6 Steps to Comply with Singapore PDPA Obligations by 2 July 2014

May 7, 2014

Personal Data Protection Act Update (Part 1)

The Personal Data Protection Act (PDPA) will come into operation and be enforced in phases. The provisions relating to the DNC Registry came into effect on 2 January 2014, and the main data protection provisions will come into force on 2 July 2014.

If you are a business or individual whose business involves collecting, storing, managing and/or dealing with personal data of individuals (including employees, customers, and other third parties), you will need to comply with these requirements by 2 July 2014.

We suggest six practical steps on how your business can comply with the PDPA.

Part 1 of this note deals with Steps 1 to 3. PDPA Part 2 deals with Steps 4 to 6.

Step 1: Start preparing an in-house PDPA Policy Document

Section 12 of the PDPA provides that an organisation must:

a. develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA;

b. develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA;

c. communicate to its staff information about the organisation’s policies and practices referred to in item a; and

d. make information available on request about the above policies and practices and complaint process.

The effect of section 12 PDPA is that it is compulsory for all organisations to develop and implement policies, as well as to train their staff on those policies.

Because of the requirement to produce copies of these policies and practices for inspection by anyone who asks (including government agencies), organisations cannot “close one eye” and pretend to have a policy when they do not. The truth will find you out!

Step 2: Appoint and train your in-house PDPA Compliance Officer

To ensure an organisation plays by the rules, Section 11 PDPA makes it compulsory for you to designate an employee to be responsible for ensuring that the organisation complies with the PDPA requirements.

The business contact information of this person must be made available to the public, so it will not do to appoint a phantom PDPA Compliance Officer who does not actually exist!

Equip this employee with sufficient empowerment and training so that he can in turn train and manage the employees under your care on PDPA issues.

Step 3: Be aware of your responsibility for your employees’ breach of the PDPA and minimise the risks of liability

The PDPA treats any act done or conduct engaged in by an employee as if it was done or engaged in by his/her employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval (section 53(1) PDPA).

Organisations will therefore be responsible for any breach of the PDPA provisions even if the breach arose from acts or omissions by employees.

The only defence cited by the PDPA against criminal sanctions for employees’ infractions is for the employer to prove that he had already taken such steps as were practicable to prevent the employee from doing the act or engaging in the conduct (section 53(2) PDPA).

To avail themselves of this defence, organisations will have to show that they have taken practical steps to formulate a corporate policy, communicate and train all employees in this policy and implement practical safeguards to ensure the policy is observed and complied with.

Therefore, take your obligation to do up a good in-house PDPA programme seriously! Invest in structures or IT systems which allow you to monitor and protect personal data against unauthorised use. Show that good and practical steps have been taken and that it is not only “for show”. Enforce infractions internally and store personal data securely. Simply pasting warning stickers on the office wall, filing cabinets or telephone sets will not do!

If, despite these measures, the employees still breach the PDPA requirements, the PDPA affords the employer a good defence against criminal sanctions under the PDPA.

[to continue reading about the next 3 steps, read more about PDPA steps Part 2]

Should you have any queries or comments on the above note, kindly contact gluu@gluu.asia.

If you would like to continue receiving our regular updates, please “like” our Facebook page at https://www.facebook.com/gluu.asia or drop us an email at gluu@gluu.asia to indicate your wish to subscribe.

Important Notice: The contents of this note are owned by its author and subject to copyright protection and, through international treaties, other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.

While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.
