By Benjamin Cheong and Justin Lee, Rajah & Tann Singapore LLP
Introduction to the PDPA
The PDPA is intended to be a baseline law for the protection of personal data in Singapore. It seeks to balance an individual’s right to protect his/her personal data against the commercial or operational need of organisations to process personal data. The main objective of the PDPA is to regulate how organisations deal with or handle personal data, including activities relating to the collection, use and disclosure of personal data. To this end, the Personal Data Protection Commission (“PDPC”) was established in January 2013 to administer and enforce the PDPA.
Since the PDPA came into force, it has attracted much publicity in Singapore, as it imposes numerous obligations and minimum standards in relation to data protection that private organisations in Singapore must observe. The main provisions of the PDPA came into force on 2 July 2014. One specific provision relating to the Do Not Call Registry came into force on 2 January 2014.
General compliance obligations under the PDPA
Pursuant to the PDPA, all private organisations in Singapore must comply with the following general rules with respect to the protection of personal data:
(a) Appoint a Data Protection Officer (“DPO”): An organisation must designate one or more DPOs responsible for ensuring that the organisation complies with the PDPA.
(b) Develop policies and practices: An organisation must develop and implement necessary policies and practices to comply with its obligations under the PDPA.
(c) Dealing with complaints: An organisation must develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA.
(d) Communicate to staff: An organisation must communicate to its staff information about the organisation’s policies and practices referred to in sub-point (b) above.
(e) Make information available: An organisation must make information available on request about the above-mentioned policies and practices and the complaint process.
Data protection principles
On 2 July 2014, the eight data protection (“DP”) principles under the PDPA came into force. Thus, all private organisations in Singapore have to be fully compliant with the eight DP principles. Briefly, the eight DP principles are:
(f) Consent: Organisations must obtain the consent of individuals before collecting, using or disclosing their personal data;
(g) Purpose: Organisations must inform individuals about the purposes for the collection, use or disclosure of their personal data;
(h) Access: Upon request of an individual, an organisation must provide the individual with personal data that is in the custody or control of the organisation and information about the use or disclosure of such data within a year before the date of the request;
(i) Correction: Upon request of an individual, an organisation must correct errors or omissions in the individual’s personal data;
(j) Accuracy: Organisations must ensure personal data collected is accurate and complete;
(k) Protection: Organisations must protect personal data by making reasonable security arrangements;
(l) Retention: Organisations must cease to retain or make anonymous any personal data as soon as retention is no longer required for legal or business purposes; and
(m) Transfer of personal data outside Singapore: Organisations must not transfer personal data out of Singapore except where there is a comparable standard of protection for personal data in the foreign country where the personal data is transferred to.
Do Not Call Regime
Under the PDPA, all private organisations in Singapore must also comply with three main obligations under the Do Not Call (“DNC”) Regime, if they engage in the sending of marketing messages via telephone calls, SMS/MMS or fax to Singapore telephone numbers. The three DNC obligations are:
(a) Duty to check register: Organisations must check the DNC Registers before sending marketing messages to a Singapore telephone number;
(b) Contact information: Marketing messages must contain clear and accurate contact information of the sender; and
(c) Calling line identity not to be concealed: Marketing messages must not conceal the calling line identity of the sender.
It should be noted that the DNC Regime has been in force since 2 January 2014. In this regard, it is highlighted that the PDPC is extremely vigilant and is actively enforcing the DNC rules. In about one month since the DNC Regime came into effect, the PDPC reportedly received 1,500 complaints from the public against 580 organisations, some of which are already facing penalties for breaching the DNC rules. Furthermore, the PDPC has issued a stern warning that it will not hesitate to commence enforcement action against errant organisations. The first public prosecution for breach of the DNC rules was against Star Zest Home Tuition Agency. The director and the agency were fined a total of S$78,000.
Penalties for non-compliance and powers of the PDPC
Criminal and/or civil sanctions may be meted out for non-compliance with the DP principles. The PDPC may impose financial penalties of up to S$1 million. Further, officers of bodies corporate could be liable criminally for an offence committed by the body corporate, where that offence is committed with the consent, connivance, or neglect of the officer.
Organisations and persons in breach of the DNC obligations would be liable to penalties of up to S$10,000 per breach.
The PDPC is also conferred various powers under the PDPA, which include for instance: (a) the power to give directions to ensure an organisation complies with the PDPA; and (b) powers of investigation including the power to require documents or information from organisations that are being investigated, and the power to enter the premises of organisations with or without warrant (in appropriate circumstances) for inspection.
Examples of Enforcement Action by the PDPC
One of the more notable examples of enforcement action by the PDPC was against K Box Entertainment Group Pte Ltd (“K Box”), with the PDPC issuing a financial penalty of S$50,000 as well as other directions to ensure K Box’s compliance with the PDPA. The PDPC’s investigations revealed that K Box’s IT system security was severely lacking, including poor password protocols and a failure to update security software patches. As a result, external parties were able to install malware in the K Box IT system, ultimately resulting in a leak of the personal data of 317,000 K Box members. The PDPC also found that K Box had failed to adopt any adequate data protection policies.
The PDPC also separately imposed a financial penalty of S$10,000 against Finantech Holding Pte Ltd (“Finantech”), which was the service provider K Box had engaged at that time to develop, host and manage K Box’s ‘Content Management System’. The PDPC found that Finantech had failed to implement proper and sufficient security measures for the personal data stored in the data system it had developed and managed for K Box, thereby failing to comply with its obligations as a data intermediary under the PDPA. The enforcement action by the PDPC against Finantech is particularly notable, as it demonstrates that, unlike certain other jurisdictions, data intermediaries in Singapore are directly required to take active steps to comply with the relevant PDPA obligations.
In a similar vein, the PDPC has also issued directions and financial penalties ranging up to S$10,000 against seven other organisations for their failure to implement and maintain adequate security measures to protect and prevent the unauthorised disclosure of the personal data under their control.
In light of the above, organisations are strongly advised to take the necessary steps to ensure that their operations in Singapore are fully compliant with all PDPA obligations in order to avoid facing the above-mentioned penalties for non-compliance. Breaches may result in investigations and financial penalties. They may also cause reputational damage to the organisation.