By Adrian Ee & Ellen Zhu
Under the new PDPA, organisations, which include individuals, companies and associations, are required to comply with data protection obligations.
The PDPA protects the personal data of both living and deceased individuals. Personal data as defined under the PDPA means any data about an individual who can be identified from that data, whether alone or together with other information to which an organisation has or is likely to have access.
The PDPA imposes legal obligations on organisations which may be enforced by individuals. For example, an individual may lodge a complaint with the Personal Data Protection Commission or bring a civil action in Court if he suffers any loss as a result of an organisation's failure to comply with the PDPA. Fines may also be imposed on organisations under the PDPA.
Organisations may not contract out of their obligations under the PDPA.
Main Data Protection Obligations of Organisations
The main data protection obligations of organisations under the PDPA are as follows:
- Organisations have to obtain consent from individuals in order to collect, use or disclose their personal data:
  - Consent must be separately obtained for the collection, use and disclosure of personal data. For example, if an organisation has obtained an individual's consent to collect his personal data, the organisation may not use that data if it fails to also obtain consent to use that data.
  - Consent has to be obtained before the collection, use or disclosure of personal data.
  - Consent must pertain to specific purposes. For example, if an organisation has obtained consent to use an individual's personal data for administrative purposes only, it may not also use that data for marketing purposes.
  - Organisations may not, as a condition of providing goods or services, require consumers to consent to the collection, use or disclosure of their personal data beyond what is reasonable to provide the goods or services. For example, it would be unreasonable for an ice-cream vendor to require all his customers to write down their NRIC numbers before he sells ice-cream to them. Such a practice would be in contravention of the PDPA.
  - Organisations must not mislead any individual or use deceptive means when obtaining consent to collect, use or disclose personal data.
  - Consent can be withdrawn by an individual at any time. Organisations should ensure that individuals are able to communicate their withdrawal of consent to the organisations without undue difficulty.
  - If any of the prescribed exceptions under the PDPA applies, organisations would not be required to obtain consent from individuals before collecting, using or disclosing their personal data.
- Upon request, organisations must allow individuals to have access to and to amend their personal data in the organisations' possession unless there are reasonable grounds for refusing to do so.
- Organisations can no longer hold on to personal data indefinitely and are required to cease retention when it is no longer necessary for any legal or business purpose.
In order to comply with the above data protection obligations, organisations must:
- Put in place policies and practices that are necessary to comply with the PDPA;
- Put in place a process to receive and respond to complaints in relation to the PDPA;
- Familiarise their staff with the policies and practices;
- Make available upon request to individuals information about the policies and practices as well as the complaint process;
- Update “privacy notices”, whether in hard copies or on websites, giving information such as how the personal data will be used and how individuals may have access to their personal data;
- Make reasonable security arrangements to protect the personal data in the organisations' possession in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other risks; and
- Appoint a Data Protection Officer to ensure that the organisation complies with the above obligations under the PDPA. The Data Protection Officer's responsibilities include developing policies for the handling of personal data, communicating policies to customers, members and employees, handling queries and complaints from customers, alerting the organisation to any risk that might arise with personal data and liaising with the Personal Data Protection Commission.
The data protection provisions of the PDPA came into effect on 2 July 2014.
Compliance with the Do-Not-Call (“DNC”) Provisions of the PDPA
The main purpose of the DNC provisions is to stop unsolicited telemarketing activities targeted at users of Singapore telephone numbers. The DNC provisions apply to voice calls, text messages (including messages sent via WhatsApp etc.) and fax messages sent or received in Singapore. Telemarketing messages caught by the DNC provisions include messages that offer to supply, advertise or promote goods or services. Organisations are required to comply with the DNC provisions even if they authorise a third party to send such messages on their behalf.
The DNC regime operates by registration. In a nutshell, if a Singapore telephone number is registered on the DNC Registry, an organisation cannot send telemarketing messages to that telephone number unless the user has given clear and unambiguous consent for the organisation to do so or any of the prescribed exceptions under the PDPA applies.
Organisations are required to conduct checks against the DNC Registry before sending telemarketing messages to Singapore telephone numbers. For checks conducted between 2 January 2014 and 31 May 2014, the results will be valid for 60 days from the receipt of the results. For checks conducted between 1 June 2014 and 1 July 2014, the results will be valid up to 31 July 2014. From 2 July 2014 onwards, the results will be valid for 30 days from the receipt of the results.
An important exemption allows organisations to send telemarketing messages by text or fax to individuals with whom the organisations have an ongoing relationship without checking the DNC Registry. The exemption requires organisations to state in the messages how individuals may unsubscribe using the same delivery channel. After an individual has unsubscribed, organisations must cease sending such messages within a period of time. This exemption does not apply to voice calls.
The DNC provisions came into effect on 2 January 2014.
Further information and guidelines on the PDPA may be obtained from www.pdpc.gov.sg.