
Singapore: Advisory Guidelines on Key Concepts


1. INTRODUCTION

1.1. Issuing body

The Personal Data Protection Commission ('PDPC') is Singapore's main authority in matters relating to personal data protection and represents the Singapore Government internationally on data protection related issues. Specifically, the PDPC is responsible for administering and enforcing the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA'). The PDPC implements policies related to personal data protection and develops Advisory Guidelines to help organisations understand and comply with the PDPA.

This Guidance Note offers an overview of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act ('the Key Concepts Guideline').

1.2. Foundations and purpose

The Advisory Guidelines aim to provide further guidance on the requirements laid out in the PDPA and help organisations understand and comply with the same. As mentioned above, the PDPC has been empowered to implement policies related to personal data protection to aid businesses in their compliance with the PDPA.

The PDPC issued the Key Concepts Guideline on 23 September 2013 and most recently revised it on 1 February 2021, which is the current version.

More specifically, the Key Concepts Guideline elaborates on and provides illustrations for the key obligations in the PDPA and interpretation of key terms in the same. To this end, the PDPC notes that the examples in the Advisory Guidelines serve to illustrate particular aspects of the PDPA and are not meant to exhaustively address every obligation in the PDPA that would apply in that scenario.

The Key Concepts Guideline

The Key Concepts Guideline provides clarification in the following structure:

  • Part I: Introduction and overview of the PDPA;
  • Part II: Important terms used in the PDPA;
  • Part III: The main content of the Key Concepts Guideline, namely the data protection provisions and their applicability to inbound data transfers. The various 'Obligations' are the following:
    • the Consent Obligation (Section 12);
    • the Purpose Limitation Obligation (Section 13);
    • the Notification Obligation (Section 14);
    • the Access and Correction Obligation (Section 15);
    • the Accuracy Obligation (Section 16);
    • the Protection Obligation (Section 17);
    • the Retention Limitation Obligation (Section 18);
    • the Transfer Limitation Obligation (Section 19);
    • the Data Breach Notification Obligation (Section 20); and
    • the Accountability Obligation (Section 21);
  • Part IV: Offences affecting personal data and anonymised information; and
  • Part V: Other rights, obligations and uses.

1.3. Compliance benefits

The Key Concepts Guideline is neither enforceable nor obligatory and does not require compliance, but it aims to help organisations comply with the PDPA and to assist organisations' and individuals' general understanding of the PDPA. As outlined above, the Key Concepts Guideline provides further clarification on key provisions in the PDPA and examines the law's applicability to particular issues. Although the Key Concepts Guideline is not legally binding, following it is beneficial for companies attempting to ensure compliance with the PDPA and its subsidiary legislation. In particular, Section 49 of the PDPA clarifies that advisory guidelines indicate the manner in which the PDPC will interpret the provisions of the PDPA.

Offences under the PDPA

Part IV of the Key Concepts Guideline provides a brief overview of offences under the PDPA.

1.4. Related legislation, frameworks, standards, and supplemental resources

The PDPC has released further advisory guidelines, including:

All advisory guidelines and guides are accessible via the PDPC's website.

Importantly, as the Key Concepts Guideline provides clarification to the PDPA, and is useful for compliance with the PDPA and its subsidiary legislation, such as:

In addition, Section 25 of the Key Concepts Guideline pertains to the applicability of the rights and obligations under the PDPA in relation to other applicable laws.

2. SCOPE OF APPLICATION

The Key Concepts Guideline is silent on its scope of application.

However, as the Key Concepts Guideline is intended to help individuals and organisations better understand the provisions of the PDPA, its scope of application is the same as that of the PDPA.

Personal scope

Section 4 of the PDPA stipulates that the PDPA applies to organisations in respect of their collection, use, and disclosure of personal data. However, the PDPA, among other things, excludes the following from the obligations outlined in Parts III, IV, V, VI, VIA and VIB of the PDPA:

  • any individual acting in a personal or domestic capacity;
  • any employee acting in the course of his employment with an organisation;
  • any public agency; or
  • any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.

Territorial scope

The PDPA applies to organisations in respect of their collection, use, and disclosure of personal data, whether or not they are formed or recognised under the law of Singapore, or are resident or have an office or a place of business in Singapore.

Further to this, Section 11.1 of the Key Concepts Guideline states that the Data Protection Provisions apply to organisations carrying out activities involving personal data in Singapore. Where personal data is collected overseas and subsequently transferred into Singapore, the Data Protection Provisions will apply in respect of the activities involving the personal data in Singapore.

Material scope

The PDPA applies to the collection, use, and disclosure of personal data, which means data, whether true or not, about an individual who can be identified (Section 2(1) of the PDPA):

  • from that data; or
  • from that data and other information to which the organisation has or is likely to have access.

In addition, the Selected Topics Advisory Guideline clarifies that anonymised data is not personal data and thus would not be governed by the PDPA.

3. KEY DEFINITIONS | BASIC CONCEPTS

The applicable definitions are provided in Section 2 of the PDPA. Further clarifications on the PDPA terms are provided in Part II of the Key Concepts Guideline. Definitions addressed in the Key Concepts Guideline include:

  • individual;
  • personal data;
  • organisation;
  • collection, use, and disclosure;
  • purpose; and
  • reasonableness.

4. DATA PROCESSING

The Consent Obligation

Obtaining consent from an individual

The Key Concepts Guideline clarifies that in situations where it may be impractical for organisations to obtain express consent in writing, they may choose to obtain verbal consent (Section 12.5 of the Key Concepts Guideline). As good practice, the Key Concepts Guideline states that organisations can consider adopting the following practices when consent is obtained verbally, so as to prove that verbal consent had been given in the event of a dispute (Section 12.5 of the Key Concepts Guideline):

  • confirm the consent in writing with the individual (which may be in electronic form or other form of documentary evidence); or
  • where appropriate in the circumstances, make a written note (which may be in electronic form or other form of documentary evidence) of the fact that an individual had provided verbal consent.

In relation to the use of Singapore telephone numbers, the Key Concepts Guideline highlights that organisations that wish to rely on an individual's consent to send specified messages to Singapore telephone numbers should ensure that the individual has given clear and unambiguous consent beforehand (Section 12.7 of the Key Concepts Guideline). To this end, the Key Concepts Guideline provides that consent for the sending of specified messages to Singapore telephone numbers should be evidenced in written or other accessible form, noting that verbal consent alone would be insufficient (Section 12.7 of the Key Concepts Guideline).

Obtaining consent from a person validly acting on behalf of an individual

The Key Concepts Guideline clarifies that in order to obtain consent from a person validly acting on behalf of an individual, the person would similarly have to be notified of the purposes for which the individual's personal data will be collected, used, and disclosed, and the person must have given consent for those purposes on behalf of the individual (Section 12.9 of the Key Concepts Guideline).

Collection by form

To ensure that consent is validly obtained, the Key Concepts Guideline states that when collecting personal data through a form, it is good practice for organisations to indicate which fields of personal data are compulsory and which are optional, and to state the purposes for which such personal data will be collected, used and/or disclosed (Section 12.14 of the Key Concepts Guideline).

Deemed consent

The Key Concepts Guideline clarifies that deemed consent can be useful where, among other things, an organisation wishes to use or disclose existing data for secondary purposes that are different from the primary purposes for which it originally collected the personal data, and it is unable to rely on any of the exceptions to consent (e.g. business improvement, research) for the intended secondary use (Section 12.23 of the Key Concepts Guideline). The Key Concepts Guideline, however, notes that this use is subject to the organisation assessing and determining that the following conditions are met, taking into consideration the types of personal data involved and the method of collection, use, or disclosure of the personal data, in the manner set out below (Section 12.23 of the Key Concepts Guideline):

  • the organisation must conduct an assessment to eliminate or mitigate adverse effects;
  • the organisation must take reasonable steps to ensure that the notification provided to individuals is adequate, considering:
    • the usual mode of communication; and
    • whether direct communication channels such as mail, email messages, telephone calls, or SMS are available; and
  • the organisation must provide a reasonable opt-out period, considering:
    • the nature and frequency of interaction with the individual; and
    • the communications and opt-out channels used.

Consent for sending direct marketing messages

The Key Concepts Guideline provides that organisations should generally obtain express consent for the purpose of sending direct marketing messages to individuals (Section 12.28 of the Key Concepts Guideline). Specifically, the Key Concepts Guideline states that consent should be obtained through the opt-in method (e.g., requiring action to check an unchecked box in order to give consent), highlighting that the PDPC does not consider the opt-out method (e.g., providing a pre-checked box and requiring action to opt out) appropriate for obtaining consent for the receipt of direct marketing messages (Section 12.28 of the Key Concepts Guideline).

To this end, the Key Concepts Guideline also notes that consent obtained using the opt-out method will not constitute clear and unambiguous consent under the Do Not Call Provisions for sending a specified message to a Singapore telephone number registered on the Do Not Call Registry (Section 12.28 of the Key Concepts Guideline).

Obtaining personal data from third party sources with the consent of the individual

The Key Concepts Guideline clarifies that organisations obtaining personal data from third party sources should exercise appropriate due diligence to check and ensure that the third party source can validly give consent for the collection, use and disclosure of personal data on behalf of the individual under Section 14(4) of the PDPA, or that the source had obtained consent for disclosure of the personal data (under Section 15 of the PDPA) (Section 12.33 of the Key Concepts Guideline).

In the event that the third party source could not validly give consent or had not obtained consent for disclosure to the collecting organisation, but concealed this from the collecting organisation, the Key Concepts Guideline provides that actions taken by the collecting organisation to verify such matters before collecting the personal data from the third party source would be considered by the PDPC as a possible mitigating factor should there be a breach of the PDPA relating to such collection or to the collecting organisation's use or subsequent disclosure of the personal data (Section 12.33 of the Key Concepts Guideline).

Further to this, the Key Concepts Guideline outlines the following measures appropriate for the collecting organisation (A) to adopt in exercising appropriate due diligence to verify that a third-party source (B) can validly give consent or has obtained consent from the individual concerned (Section 12.34 of the Key Concepts Guideline):

  • seek an undertaking from B, through a term of the contract between A and B, that the disclosure to A for A's purposes is within the scope of the consent given by the individual to B;
  • obtain confirmation in writing from B;
  • obtain, and document in an appropriate form, verbal confirmation from B; or
  • obtain a copy of the document(s) containing or evidencing the consent given by the individual concerned to B to disclose the personal data.

Exceptions to consent

Legitimate interest

The PDPA outlines legitimate interest as an exception to the Consent Obligation (Part 3 (2-10) of the First Schedule to the PDPA). When relying on this basis, the Key Concepts Guideline notes that organisations must assess that they satisfy the following requirements (Sections 12.57 and 12.58 of the Key Concepts Guideline):

  • identify and articulate the legitimate interests, including:
    • what the benefits are and who the beneficiaries are; and
    • whether the benefits are real and present;
  • conduct an assessment; and
  • disclose reliance on the legitimate interests exception.

When conducting the assessment, the Key Concepts Guideline clarifies that organisations are also required to identify and put in place reasonable measures to eliminate, reduce the likelihood of, or mitigate any adverse effect on the individual. In determining the likely adverse effect on the individual, the Key Concepts Guideline notes that organisations should consider the following:

  • the impact of the collection, use, or disclosure of the personal data on the individual;
  • the nature and type of personal data and whether the individuals belong to a vulnerable segment of the population;
  • the extent of the collection, use or disclosure of personal data and how the personal data will be processed and protected;
  • reasonableness of the purpose of collection, use or disclosure of personal data; and
  • whether the predictions or decisions that may arise from the collection, use or disclosure of the personal data are likely to cause physical harm, harassment, serious alarm or distress to the individual.

While the Key Concepts Guideline provides that organisations that rely on the legitimate interests exception must make it known to individuals that they are relying on this exception, they are not required to make their assessments of legitimate interests available to the public or to individuals as part of disclosing reliance on the exception (Section 12.60 of the Key Concepts Guideline).

Business improvement

The Key Concepts Guideline states that organisations may rely on the business improvement exception to use existing customers' personal data for data analytics and market research to derive insights and understand their existing customers prior to their marketing activities (Section 12.79 of the Key Concepts Guideline). It explains that the PDPC considers these to be preparatory activities for marketing purposes, and that they are to be distinguished from the sending of direct marketing messages to individuals (Section 12.79 of the Key Concepts Guideline).

Research purpose

The Key Concepts Guideline provides that all the conditions for use of personal data for a research purpose apply together, in addition to the requirement that it be impracticable for the organisation to obtain the individual's consent for the disclosure. The Key Concepts Guideline outlines the following as factors the PDPC considers relevant in assessing whether it is 'impracticable' to seek consent:

  • organisation does not have current contact information of the potential research subject or sufficient information to seek up-to-date contact information;
  • given the target population required for meaningful conclusions to be drawn from the research, the quantum of the research grant and the period allotted for the research, the costs of attempting to seek consent from each potential research subject would impose disproportionate resource demands and burden on the organisation or take up so much time that carrying out the research is no longer viable; and
  • exceptional circumstances where seeking the research subject's consent would affect the validity or defeat the purposes of the research, in particular, where seeking consent would skew the research or introduce bias into the research such that no meaningful conclusions can be drawn.

Further to this, the Key Concepts Guideline clarifies that the PDPC considers the degree of practicability, and that mere inconvenience would not amount to 'impracticability'. Consequently, the Key Concepts Guideline highlights that organisations relying on this exception have to demonstrate that the additional costs or time delays resulting from having to contact individuals for consent are so onerous that the research is no longer viable.

Direct marketing purposes

The Key Concepts Guideline clarifies that organisations should not rely on either the legitimate interests exception or the business improvement exception to send direct marketing messages (Sections 12.59 and 12.77 of the Key Concepts Guideline). In general, the Key Concepts Guideline states that organisations should obtain express consent to send direct marketing messages to individuals (Section 12.59 of the Key Concepts Guideline). In addition, where direct marketing messages are sent to Singapore telephone numbers via voice call, text or fax, the organisation must comply with the Do Not Call Provisions of the PDPA (Section 12.59 of the Key Concepts Guideline).

The Accuracy Obligation

The PDPA requires organisations to ensure that personal data is kept accurate and up to date (Section 23 of the PDPA). To ensure that personal data is accurate and complete, the Key Concepts Guideline recommends that organisations make a reasonable effort to ensure that (Section 16.3 of the Key Concepts Guideline):

  • they accurately record the personal data they collect (whether directly from the individual concerned or through another organisation);
  • the personal data they collect includes all relevant parts thereof (so that it is complete);
  • they have taken the appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness of the personal data; and
  • they have considered whether it is necessary to update the information.

Further to this, a 'reasonable effort' entails, among other things, an organisation taking into account factors such as (Section 16.4 of the Key Concepts Guideline):

  • the nature of the data and its significance to the individual concerned (e.g. whether the data relates to an important aspect of the individual such as his health);
  • the purpose for which the data is collected, used, or disclosed;
  • the reliability of the data (e.g. whether it was obtained from a reliable source or through reliable means);
  • the currency of the data (that is, whether the data is recent or was first collected some time ago); and
  • the impact on the individual concerned if the personal data is inaccurate or incomplete (e.g. based on how the data will be used by the organisation or another organisation to which the first organisation will disclose the data).

Nevertheless, an organisation may not be required to check the accuracy and completeness of an individual's personal data each and every time it makes a decision about the individual, and may not be required to review all the personal data currently in its possession to ensure that it is accurate and complete each and every time it is likely to make a decision about the individual (Section 16.5 of the Key Concepts Guideline). However, the Key Concepts Guideline notes that organisations should perform their own risk assessment and use reasonable effort to ensure the accuracy and completeness of personal data that is likely to be used to make a decision that will affect the individual (Section 16.5 of the Key Concepts Guideline).

Ensuring the accuracy of personal data

Obtained from the individual

The Key Concepts Guideline provides that, in most circumstances, organisations may presume that personal data provided directly by the individual concerned is accurate; however, where there is doubt, it recommends that organisations consider requiring the individual to make a verbal or written declaration that the personal data provided is accurate and complete (Section 16.6 of the Key Concepts Guideline). In addition, organisations should take steps to verify that the personal data provided by the individual is up to date, for example by requesting a more recent copy of the personal data before making a decision that will significantly impact the individual (Section 16.6 of the Key Concepts Guideline).

Obtained from a third party source

The Key Concepts Guideline suggests that organisations be more careful when collecting personal data about an individual from a third-party source, for example by (Section 16.7 of the Key Concepts Guideline):

  • taking differing approaches to ascertain the accuracy and completeness of the personal data collected, depending on the reliability of the source of the data; and
  • conducting further independent verification if they deem it prudent to do so.

Retention Limitation Obligation

Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.

The Key Concepts Guideline outlines factors to consider when determining a retention period, namely (Section 18.4 of the Key Concepts Guideline):

  • the purpose(s) for which the personal data was collected, including:
    • personal data may be retained so long as one or more of the purposes for which it was collected remains valid; and
    • personal data must not be kept by an organisation 'just in case' it may be needed for other purposes that have not been notified to the individual concerned; and
  • other legal or business purposes for which retention of the personal data by the organisation is necessary. For example, this may include situations where:
    • the personal data is required for an ongoing legal action involving the organisation;
    • retention of the personal data is necessary in order to comply with the organisation's obligations under other applicable laws, regulations, international/regional/bilateral standards which require the retention of personal data;
    • the personal data is required for an organisation to carry out its business operations, such as to generate annual reports, or performance forecasts;
    • the personal data is used for an organisation’s business improvement purposes such as improving, enhancing, or developing goods or services, or learning about and understanding the behaviour and preferences of its customers; or
    • retention of the personal data is necessary for research, archival, historical, artistic or literary purpose(s) that benefits the wider public or a segment of the public.

In addition, the Key Concepts Guideline recommends that organisations review the personal data they hold on a regular basis to determine if that personal data is still needed (Section 18.5 of the Key Concepts Guideline). Where an organisation holds a large quantity of different types of personal data, the Key Concepts Guideline notes that it may have to implement varying retention periods for each type of personal data as appropriate (Section 18.5 of the Key Concepts Guideline).

Further to the above, as good practice, the Key Concepts Guideline suggests that organisations prepare an appropriate personal data retention policy which sets out their approach to retention periods for personal data and the rationale for it (Section 18.8 of the Key Concepts Guideline). In particular, the Key Concepts Guideline notes that this is applicable where personal data is retained for a relatively long period of time (Section 18.8 of the Key Concepts Guideline).

Determining whether personal data is no longer retained

The Key Concepts Guideline outlines the factors which the PDPC will consider when determining whether an organisation has ceased to retain personal data, namely (Section 18.13 of the Key Concepts Guideline):

  • whether the organisation has any intention to use or access the personal data;
  • how much effort and resources the organisation would need to expend in order to use or access the personal data again;
  • whether any third parties have been given access to that personal data; and
  • whether the organisation has made a reasonable attempt to destroy, dispose of or delete the personal data in a permanent and complete manner.

Further to this, the Key Concepts Guideline clarifies that an organisation will be considered to have ceased to retain personal data when it no longer has the means to associate the personal data with particular individuals, i.e. the personal data has been anonymised (Section 18.14 of the Key Concepts Guideline).

5. MANAGEMENT SYSTEM

Data protection officers

The Key Concepts Guideline clarifies that the individual(s) designated by an organisation under Section 11(3) of the PDPA should be (Section 21.5 of the Key Concepts Guideline):

  • sufficiently skilled and knowledgeable; and
  • amply empowered to discharge their duties as a Data Protection Officer ('DPO'), although they need not be an employee of the organisation.

Further to this, the Key Concepts Guideline notes that organisations should ensure that individuals appointed as DPO are trained and certified (Section 21.5 of the Key Concepts Guideline). Ideally, the Key Concepts Guideline recommends that the individual be a member of the organisation's senior management team or have a direct reporting line to senior management, to ensure the effective development and implementation of the organisation's data protection policies and practices, as the commitment and involvement of senior management is key to ensuring that there is accountability and oversight over the management of personal data in the organisation (Section 21.5 of the Key Concepts Guideline).

Data protection policy and procedures

The Key Concepts Guideline highlights that, in developing a data protection policy, organisations should take into account the types and amount of personal data they collect and the purposes for such collection, and should ensure that the policy is easily accessible to its intended readers (Section 21.9 of the Key Concepts Guideline). Furthermore, the Key Concepts Guideline recommends that organisations put in place monitoring mechanisms and process controls to ensure the effective implementation of these policies and practices (Section 21.9 of the Key Concepts Guideline).

Data Protection Impact Assessment

Organisations may wish to consider demonstrating organisational accountability through measures such as conducting Data Protection Impact Assessments ('DPIA') in appropriate circumstances and implementing a Data Protection Management Programme ('DPMP'), to ensure that their handling of personal data is in compliance with the PDPA (Section 21.15 of the Key Concepts Guideline).

Specifically, the Key Concepts Guideline notes that although failing to undertake such measures is not in itself a breach of the PDPA, it could, in certain circumstances, result in the organisation failing to meet other obligations under the PDPA (Section 21.15 of the Key Concepts Guideline).

6. DATA SECURITY

The Protection Obligation

Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data. The Key Concepts Guideline outlines that organisations should (Section 17.3 of the Key Concepts Guideline):

  • design and organise their security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach;
  • identify reliable and well-trained personnel responsible for ensuring information security;
  • implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and
  • be prepared and able to respond to information security breaches promptly and effectively.

In addition, the Key Concepts Guideline states that it might be useful for organisations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate (Section 17.4 of the Key Concepts Guideline). In so doing, the Key Concepts Guideline recommends considering (Section 17.4 of the Key Concepts Guideline):

  • the size of the organisation and the amount and type of personal data it holds;
  • who within the organisation has access to the personal data; and
  • whether the personal data is or will be held or used by a third party on behalf of the organisation.

7. ACCOUNTABILITY AND RECORDKEEPING

Section 21 of the Key Concepts Guideline outlines the implementation of the Accountability Obligation.

Please see the references to accountability requirements in Section 5 above.

8. DATA SUBJECT RIGHTS

Withdrawal of consent

The Key Concepts Guideline notes that the PDPC considers it difficult to take a one-size-fits-all approach and prescribe a specific time frame for reasonable notice; however, as a general rule of thumb, the PDPC considers a period of at least ten business days from the day the organisation receives the withdrawal notice to be reasonable notice (Section 12.41 of the Key Concepts Guideline).

Where an organisation requires more time to give effect to a withdrawal notice, the Key Concepts Guideline states that it is good practice for the organisation to inform the individual of the time frame by which the withdrawal of consent will take effect (Section 12.41 of the Key Concepts Guideline).

Further to this, the Key Concepts Guideline advises organisations to put in place an appropriate consent withdrawal policy that is clear and easily accessible to the individuals concerned (Section 12.42 of the Key Concepts Guideline). This withdrawal policy should, for example (Section 12.42 of the Key Concepts Guideline):

  • advise the individuals on the form and manner to submit a notice to withdraw their consent for specific purposes;
  • indicate the person to whom, or the means by which, the notice to withdraw consent should be submitted; and
  • distinguish between purposes necessary and optional to the provision of the products/services (that may include the service of the existing business relationship). Individuals must be allowed to withdraw consent for optional purposes without concurrently withdrawing consent for the necessary purposes.

In addition to the above, the Key Concept Guideline emphasises that organisations should not have inflexible consent withdrawal policies that seek to restrict or prevent individuals from withdrawing consent in accordance with the PDPA (Section 12.43 of the Key Concept Guideline).

Withdrawal of consent to marketing

Where a withdrawal notice for marketing contains a general withdrawal message, i.e. it is not clear for which channel of receiving marketing messages consent is withdrawn, the Key Concept Guideline clarifies that the PDPC will consider a withdrawal of consent for marketing sent via a particular channel to apply to all marketing messages sent via that channel (Section 12.48 of the Key Concept Guideline).

Effective withdrawal of consent

In determining the effect of any notice to withdraw consent, the Key Concept Guideline states that the PDPC will consider all relevant facts of the situation (Section 12.46 of the Key Concept Guideline). These could include, but are not limited to (Section 12.46 of the Key Concept Guideline):

  • the actual content of the notice of withdrawal;
  • whether the intent to withdraw consent was clearly expressed; and
  • the channel through which the notice was sent.

In cases where an organisation provides a facility for individuals to withdraw consent (e.g., by clicking on an 'unsubscribe' link within an e-mail), the Key Concept Guideline notes that organisations should clearly indicate the scope of such withdrawal (Section 12.47 of the Key Concept Guideline). The Key Concept Guideline also encourages organisations to inform individuals of how they may withdraw consent for matters outside the scope of such withdrawal, highlighting that in facilitating any notice to withdraw consent, an organisation should act reasonably and in good faith (Section 12.47 of the Key Concept Guideline).

Responsibility of organisation in withdrawing consent

Once an organisation has received from an individual a notice to withdraw consent, the Key Concept Guideline recommends that the organisation inform the individual concerned of the likely consequences of withdrawing his consent, even if these consequences are set out somewhere else, e.g., in the service contract between the organisation and the individual (Section 12.50 of the Key Concept Guideline).

Further to this, the Key Concept Guideline notes that apart from its data intermediaries and agents, an organisation is not required to inform other organisations to which it has disclosed an individual's personal data of the individual's withdrawal of consent (Section 12.50 of the Key Concept Guideline).

Notification Obligation

The Key Concept Guideline considers, among other things, the manner and form in which the organisation should inform the individual of its purposes, and the information and details to be included when an organisation states its purposes (Section 14.6 of the Key Concept Guideline).

The manner and form in which an organisation should inform the individual of its purposes

The Key Concept Guideline outlines relevant factors to consider when an organisation is determining the appropriate manner and form of notification to an individual, including (Section 14.10 of the Key Concept Guideline):

  • the circumstances and manner in which it will be collecting the personal data;
  • the amount of personal data to be collected;
  • the frequency at which the personal data will be collected; and
  • the channel through which the notification is provided (e.g. face-to-face or through a telephone conversation).

Further to this, the Key Concept Guideline notes that it is good practice for organisations to state their purposes in written form (which may be electronic or another form of documentary evidence) so that the individual is clear about those purposes and both parties can refer to a clearly documented statement of the organisation's purposes in the event of any dispute (Section 14.11 of the Key Concept Guideline).

The Key Concept Guideline clarifies that notification can be given through a data protection policy. However, the Key Concept Guideline states that organisations which choose to notify individuals through a data protection policy should note the following (Section 14.13 of the Key Concept Guideline):

  • where the policy is not made available to an individual as a physical document, the organisation should provide the individual with an opportunity to view its data protection policy before collecting the individual's personal data; and
  • data protection policies are typically general in nature, so it may be necessary for the organisation to provide a more specific description of its purposes to a particular individual who will be providing his personal data in a particular situation (such as when subscribing for a particular service), to give the individual clarity on how his personal data would be collected, used or disclosed.

More specifically, in considering how specific to be when stating its purposes, organisations may have regard to the following (Section 14.16 of the Key Concept Guideline):

  • whether the purpose is stated clearly and concisely;
  • whether the purpose is required for the provision of products or services (as distinct from optional purposes);
  • if the personal data will be disclosed to other organisations, how the organisations should be made known to the individuals;
  • whether stating the purpose to a greater degree of specificity would be a help or hindrance to the individual understanding the purpose(s) for which his personal data would be collected, used, or disclosed; and
  • what degree of specificity would be appropriate in light of the organisation's business processes.

In considering how to notify individuals of its purposes, the Key Concept Guideline states that an organisation should consider (Section 14.18 of the Key Concept Guideline):

  • drafting notices that are easy to understand and appropriate to the intended audience, providing headings or clear indication of where the individuals should look to determine the purposes for which their personal data would be collected, used or disclosed and avoiding legalistic language or terminology that would confuse or mislead individuals reading it;
  • using a 'layered notice' where appropriate, by providing the most important (e.g. summary of purposes) or basic information (e.g. contact details of the organisation's DPO) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere (e.g. on the organisation's website);
  • considering if some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;
  • selecting the most appropriate channel(s) for providing the notification (e.g. in writing through a form, on a website, or orally in person); and
  • developing processes to regularly review the effectiveness of and relevance of the notification policies and practices.

The Access and Correction Obligations

The Key Concept Guideline clarifies that organisations are not required to provide access to the documents (or systems) which do not comprise or contain the personal data in question, so long as the organisation provides the individual with the personal data that the individual requested and is entitled to have access to under section 21 of the PDPA (Section 15.6 of the Key Concept Guideline). In the case of a document containing the personal data in question, the Key Concept Guideline recommends that organisations, where feasible, provide only the personal data (or relevant sections of the document containing the personal data) without providing access to the entire document in its original form (Section 15.6 of the Key Concept Guideline).

In addition, the Key Concept Guideline states that organisations do not need to provide access to information which is no longer within their possession or under their control when the access request is received (Section 15.7 of the Key Concept Guideline). The Key Concept Guideline further explains that an organisation should generally inform the requesting individual that it no longer possesses the personal data and is thus unable to meet the individual's access request, and that it is not required to provide information on the source of the personal data (Section 15.7 of the Key Concept Guideline).

Notably, the Key Concept Guideline highlights that the obligation to provide access applies equally to personal data captured in unstructured forms, such as personal data embedded in emails; nevertheless, organisations are not required to provide access if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interest or if the request is otherwise frivolous or vexatious (Section 15.9 of the Key Concept Guideline).

Verifying an access request

Before responding to an access request, organisations should exercise due diligence and adopt appropriate measures to verify an individual's identity (Section 15.12 of the Key Concept Guideline). To this end, the Key Concept Guideline states that organisations may implement policies setting out the standard operating procedures on conducting verification when processing access requests (Section 15.12 of the Key Concept Guideline). In situations where a third party is making an access request on behalf of an individual, the organisation receiving the access request should ensure that the third party has the legal authority to validly act on behalf of the individual (Section 15.13 of the Key Concept Guideline).

Information relating to the ways in which personal data has been used or disclosed

Where an individual requests information on the disclosure of their data by an organisation, the Key Concept Guideline recommends that in many cases the organisation may provide a standard list, as an alternative to identifying the specific set of third parties to whom the personal data has been disclosed, as part of its response to access requests that ask for information on how the personal data has been or may have been disclosed within the past year (Section 15.15 of the Key Concept Guideline).

More specifically, the Key Concept Guideline states that organisations should update the standard list regularly and ensure that the information is accurate before providing the list to the individual (Section 15.15 of the Key Concept Guideline). Generally, the Key Concept Guideline provides that in responding to a request for information on the third parties to which personal data has been disclosed, the organisation should identify each possible third party individually, instead of simply providing general categories of organisations to which personal data has been disclosed (Section 15.15 of the Key Concept Guideline).

Access that may reveal personal data about another individual

The PDPA prohibits an organisation from providing an individual with personal data or other information where doing so could reasonably be expected to reveal personal data about another individual (Section 21(3)(c) of the PDPA). The Key Concept Guideline outlines exceptions under which such access may nevertheless be provided, including where:

  • the other individual has given consent to the disclosure of his personal data; or
  • any of the exceptions relating to disclosure of personal data without consent listed under the First and Second Schedules to the PDPA apply to the extent that the organisation may disclose the personal data of the other individual without consent.

Charging of fees

The Key Concept Guideline notes that organisations should exercise proper judgement in deriving the reasonable fee they charge based on their incremental costs of providing access, highlighting that the PDPC may, upon the application of an individual, review a fee charged by an organisation under section 48H of the PDPA (among other matters) (Section 15.27 of the Key Concept Guideline). In reviewing a fee, the Key Concept Guideline states that the PDPC may consider the relevant circumstances, including the absolute amount of the fee, the incremental cost of providing access which may include the time and costs incurred to search for the personal data requested, and similar fees charged in the industry (Section 15.27 of the Key Concept Guideline).

Preservation of personal data after rejecting an access request

The Key Concept Guideline notes that an organisation should, where it has decided not to provide some or all of the personal data requested in an individual's access request, preserve a complete and accurate copy of the withheld personal data for a period of at least 30 calendar days after rejecting the access request, as the individual may seek a review of the organisation's decision (Section 15.42 of the Key Concept Guideline). As good practice, the Key Concept Guideline recommends that organisations keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected (Section 15.44 of the Key Concept Guideline).

Obligation to correct personal data

The PDPA states that an individual may submit a request for an organisation to correct an error or omission in the individual's personal data that is in the possession or under the control of the organisation (Section 22(1) of the PDPA). The Key Concept Guideline clarifies that where an organisation is satisfied on reasonable grounds that a correction should not be made, it is good practice, in addition to annotating the personal data in its possession or under its control to indicate the correction that was requested but not made, to also annotate the reasons and explain to the individual why it has decided that the correction should not be made (Section 15.50 of the Key Concept Guideline).

Form of the access request

The Key Concept Guideline provides that although organisations may provide standard forms or procedures for individuals to submit access and/or correction requests, organisations should accept all requests made in writing and sent to the business contact information of their data protection officer ('DPO') or, in the case of a body corporate, left at or sent by pre-paid post to the registered office or principal office of the body corporate in Singapore, where sufficient information has been provided for the organisation to meet the request (among other requirements) (Section 15.53 of the Key Concept Guideline).

9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION

The Transfer Limitation Obligation

Section 26 of the PDPA limits the ability of organisations to transfer personal data to another organisation outside Singapore in circumstances where the transferring organisation relinquishes possession or direct control over the personal data. The Personal Data Protection Regulations 2021 specify the conditions under which an organisation may transfer personal data overseas, one of which is that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such obligations may arise under:

  • any law;
  • any contract that imposes a standard of protection that is comparable to that under the PDPA, and which specifies the countries and territories to which the personal data may be transferred under the contract;
  • any binding corporate rules that require every recipient of the transferred personal data to provide a standard of protection for the transferred personal data that is comparable to that of the PDPA, and which specify:
    • the recipients of the transferred personal data to which the binding corporate rules apply;
    • the countries and territories to which the personal data may be transferred under the binding corporate rules; and
    • the rights and obligations provided by the binding corporate rules; or
  • any other legally binding instrument.

The Key Concept Guideline encourages organisations to rely on legally enforceable obligations or specified certifications, especially when they have an ongoing relationship with the recipient organisation, highlighting that legally enforceable obligations provide better accountability (Section 19.7 of the Key Concept Guideline).

Further to this, the Key Concept Guideline recommends, as good practice, that organisations rely on the below only if they are unable to rely on legally enforceable obligations or specified certifications (Section 19.7 of the Key Concept Guideline):

  • the individual whose personal data is to be transferred gives his consent to the transfer of his personal data, after he has been informed about how his personal data will be protected in the destination country;
  • the individual is deemed to have consented to the disclosure by the transferring organisation of the individual's personal data where the transfer is reasonably necessary for the conclusion or performance of a contract between the organisation and the individual, including a transfer to a third party organisation;
  • the transfer is necessary for a use or disclosure that is in the vital interests of individuals or in the national interest, and the transferring organisation has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
  • the personal data is data in transit; or
  • the personal data is publicly available in Singapore.

Scope of contractual clauses

The Key Concept Guideline highlights that in setting out contractual clauses that require the recipient to comply with a standard of protection in relation to the personal data transferred to him that is at least comparable to the protection under the PDPA, a transferring organisation should minimally set out protections with regard to the following areas (Section 19.9 of the Key Concept Guideline):

  • protection obligation;
  • retention limitation obligation; and
  • data breach notification obligation.

In addition, the Key Concept Guideline states that the PDPC recognises and encourages the use of the ASEAN Model Contract Clauses to fulfil the Transfer Limitation Obligation (Section 19.10 of the Key Concept Guideline).

10. VENDOR MANAGEMENT

The Key Concept Guideline includes various considerations where organisations engage with other organisations, vendors and third parties. For example, please see section 9 above in relation to vendor management associated with international data transfers.

11. INCIDENT AND BREACH

The Data Breach Notification Obligation

When determining whether to notify a breach, the Key Concept Guideline clarifies that where a data breach affects 500 or more individuals, the organisation is required to notify the PDPC, even if the data breach does not involve any of the personal data prescribed in the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (outlined in Section 20.15 of the Key Concept Guideline) (Section 20.20 of the Key Concept Guideline). Further to this, where an organisation is unable to determine the actual number of affected individuals in a data breach, the organisation should notify the PDPC when it has reason to believe that the number of affected individuals is at least 500, which may be based on the estimated number from a preliminary assessment of the data breach (Section 20.21 of the Key Concept Guideline).

Notification timeline

An organisation must notify the PDPC of a notifiable data breach as soon as practicable, and in any case no later than three calendar days after the day it assesses that the breach is notifiable. The Key Concept Guideline notes that prescribing a cap of three calendar days gives organisations clarity as to the definitive time by which they will have to notify the PDPC (Section 20.24 of the Key Concept Guideline). Where an organisation is required to notify affected individuals of a data breach, the Key Concept Guideline states that it should notify the affected individuals at the same time as, or after, it notifies the PDPC (Section 20.25 of the Key Concept Guideline).

The adoption of remedial measures

The Key Concept Guideline clarifies that where appropriate technological measures were applied to the personal data before the data breach which render the personal data inaccessible or unintelligible to an unauthorised party, the organisation need not notify the affected individuals of the data breach (Section 20.30 of the Key Concept Guideline).

In assessing whether the technological protection measures taken are sufficient for the technological protection exception to apply, the Key Concept Guideline recommends that organisations take into consideration whether the technological protection is of a commercially reasonable standard and the prevailing industry practices in the sector (Section 20.31 of the Key Concept Guideline). The Key Concept Guideline states that organisations can also consider the availability and affordability of the options in determining what are reasonable technological protection measures (Section 20.31 of the Key Concept Guideline).

Data breaches discovered by a data intermediary

The Key Concept Guideline confirms that where a data breach is discovered by a data intermediary that is processing personal data on behalf and for the purposes of another organisation or public agency, the data intermediary is required to notify the organisation or public agency without undue delay from the time it has credible grounds to believe that the data breach has occurred (Section 20.7 of the Key Concept Guideline).

As good practice, the Key Concept Guideline recommends that organisations establish clear procedures for complying with the Data Breach Notification Obligation when entering into service agreements or contractual arrangements with their data intermediaries. The Key Concept Guideline states that these agreements should take into consideration factors relating to the data processing, such as:

  • the volume and types of personal data involved;
  • the type and extent of data processing; and
  • the potential harm that may result from a data breach.

Data breaches involving more than one organisation

Where a data breach involves more than one organisation, the Key Concept Guideline clarifies that each organisation involved is individually responsible for complying with the Data Breach Notification Obligation in respect of that data breach (Section 20.10 of the Key Concept Guideline). However, the Key Concept Guideline notes that, as a matter of administrative convenience, organisations may use the same information where relevant when individually submitting their notifications (Section 20.12 of the Key Concept Guideline).

12. PRIVACY BY DESIGN

The Key Concept Guideline highlights that organisations may wish to consider demonstrating organisational accountability through measures such as adopting a Data Protection by Design ('DPbD') approach to ensure that their handling of personal data complies with the PDPA (Section 21.15 of the Key Concept Guideline). More specifically, the Key Concept Guideline notes that although failing to undertake such measures is not itself a breach of the PDPA, it could, in certain circumstances, result in the organisation failing to meet other obligations under the PDPA (Section 21.15 of the Key Concept Guideline).

13. ADDITIONAL REQUIREMENTS

In addition, the Key Concept Guideline provides numerous practical examples as case studies for the implementation of its recommendations, as well as additional information regarding the PDPA.


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.