PDPA For Companies: Compliance Guide For Singapore Business

• 04 September, 2020
• No Comments

PDPA For Companies: Compliance Guide For Singapore Business

The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA for companies was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.

The PDPA recognizes both:

• The right of individuals (natural persons, whether living or dead) to protect their personal data; and
• The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).

What is Personal Data?

Personal data means:

• Data about an individual who can be identified from that data itself; or
• Data about an individual who can be identified from that data and other information to which your business has or is likely to have access

Examples of personal data that can, on its own, identify an individual include:

• Biometric identifiers (face geometry or fingerprints)
• Name and NRIC number
• Photograph or video image of an individual
• Voice of an individual
• DNA profile

Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for less than 10 years. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.

What are the Types of Personal Data the PDPA For Companies Does Not Apply to?

The PDPA for companies does not apply to the following categories of personal data:

• Personal data that is contained in a record that has been in existence for at least 100 years; and
• Personal data about a deceased individual who has been dead for more than 10 years
• Business contact information, which includes an individual’s:
  • Name;
  • Business title;
  • Business telephone number; and
  • Business address and e-mail

Who is Not Obliged to Comply with the PDPA For Companies?

The PDPA for companies imposes obligations on organisations in respect of the collection, use and disclosure of personal data in Singapore.

The following persons, however, do not have to comply with these obligations:

1. Any individual acting in a personal or domestic capacity;
2. Any public agency; and
3. Any organisation in the course of acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data.

Employees acting in the course of their employment with an organisation will have to adhere to their organisation’s policies for ensuring the organisation’s compliance with the PDPA for companies. However, they themselves cannot be held personally liable for actions resulting in their organisation breaching the PDPA for companies.

Additionally, organisations which are data intermediaries are partially excluded from these obligations.

The PDPA for companies defines “data intermediary” as an organisation that processes personal data on behalf of another organisation. However, this definition does not include employees of the organisation (for which the data is being processed).

What are Your Business Obligations Under the PDPA For Companies?

The 9 main obligations under the PDPA for companies are:

1. Consent Obligation: your business can only collect, use and/or disclose the personal data of individuals who have consented to such collection, use and/or disclosure.

2. Purpose Limitation Obligation: your business can only collect, use and/or disclose personal data of individuals for the purpose(s) for which consent have been given by these individuals.

3. Notification Obligation: your business must inform individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.

4. Access and Correction Obligation: your business is obliged to provide information to individuals, upon request and as soon as reasonably possible, on:

• What personal data of theirs is in your business’s possession or under its control; and
• How such personal data has been used or disclosed within 1 year before the date of the request

Your business must also correct errors or omissions in the personal data that is in its possession upon request, unless it is reasonable to not make the correction.

5. Accuracy Obligation: your business must make a reasonable effort to ensure that the personal data collected by the business is accurate and complete, if the personal data is likely to be:

• Used by your business to make a decision that affects the individual to whom the personal data relates; or
• Disclosed by your business to another organisation

6. Protection Obligation: your business must put in place reasonable security measures to protect the personal data in its possession or control. This is to prevent risks such as the unauthorised access, collection, use and/or disclosure of such data.

7. Retention Limitation Obligation: your business should retain the personal data for only as long as is necessary for business or legal purposes.

8. Transfer Limitation Obligation:  if your business is transferring the personal data overseas, such as storing the data in the cloud, ensure that the transfer meets the PDPA’s data protection requirements. This is to ensure that the data being transferred is offered a comparable level of data protection as is provided by the PDPA for companies.

9. Openness Obligation: your business must implement the necessary policies and procedures to fulfil its PDPA for companies obligation. It must make information about such policies and procedures publicly available.

PDPA Obligations Applied in Practice

To what extent can your business collect individuals’ personal data?

Pursuant to the Purpose Limitation Obligation (see above), your business may collect, use or disclose personal data about an individual:

• Only for purposes that a reasonable person would consider appropriate in the circumstances; and
• Your business has informed the individual of these purposes (where applicable under the Notification Obligation (see above)).

What is considered “Appropriate in the Circumstances”?

The particular circumstances need to be taken into account in determining whether the purpose of such collection, use or disclosure of personal data is reasonable.

For example, a purpose that is illegal or would harm the individual concerned is unlikely to be considered appropriate by a reasonable person.

Also read: Top 25 Data Protection Statistics That You Must Be Informed

Ensuring compliance with PDPA obligations

If your business regularly collects personal data, it is important to keep track of:

• What personal data is being collected
  • For compliance with the Protection Obligation
  • Being aware of the types of personal data being collected will allow you to have a better picture of the type of protective measures needed and evaluate if the purposes for which such data is being collected are best served by the data collection.
• For what purposes the personal data is being collected
  • For compliance with the Purpose Limitation Obligation and the Retention Limitation Obligation
• Who is collecting the personal data
  • For compliance with the Consent Obligation and Notification Obligation
  • Only authorised personnel who have received appropriate training in PDPA for companies compliance should be involved in the collection process
• Where the personal data is stored
  • For compliance with the Protection Obligation
• To whom the personal data is disclosed
  • For compliance with the Access and Correction Obligation and Protection Obligation
  • While your business has to provide access to the personal data of an individual who requests for it, you should verify the identity of the individual. For example, by requesting for appropriate identification documents before providing such access. This would in turn prevent inadvertent leaks of personal data.

1. Implementing Data Protection Policies

In order for your business to be in compliance with the Protection Obligation, it is critical to implement personal data protection policies and communicate such policies to your employees.

For example, your business could implement physical and technical data protection measures.

Physical measures include providing personal data access only to authorised personnel and ensuring that physical records (such as printed documents containing employees’ NRIC numbers and home addresses) are held in a secured location. For example, a locked filing cabinet.

Technical measures range from installing anti-virus software on computer systems to maintaining a strong password for electronic files containing personal data.

2. Utilising Tools to Assess Your Business’ Compliance with the PDPA

The PDPA Assessment Toolkit available on the Personal Data Protection Commission’s (PDPC) webpage may be helpful in identifying the areas in which your business is not PDPA for companies compliant.

It provides a guided questionnaire on your business’ personal data protection and policies. It can therefore serve as a handy checklist of your business’ compliance with the PDPA obligations.

3. Appointing a Data Protection Officer (DPO)

It is also compulsory under the PDPA for companies to appoint one or more Data Protection Officer(s) (DPO) to supervise your business’ collection, usage and disclosure of personal data. The DPO is accordingly responsible for ensuring that your business complies with the PDPA.

Your DPO is also required to review and update your business’ PDPA for companies policies and processes in line with the latest regulatory developments.

This is to ensure that your business remains PDPA for companies compliant in light of changes to the relevant data protection rules.

Finally, your business’ DPO will serve as a point of contact for individuals to get in touch with your business for PDPA-related matters.

Read our other article for more information on appointing a Data Protection Officer.

Consequences of Non-Compliance with the PDPA

Your business is accountable for its PDPA compliance in various ways.

For example, individuals may request for access to their personal data held by your business (see the Access and Correction Obligation above). They may also submit a complaint to the PDPC which will investigate your business’ conduct and compliance with the PDPA for companies.

If it is found that your business is not PDPA-compliant, the PDPC may:

• impose a financial penalty of up to $1 million
• Direct your business to stop collecting, using or disclosing personal data in contravention of the PDPA
• Direct your business to destroy personal data collected in contravention of the PDPA

In April 2016, the Business Times reported that 11 companies, including Challenger Technologies and K Box Entertainment Group (K Box), had been fined for breaching data protection obligations under the PDPA.

K Box, in particular, was fined $50,000 for failing to implement adequate security measures to protect the personal data of its members.

What Should You Do If You Collect, Use or Disclose Individuals’ Personal Data Throughout the Course of Your Business?

• If your business wants to store personal data in the cloud, you should take appropriate steps to ensure that the transfer of data to the cloud complies with the PDPA’s data protection laws.
• If your business issues newsletters through email, you should ensure that the creation and sending of your newsletter as well as the management of your subscriber list complies with the PDPA for companies and other applicable laws.
• Should your business be involved in telemarketing, you should ensure that the relevant regulations, including those relating to the Do Not Call (DNC) Registry are complied with The DNC regime established under the PDPA, prohibits organisations from sending marketing messages to Singapore telephone numbers registered with the DNC Registry.
• If your business maintains physical or electronic records of personal data, these records have to be disposed of, using appropriate methods, as stipulated in the PDPA.
• From 1 Sep 2019 onwards, businesses will also not be allowed to make copies of individuals’ NRICs, or collect, use or disclose NRIC numbers, unless this is required by law or required to verify an individual’s identity to a “high degree of fidelity”.

To prevent thefts and leaks of personal data, and monetary penalties as a result, it is important to have a clear understanding of the business’ PDPA obligations.

Also read: How Being Data Protection Trained Can Help With Job Retention