The Singapore Parliament has passed a Personal Data Protection Act.
One feature of the Act is the establishment of the Personal Data Protection Commission (PDPC). It will be responsible for promoting awareness of data protection in the country, and for administering and enforcing the law. Its powers include the ability to fine organisations up to S$100,000 for obstructing the performance of its duties. Organisations that falsify personal data records, or information about the collection, use or disclosure of personal data, face fines of up to S$50,000.
Under the new law organisations will generally be required to obtain individuals’ consent in order to collect, use or disclose their personal data. However, there are exceptions to the rule that allow organisations to legitimately carry out any of those activities without consent.
Collecting personal data without consent is legitimate, among other examples, if it is in the national interest, if it is in order to recover a debt, if the data is to be used by the media for its news operations, or if it allows an employer to manage the “employment relationship” with staff.
Personal data can also be used or disclosed without the individual’s consent for “research purposes” under certain conditions, under another of the exceptions to the consent requirement.
Whether or not an exception applies, the collection, use or disclosure of personal data must in all cases be “for purposes that a reasonable person would consider appropriate in the circumstances”, and the individual to whom the data relates must be informed of those purposes before the collection, use or disclosure takes place.
The Act establishes a new ‘Do Not Call Register’. Individuals will be able to apply to have their telephone number added to the register in order to opt out of receiving “specified messages” from marketers. Organisations will generally be barred from sending specified messages to numbers listed on the register, and those that fail to comply with the rules on specified messages face fines of up to S$10,000. The register will not cover messages sent to organisations, “so as not to unduly hinder business-to-business marketing”.
The Ministry of Information, Communications and the Arts (MICA) has proposed a ‘sunrise’ period of at least 18 months so that companies have time to update the way they work in order to comply with the new law.
Interestingly, and not surprisingly given that it is Singapore, the Act does not cover government agencies. Quite a gap.
The closing speech in Parliament provides:
Mr Speaker, Sir, I thank the many Members of this House for their support for this Bill, and for sharing their thoughts on important issues that this piece of legislation seeks to address.
2. Members have raised many different scenarios about the protection of individuals and the concerns of organisations. The Bill is drafted to apply to all sectors in the economy and necessarily contains broad and general principles. It will therefore not be possible to give a definitive answer to each and every scenario, as this would require an assessment of all the facts of the specific case.
Key Themes
3. With this in mind, let me address the key themes and questions that Members have brought up.
Compliance costs
4. One of the key issues that Members have brought up is the issue of compliance costs, especially for SMEs. This is a key consideration for us in developing this Bill. We have sought to mitigate compliance costs for businesses where possible. Several requirements have been adjusted to take into account the feedback and suggestions received from the businesses during the public consultations period.
5. For example, the law will impose fewer obligations on organisations known as ‘data intermediaries’, which process personal data on behalf of other organisations. Measures are also in place to mitigate organisations’ costs for handling access requests. Business-to-business marketing calls and messages are also excluded from the Do Not Call registry so as not to unduly hinder business-to-business marketing.
6. I would like to assure Members that we have been mindful to ensure the Bill does not impose overly onerous requirements on businesses, while maintaining an adequate level of protection for our consumers.
7. Nonetheless, some costs are inevitable in complying with any new piece of legislation or regulation. Mr Zaqy Mohamad and Ms Low Yen Ling asked about training and financial assistance to help SMEs comply with the Act. To ease organisations into the new law, the Bill provides transition periods of 12 and 18 months for organisations to adjust their practices to comply with the DNC registry and data protection requirements, respectively. During this period, the Personal Data Protection Commission (PDPC) will focus on building up the capabilities of organisations to comply with the Act. The PDPC will issue advisory guidelines, provide educational materials as well as conduct education and outreach activities to help both organisations and individuals better understand the Act. These education and outreach activities will continue beyond the transition period because it is in our interest to ensure that everybody knows the Act.
8. There are also existing industry assistance schemes, such as IDA’s iSprint scheme and SPRING’s Innovation and Capability Voucher scheme, that companies can tap on to help defray costs in upgrading their systems or processes to comply with the Act.
Economic benefits
9. Mr David Ong and Ms Jessica Tan rightly pointed out the need for a framework that balances innovation and flexibility with the need to ensure good governance. A data protection regime can help promote business innovation and enhance competitiveness. It was also observed that consumer data, if appropriately used, can lead to better services and products that help local businesses become more competitive. The Bill also supports Singapore’s development as a global data hub by providing a conducive environment for global data management industries, such as cloud computing and business analytics, to operate in Singapore.
Concurrent application
10. Mr Desmond Lee asked how the Bill is envisaged to operate in relation to common law principles. The Bill does not seek to change any right or obligation conferred by or imposed under the common law, including the common law principles of confidentiality and consent. The Bill does address a number of issues that are not covered under the common law today. For example, the common law does not have a general requirement that consent must be obtained for the purposes for which personal data is collected, used or disclosed.
11. The Bill is a baseline legislation that will operate concurrently with other legislative and regulatory frameworks. Taking the example of the health sector, medical records that contain personal data are covered under the Bill. This includes personal data contained in electronic health records. Doctors will need to follow the rules for collection, use, disclosure, access and correction, and care when dealing with personal data in medical records. In addition, other relevant laws, such as those under the purview of the Ministry of Health, may also apply.
Definition of personal data
12. Several Members commented on the definition of personal data. Mr Zaqy Mohamad raised the concern that the definition is broad and vague and may not cover information such as a person’s salary and religious preferences. As one can tell from the different situations that Members have raised, it is necessary for the definition to be sufficiently broad to allow the Bill to apply to differing circumstances. The definition adopted in the Bill encompasses any data that can identify an individual, and it will cover the examples cited by the Member. The definition also covers personal data recorded in both electronic and non-electronic formats.
CCTV recordings
13. Mr Ang Wei Neng spoke about CCTVs. The Bill covers CCTV recordings to the extent that images of identifiable people are captured. However, imagery captured by CCTV in public places may be considered ‘publicly available’ personal data, and can be collected, used or disclosed without consent. However, for CCTV surveillance at private premises, consent would generally be required unless other exceptions apply. In such cases, it may suffice to notify individuals through the placement of signs that CCTVs are monitoring the premises. The PDPC will provide more detailed guidance on the use of CCTV and surveillance cameras in due course.
Online platforms
14. Several Members asked how the Bill will apply to personal data posted online, such as social networking sites and blogs. Online sites, including social networking sites and blogs, may be considered ‘publicly available’ sources depending on the circumstances. The collection, use or disclosure of ‘publicly available’ data will not require the consent of the individual concerned.
15. On Mr Zaqy Mohamad’s suggestion to cover cyber-bullying and other undesirable online behaviour, the Bill is concerned with regulating the management and the protection of personal data. It does not govern other actions of individuals online. This would be more appropriately addressed by other laws.
Foreign organisations and cross-border transfers
16. Several Members asked about the application of the Bill to foreign organisations operating in Singapore, and ensuring personal data transferred overseas is accorded the same level of protection. The Bill will apply to any organisation that collects, uses or discloses personal data in Singapore. This includes foreign companies operating in Singapore.
17. We are not adopting a prescriptive approach of restricting transfers of personal data to countries that have an adequate level of data protection. Instead, the Bill adopts a “principle-based” approach, where the onus will be on the organisation in Singapore to put in place measures, such as contractual arrangements, to ensure a comparable standard of protection is accorded to personal data transferred overseas. Therefore, there is no need to further burden organisations with disclosing to consumers where copies of their personal data will be transferred to.
Public sector exclusion
18. The Bill applies to all organisations across the private sector, regardless of whether they have commercial or non-commercial aims (such as NTUC). This is important as it will assure the public that there is a minimum set of data protection rules applied consistently across the private sector and foster greater trust.
19. The Bill does not cover the public sector as it already has its own set of data protection rules that all public officers must comply with. These rules are guided broadly by the same principles under the Bill. Statutory provisions in several Acts also regulate the collection, use and disclosure of information by the public sector. These ensure that public agencies and officials are subject to responsibilities to maintain confidentiality and protection of personal data, while enabling them to carry out their statutory functions in an effective and accountable manner.
20. All Ministries, Statutory Boards and Organs of State are required to comply with the public sector rules with regard to Data Protection. The Government takes steps to ensure that officers comply with Government policies and regulations, including Data Protection; for example, audits may be carried out, and where cases are raised to the Government, these will be investigated and officers who are found to have violated these regulations may be disciplined according to the Public Service Disciplinary Regulations. Agencies have mechanisms and processes in place to receive and address complaints or enquiries about the Government’s policies and procedures relating to the handling of personal data. In relation to individuals’ access and correction rights, individuals can also request.
21. I understand that individuals may also request Government agencies to correct inaccurate personal information held by the agencies. I would also like to reiterate that personal data held by Government agencies are protected by appropriate security safeguards against accidental or unlawful loss, as well as unauthorised access, use or disclosure. This is regardless of the format in which the personal data is kept.
Application to Members of Parliament
22. Mr Ang Wei Neng touched on how the Bill will apply to Members of Parliament, or MPs. In general, MPs are required to comply with the requirements under the Bill when collecting, using or disclosing personal data in the course of their work. In certain cases where an individual voluntarily provides his personal data to the MP for a purpose, such as for the MP’s assistance, consent may be deemed to be given for the MP to pass the personal data to a relevant organisation for the purpose of providing assistance. Where the MP is acting on behalf of a public agency, the public sector rules will apply.
Exceptions
23. Mr Desmond Lee asked about the exceptions provided in the Second to Fourth Schedules. These are based on the overarching intent of ensuring adequate protection for individuals without placing onerous burdens on organisations to comply with the law. They also take into account international practice and Singapore’s context. For example, exceptions apply in certain circumstances or situations where obtaining consent for the collection, use or disclosure of personal data may not be feasible. Such situations include collection of personal data for life-threatening emergencies. Exceptions are also necessary to enable certain organisations to effectively perform their functions, such as investigations or legal proceedings.
Specific scenarios
24. Let me now address some of the queries on specific situations.
25. As I mentioned earlier, how the Bill applies will depend on the facts and circumstances of the case. In the example of the lucky draw forms that Mr Patrick Tay brought up, if the organisation had clearly stated on the lucky draw form that the personal data provided would be used for the purposes of contacting the individual to market certain products, then the organisation would be able to use it for those purposes. If, however, there was no mention of the marketing purpose, then it is likely the organisation will be in breach of the provisions if they use the data for marketing activities.
26. Likewise, for the example of the use of the NRIC details raised by Dr Fatimah Lateef, organisations should consider if collecting a person’s NRIC number is reasonable for the purpose, and obtain the individual’s consent. For example, if the organisation needs to verify the individual’s identity to provide certain services, such as for admission to a hospital or to check on his health insurance, it may be reasonable to require the individual to provide his NRIC details to prove his identity.
Special groups
27. Several Members raised the need to provide for special groups of people, such as children and the mentally incapacitated. Members may wish to note that the details of persons who may act for minors, and the extent to which they can exercise the rights or powers of such individuals, will be set out in subsidiary legislation subsequently. The Bill is designed to allow sectoral legislation to provide higher level of protection on top of its baseline requirements. Additional protection for other special groups that require it can thus be catered for by sector-specific laws. I take Ms Low Yen Ling and Ms Fatimah Lateef’s point that children’s personal data will be an increasingly important issue as tools and platforms for collecting children’s data become more prevalent. The Bill is a first step in putting in place a basic personal data protection regime for Singapore. We will continue to review and adjust the legislation to address additional areas of concern, where necessary.
Do Not Call registry
28. Several Members raised queries about the Do Not Call, or DNC, registry. Allow me to clarify some of these concerns.
29. Mr Dhinakaran raised concerns about the DNC registry’s impact on organisations’ practices. Today, nothing prevents organisations from freely collecting, using, sharing or selling consumers’ personal data without consent. The Bill imposes the necessary requirements on how organisations may collect, use or disclose personal data, so as to protect individuals from misuse of their personal data.
30. To clarify a point mentioned by Mr Dhinakaran, the Bill does not prohibit the sharing of personal data between entities, so long as consent is obtained. This approach strikes a balance between allowing organisations to share personal data, and allowing individuals to decide how their data may be used. The Bill also does not prescribe a retention period for personal data. It only states that organisations should not retain personal data when such retention no longer serves the purposes for which the data was collected. It does not make business sense; if you don’t use it, delete it. This is in recognition that the appropriate retention period will vary according to the legal or business needs of each organisation.
31. The requirements of the DNC registry are not as complex as some Members may perceive. Organisations that send marketing messages must check their contact lists with the DNC registry within the prescribed period before sending the message. A 60-day checking interval will be prescribed for the first six months of the DNC registry’s operations. Thereafter, we will reduce the checking interval to 30 days. An organisation will not be in breach of the rules if it sends marketing messages to individuals who register their numbers within the interval period after the organisation has checked with the DNC registry. So if you check on day one and his number is not there, you can send it to him. If on day two he enters it, it is still within the prescribed period. However, these individuals should not receive any marketing messages after the 60- or 30-day interval.
32. Organisations may still send marketing messages to registered numbers if they have obtained clear and unambiguous consent to do so, in written or other accessible form. In the examples raised by Members, seeking consent to use personal data using a general or vaguely-worded clause buried within pages of other terms and conditions is unlikely to be considered clear and unambiguous consent. This may not comply with the requirement to notify individuals of the purposes for collecting, using or disclosing their personal data, and could also be considered a misleading or deceptive practice prohibited under the Bill. Organisations should also maintain the records of consent that their customers have given to indicate that they can be contacted for telemarketing. This is a practical way for organisations to demonstrate that they are compliant with the law.
33. Mr Zaqy Mohamad and Mr Lim Biow Chuan made a valid observation about telemarketing calls originating overseas. Similar concerns on the abuse of personal data by overseas organisations were also raised. While the PDPC may seek to enforce the Act against overseas organisations, in reality, it may be difficult to investigate and proceed with any enforcement action against such organisations. Recognising this limitation, Clause 37 provides the ability to enforce against any local organisation that authorised the sending of the marketing message. This will mitigate the problem as marketing messages targeted at Singapore telephone numbers are likely to involve goods and services by organisations with a local presence. The Bill also contemplates that the PDPC may establish arrangements with foreign data protection regulators, which may include cross-border cooperation.
34. Mr Eugene Tan asked about covering e-mails under the scope of the DNC registry. We have decided not to include e-mails as unsolicited e-mails can be blocked through email filters and cause less of a nuisance to delete when received, as compared to phone calls, SMS and fax messages, which are more difficult for the individual to filter. A significant proportion of spam emails also originate from overseas, which makes it difficult for any enforcement action to be taken even if email messages were to be included.
35. I take the point raised by Mr Dhinakaran that the DNC registry may lead to more organisations using mass marketing channels, such as direct mailers and flyers. I would suggest that the DNC registry will better focus organisations’ telemarketing efforts. This is because the DNC registry allows them to effectively target a group of consumers who are genuinely interested in receiving information on products and services, and eliminate time and resources wasted on those who do not wish to receive such information.
36. Individuals who change their minds can withdraw their numbers from the DNC registry using a similar method as registration. The process could be as simple as calling a number using the phone of which the telephone number is to be registered or de-registered, or filling up an online form.
Existing personal data
37. Several Members raised the possibility of organisations taking advantage of the transition period to collect and use personal data. The Bill has taken the approach of protecting individuals’ personal data without imposing overly onerous requirements on organisations. Requiring organisations to notify or obtain consent from individuals for all personal data previously collected would be too onerous. The Bill therefore takes a balanced approach by allowing organisations to use the personal data collected before the appointed day for the purposes for which it was collected, provided the purposes are reasonable. After the law comes into effect, individuals can withdraw consent that was previously given. These measures will help protect consumers from those who seek to use the transition period to misuse personal data collected before the law comes into effect.
38. Several Members also requested for staggered transition periods. Ms Jessica Tan proposed different ‘sunrise’ periods of 12 months for large business and 2 years for small business. We have proposed a single ‘sunrise’ period of at least 18 months for all organisations, regardless of size, in order to minimise confusion and keep implementation simple. Differential treatment for small companies in some jurisdictions was found to have added to the complexities of implementation. During the “sunrise” period, the PDPC will conduct awareness-building activities for both businesses and consumers, in relation to their rights and obligations under the regime. These activities will be targeted at enhancing organisations’ ability to comply with the PDPA when it comes into effect.
Enforcement and implementation
39. Several Members touched on the issue of enforcement and implementation. The Bill provides the PDPC with a range of powers to enforce the Act effectively. It adopts a complaints-based approach to enforcement, and the PDPC will have the powers to initiate investigations or investigate if a complaint is lodged. It will have the power to investigate potential non-compliance and the power to issue directions to organisations to correct their non-compliance. In enforcing the law, the PDPC is expected to act on cases in a timely manner and may issue advisory guidelines on its procedures and associated timelines in due course.
40. Mr Desmond Lee expressed concern about the dispute resolution and appeal process being cumbersome. The approach takes into consideration that a large majority of cases are likely to be resolved early, which may not require a decision by the PDPC. However, in instances where the PDPC is required to investigate and take enforcement action against an organisation, the appeals process allows for quicker resolution through reconsideration, while providing aggrieved parties the appropriate avenue to appeal to an independent appeal body. Further appeals to the High Court and Court of Appeal are allowed on points of law or on the amount of financial penalty imposed. This is in line with other laws, such as the Competition Act.
41. Mr Patrick Tay and Ms Jessica Tan spoke on the role and composition of the PDPC. As mentioned in my earlier speech, the PDPC will serve as Singapore’s main authority on matters relating to personal data protection. It will also undertake education and outreach activities to promote public awareness of personal data protection in Singapore.
42. An Advisory Committee will be appointed to provide advice to the PDPC. It will comprise members of the industry, members of the public and civil society. The exact composition of the PDPC and the Advisory Committee will be firmed up and announced in due course, if the Bill is passed.
43. The Bill is not intended to be overly prescriptive, as it is applied to all sectors of the economy. To provide greater clarity on the interpretation and application of the Act, the PDPC will issue advisory guidelines, which will be developed in consultation with the industry. Public education will also be key, as some Members have highlighted. In this regard, the PDPC will reach out to the public, including young children in schools, to raise awareness of the importance of personal data protection. While the Bill will put in place safeguards to protect consumers’ personal data, ultimately, individuals will have to take responsibility for their own personal data.
44. So, as you can see from the broad range of issues raised by Members of the House, you can appreciate the complexity of the issue of personal data protection and the importance of striking a balance in the various considerations. The issues the Members have raised are among the myriad of issues that we have considered to formulate a model that takes into account the interests of the different stakeholders and Singapore’s needs. We also recognise that the interests and circumstances may change and will therefore need to review and adjust the laws to address new and emerging issues. As the Chinese proverb says, and I have to say this in English, the journey of a thousand miles begins with one step. Members of the House will agree that this is an important piece of legislation and a significant step forward for Singapore, and I hope we can support the Bill. Thank you.