- consent for the collection, use, or disclosure cannot be obtained in a timely way; or
- the individual would not reasonably be expected to withhold consent;
An organization is further required to state the purposes for which it is collecting, using, or disclosing the data under the Notification Obligation (Sections 18 and 20 of the PDPA). Where the supply of a product or service is conditional upon consent being given by an individual, such consent must not extend beyond what is reasonable to provide that product or service.
Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. The PDPA provides for three different forms of deemed consent:
- deemed consent by conduct;
- deemed consent by contractual necessity; and
- deemed consent by notification.
Deemed consent by conduct
According to the PDPC's Key Concepts Guidelines, deemed consent by conduct applies to situations where the individual voluntarily provides their personal data to the organization. The purposes are limited to those that are objectively obvious and reasonably appropriate to the surrounding circumstances. Consent is deemed to be given to the extent that the individual intended to provide their personal data and had taken the action required for the data to be collected by the organization. The onus is on the organization to ensure that individuals are aware of the purposes for which their personal data is being collected, used, or disclosed.
Deemed consent by contractual necessity
Deemed consent by contractual necessity is where the disclosure of personal data from one organization A to another organization B is necessary for the conclusion or performance of a contract or transaction between the individual and organization A. Deemed consent by contractual necessity extends to disclosure by organization B to another downstream organization C where the disclosure by organization B (and collection by organization C) is reasonably necessary to fulfil the contract between the individual and organization A.
Deemed consent by notification
Under deemed consent by notification, an individual deemed to have consented to the collection, use, or disclosure of personal data for a purpose that the individual had been notified of, and where that individual has not taken any action to opt-out of the collection, use, or disclosure of their personal data. The Key Concepts Guidelines provide that deemed consent by notification is useful where the organization wishes to use or disclose existing data for secondary purposes that are different from the primary purposes for which it had originally collected the personal data, and it is unable to rely on any of the exceptions to consent for the intended secondary use.
Reliance on deemed consent by notification is subject to the organization assessing and determining whether certain prior conditions are met. First, an organization must conduct an assessment to determine that the proposed collection, use, or disclosure of personal data is not likely to have an adverse effect on the individual. Second, an organization must take reasonable steps to notify the individual of the organization's intention to collect, use, or disclose personal data and the purpose of such collection, use, or disclosure. Third, the organization must provide a reasonable period for the individual to opt-out before it proceeds to collect, use, or disclose the personal data. Consent for the collection, use, or disclosure of personal data is deemed to be given only after the opt-out period has lapsed. According to the Key Concepts Guidelines, deemed consent by notification should not be relied on where individuals would not have a reasonable opportunity and period to opt-out (e.g. security monitoring of premises using video cameras).
Individuals can generally withdraw any consent given or deemed to have been given at any time by giving a reasonable notice. On receipt of notice that an individual wishes to withdraw consent, the organization must inform the individual of the likely consequences of such a withdrawal of consent. While the organization may not prohibit an individual from withdrawing their consent, such withdrawal will not affect any legal consequences arising from such withdrawal (e.g. cessation of services provided by the organization). Withdrawal of consent applies prospectively and will only affect an organization's continued or future use of the personal data concerned. Organizations are also required to cause their agents and data intermediaries to cease collection, use, or disclosure of the individual's personal data when consent is withdrawn unless such collection, use, or disclosure without the individual’s consent is required or authorized under the PDPA or other written law.
An organization collecting personal data from a third-party source is required to notify the source of the purposes for which it will be collecting, using, and disclosing the personal data. Moreover, the organization should exercise the appropriate due diligence to check and ensure that the third-party source can validly give consent for the collection, use, and disclosure of personal data on behalf of the individuals or that the source had obtained consent for the disclosure of the personal data.
5.2. Contract with the data subject
Where an organization enters into a contract with an individual, the individual may be deemed to have given their consent for the collection, use, or disclosure of personal data (as the case may be), as detailed in the section on consent above.
5.3. Legal obligations
An organization is able to collect, use, and disclose personal data without consent where it is required or permitted under law. For example, under Paragraph 4, Part 3 of the Second Schedule to the PDPA, disclosure of personal data without consent is permitted where it is made to any officer of a prescribed law enforcement agency, upon production of written authorization signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.
5.4. Interests of the data subject
An organization is able to collect, use, and disclose personal data where it is in the vital interests of the individual in question. Under Part 1 of the First Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where (amongst others):
- the disclosure is necessary for any purpose that is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way; or
- the disclosure is necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual.
5.5. Public interest
An organization is able to collect, use, and disclose personal data without consent where it is in the public interest. For example, under Paragraph 2, Part 2 of the First Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where the collection, use, or disclosure is necessary in the national interest.
5.6. Legitimate interests of the data controller
An organization is able to collect, use, and disclose personal data without consent where it is in the legitimate interests of the organization. Under Part 3 of the First Schedule to the PDPA, subject to certain requirements, organizations will be able to collect, use, and disclose (as the case may be) personal data about an individual if:
- it is in the legitimate interests of the organization or another person; and
- the legitimate interests of the organization or other person outweigh any adverse effect on the individual.
Before relying on the legitimate interests exception, an organization must conduct an assessment, i.e. a DPIA, in accordance with the prescribed requirements. The organization must, in respect of the DPIA, be able to:
- identify and be able to clearly articulate the situation or purpose that qualifies as a legitimate interest;
- identify and implement reasonable measures to eliminate and reduce the likelihood of the occurrence of, or mitigate the adverse effect of the processing of personal data on the individual; and
- comply with any prescribed requirements.
An organization relying on the legitimate interests exception to collect, use, or disclose personal data without consent must take reasonable steps to provide the individual with reasonable access to information that the organization is relying on the exception. The legitimate interests exception does not apply to the processing of personal data for the purposes of sending an individual a message for an 'applicable purpose' as prescribed in the Tenth Schedule to the PDPA.
5.7. Legal bases in other instances
In general, organizations may collect, use, or disclose personal data as long as an exception under the First Schedule or Second Schedule to the PDPA applies.
6. Principles
The Data Protection Provisions under the PDPA impose the following data protection obligations on organizations with respect to their data activities:
- Consent Obligation: An organization must obtain an individual's consent before collecting, using, or disclosing their personal data for a purpose (Sections 13 to 17 of the PDPA).
- Purpose Limitation Obligation: An organization may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
- Notification Obligation: An organization must notify the individual of the purpose(s) for which it intends to collect, use, or disclose their personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes (Sections 18 and 20 of the PDPA).
- Access and Correction Obligation: An organization must, upon request, allow an individual to access and/or correct their personal data in its possession or under its control. In addition, the organization is obliged to provide the individual with information about the ways in which personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
- Accuracy Obligation: An organization must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned or disclose such personal data to another organization (Section 23 of the PDPA).
- Protection Obligation: An organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent: (a) unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored (Section 24 of the PDPA).
- Retention Limitation Obligation: An organization must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25 of the PDPA).
- Transfer Limitation Obligation: An organization must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA).
- Accountability Obligation: An organization must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a DPO, and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints. In addition, the organization is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12 of the PDPA).
- Data Breach Notification Obligation: An organization must assess data breaches that have occurred affecting personal data in their possession or under their control, and are required to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches) (Sections 26A to 26E of the PDPA).
In addition, the Amendment Act will also further introduce one more data protection obligation (which has yet to come into effect):
- Data Portability Obligation: Upon an organization's receipt of a data porting request from an individual, the porting organization must transmit the applicable data specified in the data porting request to the receiving organization in accordance with any prescribed requirements, such as requirements relating to technical, user experience, and consumer protection matters.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no obligation imposed on an organization to notify or register with the PDPC before collecting, using, or disclosing any personal data in Singapore.
7.2. Data transfers
Organizations are subject to the Transfer Limitation Obligation. An organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.
To do so, the organization must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. These 'legally enforceable obligations' include those imposed under law, contract. Binding Corporate Rules ('BCRs'), or any other legally binding instrument.
In addition, organizations that hold a 'specified certification' that is granted or recognized under the law of the country or territory to which personal data is transferred will be taken to be bound by such legally enforceable obligations. Under the PDPR, a 'specified certification' refers to certifications under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') System and the APEC Privacy Recognition for Processors ('PRP') System. A recipient is taken to have satisfied the requirements under the Transfer Limitation Obligation if:
- it is receiving the personal data as an organization, and it holds a valid APEC CBPR certification; or
- it is receiving the personal data as a data intermediary, and it holds either a valid APEC PRP or CBPR certification or both.
A contract that is relied on as a legally enforceable obligation for the cross-border transfer of personal data must:
- require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to that under the PDPA; and
- specify the countries and territories to which the personal data may be transferred under the contract.
Similarly, BCRs that are relied on as legally enforceable obligations for the cross-border transfer of personal data must:
- require every recipient of the transferred personal data to provide to the personal data a standard of protection that is at least comparable to the protection under the PDPA;
- specify the recipients of the transferred personal data to which the BCRs apply;
- specify the countries and territories to which the personal data may be transferred under the BCRs; and
- specify the rights and obligations provided by the BCRs.
BCRs may only be used for recipients that are related to the transferring organization. A recipient of personal data is considered 'related' to the transferring organization if:
- the recipient, directly or indirectly, controls the transferring organization;
- the recipient is, directly or indirectly, controlled by the transferring organization; or
- the recipient and the transferring organization are, directly or indirectly, under the control of a common person.
There are a few express situations whereby an organization can be taken to have satisfied the requirement of taking appropriate steps to ensure that the recipient outside Singapore is bound by legally enforceable obligations to protect personal data in accordance with comparable standards. These include:
- where the individual consents to, or is deemed to have consented to, the transfer of the personal data to the recipient in that country;
- where the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, subject to the transferring organization taking reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and where the personal data is data in transit or publicly available in Singapore.
7.3. Data processing records
There is no obligation imposed on an organization to maintain any data processing records. However, all organizations should ensure that they comply with the Data Protection Provisions of the PDPA in carrying out their data activities.
7.4. Data protection impact assessment
Whilst there is no standalone obligation to conduct a DPIA under the PDPA, there are provisions in the PDPA that require organizations to conduct 'assessments' (which may be narrower in scope than a full DPIA) under certain circumstances. Specifically, the obligation to conduct certain assessments under the PDPA falls on organizations (Section 15A(4)(a) and Paragraph 1(2)(a), Part 3 of the First Schedule to the PDPA). In addition, the PDPC recommends that a DPIA is undertaken, as part of an organization's 'data protection management programme' and their obligation to develop and implement policies and practices that are necessary for the organization to comply with the PDPA (Page 5 of the DPIA Guide and Pages 12 to 13 of the Management Programme Guide). In particular, the conduct of a DPIA should be led by, among others, the project manager or person in charge of the project and the DPO, as well as senior management within an organization (Page 8 of the DPIA Guide).
Mandatory assessments
The PDPA requires an assessment to determine whether the proposed collection, use, or disclosure of personal data is likely to have an adverse effect on the individual concerned in the following circumstances:
- when the organization intends to rely on the individual's 'deemed consent by notification' under Section 15A of the PDPA (Section 15A(4)(a) of the PDPA); and
- when the collection, use, or disclosure of personal data is carried out in the legitimate interests of the organization or another person, pursuant to Paragraph 1, Part 3 of the First Schedule to the PDPA (Paragraph 1(2)(a), Part 3 of the First Schedule to the PDPA).
For purposes of 'deemed consent by notification,' an individual is 'deemed' to have provided consent to the processing of their personal data if (Section 15A(2) of the PDPA):
- the organization satisfies the requirements to conduct an assessment pursuant to Section 15A(4) of the PDPA; and
- the individual does not notify the organization, before the expiry of the period mentioned in the organization's notice to the individual, that the individual does not consent to the proposed collection, use, or disclosure of personal data by the organization.
Notably, where it is assessed that there are likely residual adverse effects to the individual after implementing the measures identified in the assessment, organizations will not be able to rely on deemed consent by notification to collect, use, or disclose personal data for the purpose (Section 12.57 of the Advisory Guidelines).
Conversely, however, organizations may still rely on legitimate interests to process personal data, if the assessment indicates that the legitimate interests outweigh any likely residual adverse effect to the individual (Section 12.57 of the Advisory Guidelines).
Where an assessment is required under the PDPA (i.e. for deemed consent or for processing based on the legitimate interests of the organization or another person), the organization must (Section 15A(5) of the PDPA and Paragraph 1(3), Part 3 of the First Schedule to the PDPA):
- identify any adverse effect that the proposed collection, use, or disclosure of the personal data for the purpose concerned is likely to have on the individual;
- identify and implement reasonable measures to:
- eliminate the adverse effect;
- reduce the likelihood that the adverse effect will occur; or
- mitigate the adverse effect; and
Assessments for the purposes of deemed consent
According to Regulation 14(2) of the PDPR, an assessment mentioned in Section 15A(4)(a) of the PDPA to determine whether the proposed processing activity is likely to have an adverse effect on an individual must specify all of the following information:
- the types and volume of personal data to be processed;
- the purpose or purposes for which the personal data will be processed;
- the method or methods by which the personal data will be processed;
- the mode by which the individual will be notified of the organization's proposed processing activities; and
- the period within which, and the mode by which, the individual may notify the organization that the individual does not consent to the organization's proposed processing activities, as well as the rationale for the same.
Assessments for the purposes of legitimate interests
According to the Regulation 15(2) of the Regulations, an assessment mentioned in Paragraph 1(2)(a), Part 3 of the First Schedule to the PDPA must:
- specify:
- the types and volume of personal data to be processed;
- the purpose or purposes for which the personal data will be processed; and
- the method or methods by which the personal data will be processed;
According to the Advisory Guidelines, the PDPC considers adverse effects to include any physical harm, harassment, serious alarm, or distress to the individual (Section 12.65 of the Advisory Guidelines). In considering the likely adverse effect, the organization should consider the following (Section 12.69 of the Advisory Guidelines):
- the impact of the collection, use, or disclosure of the personal data on the individual, including the severity and likelihood of an adverse effect and considering all reasonably foreseeable risks and effects;
- the nature and type of personal data, and whether the individuals belong to a vulnerable segment of the population;
- the extent of the collection, use, or disclosure of personal data, and how the personal data will be processed and protected;
- the reasonableness of the purpose of collection, use, or disclosure of personal data; and
- whether the predictions or decisions that may arise from the collection, use, or disclosure of the personal data are likely to cause physical harm, harassment, serious alarm, or distress to the individual.
Furthermore, in determining whether the measures implemented to eliminate or mitigate the likely adverse effects identified are appropriate, the PDPC adopts a commercially reasonable standard. Examples of reasonable measures and safeguards include (Section 12.66 of the Advisory Guidelines):
- minimizing the amount of personal data collected;
- encrypting or immediate deletion of personal data after use; and
- functional separation, access controls, and other technical or organizational measures that lower the risks of personal data being used in ways that may adversely impact the individual.
Recommended assessments
Separately, the PDPC outlines that a DPIA may be conducted where the system/process is (Page 7 of the DPIA Guide):
- new and in the process of being designed; or
- in the process of undergoing major changes.
Examples of when to conduct a DPIA include (Page 8 of the DPIA Guide):
- creating a new system that involves handling personal data;
- creating new processes, including manual processes, that involve handling personal data;
- changing the way existing systems or processes handle personal data;
- changes to the organizational structure that affects the department handling personal data; and
- collecting new types of personal data.
According to the DPIA Guide, the key tasks of a DPIA include (Page 7 of the DPIA Guide):
- identifying the personal data handled by the system or process, as well as the reasons for collecting the personal data;
- identifying how the personal data flows through the system or process;
- identifying data protection risks by analyzing the personal data handled and its data flows against PDPA requirements or data protection best practices;
- addressing the identified risks by amending the system or process design, or introducing new organization policies; and
- checking to ensure that identified risks are adequately addressed before the system or process is in effect or implemented.
In addition, the PDPC recommends that a DPIA is undertaken, as part of an organization's 'Data Protection Management Programme' and their obligation to develop and implement policies and practices that are necessary for the organization to comply with the PDPA (Page 5 of the DPIA Guide and Pages 12 to 13 of the Management Programme Guide).
The obligation to conduct certain assessments under the PDPA falls on organizations (Section 15A(4)(a) of the PDPA and Paragraph 1(2)(a), Part 3 of the First Schedule to the PDPA).
Separately, the recommendation to undertake a DPIA is also directed at organizations that are subject to the PDPA (Page 5 of the DPIA Guide). In particular, the conduct of a DPIA should be led by, among others, the project manager or person in charge of the project and the DPO, as well as senior management within an organization (Page 8 of the DPIA Guide).
How to conduct a DPIA
For the requirement to conduct an assessment under Section 15A(5) of the PDPA and Paragraph 1, Part 3 of the First Schedule to the PDPA, Annex B and Annex C of the Advisory Guidelines provide an assessment checklist for deemed consent by notification and legitimate interests respectively.
Separately, the DPIA Guide also includes a DPIA lifecycle which outlines the six phases of a DPIA:
- assessing the need for a DPIA;
- planning a DPIA;
- identifying personal data and personal data flows;
- identifying and assessing data protection risks;
- creating an action plan; and
- implementing and monitoring action plans.
In addition, it provides example scenarios of when organizations may decide to conduct a DPIA, sample DPIA questionnaires, and best practices (see Annexes A and B of the DPIA Guide).
Retention of assessments
Organizations must retain a copy of its assessment mentioned in Section 15A(4)(a) of the PDPA and Paragraph 1(3), Part 3 of the First Schedule to the PDPA throughout the period that the organization collects, uses, or discloses the related personal data (Regulations 14(3) and 15(3) of the Regulations).
Role of the DPO
The DPO has the following functions regarding DPIAs (Page 9 of the DPIA Guide):
- advising the DPIA lead throughout the DPIA process by:
- identifying and mitigating identified data protection risks by providing support based on best practices adapted to the organization's needs and circumstances;
- defining and applying the risk assessment framework;
- ensuring that DPIAs are conducted according to the organization's policies and recommending improvement to DPIA methodology based on industry best practices; and
- reviewing DPIA report prior to submission to management;
Data Protection by Design
The PDPC notes that a DPIA is also a key component of taking a Data Protection by Design approach, in which organizations consider the protection of personal data from the earliest possible design stage, and throughout the operational lifecycle, of the new system, process, product, or service. This way, the appropriate safeguards to protect personal data would have been embedded within (Page 5 of the DPIA Guide).
7.5. Data protection officer appointment
As part of the Accountability Obligation, it is mandatory for organizations to appoint a DPO, or a panel of individuals designated as the DPO, to be responsible for ensuring that the organization complies with the PDPA. DPOs can be registered with the PDPC via its website. The organization must make the business contact information of the DPO publicly available. The appointed DPO may delegate the responsibility conferred by this appointment to appropriate individuals, although, as mentioned previously, the organization remains ultimately responsible for complying with the PDPA (Sections 11(4) and 11(6) of the PDPA). Organizations that have not appointed a DPO are in breach of the Accountability Obligation and may be subject to a financial penalty. The PDPC may also issue directions to that organization to appoint a DPO.
Additionally, the PDPC has stated that recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organization and ought to be part of enterprise risk management frameworks. This would allow the board of directors and C-level executives to be made cognizant of the risks of a data breach (see Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15).
The organization is also required to make available the business contact information of a person who is able to respond to questions relating to the collection, use, or disclosure of personal data on behalf of the organization under the Notification Obligation. This person may also be the designated DPO. Without limiting Section 11(5) of the PDPA, an organization is deemed to have satisfied that Section 11(5) of the PDPA if the organization makes available the business contact information of any individual mentioned in Section 11(3) of PDPA in any prescribed manner (Section 11(5A) of the PDPA). While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends as good practice that the business contact information of this person should be readily accessible from Singapore, operational during Singapore business hours and if telephone numbers are used, they should be Singapore telephone numbers (the DPO Guide and the DPO FAQs).
In terms of choice of the DPO, the PDPC has stated that the DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to them. If the DPO is not one of the C-level executives, the DPO should have at least a direct line of communication with them. This level of access and empowerment will provide the DPO with the necessary wherewithal to perform their role and accomplish their functions (see Re M Stars Movers & Logistics Specialist Pte Ltd).
The responsibilities of a DPO may include, but are not limited to (the Data Protection Officers ('the Guide') and the Data Protection Officer Competency Framework and Training Roadmap ('the Framework')):
- ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- fostering a data protection culture among employees and communicate personal data protection policies to stakeholders;
- managing personal data protection-related queries and complaints;
- alerting management to any risks that might arise with regard to personal data;
- liaising with the PDPC on data protection matters, if necessary;
- performing DPIAs to identify, assess and address business risks, based on the organization's functions, needs and processes;
- developing staff training programs;
- overseeing activities to foster awareness within the organization; and
- facilitating the implementation of data innovation by translating user's privacy and personal data protection requirements into the data-driven design thinking process.
In addition, the Framework provides further guidance and outlines two roles in addition to the DPO, namely the Data Protection Executive and the Regional DPO, both of which have different functions and competencies. The PDPA does not provide specific minimum requirements as to the qualifications of the DPO, nor does it stipulate a minimum age requirement. However, the appointed person is expected to have the appropriate expertise and knowledge to be able to ensure that the organization complies with the PDPA and develop a process to receive and respond to complaints with respect to the application of the PDPA (the FAQs).
Furthermore, the Guide outlines that in order to build personal data protection capabilities of DPOs and organization representatives engaged in data protection, a two-day course on the fundamentals of the PDPA has been developed under the Business Management Workforce Skill Qualifications framework. Finally, the Framework provides guidance on the ideal competency and proficiency level for each job function as well as the training roadmap recommended for the same. Relevant competencies include inter alia:
- data protection management;
- business risk management;
- cyber and data breach incident management; and
- stakeholder management.
An individual designated as a DPO may delegate to another individual the responsibilities conferred onto them (Section 11(4) of the PDPA). The designation of an individual by an organization under Section 11(3) of the PDPA does not relieve the organization of any of its obligations under the PDPA (Section 11(6) of the PDPA).
Notification
An organization must make available to the public the business contact information of at least one of the individuals designated under Section 11(3) of the PDPA or delegated under Section 11(4) of the PDPA (Section 11(5) of the PDPA). An organization is deemed to have satisfied this requirement if the organization makes available the business contact information in either of the following manners:
- in a record relating to the organization that is made available on the Internet website of the Accounting and Corporate Regulatory Authority; or
- in a readily accessible part of the organization's official website (Section 11(5A) of the PDPA read with Regulation 1A of the PDPR).
7.6. Data breach notification
The Amendment Act introduced a new Data Breach Notification Obligation under Part 6A of the PDPA, which came into effect on February 1, 2021. Under this Data Breach Notification Obligation, organizations are required to assess data breaches that have occurred affecting personal data in their possession or under their control, and to notify the PDPC, as well as affected individuals, of the occurrence of data breaches that meet certain thresholds (i.e. notifiable data breaches), unless an exception applies.
A 'data breach,' in relation to personal data, is defined as:
- the unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data; or
- the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification, or disposal of the personal data is likely to occur.
A notifiable data breach is a data breach that:
- results in, or is likely to result in, significant harm to any individual to whom any personal data affected by a data breach relates; or
- is, or is likely to be, of a significant scale (i.e. 500 or more individuals).
Section 26C of the PDPA provides for a duty to assess, which requires organizations to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach, if it has reason to believe that a data breach has occurred affecting personal data in its possession or under its control.
Under Section 26D of the PDPA, where an organization assesses that a data breach is a notifiable data breach, the organization must notify the PDPC as soon as is practicable, but in any case no later than three calendar days after it makes the assessment.
Furthermore, unless an exception applies, organizations must, on or after notifying the PDPC, notify the individuals affected by a notifiable data breach, if the data breach results in, or is likely to result in, significant harm to an affected individual. The notification should be in the form and manner as prescribed and contain information to the best of the knowledge and belief of the organization at the time.
Under Regulation 3 of the Breach Notification Regulations, a data breach is deemed to result in significant harm to an individual if the data breach relates to:
- the individual's full name or alias or identification number, and any of the personal data or classes of personal data relating to the individual set out in Part 1 of the Schedule, subject to Part 2 of the Schedule; or
- all of the following personal data relating to an individual's account with an organization:
- the individual's account identifier such as an account name or number; and
- any password, security code, access code, response to a security question, biometric data, or other data that is used or required to allow access to or use of the individual's account.
The categories under Part 1 of the Schedule to the Breach Notification Regulations broadly include personal data in the following categories:
- financial information which is not publicly disclosed;
- personal data which would lead to the identification of vulnerable individuals (e.g. leading to identification of a minor who has been arrested for an offense);
- life, accident, and health insurance information which is not publicly disclosed;
- specified medical information, including the assessment and diagnosis of HIV infections;
- information related to adoption matters; and
- a private key used to authenticate any or digitally sign an electronic record or transaction.
One notable exception to the duty to notify is where a data breach takes place within an organization. A data breach that relates to the unauthorized access, collection, use, disclosure, copying, or modification of personal data only within an organization is deemed not to be a notifiable data breach (Section 26B(4) of the PDPA). The PDPC provides an example, in the Key Concepts Guidelines, of the HR department of an organization mistakenly sending an email attachment containing personal data to another department within the same organization that is not authorized to receive it. Since the data breach is contained within the organization, it is not a notifiable data breach and the data breach is not subject to the Data Breach Notification Obligation.
The PDPC has also reminded organizations of their general duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC (see Re NTUC Income Insurance Co-operative [2018] SGPDPC 10).
Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organization, the data intermediary must, without undue delay, notify that other organization of the occurrence of the data breach. The PDPC provides that, as a good practice, organizations should establish clear procedures for complying with the Data Breach Notification Obligation when entering into service agreements or contractual arrangements with their data intermediaries.
Additionally, organizations are also subject to the Protection Obligation. An organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks, and the loss of any storage medium or device on which personal data is stored. In this regard, the PDPC has published the Guide to Data Protection Practices for ICT Systems (including a Handbook on How to Guard Against Common Types of Data Breaches and Checklists to Guard Against Common Types of Data Breaches) and Guide to Managing and Notifying Data Breaches (revised on March 15, 2021), which is intended to help organizations to identify, prepare for, and manage data breaches.
Sectoral obligations
In relation to financial institutions ('FIs'), the Monetary Authority of Singapore ('MAS') has issued Notices on Technology Risk Management (complemented by the Guidelines on Outsourcing and the Technology Risk Management Guidelines ('the Risk Management Guidelines')), which require FIs to notify the MAS of, amongst others, breaches of security and confidentiality of the FI's customer information within the following timeframes:
- within an hour of the discovery of a 'Relevant Incident', which is defined as 'a system malfunction or IT security incident, which has a severe and widespread impact on the financial institution's operations or materially impacts the financial institution's service to its customers;' and
- 'as soon as possible of any adverse development arising from (their) outsourcing arrangements that could impact the institution' as well as any 'such adverse development encountered within the institution's group.'
The MAS has also issued Circular No. ID 03/23 to set out the following expectations for licensed insurers regarding notification to MAS of data breaches:
- the MAS should be concurrently notified of data breaches that are required to be notified to PDPC;
- the MAS should be notified of data breaches that meet the criteria under MAS Notice 127 and the Authority's Guidelines on Outsourcing, based on the timelines indicated within these instruments; and
- for data breaches that fall outside the circumstances above, the MAS should be notified of them on a consolidated basis, within three weeks from the last day of each quarter starting from 2023 first quarter. The breaches to be included should be those identified during the quarter, regardless of whether the breaches had occurred during or prior to the quarter.
7.7. Data retention
The Retention Limitation Obligation in the PDPA requires an organization to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for legal or business purposes.
The PDPA does not prescribe a specific retention period for personal data, and the duration of time whereby an organization can retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and retained. Accordingly, legal or specific industry-standard requirements in relation to the retention of personal data may apply.
Where there is no longer a need for an organization to retain personal data, the organization should cease to do so. An organization will be deemed to have ceased to retain personal data when it no longer has access to the documents and the personal data they contain, or when the personal data is otherwise inaccessible to or irretrievable by the organization. In addition, an organization will be considered to have ceased to retain personal data when it no longer has the means to associate the personal data with particular individuals (i.e. the personal data has been anonymized) (Paragraph 18.14 of the Key Concepts Guidelines).
In considering whether an organization has ceased to retain personal data the PDPC will consider the following factors in relation to the personal data (Paragraph 18.13 of the Key Concepts Guidelines):
- whether the organization has any intention to use or access the personal data;
- how much effort and resources the organization would need to expend in order to use or access the personal data again;
- whether any third parties have been given access to that personal data; and
- whether the organization has made a reasonable attempt to destroy, dispose of, or delete the personal data in a permanent and complete manner.
7.8. Children's data
There are no specific provisions regulating the processing of children's data. However, see the definition of 'sensitive data' under section on key definitions above.
Additionally, the PDPC has stated, in its Selected Topics Guidelines, that organizations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent in determining if the minor can effectively provide consent on their own behalf for the purposes of the PDPA.
The PDPC has also stated in the Selected Topics Guidelines that it would adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on their own behalf. However, it also states that where an organization has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organization should obtain consent from an individual who is legally able to provide consent on the minor's behalf, such as the minor's parent or guardian.
7.9. Special categories of personal data
See the definition of 'sensitive data' under section on key definitions above.
7.10. Controller and processor contracts
If an organization is not a data intermediary, it is subject to the full set of data protection obligations under the PDPA. In contrast, as elaborated on in section on personal scope above, other than the Protection Obligation, the Retention Limitation Obligation, and the duty to notify the organization/public agency it is processing data on behalf of a data breach under the Data Breach Notification Obligation, no other data protection obligations are imposed on a data intermediary, with respect to its processing of personal data for or on behalf of an organization pursuant to a contract in writing. Therefore, to avoid both parties having to answer to the Data Protection Provisions to the full extent, the contract should state clearly the relationship and the rights and obligations of both parties.
Even if an organization engages a data intermediary to process personal data on its behalf and for its purposes, Section 4(3) of the PDPA provides that it must have the same obligations as if the personal data were processed by the organization itself. Therefore, effectively, the organization will remain liable for the actions and omissions of the data intermediary for personal data that the data intermediary is processing on the organization's behalf.
In this regard, data intermediaries are typically subject to contractual obligations which necessitate compliance with the other obligations of the PDPA. According to the Key Concepts Guidelines, it is expected that organizations engaging data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in the service agreement between the organization and the data intermediary.
On February 1, 2021, the PDPC released a revised version of its non-legally binding Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data, which provides sample data protection clauses that an organization purchasing services relating to the processing of personal data may include in the service agreements with the data intermediaries.
If the organization fails to put in place data protection clauses in such service agreements, the organization runs the risk of being in breach of its Protection Obligation by failing to take necessary actions and precautionary measures to protect such personal data.
8. Data Subject Rights
8.1. Right to be informed
While there is no standalone right to be informed under the PDPA, organizations are subject to several Data Protection Provisions under the PDPA which require them to provide notification to the individual data subject under certain circumstances.
First, under the Notification Obligation, the organization must notify the individual of the purpose(s) for which it intends to collect, use, or disclose their personal data on or before such collection, use, or disclosure. In addition, the organization is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.
Second, under the Accountability Obligation, an organization must develop and implement policies and practices that are necessary for it to meet its key obligations under the PDPA and make information about such policies and practices available on request. Finally, under the Data Breach Notification Obligation, an organization that suffers a data breach is required to notify affected individuals of a data breach that results or is likely to result in significant harm to them, unless certain prescribed exceptions apply.
8.2. Right to access
Organizations are subject to the Access Obligation under the PDPA. An organization must allow an individual to access their personal data in its possession or under its control upon request.
The organization has a duty to respond to applicants' requests to access their personal data as accurately and completely as necessary and reasonably possible, subject to the prohibitions in Section 21 of the PDPA and exceptions in the Fifth Schedule to the PDPA. On receipt of individuals' requests, the organization is obliged to provide the individuals, as soon as reasonably possible, with:
- personal data about them that is in the possession or under the control of the organization; and
- information about the ways in which that personal data has been or may have been used or disclosed by the organization within a year before the date of the request.
An organization should provide a copy of each applicant's personal data in documentary form or any other form requested by the individual as is acceptable by the organization. If it is impracticable to do so, the organization may allow the individual a reasonable opportunity to examine the personal data.
Under the Access Obligation, organizations may charge applicants a reasonable fee to respond to access requests. In doing so, an organization must provide the applicant with a written estimate of the fee. If the organization wishes to charge a fee that is higher than the written estimate, it will need to notify the applicant in writing of the higher fee. An organization does not have to respond to an applicant's access request unless the applicant agrees to pay the fee.
Upon receipt of an access request, if the organization cannot comply within 30 days, it must inform the individual in writing of the time by which it will respond to the request.
Organizations are prohibited from granting access to an individual's personal data under certain circumstances, for instance, when such access will reveal personal data about another individual, or when such access will be contrary to the national interest.
Organizations may choose to withhold access to an individual's personal data under the circumstances stated in the Fifth Schedule to the PDPA. These include circumstances where the burden or expense of providing access would be unreasonable to the organization or disproportionate to the individual's interest, or if the request is otherwise frivolous or vexatious. Specific rules concerning the Access Obligation may be found in Part 2 of the PDPR.
Additionally, an organization which refuses to provide access to personal data requested by an individual under the Access Obligation must preserve a complete and accurate copy of the personal data concerned for not less than the prescribed period, which is generally 30 days after the date of refusal, or subject to the applications or appeals that have been made to the PDPC in relation to the organization's refusal.
8.3. Right to rectification
Organizations are subject to the Correction Obligation. An organization must allow an individual to correct their personal data in its possession or under its control upon request.
Individuals have the right to request an organization to correct any inaccurate data that is in the organization's control, subject to the exceptions in the Sixth Schedule to the PDPA. An organization may not make a requested correction if it is satisfied on reasonable grounds that a correction should not be made. If no correction is made, the organization must annotate the personal data in its possession or under its control with the correction that was requested but not made. Furthermore, organizations are required to send the corrected or updated personal data to specific organizations to which the personal data was disclosed within a year before the correction was made, unless those organizations do not need the corrected data for any legal or business purposes.
In contrast to access requests, organizations are not entitled to impose a fee for correction requests. Upon receipt of a correction request, if the organization cannot comply within 30 days, it must inform the individual in writing of the time by which it will respond to the request.
In addition to the Sixth Schedule to the PDPA, more specific rules concerning the Correction Obligation may be found in Part 2 of the PDPR.
8.4. Right to erasure
The PDPA does not provide individuals with a standalone right to request for an organization to destroy or delete the personal data in the organization's possession or control. However, under the Retention Limitation Obligation, organizations are required to cease to retain personal data if retention of such personal data is no longer necessary for legal or business purposes.
8.5. Right to object/opt-out
Individuals have the right to withdraw their consent to the collection, use, or disclosure of their personal data at any time by giving reasonable notice. However, the withdrawal of consent will not affect any legal consequences arising from such withdrawal.
With regard to the withdrawal of consent, data subjects should be cognizant of the fact that the withdrawal of certain types of consent may affect the ability of the organization to continue providing them with the requested services.
8.6. Right to data portability
At present, individuals do not have a right to data portability under the PDPA. However, once the changes relating to data portability introduced in the Amendment Act come into force, an individual may make a data porting request to a porting organization. Upon receiving the data porting request, the porting organization must (unless an exception applies) transmit the applicable data specified in the data porting request to the receiving organization in accordance with any prescribed requirements, such as requirements relating to technical, user experience, and consumer protection matters.
8.7. Right not to be subject to automated decision-making
The PDPA does not provide individuals with a right not to be subject to a decision based solely on automated processing.
8.8. Other rights
9. Penalties
The PDPC is responsible for enforcing the PDPA. Where the PDPC concludes that an organization has breached the Data Protection Provisions under the PDPA, the PDPC is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organization to:
- stop collecting, using, or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data; or
- pay a financial penalty of (approx. up to a maximum of 10% of the organization's annual turnover in Singapore (if its annual turnover in Singapore exceeds SGD 10 million (approx. $7,442,110) or up to SGD 1 million (approx. $744,220) in any other case.
An organization's annual turnover in Singapore will be ascertained from the most recent audited accounts of the organization that is available at the time the financial penalty is imposed.
In the course of its investigation, the PDPC may:
- by notice in writing, require an organization to produce any specified document or specified information or require any person within the limits of Singapore to attend before the PDPC;
- by giving at least two working days advance notice of intended entry, enter into an organization's premises without a warrant; and
- obtain a search warrant to enter an organization’s premises and take possession of, or remove, any document.
Non-compliance with certain provisions under the PDPA may also constitute an offense, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached. For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding SGD 5,000 (approx. $3,720) or to imprisonment for a term not exceeding 12 months, or both (Section 51(2) of the PDPA).
The Amendment Act has also introduced further offences under the PDPA. Under the new Section 48F, an individual commits an offence if they take any action to re-identify or cause re-identification of a person to whom anonymized information in the possession or under the control of an organization or a public agency relates, where the re-identification is not authorized by the organization or public agency, and the individual either knows that the re-identification is not authorized or is reckless as to whether the re-identification is or is not authorized. The penalty is a fine not exceeding SGD 5,000 (approx. $3,720) or imprisonment for a term not exceeding two years, or both.
An organization or a person who obstructs or impedes the PDPC or an authorized officer, or knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC in the exercise of their powers or performance of their duties under the PDPA, commits an offence for which that person would be liable upon conviction to a fine of up to SGD 10,000 (approx.$7,440) and/or to imprisonment for a term of up to 12 months (in the case of an individual), or a fine of up to SGD 100,000 (approx. $74,430) (in any other case) (Section 51(5) of the PDPA).
Additionally, an organization or person who neglects or refuses to comply with an order to appear before the PDPC, or without reasonable excuse neglects or refuses to furnish any information or produce any document specified in a written notice to produce information, will be guilty of an offence punishable by a fine not exceeding SGD 5,000 (approx. $3,720) or to imprisonment for a term not exceeding 12 months, or both (in the case of an individual), and in any other case, to a fine not exceeding SGD 10,000 (approx. $74,430).
An aggrieved individual or organization may make a written application to the PDPC to reconsider its direction or decision. Thereafter, any individual or organization aggrieved by the PDPC's reconsideration decision may lodge an appeal to the Data Protection Appeal Panel ('DPAP'). Alternatively, an aggrieved individual or organization may appeal directly to the DPAP without first submitting a reconsideration request. A direction or decision of the DPAP (via the Data Protection Appeal Committee) may be appealed to the High Court on a point of law or where such decision relates to the amount of a financial penalty. The decision of the High Court may be further appealed to the Court of Appeal.
An individual who suffers loss or damage directly as a result of a contravention of the provisions of the PDPA may also commence a private civil action. However, where the PDPC has made a decision in respect of such contravention, the right of private action is only exercisable after the relevant decision by the PDPC has become final as a result of there being no further right of appeal.
9.1 Enforcement decisions
Since 2016, the PDPC has released a series of enforcement decisions that are helpful in clarifying the requirements under the PDPA in respect of personal data protection. These enforcement decisions are generally accessible via the PDPC's website.
As of March 10, 2024, the PDPC has published a total of 246 grounds of decisions or summaries of grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation, under Section 24 of the PDPA. The most common types of breaches of the Protection Obligation involve the deliberate disclosure of personal data, poor technical security arrangements, poor physical security arrangements, errors in mass email and/or post, and insufficient data protection policies.
To date, the highest financial penalties that the PDPC has imposed on organizations are SGD 250,000 (approx. $186,060) and SGD 750,000 (approx. $558,170) on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd respectively, for breaching their data protection obligations under the PDPA (see Re Singapore Health Services Pte Ltd and another [2019] SGPDPC 3). This unprecedented data breach which arose from a cyber-attack on SingHealth's patient database system, caused the personal data of some 1.5 million individuals to be compromised.
In addition to these enforcement decisions, the PDPC also publishes an annual Personal Data Protection Digest, which is a compendium comprising the PDPC's grounds of decisions, summaries of unpublished cases where a finding of no breach was found, and a collection of data protection-related articles contributed by data protection practitioners.
