Out-Law News 3 min. read
16 Oct 2012, 1:45 pm
The Personal Data Protection Bill (83-page / 222KB PDF) does not apply to Government agencies in Singapore.
In a speech, Singapore's Minister for Information, Communications and the Arts, Dr Yaacob Ibrahim, said that it was "inevitable" that there would be "some costs" to businesses in complying with the new legislation.
However, multinationals looking to set up business or process personal data on servers based in Singapore will be less affected by the costs of compliance than small and medium sized firms, said data protection law specialist Rosemary Lee from Pinsent Masons MPillay, the Singapore joint law venture. Pinsent Masons is the law firm behind Out-Law.com.
"Multinationals and large corporations operating on a global basis will likely be less affected by the impending data protection law since they tend to be already compliant with stringent European data protection standards or are subject to Binding Corporate Rules (BCRs), which permit intra-organisational transfers of personal data," Lee said.
"Small and medium enterprises however may face increased costs in ensuring their business practices and operations are compliant with the new data protection requirements, as well as uncertainty in determining the appropriate security arrangements to be implemented. The Personal Data Protection Commission will be issuing advisory and compliance guidelines which would assist organisations in working towards compliance during the sunrise period," she added.
The Personal Data Protection Commission is a body which is to be set up under the new Bill. The Commission would be responsible for promoting awareness of data protection in the country, and administering and enforcing the proposed law, among other things.
The Commission's powers would include being able to fine businesses up to SIN$100,000 for obstructing its performance of duties. Businesses that falsify personal data records, or information regarding the collection, use or disclosure of personal data, will face fines of up to SIN$50,000.
Under the new laws organisations will generally be required to obtain individuals' consent in order to collect, use or disclose their personal data. However, there are exceptions to the rule that allow organisations to legitimately carry out any of those activities without consent.
Collecting personal data without consent is legitimate if it is in the national interests, if it is in order to recover debts, to be used by the media for its news operations or to allow employers to manage the "employment relationship" with staff, among other examples.
Personal data can be used or disclosed without the consent of individuals for "research purposes" under certain conditions, according to one of the number of exceptions to the consent requirement rule.
The collection, use or disclosure of personal data must in all cases be "for purposes that a reasonable person would consider appropriate in the circumstances" and providing the individual to whom the information relates is informed about those purposes prior to the collection, use or disclosure taking place.
"Today, nothing prevents organisations from freely collecting, using, sharing or selling consumers’ personal data without consent," Dr Ibrahim said in his speech. "The Bill imposes the necessary requirements on how organisations may collect, use or disclose personal data, so as to protect individuals from misuse of their personal data."
Acceptable timescales for retaining personal data are not proscribed by the Bill, but Dr Ibrahim said that organisations must not retain the information "when such retention no longer serves the purposes for which the data was collected".
The new law also provides for the establishment of a new 'Do Not Call Register'. Individuals would be able to apply to have their telephone number added to the register in order to opt out of receiving "specified messages" from marketers. Organisations would generally be barred from sending specified messages to individuals listed on the register. Those that fail to comply with the protocol around specified messages face being fined up to SIN$10,000.
However, Dr Ibrahim pointed out that the Do Not Call Registry would not apply to organisations, "so as not to unduly hinder business-to-business marketing".
The Ministry of Information, Communications and the Arts (MICA) has proposed a 'sunrise' period of at least 18 months in order that that companies be given time to update the way they work in order to comply with the new law.
According to a Singapore Law Watch report, the Personal Data Protection Bill is "tentatively slated" to be formally enacted in January 2013.
