Data Protected - Singapore

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Personal Data Protection Act 2012 (“PDPA”).

In addition, certain sector-specific laws such as the Banking Act (Cap. 19) and the Securities and Futures Act (Cap. 289) include provisions relating to the protection of certain personal data (such as particulars of accounts of customers of a bank). Companies in industries such as telecommunications may also be subject to Codes of Practice which impose data protection-related obligations. This summary does not consider these sector-specific laws and codes. Further, common law duties of confidentiality may also apply under certain circumstances.

Entry into force

The provisions in the PDPA relating to the Do Not Call Register (see below) came into force on 2 January 2014, and the main provisions in the PDPA relating to the collection, use and disclosure of personal data came into force on 2 July 2014.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Personal Data Protection Commission (the “Commission”)
460 Alexandra Road #10-02
PSA Building
Singapore
119963

www.pdpc.gov.sg

The Info-communications Media Development Authority of Singapore (IMDA, which absorbed the former Info-communications Development Authority in 2016) supports the Commission in administering compliance with the PDPA.

Notification or registration scheme and timing

The PDPA does not include a general notification or registration scheme.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PDPA does not contain express provisions on territorial effect. However, the PDPA is likely to apply to the collection, use and/or disclosure of personal data within Singapore, even if other parts of the data processing take place elsewhere in the world.

Is there a concept of a controller and a processor?

The PDPA applies to any individual, company, association or body of persons, corporate or unincorporated, whether located in or outside Singapore (“organisations”).

It also contains the concept of data intermediaries (a concept similar to that of processors). Where a data intermediary processes personal data under a contract in writing with an organisation and for the purposes of that organisation, it will be largely exempt from the PDPA and only subject to the security and retention obligations therein.

Are both manual and electronic records subject to data protection legislation?

Data is not specifically defined in the PDPA to include both manual and electronic records. However, guidelines issued by the Commission clarify that personal data can be data that exists in electronic or other format and therefore both manual and electronic records will be subject to the PDPA as long as they contain personal data.

Are there any national derogations?

The PDPA’s main obligations do not apply to public agencies (which include Government ministries, departments and statutory bodies) or to organisations acting on behalf of public agencies.

Organisations may collect, use and disclose personal data without consent if one of the statutory exceptions in the PDPA applies, including where the collection, use or disclosure is necessary in the national interest or for any investigation or proceedings. The PDPA defines “national interest” to include national defence, national security, public security, the maintenance of essential services and the conduct of international affairs. However, these are not general derogations, but simply exemptions from the obligation to obtain consent for the collection, use and disclosure of personal data.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data is data, whether true or not, about an individual who can be identified: (i) from that data; or (ii) from that data and other information to which the organisation has or is likely to have access.

Business contact information (unless provided solely for personal purposes) is largely exempt from the provisions of the PDPA.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

The PDPA regulates the collection, use and disclosure of personal data by organisations (as defined above). The main provisions governing the collection, use and disclosure of personal data do not apply to any individual acting in a personal or domestic capacity, or to any public agency.

The collection, use and disclosure of personal data is permitted where: (i) the individual has consented; or (ii) those activities are required or authorised by law. Alternatively, the collection, use or disclosure of personal data can be carried out without consent if a condition in Schedule 2, 3 or 4 to the PDPA respectively is satisfied. There are different conditions depending on whether the organisation is collecting, using or disclosing the relevant personal data. Those conditions are similar in nature to the lawful-processing conditions familiar from other data protection regimes, but are much more extensive.

There is an overriding obligation on the organisation to collect, use and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances. The PDPA also obliges an organisation to make a reasonable effort to ensure that the personal data it holds is accurate and complete where it is likely to be used to make a decision affecting the individual or disclosed to another organisation, and to retain personal data for no longer than necessary. The organisation must also implement appropriate data protection policies and processes and make information about them available.

Are there any formalities to obtain consent to process personal data?

Consent can be expressly given or deemed to be given. Express consent will only be valid if the individual has been provided with certain information about the purpose of collection and the consent cannot be made a condition of the provision of a product or service (beyond what would be reasonable for the provision of that product or service).

Deemed consent will arise when an individual voluntarily provides personal data for a particular purpose and it is reasonable for such provision of personal data to take place.

Consent can be obtained in a number of ways, and there is no general requirement that consents be in writing although it is recommended by the Commission that organisations should obtain consents in writing or recorded in a manner that is accessible for subsequent reference. Guidelines issued by the Commission provide that an opt-in would be considered consent for the purposes of the PDPA and that a failure to opt-out may not always be sufficient to constitute consent (e.g. the individual’s failure to opt-out may have been due to reasons other than the individual’s desire to give consent).

The Commission has also released guidelines on best practices and examples that organisations may adopt regarding how to phrase consent notifications, what layout organisations should use for their notifications, and where these notifications should be positioned on forms, websites or mobile applications.

Are there any special rules when processing personal data about children?

Guidelines published by the Commission set out additional non-binding requirements that apply when processing personal data about children. The Commission is of the view that organisations should consider if the minor understands the nature and consequences of giving consent when determining whether consent is valid. The age threshold of a minor is not mandated in the guidelines, but the Commission adopts a practical rule of thumb that a minor, who is at least 13 years old, will have sufficient understanding to give consent, while parents or legal guardians may give consent on behalf of minors under this age.

Additionally, the guidelines advise organisations to consider putting in place precautions when collecting, using or disclosing a minor’s personal data (e.g. ensuring the language is clear and understandable) and to take extra steps to verify the accuracy of personal data, especially where an inaccuracy may have severe consequences for the minor.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The PDPA does not include a separate category of sensitive personal data.

Are there additional rules for processing sensitive personal data?

Not applicable.

Are there additional rules for processing information about criminal offences?

No.

Are there any formalities to obtain consent to process sensitive personal data?

Not applicable.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

An organisation (as defined above) must appoint one or more individuals to be responsible for that organisation’s compliance with the PDPA. The business contact details of at least one such individual must be made available to the public.

What are the duties of a data protection officer?

An organisation’s data protection officer is generally responsible for ensuring its compliance with the PDPA. These responsibilities may extend to: (i) ensuring that any of the organisation’s policies and processes developed or implemented for handling personal data are compliant with the PDPA; (ii) fostering a data protection culture among employees; (iii) managing personal data protection related queries (e.g. access or correction requests) and complaints from the public; (iv) alerting management to any risks that might arise with regard to personal data; and (v) being the point of contact for the Commission on any data protection matters.

The legal responsibility of complying with the PDPA remains with the organisation and does not pass to the data protection officer.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The PDPA requires organisations to develop and implement policies and practices that are necessary for them to meet their obligations under the PDPA.

Are privacy impact assessments mandatory?

No. However, the Commission has, as part of a public consultation in July 2017, proposed several amendments to the PDPA, including the introduction of two new bases for collecting, using and disclosing personal data without consent. Under the proposal, both of these new bases for collection, use and disclosure would require the organisation to conduct a privacy impact assessment before being able to rely on them. It is not certain at the time of publication whether and when these proposed amendments will come into force.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Organisations must inform individuals of the purposes for which their personal data is collected, used or disclosed. This obligation arises when seeking express consent from them, and again when the organisation wishes to use or disclose their personal data for a purpose other than that for which it was originally collected and notified to the individual.

Individuals can also request contact details for an organisation’s data protection officer.

Rights to access information

Individuals have a right of access to their personal data and to details of the way in which their personal data has been or may have been used or disclosed within one year prior to the request of access. There are a wide range of exemptions to this right, for example where there would be disclosure of personal data about another individual. There is a general duty imposed on organisations to respond to each access request as accurately and completely as necessary and reasonably possible, and as soon as reasonably possible. If an organisation is unable to provide the individual with the information requested within 30 days of receiving the request, the organisation must within that time inform the individual in writing of the time by which it will respond to his/her request. Organisations may charge an individual a minimal fee in order to recover the costs of responding to the access request, but must provide the applicant with a written estimate of the fee.

The Commission has released guidelines on how organisations should handle access requests. For example, the Commission has suggested that organisations develop standard operating procedures to conduct verification when processing access requests, and to keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected. The Commission has also released sample access request forms and sample acknowledgement forms that organisations can use to process access requests.

Rights to data portability

There is no right to data portability.

Right to be forgotten

There is no express right to be forgotten.

Objection to direct marketing and profiling

There is no general right to object to direct marketing. However, individuals can withdraw consent to the collection, use and disclosure of their personal data at any time and there are specific direct marketing restrictions under the Do Not Call Register (see below).

Other rights

Individuals have a right to ask organisations to correct their personal data. Individuals also have a right, on reasonable notice to the organisation, to withdraw their consent to the collection, use or disclosure of their personal data, in which case the organisation must inform the individual of the likely consequences of such withdrawal of consent and cease collecting, using and disclosing that individual’s personal data except to the extent required or authorised under law.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Organisations must make reasonable security arrangements to protect personal data in their possession or under their control against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Specific rules governing processing by third party agents (processors)

Organisations are responsible for any processing carried out by their data intermediaries.

Data intermediaries who process personal data under a contract in writing with an organisation and for the purposes of that organisation will be largely exempt from the PDPA and only subject to the security and retention obligations therein. The Commission has released a guide containing sample data protection clauses which organisations engaging services relating to the processing of personal data (e.g. hosting or storage of data) may include in their service agreements.

Notice of breach laws

There is currently no mandatory notification requirement imposed on organisations involved in a data breach. However, the Commission has released some guidance on recommended steps to take in the event an organisation suffers a data breach. In particular, where the data breach involves personal data that is sensitive in nature, the Commission recommends that immediate notification be made to the Commission, the affected individuals, and any other interested third parties (e.g. the Monetary Authority of Singapore).

Additionally, the Commission has proposed amendments (as part of a public consultation exercise in July 2017) that would make data breach notifications mandatory in most cases, and a proposed Cybersecurity Bill, tabled for 2018, contains notification requirements for cybersecurity incidents that occur in respect of critical information infrastructure. It is not certain at the time of publication whether and when these notification requirements will come into force.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

An organisation may only transfer personal data outside Singapore if it has taken appropriate steps to ensure that: (i) it will comply with the PDPA obligations in respect of the transferred personal data while it remains in its possession or under its control; and (ii) the recipient outside of Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data transferred that is comparable to that under the PDPA.

In this regard, “legally enforceable obligations” would include obligations imposed on the recipient: (i) under law (e.g. the recipient’s relevant national data privacy legislation); (ii) under any contract: (a) requiring the recipient to provide a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA; and (b) specifying the countries and territories to which the personal data may be transferred under the contract; (iii) under binding corporate rules (see below); or (iv) any other legally binding instrument.

An organisation will, however, be taken to have satisfied the second requirement of ensuring that the recipient outside of Singapore is bound by legally enforceable obligations if the individual whose personal data is being transferred consents to the transfer of the personal data to the recipient in that country or territory, subject to such consent satisfying certain prescribed conditions.

Notification and approval of national regulator (including notification of use of Model Contracts)

The Commission has the power to exempt an organisation from any prescribed requirements.

Use of binding corporate rules

For intra-corporate transfers of data overseas, binding corporate rules would be an acceptable form of legally enforceable obligations to be imposed on the receiving organisation. These binding corporate rules must require every recipient to provide to it a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA. These binding corporate rules must also specify: (i) the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

The Commission has a range of powers under the PDPA, including directing an organisation to pay a financial penalty of up to S$1 million.

Imprisonment

The PDPA contains various criminal offences including: (i) unauthorised access to, or alteration of, personal data; (ii) alteration, falsification, concealment or destruction of personal data with the intent of evading an access or correction request; (iii) obstructing or impeding the Commission; and (iv) knowingly or recklessly making false statements to the Commission. The penalty for an offence includes fines of up to S$100,000 and imprisonment for up to three years.

Compensation

A person who suffers loss as a result of breach of the rules on collection, use and disclosure, as well as access to, correction and care of personal data, shall have a right of action in civil proceedings in court. The court may award damages, injunctions or other remedies as it sees fit.

Other powers

The Commission has a range of powers under the PDPA including directing an organisation to: (i) stop collecting, using or disclosing personal data; (ii) destroy personal data; or (iii) comply with any directions from the Commission.

Practice

As of November 2017, the Commission has published more than 30 enforcement actions against organisations for breach of their data protection obligations under the PDPA. These cases involved various contraventions of the PDPA, a majority of which related to unauthorised access or disclosure of personal data. The penalties that the Commission issued against these organisations varied and included administrative fines, directions and warnings. The severity of the Commission’s directions depended on several factors, including the scale of the breach, remedial actions taken and the relevant organisation’s cooperation with the Commission in its investigations. Financial penalties were generally imposed on organisations involved in larger scale breaches or on those that were uncooperative with the Commission.

The calibrated approach to these enforcement actions taken by the Commission reflects its overarching policy that organisations should feel free to continue processing personal data, while taking appropriate actions to keep it secure.

In addition to the above, the Commission has issued sanctions including fines and warnings against organisations for failing to comply with the provisions in relation to the Do Not Call Register.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The PDPA contains provisions relevant to telephone (voice calls, SMS and MMS) and fax marketing. Pursuant to the PDPA, the Commission set up a national Do Not Call Registry, which comprises three registers: (i) a No Voice Call Register; (ii) a No Text Message Register; and (iii) a No Fax Message Register. Individuals may register their numbers in any or all of the relevant registers to prevent marketing calls and messages from telemarketers. The rules apply to “specified messages”, which are messages from organisations to consumers the purpose of which is to offer or advertise goods, services, land or investment opportunities. There are a number of exemptions from the term “specified message” set out in the schedule to the PDPA, including messages sent to a business for a purpose of that business.

The rules relevant to direct marketing by email, text and multi-media marketing are generally set out in the Spam Control Act (Cap 311A) (the “SCA”).

_____________________________________________________________________

Cookies

Conditions for use of cookies

Consent is not needed for cookies that do not collect personal data, and may not be needed where the use of cookies to collect data pertains to internet activities which the individual has clearly requested. Where an individual has configured his or her browser to accept certain cookies but reject others, consent may be deemed to have been given. Where cookies for behavioural targeting actually collect personal data, the individual’s consent is required.

Regulatory guidance on the use of cookies

The publication titled “Advisory Guidelines on Selected Topics” made available by the Commission clarifies that the PDPA applies to the collection, use, or disclosure of personal data using cookies.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

It is possible to send commercial e-mails “in bulk”, each addressed to individual or corporate subscribers, if they consent.

Conditions for direct marketing by e-mail to corporate subscribers

It is possible to send commercial e-mails “in bulk”, each addressed to individual or corporate subscribers, if they consent.

Exemptions and other issues

It is also possible to send such bulk e-mail without consent if: (i) the e-mail complies with particular requirements set out in the SCA, including a labelling requirement and a requirement to provide an unsubscribe facility; (ii) the subscriber does not “unsubscribe”; and (iii) the relevant e-mail address was not obtained through dictionary attack or address harvesting.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

A person may only send a “specified message” to a Singapore telephone number that is listed on the Do Not Call Register if the relevant subscriber or user has given clear and unambiguous consent. Guidelines issued by the Commission specify that a failure to opt-out will not be sufficient to constitute clear and unambiguous consent.

Marketing by text message is subject to these rules and is also subject to the rules on marketing by e-mail (see above).

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

No person shall send a “specified message” to a Singapore telephone number that is listed on the Do Not Call Register unless the relevant subscriber or user has given clear and unambiguous consent. If the Singapore telephone number is considered business contact information and the information is not provided by the individual solely for his personal purposes, organisations may contact the individual for business marketing purposes (but not consumer marketing purposes) notwithstanding that the number is listed on the Do Not Call Register, without seeking consent.

Marketing by text message is subject to these rules and is also subject to the rules on marketing by e-mail (see above).

Exemptions and other issues

Any consent must be clear and unambiguous and in writing or other form so as to be accessible for subsequent reference. Consent cannot be made a condition to the supply of goods, services, land, interests, or opportunities beyond what is reasonable for purposes of the same.

Where the individual has an ongoing commercial relationship with the organisation, the organisation may send “specified messages” to the individual relating to the ongoing relationship via fax message or text message (but not voice calls) regardless of whether the individual’s fax or telephone number is listed in the relevant Do Not Call Register unless and until the individual withdraws consent or informs the organisation that he/she no longer wishes to receive such communications.

Any person sending a specified message, whether under the general rules or any applicable exemption, must ensure that the message: (i) identifies the person who sent or authorised the sending of that message; (ii) includes contact details; and (iii) contains such other information as may be prescribed by regulation from time to time. Where the specified message is a voice call, the person making the call must not conceal or withhold their calling line identity.

_____________________________________________________________________