On 2 July 2014 the Personal Data Protection Act came into effect in Singapore. What impact will this have on organizations?
The Personal Data Protection Act governs ‘the collection, use and disclosure’ of data stored in electronic and non-electronic forms that can be used to identify an individual. The Personal Data Protection Act is based on three main principles: (1) the organization has informed the individual about the purpose of the data collection, use or disclosure; (2) the purpose is considered to be reasonable, and (3) the individual has given their consent (unless the collection of data relates to national interests, debt recovery or use by the media).
Data protection in the European Union is based on the ethical principle of right of privacy. In contrast, in Singapore the data protection legislation only applies to businesses and focuses on addressing individual concerns about how businesses use personal data. The legislation applies to data exported from Singapore but not to data imported to Singapore. Personal data collected prior to the legislation coming into effect can be used, but only for the purpose for which the data were originally collected.
To comply with the Act organizations need to:
(1) Appoint a Data Protection Officer responsible for ensuring compliance and to respond to enquiries and complaints about data handling practices. The Data Protection Officer does not need to be employed by the organization but the officer’s contact details must be available to the public.
(2) Develop procedures to obtain the consent of an individual to collect, use or disclose personal data. Record that consent has been obtained in case proof of consent needs to be provided at a later date.
(3) Ensure that data requested from individuals are reasonable for the stated purpose. Singapore’s Data Protection Commission uses the example that when purchasing a product, it would be unreasonable to mandate that a customer discloses their annual income, but the data could be requested as an optional data entry field and collected with the customer’s consent.
(4) Develop procedures to respond to requests from an individual to access personal data collected unless the disclosure may cause harm, disclose data about another individual or be against national interest.
(5) Develop procedures to correct personal data when requested and to inform other organizations, with whom the data have been shared, within the previous 12 months of the correction.
(6) Although the act does not define data retention periods, organizations need to ensure data are securely destroyed when the data are no longer required.
(7) Develop documentation for employees, customers, suppliers and stakeholders to inform them about issues such as:
o What data will be collected?
o How will the data be used?
o Who will have access to the data?
o To whom the data may be disclosed?
o How long will the data be retained?
o How can access to the data be requested?
o How can a request to correct the data be made?
(8) Ensure staff, including subcontractors, are aware of the organization’s data policies, procedures and responsibilities.
The 2014 Personal Data Protection Act can be accessed here:
Personal Data Protection Act
Further Reading: ethical and legal issues are discussed in Chapter 5.
Please use the following to reference this blog post in your own work:
Cox, S. A., (2014), ‘Personal Data Protection Act’, 25 July 2014, http://www.managinginformation.org/personal-data-protection-act/, [Date accessed: dd:mm:yy]