Guest Article: Singapore Passes Personal Data Protection Act

This article comes from our friends at Lee & Lee. Zech Chan of that firm has shared that Singapore now has a Personal Data Protection Act ("PDP Act"), passed this October, to be implemented in phases. The PDP Act regulates the collection, use, disclosure and retention of personal data, and imposes obligations on organizations subject to Singapore jurisdiction on how to manage personal data. The focus of the Act is to notify individuals of the collection, use or disclosure of personal data, and the purpose thereof. It also provides a framework for individuals to access or correct their data and to withdraw consent, as well as restricts the unnecessary retention of personal data. The Act is intended to set a minimum standard of personal data protection in Singapore and restricts transmission to other countries unless they meet the standards set by the Act. These data protection provisions will come into effect in 18 months, and will be enforced by the Singapore Data Protection Commission. The Act also introduces a "Do Not Call" Registry, which allows individuals to register themselves not to receive marketing or promotional calls and text messages. The onus is on businesses to ensure that phone numbers registered on the registry are not contacted. The registry provisions will come into effect after a 12 months transition period. The Act does provide for certain exceptions, including exempting data intermediaries from consent, access, correction and care requirements. This may be useful for Internet Service Providers, telecommunications companies, and in situations of outsourcing, as well as any other scenario where companies simply process data for another organization. The Act also does not require employers to seek consent for the collection of personal data for the purpose of hiring or terminating an employee's employment. Violations of the PDP Act may attract civil and criminal liability, including fines and imprisonment.

TIP: Companies that may be subject to Singapore law should begin now to ensure that they are familiar with – and have taken appropriate steps to be compliant with – the country's new laws on data protection before they go into effect in 2014. Companies that send marketing messages should also be prepared to begin checking against the Do Not Call Registry when it goes into effect next year.

These tips have been created for information and planning purposes. They are not intended to be, nor should they be substituted for, legal advice, which turns on specific facts.