Singapore Unit 2B Appln and Scope II Flashcards
What is the concept of reasonableness in Singapore?
Reasonableness — The “Reasonable Person” test
- The term reasonableness appears 47 times in the Act
- The checks and balances in connection with the requirements of the Act are decided based on a “reasonable person” test
- Importance of context of CUD
- Similar to PIPEDA in Canada (Personal Information Protection and Electronic Documents Act)
Section 3 — “The purpose of the Act is to govern the collection, use and disclosure (CUD) of personal data by organisations in a manner that recognises both:
- The right of individuals to protect their personal data and
- The need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances”
What is the scope and application of SG PDPA? Which entities have to comply with PDPA and which do not?
The PDPA applies to every single private organisation which includes:
- Private schools
- Voluntary welfare organisations
- B2B and B2C companies
- Freelance contractors such as property agents and financial advisors
The PDPA does not apply to public agencies, and individuals acting in personal or domestic capacity or as an employee.
What is the extraterritorial reach of SG PDPA?
The definition of “organisations” under the PDPA includes:
- Any individual, company, association or body of persons, corporate or unincorporated,
- Whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business, in Singapore
So, the PDPA has extraterritorial reach because, for example:
- A company incorporated in Singapore is an organisation even if it carries on business outside Singapore only
- A company incorporated outside Singapore is an organisation if it has a business presence in Singapore
This means that foreign companies which do not have a physical presence in Singapore can still be liable under the PDPA, but only for actions which take place in SG such as collection or disclosure of personal information.
Which obligations do Organisations have to comply with? Which obligations do Data Intermediaries have to comply with?
Organisations must comply with all obligations. Data intermediaries must comply with 3 obligations: Protection, retention limitation and data breach notification.
How does SG PDPA apply to deceased and records more than 100 yrs old?
Only the disclosure provisions and the obligation to protect personal data apply to the personal data of a deceased person who has been dead for 10 years or fewer. The rights of the deceased person may be exercised by their personal representative (for example, the executor of their will).
The PDPA does not apply to personal data in a record that is more than 100 years old.
What is the DNC? What is covered, what is not? What does an org need to do when doing telemarketing?
The Do-Not-Call (DNC) Registry enables individuals to opt out of receiving marketing messages addressed to Singapore telephone numbers — including, for example, via voice calls, SMS/WhatsApp and fax.
Persons — both corporates and individuals — are prohibited from making telemarketing calls or sending commercial messages (specified messages) to consumers if their Singapore telephone number is registered with the registry.
Organisations’ key obligations:
- Check against DNC registry within 21 days before doing marketing unless they have clear and unambiguous consent in evidential form
- Display their ID, contact info and (for phone calls) originating number
From 1 February 2021, persons are prohibited from using dictionary attacks or address harvesting software to derive Singapore telephone numbers.
Scope:
Covered - B2C marketing messages
- E.g. Offer to supply, advertise or promote (suppliers of) goods or services
- Advertise/promote land, interests in land, business/investment opportunities, etc.
Excluded - Eighth Schedule of the PDPA
- B2B Marketing
- Personal calls & SMSes
- Market research/surveys
- Messages by public agencies for non-commercial programmes
- Servicing messages
- Customer services (appointments)
Exemptions apply to voice calls, text and fax messages:
- Current on-going relationship with recipient (past relationships or one-off transactions not included)
- Message relates to subject of on-going relationship
- Unrelated messages not exempted
Who or What are exceptions to SG PDPA?
Exceptions to the PDPA:
1) Individual - Acting in personal, family or household affairs
2) Employee - Acting in the course of his / her employment with an organisation (including volunteers, interns, trainees)
3) Public agencies - Government, ministry, department, agency or organ of State, tribunal under written law or statutory body found in Personal Data Protection (Statutory Bodies) Notification 2013
4) Business contact information - individual’s name, position name or title, business telephone number, business address, business electronic mail address not provided by individual solely for his personal purposes
Common exemptions in 2nd Schedule (3PIE)
- Publicly available data
- Payment or debt collection
- Disclosure to public agency
- Public Interest
- Legitimate Interest
- Biz Improvement
- Emergency
- Evaluative purpose (Consent, Notification not required)
- Employment purpose (Consent not required, Notification required)