16 September, 2011
The long-awaited consultation paper on the proposed data protection regime has been issued by the Ministry of Information, Communications and the Arts (“MICA”). The consultation paper sets in motion a process which will culminate in the enactment of data protection legislation in Singapore.
Background
MICA recognizes that there is currently no data protection legislation in Singapore. Therefore, it proposes a baseline data protection framework which will be applicable to all organisations other than those in the public sector. International developments, the protection of consumer interests and the need to position Singapore as a trusted hub have necessitated the introduction of this data protection framework. Current sectoral regulations are likely to remain in place. MICA has sought public consultation over the scope of the proposed legislation.
Proposed Scope of Data Protection Legislation
I. Scope of Personal Data
Personal data is proposed to cover data about identifiable natural persons, living or deceased.
II. Data Collectors
The proposed legislation would exclude public sector organisations such as ministries, statutory boards and organs of state. It is being considered whether the legislation should cover organisations outside Singapore collecting or processing information in Singapore.
III. General rules for collection
MICA proposes that the general principles of consent, purpose and reasonableness be applied when personal information is collected and used. However, questions as to the extent of consent and the exceptions to the general rules require input from the public.
IV. Transfer of Personal Data
MICA also proposes that organisations take appropriate measures to protect personal data when such data is transferred out of Singapore.
V. Accuracy, Security and Retention
Reasonable measures are proposed to be undertaken to ensure that personal data is accurately used and secure. Personal data should no longer be retained once it is reasonable to assume that the purpose for which it was retained is no longer served by such retention.
VI. Access to Personal Data
Organisations should allow an individual access to his personal data and correct any inaccurate data at his request.
VII. Data Protection Commission
A data protection commission will be set up to enforce the new legislation. An independent Appeals Board will also be constituted to hear appeals from decisions of the commission. The commission will have powers to issue orders to rectify non-compliance with the legislation and to require payment of a fine not exceeding $1 million.
VIII. Transitional Procedures
MICA proposes that a sunrise process be applied to allow partial implementation of the legislation over one to two years, giving organisations time to comply with and administer the new legislation. The data protection legislation will also deem consent to have been given for existing data collected by an organisation for its existing purposes.
IX. Do-Not-Call Registry
MICA is also seeking feedback on whether a national do-not-call registry should be set up by an independent body to allow individuals to opt out their phone numbers.
Conclusion
The data protection legislation represents a milestone in Singapore’s legal development and IT infrastructure. It will change the way some business processes are carried out and will impact many businesses in Singapore. MICA is receiving feedback until 25 October 2011.
By Bryan Tan