1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Singapore enacted its Personal Data Protection Act (PDPA) on 2 July 2014, comprising various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA takes into account the following concepts:
- Consent: Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);
- Purpose: Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and
- Reasonableness: Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
These concepts are encapsulated into nine primary obligations with which organisations are required to comply:
- consent obligation;
- purpose limitation obligation;
- notification obligation;
- access and correction obligation;
- accuracy obligation;
- protection obligation;
- retention limitation obligation;
- transfer limitation obligation; and
- accountability obligation.
The PDPA separately provides for the creation of a ‘do not call’ registry. Consumers may register with this registry to opt out of receiving certain marketing messages (in the form of voice calls, text or fax messages) to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
The PDPA has no special data protection regimes for specific sectors. The PDPA prescribes a baseline standard of protection of personal data by complementing sector-specific legislative and regulatory frameworks. Organisations must comply with the PDPA as well as the common law and other relevant laws that apply to the specific industry in which they operate when handling personal data in their possession.
Examples of other statutes regulating the handling of personal data include:
- the Computer Misuse and Cybersecurity Act, which criminalises unauthorised access to data, but does not regulate or address lawful collection of data;
- numerous laws relating to the processing of personal data in the public sector that apply to everyone, including secrecy and disclosure laws in the Official Secrets Act, the Statistics Act, the Statutory Bodies and Government Companies (Protection of Secrecy) Act and the Electronic Transactions Act; and
- laws that regulate data held by private sector entities, including the Banking Act and the Telecommunications Act.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Singapore supports open and transparent data flow across borders and data protection standards are in place to ensure that such exchanges occur in a responsive and protected environment.
On 20 February 2018, Singapore became the sixth Association of Southeast Asian Nations (ASEAN) economy to become part of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems alongside other countries such as the United States, Mexico, Canada, Japan and Korea. Singapore is also the second APEC economy to participate in the Privacy Recognition for Processors System alongside the United States.
With the CBPR and PRP systems in place, organisations, after being certified by the Personal Data Protection Commission (PDPC), can exchange personal data with other certified organisations more efficiently, assuring consumers that cross-border transfers of their personal data are subject to high standards of data protection.
As Singapore is one of the European Union's largest trading partners in ASEAN, many organisations inevitably fall under the jurisdiction of the EU General Data Protection Regulation (GDPR). The GDPR protects personal data of data subjects in the European Union and is enforced by supervisory authorities which are independent public authorities established in EU member states.
Singapore organisations outside the European Union must comply with the GDPR if they process personal data of individuals in the European Union or monitor the behaviour of individuals in the European Union.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The Info-communications Media Development Authority has designated the PDPC in Singapore to be responsible for the administration of the PDPA. The PDPC was established on 2 January 2013 and serves as the primary authority in Singapore dealing with the administration and enforcement of the PDPA.
The PDPC has various powers to enforce the provisions contained in the PDPA. These powers relate to alternative dispute resolution, reviews and investigations. When a complaint of a data protection breach is presented to the PDPC, two objectives are commonly set to resolve the issue:
- facilitate the resolution of an individual's complaint relating to an organisation's alleged infringement of the relevant data protection provision(s); and
- ensure that the organisation complies with its obligations under the PDPA and, in the event of non-compliance, prescribe appropriate corrective measure(s) and other necessary action to ensure compliance.
In some cases, the PDPC may conduct a review or an investigation of the matters in question and, depending on the outcome of the review or investigation, issue directions to the relevant organisation to take a certain course of action to rectify the issue(s).
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
The PDPC publishes a range of advisory guidelines (grouped under "Sector-specific", "Industry-specific" and "Practical" categories) to:
- advocate data protection best practices;
- illustrate how the PDPA applies to certain issues and domains; and
- provide greater clarity on how the PDPC may interpret the provisions of the PDPA.
These advisory guidelines also elaborate on how the PDPC interprets and enforces the data protection provisions of the PDPA.
The published grounds of decisions relating to organisations found to have contravened the data protection provisions under the PDPA frequently cite the failure of organisations to follow such guidelines in the relevant sector or industry.
Additionally, through public consultation exercises, the PDPC frequently provides opportunities for the public to submit comments and view responses on regulations, upcoming guidelines addressing specific data protection issues and proposed amendments to the PDPA. Responses from various industries and sectors will invariably lead to comparisons against industry standards, shaping downstream compliance and enforcement policies.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The Personal Data Protection Act (PDPA) applies to all organisations. An ‘organisation’, for the purposes of the PDPA, is defined as any individual, company, association or body of persons, corporate or unincorporated. More importantly, the PDPA applies if the data was collected, used or disclosed in Singapore. It is immaterial that the organisation in question is not located or formed in Singapore.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Certain specific organisations and persons are excluded:
- individuals acting in their own personal or domestic capacity;
- employees acting in the course of employment in an organisation;
- public agencies, such as statutory boards and government agencies; and
- any organisation as designated by the minister and notified to the public in the Gazette.
To a limited extent, news organisations are exempt from the requirement to obtain consent for the collection, but not the use, of personal data for their news activities. ‘News organisations’ are defined in the Second Schedule of the PDPA.
Some acts of collection, use and disclosure of personal data are specifically exempted from the requirements of the PDPA in the Second, Third and Fourth Schedules. These include acts:
- that are clearly in the interest of the individual and consent cannot be obtained in a timely way;
- in response to an emergency, or that are necessary for the national interest;
- for an investigation or legal proceedings;
- for the collection of a debt;
- for the provision of legal services;
- for a research purpose, including historical or statistical research, if those acts satisfy the conditions set out in paragraph 1(i) of the Third Schedule of the PDPA; and
- for evaluative purposes as defined in Section 2(1) of the PDPA.
2.3 Does the data privacy regime have extra-territorial application?
The PDPA has no extra-territorial application outside of Singapore.
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
‘Data processing’ is defined in the Personal Data Protection Act (PDPA) as "the carrying out of any operation or set of operations in relation to the personal data", and includes any of the following:
- recording;
- holding;
- organisation, adaptation or alteration;
- retrieval;
- combination;
- transmission; and
- erasure or destruction.
(b) Data processor
The PDPA uses ‘data intermediary’ instead of ‘data processor’ to describe an organisation that processes personal data on behalf of another organisation.
A data intermediary that processes personal data on behalf of another organisation pursuant to a contract which is evidenced or made in writing will be subject to the provisions relating to protection of personal data (referred to in the PDPA as the ‘protection obligation’) and the retention of personal data (the ‘retention limitation obligation’), and not any of the other data protection provisions.
(c) Data controller
The term ‘data controller’ is not used in the PDPA. The more general term ‘organisation’ is used when prescribing the data controller obligations required for compliance with the PDPA.
An ‘organisation’ broadly covers natural persons, corporate bodies (eg, companies) and unincorporated bodies of persons, regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.
(d) Data subject
In the context of the PDPA, ‘data subjects’ are referred to as ‘individuals’, defined as "natural persons, whether living or deceased".
The term ‘natural person’ refers to a human being, distinguished from juridical persons or ‘legal persons’, which are other entities that have their own legal personality and are capable of taking legal action in their own name. An example of such a ‘legal person’ is a body corporate, such as a company.
The term ‘natural person’ would also exclude unincorporated groups of individuals such as an association which may take legal action in its own name.
(e) Personal data
‘Personal data’ is defined in the PDPA as data, whether true or not, about an individual who can be identified:
- from that data; or
- from that data and other information to which the organisation has or is likely to have access.
The term ‘personal data’ is not intended to be narrowly construed and may cover different types of data about an individual and from which an individual can be identified, regardless of whether such data is true or false or whether the data exists in electronic or other form.
(f) Sensitive personal data
There is no category for sensitive personal data in the PDPA. Generally, some data types deemed to be of a more sensitive nature include:
- an individual's national identification number (eg, National Registration Identity Card);
- personal financial data (eg, transaction and summary details in bank accounts);
- an individual's personal history (eg, criminal convictions); and
- medical conditions.
(g) Consent
Section 13 of the PDPA prohibits organisations from collecting, using or disclosing an individual's personal data unless the individual gives, or is deemed to have given, his or her consent for the collection, use or disclosure of his or her personal data.
This requirement to obtain consent does not apply where the collection, use or disclosure of an individual's personal data without consent is required or authorised under the PDPA or any other written law. This obligation to obtain the individual's consent is referred to as the ‘consent obligation’ in the PDPA.
There are two kinds of consent: deemed and actual. Consent is deemed if both:
- an individual, without actually giving consent, voluntarily provides the personal data to the organisation for the relevant purpose; and
- it is reasonable that the individual would voluntarily provide the data.
Consent (both actual and deemed) can be withdrawn by an individual at any time. Organisations are not permitted to prevent an individual from withdrawing his or her consent. However, organisations must inform the individual as to the legal and business consequences of the withdrawal. If consent is withdrawn, an organisation and its data intermediaries must stop collecting, using or disclosing personal information unless such collection, use or disclosure without the consent of the individual is required or authorised under the PDPA or other written law.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
The statement of the PDPA's purpose (Section 3) states:
The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. (Emphasis added)
From the above statement, the following additional terms should be noted:
- ‘collection, use and disclosure’;
- ‘purposes’; and
- ‘reasonable’.
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Registration of data controllers and processors (referred to as ‘organisations’ and ‘data intermediaries’) is not mandatory under the Personal Data Protection Act (PDPA) before collecting, using or disclosing any personal data in Singapore.
4.2 What is the process for registration?
Not applicable.
4.3 Is registered information publicly accessible?
Not applicable.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
The concept of ‘lawful bases’ for the processing of personal data rose to prominence under Article 6 of the EU General Data Protection Regulation. At least one of these must apply whenever an organisation processes personal data:
- Consent: The individual has given clear consent for processing his or her personal data for a specific purpose.
- Contract: The processing is necessary for a contract with the individual, or because he or she has asked for specific steps to be taken before entering into a contract.
- Legal obligation: The processing is necessary to comply with the law (not including contractual obligations).
- Vital interests: The processing is necessary to protect someone's life.
- Public task: The processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
- Legitimate interests: The processing is necessary for legitimate interests of the individual or a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
Singapore provides the equivalent in Parts 3 to 6 of the Personal Data Protection Act (PDPA):
- Part 3: General Rules with Respect to Protection of Personal Data;
- Part 4: Collection, Use and Disclosure of Personal Data;
- Part 5: Access to and Correction of Personal Data; and
- Part 6: Care of Personal Data.
These obligations of organisations associated with the above legal bases do not vary for different types of personal data processed.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The key principles from the legal bases for the processing of personal data are further expounded as nine obligations under the PDPA, as follows:
- Consent obligation: Organisations can collect, use or disclose personal data only when an individual has given consent. Upon consent withdrawal, organisations must cease all collection, use and disclosure of that individual's personal data.
- Purpose limitation obligation: Organisations may collect, use or disclose personal data about an individual for the purposes for which he or she has given consent, and not for reasons other than the specific purpose set out between the parties.
- Notification obligation: Organisations must state and communicate clearly the purpose(s) for the collection, use and disclosure of personal data before commencing the data collection, usage and disclosure process.
- Access and correction obligation: Individuals may request information on how their personal data has been used through the period for which they have given their consent. Organisations cannot decline such a request and are required to correct any error or omission in an individual's personal data upon such request.
- Accuracy obligation: Personal data collected by or on behalf of the organisation must be accurate and complete as far as possible. Necessary parameters must be set in place to prevent any errors upon consent submission.
- Protection obligation: Organisations must set up security measures to safeguard personal data in their possession to prevent any form of unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Retention limitation obligation: Organisations must cease retention or remove means by which personal data can be associated with particular individuals when no longer necessary for business or legal purposes.
- Transfer limitation obligation: In the event that personal data is transferred to another country, organisations should ensure that the standard of protection is comparable to the protection under the PDPA in Singapore.
- Accountability obligation: Organisations must make information about their data protection policies, practices and complaints process available, either on request or publicly.
These obligations do not vary for different types of personal data processed or for outsourced situations.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Organisations today operate in an increasingly connected and competitive digital economy, where individuals' online and real-world activities generate a burgeoning amount of data.
In such a competitive and evolving business environment, a ‘checkbox’ compliance approach towards the handling of personal data is increasingly impractical and insufficient to keep pace with the developments in data processing activities.
Organisations that focus on compliance through such an approach may find themselves disadvantaged and unable to use data for innovation. Over time, with greater awareness of the risks surrounding the unauthorised collection, use and disclosure of personal data, consumers are increasingly cautious about how organisations are using and managing personal data, and place greater value on trust and accountability.
It is thus important for organisations to shift from a compliance-based approach to an accountability-based approach in managing personal data. This helps organisations to strengthen trust with the public, enhance business competitiveness and provide greater assurance to their customers – all of which are necessary factors for organisations to thrive in the digital economy.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
The transfer of data to third parties, equivalent to ‘data sharing’ as defined by the Personal Data Protection Commission (PDPC), refers to the use and/or disclosure of personal data to one or more organisation(s) and the latter's collection of that personal data.
Data sharing with third parties may be with:
- a data intermediary, who processes data on behalf of another organisation; or
- one or more organisations.
An organisation may engage a data intermediary to process personal data on its behalf. The organisation should put in place a written contract for the data intermediary to process data in accordance with the organisation's instructions. Express consent is not necessary to disclose personal data to a data intermediary. However, the personal data should not be used by the data intermediary for other purposes without the consent of the individual.
An organisation that engages a data intermediary has the same obligations under the PDPA as if the personal data were processed by the organisation itself.
When sharing personal data with other organisations, the organisation should consider the intended purposes of the sharing, as well as the potential benefits and risks to the individuals that may arise from such sharing. Typical considerations include:
- the intended purposes of sharing (whether they are appropriate in the circumstances);
- the types of personal data to be shared (whether they are relevant for the intended purposes);
- whether anonymised data would suffice for the intended purposes;
- whether consent is needed for the sharing and whether an exception applies; and
- whether individuals must be notified of the purposes of the sharing even if consent is not needed.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Section 26 of the Personal Data Protection Act (PDPA) limits the ability of an organisation to transfer personal data outside Singapore, regardless of destination. In particular, Section 26(1) provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.
This requirement not to transfer personal data unless in accordance with the prescribed requirements is referred to as the ‘transfer limitation obligation’ under the PDPA.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Regulations issued under the PDPA specify the conditions under which an organisation may transfer personal data overseas. In essence, an organisation may transfer personal data overseas if it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
Legally enforceable obligations may be imposed in two ways. First, they may be imposed on the recipient organisation under:
- any law;
- any contract that imposes a standard of protection that is comparable to that under the PDPA, and specifies the countries and territories to which the personal data may be transferred under the contract;
- any binding corporate rules that require every recipient of the transferred personal data to provide a standard of protection for the transferred personal data that is comparable to that of the PDPA; or
- any other legally binding instrument.
Second, if the recipient organisation holds a ‘specified certification’ that is granted or recognised under the law of that country or territory to which the personal data is transferred, the recipient organisation is taken to be bound by such legally enforceable obligations. Under the regulations, ‘specified certification’ refers to certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules System and the Asia Pacific Economic Cooperation Privacy Recognition for Processors System.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Data subjects (referred to as ‘individuals’ in the Personal Data Protection Act (PDPA)) have the right to access their personal data held by an organisation. An organisation must provide information on how the data has been handled in the past year up until the date of the access request, as soon as reasonably possible (Section 21(1)).
This right is subject to some exceptions:
- Section 21(2) provides an exception in respect of matters specified in the Fifth Schedule of the PDPA. However, an organisation can decide to ignore the exception and provide the information.
- Sections 21(3) and 21(4) set out mandatory exceptions where the organisation must not provide information to an individual:
- Section 21(3) includes situations where information provided could reasonably be expected to threaten the safety of another individual or be contrary to the national interest, among others.
- Section 21(4) states that an organisation must not inform any individual under Section 21(1) if the organisation had disclosed personal data to a prescribed law enforcement agency without the consent of the individual, under paragraph 1(f) or (n) of the Fourth Schedule of the PDPA.
Individuals also have the right to request corrections of omissions or errors in the personal data which the organisation is in possession or in control of (Section 22(1) of the PDPA). On receipt of a correction request, an organisation must consider whether the correction should reasonably be made. Corrections must be made as soon as practicable.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Organisations must develop policies and practices to meet their obligations under the PDPA and maintain a complaints process. In this regard, data subjects have the right to enquire and gain information on these policies, practices and complaints processes, on request to the organisation.
This is provided for under the ‘access and correction’ and ‘accuracy’ obligations of the PDPA.
7.3 What remedies are available to data subjects in case of breach of their rights?
The fundamental principle of the PDPA is accountability. Accountability is the undertaking and exhibition of responsibility for the personal data in the organisation's possession. Sections 11 and 12 of the PDPA provide for the accountability of organisations to comply with the PDPA. An accountable organisation is answerable to the relevant regulatory authorities and individuals who entrust the organisation with their personal data.
In the event of any data breaches or breaches of data subject rights, the Personal Data Protection Commission (PDPC) will be involved to resolve the issues in question. Some of the measures undertaken by the PDPC may include:
- encouraging self-resolution;
- referring a complaint to an organisation;
- facilitating resolution;
- referring a complaint to mediation; and
- directing parties to attempt to resolve the complaint.
The next level in the hierarchy, where a party is aggrieved by the decision or direction of the PDPC, is to make an appeal to the chairman of the Data Protection Appeal Panel under Section 34(1) of the PDPA. Should the party still be unsatisfied with the decision, he or she may appeal to the High Court and Court of Appeal on points of law.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The data protection provisions of the Personal Data Protection Act (PDPA) – specifically, Section 11(3) of the PDPA – require an organisation to designate one or more individuals to be responsible for ensuring compliance with the PDPA. Section 11(4) provides that a person responsible for compliance with the PDPA may delegate this responsibility to another individual.
Section 11(6) states that the designation of an individual (the ‘data protection officer’ (DPO)) under Section 11(3) does not relieve the organisation of any of its obligations conferred by the PDPA. In other words, the legal responsibility for complying with data protection obligations remains with the organisation. The DPO(s) may be a person whose scope of work solely relates to data protection or a person in the organisation who takes on this role as an additional responsibility.
The PDPA does not prescribe where the DPO(s) should be based. He or she need not even be an employee of the organisation. Organisations may outsource the DPO role to a third party. Neither does the PDPA stipulate a deadline for an organisation to appoint a DPO.
However, the failure to appoint a DPO constitutes a breach of Section 11(3) of the PDPA, as seen from previous Personal Data Protection Commission (PDPC) decisions arising from enforcement cases.
8.2 What qualifications or other criteria must the data protection officer meet?
The PDPA does not prescribe specific qualifications or criteria for a DPO. However, the PDPC recommends that organisations carefully assess their needs before appointing a person or persons suitable for the role of a DPO.
While the role of DPO is an important one in every organisation, it is not uncommon to see DPOs being appointed who have minimal knowledge of what the job truly entails. Since a DPO is responsible for overseeing an organisation's entire data protection and privacy programme, it would be helpful if he or she were equipped with skills in multiple domains, such as legal, IT, administration, cybersecurity and business analytics.
8.3 What are the key responsibilities of the data protection officer?
The main responsibilities of an appointed DPO include:
- ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- developing policies to handle personal data in electronic or non-electronic forms;
- conducting risk assessment exercises to flag any potential data protection risks and putting in place data protection policies to mitigate those risks;
- keeping employees informed of internal personal data protection processes and policies; and
- developing processes for handling queries or complaints from the public.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Organisations with manpower or capability constraints can outsource all or part of the DPO function to a third-party service provider. However, the DPO function remains the organisation's responsibility and the outsourcing service should cover only the operational aspects of the DPO function.
The PDPA sets out an obligation for the business contact information of the DPO, whether internal to the organisation or outsourced, to be made available to the public. This person, or a team of persons, should be able to answer personal data-related queries and complaints on behalf of the organisation.
While the PDPC does not prescribe that the DPO should be based in Singapore, organisations need to ensure that the relevant person:
- is readily accessible from Singapore;
- is operational during Singapore business hours; and
- in the case of telephone numbers, has Singapore telephone numbers, to facilitate prompt response to queries or complaints.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
It is the responsibility of the DPO to create and maintain documentation on the organisation's privacy policies, data protection policies and internal guidelines in relation to the protection of personal data in possession by the organisation.
Such documentation includes:
- personal data inventory, including documenting personal data flows to understand how personal data is being collected, stored, used, disclosed and archived/disposed of;
- complaints and feedback processes;
- records of all training, instructions and guidance provided to staff;
- breach management plans; and
- retention policies.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Organisations may consider the following steps to ensure that they apply sound data protection policies throughout the data lifecycle (from collecting personal data to archiving/disposing of personal data) and across their business processes, systems, products or services:
- Adopt accountability tools to identify key gaps and areas for improvement with respect to data protection.
- Incorporate data protection best practices into business processes, systems, products and services, including:
  - adopting a data protection by design approach; and
  - conducting data protection impact assessments of systems or processes that are new or undergoing major changes.
- Ensure compliance with the PDPA, using contractual clauses and conducting checks of compliance with such clauses.
- Establish a process for data breaches and use incident record logs to document incidents and post-breach response.
- Manage risk through an enterprise risk management framework with reporting mechanisms and conduct internal audits to monitor and evaluate the implementation of data protection policies and processes.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
With regard to the security of personal data, data controllers and processors (referred to as ‘organisations' and ‘data intermediaries' under the Personal Data Protection Act (PDPA)) are to comply with the following obligations.
Protection obligation: When individuals have given organisations their trust, the latter should support and maintain that trust. This is done by setting up the necessary security measures to safeguard the information in the possession or control of the organisation so as to prevent any form of unauthorised access to such information.
Retention limitation obligation: Once an individual's personal data is no longer necessary for any business or legal purpose, organisations must cease retention of the information or remove the means by which the personal data can be associated with an individual.
Transfer limitation obligation: In the event that personal data is required to be transferred to another country for any reason, organisations should do so only according to the requirements prescribed under the regulations. Organisations should ensure that the standard of protection for any individual's personal data transferred is comparable to the protection under the PDPA in Singapore.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
The PDPA generally does not prescribe an obligation to notify individuals in the event of a data breach.
Organisations are advised to notify the Personal Data Protection Commission (PDPC) as soon as possible of any data breaches that may potentially cause public concern, particularly if the breach involves sensitive personal data or there is a risk of harm to some affected individuals. Where criminal activity is suspected, organisations are advised to notify the police and preserve evidence for investigation.
In particular, the PDPC has reminded organisations of their general duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
While the PDPA generally does not prescribe an obligation to notify individuals in the event of a data breach, the PDPC has stated that it is a good practice to notify the affected individuals of such data breaches, as this will encourage them to take the necessary preventive measures to reduce the impact of the breach and regain their trust.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
A ‘data breach' refers to an incident exposing personal data in an organisation's possession or under its control to the risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Data breaches can occur due to various reasons, such as malicious activity, human error or computer system error. Planning to manage a data breach is best done early. Organisations that do not have a data breach management plan in place will find it chaotic and challenging when faced with an actual data breach. Having in place a robust data breach management plan helps organisations to manage and respond to data breaches more effectively. Such plans will need to take into account each organisation's business processes and needs.
A data breach management plan should set out the following:
- a clear explanation of what constitutes a data breach (both suspected and confirmed);
- how to report a data breach internally – the role of each employee is important in reporting data breaches. When an employee becomes aware of a potential or real data breach, he or she should know how, and to whom, to report the data breach within the organisation; and
- how to respond to a data breach – the strategy for containing, assessing and managing data breaches should include roles and responsibilities of employees and the data breach management team.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Organisations should inform employees of the purposes for the collection, use and disclosure of their personal data and obtain the employees' consent prior to such collection, use and disclosure (as the case may be).
In many cases, consent may be obtained at the point of appointing the new employee. It may, however, also be necessary to obtain consent at various points during the employment relationship if the organisation requires more personal data or intends to use or disclose the employee's personal data for other purposes. However, even if consent is given, employees may withdraw that consent under the Personal Data Protection Act (PDPA).
Employers should also note that even if an exception applies such that consent need not be sought, the exception does not affect the rights or obligations arising under any other law. Hence, even if an exception applies under the PDPA, employers must comply with their other legal obligations – for example, to protect confidential information of their employees or under the employment contract.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Workplace privacy, including the rights of employers to conduct surveillance or monitor workplace communications, is not specifically addressed by the PDPA.
In Singapore, the Ministry of Manpower governs the collection and use of data relating to employment matters. Whistleblower hotlines are not implemented in Singapore, save for a number of hotlines through which members of the public can direct complaints.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. The term ‘evaluative purpose' is defined in section 2(1) of the PDPA and includes, among other things, determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.
Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual or employee concerned for various purposes that are common in the employment context – for example:
- obtaining a reference from a prospective employee's former employer to determine his or her suitability for employment; or
- obtaining performance records or other relevant information or opinions to determine the performance of an employee.
Under the PDPA, the collection by organisations of personal data from their employees that is reasonable for the purpose of managing or terminating their employment relationships, and the use or disclosure of such personal data for consistent purposes, does not require the consent of the employees. While consent is not required, employers are required to notify the employees of the purposes of such collection, use or disclosure.
The purposes that can fall within the purpose of managing or terminating an employment relationship can include:
- using the employee's bank account details to pay salaries;
- monitoring how the employee uses company computer network resources;
- posting employees' photographs on the staff directory page on the company intranet; and
- managing staff benefit schemes such as training or educational subsidies.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
Cookies are text files created on a client computer when its web browser loads a website or web application. Often encrypted for protection against unauthorised access, they are used to store information (possibly including personal data) to perform certain functions such as completing forms, facilitating website navigation, authenticating users and enabling advertising technology.
Depending on the purpose(s) for which they are used, the durations for which cookies are stored will differ. Session cookies typically expire at the end of a browser session, while persistent cookies can be stored for some duration in a browser folder until they are deleted. The type of information that they store will also depend on the purpose of the cookie.
Although it is silent on the specific use of cookies, the Personal Data Protection Act (PDPA) nonetheless applies to the collection, use and disclosure of personal data using cookies. Of primary interest is the issue of consent, which is handled with prominent ‘cookie notification' messages common in many online interfaces.
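The distinction drawn above between session and persistent cookies, and the consent point that follows it, can be made concrete on the server side. The following is an added example, not code from the original article or its authors: a small Node.js helper that issues a session cookie when no lifetime is given, a persistent cookie (via `Max-Age`) when one is, and withholds any cookie whose purpose category the visitor has not consented to. The category names (`strictly-necessary`, `functional`, `advertising`) and the shape of the consent record are assumptions made for this example.

```javascript
// Added example (not from the original article). Assumed category names and
// consent-record shape; only "strictly-necessary" cookies are issued without consent.
const CONSENT_EXEMPT = new Set(["strictly-necessary"]);

/**
 * Build a Set-Cookie header value.
 *  - Omitting maxAgeSeconds yields a session cookie (discarded when the browser closes).
 *  - Providing maxAgeSeconds yields a persistent cookie stored until it expires.
 *  - A cookie outside CONSENT_EXEMPT is issued only if the visitor's consent record
 *    includes its category; otherwise null is returned and nothing is set.
 */
function buildSetCookie({ name, value, category, maxAgeSeconds = null, consented = [] }) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (!CONSENT_EXEMPT.has(category) && !consented.includes(category)) {
    return null; // no consent recorded for this purpose: do not set the cookie
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (maxAgeSeconds !== null) {
    parts.push(`Max-Age=${Math.floor(maxAgeSeconds)}`); // makes the cookie persistent
  }
  // Defensive attributes: HTTPS only, not readable by page scripts, not sent cross-site
  parts.push("Path=/", "Secure", "HttpOnly", "SameSite=Lax");
  return parts.join("; ");
}

/** Classify a Set-Cookie header value as "session" or "persistent" from its attributes. */
function cookieLifetime(setCookieValue) {
  const attrs = setCookieValue.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const persistent = attrs.some((a) => a.startsWith("max-age=") || a.startsWith("expires="));
  return persistent ? "persistent" : "session";
}

/** Parse an incoming Cookie request header into a name -> value object. */
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    const v = pair.slice(idx + 1).trim();
    if (k) out[k] = decodeURIComponent(v);
  }
  return out;
}

// Usage with a constructed consent record: the visitor accepted "functional" only.
const consented = ["functional"];
const issued = [
  buildSetCookie({ name: "sid", value: "abc123", category: "strictly-necessary" }),
  buildSetCookie({ name: "lang", value: "en", category: "functional", maxAgeSeconds: 86400 * 30, consented }),
  buildSetCookie({ name: "ad_id", value: "xyz", category: "advertising", maxAgeSeconds: 86400 * 365, consented }),
].filter(Boolean); // the advertising cookie is dropped because consent is absent
console.log(issued);
```

The consent record here is whatever the organisation stored when the visitor responded to its cookie notice; checking it at the point of issue, rather than only displaying the notice, is what turns the notification into an enforced control.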
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud computing is a model that enables access to a shared pool of computing resources that can be rapidly provisioned and released.
With the proliferation of the use of cloud computing in the latest technology and gadgetry – from mobile cloud applications to cloud-based healthcare monitoring systems – data protection rules governing international data transfers have become increasingly important. It is reasonable to consider cloud computing as one of the factors leading to the increase in volume of personal data transfers internationally.
When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the cloud service provider (CSP) on its behalf and for its purposes.
Where the CSP is processing personal data on behalf and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing, the CSP is considered a data intermediary and subject to the protection and retention limitation obligations under the PDPA. Its protection and retention limitation obligations extend to personal data that it processes or hosts for the organisation in data centres outside Singapore.
The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities which do not constitute processing of personal data under the contract.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Today's children occupy a unique position in the marketing ecosystem. They are an extraordinarily powerful consumer group, equipped by technology to exercise commercial influence while also wielding persuasive influence over their parents' buying choices. Although they have become progressively impervious to traditional forms of advertising, their distrust does not extend to familiar online spaces.
With regard to marketing activities applied to a ‘minor' (defined in Singapore law as an individual who is less than 21 years of age), the PDPA is silent on the situations in which a minor can give consent for the purposes of the PDPA. In general, whether a minor can give such consent will depend on other legislation and the common law. In this regard, organisations should keep in mind that Parts 3 to 6 of the PDPA do not affect any legal rights or obligations under other laws.
The PDPC understands that in some countries, some kind of test of maturity is applied – taking into account factors such as the level of maturity of the minor and the minor's capacity to understand the nature of legal rights and whether there is any undue influence exerted on the minor – to determine whether the minor can exercise legal rights. In addition, some countries have enacted legislation to specifically protect minors below a certain age. For example, in the United States, the Children's Online Privacy Protection Act requires certain organisations to obtain verifiable parental consent to collect personal data from children under 13 years of age.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
When data privacy disputes occur, an aggrieved party (usually the complainant) can seek remedies in the following forms.
Administrative remedies: The Personal Data Protection Commission (PDPC) has the power to issue directions as it deems fit to ensure compliance. These directions may include, but are not limited to, ordering organisations to cease collecting, using or disclosing the personal data of another, or to destroy personal data in contravention of the Personal Data Protection Act (PDPA). The PDPC can also direct organisations to perform the necessary corrections to personal data or fine infringing organisations up to S$1 million.
Civil remedies: Directions issued by the PDPC may be registered with, and enforced by, a district court in Singapore. Aggrieved individuals are provided with the right to initiate civil proceedings against organisations for loss or damage suffered.
Criminal remedies: Prima facie, contravention of the PDPA will generally not amount to a criminal offence. However, the PDPA does provide criminal penalties in respect of ‘obstructive' actions – for example, refusing to correct personal data and/or falsifying, concealing or destroying information about the collection, use or disclosure of personal data.
12.2 What issues do such disputes typically involve? How are they typically resolved?
The PDPC may, pursuant to Section 27(2) of the PDPA, review disputes where an aggrieved party (usually the complainant) experiences a situation where an organisation:
- refuses to provide access to personal data requested by the applicant in a request under Section 21 of the PDPA or fails to provide such access within a reasonable time;
- requests a fee in relation to the applicant's access request or a correction request; or
- refuses to correct personal data, as requested by the applicant, or fails to make the correction within a reasonable time.
Some of the measures undertaken by the PDPC include:
- resolving the complainant's complaint through dispute settlement resolutions such as mediation; and
- directing an organisation to take a certain course of action in relation to an individual's request, upon confirmation of the request in question.
12.3 Have there been any recent cases of note?
One of the most notable developments in 2019 was the PDPC implementing stricter rules on the collection, use or disclosure of Singapore's National Registration Identification Card (NRIC) numbers. In a release published on 26 August 2019, the PDPC announced that, with effect from 1 September 2019, it will be illegal for organisations to physically hold onto an individual's NRIC and collect his or her full identification number, unless required to do so by law.
This development has heightened public awareness of many organisations' existing practices in this area, resulting in a higher level of public scrutiny and complaints.
The PDPA has also been considered in the Singapore courts. On 19 February 2019, a state court dismissed a claim brought against the Singapore Swimming Club for defamation and breach of the PDPA. Although written grounds of judgment are not available, this case is significant as it appears to be the first time that the Singapore courts were asked to consider whether there was a breach of the PDPA in circumstances where the PDPC had made no decision in respect of any purported contravention of the PDPA.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The trend of vast amounts of personal data being collected, used and transferred to third-party organisations for a variety of reasons is expected to grow exponentially with increasingly sophisticated technology. As a result of this trend, individuals are becoming increasingly concerned about how their personal data is being used.
Artificial intelligence: A recent development involved the Personal Data Protection Commission (PDPC) presenting the second edition of the Model Artificial Intelligence (AI) Governance Framework. In 2019, some significant advances were witnessed in the use of AI. AI technology can boost productivity, transform businesses and enhance people's lives. As Singapore develops its technological economy, it adopts the position that system decisions made by AI should be explainable, transparent and fair, and that AI systems should be human-centric.
Internet of Things: The Internet of Things (IoT), hailed by some as the next big technological revolution, is the process through which devices such as mobile phones and security cameras are connected to the Internet. As Singapore aspires to be a ‘smart nation', it is already evident that the country's cloud infrastructure, broadband service and the ease of conducting business are facilitating the growth and advancement of the IoT.
The context of the IoT in Singapore is moving away from the idea of data protection and towards collection to improve the country's efficacy and efficiency. Take, for example, controlling the flow of traffic on a daily basis. Currently, road traffic is managed by electronic road pricing (ERP) systems, an electronic toll collection scheme and a usage-based mechanism. The ERP system, apart from collecting tolls, also collects data on the number of cars that pass certain expressways daily. The relevant government agencies then use this anonymous data to enhance and improve their traffic management procedures.
The PDPA is silent as to the governance structure applicable to the IoT; rather, it is left to the respective organisations to decide where they intend to improve and enhance on their existing data protection protocols.
Proposed Amendments to PDPA (2020): On 14 May 2020, Singapore's Ministry of Communications and Information and the Personal Data Protection Commission (PDPC) launched a public consultation on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act.
This is the first comprehensive review since the enactment of the PDPA in 2012.
The key proposed amendments include:
- introducing a mandatory breach notification requirement;
- enhancing the framework for the collection, use and disclosure of personal data; and
- strengthening the PDPC's enforcement powers.
They also incorporate recommendations from the Public Sector Data Security Review Committee to ensure the accountability of third parties handling government personal data and introduce offences for egregious mishandling of personal data.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
An organisation may improve its personal data protection policies and practices through the implementation of a data protection management programme (DPMP): a systematic framework to establish a robust data protection infrastructure, covering management policies and processes for the handling of personal data, and defining the roles and responsibilities of the people in the organisation in relation to personal data protection.
Steps for implementing a DPMP include the following:
- Develop a data protection policy, setting the direction and course of action as part of corporate governance;
- Designate data protection roles and responsibilities of the people;
- Design and revise processes to operationalise data protection policies; and
- Monitor and maintain the relevancy of data protection related policies, processes and people.
Some common pitfalls in data protection include the following:
- Policies for the sake of policies: If policies are created, but not implemented, they become documents of little value other than as evidence in disciplinary procedures.
- Data protection for only IT and legal: The old paradigm of equating ‘data protection' to ‘IT security' or treating data protection legislation as the sole domain of the legal department avoids the reality of extending data protection efforts to existing structures and processes such as risk management, audit and reporting.
- Underestimating the impact of third-party contracts: While responsibility for operational data handling and processing has moved, accountability for compliance has not. Measures to impose controls on the service provider, such as the right to audit or access controls to personal data, are often neglected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.