Singapore enacted its Personal Data Protection Act (PDPA) on 2 July 2014 comprising various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data as well as the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The trend of vast amounts of personal data being collected, used and even transferred to third-party organisations for a variety of reasons is expected to grow exponentially with increasingly sophisticated technology. With this trend comes growing concerns on the part of individuals about how their personal data is being used.
The PDPA presents a data protection regime to govern and address these concerns and to maintain individuals’ trust in organisations that manage individuals’ personal data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.
Under the PDPA, there are nine primary data protection obligations with which organisations are required to comply.
Consent Obligation
Private organisations can only collect, use or disclose personal data when an individual has given consent. If consent is given, organisations must inform individuals of the consequences of their withdrawal of consent. In the event that consent is withdrawn, organisations must cease all collection, use and disclosure of that individual’s personal data.
Purpose Limitation Obligation
Organisations may collect, use or disclose personal data about an individual for the purposes for which he or she has given consent. Organisations must not use an individual’s personal data for any reasons other than for the specific purpose set out between the parties.
Notification Obligation
Organisations must state the purpose(s) for which they intend to collect, use or disclose individuals’ personal data, and communicate this clearly to an individual before commencing the process of data collection, use and disclosure.
Access and Correction Obligation
Individuals or subscribers of an organisation can request information on how their personal data has been used through the period that they have given their consent. Organisations cannot decline such a request, and they are required to correct any error or omission in an individual’s personal data upon such a request.
Accuracy Obligation
Personal data collected by or on behalf of the organisation must be accurate and complete as far as possible. The necessary controls must be put in place to prevent errors at the point where data is submitted together with consent.
Protection Obligation
When individuals have given organisations their trust, the latter should support and maintain that trust. This is done by setting up the necessary security measures to safeguard the information in the possession or control of the organisation, so as to prevent any form of unauthorised access to such information.
Retention Limitation Obligation
Once an individual’s personal data is no longer necessary for any business or legal purposes, organisations must cease retention of the information or remove the means by which the personal data can be associated with an individual.
Transfer Limitation Obligation
In the event personal data is required to be transferred to another country for any reason, organisations should do so only according to the requirements prescribed under the regulations. Organisations should ensure that the standard of protection for any individual’s personal data transferred is comparable to the protection under the PDPA in Singapore.
Openness Obligation
The final obligation organisations must adhere to is to make information about their data protection policies, practices and complaints process available, either on request or publicly.
Organisations are required to develop and implement the policies and practices necessary to meet their obligations under the PDPA. In particular, organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.
An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
The main responsibilities of an appointed DPO include:
The PDPA targets private organisations and emphasises good personal data management practice when collecting, using, disclosing and storing personal data about individuals. Compliance with the PDPA will increase an organisation’s business efficiency and effectiveness, boost customer confidence, and enhance its public image.
The Info-communications Media Development Authority has designated the Personal Data Protection Commission (PDPC) in Singapore to be responsible for the administration of the PDPA.
The PDPC was established on 2 January 2013 and serves as the primary authority in Singapore dealing with the administration and enforcement of the PDPA. It seeks to balance the need for protection of individuals’ personal data and the needs of organisations to use personal data for proper and legitimate purposes.
The fundamental principle of the PDPA is accountability. Accountability is the undertaking and exhibition of responsibility for the personal data in the organisation’s possession. Sections 11 and 12 of the PDPA provide for the accountability of organisations to comply with the PDPA. An accountable organisation is answerable to the relevant regulatory authorities and to the individuals who entrust the organisation with their personal data.
In the event of any data breaches, the PDPC will be involved to resolve the issues in question. The next level in the hierarchy, where a party is aggrieved by the decision or direction of the PDPC, is to make an appeal to the Chairman of the Data Protection Appeal Panel under Section 34(1) of the PDPA. Should the party still be unsatisfied with the decision, he or she may appeal to the High Court and Court of Appeal on points of law.
The PDPC has various powers to enforce the provisions contained in the PDPA. These powers may be summarised according to the powers relating to: (i) alternative dispute resolution; (ii) reviews; and (iii) investigations, which will be discussed in more detail below. Whenever a complaint of a data protection breach is presented to the PDPC, the two objectives of the PDPC, in order to resolve the issue, are to: (i) facilitate the resolution of an individual’s complaint relating to an organisation’s alleged infringement of the relevant data protection provision(s); and (ii) ensure that organisations comply with their obligations under the PDPA and, in the event of non-compliance, take the appropriate corrective measure(s) and other necessary action to ensure compliance.
In some cases, the PDPC may conduct a review or an investigation of the matters in question and, depending on the outcome of the review or investigation, can issue directions to the relevant organisation to take a certain course of action to rectify the issue(s).
Where a complaint is received, the PDPC may:
According to the Advisory Guidelines on Enforcement of the Data Protection Provisions, some of the measures that are undertaken by the PDPC include:
In some cases, the PDPC may, pursuant to Section 27(2) of the PDPA, direct either party or both parties to resolve the complaint in a manner directed by the PDPC. Other than issuing directions for alternative dispute resolution, the PDPC may also choose to conduct a review pursuant to Section 28 of the PDPA. In particular, the PDPC may review, on the application of an individual, matters such as:
In the event of a contravention of the PDPA, Section 50 of the PDPA confers powers of investigation upon the PDPC. Generally, the PDPC may commence an investigation on its own motion or via being presented with a complaint made against an organisation. It is worth reiterating that when the PDPC receives a complaint, or information of a similar nature, alleging a contravention of the PDPA provisions, the PDPC always considers if the underlying matter can be resolved using the methods stipulated above (ie, alternative dispute resolution) before initiating an investigation.
An aggrieved party (usually the complainant) can seek remedies in the following forms:
The PDPC has the power to issue directions as it deems fit to ensure compliance. These directions may include, but are not limited to, ordering organisations to cease collecting, using or disclosing the personal data of another or to destroy personal data in contravention of the PDPA. The PDPC can also direct organisations to perform the necessary corrections to personal data or fine infringing organisations up to SGD1 million.
Directions issued by the PDPC may be registered with, and enforced by, a District Court in Singapore. Aggrieved individuals are provided with the right to initiate civil proceedings against organisations for loss or damage suffered.
Prima facie, contravention of the PDPA will generally not amount to a criminal offence. However, the PDPA does provide criminal penalties in respect of “obstructive” actions, eg, refusing to correct personal data and/or falsifying, concealing or destroying information about the collection, use or disclosure of personal data.
Singapore supports open and transparent data flow across borders and data protection standards are in place to ensure that such exchanges occur in a responsive and protected environment.
On 20 February 2018, Singapore became the sixth Association of Southeast Asian Nations (ASEAN) economy to become part of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, alongside other countries such as the USA, Mexico, Canada, Japan and Korea. Singapore is also the second APEC economy to participate in the Privacy Recognition for Processors System, alongside the USA.
With the CBPR and PRP systems in place, organisations, after being certified by the PDPC, can exchange personal data with other certified organisations more efficiently, assuring consumers that cross-border transfer of their personal data is subject to high standards of data protection.
As Singapore is one of the European Union’s largest trading partners in the ASEAN, many organisations inevitably fall under the jurisdiction of the EU’s General Data Protection Regulation (GDPR). The GDPR protects personal data of data subjects in the EU and is enforced by supervisory authorities who are independent public authorities established in EU member states.
Singapore organisations outside the EU must exercise compliance with the GDPR if those organisations: (i) process personal data of individuals in the EU; or (ii) monitor the behaviour of individuals in the EU.
All NGOs and SROs in Singapore are subject to the same rules and regulations stipulated under the PDPA.
The PDPA has a limited scope of enforcement and the Act itself does not apply to all sectors. Notably, the PDPA does not apply to the public sector or government agencies. Public sector agencies are governed by the standards of data protection rules such as the Public Sector (Governance) Act 2018 (PSGA) and Government Instruction Manuals.
While a breach of any provision in the PDPA does not generally amount to a criminal offence, public officers who disregard the government’s data security rules may, if found liable under the PSGA, be subject to penalties including fines of up to SGD5,000 or a jail term of up to two years, or both. Criminal liability for individual officers was adopted because it was thought meaningless "to impose huge financial penalties on public sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse”, according to Minister for Communications and Information S Iswaran.
Furthermore, the PDPA does not apply to business contact information (ie, an individual’s name, position or title, business contact number, business address, business email and any other similar corporate information) as this information is publicly available. Hence, organisations are not required to obtain consent for the collection, use or disclosure of (corporate) data.
Under the PDPA, Section 13 requires an individual to consent before personal data can be revealed, collected, used or disclosed. Section 14 provides that if consent is obtained without the accompanying purpose being made known to the individual, then that consent is invalid. Similarly, if false, misleading or deceptive practices have been utilised, then there is no consent. However, the strict operation of Section 13 is mitigated by the provision in Section 15 – Deemed Consent. That provision provides that consent can be deemed valid if an individual voluntarily surrenders and/or provides the personal data to an organisation for a purpose, and it is reasonable that the individual would voluntarily provide the data, without actually having to give consent.
Professor Hannah YeeFen Lim, an Associate Professor at the National Technological University, says that the provision is aimed at “achieving operational efficiency” where it does not require consent to be expressed or verbalised.
Another area concerns the right to access personal data. The PDPA provides individuals with access rights that ensure organisations must provide the relevant information about an individual’s personal data and the purpose for the collection, use or disclosure of such data before, during and after such data is collected, used or disclosed. However, some organisations charge a (reasonable) administrative fee for such access.
One of the most notable developments in 2019 was the PDPC implementing stricter rules on the collection, use or disclosure of Singapore’s National Registration Identification Card (NRIC) numbers. In a release published on 26 August 2019, the PDPC announced that, with effect from 1 September 2019, it will be illegal for organisations to physically hold onto an individual’s NRIC and collect their full identification number, unless required to do so by law.
The new rules are targeted at restricting situations where organisations may collect and retain NRIC numbers without special regard to an individual’s rights to protect personal data. These rules stemmed from the recognition that NRIC numbers can be used to retrieve (personal) data relating to an individual. Moreover, an NRIC number is a permanent and irreplaceable identifier through which a large amount of an individual’s personal information can be revealed. Negligent handling of NRIC particulars may also be used for illegal activities such as fraud and identity theft. Hence, the PDPC declared that "there is a need to reduce indiscriminate or unjustified collection and negligent handling of NRIC numbers".
Notwithstanding these new rules, the PDPC recognises that there are certain exceptional situations which require the collection, use or disclosure of NRIC numbers. These exceptions include specific situations where verification or records maintenance is legally required, such as when one seeks medical treatment, enrols in an education institution or joins an organisation for employment. There are, in addition, rare situations where personal data can be collected, used or disclosed without the individual’s consent when an individual’s life, health or safety is under imminent threat.
More recently, as of 1 January 2020, Singapore has enacted new law around "doxxing" under the Protection from Harassment Act (POHA). Doxxing occurs when an individual or entity publishes the personal information of another individual or a group of people related to him or her (the person who created the post) in order to harass, threaten or facilitate violence against them. To a certain extent, it correlates with the PDPA in prohibiting the publication or misuse of personal information about an individual. However, the new laws are much narrower as, under the amended Section 3 of POHA, a person may be guilty of an offence if he or she publishes personal information about another person with the intention of causing distress, harassment or alarm, even though the personal information has not been shared among others.
Perhaps the personal data-related event drawing the most significant level of public attention was a data breach that occurred in Singapore in July 2018 involving a cyberattack on SingHealth, Singapore’s largest group of healthcare institutions. The PDPC meted out a hefty fine of SGD1 million in total: SGD750,000 to Integrated Health Information System (IHiS), Singapore’s central national IT agency for the public healthcare sector, and SGD250,000 to SingHealth, respectively. In the unprecedented cyberattack, personal data of almost 1.5 million patients and outpatient records, including the records of the Prime Minister, were exfiltrated.
Prior to 2008, public healthcare institutions in Singapore were responsible for their own IT operations. They were required to implement their own systems to store patients’ records, diagnoses, medical reports and other confidential information. However, this led to concerns over having too many independent systems storing confidential and important data. Such systems are constantly susceptible to the risks of unauthorised access and security breaches. To tackle the vulnerabilities, the Ministry of Health (MOH) wanted to centralise all the stand-alone systems into a single entity. In July 2008, the MOH established the Integrated Health Information System. Its purpose was, inter alia, two-fold: to “(i) enable better alignment of IT strategies and integration of patient care across [public health institutions], and (ii) reduce the cybersecurity vulnerabilities inherent in a varied and fragmented IT landscape.”
Throughout the years, various resources were consolidated into IHiS. However, it was discovered that between June and July 2018, the personal data of some 1.4 million individuals was illegally accessed and copied from the centralised database. Forensic investigations revealed that access to the database was gained via an email phishing attack, which led to the installation of malware and hacking tools on a workstation that later infected other workstations. Upon the discovery of the unauthorised attempts to log in to the system, the relevant authorities worked together to conduct investigations, contain the issue and strengthen cybersecurity measures.
The PDPC in this case had to consider, inter alia, whether the obligations under Section 24 of the PDPA were complied with in respect of the data breach. As a preliminary finding, it was determined that the leaked data (such as patients’ particulars and medical reports, etc) were personal data as defined under Section 2(1) of the PDPA. Ultimately, the PDPC held that the primary responsibility lay with SingHealth in ensuring that reasonable security measures were in place to safeguard the sensitive and confidential data in its possession and control. Consequently, SingHealth’s oversight of the IT security measures, alongside other evidence showing that proper reporting procedures to prevent a cyberattack were not fully complied with, led the PDPC to direct the respective fines as stated above.
A more recent development involved the PDPC presenting the second edition of the Model Artificial Intelligence (AI) Governance Framework. In 2019, some significant advances were witnessed in the use of artificial intelligence (AI). AI technology can boost productivity, transform businesses and enhance people’s lives. As Singapore develops its technological economy, it adopts the position that system decisions made by AI should be explainable, transparent and fair, and that AI systems should be human-centred. It should be a system where organisations can benefit from technological innovation while consumers are confident to adopt and use AI.
The PDPC released its first edition of the Model AI Governance Framework for broader public consultation, adoption and feedback on 23 January 2019. The first edition was released at the 2019 World Economic Forum Annual Meeting (WEFAM) in Davos, Switzerland. The framework explains in detail the operations of AI systems, how good data accountability practices can be created, and how open and transparent communication can be provided for. Subsequently, on 21 January 2020, the PDPC released the second edition of the framework, comprising some key changes, at the 2020 WEFAM, also in Davos. The key changes include, inter alia, determining the level of human involvement in AI-augmented decision-making and operations management.
Whenever the PDPC seeks to introduce or amend provisions on privacy and data protection law, it carries out public consultations to obtain feedback from the public, relevant stakeholders and interested parties on the proposal before implementing changes.
Data Protection Officers (DPOs)
The data protection provisions of the PDPA, specifically Section 11(3) of the PDPA, require an organisation to designate one or more individuals to be responsible for ensuring compliance with the PDPA. Section 11(4) provides that a person responsible for compliance with the PDPA may delegate the responsibility to another individual. Section 11(6) states that the designation of an individual (or DPO) under Section 11(3) does not relieve the organisation of any of its obligations conferred by the PDPA. In other words, the legal responsibility for complying with data protection obligations remains with the organisation. The DPO(s) may be a person whose scope of work solely relates to data protection, or it can be a person in the organisation who takes on this role as an additional responsibility.
The PDPA does not prescribe where the DPO(s) should be based. He or she need not even be an employee of the organisation. Organisations may employ an outsourced DPO as a third party. Neither does the PDPA stipulate a deadline for an organisation to appoint a DPO. However, the PDPC encourages organisations to register their designated DPO at their earliest opportunity so the DPO can be kept abreast of the relevant data protection developments in Singapore.
DPO responsibilities include ensuring compliance with the PDPA, fostering a data protection culture among employees, managing personal data protection related queries and complaints and complying with the reporting procedure for risks that might arise with personal data matters.
Privacy by Design or by Default
The concepts of "privacy by design" and "privacy by default" were introduced by the GDPR and stem from as long ago as the 1970s. They make it compulsory for organisations to consider the ramifications of any personal data processing activities when developing a new or existing product or service.
Privacy by design holds that privacy should be an organisation’s first consideration, especially at the initial design stage and throughout the development process of new products or services that involve processing personal data. Privacy by default refers to a service offering choices for an individual to share how much personal data he or she wishes to offer to the world and ensuring that the default setting in that situation is the most privacy-friendly one.
These concepts prescribe that privacy should always be an organisation’s initial priority for every new product or service offered. However, they are rather difficult concepts to apply, especially once a design has been completed. Embedding privacy is technologically challenging, expensive or even arduous. With that being said, transparency is key when it comes to earning the trust of individuals to share their personal data in the first place. Therefore, many organisations have already embedded the necessary factors in their development processes.
One should note however, that the concepts of privacy by design and privacy by default are purely theoretical. Presently, there is no precedent for a breach in PDPA obligations pertaining to privacy by design default theory. Moreover, it would be difficult to assess, should a case of this nature arise.
Privacy Impact Analyses
While the role of DPO is becoming an important one in every organisation, it is not uncommon to see DPOs being appointed but with minimal knowledge of what the job truly entails. Although a DPO’s responsibility is overseeing an organisation’s entire data protection and privacy system, it would be helpful if he or she were equipped with skillsets in multiple domains such as legal, IT, administration, cybersecurity and business analytics.
Such skills are necessary for a DPO to conduct a data protection impact assessment (DPIA). Once completed, a DPIA essentially places an organisation in a better position to handle personal data in compliance with the PDPA, complementary to their in-house data protection practices. To execute a DPIA, the DPO should first identify, assess and address the risks associated with personal data collection, use or disclosure. After assessing the risks, proper techniques can be implemented to safeguard the personal data of others.
The main ingredients in a DPIA involve the identification of personal data, the reason or purpose for collecting that data, identifying the risks associated with the intended action, and addressing those risks before executing a data collection activity.
In the event that risks involving large-scale processing of data or automated processing cannot be mitigated, proper and necessary steps such as consultations with the relevant authorities must be taken by the DPO.
Understanding risks also gives organisations room to experiment with new technologies and ways of protecting the personal data in their possession. Various regulatory sandbox methods are widely available, where organisations explore data sharing methods with less stringent rules within a controlled environment in order to better understand the implications of data collection. Singapore has always depended on the concept of “trusted data controllers” and recognition to give assurance to the public. For instance, organisations that have good data management platforms are often awarded trust certificates. These certificates strengthen the trust between the organisations and the public.
Anonymisation, De-identification and Pseudonymisation
In every organisation’s operational data systems, sensitive information may be found for business or legal reasons. Organisations should not discount the possibility of data breaches and unauthorised access to their information systems either from unknown external sources or, with malicious intent, internally.
Such data security risks may be mitigated through the use of anonymisation, de-identification and pseudonymisation methods. This article briefly discusses each of these methods.
Anonymisation is a process whereby personal data is transformed so that the information is not easily identifiable and linked to individuals. The anonymisation process is a set of risk management controls for mitigating personal data leakage and, in circumstances where individuals need not be identified for the purposes in question, it is usually a good practice to collect, use or disclose personal information in an anonymised form.
There are many ways to anonymise personal data. Examples include, inter alia, aggregation, replacement, data suppression, data shuffling and masking. However, the PDPC does not specifically recommend or endorse the use of the techniques mentioned above, so organisations should make their own independent assessment of the context in question before deciding to adopt one of the techniques. Not all information has to be, or can be, effectively anonymised.
Another important point to note is that, while they are in the process of anonymising their data, organisations should consider conducting a DPIA to ascertain any potential negative (or positive) impacts on individuals before anonymisation, after anonymisation and when they can be re-identified.
Another method, known as de-identification and similar to anonymisation, involves a range of techniques such as randomisation, sub-sampling and swapping. Simply put, it is removing personal data from a record. The removal process, however, is controlled. In this technique, organisations need only remove information that directly identifies an individual and, in circumstances where there is a reasonable expectation that information about an individual could be used to identify that individual, such indirectly identifying information as well.
Finally, pseudonymisation involves replacing personal identifiers with other random references such as a reference number or a coded tag that has been randomly generated. It is the processing of data in a manner in which the data can no longer be attributed to a category without the provision of other related materials.
Pseudonymous data is suitable for a great range of analytical activities, research projects and for statistical purposes. Because not all personal data is exposed, it decreases the risk of abuse of the exposed data in the case of a data breach. Pseudonymising the data may provide a “suitable measure” to safeguard data subjects’ rights, freedoms and legitimate interests.
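As an added illustration of the techniques named above (masking, suppression, generalisation/aggregation and keyed pseudonymisation), and not code from the original article or from the PDPC: a small Python script over constructed, fictitious NRIC-style records. The field names, the masking rule and the small-cell suppression threshold in the aggregation step are assumptions for the example; the last of these goes beyond the article's description of aggregation.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records with fictitious NRIC-style identifiers
# (these are not real people and not real NRIC numbers).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"nric": "S1234567A", "name": "Tan Ah Kow", "postal": "560123", "diagnosis": "flu"},
    {"nric": "T9876543B", "name": "Lim Bee Hua", "postal": "560456", "diagnosis": "asthma"},
    {"nric": "S1234567A", "name": "Tan Ah Kow", "postal": "560123", "diagnosis": "flu"},
    {"nric": "G5555555C", "name": "Rahman bin Ali", "postal": "120007", "diagnosis": "flu"},
]

# Fields that directly identify a person (assumed for this example).
DIRECT_IDENTIFIERS = ("nric", "name")


def mask_identifier(value: str, keep_last: int = 4) -> str:
    """Masking: replace all but the last `keep_last` characters with '*'.
    Keeping four characters is an assumption for this example."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def suppress(record: Dict[str, str], fields) -> Dict[str, str]:
    """Data suppression: drop the named fields from the record entirely."""
    return {k: v for k, v in record.items() if k not in fields}


def generalise_postal(postal: str) -> str:
    """Generalisation: keep only the first two digits of a six-digit Singapore
    postal code (the postal sector) so an exact address is no longer stored."""
    return postal[:2] + "xxxx"


class Pseudonymiser:
    """Replace a direct identifier with a keyed token (HMAC-SHA256).

    The secret key is the 'other related material' that must be held apart
    from the pseudonymised data: without it a token cannot be attributed back
    to a person, yet the same identifier always yields the same token, so
    records about one person can still be linked for analysis."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        digest = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:16]


def pseudonymise_records(records, pseud: Pseudonymiser) -> List[Dict[str, str]]:
    """Build the release dataset: keyed token instead of the NRIC, direct
    identifiers suppressed, postal code generalised."""
    out = []
    for rec in records:
        new = dict(rec)
        new["pid"] = pseud.token(rec["nric"])
        new["postal"] = generalise_postal(rec["postal"])
        out.append(suppress(new, DIRECT_IDENTIFIERS))
    return out


def aggregate_by_diagnosis(records, min_count: int = 2) -> Dict[str, object]:
    """Aggregation: report counts per diagnosis, and suppress any cell below
    `min_count`, because a count of one can single out an individual.
    The threshold is an assumption for this example."""
    counts = Counter(rec["diagnosis"] for rec in records)
    return {d: (n if n >= min_count else "<%d" % min_count) for d, n in counts.items()}


def leaks_direct_identifier(released, originals) -> bool:
    """Pre-release check: does any raw NRIC or name from the source data
    appear anywhere in the released records?"""
    raw = {rec[f] for rec in originals for f in DIRECT_IDENTIFIERS}
    return any(str(v) in raw for rec in released for v in rec.values())


if __name__ == "__main__":
    pseud = Pseudonymiser()  # key generated here; in practice store it separately
    released = pseudonymise_records(SAMPLE_RECORDS, pseud)
    for rec in released:
        print(rec)
    print("masked NRIC:", mask_identifier(SAMPLE_RECORDS[0]["nric"]))
    print("per-diagnosis counts:", aggregate_by_diagnosis(SAMPLE_RECORDS))
    print("raw identifier leaked:", leaks_direct_identifier(released, SAMPLE_RECORDS))
```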
Injury or Harm
There is currently no requirement under the PDPA to prove “harm” or “injury” to establish wrongdoing. It is important to note that the data protection provisions under the PDPA do not affect any obligations or rights under other laws, neither do the PDPA provisions override or prevail over the other statutory provisions in Singapore. The PDPA shall not become a piece of legislation that prevents an individual from disclosing information if he or she is legally required (by other laws) to do so.
Leaking or disclosing personal data results in hefty fines under the PDPA. Certainly, like in the SingHealth case mentioned above, trust between members of the public and organisations will fall and corporate confidence will be lost. Consequently, the organisation would need time to “repair” the damage and recover the public's confidence.
The PDPC is set up to oversee these issues and try to mitigate the loss, in an expeditious manner, including reviewing complaints and carrying out investigations which in turn, assure individuals that actions are being taken pertaining to their complaints.
In 2018 and 2019, the PDPC published over 40 enforcement decisions involving personal data breaches and issued the appropriate fines. These cases included GrabCar Pte Ltd, where the PDPC issued a fine of SGD16,000 to the organisation for failing to put in place reasonable data protection protocols to protect the personal data of its customers from unauthorised disclosure. The Singapore company WTS Automotive Services Pte Ltd was also fined SGD20,000 for allowing the unauthorised disclosure of some of its customers’ personal data.
The PDPA provisions provide a baseline standard of personal data protection policy across the board. This is achieved by complementing sector-specific regulatory policies, where organisations are required to comply with the PDPA as well as the common law and other relevant laws that are applied to the specific industry to which they belong, when collecting, using and disclosing personal data.
This is unlike other jurisdictions, such as the USA or the EU, where the concept of sectoral regulation originated and where regulators are extremely particular about and sensitive to personal data concerning health records and identification numbers, personal rights, sexual orientation/preferences and trade union membership. In Singapore, the PDPA does not single out such categories of personal data. However, Singapore has enacted laws tailored to certain categories of data such as financial, health, communications and employment.
For example, for financial data, there are several governmental bodies, such as the Ministry of Finance, the Accounting and Corporate Regulatory Authority, the Monetary Authority of Singapore, etc. For health, there is the Ministry of Health, and the different Acts that regulate personal data. There is also the Ministry of Manpower which oversees employment matters.
Lastly, for communications data, Singapore has enacted the Protection from Online Falsehoods and Manipulation Act (POFMA), which seeks to prevent the electronic communication of falsehoods. Although it does not specifically regulate personal data per se, it complements the PDPA, as its objectives sometimes require the content creator to remove certain sensitive or personal information published in the public domain.
It is worth reiterating that the PDPA does not apply to governmental bodies as they are regulated by legislation that is stricter than the PDPA. Therefore, the various ministries have a wider scope of flexibility to oversee matters pertaining not only to personal data but an array of other issues.
Pursuant to the Protection Obligation, under Section 24 of the PDPA, organisations are required to make reasonable security arrangements to protect personal data and to prevent unauthorised access, collection, use, disclosure, leaks, etc. The PDPC has provided a guide titled “Guide to Securing Personal Data in Electronic Medium”. The guide provides information on topics related to security and protection of personal data in electronic form and practices that organisations can adopt to enhance their data protection policies.
The PDPC states that the guide is not a one-size-fits-all solution on which organisations should have full reliance. It merely acts as an accessory to support or strengthen the organisations’ existing data protection protocols because some organisations may adopt a different kind of electronic storage system to safeguard personal data. Security and data breaches involving personal data over the internet vary and can include, but are not limited to, hacking, gaining unauthorised access, phishing emails, malware, loss of hardware, compromised networks, unintended disclosure of personal data to a third party, etc.
The PDPC recommends that organisations manage their data protection policies using four governing principles: (i) accountability; (ii) standards, policies and procedures; (iii) risk management; and (iv) classification and tracking. The most relevant principle to this topic is classification and tracking. The PDPC recommends that organisations conduct periodic checks for personal data stored in electronic systems, conduct physical inventory and hardware checks regularly, update their anti-virus systems and ensure that their electronic means of storing personal data are up to date. Although this does not address personal data breaches directly, it is the organisation’s first line of defence against unpredicted cyberattacks.
With respect to unsolicited telemarketing communication, the PDPC has set up the Do Not Call Registry (Registry). Members of the public are able to register their numbers with the Registry to avoid receiving unsolicited calls, text messages and fax messages. Even though there is no cap on the number of registrants, not all private organisations are affected by this regime. Organisations such as banks and telecommunication companies that have ongoing relationships with their customers are exempt from checking with the Registry before an intended marketing communication, as long as the customers are given the option to unsubscribe from the marketing content.
The Registry takes a serious view of unsolicited phone calls or text messages to those who have registered their numbers with the Registry precisely to avoid such unwanted marketing communications. It prevents telemarketers from calling and disturbing those already registered with the Registry. If they do, they risk a fine of SGD10,000 for each offence or a maximum fine of SGD1 million.
Despite the good intentions of the DNC Registry, it has been reported that an estimated 600 organisations continue to text or call numbers listed without permission and at least 3,700 complaints have been filed with the Registry. It can be argued that, given the advanced state of contemporary communication technology, the Registry perhaps needs to work with other platforms, such as WhatsApp, Telegram or Facebook to minimise unsolicited marketing and advertisements.
Workplace privacy, including the right of employers to monitor workplace communications, is not specifically addressed by the PDPA. In Singapore, the Ministry of Manpower governs the collection and use of data relating to employment matters. Whistle-blower hotlines are not implemented in Singapore, save for a number of hotlines to which members of the public can direct any complaints.
The PDPC is conferred with enforcement powers under the PDPA to rectify data protection violations.
When the PDPC receives a complaint from an individual, it will first review and address the individual’s concerns by facilitating communication between the individual and the organisation. After reviewing the dispute in question, the PDPC may exercise its enforcement power under Section 29 to direct the parties to take a certain course of action. If the parties are unable to reach a resolution, the PDPC may refer the matter to mediation, though only if both parties agree to this. The PDPC may also direct the parties to resolve the issue through alternative dispute resolution until an amicable solution is achieved.
The general offences and penalties for violating a data protection provision are as follows:
Under Sections 51(3)(b) and (c) of the PDPA, it is an offence to:
Any organisation that violates the above-mentioned provisions is liable:
When the PDPC decides to issue financial penalties, it refers to a non-exhaustive list of aggravating and mitigating factors to determine the weight of the intended penalty. Aggravating factors may include, but are not limited to, failure to actively resolve a dispute with an individual in an effective and prompt manner, intentional or repeated violations of the PDPA provisions, or failure to comply with the PDPC’s directions. Some examples of mitigating factors are early settlement of a dispute with the relevant individual, the organisation taking reasonable steps to reduce the harm resulting from the breach/violation, or voluntary disclosure to the PDPC of a breach at the earliest opportunity.
Apart from complaints received by the PDPC, there are no reported cases of private litigation brought for privacy violations or personal data breaches.
Class actions are generally allowed in Singapore, only if approved, and after obtaining the necessary licences from the relevant authorities. However, if a class of individuals wish to pursue an action against SingHealth, for example (because of the data leak), it is unlikely to succeed in the Singapore Courts.
The handling of serious crimes by law enforcement agencies is excluded from PDPA coverage and its corresponding provisions with regards to data subjects’ rights to data privacy.
There is legislation that governs confidential information, anti-terrorism issues and other national security matters. These statutes include, but are not limited to, the Official Secrets Act, the 2012 Internal Security Act, the Serious Crimes and Counter-Terrorism (Miscellaneous Amendments) Act 2018, and the Terrorism (Suppression of Financing) Act.
There is no legislation in Singapore that requires additional authority for the government to access data for national security purposes.
The provisions of the PDPA do not provide for the invocation of foreign governments.
Since the PDPA came into full force, there have been a number of reports clarifying the rationale of government agencies being immune to the 2012 Act and the reasons why it does not apply equally to government organisations and private organisations. Privacy advocates have raised concerns about the lack of transparency of the public sector’s data security standards. One of the key recommendations brought up to improve transparency is to publish the government’s policies and standards relating to personal data protection and to provide an update on an annual basis.
As the government maintains that the public sector is governed by a different and more stringent set of rules, privacy advocates assert that publishing the policies would allow the public to see for themselves whether this is so and, at the same time, be assured that their personal information is well protected. Another advocate asserts that publishing the standards which the government has adopted would allow private organisations to better understand the ideal standards that have to be met.
As much as the advocates hope for some public awareness about data protection standards, presently, there is no indication as to whether these ideal principles will be shared publicly. Meanwhile, private organisations are free to consult the PDPC for any data protection queries that they may have in the future. Similarly, the PDPC is constantly publishing reports on the latest updates on data protection which are equally beneficial to private organisations.
Under the data protection guidelines, Section 26 of the PDPA and the Transfer Limitation Obligation limit the ability of an organisation to transfer personal data outside of Singapore. Section 26(1) of the PDPA expressly states that an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA, which are intended to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.
There are no prescribed mechanisms in Singapore for international data transfers. Data safeguarding mechanisms should be developed between the private organisation and the intended recipient. The PDPA is silent as to whether such mechanisms should be adopted as part of its obligations.
Generally, there is no requirement for organisations to seek government approval to transfer data internationally as the local government does not rely on the PDPA provision, per se. Any data that is intended for a recipient based outside of Singapore must comply with the procedures set out under the PDPA.
For export and import purposes, a different set of laws (such as contract law or the Regulation of Imports and Exports Act) regulates international transfers. However, personal data would not fall under this category.
India recently proposed, in its Personal Data Protection Bill 2019 (akin to the GDPR), that companies in India will be required to obtain the consent of Indian citizens before their data can be collected and processed. At the same time, the new rules also state that companies would have to hand over the “non-personal” data of their users to the government, and New Delhi would also hold the power to collect any data of its citizens without their consent to serve the larger public interest.
In contrast, there are no such data localisation requirements under Singapore’s PDPA. Many organisations are also less supportive of data localisation. Ravi Menon, Managing Director of the Monetary Authority of Singapore, at the Singapore FinTech Festival of 2018, stated that “We need more data connectivity, and less data localisation. This is a serious risk.”
In the current digital era, big companies operate across digital borders by setting up cloud networks of data centres. This means that an individual’s data can reside anywhere and anytime. “Data localisation measures are on the rise around the world. If data cannot cross borders, the digital economy cannot cross borders and we will be poorer for it” said Menon.
The PDPA does not provide specifications or standards that enable international sharing of technical details in data protection issues.
Consular support and assistance are often provided to assist other jurisdictions in areas such as law enforcement, disaster response, etc. However, the PDPA is silent as to how local government might respond to a foreign government’s data request. Neither does Singapore report such foreign data requests publicly, partly because some of these requests (if they exist at all) are confidential by nature.
Singapore does not have specific "blocking" statutes but does have general statutory provisions that prevent the disclosure of matters relating to the national interest.
Big Data Analytics
Regulation of big data analysis relates to the consent obligation under the key principles of data protection, in particular to the need to obtain consent before an organisation conducts analysis and research activities. Any organisation intending to carry out research activities which require the collection, use or disclosure of personal data needs to comply with the PDPA. The participants should be informed of the purposes for which their personal data is collected, used and disclosed by the organisation.
Currently, organisations may use personal data without consent if they do so for research purposes. This is reflected in paragraph 1(i) of the Third Schedule of the PDPA. More specifically, the paragraph states that an organisation may use the personal data of an individual without the consent of that individual if the personal data is used solely for research purposes. However, the provision shall not apply unless:
This also relates to obtaining consent at the initial stage, before automated algorithmic decisions can come into play. For AI to benefit organisations and businesses, additional principles ought to be incorporated into the AI governance framework.
Decisions made by or with the assistance of AI should be explainable, transparent and fair to sustain trust and confidence in those automated decisions. Also, decisions made by AI should be human-centric. The concept of human-centric refers to an approach that puts the individual in front of the design of the AI deployment. Organisations that are perceived to have caused harm to consumers as a result of their AI deployment do not inspire consumer trust and confidence. The key ingredient in having automated decision-making feature in a process is beneficence, or the “no harm” principle. The “no-harm” principle refers to decisions that should not cause foreseeable harm to any individual and decisions that should always strive to confer benefits or assistance instead of liability.
The PDPA in Singapore is silent on the creation of automated decision-making but expects organisations to actively put in place an appropriate framework for automated decision-making features while remaining fully compliant with the PDPA. This is the case for AI (including machine learning), autonomous decision-making (including autonomous vehicles) and data profiling.
Internet of Things (IoT)
IoT, thought by some to be the next big technological revolution, is the process in which devices like mobile phones and security cameras are connected to the web. As Singapore aspires to be a "Smart Nation", it is already evident that the country’s cloud infrastructure, broadband service, ease of conducting business and control of the flow of traffic are facilitating the growth and advancement of the IoT.
The context of the IoT in Singapore is moving away from the idea of data protection and towards collection to improve the country’s efficacy and efficiency. Take for example, controlling the flow of traffic on a daily basis. Currently, the traffic is managed by electronic road pricing (ERP) systems, an electronic toll collection scheme and usage-based mechanism. The ERP system, apart from collecting tolls, also collects data – the number of cars that pass certain expressways daily. The relevant government agencies then use this anonymous data to enhance and improve their traffic management procedures. Recently, the Land Transport Authority of Singapore (LTA) announced a new implementation of ERP in which features will be added to improve the driving experience and better manage the daily road traffic condition.
The PDPA is silent as to the governance structure applicable to the IoT; rather, it is left to the respective organisations to decide where they intend to improve and enhance their existing data protection protocols.
Facial recognition has become common in daily life, most notably through Apple’s Face ID, as well as at security counters at immigration checkpoints. Essentially, facial recognition is another form of verifying one’s identity. Singapore is taking a more progressive approach to technological advances in this area, which prompts the question: what are the implications of allowing such pervasive surveillance for the sake of convenience? Certainly, facial recognition systems open new possibilities for potential abuses of power, profiling and non-consensual data collection.
Drones are used for (national) security reasons by the military and law enforcement officers. Organisations that wish to utilise drones should consider whether the drones deployed are likely to capture any personal data of individuals.
Organisations should be mindful that the use of drones with photography or videography capabilities is generally subject to obligations under the PDPA as well as guidelines and requirements of other laws. In the event that the drones utilised are likely to capture personal data, organisations should inform individuals of the purpose of their use and obtain the individual’s consent as well as adhere to all the provisions of the PDPA.
The word "reasonable" is mentioned approximately 48 times in the PDPA. This word implies that the PDPC requires organisations to put in place necessary and suitable data protection measures. Although there is no strict governing framework requiring organisations to execute a certain course of action within a stipulated time, organisations are expected to take the initiative to handle their own protocols from the outset. The PDPC only gets involved when a complaint has been lodged.
Currently, all enforcement is performed by the PDPC. There is no real litigation per se, ie, an individual bringing an action against the state in relation to privacy laws.
The PDPA is an act that protects an individual’s personal data. It is not an act that allows individuals to bring an action against another individual or even against the state. As far as litigation is concerned, there are no reported cases where an applicant has successfully litigated on a privacy law matter and obtained redress or compensation.
With regard to corporate transactions, organisations are expected to perform their due diligence to ensure that every transaction, regardless of whether it contains data collection elements, is fully compliant with the relevant laws and/or procedures. Performing due diligence means to embark on a process of verification, investigation, audit and confirmation of all relevant facts and details. In essence, it is about doing ample and adequate research before entering into an agreement or completing a transaction.
Under the law, it is known as performing a legal health check. Due diligence is a risk assessment for organisations to adopt in order to address potential issues. The ultimate goal is to fully understand the legal situation of a company and the issues that company may face post-transaction.
The PDPC maintains a position of providing transparent and full public disclosure of its enforcement decisions. These decisions provide salient insights from which organisations are strongly encouraged to take guidance, and to implement measures to prevent similar occurrences. The publication of cases on the PDPC's website aims to promote accountability among organisations and to safeguard consumer interests and trust.
There are no other significant data protection and privacy issues in Singapore not already covered in this chapter.