28 May, 2014
Overview And Background
On 19 May 2014, the Personal Data Protection Act 2012 (Commencement) Notification 2014 (“PDPA Commencement Notification”) and the Personal Data Protection Regulations 2014 (“PDP Regulations”) were gazetted. The PDPA Commencement Notification provides for Parts III to VII of, and the Second to Sixth Schedules to, the Personal Data Protection Act 2012 (“PDPA”) to come into operation on 2 July 2014.
In tandem with the gazetting of the PDPA Commencement Notification and the PDP Regulations, the Personal Data Protection Commission (“PDPC”) also published revised versions of the following guidelines on 16 May 2014:
(a) Advisory Guidelines on Key Concepts in the PDPA (“Key Concepts Guidelines”); and
(b) Advisory Guidelines on the PDPA for Selected Topics (“Selected Topics Guidelines”)
(collectively, the “Advisory Guidelines”).
The revision to the Key Concepts Guidelines resulted in the inclusion of the following three chapters:
(a) Applicability to Inbound Data Transfers (Chapter 11);
(b) The Access and Correction Obligation (Chapter 15); and
(c) The Transfer Limitation Obligation (Chapter 19).
The revision to the Selected Topics Guidelines resulted in the addition of a chapter on Data Activities Relating to Minors (Chapter 8).
By way of background, the PDPA serves as a baseline law, governing the collection, use and disclosure of individuals’ personal data1 by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.2
The PDPA contains two main sets of provisions, namely, those pertaining to the Do Not Call Registry and the personal data protection obligations. The various provisions relating to the Do Not Call Registry came into force on 2 January 2013, whereas the personal data protection provisions in Parts III to VII of the PDPA (“Data Protection Provisions”) will come into operation on 2 July 2014. As the effective date draws closer, organisations involved in the processing of personal data should evaluate the adequacy of their existing business policies and processes so as to be well prepared to fully comply with the new personal data protection regime.
On 5 February 2013, the PDPC launched a public consultation on the proposed PDP Regulations and Advisory Guidelines. Following this, the revised Advisory Guidelines incorporating comments from the consultation were published on 24 September 2013.
The PDP Regulations and the latest revised Advisory Guidelines aim to give organisations and individuals greater clarity by elaborating on how the PDPC will interpret specific obligations of organisations under the PDPA. In particular, the PDP Regulations also clarify and expand on the existing scope of obligations with regard to the access and correction obligation, transfer of personal data outside of Singapore, and rules for individuals who may act for others under the PDPA.
The Advisory Guidelines are not legally binding on the PDPC or any other party, nor do they modify or supplement in any way the legal effect and interpretation of the PDPA and subsidiary legislation. Direct reference should be made to the PDPA and other legislation for the complete and definitive statement of the provisions of any such legislation. In the event of any inconsistency, the PDPA and any regulations or rules issued thereunder (including the PDP Regulations) will prevail over the Advisory Guidelines.3
A non-exhaustive summary of the key issues in the PDP Regulations, as well as the corresponding revisions to the Advisory Guidelines, is set out below.
Key Issues
Access And Correction Obligations
The PDPA gives individuals the right to make access and/or correction requests to organisations that possess or control their personal data, subject to certain conditions and exceptions.
Organisations are generally obliged to accede to such requests unless an exception applies.
Under Section 21(1) of the PDPA, an organisation must, upon request by an individual, provide the individual with access to his or her personal data that is in the organisation’s possession or control, and information about the ways in which the personal data may have been used or disclosed by the organisation within a year before the date of the request (“Access Obligation”).
Under Sections 22(1) and 22(2)(b) of the PDPA, an organisation must comply with a request made by an individual to correct an error or omission in that individual’s personal data that is in the organisation’s possession or control, and, subject to certain conditions and exceptions, correct the personal data as soon as practicable, and send the corrected personal data to every other organisation to which the personal data was disclosed to within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose (“Correction Obligation”).
PDP Regulations
With regard to the Access Obligation and Correction Obligation, the PDP Regulations sets out how applicants may make access or correction requests; how organisations should respond to such requests; the timeframe for organisations to provide a response to the applicant; situations where organisations may refuse to confirm or deny existence, use or disclosure of personal data; and the fees organisations may charge applicants for responding to such requests.
The PDP Regulations set out the process by which applicants who wish to make an access or correction request are required to comply with. The requirements for submitting requests are that the request:
(a) must be made in writing;
(b) must include sufficient detail to enable the organisation, with a reasonable effort, to identify the applicant, the personal data and use and disclosure information requested by the applicant (in relation to access requests), or correction requestedby the applicant (in relation to correction requests); and
(c) must be sent to the organisation in accordance with Section 48A of the Interpretation Act4, by sending it to the organisation’s data protection officer in accordance with the business contact information provided under Section 11(5) of the PDPA5, or in such other manner as is acceptable to the organisation.
There are different obligations imposed on organisations in respect of access and correction requests.
For example, the PDP Regulations impose an obligation on an organisation to respond to each access request for information relating to the use or disclosure of his or her personal data as accurately and completely as necessary and reasonably possible. In comparison, with regard to correction requests, the PDP Regulations do not impose a duty to respond to correction requests.
If an organisation is unable to comply with the requirements imposed by the PDPA in respect of the Access Obligation or Correction Obligation within 30 days after receiving either an access or correction request made in accordance with the PDP Regulations, the organisation must (within the 30-day period) inform the applicant in writing of the time by which it will respond to the request.
Where an organisation is required to provide an applicant access to his or her personal data, the organisation must provide the applicant with a copy of his or her personal data and use and disclosure information in a documentary form or in such other form requested by the applicant and is acceptable to the organisation. If it is impracticable in a particular case to provide a copy of the personal data and use and disclosure information in documentary form, the organisation should allow the applicant a reasonable opportunity to examine the personal data and use and disclosure information.
Further, subject to Section 21(4) of the PDPA,6 an organisation may, in response to an access request, refuse to confirm or may deny:
(a) the existence of personal data referred to in paragraph 1(h) of the Fifth Schedule to the PDPA7; or
(b) the use of personal data without consent under paragraph 1(e) of the Third Schedule to the PDPA8 or the disclosure of personal data without consent under paragraph 1(f) of the Fourth Schedule to the PDPA,9 for any investigation or proceedings, if the investigation or proceedings and related appeals have not been completed.
In relation to the charging of fees for access requests, an organisation may charge the applicant a reasonable fee for services provided to the applicant to enable the organisation to respond to the access request. An organisation must not charge a fee to respond to the access request unless the organisation has provided a written estimate of the fee, and if an organisation wishes to charge a fee higher than the written estimate provided, it must have notified the applicant in writing.
In contrast, an organisation shall not charge an applicant any fee to comply with an organisation’s obligation to correct personal data and send the corrected personal data to organisations to which the personal data has been disclosed, in accordance with Section 22(2) of the PDPA.
Advisory Guidelines
Obligation To Provide Access To And Correct Personal Data
An organisation’s obligation in responding to an access request is to provide the individual with access to the complete set of personal data requested by the individual which is in the organisation’s possession or under its control, unless any relevant exception in Section 21 or the Fifth Schedule to the PDPA applies.
The Key Concepts Guidelines further clarify that an organisation is not required to provide access to the documents (or systems) which do not comprise or contain the personal data in question, as long as the organisation provides the individual with the personal data that the individual is entitled to have access to under Section 21 of the PDPA.
In certain circumstances, the individual making the access request may ask for a copy of his or her personal data in documentary form. In this regard, organisations should provide the copy and have the option of charging the individual a reasonable fee for producing the copy. However, the personal data may sometimes reside in a format that cannot be practicably provided to the individual in documentary form, whether as physical or electronic copies (eg the data cannot be extracted from a special machine owned by the
organisation). In such circumstances, the organisation may provide the individual a reasonable opportunity to examine the requested personal data.
The Key Concepts Guidelines have also clarified that the scope of the Access Obligation applies equally to personal data captured in unstructured forms such as personal data embedded in emails. In this regard, organisations are generally required to implement processes to keep track of the collection, use and disclosure of all personal data in their possession, including unstructured personal data.
Further, if the personal data requested by the individual can be retrieved by the individual himself or herself (eg personal data residing in online portals to which access has been granted by the organisation), the organisation may inform the individual how he or she may retrieve the data requested.
An organisation does not have to provide access to personal data which is no longer within its possession or under its control when the access request is received, or if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interest or if the request is otherwise frivolous or vexatious. Where an organisation no longer possesses the personal data, the organisation should generally inform the requesting individual that it no longer possesses the personal data and is thus unable to meet the individual’s request.
In relation to the Correction Obligation, if an organisation is satisfied upon reasonable grounds that a correction should not be made, Section 22(5) of the PDPA requires the organisation to annotate the personal data in its possession or under its control, indicating the correction that was requested but not made. As a matter of good practice, the organisation may also wish to annotate the reasons why it decided that the correction should not be made.
Information Relating To Ways Which Personal Data Has Been Used Or Disclosed
The Key Concept Guidelines also clarify that in responding to a request for the organisations to which personal data has been disclosed, an organisation should individually identify each possible third party, instead of simply providing general categories of organisations to which personal data has been disclosed. This will enable individuals to directly approach the third party organisation to which his or her personal data has been disclosed.
In this regard, organisations may develop (and update periodically) a standard list of all possible third parties to whom personal data may have been disclosed, and provide that standard list to individuals who request for information relating to how the personal data has or may have been disclosed.
Further, in specifying how the personal data has been or may have been used or disclosed within the past year, organisations may provide information on the purposes rather than the specific activities for which the personal data had been or may have been used or disclosed. For instance, in response to an access request, an organisation may state that the personal data was disclosed for audit purposes rather than describing all the instances when the personal data was disclosed.
Exceptions To The Obligation To Provide Access To Or Correct Personal Data
Section 21(2) of the PDPA provides that an organisation is not required to provide individuals with personal data or other information specified in Section 21(1) of the PDPA in respect of the exceptions specified in the Fifth Schedule to the PDPA.
That said, the Key Concepts Guidelines clarify that an organisation is not prohibited from providing information in respect of the matters specified in the Fifth Schedule and may do so if it decides to. If an organisation does not provide access to personal data in respect of the matters specified in the Fifth Schedule, the organisation may, as good practice, inform individuals of the relevant reason(s), if appropriate.
In addition to the exceptions specified in the Fifth Schedule to the PDPA, as well as the situations specified under Section 21(3) of the PDPA where an organisation must not provide personal data or other information specified in Section 21(1) of the PDPA, the Key Concepts Guidelines highlight an additional obligation under Section 21(4) of the PDPA – where an organisation has disclosed personal data to a prescribed law enforcement agency without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule of the PDPA10 or under any other written law, the organisation shall not inform the individual that the personal data has been so disclosed.
In the event that an individual is engaged in legal proceedings with an organisation and makes an access request to obtain relevant personal data or other information, the organisation would not be required to provide the requested information if any exception applies, eg under paragraph 1(h) of the Fifth Schedule of the PDPA, an organisation is not required to provide access to personal data collected, used or disclosed without consent for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed.
For the avoidance of doubt, organisations should note that the Data Protection Provisions do not affect discovery obligations under law that parties to a legal dispute may have.
With regard to correction requests, the Key Concepts Guidelines highlight Section 22(6) of the PDPA, which provides that an organisation is not required to correct or otherwise alter an opinion, including a professional or an expert opinion. In addition, Section 22(7) provides that an organisation is not required to make a correction in respect of the matters specified in the Sixth Schedule to the PDPA.
Fees Chargeable For Access To Personal Data
Organisations may charge a reasonable fee for granting access to an individual’s personal data. The purpose of the fee is to allow organisations to recover the incremental costs of responding to the access request.
As organisations are required to make the necessary arrangements to provide for standard types of access requests, costs incurred in capital purchases (eg purchasing new equipment in order to provide access to the requested personal data) should not be transferred to individuals. In addition, the fee should accurately reflect the time and effort required to respond to the request.
In general, if an organisation requires an individual to pay a fee in relation to an access request, the organisation should inform the individual of the fee amount and all relevant details, eg accepted payment methods and payment processing time.
Response Time Frame For Access And Correction Requests
The Key Concepts Guidelines clarify that an organisation should respond to an access or correction request within 30 days. If an organisation is unable to respond to an access or correction request within 30 days of the time the request is made, the organisation shall inform the individual in writing within that time frame of the time by which it will be able to respond to the request. Further, it would be good practice for organisations to also specify the reasons for not being able to respond within 30 days of receiving the access or correction requests.
Form Of Access And Correction Requests
The Key Concepts Guidelines state that while organisations may provide standard forms or procedures for individuals to submit access and/or correction requests, organisations should accept all requests made in writing and sent to the business contact information of its Data Protection Officer, or in the case of a body corporate, left at or sent by pre-paid post to the registered office or principal office of the body corporate in Singapore, where sufficient information has been provided for the organisation to meet the requests.
Transition Period In Relation To Access Requests
In paragraph 4.5 of the Closing Note for the public consultation issued by the PDPC on the proposed PDP Regulations, the PDPC noted that organisations which receive access requests soon after the data protection rules come into force on 2 July 2014 may not necessarily have put in place systems to appropriately capture how personal data may have been used prior to 2 July 2014. In this regard, the PDPC acknowledged that since the transition period before the Data Protection Provisions come into force was given for organisations to prepare themselves to comply with the PDPA, organisations should not be expected to have captured information on how personal data might have been used during the transition period.
The PDPC stated in the Closing Note that it will bear in mind the above when determining whether any organisation has complied with an access request in the first year following 2 July 2014 and the directions to be issued in the event of non-compliance. In doing so, the PDPC will generally also consider whether the organisation has acted reasonably to respond to an access request and whether an exception applies. Further, the PDPC clarified that it would likely consider an organisation which receives an access request in the first year following 2 July 2014, to have fulfilled the Access Obligation if the organisation has acted reasonably and made a best effort attempt to respond to an access request.
PDP Regulations
Cross-Border Transfers Of Personal Data
Part III of the PDP Regulations specifies the conditions under which an organisation may transfer personal data to a country or territory outside Singapore. Additional clarifications are provided in Chapters 11 and 19 of the Key Concepts Guidelines.
The PDPA limits the ability of an organisation to transfer personal data overseas. In particular, Section 26(1) of the PDPA provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (“Transfer Limitation Obligation”).
Requirements For Transfer
The PDP Regulations prescribe that before transferring an individual’s personal data to a country or territory outside Singapore, a transferring organisation is required to take appropriate steps to:
(a) ensure that the transferring organisation will comply with Parts III to VI of the PDPA (ie the Data Protection Provisions) in respect of the transferred personal data, while such personal data remains in the possession or under the control of the transferring organisation; and
(b) ascertain whether, and to ensure that, the recipient of the personal data in the country or territory outside Singapore is bound by legally enforceable obligations (in accordance with Regulation 10 of the PDP Regulations) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA.
In respect of requirement (a) above, a transferring organisation would be taken to have satisfied this requirement in respect of the personal data while it remains in the possession or under the control of the transferring organisation if the personal data is:
(i) data in transit;11 or
(ii) publicly available in Singapore.
With regard to requirement (b) above, a transferring organisation is taken to have satisfied this requirement in respect of an individual’s personal data which it transfers to a recipient in a country or territory outside Singapore if:
(a) subject to certain conditions, the individual consents to the transfer of personal data to that recipient in that country or territory;
(b) the transfer of personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual’s request with a view to the individual entering into a contract with the transferring organisation;
(c) the transfer of personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual’s request;
(d) the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party if a reasonable person would consider the contract to be in the individual’s interest;
(e) the transfer of personal data to the recipient is necessary for the personal data to be used:
(i) for any purpose which is clearly in the interests of the individual (if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent);
(ii) to respond to an emergency which threatens the life, health or safety of the individual or another individual; or
(iii) in the national interest; or
disclosed:
(i) for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way;
(ii) to respond to an emergency that threatens the life, health or safety of the individual or another individual;
(iii) subject to certain conditions, where there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way;
(iv) in the national interest; or
(v) for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual;
(f) the personal data is data in transit; or
(g) the personal data is publicly available in Singapore.
It should also be noted that nothing in the provisions of the PDP Regulations relating to the transfer of personal data outside Singapore would prevent an individual from withdrawing any consent given for the transfer of personal data to a country or territory outside Singapore.
Legally Enforceable Obligations
PDP Regulation 10(1) provides some guidance on what would constitute “legally enforceable obligations”. Legally enforceable obligations include obligations imposed on a recipient of personal data under:
(a) any law;
(b) any contract that:
(i) requires the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and
(ii) specifies the countries and territories to which the personal data may be transferred under the contract;
(c) any binding corporate rules (“BCR”) (which may only be used for recipients that are related to the transferring organisation) that:
(i) require every recipient of the transferred personal data that is related to the transferring organisation and does not already satisfy a legally enforceable obligation (via any law, contract in accordance with paragraph (b) above, or any other legally binding instrument), to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and
(ii) specify: (1) the recipients of the transferred personal data to which the BCR apply; (2) the countries or territories to which the personal data may be transferred under the BCR; and (3) the rights and obligations provided by the BCR; or
(d) any other legally binding instrument.
Advisory Guidelines
Inbound Data Transfers
The Key Concepts Guidelines clarify that where personal data is collected overseas and is subsequently transferred into Singapore, the Data Protection Provisions will apply in respect of the activities involving the personal data in Singapore.
Moreover, where personal data originating from outside Singapore is collected by an organisation in Singapore for use or disclosure for its own purposes in Singapore (ie not as a data intermediary for another organisation), the organisation is required to comply with the Data Protection Provisions under the PDPA from the time it seeks to collect the personal data (if such collection occurs in Singapore) or from the time it brings the personal data into Singapore.
The PDPC noted that where personal data is collected outside Singapore, such collection may be subject to the data protection laws of the country or territory in which it was collected (if any). In determining whether an organisation has complied with the Notification Obligation or Consent Obligation under the PDPA before collecting, using or disclosing the personal data in Singapore, the PDPC will take into account the manner in which the personal data was collected in compliance with such data protection laws.
Scope Of Contractual Clauses
In setting out contractual clauses that require the recipient to comply with a standard of protection in relation to the personal data transferred to him or her that is at least comparable to the protection under the PDPA, a transferring organisation should minimally set out protection with regard to the following areas when transferring personal data to a recipient organisation (which is not a data intermediary): (a) purpose of collection, use and disclosure of personal data by the recipient; (b) accuracy; (c) protection; (d) retention limitation; (e) policies on personal data protection; (f) access; and (g) correction.
However, where the recipient is a data intermediary (ie an organisation processing personal data on behalf of and for the purposes of the transferring organisation pursuant to a contract evidenced or made in writing), a transferring organisation should minimally set out protection with regard to protection and retention limitation.
The PDPC also noted that while certain Data Protection Provisions are not imposed on data intermediaries under the PDPA, it is expected that organisations engaging such data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in their processing contract.
Individuals Who May Act For Others Under The PDPA
Exercise Of Certain Rights Under The PDPA In Respect Of A Deceased Individual
An “individual” is defined in the PDPA to mean a natural person, whether living or deceased. However, the applicability of the PDPA to deceased individuals is limited. In this regard, Section 4(4)(b) of the PDPA provides that the PDPA shall not apply in respect of personal data about a deceased individual, except that the provisions in relation to the disclosure of personal data and Section 24 of the PDPA shall apply in respect of personal data about an individual who has been dead for 10 years or less.
In this regard, Regulation 11(1) of the PDP Regulations stipulates that certain specified persons may exercise all or any of the following rights in respect of a deceased person who has been dead for 10 years or less:
(a) the right to give or withdraw any consent for the purposes of the PDPA;
(b) the right to bring a private action for relief in civil proceedings in respect of any loss or damage directly suffered as a result ofa contravention of Parts IV, V and VI of the PDPA by an organisation; and
(c) the right to bring a complaint under the PDPA.
Further, Regulation 11(2) of the PDP Regulations provides that the following persons are specified for purposes of Regulation 11(1) of the PDP Regulations:
(a) a person appointed under the deceased individual’s will to exercise the rights referred to in Regulation 11(1) of the PDP Regulations, or a personal representative of the deceased individual, unless the person or personal representative (as the case may be) has expressly renounced the grant of such right; or
(b) if no person or personal representative referred to in paragraph (a) above is able to exercise such right or power, the deceased individual’s nearest relative determined in accordance with the First Schedule to the PDP Regulations (which sets out the order of priority for the determination of the nearest relative of a deceased individual).
Minimum Age To Exercise Rights And Powers Under The PDPA
Chapter 8 of the Selected Topics Guidelines provides some guidance on the issue of data activities relating to minors.
The Selected Topics Guidelines highlight that the PDPA does not specify the situations in which a minor (ie an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. In general, whether a minor can giveconsent would depend on other legislation and common law.
In this regard, the Selected Topics Guidelines provide that organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent, in determining if he or she can effectively provide consent on his or her own behalf for purposes of the PDPA.
The PDPC noted that the age threshold of 13 years appears to be a significant one in relation to according protection to minors. In this regard, the PDPC recognised that as a practical matter, some organisations may already have policies or practices providing for an age threshold of 13 years in relation to consent. Bearing in mind the above, the PDPC stated that it will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to provide consent on his or her own behalf. However, where an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual, such as the minor’s parent or guardian, who is legally able to provide consent on the minor’s behalf.
In this regard, the Selected Topics Guidelines clarify that where an organisation requires the consent of a minor for the collection, use or disclosure of his or her personal data, the organisation should consider whether it would be appropriate for the organisation to obtain consent given on behalf of the minor from an individual who can legally give consent on behalf of the minor. As a general guide, where the minor is under the age of 13 years, organisations may wish to obtain consent for the collection, use or disclosure of the minor’s personal data from an individual who can legally give consent on behalf of the minor, such as the minor’s parent or guardian.
The Selected Topics Guidelines also note that under Section 15 of the PDPA, an individual may be deemed to have consented to the collection, use or disclosure of his or her personal data for a purpose if he or she voluntarily provides the personal data for that purpose, and it is reasonable that the individual would voluntarily provide the personal data.
With regard to minors, the PDPC is of the view that whether a minor voluntarily provides his or her personal data for a purpose voluntarily would depend on various factors including the following:
(a) the minor’s understanding of the purpose for which his or her personal data is provided;
(b) the minor’s understanding of the effect of giving his or her personal data for that purpose; and
(c) whether there was any undue influence on the minor with respect to the provision of his or her personal data.
As noted above, the PDPC has indicated that it will, as a general guide, take the view that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his or her own behalf, and this guideline would similarly apply to deemed consent.
However, in view of the potential difficulties of establishing whether deemed consent applies, the PDPC is of the view that organisations that wish to rely on deemed consent in certain situations should take extra care to establish whether a minor has sufficient understanding of the purposes for which the organisation is collecting, using and disclosing personal data, and the consequences of giving his or her personal data in such situations. Organisations should also refrain from exercising any undue influence to obtain personal data from minors
.
Further, the PDPC has also noted that given the generally greater sensitivity surrounding treatment of minors, it may be prudent for organisations to consider putting in place relevant precautions if they are (or expect to be) collecting, using or disclosing personal data about minors. As a matter of good practice, organisations that provide services targeted at minors could state terms and conditions in language that is readily understandable by minors, or use pictures and other visual aids to make such terms and conditions easier to understand. Other good practices could include placing additional safeguards against unauthorised disclosure of, or unauthorised access to, personal data of minors, or anonymising the personal data of minors before disclosure, where feasible.
In relation to establishing measures to comply with the Accuracy Obligation, organisations should also consider taking extra steps to verify the accuracy of personal data about a minor, especially where such inaccuracy may have severe consequences for the minor.
Concluding Remarks
As part of its efforts to facilitate understanding and compliance of the personal data protection obligations in the PDPA, the PDPC will continually evaluate the need to publish guidelines in the future on other topics.
References
Please click on the following links to access the documents.
1. Personal Data Protection Regulations 2014
2. Advisory Guidelines on Key Concepts in the PDPA
3. Advisory Guidelines on the PDPA for Selected Topics
4. Closing Note for the public consultation issued by the PDPC on the proposed PDP Regulations
End Notes:
1 Personal data is defined as “data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access” (Section 2, PDPA).
2 Key Concepts Guidelines at para. 2.1.
3 See document issued by the PDPC entitled “Introduction to the Guidelines” at para. 3.1 (available on the PDPC’s website at: http://www.pdpc.gov.sg/docs/default-source/introduction-to-the-advisory-guidelines/introduction-to-the-guidelines.pdf?sfvrsn=0).
4 Section 48A of the Interpretation Act (Cap. 1) relates to the service of documents on individuals, partnerships and bodies corporate. Specifically, Section 48A(1)(c) states that in the case of a body corporate, a document may be served (a) by delivering it to the secretary or other like officer of the body corporate; or (b) by leaving it at, or by sending it by pre-paid post to, the registered office or a principal office of the body corporate in Singapore.
5 Section 11(5) of the PDPA provides that “an organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4)” (ie an organisation’s designated data protection officer(s) or their delegates)
6 Where an organisation is not required to inform any individual requesting access to his or her personal data that it has disclosed personal data to a prescribed law enforcement agency, if the disclosure was made without the consent of the individual in relation to the exceptions to disclosure in the Fourth Schedule of the PDPA relating to investigation, proceedings or prescribed law enforcement agencies, or under any written law.
7 Personal data collected, used or disclosed without consent, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed.
8 Where the use is necessary for any investigation or proceedings.
9 Where the disclosure is necessary for any investigation or proceedings.
10 Paragraph 1(f) of the Fourth Schedule of the PDPA: the disclosure is necessary for any investigation or proceedings; paragraph 1(n) of the Fourth Schedule of the PDPA: the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions and duties of the officer.
11 The PDP Regulations defines the term “data in transit” as “personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring or an employee of the transferring organisation acting in the course of the employee’s employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation.” An example of “data in transit” given in the Key Concepts Guidelines would be data from overseas passing through servers within Singapore enroute to its destination overseas.
For further information, please contact:
Lim Chong Kin, Director, Drew & Napier
Charmian Aw, Director, Drew & Napier
Drew & Napier TMT Practice Profile in Singapore
Homegrown TMT Firms in Singapore