Singapore's Data Protection Authority Clarifies Data Protection Approach

Author: Ms Cynthia O'Donoghue
Profession: Reed Smith

In 2012, Singapore enacted the new Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). Before the main provisions come into force, which is planned for July 2014, Singapore's Personal Data Protection Commission (PDPC) issued public consultations, or requests for comment, on a proposed regulation and two guidelines. While the PDPC is still reviewing the comments received, the proposals are a strong indication of how Singapore's data protection law is likely to apply.

The proposed regulations include binding directives on how to comply with the PDPA:

- The regulations specify that individuals' requests for access to their data should be in writing and sufficiently detailed.
- Controllers must respond to those access requests within 30 days, but are entitled to charge a minimal fee and to require a deposit.
- Any mechanism used for transferring data outside Singapore will be flexible, but must contain sufficient protection and be legally binding, either through use of contractual clauses or binding corporate rules, similar to that of the EU transfer mechanism.
- The regulations also discuss allowing a person acting on behalf of the data subject - for example, in cases of minors and deceased individuals - to provide consent. By contrast, the EU Directive applies only to living individuals.

The PDPC advisory guidelines on key PDPA concepts discuss the main obligations under the Act, and recommend that:

- Prior to obtaining consent, notice should be provided regarding which data is compulsory and which is optional.
- Failure to opt out would not be deemed consent, but consent will be implied where the individual voluntarily provides data for a known purpose.
- No consent is required when data is publicly available.
- Data can be processed only for specified appropriate purposes disclosed in writing prior to collection.
- Reasonable efforts are made to ensure accuracy of data when disclosed to other organisations.
- Data is retained based on legal or industry standards.
- A person(s) responsible for ensuring compliance should be designated to satisfy the openness...
