Singapore – Latest Developments In Data Protection.

3 July, 2014

The Personal Data Protection Regulations 2014 (“PDP Regulations”) and Personal Data Protection Act 2012 (Commencement) Notification 2014 (“PDPA Commencement Notification”) were gazetted on 19 May 2014. The PDPA Commencement Notification provides for Parts III to VII of, and the Second to Sixth Schedules to, the Personal Data Protection Act 2012 (“PDPA”) to come into operation on 2 July 2014. In other words, the provisions of the PDPA concerning the collection, use and disclosure of personal data will come into effect on 2 July 2014.


The PDP Regulations clarify and expand on the existing scope of obligations with regard to:

(i) The access and correction obligation; 


(ii) The transfer of personal data outside of Singapore; and 


(iii) The rules for individuals who may act for others under the PDPA. 


In addition, the Personal Data Protection Commission (“PDPC”) published revised chapters of the following guidelines on 16 May 2014 (“Revised Advisory Guidelines”):


(i) Data activities relating to minors;


(ii) Applicability to inbound data transfers;


(iii) The access and correction obligation; and


(iv) The transfer limitation obligation.


It is important to note that the PDP Regulations are legally binding, unlike the guidelines which have no legally binding effect. 


The Access And Correction Obligation 


The PDPA sets out that the access and correction obligation is firstly, the right of an individual to request for access to their personal data and for a correction to their personal data that is in the possession or under the control of an organisation; and secondly, a corresponding obligation of the organisation to provide access to and correction of the individual’s personal data. 


How To Make An Access And Correction Request 


The PDP Regulations set out the requirements as to how an individual may submit an access and correction request, namely: 


(i) Requests are to be made in writing;


(ii) Requests must include sufficient detail to enable the organisation, with a reasonable effort, to identify the applicant, the personal data and the use and disclosure information or correction requested by the applicant; and

(iii) Requests must be sent to the organisation’s data protection officer or in such other manner as is acceptable to the organisation. 


In addition, the Revised Advisory Guidelines indicate that organisations may provide standard forms or procedures for individuals to submit access and correction requests. Requests may also be left at or sent by pre-paid post to the registered office or principal office of a body corporate in Singapore. 


Responding To An Access And Correction Request 


Before responding to an access request, organisations should exercise due diligence and adopt appropriate measures to verify an individual’s identity. The PDP Regulations state that an organisation must provide an applicant access to the personal data by providing the applicant a copy of the personal data and use and disclosure information in documentary form. If it is impracticable to provide the personal data in documentary form (e.g. the data cannot be extracted from a special machine owned by the organisation), the organisation may provide the individual a reasonable opportunity to examine the personal data and use and disclosure information. 


The PDP Regulations set out that organisations should respond to an access and correction request within 30 days from the time the request is made. If an organisation is unable to respond within this 30-day timeframe, it must inform the individual in writing (within this 30-day timeframe) of the time by which it will be able to respond to the request, which should be the soonest possible time at which it can provide access or make the correction. The Revised Advisory Guidelines also recommend that it would be good practice for organisations to specify the reasons for not being able to respond within 30 days of receiving the request.


The Revised Advisory Guidelines recommend that, in responding to an individual’s request for the identity of the organisations to which the individual’s personal data has been disclosed, an organisation should individually identify each possible third party (e.g. pharmaceutical company ABC), instead of simply providing general categories of organisations to which personal data has been disclosed (e.g. pharmaceutical companies).


The Transfer Of Personal Data Outside Of Singapore 


The PDPA sets out that the transfer of any personal data to a country or territory outside Singapore must be in accordance with the requirements prescribed under the PDPA, to ensure that organisations provide a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.


The PDP Regulations state that in transferring personal data overseas, an organisation must ensure that it will comply with the PDPA while the personal data is within the organisation’s control or possession. The organisation is deemed to have complied with this requirement in respect of personal data in transit and personal data which is publicly available in Singapore.


The transferring organisation must also ensure the recipient of the personal data (who is located in a country or territory outside Singapore) is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA. 


Legally Enforceable Obligations 


Legally enforceable obligations include a contract, binding corporate rules (BCRs) and law.

With regards to contracts, the PDP Regulations state that the contract must require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA and specify the countries and territories to which the personal data may be transferred under the contract. 


With regards to binding corporate rules, the PDP Regulations state that binding corporate rules: 


(i) Must require every recipient of the transferred personal data that is related to the transferring organisation, and that is not already required by any law, contract or other legally binding instrument to do so, to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA;


(ii) Must specify the following:


(a) The recipients of the transferred personal data to which the binding corporate rules apply; 


(b) The countries and territories to which the personal data may be transferred under the binding corporate rules; and 


(c) The rights and obligations provided by the binding corporate rules; and 


(iii) May only be used for recipients that are related to the transferring organisation. 


Other Ways Of Complying With Legally Enforceable Obligations 


The PDP Regulations indicate that an organisation is taken to have satisfied the requirement to ensure the recipient is bound by legally enforceable obligations in the following scenarios: 


(i) The individual has given his consent to the transfer of his personal data; 


(ii) The transfer is necessary for the performance of a contract between the organisation and the individual; 


(iii) The transfer is necessary for the conclusion or performance of a contract between the organisation and a third party (which is entered into at the individual’s request);


(iv) The transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA; 


(v) The personal data is data in transit; or 


(vi) The personal data is publicly available in Singapore. 


In order to rely on the consent of the individual referred to in scenario (i) above, the PDP Regulations also state that in obtaining the individual’s consent to the transfer of his personal data, the organisation must ensure that the individual consents to the transfer of the personal data to that recipient in that country or territory. Further, the PDP Regulations indicate that the individual is not taken to have consented to the transfer of his personal data to a country or territory outside Singapore in the following situations:


(i) Before giving his consent, the individual was not given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the PDPA; 


(ii) The transferring organisation required the individual to consent to the transfer as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual; or 


(iii) The transferring organisation obtained or attempted to obtain the individual’s consent for the transfer by providing false or misleading information, or by using other deceptive or misleading practices. 


Applicability To Inbound Data Transfers 


The Revised Advisory Guidelines indicate that where personal data is collected overseas and is subsequently transferred into Singapore, the PDPA will apply in respect of the activities involving the personal data in Singapore. Furthermore, where personal data originating from outside Singapore is collected by an organisation in Singapore for use or disclosure for its own purposes in Singapore (i.e. the organisation collecting the personal data is not an intermediary of another organisation), the organisation is required to comply with the PDPA from the time it seeks to collect the personal data (if such collection occurs in Singapore) or from the time it brings the personal data into Singapore.


In addition, where personal data is collected outside Singapore, such collection may be subject to the data protection laws of the country or territory in which it was collected (if any). 


Data Activities Relating To Minors 


The PDPA does not specifically address the collection, use or disclosure of personal data with regards to minors. Under the Revised Advisory Guidelines, the Commission has adopted the view that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his own behalf. However, if an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual, such as the minor’s parent or guardian, who is legally able to provide consent on the minor’s behalf.


In this regard, the Revised Advisory Guidelines state that it may be prudent for organisations to consider putting in place relevant precautionary measures if they are (or expect to be) collecting, using or disclosing personal data about minors. For example, organisations that provide services targeted at minors could state terms and conditions in language that is readily understandable by minors and use pictures and other visual aids to make such terms and conditions easier for minors to understand.

ATMD Bird & Bird

For further information, please contact:

Sheena Jacob, Partner, ATMD Bird & Bird

sheena.jacob@twobirds.com
