All You Need to Know about Singapore’s PDPA
Singapore adopted its Personal Data Protection Act (PDPA) way back in 2012 before the EU’s General Data Protection Regulation (GDPR) made its appearance on the legal stage. It came into full force on 2 July 2014 and governs the collection, use, disclosure and care of personal data. It also regulates telemarketing practices through the Do Not Call registry which allows Singaporeans who sign up for it to opt out of marketing messages on their telephones, mobile phones and fax machines.
While it may be considered progressive for its time and contains much of the same jargon that has now become the staple of data protection regulations across the world, the PDPA falls short of the GDPR’s hard line approach to privacy and personal data protection. It was criticized for its many exemption clauses and does not have any requirements for special categories of sensitive data such as those relating to health, race, ethnicity etc.
This particular failing was not without its consequences: in June 2018, Singapore suffered its worst data breach to date when the personal data of 1.5 million healthcare patients including that of its Prime Minister, Lee Hsien Loong, was compromised. The Personal Data Protection Committee (PDPC) tasked with enforcing the PDPA fined Integrated Health Information Systems (IHIS), the technology agency running the healthcare institutions’ IT systems, S$750,000 (approx. $540,000) and SingHealth, the data controller, S$250,000 (approx. $181,000). A probe report found that the data breach was primarily caused by weak cybersecurity practices.
The PDPC has since announced its intention to update the PDPA’s requirements, most notably, adding mandatory data breach notifications and data portability to the legislation. It also issued a number of guides to assist organizations in understanding its approach to regulating Singapore’s personal data protection regime. Its most recent, released on 22 May 2019, cover data protection management, active enforcement and managing data breaches.
Who does the PDPA apply to?
The PDPA has an extraterritorial reach and applies to organizations collecting personal data from individuals in Singapore, whether the companies are located in the country or not. The Act does not apply to the public sector which is governed by other rules.
What is personal information under the PDPA?
Personal data under the PDPA is defined as data that, whether true or not, can be used to identify an individual by itself or together with other information to which the organization has or is likely to have access to.
Business contact information, when used for business purposes and not in a personal capacity, is not protected by the PDPA. Neither is personal data about an individual that has been in existence for at least 100 years or personal data about individuals that have been deceased for over 10 years.
As previously mentioned, the PDPA does not include special requirements for sensitive data. However, the PDPC has recently issued new guidelines for the protection of National Registration Identification Card (NRIC) numbers and similar national identification numbers. When it comes into force on 1 September 2019, it will make it illegal for organizations to collect, use or disclose NRIC numbers or to make copies of identity cards, except under specifically permitted situations such as legal requirements, if a consent exception under the PDPA applies or it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity.
The thorny issue of consent
The PDPA’s consent requirements are much more relaxed than those of more recently adopted regulations such as the CCPA and GDPR. It requires express consent from individuals to collect personal data, but includes no less than 18 exemptions to the rule, which allow organizations to collect personal data without consent. While some of these are familiar, for example in case personal data is publically available, is being collected for national security purposes or for journalistic reasons, it also includes other, more contentious exemptions such as data collected for evaluative purposes or in the interest of the individual. When it comes to using personal data without consent, there are 10 exemptions and for disclosure without consent, 19 exemptions.
The PDPA goes a step further than exemptions and also accepts deemed consent as valid consent. Deemed consent is essentially data provided voluntarily by an individual to an organization when it is reasonable for the individual to do so. This voluntarily provided data can then be passed on to another organization for a particular purpose.
Singaporeans have the option of withdrawing consent, even in the case of deemed consent. However, any legal consequences of the withdrawal have to be borne by the individual who must be informed of these likely consequences by the organization from whom they request the withdrawal. Companies are also not obligated to inform third parties of consent withdrawals, so it falls to the individual to seek them out and withdraw consent from them as well. The withdrawal of consent cannot be requested if the collection, use or disclosure of the information is required by law, or if it is necessary for legal or business purposes.
The PDPA offers limited rights of access and correction of information collected by organizations. Individuals can request access to personal data held by an organization and information concerning its use or disclosure in the last year, but this right is subject to exceptions. While individuals can request that organizations make corrections to their personal data, companies can decide, on reasonable grounds, not to apply them.
The PDPA does not currently include any right to be forgotten or data portability among its requirements. However, the PDPC recently started a six-week public consultation to seek views on proposals to introduce data portability and data innovation provisions in the PDPA.
Cross-border data transfers
Organizations can transfer personal information from Singapore to other countries only in compliance with the PDPA or if they have applied for and received exemption from the PDPC. Those that need to transfer data across borders in accordance with the PDPA, must ensure that the country to which the data is being transferred has a comparable level of data protection to the standards set forth by the PDPA.
Data can also be transferred to other countries if organizations have received consent from the individual to do so, if data transfer agreements have been put in place or transfers are necessary for certain prescribed circumstances.
If organizations tamper with personal data or hide information concerning its collection, use or disclosure, they face a fine not exceeding S$50,000 (approx. $36,000). Any attempts to hinder a PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). Companies are also liable for their employees’ actions in the eyes of the PDPA, whether they are aware of them or not.
The maximum penalty allowed by the PDPA is of S$1,000,000 (approx. $725,000) and, as shown in the case of the SingHealth data breach, the PDPC is not shy about issuing it.