2 April, 2012
Legal News & Analysis – Asia Pacific – Singapore – TMT
The draft Personal Data Protection Bill has just been published by the Ministry of Information, Communications and the Arts (MICA). MICA is calling for a public consultation on the draft bill.
Introduction
The proposed introduction of Data Protection (“DP”) Laws in Singapore highlights the need to safeguard one’s personal data. However, it is recognized that companies need to use such data for the purposes of their businesses. The upcoming DP laws seek to balance these two competing interests.
Singapore’s DP regime would be implemented through the setting up of the Do Not Call (“DNC”) Registry and the passing of the Personal Data Protection Act (“PDPA”). The PDPA would apply to all individuals with regard to the use of their personal data for specified purposes. The DNC Registry applies specifically to marketing messages that are unsolicited and sent to an individual usually via phone calls or e-mail. Individuals who wish to be included in the DNC Registry would have to register their phone numbers. While the workings of the DNC Registry is relatively straightforward, the PDPA bears further elaboration as it applies to general uses of personal data across the board rather than just for marketing purposes.
Scope of the PDPA
It is proposed that the PDPA apply to all private organizations in Singapore. Even if the organization is not physically located in Singapore, it would be subject to the PDPA as long as it engages in data collection, processing or disclosure within Singapore. Public organizations are excluded because they are already regulated by separate sector specific DP rules that are currently already in place. The
PDPA will apply to both electronic and non-electronic forms of personal data. “Personal data” is defined as data, whether true or not, about an individual who can be identified from that data and/or other information to which the organization is likely to have access. Examples of “personal data” include an individual’s NRIC number, address, mobile number and e-mail address.
Consent required
In order for the organization to use an individual’s personal data, that individual has to give consent. For such consent to be obtained, the organization needs to inform the individual the purposes for the collection, use or disclosure of the personal data. The proposed PDPA also explicitly states that consent cannot be given as a prerequisite to the supply of goods or services and even where consent is given, that consent does not extend to personal data beyond what is reasonable to provide the product or service to that individual. The example cited by MICA’s consultation paper is that of an individual’s NRIC number not being necessary data for participation in a loyalty program.
However, despite the abovementioned requirements, consent is deemed given where the individual voluntarily provides the personal data to the organization.
Establishment of a DP commission (“DPC”)
It is proposed that the DPC be established to look into DP related issues and to enforce the DP law. Under the PDPA, the DPC has the power to ensure that organizations comply with the Act, for example, by directing errant organizations to cease any personal data related activity that goes against the PDPA or to pay a financial penalty for each breach.
Transition arrangements
MICA has proposed that organizations be given not less than 18 months from the time the PDPA is enacted to comply with it. Personal data that has been collected before the date of commencement of the Parts III to VI of the PDPA (i.e. parts relating to protection, collection, use, disclosure and care of personal data) can be used for the purpose the data was collected, subject to the use being reasonable.
