The Personal Data Protection Act (PDPA) will come into operation and be enforced in phases. The provisions relating to the DNC Registry came into effect on 2 January 2014 and the provisions relating to the main data protection will come into force on 2 July 2014.
If you are a business or individual whose business involves collecting, storing, managing and/or dealing with personal data of individuals (including employees, customers, and other third parties), you will need to comply with these requirements by 2 July 2014.
We suggest six practical steps on how your business can comply with the PDPA.
Part 1 of this note dealt with Steps 1 to 3. Part 2 below deals with Steps 4 to 6.
Step 4: Review your methods and terms of interface/interaction with employees and branch offices
New PDPA compliant systems and employment terms will have to be in place to interact with employees and overseas HQ/branch offices. This is because under the PDPA:
a. the employee now has the right to ensure that their personal data is not only protected but also accessible and, in some circumstances, subject to scrutiny as to its accuracy and, where applicable, correction.
b. an organisation must not transfer any personal data outside of Singapore unless the overseas offices provide a standard of protection comparable to that under the PDPA.
For a start, prepare the necessary forms for use by employees so that you can obtain consent and provide access to, and correction of, personal data. Revisions to employment contracts or HR staff manuals should also be considered to ensure your employees are aware of their rights and your in-house procedure. Alert your overseas offices to the PDPA and afford them an opportunity to understand and disseminate its contents to overseas employees and officers.
Step 5: Review the methods and terms of your interface/interaction with customers and other third parties
Picture the following typical scenarios:
a. In the course of its business, Company X collects and makes use of personal data from customers and clients. These include photos and CCTV footage. It will need to make sure these activities are carried out in compliance with the consent, purpose limitation and notification obligations (see sections 13, 18 and 20(1)(a) PDPA).
b. Company X engages service providers which, in the course of providing their services, may have access to personal data of Company X’s employees, customers and clients, e.g. HR or payroll consultants, accounting/finance professionals, website hosting companies, lawyers, marketing or advertising professionals, IT consultants which manage or maintain Company X’s systems, etc. Some of these service providers may be based overseas or allow their overseas offices access to Company X’s personal data.
c. Company X outsources personal data collection, management and storage to third party contractors who may have to deal with such data in Singapore or overseas, e.g. data storage companies, file storage companies, warehousing companies, etc.
In each of the above scenarios:
i. you must ensure that the collection, management and usage of personal data complies with the relevant obligations under the PDPA. Standard forms should be prepared for customers to sign and website terms will have to be reviewed.
ii. the obligation to comply with the requirements of the PDPA remains with Company X even though the personal data (and the responsibility to handle it) rest elsewhere contractually. Hence, if a third party breaches certain PDPA obligations or transfers personal data overseas without regard to the standards of protection under the PDPA, Company X will be liable for any resultant breaches of the PDPA, even if the breaches were not actually committed by Company X.
All organisations will therefore do well to review their terms of engagement with third parties to ensure that they ring-fence and minimise the risk of being liable for PDPA offences due to acts or omissions of these third party service providers. Standard terms should be prepared for use with new engagements. Build alerts into the system that are triggered whenever certain personal data are accessed.
Step 6: Put in place a system to periodically review and update the PDPA policy statements and structures
Business processes and personnel change. When you prepare or design your PDPA compliant systems, ensure that there are mechanisms to allow for periodic review and updates, perhaps annually.
The steps highlighted in Parts 1 and 2 of this note are only broad summaries of some of the key measures that any organisation wishing to comply with its PDPA obligations should consider. Within each broad heading are more specific obligations which are beyond the scope of this note. Each of the above steps will also have to be refined and tailored to suit the different business processes and structures applicable to each organisation.
Gluu is also launching a Singapore Personal Data Protection Act Quick-start programme. Should you have any queries or comments on the above note, kindly contact firstname.lastname@example.org or call us at 3151 7607.
Important Notice: The contents of this note are owned by its author and subject to copyright protection and, through international treaties, to protection in other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed or broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.
While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.