The provisions within the Personal Data Protection Act (the “PDPA”) apply to all organisations, with certain exceptions.
“Organisation” is defined very broadly at section 2(1) of the PDPA. The definition is inclusive rather than exclusive: an “organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not:
(a) formed or recognised under the law of Singapore; or
(b) resident or having an office or place of business in Singapore.
If you are a business entity or if you are doing business on a personal basis (e.g. hawker, taxi driver), the PDPA will apply to you. Lest you think you can get around it by forming an organisation overseas, it is clear from the wording of section 2(1) that PDPA compliance applies even to organisations that are not formed or recognised under Singapore law (a foreign entity) and even if they reside overseas.
You will therefore not be able to get around PDPA compliance by forming a company in Timbuktu and using that company to collect data from Singapore individuals via your Timbuktu website. Nice try.
There are, however, exceptions. The PDPA provides at section 4(1) that it has no application to:
(a) individuals acting in a personal or domestic capacity;
(b) employees acting in the course of their employment with an organisation;
(c) public agencies, or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; and
(d) other organisations as may be prescribed by the Minister.
An individual acts in a “personal or domestic” capacity when undertaking activities for himself, his home or family. For example, the individual acts in a personal capacity if he collects and stores contact details in his smart phone or posts photos of his friends (which is personal data caught under the PDPA) on his Facebook page. But if he starts using these contact details for his business e.g. sending emails to these contacts to sell his products or services, he will have to comply with the PDPA provisions.
Employees are excluded from the application of the Data Protection provisions. The PDPA defines an employee to include a volunteer. Hence, individuals who undertake work without an expectation of payment would fall within the exclusion for employees.
Even though employees are personally excluded from the application of the PDPA, it is important to know that organisations which employ them remain responsible for the actions of the employees. Hence, if your employee does an act which results in a contravention of the Data Protection Provisions, he will not be liable for the consequences (as long as he is acting within the scope of his employment) but the organisation which employs him will be.
This is why it is important to ensure that an organisation has a Corporate PDPA Policy and that all its employment contracts include such policy terms, making it clear to each employee that he cannot act in contravention of the PDPA and that any such act does not form part of his scope of employment.
Section 2(1) of the PDPA defines a public agency to include:
(a) the Government including any ministry, department, agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified by the Minister by notice in the Gazette.
To date, the Minister has gazetted 66 statutory bodies as public agencies pursuant to the Personal Data Protection (Statutory Bodies) Notification 2013. So these bodies will be exempted. If you are an organisation providing services to one of these public agencies, you will also be exempted from the PDPA in respect of and limited to the work you do for these public agencies. But it is not a blanket exemption. You will remain liable to comply with the PDPA for other aspects of your business which do not relate to these public agencies.
For more information on the Personal Data Protection Act, read those of our blog posts which relate to this topic including our post summarising the six steps organisations should take to comply with the PDPA. Alternatively, you may wish to consider signing up for our PDPA Quick-Start Programme.
Important Notice: The contents of this note are owned by its author and subject to copyright protection in Singapore and, through international treaties, other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.
While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.