Lawyer Lau Kah Mei shares 10 frequently asked questions on the Personal Data Protection Act (“PDPA”).
Question 1: Can I take a photograph of a specific person for my firm’s marketing purposes without getting his consent?
No, because among other obligations, the data protection provisions in the PDPA would require the photographer to first obtain consent from the individual before taking the photograph.
“Personal data” is defined to mean data, whether true or not, about an individual who can be identified from that data. Therefore, a photograph of an identifiable individual constitutes personal data about that individual.
However, there are exceptions in the PDPA. For example, the consent and notification obligations under the PDPA do not apply to an individual acting in a personal or domestic capacity. There is also an exception if the information is publicly available. If the photograph is taken of a person in a public space, this is also likely to fall within the “publicly available” exception.
Question 2: How can I dispose of personal data I have collected?
In August 2017, a former financial consultant was fined for breaching data protection laws by disposing of clients’ insurance policy-related documents in a rubbish bin in a residential estate.
The law requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Therefore, please destroy all personal data securely by shredding all such papers.
The destruction of electronically stored personal data should be appropriate for the level of sensitivity of the data involved. It should be noted that even if a file is deleted from the hard disk, it is possible to recover such deleted files. Measures such as secure erasure, degaussing and incineration can reduce the chance of this happening.
Question 3: Must a small organisation also appoint a data protection officer?
Yes, all organisations, including sole proprietorships, have to designate at least one person to be a Data Protection Officer (“DPO”), to ensure the firm complies with the PDPA. Note that definition of “organisation” in the PDPA includes individuals.
The organisation shall make available to the public at least one DPO’s business contact information. The business contact information may be a business telephone number or business electronic mail (email) address of the individual.
A DPO is usually someone who handles this role in addition to his other work unless the organisation has a lot of personal data to manage and needs to employ someone just for that position. Nevertheless, for the avoidance of doubt, the designation of a DPO does not relieve the organisation of any of its obligations under the PDPA.
Generally, the DPO has to make sure he is contactable by members of the public and has to implement thorough processes of handling personal data amongst other responsibilities.
The Personal Data Protection Commission may give the company such directions as it sees fit in the circumstances to ensure compliance with the PDPA and it may also impose a financial penalty not exceeding $1 million.
Where an offence under the PDPA is proved to have been committed with the consent or connivance or is attributable to any neglect of an officer of the company, the officer as well as the body corporate shall be guilty of the offence as well.
Question 4: What are the consequences of breaching the PDPA?
According to a news report in July this year, the Persona Data Protection Commission has taken enforcement action against 300 organisations to date with most of them receiving an advisory notice. But over 30 of them were serious cases, however, with organisations fined or rapped for lax security.
A notable case is the September 2014 leak of the personal data of 317,000 customers of karaoke bar chain K Box, for which the firm was later fined $50,000 for lax security measures.
Question 5: Can I send all my clients email blasts or mass Whatsapp messages to advertise my services?
Organisations are required to check the Do Not Call Registry first unless the clients have expressly and unambiguously consented to receiving such marketing messages. An organisation must obtain the individual’s consent before using his personal data by informing the individual that his email or handphone number was collected for marketing purposes.
Please also note there are exceptions – if the message falls within an exclusion in the Eighth Schedule to the PDPA (for example, the message was sent solely for the purpose of conducting a market survey or the message was sent by an individual acting in a personal or domestic capacity) or if the organisation is able to rely on the Personal Data Protection (Exemption from Section 43) Order 2013 to send the message.
As for emails, organisations are required by the Spam Control Act to provide an unsubscribe facility within the email messages and include a header in the subject field of the message or where there is no subject field, as the first words in the message.
Question 6: My company is part of a group of corporate companies. Can I share personal data that my company has obtained, with the other companies so long as they belong to the same corporate group of companies?
No, unless you have obtained the individual’s consent to disclose to the other companies. Each company is a separate legal entity. The organisation has to inform the individual of the purposes for the collection, use or disclosure of the personal data, on or before collecting the personal data.
Question 7: Can I collect the personal information of job candidates from LinkedIn?
An organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual in the event the personal data is publicly available.
Question 8: At networking events, I receive business cards from other people, and in return I give them my business card. Do I need to safeguard the personal data (phone numbers, email address) in the business card?
You are not obliged to safeguard such business contact information as the PDPA does not apply to such information.
Question 9: Can I contact a prospective job candidate’s previous employer to obtain a reference? Is this personal data?
Yes, you may contact the former employer. The PDPA has an express exception to provide that an organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual if the collection is necessary for evaluative purposes.
Question 10: My condominium management committee has put up on a notice board, details of the annual general meeting. My personal details are found on the notice board which is placed in a common area in the condominium. Is this allowed under the PDPA?
In a decision made in June this year under the Exceltec case  PDPC 8, the Personal Data Protection Commission was of the view that the disclosures that were made by the Management Corporation Strata Title and managing agents have not breached the Consent and Notification Obligations under the PDPA in relation to the disclosure of personal data in the voter lists.
In this case, the relevant information that was disclosed consisted of the (i) names, (ii) unit numbers and, (iii) the voting shares of residents. The Commission was of the view that all these three types of personal data were generally available to the public for the following reasons. First, the information can be found in the strata roll, which is generally available to the public. Second, some of this information may already be found on the Singapore Land Authority Registry, which the public would generally have access to.
Have a question on the PDPA?
If you have any questions about the PDPA, you can get a Quick Consult with Lau Kah Mei or other lawyers for a transparent, flat fee of S$49. You can expect a call back within 1-2 days on the phone to get legal advice and have your questions answered.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.