The Personal Data Protection Act (PDPA) regulates the collection, use and disclosure of personal data by organisations in Singapore. Recently, Parliament passed the Personal Data Protection (Amendment) Act 2020, which made the PDPA more stringent. Hence, this is the right time for companies to learn more about personal data protection and how to comply.
Firstly, the PDPA protects consumers through two main channels: the general data protection provisions and the Do Not Call (DNC) Registry. Here we'll discuss these two central tenets and how they relate to personal data protection. Furthermore, we'll discuss the scope of the PDPA, what it covers and how it affects companies and businesses in Singapore.
Overview of Personal Data Protection
Here are the significant details to know:
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act 2012 (PDPA) is the legislation that governs the collection, use and disclosure of personal data. It was passed in October 2012 and came into force in phases, with the Personal Data Protection Commission (PDPC) established in January 2013, the DNC provisions taking effect in January 2014 and the main data protection provisions in July 2014.
The PDPA recognises the right of individuals to protect their personal data and to determine how it is used. At the same time, it recognises that organisations have a legitimate need to collect, use and disclose personal data for reasonable purposes. The balance between these two needs forms the basis for the obligations the PDPC enforces.
What is personal data?
Under the PDPA, personal data is data, whether true or not, about an individual who can be identified from that data alone, or from that data together with other information the organisation has or is likely to have access to. Examples include:
- Biometric identifiers
- Voice profile
- DNA info
- Name and NRIC number
Furthermore, companies need to know that the PDPA also covers personal data of individuals who have been dead for ten years or less, although for deceased individuals only the provisions on disclosure and protection of personal data apply.
Are there exceptions to personal data regulated by the PDPA?
Some data types which are not covered under the PDPA include:
- Personal data contained in a record that has been in existence for at least 100 years
- Personal data of an individual who has been deceased for more than 10 years
- Business contact information such as name, business address, business title and business number
How does the PDPA work?
For companies with little to no knowledge of how the PDPA works, the best source of guidance is a data protection officer (DPO). A DPO is the person an organisation designates to be responsible for ensuring that it complies with the PDPA; every organisation is required to appoint at least one.
Short of consulting with a DPO, we can help by discussing the details companies need to know. The PDPA sets a baseline standard for data protection across the country. It operates alongside sector-specific laws such as those for banking and healthcare, and where such a law is inconsistent with the PDPA, the sector-specific law prevails.
The core obligations rest on the following:
- Consent: Organisations can only collect, use or disclose personal data with the consent of the individual, which may be given expressly or, in limited situations, be deemed.
- Notification of purpose: Organisations must inform the individual of the purposes for which their personal data will be collected, used or disclosed, on or before collection.
- Reasonableness: Organisations can collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances.
How Does the PDPA Relate to Businesses and Companies?
For companies, there are obligations they need to meet when collecting, using and disclosing personal data. Some of these obligations overlap with those under the GDPR, but we'll provide a breakdown to help companies understand what they need to do.
The individual who provides the personal data has to consent to its collection, use and disclosure. Under the PDPA, the individual can withdraw that consent at any time by giving reasonable notice, after which the organisation must stop collecting, using or disclosing the data. Note that this is a right to withdraw consent, not the GDPR's "right to be forgotten": the PDPA does not give a general right to demand erasure, although the organisation must still cease retaining data it no longer needs for a business or legal purpose.
Companies can only collect, use and disclose personal data for the purposes for which they obtained consent. This means companies in Singapore can't redirect data to other purposes. Companies looking to collect data for several different purposes have to obtain consent for each purpose.
If a company wants to use personal data for a new purpose, it has to notify the individual of that purpose and obtain fresh consent before doing so. This can affect the speed of operations, but it is a must.
The PDPA also requires companies to give individuals access to their personal data. On request, an individual is entitled to know what personal data the company holds about them and how it has been used or disclosed in the past year, and may ask for errors or omissions to be corrected.
For companies doing business in Singapore, this means they need an open channel through which individuals can make such requests. At a minimum, the business contact information of the DPO must be made publicly available; larger organisations may need a dedicated function to handle requests.
For those wondering how the PDPA affects companies, here's a major talking point. Companies must make a reasonable effort to ensure that the personal data they collect is accurate and complete.
This becomes especially important if the data is likely to be used to make a decision that affects the individual, or if it will be disclosed to another organisation. Companies can't just receive data and pass it on; there has to be a collation, organisation and quality assurance step.
Security measures have to be a part of company operations. Reasonable technical and organisational measures have to be in place to protect personal data against unauthorised access, collection, use, disclosure, copying, modification or disposal.
How to Comply With Personal Data Protection
A personal data protection officer can help companies identify the areas where they need to make changes to satisfy PDPC compliance. Here are the steps company may need to implement:
Implement security mechanisms
To ensure personal data protection, companies must take security measures proportionate to the sensitivity of the data. This starts with limiting collection to what is actually needed and ceasing to retain personal data once it is no longer required for a business or legal purpose.
Where the data is sensitive, companies should encrypt it and restrict access to it. The PDPA itself does not define special categories of data, but the PDPC expects a higher standard of protection for data whose disclosure could cause significant harm, such as:
- Data on political, ethnic, philosophical or religious opinions
- Genetic data
- Biometric data
- Health-related information
- Sexual orientation
Controls that typically need to be enacted include strong password policies, two-factor authentication, VPNs for remote access, encryption at rest and in transit, and role-based access control with audit logging.
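The two controls above that most often go wrong in practice are field-level encryption and access restriction, so the following Go program shows them working together. It is an added example written for this article, not code from the page's author or from Consulti, and everything in it is an assumption for illustration: the list of sensitive field names, the role-to-field access list, the constructed sample record and the all-zero test key. Sensitive fields are sealed with AES-256-GCM, with the field name bound as associated data so a ciphertext cannot be moved between fields, and decryption only happens after the caller's role has passed the access check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Field names treated as sensitive (assumed set, mirroring the categories above).
var sensitiveFields = map[string]bool{
	"political_opinion": true, "religion": true, "genetic": true,
	"biometric": true, "health": true, "sexual_orientation": true,
}

// Hypothetical access list: which roles may decrypt which sensitive field.
var fieldACL = map[string][]string{
	"health":    {"clinician"},
	"genetic":   {"clinician"},
	"biometric": {"identity_verifier"},
}

// Record keeps non-sensitive fields in the clear and sensitive ones only as
// AES-GCM ciphertext laid out as nonce || ciphertext || tag.
type Record struct {
	Clear map[string]string
	Enc   map[string][]byte
}

// Vault holds the AES-256-GCM AEAD used for field-level encryption.
type Vault struct{ aead cipher.AEAD }

// NewVault requires a 32-byte key; in production it comes from a KMS or HSM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// seal encrypts one value under a fresh random nonce and binds the field
// name as associated data, so a ciphertext cannot be swapped into another field.
func (v *Vault) seal(field, value string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(value), []byte(field)), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or field name fails.
func (v *Vault) open(field string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Store classifies each field and encrypts the sensitive ones before the
// record is persisted, so plaintext never reaches storage.
func Store(v *Vault, fields map[string]string) (*Record, error) {
	r := &Record{Clear: map[string]string{}, Enc: map[string][]byte{}}
	for k, val := range fields {
		if !sensitiveFields[k] {
			r.Clear[k] = val
			continue
		}
		ct, err := v.seal(k, val)
		if err != nil {
			return nil, err
		}
		r.Enc[k] = ct
	}
	return r, nil
}

// Read enforces the access list before any decryption: a role not listed for
// the field never obtains plaintext, and each decision is logged for audit.
func Read(v *Vault, r *Record, role, field string) (string, error) {
	if val, ok := r.Clear[field]; ok {
		return val, nil
	}
	blob, ok := r.Enc[field]
	if !ok {
		return "", fmt.Errorf("no field %q", field)
	}
	for _, allowed := range fieldACL[field] {
		if allowed == role {
			fmt.Printf("audit: role=%s read field=%s\n", role, field)
			return v.open(field, blob)
		}
	}
	fmt.Printf("audit: role=%s DENIED field=%s\n", role, field)
	return "", fmt.Errorf("role %q may not read %q", role, field)
}

func main() {
	key := make([]byte, 32) // constructed key for the demo only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	// Constructed sample record.
	rec, _ := Store(v, map[string]string{"name": "Tan Ah Kow", "health": "asthma"})
	fmt.Println(Read(v, rec, "clinician", "health"))
	fmt.Println(Read(v, rec, "marketing", "health"))
}
```

The point of binding the field name as associated data is that an attacker with write access to the database cannot copy the ciphertext of one individual's health field into another field or record and have it decrypt cleanly. The access check sits in front of the decryption call, not behind it, so a denied role never triggers a key use, which also keeps the audit log honest.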
Procedure for working with other companies
Companies need to put stringent data protection contracts in place when working with third parties. These include providers responsible for analytics, email and cloud hosting. Under the PDPA, an organisation remains responsible for personal data it passes to a data intermediary to process on its behalf, so agreements with any company that handles customer data need to be reviewed.
The PDPA sets no headcount threshold for record keeping (the 250-employee figure comes from the GDPR), but to meet the accountability obligation, every company should document the following:
- The purpose of processing the data
- The kind of data
- All personnel who access the data
- All third parties who handle the data
- Protective measures and how they are managed
- Timelines for erasing the data if necessary
Report personal data breaches
Companies must assess any personal data breach promptly, and if it is notifiable, report it to the PDPC as soon as practicable and no later than 3 calendar days after determining that it is notifiable. Affected individuals must also be notified where the breach is likely to result in significant harm to them.
Appointing a Personal Data Protection Officer
This is a mandatory part of complying with the PDPA. A data protection officer is the person responsible for the organisation's personal data protection. Their job is to assess risk, develop policies, monitor compliance and act as the point of contact for individuals and the PDPC.
Ongoing Changes to Personal Data Protection & Breaches Regulations
The PDPA has been in existence for over eight years now, so it is only normal that there will be updates to the Act. In May 2020, the authorities issued a public consultation paper detailing changes to the Personal Data Protection Act, and the resulting amendment Act was passed in November 2020. The changes include:
Increased penalties for non-compliance
The maximum financial penalty the PDPC can impose for non-compliance has been raised. Previously it was capped at SGD 1 million; under the amendments it can be up to 10% of an organisation's annual turnover in Singapore (for organisations with turnover above SGD 10 million) or SGD 1 million, whichever is higher.
Data breach notifications
Breach notification is now mandatory rather than voluntary. A breach must be reported to the PDPC, and to affected individuals, if it is likely to result in significant harm to the individuals concerned or if it affects 500 or more individuals.
Revisions to the consent framework
Consent may no longer be necessary in certain situations: the amendments add deemed consent by notification, a legitimate interests exception and a business improvement exception, each subject to conditions such as assessing the impact on the individual.
Data portability obligations
As part of the changes to the Personal Data Protection Act, individuals gain the right to request that a copy of their personal data be transmitted to another organisation in a commonly used machine-readable format, once the portability provisions commence.
There are now also criminal offences for individuals who:
- Knowingly or recklessly disclose personal data without authorisation
- Make unauthorised use of personal data to obtain a gain for themselves or another person, or to cause harm or loss to another person
- Re-identify anonymised data without authorisation
To Cap It Off
Data protection laws in Singapore are stringent and exist primarily to protect the average individual. This means companies operating in Singapore have to take detailed measures to ensure they comply with all PDPC-enforced obligations where personal data is concerned.
For the best results, it is recommended that companies appoint an experienced data protection officer. They have the know-how to ensure that companies comply with all personal data protection requirements. Consulti can help with personal data compliance issues. Contact us today to get started.