In response to the rising need to keep personal information secure to counter cybercrime and data theft, Singapore passed the Personal Data Protection Act (PDPA) on 15th October 2012, based on OECD guidelines on the Protection of Privacy and Transborder Flow of Personal Data and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. The PDPA covers the rules designed to control the collection, use, disclosure, and care of personal data, allowing personal data collected to be protected against unlawful use. The balance between two sets of acknowledged rights – the rights of individuals to protect their personal data and the rights of businesses to use personal data for legitimate purposes – is a key consideration of the Act. The Act also has an extraterritorial reach and applies to organisations collecting personal data from individuals in Singapore, whether the companies are located locally or not. However, it does not apply to the public sector which is governed by other rules.
The PDPA is a necessary step toward making Singapore a leader in digital information management policy and reinforcing its status as a world-class business hub for investors interested in opening a new company in Singapore.
Personal data is data about an individual, not about an organisation. Business contact information that an individual provides for business purposes, such as a job title, a business telephone number or a business address, is therefore excluded from the Act. Details that, once gathered, can identify a real-life person, such as:
- personal phone number
- home phone number
- residential address
- personal email address
- NRIC or passport number
- date of birth
- personal photograph or video image
are protected by the Act against unlawful or unauthorised use.
Business operators planning a Singapore company setup should pay special attention to the Act's nine obligations, which are:
- Consent obligation
- Purpose limitation obligation
- Notification obligation
- Access and correction obligation
- Accuracy obligation
- Protection obligation
- Retention limitation obligation
- Transfer limitation obligation
- Openness obligation
to ensure the Act is not violated when handling collected personal data, whether electronic or non-electronic.
Consent must be obtained from an individual before that individual's personal data is collected, used or disclosed, unless the situation falls under deemed consent (for example, when the individual voluntarily provides the data for an obvious purpose) or one of the Act's statutory exceptions.
The Personal Data Protection (Amendment) Act was passed in November 2020 and its provisions have commenced in phases from 2021. Its key updates to the Act include:
- Removal of the exclusion for agents of the Government, and criminalisation of egregious mishandling of personal data
  - All private sector organisations are subject to the PDPA, even when they are acting on behalf of public agencies
  - The amendments also create new offences for individuals who mishandle personal data, such as:
    - Unauthorised disclosure of personal data
    - Use of personal data that results in a gain for the offender or another person, or in harm or loss to another person
    - Unauthorised re-identification of anonymised information
  - Related amendments are also made to the Public Sector (Governance) Act and the Monetary Authority of Singapore Act to align the public and private sector data regimes
- Increase in the financial penalty cap for organisations
  - The maximum financial penalty is raised to 10% of an organisation's annual turnover in Singapore or S$1 million, whichever is higher
- Additions to the Do Not Call (DNC) provisions
  - The new provisions prohibit the sending of messages to telephone numbers generated or obtained through dictionary attacks or address-harvesting software
  - The maximum financial penalty for a breach of the DNC provisions is 5% of an organisation's annual turnover in Singapore or S$1 million, whichever is higher, and S$200,000 for an individual
- Expansion of "deemed consent" to cater for more scenarios and purposes
  - Deemed consent by contractual performance: multiple layers of contracting and outsourcing are common in modern commercial arrangements. The amendment therefore expands deemed consent to cover scenarios where personal data is passed from an organisation to successive layers of contractors so that the organisation can fulfil its contract with its customer
  - Deemed consent by notification: an organisation may notify its customers of a new purpose and give them a reasonable period to opt out. Before doing so, the organisation must conduct a risk assessment and conclude that collecting, using or disclosing personal data in this manner is not likely to have an adverse effect on the individual
- Expansion of the exceptions for processing personal data
  - Legitimate interests exception: to rely on this exception, an organisation must conduct an assessment to eliminate or reduce the risks associated with the collection, use or disclosure of the personal data, and must be satisfied that the overall benefit outweighs any residual adverse effect on the individual. To ensure transparency, the organisation must disclose that it is relying on this exception
  - Business improvement exception: permitted purposes include (a) operational efficiency and service improvements; (b) developing or enhancing products or services; and (c) knowing the organisation's customers. As a safeguard, this exception may be relied on only for purposes that a reasonable person would consider appropriate in the circumstances, and only where the purpose cannot reasonably be achieved without using the personal data
  - The business improvement exception also applies to entities within a corporate group, which may consolidate corporate or administrative functions or concentrate research and development expertise in a single unit. As an additional safeguard for intra-group sharing, related corporations must be bound by a contract, agreement or binding corporate rules that implement and maintain appropriate safeguards for the personal data
  - Research and development exception: the existing research exceptions are revised to support commercial research and development that is not immediately directed at productisation. This could apply to research institutes carrying out scientific research and development, educational institutes conducting social sciences research, and organisations conducting market research to identify and understand potential customer segments