Singapore: Personal Data Protection Act

The Singapore Personal Data Protection Act of 2012, Act 26 of 2012 (PDPA) was enacted at the end of 2012 and parts relating to the administration of the PDPA came into force on 2 January 2013. The main data protection rules will take effect in mid-2014. There are also specific exemptions which apply in relation to personal data which has been collected in relation to employment. Penalties for breach of the PDPA can be severe including fines of up to SGD1 million.

Background

The PDPA establishes various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data (including rights of access and correction) as well as the needs of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

New overseas transfers provision

Further to our report last year on the specific implications for employers under the Personal Data Protection Bill (see  earlier post), a point of note is the introduction in the PDPA of a new requirement in relation to transfer of personal data overseas. The PDPA requires organisations to ensure that any transfer of personal data outside of Singapore meets the minimum standards prescribed under the PDPA.

This will have an impact on large multinational employers who routinely transfer employee data between entities and third parties in other jurisdictions. However, given that many employers with operations in Europe will already have had to comply with similar (and likely more stringent) provisions under these data protection regimes, the PDPA requirements are unlikely to cause too many problems.

Implications for employers

Unlike many of its European legislative counterparts, the PDPA does not place overly restrictive obstacles in the way of employers carrying out day-to-day employee data processing activities. With a ‘sunrise’ period of up to mid-2014 before the main data protection rules take effect, employers have time to give careful consideration to implementation.

However, data protection shouldn’t drop off the ‘to-do’ list altogether as the penalties for breaches of the PDPA are severe with fines of up to SGD1 million as well as criminal offences for individuals in some cases.

This article was written by Celia Yuen, Executive Counsel with the assistance of Kwok Hon Yee, Of Counsel and Cui Xian Yap, Associate.