diligence to check and ensure that the third-party source can validly give consent for the collection, use, and disclosure of personal data on behalf of the individuals or that the source had obtained consent for the disclosure of the personal data.

5.2. Contract with the data subject

Where an organisation enters into a contract with an individual, the individual may be deemed to have given his consent for the collection, use, or disclosure of personal data (as the case may be). An individual gives deemed consent if the individual, without actually giving consent, voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that the individual would voluntarily provide the data.

5.3. Legal obligations

An organisation is able to collect, use, and disclose personal data where it is required or permitted under law. For example, under Paragraph 1(n) of the Fourth Schedule to the PDPA, disclosure of personal data is permitted where it is to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.

5.4. Interests of the data subject

An organisation is able to collect, use, and disclose personal data where it is in the interests of the individual in question. Under paragraphs 1(a) and 1(b) of the Second Schedule, 1(a) and 1(b) of the Third Schedule, and 1(a) and 1(b) of the Fourth Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where:

  • the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way; or
  • the disclosure is necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual.

5.5. Public interest

An organisation is able to collect, use, and disclose personal data where it is in the public interest. For example, under Paragraph 1(d) of the Second Schedule, 1(d) of the Third Schedule, and 1(e) of the Fourth Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where the collection, use, or disclosure is necessary in the national interest.

5.6. Legitimate interests of the data controller

At present, there is no basis for the collection, use, or disclosure of personal data without consent, on the basis of legitimate interests of the organisation. However, in the Amendment Bill, a 'legitimate interests' exception to consent was introduced. Subject to certain requirements, organisations will be able to collect, use, and disclose (as the case may be) personal data about an individual if it is in the legitimate interests of the organisation or another person, and the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.

The Amendment Bill has been passed in Parliament but has yet to come into effect as of the date of writing.

5.7. Legal bases in other instances

The Amendment Bill has introduced the concept of deemed consent by notification. If an organisation intends to rely on deemed notification by consent, the organisation must:

  • conduct an assessment to determine that the proposed collection, use, or disclosure of the personal data is not likely to have an adverse effect on the individual (including identifying any likely adverse effect on the individual, as well as identifying and implementing reasonable measures to eliminate, reduce the likelihood or mitigate the adverse effect); and
  • take reasonable steps to bring the following information to the attention of the individual:
    1. the organisation's intention to collect, use, or disclose the personal data;
    2. the purpose for which the personal data will be collected, used, or disclosed;
    3. a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use, or disclosure of the personal data.

If the individual does not notify the organisation before the expiry of the reasonable period mentioned in point 3 above that the individual does not consent to the proposed collection, use, or disclosure of the personal data by the organisation, the individual is then deemed to consent.

6. PRINCIPLES

The PDPA puts in place the following obligations on organisations in respect of their data activities:

  • Consent Obligation: An organisation must obtain an individual's consent before collecting, using, or disclosing his/her personal data for a purpose (Section 13 to 17 of the PDPA).
  • Purpose Limitation Obligation: An organisation may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
  • Notification Obligation: An organisation must notify the individual of the purpose(s) for which it intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes (Sections 18 and 20 of the PDPA).
  • Access and Correction Obligation: An organisation must, upon request, allow an individual to access and/or correct his/her personal data in its possession or under its control. In addition, the organisation is obliged to provide the individual with information about the ways in which personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
  • Accuracy Obligation: An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation (Section 23 of the PDPA).
  • Protection Obligation: An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks (Section 24 of the PDPA).
  • Retention Limitation Obligation: An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25 of the PDPA).
  • Transfer Limitation Obligation: An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA).
  • Accountability Obligation: An organisation must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a data protection officer ('DPO'), and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints. In addition, the organisation is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12 of the PDPA).

In addition, the Amendment Bill will introduce two further obligations:

  • Data Breach Notification Obligation: An organisation must assess data breaches that have occurred affecting personal data in their possession or under their control, and are required to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches).
  • Data Portability Obligation: Upon an organisation's receipt of a data porting request from an individual, the porting organisation must transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience, and consumer protection matters.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

There is no obligation imposed on an organisation to notify or register with the PDPC before collecting, using, or disclosing any personal data in Singapore.

7.2. Data transfers

Organisations are subject to the Transfer Limitation Obligation. An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.

To do so, the organisation must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. These 'legally enforceable obligations' include those imposed under law, contract or Binding Corporate Rules, or any other legally binding instrument. More specific rules may be found in Part III of the Regulations.

Any organisation transferring personal data out of Singapore must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. In addition to this requirement, a contract imposing legally enforceable obligations must specify the countries and territories to which the personal data may be transferred under the legally enforceable obligations.

In relation to transfers of personal data outside of Singapore to related organisations, the PDPC has accepted BCRs as a form of such 'legally enforceable obligations,' which:

  • require every recipient of the transferred personal data to provide to the personal data a standard of protection that is at least comparable to the protection under the PDPA;
  • specify the recipients of the transferred personal data to which the BCRs apply;
  • specify the countries and territories to which the personal data may be transferred under the BCRs; and
  • specify the rights and obligations provided by the BCRs.

A recipient of personal data is considered 'related' to the transferring organisation if:

  • the recipient, directly or indirectly, controls the transferring organisation;
  • the recipient is, directly or indirectly, controlled by the transferring organisation; or
  • the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

There are a few express situations whereby an organisation can be taken to have satisfied the requirement of taking appropriate steps to ensure that the recipient outside Singapore is bound by legally enforceable obligations to protect personal data in accordance with comparable standards. These include:

  • where the individual consents to the transfer of the personal data to the recipient in that country;
  • where the transfer of the personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual's request with a view to the individual entering into a contract with the transferring organisation;
  • where the transfer of personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;
  • where the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, subject to the organisation taking reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and
  • where the personal data is data in transit or publicly available in Singapore.

7.3. Data processing records

There is no obligation imposed on an organisation to maintain any data processing records. However, all organisations should ensure that they comply with the Data Protection Provisions of the PDPA in carrying out their data activities.

7.4. Data protection impact assessment

At present, there is no obligation imposed on an organisation to put in place a Data Protection Impact Assessment ('DPIA'). However, once the changes introduced in the Amendment Bill come into force, certain provisions will require assessments (which may be narrower in scope than a full DPIA) to be done by an organisation. For example, an organisation that intends to rely on deemed consent by notification will be required to conduct an assessment to determine that the proposed collection, use, or disclosure of personal data is not likely to have an adverse effect on the individual.

In addition, we highlight that whilst DPIAs are not mandatory under the PDPA, the PDPC has published a Guide to Data Protection Impact Assessments. In it, the PDPC states that the DPIA is a tool that allows organisations to 'be better positioned to assess if their handling of personal data complies with the PDPA or data protection best practices, and implement appropriate technical or organisational measures to safeguard against data protection risks to individuals'.

7.5. Data protection officer appointment

As part of the Accountability Obligation, it is mandatory for organisations to appoint a DPO, or a panel of individuals, to be responsible for ensuring that the organisation complies with the PDPA. The organisation has to make the business contact information of the DPO publicly available. The appointed DPO may delegate the responsibility conferred by this appointment to appropriate individuals although, as mentioned previously, the organisation remains responsible for complying with the PDPA. Organisations that have not appointed a DPO are in breach of the Accountability Obligation and may be subject to a financial penalty. The PDPC may also issue directions to that organisation to appoint a DPO.

Additionally, the PDPC has stated that recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organisation and ought to be part of enterprise risk management frameworks. This would allow the board of directors and C-level executives to be made cognisant of the risks of a data breach. (See Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15).

The organisation is also required to make available the business contact information of a person who is able to respond to questions relating to the collection, use, or disclosure of personal data on behalf of the organisation under the Notification Obligation. This person may also be the designated DPO. While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends, as good practice, that the business contact information of this person should be readily accessible from Singapore, operational during Singapore business hours and if telephone numbers are used, be Singapore telephone numbers.

In terms of the choice of DPO, the PDPC has stated that the DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to him or her. If not one of the C-level executives, the DPO should have at least a direct line of communication to them. This level of access and empowerment will provide the DPO with the necessary wherewithal to perform his/her role and accomplish his/her functions. (See Re M Stars Movers & Logistics Specialist Pte Ltd).

7.6. Data breach notification

As at the time of writing, the PDPA does not prescribe a general obligation to notify individuals in the event of a data breach. However, the PDPC has stated that it is in general good practice to notify the affected individuals of such data breaches as this will encourage them to take the necessary preventive measures to reduce the impact of the breach and regain their trust. Organisations are also advised to notify the PDPC as soon as possible of any data breaches that may potentially cause public concern, particularly if the breach involves sensitive personal data, or where there is a risk of harm to some affected individuals. Where criminal activity is suspected, organisations are advised to notify the police and preserve evidence for investigation.

In particular, the PDPC has reminded organisations of their general duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC. (See Re NTUC Income Insurance Co-operative [2018] SGPDPC 10).

We highlight, however, that the Amendment Bill introduces a new Data Breach Notification Obligation, which requires organisations to assess data breaches that have occurred affecting personal data in their possession or under their control, and to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches). A notifiable data breach is a data breach that:

  • results in, or is likely to result in, significant harm to any individual to whom any personal data affected by a data breach relates (affected individual); or
  • is, or is likely to be, of a significant scale (i.e. 500 or more individuals).

Organisations are subject to the Protection Obligation. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. In this regard, the PDPC has published the Guide to Securing Personal Data in Electronic Medium and Guide to Managing Data Breaches 2.0 to aid organisations in the management of electronic personal data and data breaches.

Sectoral obligations

In relation to financial institutions ('FIs'), the Guidelines on Outsourcing and Technology Risk Management Guidelines ('the Risk Management Guidelines'), both of which are issued by the Monetary Authority of Singapore ('MAS'), require FIs to notify the MAS of, amongst others, breaches of security and confidentiality of the FI's customer information in the following manner:

  • within an hour of the discovery of a 'Relevant Incident,' defined in the Risk Management Guidelines as 'a system malfunction or IT security incident, which has a severe and widespread impact on the financial institution's operations or materially impacts the financial institution's service to its customers;' and
  • 'as soon as possible of any adverse development arising from [their] outsourcing arrangements that could impact the institution' as well as any 'such adverse development encountered within the institution's group.'

7.7. Data retention

The Retention Limitation Obligation in the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for legal or business purposes.

The PDPA does not prescribe a specific retention period for personal data and the duration of time whereby an organisation can legitimately retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and retained. Accordingly, legal or specific industry-standard requirements in relation to the retention of personal data may apply.

Where there is no longer a need for an organisation to retain personal data, the organisation should cease to do so. An organisation will be deemed to have ceased to retain personal data when it no longer has access to the documents and the personal data they contain, or when the personal data is otherwise inaccessible or irretrievable to the organisation. In considering whether an organisation has ceased to retain personal data the PDPC will consider the following factors in relation to the personal data:

  • whether the organisation has any intention to use or access the personal data;
  • how much effort and resources the organisation would need to expend in order to use or access the personal data again;
  • whether any third parties have been given access to that personal data; and
  • whether the organisation has made a reasonable attempt to destroy, dispose of, or delete the personal data in a permanent and complete manner.

7.8. Children's data

No, there are no specific provisions regulating the processing of children's data. However, see the definition of 'sensitive data' under section 4.

7.9. Special categories of personal data

See the definition of 'sensitive data' under section 4.

7.10. Controller and processor contracts

The PDPA draws a distinction between an 'organisation' and a 'data intermediary' in relation to the processing of personal data. The relevant definitions as set out in Section 2(1) of the PDPA are as follows:

An 'organisation' is defined as any individual, company, association or body of persons, corporate or unincorporated, whether or not:

  • formed or recognised under the law of Singapore; or
  • resident, or having an office or a place of business, in Singapore.

A 'data intermediary' is defined as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.

'Processing' is defined as the carrying out of any operations or set of operations in relation to the personal data, and includes any of the following:

  • recording;
  • holding;
  • organisation, adaptation or alteration;
  • retrieval;
  • combination;
  • transmission; and
  • erasure or destruction.

If an organisation is not a data intermediary, it is subject to the full set of data protection obligations under the PDPA. In contrast, as elaborated on in section 2.1 above, other than the Protection Obligation, the Retention Limitation Obligation, and (after the Amendment Bill comes into effect) the duty to notify the organisation/public agency of a data breach, no other data protection obligations are imposed on a data intermediary, whereby it is processing personal data for or on behalf of an organisation pursuant to a contract in writing. Therefore, to avoid both parties having to answer to the data protection obligations to the full extent, the contract should state clearly the relationship and the rights and obligations of both parties.

Even if an organisation engages a data intermediary to process personal data on its behalf and for its purposes, Section 4(3) of the PDPA provides that it shall have the same obligations as if the personal data were processed by the organisation itself. Therefore, effectively the organisation will remain liable for the actions and omissions of the data intermediary for personal data that the data intermediary is processing on the organisation's behalf.

Moreover, data intermediaries are typically subject to contractual obligations which necessitate compliance with the other obligations of the PDPA. According to the Key Concept Guidelines, it is expected that organisations engaging data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in the processing contract.

The PDPC on 20 July 2016 issued a non-legally binding Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data and provided sample data protection clauses that an organisation purchasing services relating to the processing of personal data may include in the service agreements with the data intermediaries.

If the organisation fails to put in place data protection clauses in such service agreements, the organisation runs the risk of being held to have breached its Protection Obligation by failing to take necessary actions and precautionary measures to protect such personal data.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

Organisations are subject to the Notification Obligation. An organisation must notify the individual of the purpose(s) for which it intends to collect, use, or disclose his personal data on or before such collection, use, or disclosure. In addition, the organisation is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.

Organisations are subject to the Accountability Obligation. An organisation must develop and implement policies and practices that are necessary for it to meet its key obligations under the PDPA, and to make information about such policies and practices publicly available, such as via an online personal data protection and/or privacy policy.

In addition, once the changes in the Amendment Bill come into effect, organisations will be required to notify affected individuals of a data breach that results or is likely to result in significant harm to them, unless certain prescribed exceptions apply.

8.2. Right to access

Organisations are subject to the Access Obligation. An organisation must allow an individual to access his personal data in its possession or under its control upon request.

The organisation has a duty to respond to applicants' requests to access their personal data as accurately and completely as necessary and reasonably possible, subject to the exceptions in the Fifth Schedule of the PDPA. On receipt of individuals' requests, the organisation is obliged to provide the individuals, as soon as reasonably possible, with:

  • personal data about them that is in the possession or under the control of the organisation; and
  • information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the request.

An organisation should provide a copy of each applicant's personal data in documentary form or any other form requested by the individual as is acceptable by the organisation. If it is impracticable, the organisation may allow the individual a reasonable opportunity to examine the personal data.

Under the Access Obligation, organisations may charge applicants a reasonable fee to respond to access requests. In doing so, an organisation must provide the applicant with a written estimate of the fee. If the organisation wishes to charge a fee that is higher than the written estimate, it will need to notify the applicant in writing of the higher fee. An organisation does not have to respond to an applicant's access request unless the applicant agrees to pay the fee. In contrast, an organisation is not entitled to impose a fee for correction requests.

There are certain exceptions whereby organisations are allowed to withhold access to an individual's personal data. For example, when such access will reveal personal data about another individual or will be contrary to the national interest; if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interest; or if the request is otherwise frivolous or vexatious. In addition to the Fifth and Sixth Schedule to the PDPA, more specific rules concerning the Access and Correction Obligations may be found in Part II of the Regulations.

Additionally, once the changes in the Amendment Bill come into effect, an organisation which refuses to provide access to personal data requested by an individual under the Access Obligation must preserve a complete and accurate copy of the personal data concerned for not less than the prescribed period.

8.3. Right to rectification

Organisations are subject to the Correction Obligation. An organisation must allow an individual to correct his personal data in its possession or under its control upon request.

Individuals have the right to request an organisation to correct any inaccurate data that is in the organisation's control, subject to the exceptions in the Sixth Schedule of the PDPA. Unlike access requests, there is no prescribed duty to respond to a correction request, however, an organisation must be satisfied on reasonable grounds that a correction should not be made. If no correction is made, the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. Furthermore, organisations are required to send the corrected or updated personal data to specific organisations to which the data was disclosed within a year before the correction was made, unless those organisations do not need the corrected data for any legal or business purpose.

Upon receipt of an access or correction request, if the organisation cannot comply within 30 days, it must inform the individual in writing of the time by which it will respond to the request.

8.4. Right to erasure

Individuals have no right in Singapore to request for an organisation to destroy or delete the personal data in the organisation's possession or control.

8.5. Right to object/opt-out

Individuals have the right to give and withdraw consent at any time by giving reasonable notice, unless it would frustrate the performance of a legal obligation.

With regard to the withdrawal of consent, data subjects should be cognisant of the fact that the withdrawal of certain types of consent may affect the ability of the organisation to continue providing them with the requested services.

8.6. Right to data portability

At present, individuals do not have a right to data portability. However, once the changes introduced in the Amendment Bill come into force, an individual may make a data porting request to a porting organisation. Upon receiving the data porting request, the porting organisation must (unless an exception applies) transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience and consumer protection matters.

8.7. Right not to be subject to automated decision-making

Individuals presently have no right in Singapore to require themselves to be exempted from automated decision-making.

8.8. Other rights

Organisations are subject to the Accuracy Obligation. In particular, an organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation.

This would generally require organisations to make a reasonable effort to ensure that:

  • the personal data collected (whether directly from the individual concerned or through another organisation) is accurately recorded;
  • the personal data collected is complete;
  • appropriate steps have been taken to ensure the accuracy and correctness of the personal data; and
  • they have considered whether it is necessary to update the personal data.

9. PENALTIES

The PDPC is responsible for enforcing the PDPA. Where the PDPC is satisfied that an organisation has breached the Data Protection Provisions under the PDPA, the PDPC is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:

  • stop collecting, using, or disclosing personal data in contravention of the PDPA;
  • destroy personal data collected in contravention of the PDPA;
  • provide access to or correct personal data; or
  • pay a financial penalty of up to SGD 1 million (approx. €617,600).

We highlight that the Amendment Bill introduces a higher financial penalty of up to 10% of an organisation's annual turnover in Singapore, or SGD 1 million (approx. €617,600), whichever is higher.

In the course of its investigation, the PDPC may:

  • by notice in writing, require an organisation to produce any specified document or specified information;
  • by giving at least two working days' advance notice of intended entry, enter into an organisation's premises without a warrant; and
  • obtain a search warrant to enter an organisation's premises and take possession of, or remove, any document.

Non-compliance with certain provisions under the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached.

For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding SGD 5,000 (approx. €3,090) or to imprisonment for a term not exceeding 12 months, or both (Section 51(2) of the PDPA).

The Amendment Bill has also introduced further offences. Under one such offence, an individual commits an offence if he takes any action to re-identify or cause re-identification of a person to whom anonymised information in the possession or under the control of an organisation or a public agency relates, where the re-identification is not authorised by the organisation or public agency, and the individual either knows that the re-identification is not authorised or is reckless as to whether the re-identification is or is not authorised.  The penalty is a fine not exceeding SGD 5,000 (approx. €3,090) or to imprisonment for a term not exceeding two years, or both.

An organisation or person who obstructs or impedes the PDPC or an authorised officer, or knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC in the exercise of their powers or performance of their duties under the PDPA, commits an offence for which that person would be liable upon conviction to a fine of up to SGD 10,000 (approx. €6,180) and/or to imprisonment for a term of up to 12 months (in the case of an individual), or a fine of up to SGD 100,000 (approx. €61,770) (in any other case). Additionally, once the Amendment Bill comes into effect, any person who neglects or refuses to comply with an order to appear before the PDPC, or without reasonable excuse neglects or refuses to furnish any information or produce any document specified in a written notice to produce information, will be guilty of an offence punishable by a fine not exceeding SGD 5,000 (approx. €3,090) or to imprisonment for a term not exceeding 12 months, or both.

An aggrieved individual or organisation may make a written application to the PDPC to reconsider its direction or decision. Thereafter, any individual or organisation aggrieved by the PDPC's reconsideration decision may lodge an appeal to the Data Protection Appeal Panel. Alternatively, an aggrieved individual or organisation may appeal directly to the Data Protection Appeal Panel without first submitting a reconsideration request. A direction or decision of the Data Protection Appeal Panel (via the Data Protection Appeal Committee) may be appealed to the High Court on a point of law or where such decision relates to the amount of a financial penalty. The decision of the High Court may be further appealed to the Court of Appeal.

An individual who suffers loss or damage directly as a result of a contravention of the provisions of the PDPA may also commence a private civil action. However, such a right of private action is only exercisable after all avenues of appeal, in respect of the relevant infringement decision issued by the PDPC, have been exhausted.

9.1 Enforcement decisions

Please see section 1.3 above.