
New data protection guidelines issued for businesses operating in Singapore

Out-Law News | 24 Sep 2013 | 2:36 pm | 5 min. read

Businesses in Singapore can process personal data of individuals where those individuals fail to opt out from that activity, according to new guidelines.

Singapore's Personal Data Protection Commission (PDPC), which only began operating earlier this year, has said that a failure to opt out can signal individuals' consent to processing in certain circumstances.

"The PDPC recognises that failure to opt out can be a valid manner of consent in some situations," the PDPC said in a new guidance note (18-page / 133KB PDF). "Failure to opt out could constitute valid consent in limited circumstances where: i) the organisation has met the Notification Obligation and clearly notified the individual the purpose(s) for which his personal data is being collected, used or disclosed, and ii) it is clear that the individual’s failure to opt out is not due to an inability to give consent, lack of awareness that he is required to give consent, or similar circumstances." 

The guidelines have been set out to complement the Personal Data Protection Act (PDPA) which was introduced into law in Singapore in January. The Act does not fully come into effect until 2 July 2014. 

"With the issuance of these Advisory Guidelines, the whistle has blown for organisations to kick-off their compliance programs if they have not done so," technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said. "There is absolutely no more reason to wait any longer." 

Under the PDPA, organisations are generally required to obtain individuals' consent in order to collect, use or disclose their personal data, the government previously said. However, there are exceptions to the rule that allow organisations to legitimately carry out any of those activities without consent. 

The PDPC, which was set up to promote awareness of data protection and to administer and enforce the PDPA, said that businesses will have freedom to choose how they obtain individuals' consent to collect, use or disclose personal data. 

However, it said that "good practice" for organisations would be for them to "obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes". 

Businesses operating in Singapore will also be required to appoint at least one data protection officer to oversee their compliance with the PDPA. 

Data protection law expert Rosemary Lee of Pinsent Masons MPillay said that the obligation should lead businesses to start assessing their whole organisational structure so as to "determine the best way to allocate roles and responsibilities for implementing and ensuring compliance".

"The new PDPA requirements will have an impact on the way business functions, such as HR, IT, Marketing, conduct their day-to-day operations," Lee said. "In order to devise and implement an effective PDPA-compliant regime, companies need to get relevant stakeholders on board and also figure out who is taking ownership and what is the kind of support and contribution required from business functions to reach the finish line well before 2 July 2014." 

"Moving forward, it is also important for companies to create a sound governance structure to manage its compliance with PDPA requirements – for example, organisation practices and policies tend to change over time so on-going monitoring would be essential in ensuring and maintaining PDPA compliance," she said.

The PDPC's guidance explained to businesses that they may need internet users' specific consent in order to serve them with 'cookies' – small text files that can record internet users' online activity. 

"For Internet activities that the user has clearly requested, there may not be a need to seek consent for the use of cookies to collect, use, and disclose personal data where the individual is aware of the purposes for such collection, use or disclosure and voluntarily provided his personal data for such purposes," the PDPC said. "Such activities include (but are not limited to) transmitting personal data for effecting online communications and storing information that the user enters in a web form to facilitate an online purchase." 

"For activities that cannot take place without cookies that collect, use or disclose personal data, consent may be deemed if the individual voluntarily provides the personal data for that purpose of the activity, and it is reasonable that he would do so," it said. 

The PDPC said that the way an individual "configures his interaction with the Internet" can signify whether they consent to the collection, use and disclosure of their personal data. "However, the mere failure of an individual to actively manage his browser settings does not imply that the individual has consented to the collection, use and disclosure of his personal data by all websites for their stated purpose", it added. 

Businesses conducting online behavioural advertising require individuals' consent before collecting and using their personal data, it said. 

The PDPC also urged all organisations to anonymise personal data of individuals (40-page / 168KB PDF), whether when collecting or when disclosing the information, where it is not necessary for those individuals to be identifiable. It warned organisations to "consider the risk of re-identification if it intends to publish or disclose" apparently anonymised personal data to a third party.

"While data can be anonymised, it is not guaranteed that data will stay anonymised," it said. "Re-identification of individuals by combining anonymised datasets with other information presents a significant challenge to the protection of personal data." 

Businesses should consider the "capabilities and resources" of organisations that they are disclosing anonymised data to, as well as their "motivation to re-identify data" in order to ascertain whether that information should be considered to be personal data, it said. 

The PDPC said it had adapted guidance issued by the UK's Information Commissioner's Office on anonymisation, and called on businesses to test anonymised datasets for the possibility of re-identification before disclosing the information. 

"Re-identification risks may be lowered in the following ways: Employing robust anonymisation techniques; Limiting the number of people the information is disclosed to; Imposing additional enforceable restrictions on the use and subsequent disclosure of the data; Implementing processes, including access restrictions, to govern proper use of the anonymised data in line with the restrictions; and Implementing processes and measures for the destruction of data as soon as they no longer serve any business or legal purpose," it said. 

The PDPC also explained how organisations can go about meeting their security obligations under the PDPA (105-page / 330KB PDF). Under the Act, organisations are required to put in place reasonable security arrangements to protect personal data they possess or control from unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks.

"In practice, an organisation should: design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach; identify reliable and well-trained personnel responsible for ensuring information security; implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and be prepared and able to respond to information security breaches promptly and effectively," the Commission advised. 

Businesses should conduct a risk assessment of their security provisions to ensure they are adequate, it said. 

Further advisory guidelines relating to businesses' access and correction obligations, international data transfers and when individuals act for others under the PDPA are to be released at a future date.