Personal Data Protection Law
As a result of recent regulations, Singapore companies are required to obtain the consent of an individual before they can collect, use, or disclose any personal information related to that individual. The Personal Data Protection Act (or PDPA) relies on two main pillars for protecting consumers: the Do Not Call (DNC) Registry and general data protection provisions. If you manage a company based in Singapore, you should understand the scope of this regulation and its possible impact on the operations of your firm. This article provides such an overview of the PDPA.
Singapore citizens have the option of registering their telephone and/or fax numbers with the Do Not Call Registry if they do not want to be subject to unsolicited marketing over these communication channels. To comply with the law, Singapore businesses have to check their phone or fax based marketing efforts against the DNC Registry before engaging in marketing or else risk fines. The government has set up a Personal Data Protection Commission specifically to ensure that this law is adhered to.
The other general provisions of the PDPA legally obligate businesses to use personal data responsibly; the law requires companies to inform citizens why their data is being used, obtain their consent for the use of data and only store the data for as long there is a legitimate, reasonable business or legal case to do so. Corporations must nominate an in-house designated data protection officer to oversee all compliance activity.
History of the Law
The increasing reliance on cloud hosted information storage raises questions for both businesses and governments about how best to protect the privacy of consumer data. In the years prior to 2012, Singapore-based businesses saw an increased reliance on collecting, using, and storing personal data as part of their operations. In response to local and global concerns over the use of such data, the Singapore government examined other jurisdictions that have established comprehensive data protection laws, particularly the UK, the EU and Commonwealth countries. The government also studied the OECD guidelines on the Protection of Privacy and Transborder Flow of Personal Data and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. Following three public consultations in 2011 and 2012, the Personal Data Protection Act (PDPA) was passed on 15th October 2012 as the 26th Act of that year. The full text of the Act is available online.
After receiving presidential assent on 20th November 2012, the law was introduced in four phases so as to allow time for businesses to gradually bring their internal personal data protection policies into compliance with the law.
- In the first phase, the government set up a Personal Data Protection Commission to administer and enforce the law, as well as an Appeal Panel. This phase was completed in time for the subsequent parts of the law to enter into force on 2nd January 2013.
- Commencing on 2nd December 2013, organisations were able to create an online account with the Do Not Call (DNC) Registry.
- The provisions relating to the DNC Registry came into effect on 2nd January 2014.
- Finally, the other general provisions relating to personal data protection came into force on 2nd July 2014.
The PDPA comprises various rules that govern the collection, use, disclosure and care of personal data. It recognises the rights of individuals to protect their personal data, as well as the rights of businesses to use personal data for legitimate purposes. The law is designed to provide a balance between these two sets of rights. By regulating personal data, the PDPA sets out to make Singapore a leader in digital information management policies and solidify its status as a world-class location for doing business.
Personal data is defined as data about an individual, as opposed to data about an organisation. Thus, the PDPA does not apply to business contact information provided by an individual exclusively for business purposes, such as a job title, a business telephone number or business address; the data must be personal in nature, such as a personal cell phone or home phone number. In order for the data to be categorised as personal, it should be possible to identify from the data the individual to whom it refers. Other examples of personal data include passport number, date of birth, fingerprints, and DNA profiles. The PDPA covers both digital and analog data.
The PDPA establishes two separate mechanisms for the protection of personal data in Singapore: the DNC Registry and the data protection provisions.
The DNC Registry consists of three separate registers covering telephone calls, text messages and faxes. If an individual records a Singapore number with any of these registers, businesses are prohibited from contacting that individual for marketing purposes using that medium. To get round this regulation, the business must obtain express consent from the individual that allows the business to contact the person over the channel that has been registered in the DNC Registry. The business must be able to provide regulators with evidence of such consent, such as a signed letter.
The other data protection provisions in the PDPA are based on the following principles:
- Consent: Organisations may collect, use and disclose personal data only with the consent of the individual concerned. An individual is deemed to have provided consent if he or she voluntarily hands over personal data to an organisation. Individuals can withdraw this consent at any time, and organisations are prohibited from stopping them from doing so.
- Purpose: Organisations may collect, use and disclose personal data only after they have informed the individual about the purpose of such data collection activities. In other words, organisations can not collect personal information merely because they have access to such data; there should be an explicit business purpose to such collection.
- Reasonableness: An organization’s purpose for data collection must pass the reasonable test i.e. such a purpose must be considered appropriate by a reasonable person.
- Accuracy: If any data is to be used to make a decision affecting the individual concerned, or the data is to be disclosed to another organisation, businesses should ensure that all such personal data is accurate and complete. The aim of this provision is to ensure that individuals do not suffer from incorrect decisions by organizations due to inaccurate or incomplete data (such as denial of credit due to erroneous past credit history information).
- Transferability: Personal data must not be transferred outside Singapore if the jurisdiction to which the data is being transferred does not provide legal protections that are comparable to the PDPA for the individual concerned.
- Retention: Data should only be held by companies for as long as there is a business or legal reason for doing so.
The regulations provide for some exceptions to the requirements of the PDPA. Data arising from an individual’s family, personal or domestic affairs is exempted (for example, when an individual keeps a database of friends’ and relatives’ contact information for personal use). Similarly, data collection performed by employees as part of their regular employment duties. In this case, it is the employer who has to comply with the PDPA, not the employee. Also excluded are any business data provided by an individual for a business purpose, such as a business fax number. As this law relates to personal data, B2B data is not regulated as part of the PDPA. Government agencies are excluded, too. Finally, the PDPA does not apply to any data that is more than 100 years old, or individuals who have been dead for longer than 10 years.
Recommendations for Compliance
The Singapore government has published a set of advisory guidelines and it provides informal guidance for compliance with the PDPA. The following is a layperson’s summary of these guidelines.
It is obvious that all businesses need to check against the DNC Registry before they engage in any relevant marketing activities. If you are unable to obtain prior consent to use a customer’s communication channel, you will need to check against the DNC Registry to ensure that the marketing channel that you plan to use is not registered there. To do this, go to their website and apply for a DNC checking account at the cost of S$30 (or S$60 if your business is based overseas). After your account is approved, submit a list of telephone numbers you plan on contacting.
Businesses are entitled to 500 free individual number searches per year, but after that, each individual number search costs one credit. There are two ways of purchasing credits: pay as you go and pre-paid. You can find the most up-to-date fees by checking out the User Guide for Organisations on the DNC Registry homepage.
After the Registry replies to your query, you have 30 days to contact customers. After 30 days, you will have to check with the Registry again to get permission to market to the same customers. You are therefore advised to contact customers quickly to mitigate costs associated with the DNC Registry check. Avoid making queries that are so large that your business cannot contact all the customers within 30 days.
To reduce this overhead, consider whether you can avoid the DNC Registry altogether by using email marketing since email are not included within the scope of the DNC Registry (this is also true of mail delivered by post). If you have an ongoing relationship with the customer, you might also be able to send a text or fax without requiring the customer’s consent, if you draw on the Personal Data Protection (Exemption from Section 43) Order 2013.
Note also that you cannot avoid the DNC Registry by calling from another country, as the regulations affect all telemarketing to Singapore numbers.
Businesses should also ensure that their marketing messages clearly identify the business. Depending on the medium, this could mean attaching contact details to the signature at the end of a text message, or not concealing the number of the phone you use to make the marketing calls. Even though email is not covered by the DNC Registry, it is a good practice to include contact information in marketing emails and providing the email recipient the option to unsubscribe from receiving emails from your business in the future.
DATA PROTECTION PROVISIONS
Entrepreneurs should be aware that all businesses, even sole proprietorships, are legally required to designate a data protection officer (DPO) to ensure that their company complies with the PDPA. The contact details of this individual should be made available to the public. The DPO can be someone whose sole job is related to data protection, someone who takes on this role as one of multiple responsibilities, or a third party designated by your business. The Singapore government has set out guidelines for DPOs here.
Larger companies might also consider appointing a data controller to decide how data will be used within the organization. If you have a designated IT department, they should create a personal data inventory map that is specific to the requirements of your business. Encrypting emails and encrypting stored personal data are additional measures for protecting customer data. Microsoft has published a detailed white paper about the broader IT implications of the PDPA.
More generally, entrepreneurs moving to Singapore should be aware that there may be costs associated with complying with the PDPA, particularly if your business does not have existing data protection policies. The cost to SMEs should be minimal unless your business uses large amounts of personal data. Singapore is a very business-friendly country and it has devised the PDPA keeping in mind the need to minimise the compliance costs. The government even offers entrepreneurs highly-subsidised compliance courses to help them ramp up.
For a detailed guide on compliance, see our article on complying with the Personal Data Act of Singapore.
Enforcement and Penalties
The Personal Data Protection Commission is allowed to take the following measures to ensure compliance:
- Enter business premises to gain access to information related to an investigation.
- Compel a business to stop collecting, using or disclosing personal data that contravenes the PDPA.
- Destroy personal data collected by a business in contravention of the PDPA.
- Compel a business to pay a fine, the size of which is chosen by the Commission at its sole discretion (maximum: S$ 1 million, or S$10,000 for breaches of the DNC registry)
The Commission has been fairly strict in enforcing the PDPC since its adoption. In August 2014, a tuition agency and its director were both fined S$39,000 for sending unwanted SMS messages to individuals who had registered with the DNC Registry. At the time of writing, the Commission is in the process of investigating smartphone maker Xiaomi. Given the size of Xiaomi and the relative youth of the PDPA, the outcome of the investigation will set useful precedents.
Singapore’s commitment to data protection is part of a larger effort to stay on the cutting edge of digital policies while keeping it as business-friendly as possible. The law incentivises entrepreneurs to take customer data seriously by appointing data officers, respecting the right of customers not to be marketed to, and storing personal data with care.