Singapore: Data protection guidelines issued for Singapore

Following a public consultation conducted between February and April this year, Singapore's relatively newly formed Personal Data Protection Commission has issued two sets of advisory guidelines relating to the Personal Data Protection Act 2012 (which comes into effect in earnest in 2014). Singapore is not the only Asia-Pacific country where there have been developments in data protection and privacy over the past few years, such other countries including Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, the Philippines, the PRC, South Korea, Taiwan and Vietnam. These developments follow the introduction of the APEC Privacy Framework 2005 and APEC Data Privacy Pathfinder 2007.

Singapore’s developing regime

Singapore’s Personal Data Protection Act 2012 (No. 26 of 2012) was passed on 7 December 2012 (PDPA), but takes effect in three phases as follows:

• 2 January 2013 – formation of the regulator, the Personal Data Protection Commission (PDPC);
• 2 January 2014 – introduction of the do not call provisions; and
• 2 July 2014 – introduction of the main rules.

Since its establishment, the PDPC has conducted the following two public consultations:

• between February and April 2013 – on the (i) Proposed Regulations, (ii) Advisory Guidelines on Key Concepts in the PDPA and (iii) Advisory Guidelines on Selected Topics; and
• between May and June 2013 – on the Proposed Business Operation of the Do Not Call Registry.

While those consultations have closed, the responses to the Proposed Regulations and Proposed Business Operation of the Do Not Call Registry are still being considered by the PDPC.

However, on 24 September 2013, the PDPC issued two sets of Advisory Guidelines on:

• Key Concepts in the PDPA – which elaborates on and provides illustrations for the key obligations in the PDPA and interpretation of key terms in the PDPA in order to assist with understanding the PDPA; and
• Selected Topics – elaborating on how the PDPA applies to particular issues and areas in order to assist with understanding the PDPA in terms of those topics.

The guidelines are explained further below. The guidelines are advisory in nature and are not legally binding.

Key concepts

The Advisory Guidelines on Key Concepts in the PDPA provide (amongst other things):

• Important terms used in the PDPA: guidance on the terms individuals, personal data, organisations, collection, use, disclosure, purposes and reasonableness;
• The nine obligations: an overview of the key compliance requirements under the PDPA (with examples), summarised as follows:

1. the consent obligation (including verbal consent, failure to opt out, deemed consent, withdrawal of consent and exceptions to the consent obligation);
2. the purpose limitation obligation (relating to the purposes for collection, use or disclosure of personal data about an individual being those which a reasonable person would consider appropriate in the circumstances and, where applicable, the individual having been informed of those purposes);
3. the notification obligation (relating to individuals being informed of the purposes for which their personal data are collected, used and disclosed and the manner, form and content of that notification such as by way of a data protection policy);
4. the accuracy obligation (relating to using reasonable efforts to ensure that personal data are accurate and complete if the data are likely to be used to make decisions affecting the relevant individual or likely to be disclosed to another organisation);
5. the protection obligation (relating to reasonable security arrangements being made to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks);
6. the retention limitation obligation (relating to ceasing to retain documents containing personal data, or removing the means by which personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the data were collected is no longer being served by retaining the data and retention is no longer necessary for legal or business purposes); and
7. the openness obligation (relating to developing and implementing policies and practices that are necessary to meet the obligations under the PDPA and to make information about those policies and practices available),

with the remaining obligations, the access and correction obligation and transfer limitation obligation, not being covered in detail in the Advisory Guidelines (having been removed from the draft of the Advisory Guidelines); and

• Do not call: an explanation of the do not call provisions of the PDPA, which are relating to sending specified messages (e.g. marketing messages of a commercial nature subject to certain exceptions) to Singapore telephone numbers and requiring (amongst other things):

1. the checking of the register (initially voice, text and fax), 60 days before sending such messages prior to 1 August 2014 but otherwise 30 days before, to confirm the number is not listed on the register (unless clear and unambiguous consent in evidential form has been obtained);
2. the inclusion of information identifying the sender and how to contact the sender; and
3. for voice calls, not concealing or withholding the calling line identity (caller ID) of the sender.

The guidelines also include an explanation of the grandfathering arrangements relating to personal data collected before the commencement of the relevant provisions of the PDPA.

Selected topics

The Advisory Guidelines on the PDPA for Selected Topics cover:

• analytics and research;
• anonymisation;
• CCTVs;
• employment;
• National Registration Identity Card (NRIC) numbers; and
• online activities.

Trend

The APEC Privacy Framework 2005 and APEC Data Privacy Pathfinder 2007, a co-operative project among participating APEC economies, has been influencing policy and legislative discussions of data protection and privacy issues between governments and regulators in the Asia-Pacific region.

In addition to Singapore, other Asia-Pacific countries where there have been developments in data protection and privacy over the past few years include Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, the Philippines, the PRC, South Korea, Taiwan and Vietnam.

Our information governance and privacy practice is one of the strongest and most versatile of any international firm and we are unusual in having dedicated expertise within a leading global full service law firm. Our lawyers have been involved in drafting legislation, formulating regulation and advising in the area since its inception.

Our approach is to find practical and commercially realistic solutions to privacy and data issues, with a focus on strategically maximising data value while minimising legal and reputational risks.

Article written by Mark Robinson; Kwok Hon Yee; and Peggy Chow