Singapore data protection compliance 13 September 2012



www.olswang.com

Singapore Personal Data Protection Bill

• Where are we?

• Revised bill published 10 Sept

• First reading in Parliament 11 Sept

• Expected to become law before end 2012

• s68 transitional provisions – up to 2 years for sunrise (18 months proposed)

• Why?

• Not driven by human rights (cf EU DP Law - Art 8 ECHR)

• Primary reason international competitiveness

• Need for ‘equivalency’ for art 27 transfers

• Plus some populist consumer protection measures: DNC


The basics (s3)

• “collection, use and disclosure”

• key actions regulated by Act

• extra-territorial ‘link’ in prior draft now removed

• “organisation responsible for personal data under its possession or control” s11(2)

• “by organisation”

• entities formed or recognised by Singapore law; or

• Resident, having office or place of business in Singapore

• “of personal data”

• data about an individual who can be identified

• from that data

• from that data and other data available to organisation

• NB: business contact exclusion


Express obligations (s12)

Organisations shall:

(a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;

(b) develop a process to receive and respond to complaints that may arise with respect to the application of this Act;

(c) communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and

(d) make information available on request about

(i) the policies and practices referred to in paragraph (a);

(ii) the complaint process referred to in paragraph (b).

• Designate individuals to be responsible for compliance - s 11(3)


“Collection, use and disclosure”

• Collection

• Consent: express and ‘deemed’ (Part IV, Div 1)

• Use

• Purpose: reasonable and communicated (Part IV, Div 2)

• Individual access and correction (Part IV, Div 3)

• Ensure accuracy (s23)

• Protection: “reasonable security arrangements” (s24)

• Not retained longer than necessary (s25)

• Disclosure

• Not transferred outside Singapore unless ‘comparable protection’ (s26)

• More detail to follow. We expect outcome to be same as EU list. Otherwise Singapore won’t qualify for transfers from EU!


Other provisions

• Officers of body corporate may be personally liable (s52)

• Vicarious liability of employers (s53)

• Fines $10,000, plus $1,000 per day. Imprisonment up to 3 years (s56)

• Data protection commission and admin body set up (Part II)

• Enforcement (Part VII)

• ADR may be used for individual complaints

• Commission directions, may be enforced in court

• Right of private action

• Appeal process (Part VIII)

• Do not call registry (Part IX)

• Specific rules for telemarketing

• Calls and texts

• Power of Commission to investigate (s50 and Schedule 9)


Ensuring compliance


Keep it simple

Audit and analysis

Recommendations

Documents

Process changes

Training


Don’t panic!

For more information please contact:

Rob Bratby +65 9832 [email protected]