Caroline Berube, BCL, LL.B
HJM Asia Law & Co LLC
In October 2012, the Singapore parliament passed the Personal Data Protection Act 2012 (“PDPA”), which governs the collection, use and disclosure of personal data of an individual by organizations. It established the Personal Data Protection Commission (“PDPC”) as a watchdog to ensure a baseline standard of protection for personal data across the economy. Organisations would have to comply with the PDPA, relevant regulations and guidelines as well as the common law and other relevant laws that apply to the specific industry that they belong to. The public consultation on the positions proposed for the relevant regulations and guidelines was closed on April 1st, 2013.
The PDPA was introduced following acknowledgment by the government that there is a pressing need for a general data protection framework to ensure that individuals have more control over their personal data and are kept informed of the purposes for which organizations collect, use or disclose their information. This would also ensure that the collection, usage or disclosure of personal data would be for legitimate and reasonable purposes and would be advantageous to the organisations because practising good personal data management can increase business efficiency and effectiveness, boost customer confidence, and enhance their public image.
On 2nd January 2013, some of the provisions came into effect as part of the government’s plan to implement them in phases. Provisions relating to the Do Not Call registry allow individuals to opt out of unsolicited marketing communications, and the provisions relating to the protection of personal data will come into force in 2014. Under the PDPA, organizations would have to inform individuals of the purpose and obtain their consent for the collection, use and disclosure of the personal data unless the deemed provision(s) on consent or the circumstances specified in the schedule apply. The organizations would not, as a condition of supplying a product or service, require the individuals to consent to the collection, use or disclosure of personal data beyond what is reasonable for the provision of that product or service.
The PDPA also mandates that organisations would have to appoint at least one data protection officer to ensure compliance with the requirements that would include taking reasonable efforts to ensure that the personal data collected is accurate and complete and is secured from any unauthorized use. On a request from the individual concerned, organisations would have to ensure that any request for access is attended to and questions about the collection, use or disclosure of the personal data are answered unless the stipulated exceptions apply. If the request includes correction of an error or omission in the individual’s personal data, the organization shall, unless there are reasonable grounds not to do so, correct the data as soon as practicable. Any request for withdrawal of consent in relation to the collection, use or disclosure of all or some of the individual’s personal data for certain purposes would have to be attended to after an explanation of the consequences of the withdrawal has been proffered.
If an individual suspects that a particular organisation is not following the rules of the PDPA, he is encouraged by the PDPC to contact the organization concerned to find out more about its data protection practices, and clarify his doubts on whether his personal data has been misused. The individual may also lodge formal complaints with the organization concerned or the PDPC. If the PDPC finds that the organisation is in breach of any of the data protection provisions, it may direct the organisation to stop the illegal collection, usage or disclosure of personal data, destroy the personal data collected illegally, provide access to the personal data or pay a financial penalty of an amount not exceeding S$1 million.
The PDPA will enhance Singapore’s competitiveness and strengthen its position as a trusted business hub. It puts Singapore on par with others that have already enacted data protection legislation, such as Canada, New Zealand and Hong Kong.