The Personal Data Protection Act

Introduction

1.  The Personal Data Protection Act (“the Act”) was passed by Parliament on 15 October 2012. The Act regulates the collection, use and disclosure of personal data by organisations (including companies). It applies to all companies regardless of their size, and regardless of the amount of personal data a company handles. The Act is coming into force in several phases. The provisions establishing the Personal Data Protection Commission (“the Commission”) came into force on 2 January 2013. The provisions relating to the Do Not Call Registry (“DNC Registry”) came into force on 2 January this year (2014). The provisions relating to the main data protection obligations will come into force in the middle of this year.

2.  If an organisation has not complied with any of the main data protection obligations under the Act once they come into force, the Commission can direct the organisation to pay a financial penalty of up to $1 million. After the main data protection obligations come into force, the Commission will also have the power to investigate any organisation of its own accord (that is, without any complaint having been lodged with the Commission by an individual) to determine whether the organisation is complying with the Act. If an offence under the Act committed by a company is proved to have been committed with the consent or connivance of an officer, or to be attributable to any neglect on his part, the officer as well as the company shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly. The Act defines ‘officer’, in relation to a company, to mean (among other officers) any director or chief executive of the company. The Act further provides that any person guilty of an offence under the Act for which no penalty is expressly provided shall be liable to a fine of up to $10,000, to imprisonment for a term of up to 3 years, or to both.

Main data protection obligations of the Act

3.  ‘Individual’ is defined in the Act as a natural person, whether living or deceased. This definition is wide enough to include the employees as well as the customers of an organisation. At present, organisations can generally collect, use and disclose personal data about individuals at will. From the middle of this year, however, the 9 main data protection obligations of the Act will come into force. They are the Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation and Openness Obligation.

Steps for implementation and compliance of main data protection provisions

4.  The Act requires every organisation to develop and implement the policies and practices on personal data protection that are necessary for it to meet its obligations under the Act, and to communicate these policies and practices to its staff. Every organisation must also develop a process to receive and respond to complaints that may arise with respect to the application of the Act. Information about these policies, practices and the complaints process must be made available on request.

5.  Under the Act, every organisation must designate at least one person to be responsible for ensuring that the organisation complies with the Act. This person is commonly referred to as the data protection officer (“DPO”). It would therefore be prudent for organisations, as a first step, to appoint a DPO. The DPO may be from within the organisation or from outside it, and an organisation may designate more than one person as its DPO if it so wishes.

6.  The DPO must work closely with all the departments within the organisation to develop and implement the policies and practices on personal data protection, and must also educate employees on those policies and practices. Hence, it is desirable to appoint a DPO who is knowledgeable about and/or trained in the provisions of the Act.

7.  Data protection ought to be the responsibility of the entire organisation, not just the DPO. If it were left solely to the DPO, compliance with the main data protection rules of the Act would be difficult.

8.  When the main data protection rules come into force in the middle of this year, the DPO may have to liaise with the authorities (including the Commission) and with individuals. He/she must be trained to handle complaints from employees, customers or the public, as well as any request from them for access to or correction of their personal data. The DPO’s business contact details must be made publicly available.

Company Contracts and Policies headed for important changes

9.  Organisations will have to draft a new set of policies to comply with the Act. These include a general data protection policy as well as a policy or document on obtaining consent from individuals to collect, use or disclose their personal data. The Advisory Guidelines issued by the Commission state that “As a good practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference” (emphasis added). Another policy that may need to be drafted is a withdrawal of consent policy, for individuals who wish to withdraw their consent to the use of their personal data.

10.  Further, the Act requires an organisation that transfers personal data out of Singapore to ensure that the transferred data receives a standard of protection comparable to that under the Act. An organisation must not transfer personal data to a country outside Singapore except in accordance with the Act. This applies equally to transfers within a corporate group: for example, an organisation with a parent company, branches or subsidiaries outside Singapore must not transfer personal data to them except in accordance with the Act.

Conclusion

11.  The Commission has already started investigating complaints of non-compliance with the provisions of the Act relating to the DNC Registry. As stated earlier, the DNC Registry provisions came into force on 2 January this year. On the first day of the DNC Registry’s operations (2 January 2014), the Commission was already investigating complaints from the public of non-compliance with the Act (The Straits Times article published on 3 January 2014 titled “Do-Not-Call kicks in with 400,000 numbers”). It was also reported in this article that “Early indications are that companies are also taking the new rules now in force seriously”. A Commission spokesman is quoted as saying “Operationally, things are running as expected. The fact that companies were coming in five minutes after the start of the DNC Registry means that companies are serious about (it), and taking steps to comply”.

12.  Further, on 20 January 2014, the Senior Minister of State for Communications and Information (Mr. Lawrence Wong) informed Parliament that there “are several cases of non-compliance that the Commission is currently investigating”. He also informed Parliament that the Commission “will do the investigation for each and every case and follow up with prosecution, if necessary”.

13.  When the main data protection rules come into force in the middle of this year, the Commission will be obliged under the Act to investigate non-compliance with those rules. For some of the consequences of non-compliance with the main data protection rules of the Act, please refer to paragraph 2 above.

By Dravida Maran, Lawyer

All information contained herein is intended only for your general information. It is not intended and/or should not be regarded under any circumstances as legal advice.