This is the last articles in this series which looked at the main data protection obligations set out by the Personal Data Protection Act (“PDPA”). 1 These obligations were termed the Main Data Protection Obligations by the Personal Data Protection Commission and the purpose of it is to allow for individuals or organisations to better understand the obligations and guidelines that they have to adhere to in order to comply with the requirements set out by the PDPA. In this article, we will discuss the last two main data protection obligations; the Transfer Limitation Obligation and the Openness Obligation.
Transfer Limitation Obligation (Section 26)
The eighth main data protection obligation would be the transfer limitation obligation. To satisfy this obligation, organisations have to take precautions to ensure that the requirements set out within the PDPA are met when personal data is being transferred to a country or territory outside of Singapore. This obligation ensures that the personal data of individuals is still protected to the degree accorded by the PDPA even when the data is to be transferred out of Singapore.
However, notwithstanding this obligation, it is still possible to apply to the PDPC for an exemption of the requirement set out in the previous paragraph. However, the Commission is able to exercise its own discretion to determine whether an application should be allowed or denied, and it is entirely dependent on the circumstances of each application. Even when an application is allowed, the exemption may still be subject to certain conditions that the Commission will specify in writing.
Openness Obligation (Sections 11 and 12)
Lastly, the ninth main data protection obligation would be the openness obligation. Organisations are required to provide information about the data protection policies as well as any other information about how to file a complaint upon request by an individual. Thus, it is advisable to ensure that the data protection policies that are in use are constantly kept up-to-date and accurate. This will help facilitate the process when requests are made to learn more about an organisation’s data protection policies.
Section 11(3) of the PDPA also states that there is a need for organisations to designate an individual within the organisation to be the “Data Protection Officer” whose job is to ensure that the organisations complies with the requirements set out by the PDPA. However, this delegation does not have to be restricted to only one individual but instead it can be delegated to multiple individuals in order to ensure that the task is done properly. The Advisory Guidelines also states that there is no need for the designated individual to be an employee of the organisation that he is acting for.
Essentially, the nine main data protection obligations highlighted in this series of articles exist to help guide individuals and organisations and help them comply with the requirements set by the PDPA. However, although the nine obligations can be considered comprehensive to a certain extent, there are still other general principles and restrictions set out by the PDPA that are not explicitly covered by these obligations. Thus, it is important to constantly stay updated with the changes made to the PDPA to reduce the likelihood of contravening the Act. It is also essential to monitor changes as the changes may have a significant impact on how you or your organisation operates. For example, recently there was a restriction set in place by the PDPA for the collection of NRIC/NRIC numbers. This is despite the longstanding practice of using NRIC/NRIC numbers as a form of verification and thus just because it has been practised for a long time, it does not mean that there will be no changes in the future. We have also written an article which covers the recent restrictions to the collection, use and disclosure of NRIC/NRIC numbers of individuals which can be found here.
Lastly, as data protection concerns are constantly evolving and there are always unique circumstances for every case, it is advisable to seek legal advice when there are pressing concerns regarding the PDPA and how it may be applicable to you or your organisation.
Please note that this article does not constitute express or implied legal advice, whether in whole or in part. For PDPA obligations, Silvester Legal LLC is regularly engaged assisted our clients to review their data collection policies and websites to ensure that they are in compliance with the PDPA. If you have any queries or require legal advice, please contact me at firstname.lastname@example.org.