Applying the Personal Data Protection Act (Singapore)


Presented at a workshop for the Internet Society Singapore Chapter in May 2013. Visit techmusicartandlaw.blogspot.com to contact the author, or www.isoc.sg to find out more about the Internet Society in Singapore.

Applying the Personal Data Protection Act
(Prepared for the Internet Society, Singapore Chapter)

Benjamin Ang
Lecturer, Law & Management, Temasek Polytechnic
Consultant, Keystone Law Corporation

techmusicartandlaw.blogspot.com www.isoc.sg

Are these practices safe under the Act?

o NUTZ Supermarket runs a lucky draw contest and collects phone numbers and email addresses from 100,000 customers.

1. NUTZ hires a telemarketing company to call all the customers to offer them discount card membership

2. NUTZ shares the phone numbers with Krusty Cheese, a large supplier of NUTZ, so that Krusty can run a sales promotion

3. Jacky, the former IT manager of NUTZ, leaves to start his own business, and sends SMS to all customers telling them of his new venture

4. In order to investigate criminal breach of trust (CBT) by Jacky, NUTZ hands over the customer data to the police

5. Customers call NUTZ to complain, and are left on hold because no department is prepared to handle them

QUICK REVISION

Personal Data Protection Act

o Controls the collection, storage, use and disclosure of personal data, meaning

• data about an individual who can be identified from that data, or

• data about an individual who can be identified from that data + other information to which the organisation has or is likely to have access

o Does not apply to actions by individuals for personal use (s4)

o Does not apply to Business Contact Information

Business Contact Information

o Information not provided by the individual solely for his personal purposes e.g.

• name,

• position name or title,

• business telephone number,

• business address,

• business electronic mail address etc

Consent Required

o Section 13: Organizations need consent to

• Collect personal data

• Use personal data

• Disclose personal data

o Section 14: Organizations cannot collect consent through deceptive or misleading practices

o Section 16: Individuals can withdraw consent that they have given to organizations

Where Consent is Not Required

o Section 21: Organizations are allowed to release personal data to law enforcement agencies

o No changes to other existing laws (e.g. search and seizure under the Criminal Procedure Code)

The Do Not Call Registry (Part IX)

o If a person signs up with the Do Not Call Registry, organizations cannot call or message that person to try to

• sell products or services, or

• offer business or investment opportunities,

unless the person has given consent

o Also covers SMS messages (Sections 36 and 37).

DNC Registry – persons responsible

o “Sender” means a person who:

• sends the message / makes a call,

• causes the message to be sent / call to be made, or

• authorises the sending of the message / making of the call

DNC Registry - duties

o Duty to check the Register anytime within the period of 30 days before sending the message

o Calling line identity not to be concealed

o Clear and accurate information identifying the person who authorises the sending

o Contact information of individual/organisation

o Information provided to be reasonably likely to be valid for at least 30 days after the message is sent

What organisations must do

o Develop policies and practices to ensure compliance

o Designate key personnel to ensure compliance, but the organisation remains ultimately responsible

o Staff education

o Develop a complaints response process – e.g. a process to take in requests for correction of DP and withdrawal of consent

o Transparency to the public regarding information on designated personnel and the complaints response process

o Seek legal advice

What individuals can do

o Make a complaint to the Personal Data Protection Commission, who can

• direct them to resolve it through mediation (Section 27),

• or make an order against the organization to stop what it’s doing, destroy the data, and pay a penalty of up to $1 million

o If the individual wants compensation,

• start civil proceedings in court (Section 32)

• seek compensation or an injunction

Are these practices safe under the Act?

o NUTZ Supermarket runs a lucky draw contest and collects phone numbers and email addresses from 100,000 customers.

1. NUTZ hires a telemarketing company to call all the customers to offer them discount card membership

2. NUTZ shares the phone numbers with Krusty Cheese, a large supplier of NUTZ, so that Krusty can run a sales promotion

3. Jacky, the former IT manager of NUTZ, leaves to start his own business, and sends SMS to all customers telling them of his new venture

4. In order to investigate criminal breach of trust (CBT) by Jacky, NUTZ hands over the customer data to the police

5. Customers call NUTZ to complain, and are left on hold because no department is prepared to handle them