Put simply, the Personal Data Protection Act 2012 (PDPA) provides a framework that organizations must follow when handling personal data. It comprises rules governing the collection, use, disclosure, and care of personal data, and it requires every organization to develop and implement privacy and internal data security policies.
The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPC is the Singapore Government body responsible for personal data protection and serves as the main authority on all matters relating to it, including formulating and implementing personal data protection policies.
By regulating the flow of personal data between organizations, the PDPA also serves a broader goal: maintaining Singapore's position as a trusted, world-class hub for business.
Here are five PDPA facts you should know in order to comply with this Singaporean regulation:
#1: The nine PDPA obligations explained
When it comes to data protection, the PDPA imposes nine obligations on organizations:
Consent:
Organizations may only collect, use, or disclose personal data for purposes to which the individual has given express or deemed consent, and the individual must have been notified of those purposes. Individuals must also be allowed to withdraw their consent.
Purpose:
An organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and of which the individual has been informed.
Notification:
Organizations must notify individuals of the purposes for which their personal data is collected, used, or disclosed, on or before that collection, use, or disclosure. A separate data breach notification obligation is still under review.
Access and correction:
On request, organizations must give an individual access to their personal data and to information about how it has been used or disclosed, and must correct any errors or omissions in it.
Openness:
Organizations must make information about their data protection policies, practices, and complaints process available on request. They must also designate one or more individuals as a Data Protection Officer (DPO) responsible for ensuring the organization complies with the PDPA.
Protection:
Organizations must make reasonable security arrangements to protect the personal data in their possession or under their control against unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
Accuracy:
Organizations must make reasonable efforts to ensure that the personal data they collect is accurate and complete.
Retention:
Organizations must cease to retain personal data, or anonymize it, as soon as it is no longer necessary for any business or legal purpose.
Transfer:
Organizations may transfer personal data outside Singapore only in accordance with the requirements prescribed under the PDPA, so that the transferred data receives a comparable standard of protection.
#2: Both external and internal data matter to the PDPA
Organizations, as employers, must take reasonable steps when handling their employees' personal data, including maintaining an internal data management system.
To illustrate the importance of protecting internal data, consider Re Executive Coach International Pte Ltd [2017] SGPDPC 3: a director of the organization disclosed sensitive personal data about an employee in a WhatsApp group chat with other employees. The PDPC held the organization liable for breaching the PDPA.
The PDPC places equal emphasis on an organization's responsibility when handling customer data. In Re SLF Green Maid Agency [2018] SGPDPC 27, staff interacting with prospective customers reused scrap and discarded paper that contained other individuals' personal data, including photocopies of their national registration identity cards, foreign identification numbers, passport details, and signatures. The PDPC ruled that the organization had breached the PDPA, and the case caused it significant reputational damage.
Both cases show that organizations must train their staff on the PDPA in order to avoid financial and reputational damage.
#3: The PDPA Privacy Policy explained
Under the PDPA, every organization must publish a privacy policy and must obtain express or deemed consent before collecting its customers' personal data. To be compliant, a privacy policy must cover the following:
- The nature and type of personal data collected;
- The purposes for which the data is collected;
- How the data is collected, used, and disclosed;
- The procedure for withdrawing consent;
- How individuals can access and correct their personal data;
- The measures taken to protect personal data;
- How the accuracy of personal data is maintained;
- How long personal data is retained;
- How personal data is deleted;
- Whether and how personal data is transferred outside Singapore;
- The contact details of the Data Protection Officer, so that customers can make a complaint;
- The effect of the notice and how changes to it will be communicated.
#4: PDPC expects companies to have a Data Protection Management Program (DPMP)
To establish a sound data protection management system, the PDPC recommends that organizations:
(i) appoint a Data Protection Officer (DPO), preferably from senior management, who can effectively direct and oversee data protection initiatives;
(ii) endorse a Data Protection Management Program (DPMP);
(iii) establish a risk management framework and reporting mechanisms; and
(iv) create and communicate a data security policy that sets out the organization's approach to handling personal data.
Recommendation (ii) is how the PDPC expects organizations to put the policies and practices the PDPA requires into operation. The recommendation applies not only to multinational companies (MNCs) but also to SMEs.
A DPMP is a systematic framework that helps an organization build a robust data protection infrastructure. It covers the management policies and processes for handling personal data and defines the roles and responsibilities of people in the organization with respect to personal data protection.
#5: The Data Protection Officer (DPO) role in PDPA
A competent Data Protection Officer is key to preventing non-compliance with the PDPA. Although the DPO is responsible for ensuring compliance, many organizations support the DPO with a team drawn from senior management and other departments to assist with personal data matters. An organization must make the DPO's business contact information available to the public. Designating a DPO does not, however, relieve the organization of its own obligations under the Act.
The DPO designated by an organization should be sufficiently skilled and knowledgeable, and organizations should ensure that the individuals they appoint as DPO are trained and certified.
Ensure PDPA compliance with Compliance Readiness
To build awareness and deliver proper training so that your workforce can handle both internal and external personal data, look for a solution that drives meaningful, long-lasting policy compliance awareness across your organization. Schedule a demo with us to learn how Compliance Readiness can help your Data Protection Officer save time and resources when dealing with the PDPA.
Check out our blog post “10 Steps to be Compliant with PDPA” to get an overview of the PDPA checklist.
DISCLAIMER: The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.