Out-Law News | 02 Jul 2014 | 12:52 pm
The Personal Data Protection Act (PDPA) contains new rules on the collection, use or disclosure of individuals' personal data and imposes a number of additional requirements on businesses operating in the country, including a general obligation to provide individuals with access to their own data upon request.
The PDPA also contains a range of other rules. These require organisations to take steps to ensure the accuracy of the personal data they hold, protect it from unauthorised access and other security risks, and delete personal data once retaining it is no longer necessary. The Act further requires businesses to appoint a designated data protection officer, and it contains specific provisions governing how personal data can be lawfully transferred from Singapore to other countries, for example from one company in a group to a sister organisation based elsewhere.
Data protection law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the new regime "is a case of better late and never". He said most organisations have spent at least six months preparing to comply with the PDPA.
"The companies would have carried out data flow mapping, process re-engineering, examined consent language, prepared data transfer agreements and introduced document retention schedules," Tan said. "At this stage, organisations will be putting on the finishing touches and need to focus on finalising the essential public-facing documents."
"This will include displaying their policies on how they treat - collect, use and disclose - personal data; appoint a data protection officer and display his business contact information; have processes which allow data subjects to make access and correction requests and to withdraw consent; train staff to handle data and deal with public queries," he said.
A Personal Data Protection Commission has been set up to monitor and enforce compliance with the PDPA. A survey it conducted earlier this year suggested as many as half of Singaporean businesses were not prepared for the new regime.
"Organisations engaging in data activities in Singapore that do not comply with the PDPA may be issued a financial penalty not exceeding $1 million," the Commission said in a statement. "They must also take remedial actions to ensure compliance with the PDPA. In the event of any investigation when the law comes into force, the Commission will provide opportunities for organisations to provide their account of the matter, and seek to ensure that any action taken will be proportionate, taking all circumstances and factors into consideration."