Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

New regulator will take 'pragmatic' approach to data protection compliance in Singapore

A new Personal Data Protection Commission (PDPC) has been launched in Singapore in advance of new data protection rules taking effect in the country from next year.15 May 2013

Leong Keng Thai, chairman of the PDPC, said that the Commission would take a "pragmatic approach" to regulating the Personal Data Protection Act (PDPA). The Act was introduced into law earlier this year, although Leong announced that final regulations and accompanying guidance for complying with the regime will not be published until the third quarter of 2013 in advance of the provisions taking effect from next year.

"As the Commission carries out its work, we are mindful that we need to make our data protection regime work in our local context and at the same time, be on par with international standards," Leong said in a speech (3-page / 186KB PDF) on Wednesday. "To help us achieve this, the Commission aims to adopt a balanced and pragmatic approach in administering the Act."

"The PDPA is a baseline and principles-based law that regulates the proper management of personal data by organisations in Singapore; gives individuals better understanding of how their personal data is used; and in the process strengthens the trust and confidence between organisations and their customers whenever personal data is transacted," he said.

"The Commission recognises that organisations need to collect and use data for legitimate purposes and to better serve their customers. We also understand the challenges some organisations may face in preparing to comply with the PDPA. I want to assure you that the Commission is committed to working with the industry to address the opportunities and challenges that arise with the implementation of personal data protection," Leong added.

Under the PDPA the collection, use or disclosure of personal data must in all cases be "for purposes that a reasonable person would consider appropriate in the circumstances" and providing the individual to whom the information relates is informed about those purposes prior to the collection, use or disclosure taking place.

Collecting personal data without consent is legitimate if it is in the national interests, if it is in order to recover debts, to be used by the media for its news operations or to allow employers to manage the "employment relationship" with staff, among other examples.

Personal data can be used or disclosed without the consent of individuals for "research purposes" under certain conditions, according to one of the number of exceptions to the consent requirement rule.

"Quite apart from powers to issue directions, to conduct investigations, and to impose financial penalties on organisations for non-compliance, the PDPC is also tasked with conducting public outreach and awareness and educational efforts," data protection law specialist Rosemary Lee of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said. "In no way is the new law structured to have a chilling effect on businesses."

The PDPC also launched a consultation on the operation of a new 'Do Not Call Registry' (37-page / 523KB PDF) which is to be established under the terms of the PDPA. The planned launch of the Registry is 2 January 2014, with the associated "personal data protection requirements" taking effect from 2 July 2014, Singapore's Minister for Information, Communications and the Arts, Dr Yaacob Ibrahim, said in a speech. The Registry would allow individuals to add their telephone number to the register in order to opt out of receiving "specified messages" from marketers. Organisations would generally be barred from sending specified messages to individuals listed on the register. Those that fail to comply with the protocol around specified messages face being fined up to SIN$10,000 (£5,000).

Bryan Tan of Pinsent Masons MPillay said that businesses in Singapore would welcome the certainty of knowing when the new Registry is going to launch as some firms have shown "a growing sense of urgency" on the issue of compliance, according to a report by ZDNet.