
Blog - Silvester Legal Blog

  • meiping
  • Article
  • January 18, 2021

Guide to PDPA Assessment Tool for Organisations (PATO) Part II

The 9 Data Protection Obligations

The Personal Data Protection Act (PDPA) was enacted in October 2012 to govern the collection, use and disclosure of personal data. Following the amendments made to the Personal Data Protection (Amendment) Act 2020, the PDPA has established nine data protection obligations that an organisation ought to act in compliance with. In an effort to assist these organisations in evaluating whether their data protection policies satisfy the obligations stated in the PDPA, the Personal Data Protection Commission (PDPC) has produced a PDPA Assessment Tool for Organisations (PATO). The PATO serves as a questionnaire which consists of several prompts and information pertinent to the 9 principal categories which reflect the salient obligations that an organisation will have to act in accordance with.

This article will deal with the last 4 Personal Data Protection Obligations and “Do Not Call”.

 

I. Protection

  1. Your organisation has in place appropriate technical security measures to protect personal data within your organisation’s possession or control
  • Organisations must make reasonable security arrangements for the protection of personal data in their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

 

  1. Your organisation has in place appropriate physical security measures to protect personal data in your organisation’s possession or control
  • Organisations are required to take reasonable security measures to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature.

 

  1. Your organisation has in place appropriate administrative measures to protect personal data in your organisation’s possession or control
  • Organisations must take reasonable security measures to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature.

 

  1. Your organisation conducts risk assessments to determine appropriate security measures in efforts to protect personal data in your organisation’s possession or control
  • Organisations must make reasonable security arrangements to protect personal data within their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature.

 

  1. Your organisation has measures in place to prevent the accidental disclosure of personal data
  • Organisations must make reasonable security arrangements to protect personal data within their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature.

 

  1. Your organisation ensures that appointed information and communications technology (“ICT”) service providers are able to provide adequate levels of protection and security to protect personal data in your organisation’s possession or control.
  • Organisations often outsource ICT security requirements to be met by third party service providers.
  • It should be noted that both an organisation and its service providers are responsible for the protection of personal data handled by the organisation’s ICT systems.

 

  1. Your organisation ensures that the ready-made software used is capable of meeting and providing adequate levels of security to protect personal data in your organisation’s possession or control
  • Organisations often procure “commercial off-the-shelf” software for their own use. Organisations should ensure sufficient protection for the parts over which they have control.

 

  1. Your organisation ensures that third party service providers that process personal data on behalf of your organisation protect personal data in accordance with the PDPA.
  • Organisations retain the same obligations under the PDPA for the personal data processed by a third party, including arranging reasonable security measures to protect personal data.
  • Therefore, organisations should ensure that their service agreements impose sufficient obligations to ensure the organisation’s own compliance with the PDPA when engaging data intermediaries.

 

II. Retention Limitation

  1. Your organisation stops retaining personal data when there are no longer legal or business reasons to retain it.
  • Organisations must stop retaining documents containing personal data, or remove the means by which the personal data may be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by the retention of the personal data and the retention is no longer needed for legal or business purposes.

 

  1. Your organisation has defined the retention period and disposal requirements for third party service providers that process personal data on behalf of your organisation
  • Organisations are considered to have stopped retaining documents containing personal data when they, their agents and third parties that process personal data on their behalf no longer possess access to those documents and the personal data which they contain.

 

III. Transfer Limitation

  1. Your organisation ensures that personal data is only transferred to organisations in overseas jurisdictions that have a comparable standard of data protection as the PDPA and PDP regulations.
  • An organisation can transfer personal data overseas if it has taken appropriate measures to ensure that it will act in compliance with the Data Protection Provisions in respect of the transferred personal data while under its possession or control, and if the overseas recipient is bound by legally enforceable obligations to provide a comparable standard of data protection to that under the PDPA.

 

IV. Openness

  1. Your organisation has appointed a data protection officer (DPO) or office
  • It is a requirement for organisations to appoint at least one individual, known as the Data Protection Officer (DPO), to be responsible for ensuring that the organisation acts in compliance with the PDPA.

 

  1. Your organisation’s DPO business contact information is available to the public
  • It is a requirement for organisations to make available the business contact information (BCI) of at least one individual who can handle queries on the organisation’s collection, use or disclosure of personal data.

 

  1. Your organisation has developed and adopted policies and practices to act in accordance with the PDPA
  • It is a requirement for organisations to develop and adopt policies and practices needed to meet their obligations outlined in the PDPA.

 

  1. Your organisation has policies and practices in place to respond to queries and complaints in regard to personal data protection
  • It is a requirement for organisations to have a complaint-handling process in place.

 

  1. Your organisation has policies and practices to respond to data breaches in relation to personal data protection
  • Data breaches are expensive security failures. They may potentially lead to financial losses, and cause consumers to lose faith in an organisation.
  • The PDPC therefore encourages organisations to proactively adopt a data breach management and response plan.

 

  1. Your organisation has clear reporting channels on personal data protection issues under the organisation
  • Organisations should establish a governance structure that outlines roles and responsibilities in regard to personal data protection.

 

  1. Your organisation educates its staff on the organisation’s personal data protection policies and practices
  • Organisations are required to communicate to their staff information regarding the organisation’s data protection policies and practices.

 

Do Not Call

  1. Your organisation adheres to Do Not Call (DNC) requirements when telemarketing messages are sent to Singapore telephone numbers
  • It is advised for organisations that send telemarketing messages to a Singapore telephone number to:
    • Give clear and accurate information on its identity and contact details within the message.
    • Make sure that the information provided in the message is reasonably likely to be valid for at least 30 days upon sending the message.
    • Ensure its calling line identity is not concealed or withheld (for voice calls) from the recipient.

 

  1. Your organisation checks the Do Not Call (DNC) Registry before sending telemarketing messages
  • DNC Registers are available for voice calls, text messages and fax messages.

 

  1. Your organisation documents the checks made against the DNC Registry.
  • Organisations are advised to maintain an internal DNC Record that includes the results of DNC Registry checks, DNC expiry dates, and details of individuals who have provided or withdrawn consent to receive telemarketing messages.

 

  1. Your organisation has obtained and documented clear and unambiguous consent from individuals to send them telemarketing messages without checking the DNC Registry
  • Confirm if your organisation has sought and documented clear and unambiguous consent from individuals to send them telemarketing messages without checking the DNC Registry.

 

  1. Your organisation ensures that third party service providers engaged for telemarketing activities adhere to DNC requirements
  • Organisations should exercise due diligence to ensure that third party service providers engaged in telemarketing activities adhere to the DNC requirements when doing so. This is inclusive of third parties that check the DNC registry on behalf of others, and purchasing databases that contain contact information from third parties for the purposes of conducting telemarketing activities.

 

Others

  1. Your organisation has documented how personal data is collected, used or disclosed, in addition to how it is protected
  • Knowing how personal data is collected and handled helps organisations identify potential gaps in existing data protection measures and is good practice.

 

  1. Your organisation regularly reviews its personal data protection policies and practices to ensure compliance with the PDPA
  • Organisations are encouraged to regularly review personal data protection policies and practices to ensure they remain relevant.

 

  1. Your organisation conducts regular audits on your organisation’s personal data protection policies and practices
  • Organisations are encouraged to conduct audits to assess compliance with the PDPA, as audits highlight potential personal data protection problems, risks or gaps.

 

  1. Your organisation ensures that third party service providers engaged to process personal data on your organisation’s behalf
  • An organisation holds the same obligations under the PDPA as a third party processing on its behalf would.

 

If you require assistance regarding an identical issue or have any questions regarding your PDPA Policies or Assessment Tool for your organisation, please contact us.

Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.

 

  • meiping
  • Article
  • January 17, 2021

Guide to PDPA Assessment Tool for Organisations (PATO) Part I

The 9 Data Protection Obligations

The Personal Data Protection Act (PDPA) was enacted in October 2012 to govern the collection, use and disclosure of personal data. Following the amendments made to the Personal Data Protection (Amendment) Act 2020, the PDPA has established nine data protection obligations that an organisation ought to act in compliance with. In an effort to assist these organisations in evaluating whether their data protection policies satisfy the obligations stated in the PDPA, the Personal Data Protection Commission (PDPC) has produced a PDPA Assessment Tool for Organisations (PATO). The PATO serves as a questionnaire which consists of several prompts and information pertinent to the 9 principal categories which reflect the salient obligations that an organisation will have to act in accordance with.

This article will deal with the first 5 Personal Data Protection Obligations.

 

I. Consent

  1. Your organisation seeks consent from individuals for the collection, use or disclosure of their personal data.
  • Organisations are required to obtain the consent of the individual prior to the collection, use or disclosure of their personal data for a purpose.
  • Organisations must not:
    • as a condition for the provision of a product or service, require an individual to consent to the collection, use or disclosure of their personal data beyond what is reasonable; or
    • obtain or attempt to obtain consent before collecting, using or disclosing an individual’s personal data by providing false or misleading information or using deceptive or misleading practices.
  • Consent is only valid when the individual is notified of the purpose of the collection, use or disclosure of their personal data.

 

  1. Your organisation notifies and seeks fresh consent from individuals when personal data is used for a new or different purpose.
  • For an organisation to obtain consent from individuals to collect, use or disclose their personal data, it must inform individuals of the purpose(s) for which it collects, uses or discloses their personal data on or before collecting the data.
  • If an organisation intends to use or disclose the personal data collected for purposes of which it has not yet informed the individual, or for which it has not obtained the individual’s consent, it is required to notify the individual of these purposes and obtain fresh consent before using or disclosing the data.
  • If an organisation fails to inform the individual of the purposes for which it intends to use or disclose the personal data, it must notify the individual of these purposes and obtain fresh consent before using or disclosing the data.

 

  1. Your organisation responds to withdrawal of consent requests by individuals
  • Individuals are allowed to withdraw their consent given or deemed to have been given in accordance with the PDPA in respect of the collection, use or disclosure of their personal data at any time.
  • After being given reasonable notice, organisations are required to permit individuals to withdraw consent. Upon receiving a withdrawal of consent request, organisations must inform the individual of the likely consequences of withdrawing consent, and must cease collection, use or disclosure of the personal data belonging to that individual.

 

  1. Your organisation ensures that the person providing consent on behalf of an individual is validly acting on behalf of that individual
  • Consent may be given, or deemed to have been given, by any person validly acting on behalf of the individual for the collection, use or disclosure of the individual’s personal data.
  • Organisations should therefore implement appropriate measures to ensure that the person is legally authorised to act on behalf of the individual.

 

  1. Your organisation ensures that third party sources from which your organisation obtained personal data had obtained valid consent from individuals.
  • Organisations that obtain personal data from third party sources ought to exercise the appropriate due diligence to confirm and ensure that the third-party source can validly provide consent for the collection, use and disclosure of personal data on behalf of the individual, or that the source had obtained consent for disclosure of the personal data.

 

II. Purpose Limitation

  1. Your organisation only collects, uses or discloses personal data for reasonable purposes that individuals had been informed of and had consented to
  • An organisation can collect, use or disclose personal data regarding an individual only for purposes that a reasonable person would deem to be appropriate in the circumstances and that the individual has been informed of by the organisation, as expressed in the notification obligation.
  • Whether a purpose is reasonable is dependent on whether a reasonable person would consider it appropriate in the circumstance.

 

III. Notification

  1. Your organisation informs individuals of the purposes for the collection, use or disclosure of their personal data on or prior to the collection of data.
  • Organisations are obliged to inform individuals of the purposes for collecting, using or disclosing their personal data on or prior to the collection of data.
  • Organisations should know that failure to inform the individual of the purposes would not amount to consent under the PDPA.

 

IV. Access & Correction

  1. Your organisation responds to access requests made by individuals as soon as reasonably possible
  • Organisations must, upon request made by an individual, as soon as reasonably possible, provide the individual with their personal data in their possession or under their control, and information about the manner in which the personal data has been or will be used or disclosed during the past year.

 

  1. Your organisation informs the individual making the access request of any fees that are associated with processing the request
  • Organisations are permitted to charge a reasonable fee to recover the incremental costs that may be incurred for responding to an individual’s access request.
  • Organisations that charge a reasonable fee must provide the individual with a written estimate of the fee.

 

  1. Your organisation responds to requests by individuals to rectify their personal data as soon as practicable.
  • An individual may request an organisation to rectify an error or omission in the individual’s personal data that is in the possession or under the control of the organisation.

 

  1. Your organisation informs the individual of the time needed to respond to an access or correction request.
  • Under the PDPA, the onus remains on the organisation to provide access as soon as reasonably possible and to make the relevant corrections to the personal data as soon as practicable.
  • Organisations should respond to requests made by individuals for access or correction of personal data within 30 calendar days.

 

  1. Before responding to an access or correction request, your organisation exercises due diligence to confirm the identity of the individual making the request or confirm that the third party is legally authorised to act on behalf of the individual
  • Once an individual submits an access request, and before processing it, the organisation must verify the identity of the applicant. This could take the form of a staff member asking the applicant a set of questions so as to verify the applicant’s identity.
  • If a third party makes an access and/or correction request on behalf of the individual, the organisation should confirm that the third party is legally authorised to carry out the activity on the individual’s behalf.

 

V. Accuracy

  1. Your organisation verifies that personal data collected from individuals is accurate and complete.
  • Organisations must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data:
    • might be made use of by the organisation to make a decision that may affect the individual to whom the personal data pertains; or
    • might be disclosed by the organisation to another organisation.

 

  1. Your organisation ensures that personal data of individuals collected from a third-party source is accurate and complete
  • Organisations are obligated to make reasonable efforts to ensure that personal data collected on behalf of the organisation is accurate and complete.

 

If you require assistance regarding an identical issue or have any questions regarding preparation of a Notice of Revision, please contact us.

Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.

  • meiping
  • Article
  • January 16, 2021

Renegotiation of Contracts: Re-Align Framework

The Re-Align Framework announced by the Ministry of Law on 10 December 2020 will allow small and micro businesses significantly affected by the COVID-19 pandemic to renegotiate certain types of contracts with their counterparties (the “other party”). If parties are unable to successfully renegotiate, the framework provides for the termination of the contract.

 

When will you be entitled to relief?

If your business (including companies and Limited Liability Partnerships) has

  1. annual revenue not more than $30 million dollars at a global group level; and
  2. experienced at least a 70% fall in monthly average gross income between July to December 2020 compared to between July to December 201s

 

For Non-Profit Organisations, relief is available to you if your NPO falls under the following categories:

  • A registered or exempt charity;
  • A member of the National Council of Social Service;
  • A national sports association;
  • A national disability sports association;
  • A specified arts and culture society; or
  • A specified trade association

 

Conditions:

  1. The contract is governed by Singapore law;
  2. The contract is entered into before 25 March 2020;
  3. One party to the contract has a place of business in Singapore; and
  4. The contract is a specified contract which has substantial obligations that require renegotiation or restructuring

 

Your contract is a specified contract if it falls under the following categories:

  • A lease or licence for non-residential immovable property which has a term of not more than 5 years.
  • A hire-purchase and conditional sale agreement for commercial equipment or vehicles (excluding those entered into with banks and finance companies).
  • A rental agreement for commercial equipment or vehicles.
  • A contract for the supply of goods and services.

Contracts not falling within the above categories are excluded from the framework. These include consumer contracts, employment contracts, insurance contracts, etc.

 

Relief provided and how to apply for relief

If you think you are eligible, please serve the Notice of Negotiation (“NoN”) on the other party to the contract and all other required parties between 15 January and 26 February 2021. After that, there will be a 4-week Negotiation Period (“Negotiation Period”) starting from the date of the NoN, during which parties can renegotiate the terms of the contract or the terms of termination of the contract.

Following successful renegotiation, the terms of the contract may be amended, or the contract terminated on the agreed terms.

 

Unsuccessful Renegotiation of terms of contract

If the renegotiation of terms is unsuccessful, there are three courses of action which the other party can take during a 2-week Objection Period (“Objection Period”) following the end of the Negotiation Period.

 

a). The other party may object to your eligibility for relief

The other party may lodge and serve a Notice of Objection on 1 of the following grounds:

  1. The contract is not a specified contract or is a contract of national interest
  2. You do not satisfy the eligibility criteria for relief
  3. The NoN was not served in the proper manner
  4. If the other party is a landlord, he may wish to seek compensation from you

 

b). The other party may lodge and serve a Notice for Compensation on the relevant parties.

The other party does not object to your eligibility for relief

 

c). Where the other party accepts your eligibility for relief under the Framework, he does not need to serve and lodge a Notice of Objection. If nothing is served and lodged, the contract is deemed terminated 2 days after the end of the Objection Period or on a mutually agreed date.

If the contract is terminated under the framework, a set of default terms applies. This would generally include that you will not be liable for future obligations after the date of termination, subject to exceptions. However, accrued obligations are not discharged.

In the event the parties are unable to agree on the terms of termination under the contract, the procedure is stated in the next paragraph.

 

Unsuccessful negotiation of terms of termination of contract

If the parties are unable to agree on the consequences of termination, either party may serve and lodge a Notice of Adjustment within the specified time to seek an Assessor’s determination on the adjustment of rights and obligations under the contract on a just and fair basis.

After the Assessor has made a determination, it cannot be appealed against and it is binding on all parties to the contract and their assignees.

 

Contract Affecting Essential Services and National Interest

A contract Affecting Essential Services and National Interest cannot be terminated under the Framework. However, renegotiation of the price of the contract is still available by serving a Notice of Negotiation for Contract of National Interest. Where renegotiation fails, the party seeking renegotiation may lodge a Notice of Repricing with the Registrar to seek an adjustment of the price by an Assessor.

A contract is considered Affecting Essential Services and National Interest:

  • If the contract is terminated, it will likely affect essential services or the Government or public authority’s ability to carry out its functions; and
  • The contract is certified as a Contract of National Interest by the relevant Minister

The process for serving and lodging a Notice of Negotiation for Contract of National Interest can be found here: https://www.mlaw.gov.sg/realign/process-essential-services

 

Landlord Hardship Relief

In the event of an early lease termination by a tenant under the Framework, the landlord is eligible for hardship relief/compensation if:

  1. The landlord is an individual, a sole proprietor or a holding company of individual(s) and/or sole proprietor(s).
  2. The landlord depends on rent for a significant portion of his income, such that the average monthly rental income from the property is more than 50% of his monthly average income.
  3. The landlord’s annual individual income does not exceed S$107,500.

If you think you are eligible for the hardship relief and have been served with the Notice of Negotiation, you may serve and lodge a Notice for Compensation.

 

Repayment Scheme for hirers and renters of commercial equipment

The repayment scheme is available to hirers and renters of commercial equipment and vehicles to pay outstanding arrears and instalments under the Framework as an alternative to termination. The following are eligible contracts:

  • A hire-purchase or conditional sales agreement for commercial equipment or commercial vehicles which are not entered into with a bank or finance company
  • A rental agreement for commercial equipment or commercial vehicles.

 

Do note that if you believe you are eligible for the repayment scheme, you may serve the Notice of Revision on your financing or leasing company and required parties between 15 January and 26 February 2021.

 

If you require assistance regarding an identical issue or have any questions regarding preparation of a Notice of Revision, please contact us.

 

 

Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.

  • meiping
  • Article
  • January 15, 2021

Applying for an Urgent Injunction – Monies transferred to hacker’s bank account as a result of fraud

An injunction is a legal remedy that compels a party to perform or refrain from performing certain acts. An article on the types of injunctions may be found here: https://singaporelegaladvice.com/law-articles/types-of-injunctions-in-singapore/

In December 2020, Silvester Legal LLC represented a Middle Eastern company in an application for an injunction to freeze a Singapore-based bank account.

An agreement had been established between the client and a Singaporean company. The scope of service and the remuneration that was to be paid by the client to the local company were also agreed upon. The client then arranged for a considerable payment to be made to the local company via bank transfer. It was later discovered that the email account of the local company had been hacked by an unidentifiable hacker, who impersonated the authorised representative of the local company by using an email address with a similar domain and subsequently provided instructions for the incoming funds to be transferred to an alternative bank account instead. The client complied, and the funds were paid into the bank account belonging to the hacker in Singapore.

A case of this nature would typically require the company or organisation to lodge a police report and escalate the matter to the Commercial Affairs Department (CAD), which was done in this case.

Silvester Legal LLC drafted and sent out a letter to the legal department of the said bank and sought assistance in freezing the account that belonged to the unidentifiable hacker.

Since banks only provide general helpline information to forward queries and other forms of correspondence to, it is advised to make a personal visit to the bank to ensure that the matter is dealt with immediately.

Silvester Legal successfully applied for the injunction on an urgent basis, supported by the affidavit of the client’s director. The order was granted by a senior judge of the High Court and duly served on the bank and at the hacker’s address.

If you encounter an issue of a similar nature, Silvester Legal would remind you that time is of the essence and if you suspect that you may be a victim of online fraud or phishing scams, the following steps should be taken without any delay:

 

  1. Lodge a police report and escalate the matter to the CAD. A report in-person supported by the relevant documentation would be the best way to do this. Obtain the name and contact number of the CAD officer in charge of your case and follow up with them expeditiously.
  2. Report the matter to the bank the monies were transferred to. Again, a report in-person supported by the relevant documentation would be the best way to do this. Obtain the name and contact number of the bank officer in-charge of your case and follow up with them expeditiously.
  3. Instruct your solicitors to commence a claim seeking the recovery of the monies.
  4. File an injunction to ‘freeze’ the movement of funds in the bank account.

 

With the prevalence of cross-border commercial transactions, online fraud and phishing scams are on the rise. The progressive sophistication of crimes that hackers commit would make anyone vulnerable to becoming a victim. Silvester Legal suggests that you be extra cautious when dealing with bank transfer instructions provided via email and verify their contents by ensuring that the party providing the transfer details is aware of what has been sent. It is also essential that you confirm the legitimacy of the sender’s email address.

If you require assistance regarding an identical issue or have any questions regarding the remedy of injunction, please contact us.

 

Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.

  • hongquan
  • PDPA
  • December 7, 2020

201201 Updates to the Personal Data Protection Act

The Personal Data Protection (Amendment) Bill 2020 was passed on 2 November 2020. As compared to when the PDPA first came into force in 2014 giving organisations a generous grace period, the updates to the PDPA have no grace period and require organisations to immediately comply upon its enactment by gazette.

Silvester Legal will explore some of the salient features of the amendments in this issue that will be pertinent to you.

 

A mandatory obligation to notify individuals and the Personal Data Protection Commission in the event of a data breach.

Organisations must notify the PDPC of any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale. Affected individuals must be notified if the data breach is likely to result in significant harm to them.

Once an organisation has credible grounds to believe that a data breach has occurred, the organisation is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA, usually within 30 days.

 

Enhanced Framework for Collection, Use and Disclosure of Personal Data

Among other things, the Enhanced Framework introduces two new forms of deemed consent:

  • Deemed consent by contractual necessity. Consent is deemed for the disclosure of personal data from one organisation to another for the necessary conclusion or performance of a contract/transaction between the individual and the organisation he had originally provided the personal data to; and
  • Deemed consent by notification. Where a notification is in compliance with certain requirements, consent is deemed from an individual’s acquiescence after notification, provided that individual had reasonable opportunity to opt-out.

 

Exceptions to Obligation to obtain Consent

There are now new exceptions to the express consent requirement under legitimate interests and business improvements.

  • “Legitimate interests” generally refer to any lawful interests of an organisation or other person (including other organisations). An organisation need not obtain consent if they have “legitimate interests”. This requires them to articulate the situation or purpose that qualifies as a legitimate interest and conduct assessments to determine that the legitimate interests of the organisation or other person (including other organisations) outweigh any likely residual adverse effect to the individual. Legitimate interests cannot be used to justify sending direct marketing messages.
  • “Business Improvements”. Organisations need not obtain consent if they obtain personal data for “Business Improvements” which are any of the following purposes:
    1. Improving, enhancing or developing new goods or services;
    2. Improving, enhancing or developing new methods or processes for business operations in relation to the organisations’ goods and services;
    3. Learning or understanding behaviour and preferences of individuals (including groups of individuals segmented by profile); or
    4. Identifying goods or services that may be suitable for individuals (including groups of individuals segmented by profile) or personalising or customising any such goods or services for individuals.

However, the Business Improvement exception applies only if the purpose cannot reasonably be achieved without using the personal data in an individually identifiable form, and is reasonably appropriate in the circumstances.

 

New Offences

New offences will be introduced under the PDPA to hold individuals accountable for egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency). The offences are for:

  1. Knowing or reckless unauthorised disclosure of personal data;
  2. Knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person; and
  3. Knowing or reckless unauthorised re-identification of anonymised data.

 

Increased financial penalty

The new bill increases the possible financial penalty to up to 10% of the annual turnover of an organisation with an annual turnover exceeding USD10 million, or USD1 million, whichever is higher.

 

Final Comments

Businesses that make use of personal data may well benefit from the enhanced framework for collection, use and disclosure of personal data and the newly fashioned exceptions to obligations to obtain consent. At the same time, such enhancements should not be treated as carte blanche permissions to send direct marketing messages. Moreover, businesses ought to be more vigilant in their data protection obligations.

Businesses are encouraged to review their internal personal data obligations or their contracts with data intermediaries alongside existing legislation. Let our skilled team of experts provide you employment law services with timely, relevant advice. We offer a broad range of solutions that can be customised to the unique needs of an individual or business. Leave the legal worries to us so that you can focus on your business.

Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.

 

 

  • Walter Silvester
  • Article
  • November 24, 2020

Businesses would do well to budget for increased legal costs post Covid-19

Many SME businesses used to see legal fees paid to law firms for reviewing contracts as unnecessary business expenses. A dollar saved on such unnecessary costs is a dollar more for profits. Then, there is also the view that paying for lawyers to draft contracts may not add much value since many contracts are based on existing templates which are readily available on the internet.

Then came the onslaught of the Covid-19 outbreak. Businesses were forced to shut down operations and supply chains were disrupted in April 2020 and May 2020. Imagine a hypothetical scenario in which Company X finds that the costs of procuring goods from an overseas supplier for redelivery to a buyer in Singapore have effectively more than tripled. However, the obligation to deliver to the end buyer remains. The end buyer demands delivery, refuses to pay more for his consignment and has threatened to commence proceedings for non-delivery. Company X seeks legal advice and is informed that the company could seek to rely on the force majeure clause or the doctrine of frustration. However, it is difficult to make out a strong case of frustration and there is no force majeure or similar clause in the 2-page ‘contract’ which was drafted by using templates and not vetted by lawyers. If Company X is unable to deliver the goods, it is likely to be required to pay a significant sum as damages for breach of contract. Alternatively, Company X can procure substitute goods from a local supplier and may incur some losses, but at least the hefty costs of litigation may be avoided. Either way, it is really choosing between a rock and a hard place. If only there were an applicable force majeure clause in Company X’s contract.

Does Company X’s predicament sound too familiar? Is your company experiencing a similar situation? It is still not too late to take measures to prevent history from repeating itself. It is hoped that the lessons learnt from the Covid-19 disruption will create a rethink on the mentality that legal costs are unnecessary and merely eat away at profits. At Silvester Legal LLC, we work with you to identify loopholes and put in safeguard measures to ensure that you can rest easy in the event of another similar crisis or in the event of a resurgence of the Covid-19 pandemic.

 

Services that we offer

We will review your existing contracts and advise on the steps that you may take to mitigate your risks. For future contracts, we are also able to represent you during pre-contractual negotiations and ensure that amongst other clauses protecting your rights, purposefully-drafted force majeure clauses and similar contractual provisions are in place to carve out an ‘emergency exit plan’ during contingencies and unexpected disruptions in the supply chain.

If you are unable to perform your contractual obligations and intend to apply for relief under the Covid-19 (Temporary Measures) Act 2020, be prepared that the other party may also dispute your eligibility for relief. In the converse scenario, you may also wish to challenge a notification for relief that is served on you by another party. We are able to assess and advise on the merits of your position, and knowing how strong your case is would allow you to make an informed decision whether to make concessions or to apply for an Assessor’s Determination, which carries the risk of an unfavourable but binding determination being made against you.

Apart from ad hoc services, we offer monthly retainer services that reduce your legal costs in the long run. Put simply, a retainer is an arrangement wherein you pay a fixed fee every month for us to offer specific legal services. Procuring legal representation on a monthly retainer is generally much more cost-effective as we do not charge strictly by the hour but instead charge for a pre-agreed scope of work. Learn more about our monthly retainer fees and scope of the retainer here.

  • Dwi
  • Employment
  • October 8, 2020

Best Practices when Terminating an Employee’s Contract in Good Times and During Covid-19

Even during good economic times, there are best practices employers should adhere to when terminating an employee’s contract.

  • Dwi
  • Employment
  • October 8, 2020

Legal Obligations and Best Practices During a Retrenchment Exercise

Due to weak economic performance stemming from events such as the Covid-19 pandemic, employers may have to consider retrenching or making employees redundant. A retrenchment exercise is a difficult endeavour even in good times. To assist, we highlight the legal obligations employers have during such an exercise.

  • Dwi
  • Assistance Schemes
  • September 21, 2020

Government Funding and Assistance Schemes Available in Singapore: Support for Internationalisation, Part II

This week, we continue to look at governmental resources offered to companies internationalising and entering foreign markets, through the Global Innovation Alliance.

  • Dwi
  • Assistance Schemes
  • September 21, 2020

Government Funding and Assistance Schemes Available in Singapore: Support for Internationalisation, Part I

In this series, we look at resources offered by the Singapore Government to assist companies aiming to internationalise and enter foreign markets. There are a number of resources offered:

  1. Enterprise Overseas Centres;
  2. Market Readiness Assistance (MRA) Grant
  3. Plug & Play Network (PPN)
  4. Global Innovation Alliance

