Only half of businesses feel ready for new Singapore data protection regime

Out-Law News | 26 Jun 2014 | 10:03 am | 2 min. read

Only half of the businesses operating in Singapore feel suitably prepared to comply with a new data protection regime set to come fully into force next week, according to a new survey.

The Personal Data Protection Commission (PDPC), which commissioned the survey and which will monitor and enforce compliance with the new Personal Data Protection Act (PDPA), said just one in two businesses in Singapore think they have adequate measures in place to address the imminent changes in the law.

The survey was conducted between February and April this year. At that stage 70% of respondents said they were aware of their obligations under the PDPA and 70% also agreed that compliance with the new rules would "result in building consumer confidence", the PDPC said.

Just over two thirds of the organisations surveyed (68%) said the PDPA would also facilitate "safe and protected cross-border transfer of information", whilst 58% of respondents said compliance with the rules would improve corporate governance, the regulator said.

Data protection law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the main finding from the survey was not surprising.

"The businesses that are really concerned have been preparing for this for some time," Tan said. "A number of other organisations, for various reasons, have chosen to adopt a wait and see attitude. Unfortunately, although the PDPA is intended to allow personal data to be legitimately used, the legislation does require some modification of business processes and attitudes because of past business practices which had scant regard for personal data protection. There is also no magic bullet for those seeking quick-fire solutions."

The PDPA is Singapore's first overarching piece of legislation on data protection. Some provisions took effect earlier this year and generally prohibit businesses from sending marketing messages to individuals whose telephone numbers are included on a new Do Not Call Registry.

However, the remainder of the rules have effect from 2 July and include, among other things, new obligations for businesses in relation to how they collect, use or disclose individuals' personal data. Under the new rules, organisations will generally be required to obtain individuals' consent before collecting, using or disclosing their data, although a number of exceptions to this rule apply.

Collecting personal data without consent is legitimate if it is in the national interest, if it is done to recover debts, if the data is to be used by the media for its news operations, or if it allows employers to manage the "employment relationship" with staff, among other examples.

Under one of the exceptions to the consent requirement, personal data can be used or disclosed without the consent of individuals for "research purposes" under certain conditions.

The collection, use or disclosure of personal data must in all cases be "for purposes that a reasonable person would consider appropriate in the circumstances", and the individual to whom the information relates must be informed about those purposes before the collection, use or disclosure takes place.

Government departments in Singapore are exempt from the new rules.