Document Translation Services for Data Protection
We’ve blogged about corporate translation services for data protection and arbitration in the EU. The Singapore Ministry of Information, Communications and the Arts (MICA) recently finalized the much-needed Personal Data Protection Act (PDPA). Prior to this, Singapore did not have any legislation to protect personal data. Upon careful review it becomes clear that the PDPA is fairly ambitious in proposing to extend its provisions to international organizations that are not physically located in Singapore but nonetheless are engaged in data collection, processing or disclosure of such data within Singapore.
The main features of the PDPA are:
- The establishment of a Data Protection Commission (DPC) to administer and enforce the PDPA
- The application of the PDPA to all private sector organizations in Singapore, as well as all organizations located outside of Singapore, that are engaged in data collection, processing or disclosure of such data within Singapore
- The requirement that each organization designate at least one individual (the Personal Data Officer) to be responsible for compliance with the PDPA
- The requirement for organizations to implement policies and practices to comply with the PDPA
- Introduction of general rules and exclusions relating to the collection, use and/or disclosure of personal data
- Allowing individuals to request access to their personal data held by an organization in order to find out how organizations have used or are using the personal data collected, to correct any inaccurate information collected and to seek redress for suspected breaches of the PDPA
- Introduction of a penalty and enforcement regime for breaches of the PDPA
- Introduction of the Do Not Call Registry (DNC Registry).
The law also outlines specific rules and exclusions relating to the collection, use and/or disclosure of personal data:
Requirement of Consent
The PDPA imposes a general requirement to obtain consent for the collection, use and/or disclosure of personal data. Although data that had been previously collected is exempt from this requirement, fresh consent is required for such data if there has been a change in the original purpose for which the data was collected.
The PDPA prohibits organizations from requiring an individual to consent to the collection, use and/or disclosure of personal data as a condition of supplying the product or service to the individual beyond what is reasonable to provide the product or service in question.
According to MICA, organizations are expected to clearly state the purpose(s) for which they propose to collect, use and/or disclose the personal data. The stated purpose(s) must be reasonable in scope and must not be overly broad. Consent may be deemed to have been given if the personal data was voluntarily provided and it is reasonable that the individual would have voluntarily provided the data. Critically, an individual's failure to object to the collection, use and/or disclosure of personal data within a reasonable timeframe does not amount to deemed consent.
Withdrawal of Consent
The PDPA provides that an individual may withdraw consent to the use and/or disclosure of personal data at any time. However, such withdrawal will only apply to the prospective use and/or disclosure of the data collected.
Access to Personal Data
The PDPA allows individuals the right to request access to their personal data held by organizations and to find out how the organizations have used or are using the personal data collected as well as to correct any inaccuracies in the data collected.
Where the personal data collected has been disclosed to a third party, the organization shall provide the individual with the list of third parties to which the personal data may have been disclosed. With regard to any inaccuracy in the data collected, an organization should take steps to correct such inaccuracy at the request of the individual concerned. The corrected data should then be sent to any other third-party organization to which the previous data had been disclosed.
Penalty and Enforcement
The DPC has the power to review complaints made against organizations and to give the appropriate directions accordingly. The DPC has the power to direct a non-complying organization to pay a penalty of up to S$1 million.
Any individual who suffers loss or damage directly as a result of an organization contravening the provisions of the PDPA shall have a right to take civil action against the organization but only after the DPC’s decision on the said contravention has become final.