Singapore – PDPC Issues Additional Guidance Documents.

23 September, 2014

 

 

Background


On 11 September 2014, the Personal Data Protection Commission (“PDPC”) issued the finalised Advisory Guidelines for the Education Sector (“Education Guidelines”), the Social Service Sector (“Social Service Guidelines”) and the Healthcare Sector (“Healthcare Guidelines”). The PDPC also issued a revised version of the Advisory Guidelines on the Personal Data Protection Act (“PDPA”) for Selected Topics (“Selected Topics Guidelines”) which includes a new chapter on photography. These new guidelines take into account feedback received by the PDPC during the public consultation earlier this year.
The PDPC has also issued an educational handbook entitled “A Guide to Notification” which illustrates some of the good practices that organisations can adopt when providing notification on their policies and practices relating to personal data.
The issuance of these additional documents provides timely guidance to both the industry and the public with regard to the PDPC’s view on how the data protection provisions (“DP Provisions”) and the Do Not Call provisions (“DNC Provisions”) under the PDPA can be implemented in practice.

These guidelines and the PDPC’s Guide to Notification are discussed in greater detail below.

 

Part I: Education Guidelines


The Education Guidelines were developed in consultation with the Ministry of Education (“MOE”) and Council for Private Education (“CPE”) to address the unique circumstances faced by the education sector in complying with the PDPA.
The PDPC clarified that the DP Provisions shall not impose any obligation on public agencies, eg the Government and specified statutory bodies like the CPE. As such, the Education Guidelines will only be relevant to education institutions (“EIs”) that do not fall within the definition of a public agency, such as government-aided schools, specialised schools, independent schools, autonomous universities, and foreign system schools, etc.


Definition Of “Educational Purposes”


Although the term “educational purposes” is not defined in the PDPA, the PDPC understands that EIs may collect, use or disclose a student’s personal data for various purposes such as to provide the student with education services, to evaluate the student’s suitability for a course, or to administer bursaries, scholarships and relevant financial assistance schemes to eligible students. In the closing note to the Education Guidelines, the PDPC advised that if it is not clear whether “educational purposes” would cover the activities that EIs have in mind, the EI should consider elaborating or expanding on the notified purposes for clarity, based on factors such as the specific facts of the case, in addition to its business and operational needs.


Personal Data Of Minors


Regarding the collection, use and disclosure of personal data of minors, paragraph 2.7 of the Education Guidelines recommends that EIs obtain consent from the parent or legal guardian of the student, as a pre-school or kindergarten student would not have legal capacity to provide his/her consent for the collection, use and disclosure of his/her personal data.

 

Personal Data Of Alumni


EIs should obtain fresh consent from their alumni to use and disclose their personal data if it is for purposes that are different from that for which the personal data was collected, eg if EIs intend to publish the names and photographs of their top students and renowned alumni in marketing collateral. Similarly, fresh consent should be obtained if a third party organisation makes a request to EIs for the salary details of recently graduated alumni, eg to produce a yearly report on the starting salaries of fresh graduates in each industry sector. In addition, the PDPC suggests that EIs may consider anonymising the data, eg by removing personal identifiers, and aggregating data points, so that unique individuals cannot be identified from the data.


Security Checks


The Education Guidelines clarify that an individual is deemed to have given consent to an EI’s collection of his/her personal data for security purposes if the individual provides his/her personal data voluntarily for the purpose. It is good practice for EIs to place a prominent sign at the reception desk indicating that visitors’ details will be collected for security purposes. EIs should also assess whether it is reasonable to collect the personal data of visitors to their premises, and avoid over-collecting personal data, especially NRIC numbers.


Disclosure To Public Agencies


EIs may compile and submit personal data of their students (including their names, ages, addresses, and examination grades for each subject) to a public agency, to allow it to use the data to understand the performance trends of the categories of students for its annual policy review. In this regard, EIs are not required to obtain the consent of the individual students to disclose their personal data to a public agency like MOE, as there is an exception in the Fourth Schedule of the PDPA for disclosure of personal data of current or former students of an education institution to a public agency for the purposes of policy formulation or review.


Evaluative Purposes Exception


Paragraph 2.20 of the Education Guidelines clarifies that EIs may collect and use a student’s personal data without his/her consent for the purposes of evaluating the student’s suitability for admission. The EI may request for a copy of the student’s performance records from his/her previous EI, and that EI need not obtain consent to disclose the student’s personal data under the exception in the Third Schedule of the PDPA for evaluative purposes.


Access And Correction Requests


With regard to the access obligation under section 21 of the PDPA, EIs are required to provide students access to their personal data in accordance with the PDPA upon request and as soon as reasonably possible, in addition to information about the ways in which that personal data has been used or disclosed within a year before the date of the request.
However, an exception in the Fifth Schedule of the PDPA states that where the data is opinion data kept solely for an evaluative purpose, or the information is in respect of any examination conducted by an EI, examination scripts, and examination results (prior to the release of the results), EIs are not obliged to grant the individual’s access request.
With regard to the correction obligation under section 22 of the PDPA, EIs should make the correction as soon as practicable and send the corrected data to the relevant organisations to which the personal data was disclosed within the year before the date of the correction request, unless the EI is satisfied on reasonable grounds that the correction should not be made. One exception is where the data is opinion data kept solely for evaluative purposes. In that case, the EI is not required to omit or make corrections to a teacher’s remarks to the extent that the remarks are regarded as an opinion.

 

Transfer Limitation Obligation


The Education Guidelines suggest two ways in which the transfer limitation obligation may be satisfied:

 

(a) an EI reviews the obligations under the data protection law that an overseas EI is subject to, and determines that the overseas EI would be bound by legally enforceable obligations to provide a standard of protection to its students’ personal data that is comparable to the PDPA; or
(b) an EI provides a student with a written summary of the extent to which his/her personal data will be protected to a standard comparable to that under the PDPA in the overseas country, and obtains consent from the student for the cross-border transfer of personal data.


Data Intermediaries


Paragraph 5.5 of the Education Guidelines provides that vendors which process personal data on behalf of the EIs, eg providing transport services for the EI for the students pursuant to a written contract, will be considered data intermediaries, and subject only to the protection obligation and the retention limitation obligation, whereas the EI will continue to be subject to all the DP Provisions under the PDPA.


Specified Messages And Exemption Order


Where an EI sends an SMS to students about an activity, insofar as the activity does not involve an offer to supply a good or service or have any of the other purposes listed in the definition of a specified message, the EI would not be sending a specified message, and therefore the DNC Provisions would not apply.


Under the Personal Data Protection (Exemption from Section 43) Order (“Exemption Order”), the fact that a parent enrolled his/her child and provided his/her contact information voluntarily does not give rise to an ongoing relationship between the parent and the EI. Instead, the ongoing relationship is generally established between the EI and the student. Thus, the EI should obtain clear and unambiguous consent, evidenced in written or any other form, from the parent if it wishes to send specified messages to the parent’s telephone number.

 

Part II: Social Service Guidelines


The Social Service Guidelines were developed in consultation with the National Council of Social Service (“NCSS”) to address the unique circumstances faced by the social service sector in complying with the PDPA. The PDPC recognises that voluntary welfare organisations (“VWOs”) may collect, use or disclose an individual’s personal data including the full name, NRIC number, contact details, financial and family situation, medical history, etc for purposes such as evaluating the individual’s suitability for social services or administering social services to the individual.


In general, the DP Provisions shall not impose any obligation on any public agency, or any organisation in the course of acting on behalf of a public agency, which includes the Government and specified statutory bodies like the NCSS. As such, the Social Service Guidelines are relevant to VWOs that do not fall within the definition of a public agency, or are not in the course of collecting, using or disclosing personal data on behalf of a public agency.


Capacity To Consent


At the outset, paragraph 2.23 of the Social Service Guidelines states that VWOs may wish to consider how best to obtain consent from individuals who may not have the capacity to give consent for themselves, such as a person who is mentally unwell, or is a minor. In this regard, the DP Provisions do not affect any authority, right, obligation or limitation under other laws and VWOs should accordingly ensure compliance with other laws such as the Mental Capacity Act.


Fund-Raising


The Social Service Guidelines provide clarification as to when VWOs would be required to comply with the consent, purpose limitation and notification obligations in relation to the sending of fund-raising inserts within a monthly bill which a third party organisation will send to its database of customers. Where a VWO does not have control over the processing of the personal data in the third party’s database for sending the fund-raising inserts, the VWO would not likely be subject to the DP Provisions for engaging the third party to send the inserts.


However, where donors send their personal data directly to a VWO in connection with their donations, the VWO is considered to have control over the processing of donors’ personal data and would then be subject to the DP Provisions. Ultimately, in determining whether the VWO is required to comply with the DP Provisions, the PDPC will consider the specific facts of the case eg the actual arrangement between the VWO and the third party regarding the reliance on the database.


Case Conferences


Paragraph 2.13 of the Social Service Guidelines provides that in cases where an individual has multiple social and medical needs and has been receiving social service assistance from more than one VWO, it is possible for there to be coordination among the VWOs insofar as consent has been obtained from the individual in question. As a typical case conference is likely to involve the disclosure of the individual’s personal data (such as his/her medical history, family conditions, services that the individual is currently receiving, or has received in the past) by more than one VWO, the VWOs involved are required to notify the individual of the purpose for the collection, use and disclosure of his/her personal data for the case conference in addition to obtaining his/her consent, unless an exception applies.


Client Surveys


Where a VWO intends to conduct a survey on the impact of its services on individuals, which involves the collection and use of personal data (including full names, contact details and income levels), it must obtain consent from the survey participants before publishing the results of the survey, whether in its annual report and/or on its website, in a form that identifies the survey participants. The PDPC clarifies in paragraph 2.14 of the Social Service Guidelines that if the VWO intends to use or disclose personal data that had previously been collected for other purposes, it should consider whether the exception for use or disclosure of personal data without consent for research in paragraph 1(i) in the Third Schedule or paragraph 1(q) in the Fourth Schedule of the PDPA respectively, would be applicable.


Photographs On Social Media Networks


To the extent that any photographs taken by employees of a VWO show identifiable individuals, the VWO would need to obtain the consent of the individuals for the collection, use or disclosure of the photographs. Under the PDPA, employees (including volunteers) who are acting in the course of their employment with an organisation are excluded from the application of the DP Provisions. Similarly, individuals who are acting in a personal capacity are not required to comply with the DP Provisions.


The Social Service Guidelines offer further guidance in relation to situations where individuals take photographs during an event hosted by a VWO and upload them onto their personal social media network page. If the person taking the photographs was acting in a personal capacity when taking the photographs, then publishing them on the social media network profile page would not be a breach of the DP Provisions and the VWO would not be responsible for the person’s conduct.


Conversely, if the person was an employee or volunteer when taking the photographs, or the unpublished photographs belong to the VWO, then the VWO may be liable for the person’s conduct under the PDPA, even if that person is not liable. In this case, the employee’s or volunteer’s actions may potentially cause the VWO to breach the PDPA, for example, in relation to the VWO’s compliance with the protection obligation.


Evaluative Purpose Exception


Under paragraph 2.23 of the Social Service Guidelines, consent is not required for a VWO to collect and use an individual’s personal data if the collection or use is necessary for an evaluative purpose, eg to determine the individual’s suitability or eligibility for grant of social assistance under the scheme administered by a public agency. Similarly, consent is not required for a VWO to disclose an individual’s personal data to another VWO which provides social assistance if the disclosure is necessary for an evaluative purpose.


Collection Of Personal Data From Third Parties

 

An individual who is applying for a financial assistance programme offered by a VWO may be required to provide the personal data of family members living in the same household, including their full names and employment status, as part of the enrolment process in order to evaluate his/her suitability for its programme. Under these circumstances, the VWO can collect the family members’ personal data from the individual without the family members’ consent, pursuant to paragraph 1(m) in the Second Schedule of the PDPA, which relates to the provision of personal data of individuals by another individual to enable the VWO to provide a service for the personal or domestic purposes of that other individual.


Access Requests


VWOs should generally provide individuals with access to their personal data and information about the ways in which such personal data has been or may have been used by the VWO over the past year. However, paragraph 3.8 of the Social Service Guidelines states that VWOs should consider if any prohibition under the PDPA applies. For example, section 21(3) of the PDPA prevents VWOs from providing an individual with his/her personal data or other information if it could reasonably be expected that doing so would cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request. VWOs should also consider if any of the exceptions to the access obligation in the Fifth Schedule of the PDPA would apply. Additionally, the VWO should exercise due diligence and adopt appropriate measures to verify the identity of the person making the access request.


Specified Messages


If a VWO sends an SMS to its donors and volunteers to publicise an event, that SMS is likely to fall under the definition of a specified message to the extent that it is an offer to provide a service. Similarly, if a VWO markets another VWO’s event to the donors and volunteers in its own database, then the VWO would be considered to have sent specified messages. 


However, under paragraph 8.9 of the Social Service Guidelines, if a VWO sends an SMS to its volunteers and donors asking for donations or to thank them for their help during a fund-raiser, the SMS would not constitute a specified message as it does not offer to supply a good or service or have any of the other purposes listed under the definition of specified message.

 

Part III: Healthcare Guidelines


The Healthcare Guidelines were developed in consultation with the Ministry of Health to address the unique circumstances faced by the social service sector in complying with the PDPA. 


Consent


Deemed Consent For Purposes Relating To A Patient’s Visit


In the healthcare context, it is not uncommon for clinics and healthcare institutions to require a first-time patient to fill out a registration form providing personal data such as the patient’s NRIC number and mobile number.


Paragraph 2.3 of the Healthcare Guidelines suggests that a good practice that healthcare institutions can adopt in this regard is to indicate which fields on the registration form (or any form collecting personal data) are compulsory and which are optional.
Where a patient voluntarily provides personal data on a healthcare institution’s registration form, this is likely to constitute deemed consent to the healthcare institution for purposes relating to the provision of medical care by that healthcare institution. Such deemed consent is likely to cover the following purposes: 


(a) the purposes of collection, use or disclosure of the patient’s personal data by medical students or doctors of the healthcare institution. This is because the definition of an “employee” under the PDPA would cover volunteers who are working under an unpaid work relationship, such as medical students in the context of medical practice (paragraph 2.4 of the Healthcare Guidelines);


(b) the purposes of a healthcare institution’s internal processes for quality assurance and service improvement and corporate business functions, to the extent that these purposes support the delivery of medical care to the patient (paragraph 2.7 of the Healthcare Guidelines); and


(c) the purposes of using a patient’s personal data that is stored on the National Electronic Health Records (“NEHR”) database, or disclosing personal data of the patient to other healthcare institutions through the NEHR, provided that such use or disclosure relates to the purpose that the patient had first consented to, ie for the purpose of providing medical treatment to the patient (paragraph 2.10 of the Healthcare Guidelines).


The Healthcare Guidelines also clarify that it is not necessary, at the point of seeking a patient’s consent, for a healthcare institution to notify every specific activity that it may undertake in respect of using and disclosing that patient’s personal data. Rather, it would be more important for the patient to be notified of the objectives or the reasons for the collection, use and disclosure of the personal data (ie for purposes of the healthcare institution providing medical treatment to the patient).


No Deemed Consent For Purposes Beyond The Provision Of Medical Care


Generally, the PDPC considers that a patient will not be deemed to have consented to purposes that are beyond the provision of medical care to the patient, or which involve the use of personal data that has “no nexus” to the patient’s visit to the clinic. This includes, for instance, any marketing of health products unrelated to the patient’s condition.
Further, the PDPC’s view is that if a healthcare institution wishes to use patients’ personal data to develop teaching materials or conduct training, the healthcare institution would typically need to separately notify the patient and obtain the patient’s consent for such purpose.


Referrals By A Patient’s Doctor


In the scenario where a doctor recommends a patient for a referral to another healthcare institution or specialist, the PDPC’s view as set out in paragraph 2.5 of the Healthcare Guidelines is that the patient would be regarded as providing consent to the first doctor if the patient agrees, for instance verbally, to that doctor’s recommendation to be referred.


Family Medical History 


A common scenario that arises in medical practice involves doctors asking patients if they have any family history of certain medical conditions. The PDPC recognises that it is not in all cases that information about a medical condition which a patient’s family member suffers from would constitute personal data under the PDPA. 


For instance, the patient’s family member may not be identified if the doctor does not ask the patient for more details about that family member, and the doctor also cannot identify that family member from any data about the family member (or when combining such data with other likely accessible data or information).


Even where the family member can be identified, there may still be an exception for the doctor to collect personal data of the patient’s family member (from the patient) without the consent of the patient’s family member, pursuant to paragraph 1(m) in the Second Schedule of the PDPA.


Disclosing Personal Data Of Employees Who Participate In Company Healthcare Schemes


Under paragraph 2.9 of the Healthcare Guidelines, the PDPC deals with the issue of whether consent is required before an employee’s medical information can be disclosed by a clinic to an employer, or to a managed care provider (which manages the employer’s company healthcare scheme). In this context, the Healthcare Guidelines provide that a clinic should generally only disclose the employee’s personal data if the clinic has obtained the employee’s consent. Accordingly, clinics would themselves need to further consider the issue of when an employee’s medical information is no longer simply “personal data” as defined under the PDPA, but where such medical information is also protected by other laws such as those relating to patient confidentiality.


Using Personal Data For Research Purposes Without Consent

 

In the case of retrospective research studies or registry research, organisations may wish to use patient personal data for which it may not have obtained the relevant consent from the patients concerned. 


The PDPC notes that it may be possible that the exception under paragraph 1(i) in the Second Schedule of the PDPA could apply in such cases, in order that the personal data can be used without consent. However, the linkage of the personal data to other information should not be harmful to the individuals identified by the personal data and the benefits to be derived from the linkage should clearly be in the public interest.


Further, the Healthcare Guidelines highlight that an organisation that intends to use such personal data for research purposes without consent should take into account the opinion of its Institutional Review Board, or equivalent body, which provides ethics approval for the research project.


Access To Medical Records And Other Personal Data


A patient may make a request to a clinic to access personal data that he had provided through a registration form, or to obtain the diagnosis of a condition that is recorded in a doctor’s handwritten notes. 


While the clinic will generally be required under the PDPA to grant the patient access to such personal data, the Healthcare Guidelines suggest that it may not be necessary in every case for the clinic to provide such personal data in a form other than the original form in which such personal data was recorded. For instance, instead of providing the patient with a copy of the doctor’s handwritten notes containing the diagnosis, the clinic can provide a medical report issued by the doctor setting out the diagnosis.


Further, it is open to the clinic to charge a reasonable fee for the access request. However, the PDPC has highlighted that the clinic must respond to the access request as soon as reasonably possible. If the clinic is unable to respond to the access request within 30 days from the time that the request is made, it must inform the patient in writing within the 30-day timeframe as to when it will be able to respond to the request.


Application Of The Correction Obligation


Paragraph 3.13 of the Healthcare Guidelines sets out three scenarios on how a clinic may respond to a patient’s request for correction of his personal data:


(a) where a patient requests the clinic to correct his contact details in the clinic’s records to reflect his new postal address, it would be reasonable for the clinic to correct that patient’s contact details to ensure that they are accurate and current;


(b) where a patient requests the clinic to correct information about his smoking habits which the doctor recorded during a previous visit to the clinic, the clinic may decide not to correct its records if it is satisfied upon reasonable grounds that a correction need not be made; and 


(c) where a patient requests the clinic to correct a diagnosis about his medical condition, and such diagnosis is a professional or expert opinion, the clinic will not be required under the PDPA to correct or otherwise alter that diagnosis.


The PDPC has clarified that, if a correction that is requested is not made, the clinic should annotate such personal data with the corrections that were requested but not made.


Application Of The DNC Provisions To Healthcare Scenarios 


Part III of the Healthcare Guidelines makes clear that a clinic will not be able to avail itself of the exemption under the Exemption Order if it is intending to call or send a text message informing one of its patients about a new drug which could be an effective treatment for a medical condition (eg a drug for asthma) that the patient did not seek treatment for at that clinic (ie the patient had never sought treatment for asthma or asthma-related conditions at that clinic) and the patient does not have an ongoing relationship with the clinic. 


In such a scenario, prior to calling or sending any text messages to the patient, the clinic must check the Do Not Call Register to ensure that the patient is not registered on the relevant register(s). Alternatively, the clinic must have obtained clear and unambiguous consent in writing (or in such other accessible form) from the patient.

 

Part IV: Updated Advisory Guidelines On Photography


To clarify the application of the DP Provisions in relation to photography-related activities, the PDPC has issued a new chapter in the Selected Topics Guidelines dealing with photography-related activities (“Photography Guidelines”).

Obtaining Consent


Generally, a professional photographer who takes a photograph of an identifiable individual in the course of his business will be required to obtain the individual’s consent, unless he is taking the photograph on behalf of and for the purposes of another organisation pursuant to a written contract.


There may be limited exceptions for photographs taken in public places.


Individuals Acting In A Domestic Or Personal Capacity


The PDPC notes that there may be situations where the collection and use of personal data in a photograph containing personal data of an individual may not require consent when the photographer is acting in a personal or domestic capacity. The following examples help to clarify the application of this exception under section 4(a) of the PDPA.


Photographs Taken At An Event For Employees 


Where Employee A takes a photograph with his friend (Person B), at an event organised by Employee A’s employer (Organisation C), and uploads that photograph on Employee A’s own social media account, Employee A would not need to comply with the DP Provisions.
If, however, Organisation C subsequently wishes to use the photograph taken by Employee A for business or commercial purposes (such as publishing the photograph on its social media account for its own publicity purposes), Organisation C will need to ensure that consent is obtained from Person B, prior to publishing the photograph for the business or commercial purposes. 


Submission Of Photographs To A Competition


Where a professional photographer (Person D) takes a photograph of his aunt (Person E) at a family event, and submits that photograph for a photography competition for professional freelance photographers, which is organised by Organisation F, the PDPC considers that Person D is unlikely to be acting in a domestic or personal capacity.
On the other hand, if Person D submits the same photograph to a photography competition organised by a social and recreation club on the club member’s favourite family member, the PDPC considers that Person D is likely to be considered to be acting in a domestic or personal capacity in this context. 


Consent For Photo-Taking At A Private Event Or Venue


The PDPC has noted that, at private events or venues where photographers are present, it is unlikely that an organisation will be able to rely on deemed consent solely by virtue of an individual remaining in an area where photographers can be seen to be present. The rationale for this is that it would be difficult, if not impossible, in such circumstances to accurately determine if the individual had awareness of the existence of the photographers or the photo-taking activities. Importantly also, the PDPA does not impose any obligation on individuals to indicate that they do not consent. Instead, the obligations under the PDPA are imposed on organisations to ensure that the necessary consent is obtained (unless an exception applies).


In this regard, organisations should take measures to ensure that the attendees of the private event are aware of the purposes for which their photographs are collected, used and disclosed. For instance, if an organisation wishes to rely on deemed consent to use the photographs taken for the purpose of publication in its own internal newsletter, it may take measures such as the following:


(a) stating clearly in the invitation to the attendees that photographs of the attendees will be taken at the event for purposes of publication in the organisation’s internal newsletter;


(b) putting up an obvious notice at the reception or entrance of the venue to inform attendees that photographs will be taken at the event for purposes of publication in the organisation’s internal newsletter; or


(c) getting the photographer to ask attendees to pose for their photograph to be taken for purposes of publication in the organisation’s internal newsletter, and to take the photograph only if the attendee voluntarily poses for the photograph.


Alternatively, the organisation could consider obtaining actual consent by clearly indicating on a form for confirmation of attendance, which is signed by the attendees and returned to the organisation, that photographs will be taken at the event for the organisation’s corporate purposes.


Withdrawal Of Consent


The PDPC has clarified that the withdrawal of consent by an individual has no effect on personal data that is already publicly available. This means that, if an organisation has published an annual report containing a photograph of an individual, and that individual subsequently withdraws consent, the organisation will not be required to recall all copies of the annual report that had been circulated prior to the individual’s withdrawal of consent. However, organisations will be required to cease further use or disclosure of that personal data (eg in future publications).


Separately, in the case where a photograph or video contains multiple individuals, and one of the individuals withdraws his consent, an organisation may still use or disclose that photograph or video, provided that:


(a) the organisation masks the image of the individual who withdrew consent; or


(b) the organisation is authorised or required under the PDPA or under other written law to use or disclose that individual’s personal data without consent.


Exception For Artistic And Literary Purposes


In the closing note to the Photography Guidelines, the PDPC also sought to clarify the exception under the PDPA for artistic and literary purposes.


In relation to professional photographers who take photographs for an organisation’s private events or activities, the PDPC’s view is that such photographers would not generally be able to rely on the PDPA exception for artistic and literary purposes to use the photographs taken in their own portfolio or for publicity purposes. Instead, the organisation is recommended to establish arrangements with the photographers to obtain consent for such photographers to use the photographs in their own portfolio or for publicity purposes.

 

Part V: PDPC’s Handbooks: A Guide To Notification


The PDPC has also issued a new “Guide to Notification”, which is a practical guide to assist organisations in providing clearer notifications to consumers on the collection, use and disclosure of personal data.


The PDPC’s Guide to Notification provides guidance on various aspects of how organisations can notify consumers of the collection, use and disclosure of personal data, and it also provides illustrations as to the following:


(a) sample layouts for notifications;


(b) sample language that can be used in notifications; 


(c) examples of the types of location at which notifications should be placed;


(d) good practices which organisations should adopt when obtaining consent;


(e) examples of how an organisation may state the purposes for which it is obtaining consent; 


(f) sample lucky draw forms for collection, use and disclosure of personal data in the context of lucky draws; and

 

(g) sample notices informing individuals that CCTVs are in operation.

 

Concluding Remarks


The recently issued advisory guidelines for the education, social service and healthcare sectors are useful in clarifying how the PDPA provisions operate in the specific contexts of these sectors. However, it must be highlighted that these advisory guidelines should be read in conjunction with the other advisory guidelines issued by the PDPC from time to time, including the Advisory Guidelines on Key Concepts in the PDPA (which explain in greater detail the obligations that organisations have to comply with under the PDPA), the Advisory Guidelines on the DNC Provisions and the Advisory Guidelines on Selected Topics.


Ultimately, as the personal data protection regime under the PDPA only operates as a baseline law and builds upon existing sector-specific legal and/or regulatory frameworks, the burden lies with organisations to assess if their existing practices comply with their obligations both under the PDPA, as well as under any applicable sector-specific framework.


References


Please click on the following links to access the documents.


1. Advisory Guidelines for the Education Sector
2. Advisory Guidelines for the Healthcare Sector
3. Advisory Guidelines for the Social Service Sector
4. Advisory Guidelines on the Personal Data Protection Act for Selected Topics (Chapter 9 on Photography)
5. A Guide to Notification

 

Drew & Napier

 

Chong Kin Lim, Director, Drew & Napier

chongkin.lim@drewnapier.com

 

Charmian Aw, Director, Drew & Napier

charmian.aw@drewnapier.com

 
