4 April, 2012
Legal News & Analysis – Asia Pacific – Singapore – TMT
INTRODUCTION
On 19 March 2012, the Ministry of Information, Communications and the Arts (“MICA”) issued a consultation paper to seek feedback on the proposed Personal Data Protection Bill (“DP Bill”). The closing date for feedback is 30 April 2012.
If approved by Parliament, the DP Bill will become Singapore’s first general data protection law (“DP Law”). The proposed DP Bill sets out:
(a) a general data protection framework (discussed in PART I below); and
(b) a national Do-Not-Call (“DNC”) Registry, for individuals to opt-out of receiving unsolicited marketing calls and messages (discussed in PART II below).
The latest public consultation comes after two previous ones that MICA had conducted to obtain feedback on the policy positions applicable to the proposed DP Law.
PART I: GENERAL DATA PROTECTION FRAMEWORK
The proposed DP Law is intended to set the minimum standards that private-sector organisations operating in Singapore must observe for the collection, use and disclosure of personal data. It will operate alongside existing sector-specific data protection frameworks. Organisations will generally be required to obtain the consent of individuals for the collection, use and disclosure of their personal data and limit such activities to reasonable purposes. Organisations must further take reasonable steps to ensure the accuracy and security of personal data. Individuals will have a right to inspect their own personal data that is stored by organisations and to request that inaccuracies be corrected.
Types of data covered
The proposed DP Law will cover “personal data”, which is defined widely to refer to all data from which an individual can be identified.
The proposed DP Law will apply to both electronic and non-electronic data, and the personal data of both living and deceased individuals. It will also be applied consistently across all types of personal data, regardless of the degree of sensitivity.
Organisations covered
The new DP Law is intended to apply to all private sector organisations, regardless of scale or size. The draft DP Bill defines “organisation” broadly, which includes any individual, company, association or body of persons, corporate or unincorporated. However, certain categories are excluded from the operation of the DP Law: individuals acting in a personal or domestic capacity, employees, public agencies, organisations acting as an agent for a public agency, and other prescribed classes of organisations.
Government agencies will not be subject to the requirements of the DP Law, as the Government has its own set of data protection rules which all public officers must comply with. Additionally, the DP Law will not apply to an organisation in the course of acting as an agent of a public agency in relation to the processing of personal data, as such organisations would be subject to the Government’s data protection rules.
MICA has also clarified that the proposed DP Law will apply to organisations that have no physical presence in Singapore, as long as those organisations are engaged in data collection, processing or disclosure activities within Singapore. This includes overseas organisations that collect data from individuals in Singapore via online channels.
Exclusions
Several exclusions are provided for under the DP Law.
The proposed DP Law will not cover personal data contained in a record that has been in existence for at least 100 years.
MICA is also considering providing exclusions for examination marks and personal data contained in examination scripts and documents, as well as universities’ student admissions.
For now, MICA does not intend to exclude data transfers between related organisations (such as between an organisation and its head office), as MICA considers that it would be reasonable to require consent in such cases.
Data intermediaries
“Data intermediaries” are proposed to be excluded from the majority of obligations under the DP Law. “Data intermediaries” are defined as organisations which process personal data on behalf of another organisation but do not include employees of that other organisation, eg local hosting or cloud providers. While data intermediaries will not be required to comply with the general requirements pertaining to collection, use, disclosure, access and correction, and accuracy and retention of personal data, they will, however, be required to make reasonable security arrangements to protect personal data in their custody or under their control. Organisations that engage data intermediaries to process information on their behalf will be responsible for general compliance with the DP Law in respect of the information.
Personal data of deceased individuals
MICA has proposed that personal data pertaining to deceased individuals be excluded from most of the obligations under the DP Law. Instead, organisations will only be subject to the requirements to:
(a) make reasonable security arrangements for the protection of such data; and
(b) comply with the requirements relating to disclosure of personal data.
These reduced obligations will only apply for 10 years from the deceased’s date of death. Provisions relating to the collection, use and processing of personal data will not apply, nor will access and correction rights apply.
Business contact information and related data
MICA has also proposed an exclusion for business contact information, which includes an individual’s name and his/her business telephone number, address and email address. However, personal data provided by the individual solely for use in the personal context will not constitute business contact information.
Data protection representative
To promote accountability, organisations will be required to designate one or more individuals responsible for ensuring compliance with the requirements of the proposed DP Law.
Consent
An individual’s consent will be required before an organisation can collect, use or disclose the individual’s personal data, unless required or authorised by law. There are three broad categories of consent under the DP Law: express, implied and deemed consent.
Organisations seeking consent will be required to state the purposes for which they are collecting, using or disclosing the personal data.
Referrals
Where referrals are made by existing customers of an organisation, consent by the referred individual is required to be obtained either prior to, or at the point of collection. As there may be practical difficulties obtaining consent from referred individuals directly, MICA has acknowledged that confirmation may be sought from the referror that such consent had been given instead.
Consent as a condition of supplying a product or service
Organisations will not be allowed to require individuals to consent to the collection, use or disclosure of personal data, as a condition of supplying a product or service, beyond what is reasonable to provide that product or service. However, such prohibition does not apply if organisations are required or authorised to collect additional data under other laws.
Deemed consent
An individual will be deemed to have given consent for the collection, use or disclosure of his/her personal data for a purpose if:
(a) he voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that he would voluntarily provide such data.
In cases where individuals are notified of an organisation’s intent to collect, use or disclose their personal data but do not object within a reasonable timeframe, MICA considers that there should not be automatic deemed consent, as a “failure to opt-out” approach will place an unfair burden on individuals who may be unable or unaware of the need to object, or the implications of not objecting. That said, there may be instances in which consent may be implied through an individual’s inaction, or which may fall within the provision for deemed consent.
Withdrawal of consent
An individual may withdraw his/her consent to the collection, use or disclosure of his/her personal data at any time upon giving reasonable notice, unless doing so would frustrate the performance of a legal obligation. It is intended that withdrawal of consent would only apply prospectively.
Where an individual has withdrawn consent, organisations will not be required to inform third parties to whom data has been disclosed of the withdrawal, except for third parties which are the organisation’s data intermediaries or agents. Instead, the individual may contact these third parties in order to withdraw his/her consent.
Exclusions from consent requirements
There will be prescribed situations which are excluded from the requirement to obtain consent for the collection, use or disclosure of personal data, as set out in the Third, Fourth and Fifth Schedules of the draft DP Bill. For example, an organisation may collect, use and disclose personal data about an individual without consent where it is necessary to respond to an emergency that threatens the life, health or safety of the individual. In particular, employers may also collect, use or disclose an individual’s personal data without the employee’s consent (but with notification to the employee) for the purpose of managing or terminating an employment relationship.
Purpose
Under the draft DP Bill, organisations may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and which fulfil the purposes disclosed to the individual concerned. Fresh consent has to be obtained where personal data collected is to be used for a different purpose than what was originally consented to.
MICA’s intent is not to allow carte blanche transfer of personal data among organisations without individuals’ consent. To this end, organisations that wish to collect personal data of individuals from another organisation must ensure that the organisation from which the personal data is collected is permitted to disclose it under the DP Law, and the organisation processing the data would have to ensure that the collecting organisation’s purposes are in accordance with what the individual consented to.
Extra-territorial transfers
For data transfers out of Singapore, regardless of whether the transferring and receiving organisations are related entities, MICA proposes to require organisations to comply with the DP Law. MICA considers that personal data should be accorded a similar level of protection even if transferred outside Singapore.
Access and correction rights
Under the proposed DP Law, individuals will have the right to query how organisations have used or are using their personal data. Upon an individual’s request, organisations will be required to disclose to the individual his/her personal data in the custody or control of the organisation, and how the personal data has been or may have been used by the organisation. Credit bureaus will additionally be required to disclose to the individual the sources from which they received the personal data.
Individuals will also have the right to request organisations to correct any inaccurate data that is in the organisation’s control, unless there are reasonable grounds for not doing so. Organisations are required to send the corrected data to any third party to which the personal data was disclosed within the year before the correction was made.
MICA proposes to allow organisations to charge individuals a reasonable fee for access and correction requests.
Organisations will not be permitted to give individuals access to their personal data where disclosure:
(a) could reasonably be expected to threaten the safety or physical or mental health of another individual, or cause immediate or grave harm to the requesting individual;
(b) would reveal personal data about another individual;
(c) would reveal the identity of another individual who has provided personal data about another and the former does not consent to the disclosure of his/her identity; or
(d) would harm the national interest.
MICA also recognises that in certain circumstances, it may be impractical for organisations to grant individuals access to certain personal data. A comprehensive list of exceptions is contained in the Sixth and Seventh Schedules of the draft DP Bill. For example, organisations will not be required to provide access to personal data that is subject to legal professional privilege or data that is created by a mediator or arbitrator in the conduct of a mediation or arbitration.
Accuracy, protection and retention
MICA proposes to retain the rules pertaining to the accuracy, protection and retention of personal data that it had earlier laid out in its previous public consultations.
Accuracy of personal data
Organisations must make reasonable efforts to ensure that personal data collected is accurate and complete, if it is likely that the data will be used to make a decision that affects the particular individual or be disclosed to another organisation.
Protection of personal data
Organisations will be required to protect personal data in their custody or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks.
Retention of personal data
Where an organisation uses an individual’s personal data to make a decision that directly affects him or her, the data must be retained for at least one year, so that the individual will have a reasonable opportunity to access it.
Organisations must delete or anonymise personal data as soon as it is reasonable to assume that the purpose for collecting the data is no longer served by its retention, and retention is no longer required for legal or business purposes.
Organisations will not be required to specify retention periods upfront when collecting personal data.
Data breach notifications
While it will not be mandatory for organisations to issue data breach notifications, such notifications may be considered as mitigating factors in future enforcement actions.
Enforcement and civil action
A Data Protection Commission (“DPC”) will be set up to oversee the implementation of the proposed DP Law. The DPC will be given powers to administer the proposed DP Law, including the power to issue guidelines and directions to remedy non-compliance, to review complaints and initiate investigations, as well as to impose financial penalties.
The DPC may direct organisations to, inter alia:
(a) stop collecting, using or disclosing personal data in contravention of the DP Law;
(b) destroy personal data collected in contravention of the DP Law; and
(c) pay a financial penalty of up to $1 million.
MICA has noted that while there is no formal mechanism for the DPC to hear reconsideration requests, the DPC may in future consider other procedural avenues to allow organisations to make their representations to the DPC.
An independent Data Protection Appeal Panel (“DPAP”) will be established to hear appeals by aggrieved organisations against the DPC’s enforcement decisions. Further appeals to the High Court may be made against the DPAP’s decision in respect of points of law or the amount of a financial penalty.
Civil action
Individuals who suffer loss or damage as a result of infringements can institute civil proceedings against infringing organisations. Remedies that may be sought include injunctions, declarations, and damages.
Transitional arrangements
Sunrise period
To allow organisations sufficient time to comply with the new DP Law, it is proposed that a sunrise period (from the time the DP Bill is passed until the provisions take effect) of 18 months be made applicable to all organisations. During this period, the DPC will conduct activities to inform businesses and consumers of their rights and obligations under the new regime. MICA will further assist organisations by publishing guidelines on various pertinent issues under the new DP Law.
Existing personal data
For existing personal data collected prior to the operation of the new DP Law, MICA proposes to allow organisations to use such data for the purposes for which such data was collected, and only for reasonable existing uses. Fresh consent would be needed before data can be used for a new purpose, or for purposes beyond what would be considered reasonable.
Additionally, where personal data has been collected with consent, individuals will have the right to withdraw their consent. Where consent has not been obtained, individuals will have the right to require organisations to stop using the personal data by indicating that they do not consent to such use.
Specific scenarios
In its consultation paper, MICA has provided examples of how the DP Law is expected to apply in the following scenarios.
Use of NRICs and NRIC numbers
In general, the collection, use or disclosure of NRICs, NRIC numbers or other unique identifiers will not be prohibited under the DP Law, although in certain instances such activities may be unnecessary or excessive for the stated purposes.
Lucky draws
In general, individual participants of lucky draws and contests would have consented to giving their personal data for the purpose of participation. Businesses that collect personal data for secondary purposes such as marketing will need to disclose and seek consent for such purposes.
CCTVs
Individuals’ images captured on CCTV will be considered personal data under the DP Law, although there is an exclusion for CCTV footage captured for private or home use. Organisations using CCTV in their premises should inform individuals, eg by putting up prominent signs or announcements. CCTV surveillance should be for limited and defined purposes or as required by law. Images should be destroyed when no longer required for the defined purposes.
Photography in public places
Photographs capturing individuals’ images would generally be considered personal data. While photographs taken for non-commercial purposes are likely to be excluded from the DP Law, the requirements for subsequent collection, use or disclosure of the photographs would depend on the purposes of these activities. MICA recommends that organisations generally avoid taking photographs that would identify individuals, or seek their consent for the image to be included in a photograph.
Cookies
“Cookies” are small files that are downloaded onto a device when the user accesses certain websites. While cookies can enable websites to track users’ online behaviour, MICA takes the view that the DP Law should not hinder the legitimate use of cookies in enabling websites to improve service offerings. As a start, websites that notify users of the use of cookies will be deemed to have obtained users’ consent to the collection of personal data by cookies. Where there is no notification, the DPC will assess each case to decide whether there is deemed consent.
Location-based Services (“LBS”) and Geo-location Data
LBS refers to services delivered to a mobile device based on the device’s geographic location, while geo-location data refers to data pertaining to the geographic location of a party. Providers of LBS would be expected to comply with the DP Law in respect of any personal data (including geo-location data where applicable) under their control or custody.
PART II: DNC REGISTRY
The DNC Registry is intended to provide a simple and effective way to “opt-out” of receiving marketing messages by means of a one-time registration of Singapore telephone numbers. The DNC Registry is targeted at messages which contain marketing elements, which are sent via telephone calls, text messages or faxes. Any sender of a message falling within the definition of a “specified message” will be required to check if any recipient telephone numbers are registered on the DNC Registry within 30 days before sending the message.
Types of messages covered
Marketing messages
MICA has proposed for the DNC Registry to cover a list of specified messages with marketing purposes. Such marketing messages are essentially messages which offer to supply, advertise or promote goods or services. While non-marketing messages (including personal, charity-driven, electoral or political messages and market surveys) would generally fall outside the purview of the DNC Registry, MICA has indicated that the DNC Registry may be expanded in future to include non-marketing messages should the need arise.
Medium through which message is sent
The DNC Registry will cover messages sent to telephone numbers in sound, text, visual or other forms. Telephone calls, faxes, SMS and MMS messages would fall within the ambit of the DNC rules. The DNC Registry also applies to specified messages sent through smartphone applications that use a telephone number as an identifier or via other technologies using a mobile data connection, eg Whatsapp, Viber.
The DNC Registry does not cover email messages, post, messages sent to individuals’ home addresses, or other messages sent without the use of telephone numbers, eg messages sent through cell broadcast.
No geographical limitation
The DNC Registry will only apply to specified messages which are addressed to a Singapore telephone number. It is inconsequential where the message originates, where the sender is located when the message is sent, where the device used to access the message is located, and where the recipient is located when the message is accessed.
Registration and withdrawal
Registration and withdrawal of telephone numbers
The DNC Registry will allow Singapore telephone numbers of individuals, as well as businesses, to be registered. MICA proposes to have two methods for registration of a number on the DNC Registry:
(a) by dialing a toll-free number using the telephone number which is proposed to be registered (the DNC Registry will automatically identify the originating number); or
(b) by filling up an online form and providing proof of ownership of the phone number.
Registration of telephone numbers will be free-of-charge.
Registration is permanent until withdrawn from the DNC Registry, or the termination of the number. MICA proposes that telecommunication licensees which are assigned Singapore numbers will be required to submit terminated telephone numbers to the DNC Registry monthly for de-registration.
MICA proposes to allow telephone numbers to be withdrawn free-of-charge from the DNC Registry by adopting similar methods as with registration.
Consent
For individuals who have registered their telephone numbers on the DNC Registry, MICA proposes to allow organisations to send specified messages to these individuals if the organisation has obtained explicit consent from the individual. In this regard, it will not be sufficient for businesses to show that they have an existing business relationship with the individual. Further guidance as to what constitutes explicit consent will be provided by the DPC at a later stage.
MICA has also clarified that explicit consent given by individuals before the DNC Registry comes into operation would still suffice to allow organisations to send specified messages to them. However, the explicit consent of an individual may be withdrawn at any point in time.
Identification of sender
MICA proposes to require that any specified message sent to a Singapore telephone number must include either the originating number, or the organisation’s name and a suitable contact number. For specified messages sent as voice calls or fax messages, the calling line identity of the sender must not be concealed or withheld.
Filtering of DNC lists
“Filtering” of numbers registered with the DNC Registry
MICA proposes to create three separate DNC registers, one each for telephone calls, faxes and text messages (including SMS and MMS). Any organisation intending to send specified messages would be required to send a list of telephone numbers to the DNC Registry for “filtering” at least once every 30 days, to confirm whether any Singapore telephone number on their list is listed in any of these registers. Organisations would not be required to “filter” numbers for which individuals had provided their explicit consent to receive specified messages, even if such individuals had registered with the DNC Registry. Organisations that engage a subcontractor to carry out the sending of specified messages will nevertheless retain the primary responsibility for complying with the “filtering” requirements.
Fees and registration
Details on the charging framework for the “filtering” process will be provided closer to the setting up of the DNC Registry. The DNC charges will be on a cost-recovery basis, and are likely to be proportional to the quantity of numbers “filtered”. While MICA had previously suggested that organisations will have to pay an annual subscription fee to check the DNC Registry, it has now stated that it will consider shorter-term subscriptions for organisations which advertise or promote their products only a few months in a year.
Small-quantity number lookup service
MICA intends to offer a small quantity number lookup service. As previously stated in last year’s public consultation on the DNC Registry, it is expected that organisations will be able to input phone numbers one by one into an online form (subject to a maximum number within a particular timeframe) to check if those numbers are registered within the DNC Registry. The aim is to ensure that smaller operations will be spared from higher compliance costs.
Accountability for agents, partners and vendors
As a general principle, organisations should be responsible for their agent’s actions since agents are considered to be employed by the organisations.
Penalty and enforcement
Under the DNC framework, persons who breach the DNC rules would be liable to penalties of up to $10,000 per breach, and up to $1,000 in the case of compounded fines. Generally, organisations in breach of the DNC rules (eg sending specified messages to a Singapore telephone number without complying with the “filtering” requirements or without providing the required contact information) would be liable to penalties based on each message sent, whereas telecommunication service providers who fail to provide information on terminated numbers as mandated are liable to penalties based on each incident of failure.
Sunrise period
To provide sufficient time for organisations to comply with the DNC framework, MICA estimates that the DNC Registry and DNC rules would only come into operation at least 12 months from the time the DP Law is enacted.
REFERENCES
MICA’s consultation paper on the Proposed Data Protection Bill (issued 19 March 2012).
For further information, please contact:
Lim Chong Kin, Director, Drew & Napier