Singapore's New Data Protection Regime – the Introduction of the Personal Data Protection Act
The PDP Bill sets out rules for collecting, processing and storing all personal data, whether in electronic or non-electronic form. This legislation has been eagerly awaited by both consumers and businesses in Singapore as this provides new safeguards over personal data and will bring Singapore's data protection law more in line with countries with well-established data protection regimes like the United States, the EU, Hong Kong, Australia and New Zealand.
From September to April 2012, three public consultation sessions were held by the Singapore Ministry of Information, Communications and the Arts (“MICA”) to obtain feedback on the proposed PDP Bill (a copy of the PDP Bill can be found here).
Most of the public agreed that the proposed data protection legislation is important and timely in protecting consumers’ personal data from misuse and the PDP Act will help strengthen Singapore’s reputation as a reliable and first rate global business hub.
Detailed public responses can be found here.
Overview of the PDP Bill
The main features of the PDP Act (based on the current PDP Bill) include:
- the application of the PDP Act to all private sector companies in Singapore as well as all companies located outside of Singapore that are engaged in data collection, processing or disclosure of such data within Singapore
- the requirement of at least one designated individual within each business organisation to be responsible for compliance with the PDP Act
- the requirement for business organisations to implement policies and practices to comply with the PDP Act - companies will have a "sunrise period" of at least 18 months from the date the PDP Act is enacted to put in place policies and practices that are necessary to comply with their obligations under the PDP Act
- the PDP Act imposes a general requirement to obtain consent for the collection, use and/or disclosure of personal data
- allowing individuals to request access to their personal data held by business organisations in order to find out how organisations have used or are using the personal data collected, to correct any inaccurate information collected and to seek redress for suspected breaches of the PDP Act, and to withdraw their consent from future use of their data
- the introduction of a national "Do Not Call" ("DNC Registry") registry which adopts an "opt-out” approach such that individuals who do not wish to receive marketing messages or "cold calls" can register their Singapore telephone numbers with the DNC Registry
- the establishment of a Data Protection Commission ("DPC") to administer and enforce the PDP Act – the DPC can issue fines to companies of up to S$50,000 for "wilfully" breaching the terms of the PDP Act in relation to the collection, use and disclosure of personal data. Individuals can be fined up to S$5,000. Enforcement of such fines can be made through the Singapore Courts.
The PDP Act, once enacted, will provide individual consumers with greater protection over their personal data and enhance Singapore's reputation as an international business hub with a trusted and reliable data protection regime.