The 9 Data Protection Obligations
The Personal Data Protection Act (PDPA) was enacted in October 2012 to govern the collection, use and disclosure of personal data. Following the amendments made to the Personal Data Protection (Amendment) Act 2020, the PDPA has established nine data protection obligations that an organisation ought to act in compliance with. In an effort to assist these organisations in evaluating whether its data protection policies satisfy the obligations stated in the PDPA, the Personal Data Protection Commission (PDPC) has produced a PDPA Assessment Tool for Organisations (PATO).
The PATO serves as a questionnaire which consists of several prompts and information pertinent to the 9 principal categories which reflect the salient obligations that an organisation will have to act in accordance with.
This article will deal with the last 4 Personal Data Protection Obligations and “Do Not Call”
I. Protection
1. Your organisation has in place appropriate technical security measures to protect personal data within your organisation’s possession or control
- Organisations must make reasonable security arrangements for the protection of personal data in their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
2. Your organisation has in place appropriate physical security measures to protect personal data in your organisation’s possession or control
- Organisations are required to take reasonable security measures to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use disclosure, copying, modification, disposal or risks of a similar nature.
3. Your organisation has in place appropriate administrative measures to protect personal data in your organisation’s possession or control
- Organisations must take reasonable security measures to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use disclosure, copying, modification, disposal or risks of a similar nature.
4. Your organisation conducts risk assessments to determine appropriate security measures in efforts to protect personal data in your organisation’s possession or control
- Organisations must make reasonable security arrangements to protect personal data within their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature.
5. Your organisation has measures in place to prevent the accidental disclosure of personal data
- Organisations must make reasonable security arrangements to protect personal data within their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or risks of a similar nature
6. Your organisation ensures that appointed information and communications technology (“ICT”) service providers are able to provide adequate levels of protection and security to protect personal data in your organisation’s possession or control.
- Organisations often outsource ICT security requirements to be met by third party service providers.
- It should be noted that both an organisation and its service providers are responsible for the protection of personal data dealt by the organisation’s ICT systems.
7. Your organisation ensures that the ready-made software used is capable of meeting and providing adequate levels of security to protect personal data in your organisation’s possession or control
- Organisations often procure “commercial off-the-shelf” software to be adopted by the organisation. Organisations should ensure sufficient protection for the parts for which they possess control.
8. Your organisation ensures that third party service providers that process personal data on behalf of your organisation, protects personal data in accordance with the PDPA.
- Organisations retain the same obligations under the PDPA for the personal data processed by a third party, including arranging reasonable security measures to protect personal data.
- Therefore, organisations should ensure that their service agreements impose sufficient obligations to ensure the organisation’s own compliance with the PDPA when engaging data intermediaries.
II. Retention Limitation
1. Your organisation stops retaining personal data when there is legal or business reasons to do so.
- Organisations must stop retaining documents containing personal data, or remove the means by which the personal data may be associated with particular individuals, as soon as it is reasonable to assume that the purposes for which the personal data was collected is no longer of being served by the retention of the personal data and the retention is no longer needed for legal or business purposes.
2. Your organisation has defined the retention period and disposal requirements for third party service providers that process personal data on behalf of your organisation
- Organisations are considered to have stop retention of documents containing personal data when it, its agents and third parties that process personal data on its behalf no long possess access to those documents and the personal data which they contain.
III. Transfer Limitation
1. Your organisation ensures that personal data is only transferred to organisations in overseas jurisdictions that have a comparable standard of data protection as the PDPA and PDP regulations.
- Organisations can transfer personal data overseas if it has taken appropriate measures in order to ensure that it will act in compliance with Data protection Provisions in respect of the transferred personal data while under its possession or control, and if the overseas recipient is bound by legally enforceable obligations to provide a comparable standard of data protection to that under the PDPA.
IV. Openness
1. Your organisation has appointed a data protection officer (DPO) or office
- It is a requirement for organisations to appoint at least one individual, known as the Data Protection Officer (DPO), to be responsible for ensuring that the organisation acts in compliance with the PDPA.
2. Your organisation’s DPO business contact information is available to the public
- It is a requirement for organisations to make available the business contact information (BCI) of at least one individual who can handle queries on the organisation’s collection, use or disclosure of personal data.
3. Your organisation has developed and adopted policies and practices to act in accordance with the PDPA
- It is a requirement for organisations to develop and adopt policies and practices needed to meet their obligations outlined in the PDPA.
4. Your organisation has policies and practices in place to respond to queries and complaints in regard to personal data protection
- It is a requirement for organisations to have a complaint-handling process in place.
5. Your organisation has policies and practices to respond to data breaches in relation to personal data protection
- Data breaches are expensive security failures. They may potentially lead to financial losses, and cause consumers to lose faith in an organisation.
- The PDPC therefore encourages organisations to proactively adopt a data breach management and response plan.
6. Your organisation has clear reporting channels on personal data protection issues under the organisation
- Organisations should establish a governance structure that outlines roles and responsibilities in regard to personal data protection.
7. Your organisation educates its staff on the organisation’s personal data protection policies and practices
- It is required of organisations to communicate to its staff information regarding the organisation’s data protection policies and practices.
Do Not Call
1. Your organisation adheres to Do Not Call (DNC) requirements when telemarketing messages are sent to Singapore telephone numbers
- It is advised for organisations that send telemarketing messages to a Singapore telephone number to:
- Give clear and accurate information on its identity and contact details within the message.
- Make sure that the information provided in the message is reasonably likely to be valid for at least 30 days upon sending the message.
- Ensure its calling line identity is not concealed or withheld (for voice calls) from the recipient.
2. Your organisation checks the DO Not Call (DNC) Registry before sending telemarketing messages
- DNC Registers are available for voice calls, text messages and fax messages.
3. Your organisation conducts documents checks made against the DNC Registry.
- Organisations are advised to maintain an internal DNC Record that includes the results of DNC Registry checks, DNC expiry dates, and details of individuals who have provided or withdrawn consent to receive telemarketing messages.
4. Your organisation has obtained and documented clear and unambiguous consent from individuals to send them telemarketing messages without checking the DNC Registry
- Confirm if your organisation has sought and documented clear and unambiguous consent from individuals to send them telemarketing messages without checking the DNC Registry.
5. Your organisation ensures that third party service providers engaged for telemarketing activities adhere to DNC requirements
- Organisations should exercise due diligence to ensure that third party service providers engaged in telemarketing activities adhere to the DNC requirements when doing so. This is inclusive of third parties that check the DNC registry on behalf of others, and purchasing databases that contain contact information from third parties for the purposes of conducting telemarketing activities.
Others
1. Your organisation has documented how personal data is collected, used or disclosed, in addition to how it is protected
- Knowing how personal data is collected and handled helps organisations identify potential gaps in existing data protection measures is good practice.
2. Your organisation regularly reviews its personal data protection policies and practices to ensure compliance with the PDPA
- Organisations are encouraged to regularly review personal data protection policies and practices to ensure they remain relevant.
3. Your organisation conducts regular audits on your organisation’s personal data protection policies and practices
- Organisations are encouraged to conduct audits to assess compliance to the PDPA as it highlights potential personal data protection problems, risks or gaps.
4. Your organisation ensures that third party service providers engaged to process personal data on your organisation’s behalf
- An organisation holds the same obligations under the PDPA as a third party processing on its behalf would.
If you require assistance regarding an identical issue or have any questions regarding your PDPA Policies or Assessment Tool for your organisation, please contact us.
Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.