Fundamentals of the Personal Data Protection Act (PDPA) 2020 (PDF)
Uploaded by AthleticSilver740 (NUS Faculty of Law)

Summary
This document provides a brief overview of the fundamentals of the Personal Data Protection Act (PDPA) 2020 in Singapore. It outlines the key takeaways, including the Do Not Call (DNC) and Data Protection (DP) provisions, as well as the data protection obligations for organizations.
Full Transcript
1. FUNDAMENTALS OF THE PERSONAL DATA PROTECTION ACT (PDPA) 2020 (WSQ) – A BRIEF RECAP

The key ‘takeaways’ from this chapter are that:
(a) the Personal Data Protection Act 2012 of Singapore (PDPA) has two main sets of provisions, namely: (i) the Do Not Call (DNC) provisions, which came into operation on 2 January 2014, and (ii) the Data Protection (DP) provisions, which came into operation on 2 July 2014;
(b) this course focuses on the DP provisions, but it also recaps the DNC provisions;
(c) the DP provisions are comprised of eleven data protection obligations; and
(d) all organisations are required to designate one or more individuals (e.g. a data protection officer (DPO)) to be responsible for ensuring that the organisation complies with the PDPA.

1.1 The DP provisions in the Personal Data Protection Act

1.1.1 The PDPA ensures a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that organisations have to comply with the PDPA as well as with the common law and the other laws that apply to their specific industry when handling personal data in their possession.

1.1.2 The PDPA takes into account the following concepts:
(a) Consent – organisations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);
(b) Purpose – organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of the purposes for the collection, use or disclosure; and
(c) Reasonableness – organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

1.1.3 The diagram below provides an overview of the various parts of the PDPA which may be relevant to organisations.
Generally, there are two main sets of provisions that organisations are required to comply with: the Data Protection (DP) provisions and the Do Not Call (DNC) provisions.

Purpose of the Act: ‘To govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.’

Accountability is a fundamental principle of the Personal Data Protection Act (“PDPA”) which involves a risk-based approach to identifying, monitoring and responding to personal data risks.

Overview of the PDPA (two main sets of provisions, as shown in the diagram):

Data Protection Provisions (Parts III – VIB)
- General Rules (Part III): Accountability; Compliance with the Act; Policies and practices
- Collection, Use and Disclosure (Part IV): Consent; Purpose; Exceptions: 1st and 2nd Schedules
- Access and Correction (Part V): Access; Correction; Exceptions: 5th and 6th Schedules
- Care (Part VI): Accuracy; Protection; Retention; Transfer outside Singapore
- Others (Parts VIA – VIB): Data Breach Notification; Data Portability; Exceptions: 12th Schedule

DNC Provisions (Parts IX – IXA)
- DNC Registry (Part IX): Meaning of ‘specified message’; Application; Exceptions: 8th Schedule
- Dictionary attacks and address-harvesting software (Part IXA)

1.1.4 For the PDPA, ‘organisation’ includes any individual, company, association or body of persons, corporate or unincorporated, whether or not: (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.

1.1.5 The following diagram shows the scope of application of the PDPA.

Scope of application of the PDPA (as shown in the diagram):
- Definition: ‘personal data’ refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
- Covers electronic and non-electronic data.
- Focuses on the protection of personal data, regardless of whether the data is true or false, that is contained in a record that has been in existence for less than 100 years.
- Personal data of deceased individuals: only the disclosure and safeguarding rules apply, and only for up to 10 years after death.

1.1.6 The DP provisions cover electronic data and physical data. Electronic data may be in an organisation’s IT system, it may be stored in the cloud, or it may simply be on the hard disks or external storage devices of the organisation’s employees, contractors and other individuals. The DP provisions also cover non-electronic data in physical records (mainly paper records).

1.1.7 The DP provisions protect personal data whether it is true or not. The DP provisions do not apply to an individual who is acting in a personal or domestic capacity, an employee in the course of their employment[1], business contact information, or any public agency.

1.1.8 The DP provisions do not apply fully to personal data about individuals who are deceased. Only the rules about safeguarding personal data and about disclosing personal data apply to personal data about deceased individuals, and only for the first 10 years after their death.

[1] Nonetheless, Part VIIIA of the PDPA provides for certain offences to hold individuals (who may be employees) accountable for the egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency).

1.2 The eleven obligations in the DP provisions

1.2.1 The DP provisions include eleven obligations that organisations must comply with in connection with personal data in their possession or under their control. Here is a brief summary of the eleven obligations:

(1) the Accountability Obligation: Accountability is a fundamental principle of the Personal Data Protection Act (“PDPA”).
An organisation is required to develop and implement the policies and practices that are necessary for it to meet its obligations under the PDPA, and to make information about its data protection policies and practices available. In particular, an organisation is required to designate at least one individual (a data protection officer or ‘DPO’) to be responsible for ensuring its compliance:
- appoint one or more individuals;
- the designated individual may delegate the responsibility conferred to another individual;
- designation of an individual does not relieve the organisation of any of its obligations under the PDPA; and
- make available the business contact information of the DPO or of an individual to whom the DPO’s responsibility has been delegated.

(2) the Notification Obligation: An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data, on or before such collection, use or disclosure of the personal data.

(3) the Consent Obligation: An organisation must obtain the consent of the individual to the collection, use or disclosure of his or her personal data (PD). There is no valid consent unless the individual has been notified of the purpose.
a. The Enhanced Consent Framework has been expanded to include new exceptions to consent (the legitimate interests, business improvement and research exceptions), to emphasise the importance of these and to enable data use and innovation in a way that is meaningful to the customer.

(4) the Purpose Limitation Obligation: An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, that have been notified to the individual concerned.

(5) the Accuracy Obligation: An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be: used by the organisation to make a decision that affects the individual concerned; or disclosed by the organisation to another organisation.

(6) the Protection Obligation: An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (i) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.

(7) the Retention Limitation Obligation: An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that: the purpose for which the personal data was collected is no longer being served by retention of the personal data; and retention is no longer necessary for legal or business purposes.

(8) the Transfer Limitation Obligation: An organisation may transfer personal data overseas only if it has taken appropriate steps to ensure that it will comply with the Data Protection Provisions in respect of the transferred personal data while it is under its possession or control, and if the overseas recipient is bound by legally enforceable obligations (e.g. any law, binding corporate rules or contractual agreements) to provide a standard of data protection comparable to that under the PDPA. If the overseas recipient is processing personal data on behalf of the organisation (i.e. it is a data intermediary), the organisation should also note that it has the same obligations under the PDPA for the personal data processed by its data intermediary.

(9) the Access and Correction Obligation: upon request by an individual, an organisation shall provide the individual with the following as soon as reasonably possible: the personal data about the individual that is in the possession or under the control of the organisation; and information about the ways in which that personal data has been or may have been used or disclosed by the organisation within the year before the date of the individual’s request.

(10) the Data Breach Notification Obligation: In the event of a data breach, organisations are required to assess whether the data breach is notifiable and, if so, to notify the PDPC and, in certain circumstances, the affected individuals, within the specified timeframe.

(11) the Data Portability Obligation: Organisations are required, at the request of an individual, to transmit personal data that is in the organisation’s possession or under its control to another organisation in accordance with any prescribed requirements.

For further information about the above eleven obligations see the PDPC’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act (updated February 2021, available at https://www.pdpc.gov.sg/ag).

1.3 The Do Not Call (DNC) provisions

1.3.1 The DNC provisions apply to persons including individuals as well as companies, associations and other bodies of persons, corporate or unincorporated. The DNC provisions contain a number of obligations that apply in relation to persons sending specified messages to Singapore telephone numbers.
In brief, such persons are required to comply with the following obligations:
(a) Duty to check the DNC Register – before a person sends a specified message to a Singapore telephone number, the person must obtain valid confirmation that the Singapore telephone number is not listed with the DNC Registry established by the Commission under the PDPA (the ‘DNC Registry’), unless the person has obtained clear and unambiguous consent in evidential form from the user or subscriber of the number (section 43 of the PDPA);
(b) Duty to identify the sender of a message – when sending a specified message to a Singapore telephone number, the person must: (i) include information identifying the sender and how the recipient can contact the sender (section 44 of the PDPA); and (ii) for voice calls, not conceal or withhold from the recipient the sender’s calling line identity (section 45 of the PDPA); and
(c) Duty not to send, cause to be sent, or authorise the sending of an applicable message to any telephone number generated or obtained through the use of (i) a dictionary attack; or (ii) address-harvesting software (section 48C of the PDPA).

The Do Not Call provisions apply in relation to an organisation sending specified messages to Singapore telephone numbers.

1.3.2 The Do Not Call provisions apply when: (a) the sender of the specified message is in Singapore when the message is sent; or (b) the recipient of the specified message is in Singapore when the message is accessed.

1.3.3 The Do Not Call provisions do not apply if both the sender and the recipient are not in Singapore when the message is sent and accessed respectively.

1.3.4 The Do Not Call provisions also include obligations on third-party checkers to communicate accurate DNC Register query results to persons, and liability on these checkers for DNC infringements resulting from erroneous information provided by them (section 43A of the PDPA).

Scope of the DNC provisions (as shown in the diagram):

Included in scope of DNC:
- SMS / MMS / texts, voice calls and faxes sent to Singapore phone numbers.
- Sending specified messages to phone numbers obtained through the use of dictionary attacks and address-harvesting software is prohibited.

Not included in scope of DNC:
- Messages that can be sent without the use of phone numbers, e.g. cell-broadcast, emails, and messages sent to Instant Messaging (IM) accounts, e.g. Telegram.
- Eighth Schedule exclusions from the meaning of ‘specified message’.

Business number registration is allowed.

Organisations’ key obligations: check against the DNC Registry within 30 days before doing marketing unless they have clear and unambiguous consent in evidential form; display their ID, contact information and (for phone calls) the originating number.

1.3.5 Specified Message Definition: A message is a specified message if, based on the circumstances (e.g. its content, its presentation, and the content that is obtained through the numbers, URLs or contact information in the message), the purpose of the message, or one of its purposes, is to offer, supply, advertise or promote any goods, service, land, interest in land, business opportunity or investment opportunity.

For further information about the DNC provisions see the PDPC’s Advisory Guidelines on the Do Not Call Provisions (available at https://www.pdpc.gov.sg/ag).

1.4 Appointment and role of a Data Protection Officer

1.4.1 The PDPA requires every organisation to designate one or more individuals to be responsible for ensuring that it complies with the PDPA. Such a designated individual is usually called a ‘Data Protection Officer’ (DPO). The individual can delegate such responsibility to another individual. The designated individual need not be an employee of the organisation. Appointing a DPO does not relieve the organisation of any of its obligations under the PDPA.
1.4.2 The approach taken by an organisation to the appointment of a DPO depends on the size and structure of the organisation and the extent to which it collects, uses, discloses and stores personal data. A very small organisation might appoint a single individual as DPO, adding the roles and responsibilities of a DPO to the individual’s primary role with the organisation. A larger organisation might appoint a single individual as its DPO in a stand-alone role.

1.4.3 An organisation that is large enough to have various departments (for example, Legal, HR, Finance, Marketing, Risk, Operations, IT) might appoint a data protection committee consisting of its various Heads of Department and led by the organisation’s DPO. Alternatively, an organisation may outsource the role of DPO to a suitably qualified service provider.

1.4.4 Given the significant contribution of a DPO and the seniority required to lead data protection initiatives, a DPO should ideally be an appointment from senior management. When outsourcing the DPO function, the organisation should still ensure that an individual appointed from senior management remains responsible for working with the outsourced DPO.

1.4.5 The key roles and responsibilities of a DPO are as follows:
(a) ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
(b) foster a personal data protection culture among employees and communicate personal data protection policies to stakeholders;
(c) manage personal data protection-related queries and complaints;
(d) communicate to and train staff about the organisation’s personal data protection policies and practices;
(e) alert management to any risks that might arise with regard to personal data; and
(f) liaise with the PDPC on personal data protection matters, if necessary.

1.4.6 Every organisation must make the business contact information of its DPO available to the public.
Resources for Chapter 1 Recap – Module A: Fundamentals of the Personal Data Protection Act (PDPA) 2020

For further information about the eleven obligations see the PDPC’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act (updated February 2021): https://www.pdpc.gov.sg/ag

For further information about the DNC provisions see the PDPC’s Advisory Guidelines on the Do Not Call Provisions: https://www.pdpc.gov.sg/ag