The technological revolution of the 21st century has acted as a catalyst for data circulation. The ability to collect and transfer large volumes of data, including personal information, with an unprecedented velocity has changed the way companies operate and compete. As a result, personal data protection issues have been at the forefront of legal systems around the world.
In ensuring a baseline protection for this asset, Singapore has enacted the Personal Data Protection Act 2012 (the “PDPA” or the “Act”). With the introduction of PDPA Singapore posits itself among the most trusted business hubs in the world.
This article summarises the basic obligations of organizations regarding personal data collection, retention and dissemination.
What is Personal Data?
The Singapore PDPA defines “personal data” as data about an individual who can be identified either from that data or from that data and any other information that can be accessed by an organisation.
With the enforcement of the Personal Data Protection Act Singapore Government seeks to strike a balance between data use and the protection of personal privacy, by imposing a series of obligations on organisations about the collection, use and disclosure of personal data.
Besides ensuring compliance with the main obligations outlined in the Act, organizations are also required to make the information about their data protection policies and practices available to the public.
Here are the main obligations set out in the Act.
1. The Consent Obligation
Before collecting, using or disclosing any personal data, companies must make sure to acquire an individual’s consent. It can either be in the form of express consent such as consent in writing, or deemed consent, when an individual voluntarily provides personal data to an organisation for a certain purpose or when it is reasonable to assume that the individual would voluntarily provide the data.
However, when the information is publicly available, organisations will not need to obtain consent as this falls within the exceptions under the Act.
2. The Notification Obligation
Under this obligation companies are required to inform their customers about the purpose why the personal data is collected, used or disclosed.
Accordingly, organizations are not allowed to use the personal data for a different purpose other than that for which it was initially acquired, unless a fresh consent is provided by the customer.
However, if an organisation updates its data policy expanding the potential use of the personal data, the organisation arguably does not have to obtain fresh consent under the PDPA Singapore currently has in place. It will be sufficient for the organisation to notify the individuals of the changes and provide them with the option to withdraw their consent. However, organisations should obtain independent advice on their obligations where they are not certain of the reach of the updates to their data policy.
3. The Protection Obligation
Companies are required to take security measures to protect any personal data in their possession or under their control. This is to prevent unauthorised access, collection, use and disclosure, including but not limited to copying, modification and disposal.
Part 17.3 of the Advisory Guidelines on Key Concepts in Personal Data Protection Act (revised on 27 July 2017) provides some guidelines as to what is expected from an organisation under this obligation:
The organisation has to:
- take appropriate protection measures based on the nature of personal data held by the organization and prevent the potential harm that might be caused by a security breach;
- engage reliable and professional personnel responsible for providing information security
- have robust policies for providing high security of personal data of different levels of sensitivity; and
- be prepared to take timely action in case of potential security breaches.
Of the various obligations under the Act, companies are most often found in breach of data security breach obligation.
In 2016, the Singapore Personal Data Protection Commission (PDPC) had to commence an investigation and impose a penalty of S$50,000 on K Box Entertainment Group, a karaoke chain which failed to protect the personal data of its 317,000 customers. The company’s database had previously been hacked and the personal data of its members was made public. The tribunal found that among other shortcomings, the company did not have an adequate password policy, had weak control over unused accounts and failed to conduct audits to supervise the security of its database and system.
This case serves as a reminder to organisations to put in place adequate IT security arrangements to ensure the security of personal data. Organizations can refer to the PDPC’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) for good practices that they should undertake to protect electronic personal data.
4. The Retention Limitation Obligation
The Retention Limitation Obligation stops companies from retaining personal data in perpetuity where it does not have legal or business reasons to do so. This is because the prolonged holding of personal data increases the risk of an organisation breaching other obligations set out in the Act.
Whilst there is no fixed retention period prescribed by the Act, retention is limited in two ways. First, a company must not retain personal data when the data does not serve the initial purpose it was collected for.
Second, a company must not retain personal data when the retention is no longer necessary for legal or other business purposes. In a recent case, the PDPC found that Orchard Turn Development Pte had not been prudent in keeping a duplicate or additional set of personal data on its server for a period longer than necessary after it had served its purpose. The tribunal observed that this made the personal data susceptible to online attacks and external threats and was therefore more likely to be compromised. This was a factor that led the Court to find that the company was in breach of the Protection Obligation.
5. The Transfer Limitation Obligation
The PDPA also prohibits the transfer of any personal data to a country or territory outside of Singapore unless the standard of protection in that country or territory is similar to the protection under the Act. However, transfer will be allowed if the recipient is bound by a legally enforceable obligation to provide a standard of protection that is comparable to that under the Act
This can be done by two ways. The first way is a contractual agreement between the organisation in Singapore and the overseas organisation. The second way is for the organisation to adopt the “binding corporate rules” that apply across the board.
Organisations that have head offices or related offices overseas or organisations that outsource their business activities overseas should be especially mindful of this obligation.
6. Other Obligations
Apart from the obligations set out above, there are several other obligations which organisations are expected to comply with. This article does not delve into the details of these obligations. However, the obligations may be briefly summarised as follows:
a.The Access and Correction Obligation
Every individual has a right to access and correct their personal data. Organisations are therefore, expected to provide access for their customers to their personal data.
b. The Accuracy Obligation
Organisations seeking to collect, use and disclose personal data from customers are required to make a reasonable effort to ensure that the personal data collected is accurate and complete.
7. Enforcement & Consequences
The PDPC has the power to investigate individuals and companies to determine if they have met the obligations. The PDPC can also enforce personal data protection obligations by preventing further collection, use or disclosure of personal data, ordering for the destruction of any personal data that has been collected in contravention of the PDPA or imposing a financial penalty of an amount not exceeding S$1 million.
As such, it is essential for any organisation conducting its businesses in Singapore to implement robust data protection policies and business practices so as to avoid any breach of the Singapore Personal Data Protection Act.