What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Personal Data Protection Act 2012 (PDPA) sets the baseline requirements for data privacy in Singapore. The PDPA governs the collection, use and disclosure of individuals’ personal data by private sector organisations, whether in paper or electronic form.
In addition to the PDPA, Singapore has additional subsidiary Regulations along with advisory Guidelines relating to different aspects of the Act. There are also sector-specific frameworks, such as the Private Hospitals and Medical Clinics Act (Cap. 248), which contains confidentiality and retention provisions for medical records.
Personal data under the PDPA is defined as data about an individual who can be identified from that information, or from that data in conjunction with other information that the organization has or can access (regardless of whether the data is accurate).
The PDPA is based on the concepts of consent, purpose and reasonableness. Subject to certain exceptions, businesses may only process an individual’s personal data with that person’s knowledge and consent. The data may only be collected, used or disclosed with advance notice, and for a purpose that a reasonable person would consider appropriate in the circumstances.
One key exception to the requirement of consent relates to personal data that’s collected, used and/or disclosed in the context of employment. Consent is not necessary when “the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual” (PDPA, Second Schedule, O). Even when consent is not required, employees must still be notified of the purpose of the collection, use, and/or disclosure.
Unlike other jurisdictions such as the UK or Canada, in the PDPA, there is no formal distinction between the sensitivity of different kinds of data. That said, the Personal Data Protection Commission has taken the position that a higher standard of data protection is required for more sensitive personal data in a number of enforcement decisions.
Examples of data that is considered to be more sensitive in nature include: national identification numbers; personal financial details (such as bank account details and transaction summaries); insurance data; drug use or infidelity history; sensitive medical conditions; and the personal information of minors.
Employers should take note that in terms of the obligation to protect personal data, the more sensitive the data, the greater the need to ensure that employee data is secured. For example, it would be reasonable to expect a greater level of security for highly confidential employee appraisals as compared to more general information about the projects an employee has worked on.
In terms of international standards, Singapore has joined the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. Certification under these systems provides a recognised basis for transferring personal data between Singapore and other participating APEC economies (including Australia, Chinese Taipei, Japan, the Republic of Korea, the USA, Canada and Mexico).
The current authority responsible for the enforcement of data privacy law and regulations in Singapore is the Personal Data Protection Commission (PDPC).
Sector-specific privacy regulations are separately enforced by the applicable sectoral regulators.