There is probably a lot of personal data about you that has already been collected by commercial parties
Today, vast amounts of your personal data can be collected and transferred to third party organizations. For example, data about your address, email, gender and age may be collected whenever you fill up your particulars in a sign-up sheet.
Even then, it’s no longer the limit of what data is being collected. A ton of data is collected about you all the time without requiring you your active contribution. An app you use might have access to geo-location data and know where you are at various times of the day, for example.
New business models are emerging everyday with the rise of accessing the internet through the smart phone. StatCounter recently reported that mobile and tablet internet usage exceeded desktop for the first time worldwide. Collecting large amounts of personal data will be at the core of many of these models as startups and businesses try to use this data to create more value.
Given the rise of technology and data collection capabilities, this trend is expected to grow exponentially. According to the Economic Development Board (EDB), the data analytics sector will likely add $1 billion in value to the economy by 2017. Data collection will similarly be of growing importance.
Singapore introduced the PDPA in 2013 to protect personal data
In response to this, the Singapore Government has introduced the Personal Data Protection Act (PDPA). The PDPA aims to regulate the collection, use and disclosure of personal data between organizations. By doing so, it aims to posit Singapore as a trusted and world-class hub for business. Yet, not many SMEs know about data protection or privacy or have many misconceptions about it.
AsiaLawNetwork sat down with 2 lawyers who specialize in data protection to talk about the PDPA in detail. This article is a guide to PDPA by Mark Toh (Engelin Teh Practice LLC) and Jeremiah Chew (Lee & Lee).
What is data protection?
Jeremiah: Data protection is the right of every individual in Singapore to ensure that his or her personal data is only collected, used and/or disclosed with his / her permission.
What is PDPA?
Jeremiah: The Personal Data Protection Act, or PDPA, is a statute which was passed in 2012, and came into operation in four stages in 2013 and 2014. It governs the collection, use and disclosure of personal data by organisations, and also establishes the Do Not Call Register.
Mark: The PDPA and the relevant areas it governs can be visualized in the following diagram
© Mark Toh 2016. Not to be reproduced without express permission.
Top 3 most common misconceptions about PDPA?
Misconception 1 — “It is OK to collect as much information as I want from my customers and employees. I might need it someday.”
FACT: An organisation should only collect personal data for reasonable purposes. In other words, before collecting a piece of personal data, organisations should ask themselves – do I really need this piece of personal data? As an example, one of my clients, which is in the business of renting out space for events, used to ask customers to provide details such as their nationality and their date of birth. These details were not necessary for the client’s business purposes and we advised the client to stop collecting them.
Misconception 2 — “I am allowed to collect data about a person such as geographical location, gender and date of birth without asking permission, because it is not personal data.”
FACT: “Personal data” has a broad meaning in the PDPA. It does not just refer to data which, on their own, allow an individual to be identified (such as name, NRIC). It also refers to data which, in combination with other available pieces of data, allow an individual to be identified. For example, a person’s height (175 cm), gender (male), race (Chinese) and house location (Bishan) may not seem particularly “personal” when viewed individually. However, what if I know that there is only one Chinese male in an organisation who is 175 cm tall and lives in Bishan? In such a case, I would be able to identify that person based on the data I have about him – even if I do not know his name or what he looks like.
Misconception 3 — “I can transfer personal data to my headquarters in another country, because we are all part of the same company.”
FACT: Under the PDPA, if an organisation wishes to transfer personal data outside Singapore, it must comply with certain requirements in the PDPA. In particular, it must ensure that the personal data being transferred is protected to a same or similar standard as it is protected under the PDPA.
Misconception 1 — (For the general public) “The PDPA gives people a right to privacy, including against the government.”
FACT: The PDPA is concerned with Data Protection instead of Privacy. Data Protection means “safeguards relating to personal data” (Oxford Dictionary of Law), and is a more restrictive term. On the other hand, Privacy is “the right of an individual to be left alone and to keep certain matters secluded from public view” (Oxford Dictionary of Law). Due to the unfortunate influence of American and European culture, “privacy” is usually seen as being enforceable against everyone, including the government for breaches of privacy.
However, the PDPA does not bind the Government.
Misconception 2 — (For the general public) “The PDPA imposes obligations on everybody.”
FACT: The PDPA is only applicable to collection of personal data in the course of an organisation’s business. Even then, some types of business are specifically exempted from certain portions of the PDPA.
Misconception 3 — (For organisations) “Only big businesses must comply with the PDPA.”
FACT: The PDPA applies to all organisations, including societies, NGOs, charities, religious organisations, unincorporated associations, informal associations, student organisations, private schools, etc.
What are the consequences of non-compliance? Any examples?
|Non-compliance with Data Protection Obligations||Non-compliance with the Do-Not-Call Registry|
|Mark: May be subject to an investigation by the PDPC (Personal Data Protection Commission).||Mark: May be fined up to S$10,000 per offence.|
|Jeremiah: The punishment for a breach may include a fine of up to S$1 million. The largest penalty imposed by the PDPC to date is S$50,000. (Re K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd).
Repeat offenders may face a more severe fine – an organization that was found to have committed two separate breaches of the PDPA was fined a much larger amount for the second offence.”
Organizations have usually been issued warnings or fined between $500 (Re Chua Yong Boon Justin  SGPDPC 13) to $50,000. The act is new and the PDPC has only begun to release enforcement reports.
|Mark: The current common tariff for first-time offenders appears to be S$3,000 per offence.|
|Mark: There is potential for civil liability according to s. 32 of the PDPA|
There will certainly be negative publicity resulting from this, leading to a drop in reputation and consumer confidence. All PDPA cases are reported online on the Personal Data Protection Commission’s Website and are further released on public databases such as Singapore Law Watch.
They also agree that the PDPC may direct companies who have breached the PDPA to take steps to rectify and/or contain the breach. For example, a travel agency that disclosed passenger information without the passenger’s’ consent was directed to take steps to prevent further disclosure of the information. However, in cases where personal data has been wrongfully disclosed to a large group of people, it may be almost impossible to prevent further disclosure. Prevention is definitely better than cure.
Who should pay more attention to PDPA?
Jeremiah: Companies who deal with a large amount of personal data daily, such as telcos, banks, and managing agents for condos. Companies who rely on direct marketing to promote their goods and services, such as real estate agencies, credit card companies and fitness centres.
Mark: Any company which deals with individuals in their personal capacity on a regular basis. This includes the service, mass marketing, communications, delivery / logistics, and F&B sectors. Employers should also be aware that the data of their employees has to be protected. Individuals should also know their rights and take care to ensure that their personal data is not misused.
Any comments or advice for sector-specific PDPA guidelines?
Jeremiah: The sector-specific PDPA guidelines do not take precedence over the PDPA. Rather, they indicate the manner in which the PDPC will interpret the PDPA in relation to organisations in these sectors. An organisation’s first priority should therefore be to ensure that its staff (especially the ones in charge of ensuring compliance with the PDPA) are familiar with the PDPA, and not simply rely on the sector-specific guidelines alone.
Mark: The best way for now is to refer to the sector-specific PDPA guidelines on the PDPC website. For specific questions regarding specific sectors, organisations should seek legal advice.
Can you give us concrete, practical and actionable things / steps I need to do to be PDPA compliant? How would you prioritize these? Which are the most difficult to get done?
Mark: You could take the following steps:
- Appoint someone (ideally of middle/senior managerial level, but reporting straight to the Board) to be the DPO (Data Protection Officer) and have him understand the PDPA; There are training courses available from external professional agencies to help laymen understand the PDPA. Alternatively, as there is no requirement for a DPO to be an employee of the organisation, you may appoint an external professional as a DPO and have him or her review and train your staff.
- Have a suitably qualified person conduct an audit of your firm’s practices. There are resources available from the PDPC website, such as the PDPA Checklist, to help you conduct such audits on your own. Alternatively, engage a professional to do so.
- Identify weaknesses in processes and remedy them. Prepare the appropriate standard forms.
- Establish a Data Protection Plan and ensure all employees are aware and able to understand it and the importance of keeping to such processes. Provide them with appropriate resources to remind them of such.
- Prepare appropriate standard forms and operating procedures to ensure proper consent is obtained and data is protected.
- If you conduct marketing through contacting Singapore telephone numbers, register an account with the Do-Not-Call registry and check each telephone number against the registry before attempting to contact them.
- Have a clear contingency plan in place in case of a breach of the PDPA.
- Update and review the Data Protection Plan and practices from time to time.
Jeremiah: These are some suggested steps that an organization should take, in chronological order:
|Appoint a Data Protection Officer (DPO), who will be responsible for ensuring that the organization complies with the PDPA.||1-2 days||The PDPA requires organizations to have at least one DPO. If the organization has several departments, consider appointing a data protection representative for each department, who can assist the DPO in PDPA-related issues.|
|Help the DPO (and the data protection representatives, if any) to understand the PDPA.||1-2 weeks||As a good starting point, the PDPC has helped to develop a two-day course for DPOs / data protection representatives: “Fundamentals of the Personal Data Protection Act” (https://www.pdpc.gov.sg/organisations/help-for-organisations/pdpa-bm-wq). There are many other organisations in Singapore which conduct PDPA courses and training sessions, including law firms.|
|Undertake a privacy impact assessment (PIA).||Anywhere from 2 weeks to 3 months||The purpose of the PIA is to understand the types of personal data collected by the organization, identify potential data protection issues and consider how they can be resolved.
This will often be the most time-consuming and tedious stage, especially if the organization regularly deals with personal data. As an example, I helped to conduct a PIA for an SGX-listed property developer which took more than 2 months from start to finish.
Filling in the PDPC’s PDPA checklist is a good start for any organization conducting a PIA. However, identifying and resolving potential data protection issues often requires an in-depth knowledge of the PDPA, the subsidiary legislation and the various guidelines issued by the PDPC. Sometimes, there is no straightforward answer and it is necessary to make a judgment call based on an interpretation of the PDPA. Unless an organization has employees who are privacy experts, it may be worthwhile engaging privacy lawyers to assist with the PIA.
|Carry out the recommendations in the PIA.||2-4 weeks||Examples of recommendations include crafting of privacy policies, amending existing documents for PDPA compliance, setting up new processes or workflows for handling personal data, implementing security measures, liaising with service providers to ensure that they are PDPA-compliant, and contacting customers to seek consent for marketing purposes.|
A list of useful PDPA resources
Both: As the PDPC enforces the PDPA, their publicly available guidelines – which indicate how they will enforce the PDPA – are one of the most useful resources. I would recommend that all DPOs and data protection representatives familiarize themselves, at the very least, with the Advisory Guidelines on Key Concepts in the PDPA and the Advisory Guidelines on the PDPA for Selected Topics. This PDPA checklist by PDPC is also helpful.
Where can I get help if I need more help with PDPA?
Want legal advice over the phone from Mark Toh?
If you would like to get quick and specific advice on PDPA, Mark Toh is available for a Quick Consult where he will advise you over the phone for a transparent, flat fee starting at S$49. Click HERE to schedule a Quick Consult with Mark Toh right now.
Join our Facebook Live Q&A with Jeremiah Chew this Wednesday!
Jeremiah Chew from Lee & Lee will be answering your questions on PDPA Live on Facebook this Wednesday (16 November 2016). This is the second in our very successful series of Live Q&A with great lawyers in our network. You can watch our earlier FB Live Q&A with Samuel Ng on “Tips on the Law for Startups” that garnered 6k views in a few days HERE.
Click HERE to sign up now!
The information contained in this article is accurate as at the time of publication. All views expressed are solely the opinions of the contributors and do not necessarily reflect the opinions of their respective firms. This article is not to be relied on as legal advice and you are advised to seek legal advice from a solicitor for any questions you may have in relation to the above-mentioned topic. All rights are fully reserved, and you may not reproduce or amend this article in whole or in part without obtaining the prior express written consent of Asia Law Network and the contributors to this article.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.