SME guide to the personal data protection act 2012

All enquiries may be addressed to:

Lim Chong Kin
Director
Head, Telecommunications, Media and Technology Practice Group
Head, Competition & Regulatory Practice Group
10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315
Tel: +65 6531 4110  Fax: +65 6535 4864
Email: chongkin.lim@drewnapier.com

Charmian Aw
Director, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315
Tel: +65 6531 2235  Fax: +65 6535 4864
Email: charmian.aw@drewnapier.com

COPYRIGHT 2015 Drew & Napier LLC. First Published 2015. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by any means, whether electronic or mechanical, including photocopying and recording, without the permission of the copyright holder.

IMPORTANT DISCLAIMER: We have sought to state the law as at 7 December 2015. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of, information or opinion contained in this document. This document covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.

Published by Drew & Napier LLC, 10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315. Printed in Singapore.

Introduction to the Personal Data Protection Act 2012

The Personal Data Protection Act 2012 (PDPA) lays out a framework for personal data protection in private organisations. With the vast amount of personal data that organisations collect daily, it is important that organisations comply with the PDPA. Organisations may choose to engage external legal advice to ensure compliance with PDPA obligations. [1]

The PDPA imposes nine obligations that organisations have to adhere to. They do not, however, apply to the following:

- An individual acting in a personal or domestic capacity;
- An employee acting in the course of his or her employment with an organisation; and
- A public agency, or an organisation acting on behalf of a public agency, in relation to the collection, use or disclosure of the personal data.

The Do Not Call (DNC) Provisions apply to both individuals and organisations, and contain obligations pertaining to the sending of specific messages to Singapore telephone numbers. The DNC Registry was established to manage unsolicited telemarketing phone calls.

The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC), which provides training materials and further guidelines on the PDPA. [2]

[1] Refer to the list of resources below for the link to the Legal Advice Scheme by the Law Society of Singapore.
[2] Further materials can be found in the list of resources below.

Personal Data Protection Obligations

1. Consent Obligation: prior consent must be obtained from the individual, who must be allowed to withdraw such consent.
2. Purpose Limitation Obligation: personal data can only be used for the purposes consented to by the individual.
3. Notification Obligation: notify individuals of the purposes for collecting personal data on or before collection.
4. Access and Correction Obligation: provisions should be made for individuals to access and correct their personal data.
5. Accuracy Obligation: ensure that personal data is accurate and complete.
6. Protection Obligation: make reasonable security arrangements to protect personal data.
7. Retention Limitation Obligation: cease retention of personal data when there is no longer a legal or business purpose for it.
8. Transfer Limitation Obligation: personal data should only be transferred in accordance with the requirements of the PDPA.
9. Openness Obligation: make personal data protection policies and the complaint process publicly available.

1, 2 & 3. Consent, Purpose Limitation and Notification Obligations

Individuals must have been notified of, and consented to, the purposes for which their personal data is to be collected, used or disclosed.

Illustration of personal data

Personal data is any data, regardless of its accuracy, about an individual who can be identified from that data alone or together with other information that an organisation has or is likely to have. Examples include:

  o NRIC or FIN number
  o Passport number
  o Photograph or video image of an individual
  o Mobile telephone number
  o Personal email address
  o Thumbprint
  o DNA profile
  o Name and residential address
  o Name and residential telephone number

Business Contact Information (BCI) is excluded from the applicability of the PDPA. BCI refers to an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number, and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

Best Practice Standards

- Prepare and regularly maintain an inventory map. It should include:
  o What personal data is collected and why
  o Who collects it
  o Where it is stored
  o Who it is disclosed to
- Personal data should only be collected, used or disclosed for purposes consented to by the relevant individuals.
- Data collection forms should indicate which fields are compulsory and which are optional.
- Where verbal consent is given, the organisation should subsequently contact the individual and confirm his or her consent in writing.
- Where personal data is to be collected without the consent of the individual, the organisation should first refer to the Second Schedule and ensure that it is permitted to do so.
- Where personal data is to be used without the consent of the individual, the organisation should first refer to the Third Schedule and ensure that it is permitted to do so.
- Where personal data is to be disclosed without the consent of the individual, the organisation should first refer to the Fourth Schedule and ensure that it is permitted to do so.
- Where a data intermediary is involved, the organisation should ensure that the intermediary engaged complies with the PDPA obligations.
- A withdrawal of consent procedure should be implemented, including the applicable timeframes within which a notice to withdraw consent can be served by an individual and processed by the organisation. The organisation must inform the individual of the likely consequences of withdrawing consent, and should then allow the individual to withdraw consent.

4. Access and Correction Obligation

A facility must be provided for individuals to request access to, and correction of, personal data in an organisation's possession or under its control via an intermediary.

Best Practice Standards

- The organisation should establish a procedure to handle requests for access to and correction of personal data.
- The organisation should establish a procedure to send corrected personal data to third parties to which the personal data was disclosed in the last year.
- A list of third party organisations to which personal data has been disclosed should be prepared and maintained. The list should also include the purpose of each disclosure.
- A fee structure to defray the costs of accommodating such requests should be developed and made available to the individual at the time of his or her request.
- Where a request for access or correction is not to be acceded to, the organisation should first refer to section 21(3) and the Fifth and Sixth Schedules to ensure that it is permitted to do so.

5. Accuracy Obligation

Reasonable effort must be made to ensure the accuracy and completeness of personal data where it is likely to be used to make a decision affecting the individual, or to be disclosed to another organisation.

Illustration of reasonable effort

The effort required of an organisation depends on the circumstances at hand, and the factors to be considered include:

  o Nature of the personal data and its significance to the individual
  o Purpose for which it is collected, used or disclosed
  o Reliability of the personal data
  o Currency of the personal data
  o Impact on the individual concerned

Best Practice Standards

- Reasonable effort must be made to ensure that:
  o Personal data collected is accurately recorded
  o Personal data collected includes all relevant parts
  o Appropriate steps are taken to ensure the accuracy and correctness of personal data
- Where personal data is collected from a third party source, confirmation should be obtained from the source that the accuracy and completeness of the personal data has been verified.
- To minimise errors in deciphering handwritten forms, switch to computerised means such as electronic forms on computers or tablets.

6. Protection Obligation

Reasonable security arrangements need to be in place to protect personal data.

Illustration of reasonable security arrangements [3]

Administrative measures
  o Conduct training sessions on personal data protection initiatives.
  o Ensure that all employees adhere to the personal data policy of the organisation.

Physical measures
  o Provide access to personal data only to authorised personnel on a need-to-know basis.
  o Ensure that computers containing personal data are locked when not in use.

Technical measures
  o Ensure that computer systems are up-to-date and well protected from system breaches and hacking. Install anti-virus, anti-spyware and personal firewall software on computer systems, and ensure that scans are performed regularly.
  o Maintain a strong password for electronic files. Change the password periodically. Limit the number of failed logins. Hide password characters when they are keyed in.

Best Practice Standards

- Ensure that physical copies of personal data are securely locked up, with controls in place. Requests for access must be justified and granted only to authorised personnel.
- Keep a record of who has accessed the personal data, including how and when the personal data was used.
- Schedule regular meetings and audits to keep tabs on personal data protection processes, bearing in mind:
  o The size of the organisation and the type of personal data stored
  o Who has access to the personal data
  o Whether third parties have access to the personal data
- Ensure that in all outsourced contractual agreements with data intermediaries [4] recognised under the PDPA, there are safeguards in place to protect personal data.

[3] Refer to section 17.5 of the Advisory Guidelines on Key Concepts in the PDPA, page 86, for further examples.
[4] Refer to Appendix 1 for what constitutes data intermediaries and the relevant obligations.

7. Retention Limitation Obligation

The organisation must destroy personal data, or remove information identifying the individual, when the purpose for which the personal data was initially collected is no longer necessary, and there is no legal or business purpose in retaining the personal data.

Illustration of ceasing to retain personal data

Destroy physical and electronic personal data completely when it is no longer in use. Archiving personal data, for example, does not constitute destruction.

Best Practice Standards

- Conduct regular reviews of the personal data that the organisation holds to ensure that personal data is destroyed once there is no longer any purpose for retaining it.
- Set out a personal data retention policy:
  o Specifying varying retention periods for different types of personal data.
  o Including the reasons for holding personal data for specific periods.
- Implement a standard operating procedure for the destruction of personal data, for example shredding personal data before disposal.
- Send electronic storage devices for proper destruction and disposal:
  o Use specific software to overwrite files containing personal data.
  o Use specialised hardware such as degausser machines to destroy magnetically recorded personal data.
- Promptly destroy uncollected printouts and faxes containing personal data.
- Ensure that data intermediaries [5] comply with the PDPA:
  o Review the contract with data intermediaries and ensure that they destroy personal data in accordance with the organisation's policy.

[5] Refer to Appendix 1 for what constitutes data intermediaries and the relevant obligations.
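The retention review described above, as an added example that is not part of the original guide or of any PDPC material: a retention policy that gives each type of personal data its own period and documented reason, and a review routine that lists which records are due for destruction. It deliberately keeps records that are still in use for their original purpose or under a legal hold, treats an archived copy as still retained (archiving is not destruction), and separately reports records whose data type has no policy entry at all, since those are a gap in the policy rather than data safe to keep. The policy entries, record types, dates and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Hypothetical retention policy (constructed for this example): for each data type,
# the retention period in days and the documented reason for holding it that long.
RETENTION_POLICY: Dict[str, Tuple[int, str]] = {
    "job_application": (365, "re-contact unsuccessful candidates for similar openings within a year"),
    "customer_invoice": (5 * 365, "accounting records kept for the statutory period"),
    "visitor_log": (90, "building security review window"),
}

REVIEW_DATE = date(2015, 12, 7)  # constructed review date


@dataclass
class Record:
    """One item in the personal data inventory (hypothetical structure)."""
    record_id: str
    data_type: str
    collected_on: date
    purpose_active: bool = False   # still needed for the purpose it was collected for
    legal_hold: bool = False       # a legal reason to keep it, e.g. a pending dispute
    archived: bool = False         # moved to an archive; archiving is not destruction


def retention_review(records: List[Record], today: date = REVIEW_DATE,
                     policy: Dict[str, Tuple[int, str]] = RETENTION_POLICY) -> Dict[str, List[str]]:
    """Classify records as 'destroy', 'keep' or 'no_policy' and return the ids in each class."""
    result: Dict[str, List[str]] = {"destroy": [], "keep": [], "no_policy": []}
    for r in records:
        if r.data_type not in policy:
            # A data type with no retention period is a policy gap to fix before the next review.
            result["no_policy"].append(r.record_id)
            continue
        max_days, _reason = policy[r.data_type]
        held_days = (today - r.collected_on).days
        # Retention ends when the period has run out and neither the original purpose
        # nor a legal hold remains. The archived flag is ignored on purpose: an archived
        # copy is still retained personal data.
        if held_days > max_days and not r.purpose_active and not r.legal_hold:
            result["destroy"].append(r.record_id)
        else:
            result["keep"].append(r.record_id)
    return result


def collected(days_ago: int) -> date:
    """Collection date a given number of days before the review date (constructed input)."""
    return REVIEW_DATE - timedelta(days=days_ago)


# Constructed sample inventory covering each branch of the review.
SAMPLE_RECORDS = [
    Record("A1", "job_application", collected(400), archived=True),          # overdue, archive is not destruction
    Record("B2", "visitor_log", collected(10)),                               # within the 90-day period
    Record("C3", "customer_invoice", collected(6 * 365), legal_hold=True),    # overdue but on legal hold
    Record("D4", "job_application", collected(400), purpose_active=True),     # overdue but still in use
    Record("E5", "marketing_lead", collected(1000)),                          # no policy entry for this type
]

if __name__ == "__main__":
    for bucket, ids in retention_review(SAMPLE_RECORDS).items():
        print(f"{bucket}: {ids}")
```

The `no_policy` bucket is the one to watch in practice: records that fall into it are being held with no stated period or reason, which is exactly what the retention policy is meant to prevent.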

8. Transfer Limitation Obligation

Personal data should not be transferred overseas unless there is clear consent from the individual whose personal data it concerns, and the personal data protection standards of the recipient country are comparable with those of Singapore's PDPA.

Best Practice Standards

- The standard of protection should be legally binding and contain appropriate safeguards. [6]
- In contractual agreements or binding corporate rules [7] with overseas organisations, the obligation to ensure personal data protection should be included. [8]
- Protection should be provided with regard to the purpose of collection, use and disclosure by the recipient, accuracy, protection, retention limitation, policies on personal data protection, and access and correction. [9]

[6] According to the Public Consultation Paper on the Proposed Regulations on Personal Data Protection in Singapore, page 11.
[7] Internal rules which are legally enforceable and applicable to every organisation.
[8] In accordance with the Public Consultation Paper on the Proposed Regulations on Personal Data Protection in Singapore, pages 13-14.
[9] As listed in the table on page 97 of the Advisory Guidelines on Key Concepts in the PDPA.

9. Openness Obligation

Appoint at least one individual in the organisation as the data protection officer, in charge of ensuring that the organisation complies with the PDPA. The contact information of that individual should be made available to the public. Personal data protection policies, including the complaint process, should be made available to the public.

Best Practice Standards

- The contact information of the data protection officer should be made readily accessible and operational during Singapore business hours.
- The data protection officer should be sufficiently equipped to answer any questions pertaining to the collection, use or disclosure of personal data collected by the organisation.
- The data protection officer should subscribe to the DPO newsletter to be kept updated on the efforts of the PDPC. [10]
- The duties of the data protection officer include:
  o Implementing measures to tackle and handle complaints received
  o Communicating the organisation's personal data protection policy to all employees
- Employees should be aware of whom to direct queries to regarding personal data protection.
- Conduct training sessions to inform all employees of the organisation's data protection policies and their roles in safeguarding personal data.
  o These sessions should be conducted at briefings or employee orientation to allow employees to clarify any doubts and increase their understanding of the responsibilities involved.
  o Ensure that top management are also aware of their obligations.
- Formulate a compliance manual to assist employees in abiding by the PDPA.

[10] Refer to the list of resources below for resources such as the DPO newsletter and the PDP toolkit in dual languages.

Do Not Call (DNC) Provisions

The Do-Not-Call Obligation

An organisation should not engage in telemarketing with a Singapore telephone number unless there has been clear consent by the individual, or the individual has not registered to opt out.

Illustration of the Do-Not-Call Registry

- Ensure that all numbers in the marketing list have given clear and unambiguous consent to receiving telemarketing calls.
  o If no such consent is provided, the DNC Register should be checked to confirm that the number is not listed.

Best Practice Standards

- Develop an internal process to regularly check the DNC Register.
  o Check against the DNC Register within 30 days before telemarketing unless there is evidence of clear and unambiguous consent.
- Limit telemarketing activities to existing customers.
- Include information identifying the sender and do not conceal the calling line identity.
- If telemarketing calls are outsourced to third parties, ensure that they comply with the requirements of your organisation's policy and those set out in the PDPA.
  o Within the contractual agreement with third parties, include the obligation to adhere to your organisation's personal data protection policy.

DNC Flowchart

1. Is the message sent or received in Singapore?
   No: the DNC provisions do not apply.
   Yes: go to step 2.
2. Is the message a specified message?
   No: the DNC provisions do not apply.
   Yes: go to step 3.
3. Is there valid consent from the recipient that is clear and unambiguous?
   Yes: go to step 5.
   No: go to step 4.
4. Is the recipient registered on the DNC Register?
   Yes: the message fails to comply with the DNC provisions.
   No: go to step 5.
5. Is the sender's identity and contact information included?
   No: the message fails to comply with the DNC provisions.
   Yes: the message complies with the DNC provisions, provided it is sent within 30 days of the DNC Register check.
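The flowchart as executable decision logic, written as an added example for this guide (it is not code from the original publication or from the PDPC). The function walks the five questions in order, treats a DNC Register check that is missing, for a different number, or older than 30 days as no check at all, and reports which question the message failed, which is what a marketing team needs to correct a batch before it goes out. The Message and RegisterCheck records, the sample numbers and the dates are constructed for illustration; nothing here contacts the real DNC Registry.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple

# The three terminal outcomes of the flowchart.
NOT_APPLICABLE = "DNC provisions do not apply"
COMPLIES = "Message complies with DNC provisions"
FAILS = "Message fails to comply with DNC provisions"

MAX_CHECK_AGE_DAYS = 30  # a DNC Register check is only good for 30 days before sending
SEND_DATE = date(2015, 12, 7)  # constructed send date used by the samples


@dataclass
class Message:
    """One outbound telemarketing message (hypothetical record, constructed for this example)."""
    recipient_number: str
    in_singapore: bool         # step 1: sent to or received at a Singapore telephone number
    specified_message: bool    # step 2: a marketing message of the kind the DNC provisions cover
    clear_consent: bool        # step 3: clear and unambiguous consent from the recipient on file
    sender_identified: bool    # step 5: sender identity and contact information included
    send_date: date = SEND_DATE


@dataclass
class RegisterCheck:
    """Result of an earlier lookup of one number against the DNC Register (hypothetical record)."""
    number: str
    checked_on: date
    listed: bool               # True if the number was found on the DNC Register


def days_before(n: int) -> date:
    """A date n days before the constructed send date (helper for the samples)."""
    return SEND_DATE - timedelta(days=n)


def dnc_outcome(msg: Message, check: Optional[RegisterCheck]) -> Tuple[str, str]:
    """Walk the five-step flowchart for one message and return (outcome, reason)."""
    # Steps 1 and 2: outside Singapore, or not a specified message, the provisions do not apply.
    if not msg.in_singapore:
        return NOT_APPLICABLE, "message neither sent nor received in Singapore"
    if not msg.specified_message:
        return NOT_APPLICABLE, "not a specified message"

    # Step 3: clear and unambiguous consent bypasses the register check.
    if not msg.clear_consent:
        # Step 4: without consent, a recent register check for this exact number is required,
        # and the number must not be listed on it.
        if check is None or check.number != msg.recipient_number:
            return FAILS, "no DNC Register check on record for this number"
        age = (msg.send_date - check.checked_on).days
        if age < 0 or age > MAX_CHECK_AGE_DAYS:
            return FAILS, (f"DNC Register check is {age} days old; "
                           f"it must be within {MAX_CHECK_AGE_DAYS} days of sending")
        if check.listed:
            return FAILS, "recipient is registered on the DNC Register"

    # Step 5: the sender must identify itself and give contact information.
    if not msg.sender_identified:
        return FAILS, "sender identity or contact information missing"
    return COMPLIES, "all flowchart conditions satisfied"


def screen_batch(messages: Iterable[Message],
                 checks: Iterable[RegisterCheck]) -> Dict[str, Tuple[str, str]]:
    """Screen a whole marketing batch: maps each recipient number to its (outcome, reason)."""
    by_number = {c.number: c for c in checks}
    return {m.recipient_number: dnc_outcome(m, by_number.get(m.recipient_number))
            for m in messages}


if __name__ == "__main__":
    # Constructed sample batch: one number with a fresh register check, one with consent on file.
    batch = [
        Message("+65 9000 0001", True, True, False, True),
        Message("+65 9000 0002", True, True, True, True),
    ]
    checks = [RegisterCheck("+65 9000 0001", days_before(10), listed=False)]
    for number, (outcome, reason) in screen_batch(batch, checks).items():
        print(f"{number}: {outcome} ({reason})")
```

Because the outcome carries a reason, a failed batch can be split into numbers that need a fresh register check, numbers that must simply be dropped because they are listed, and messages that only need the sender details added.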

Appendix

Appendix 1: Dealing with Data Intermediaries

What they are

Data intermediaries are organisations engaged to process personal data for another organisation, not including an employee of the other organisation.

For data intermediaries

If your organisation is a data intermediary, only obligations 6 and 7 on protection and retention limitation apply to the processing you carry out as a data intermediary. However, you are still responsible for complying with all obligations in respect of any other processing that falls outside your role as a data intermediary.

For organisations engaging data intermediaries

If your organisation engages data intermediaries, all obligations 1 to 9 are relevant and must be adhered to. Ensure that data intermediaries comply with obligations 6 and 7.

Appendix 2: Employment Best Practices

Relevance of the PDPA in relation to employees' personal data

1. Appoint an individual within your organisation to be the data protection officer.
2. The data protection officer should be well informed of his or her role in protecting the personal data of employees.
3. All employees should be asked to consent to the organisation collecting, using and disclosing their personal data.
4. If personal data of other individuals (for example, family members) is to be disclosed to the organisation, those individuals must have consented.
5. The personal data of employees should only be accessed by authorised personnel. Requests for access must be justified.
6. Employees' personal data should not be disclosed to third parties.
   a. If disclosure to a third party is necessary, ensure that the third party has signed a non-disclosure agreement covering the personal data.
7. All employees should keep the data protection officer updated on any changes to their personal data, and are responsible for ensuring that their personal data is complete and accurate.
8. Regularly review personal data and ensure the timely destruction of personal data that is no longer necessary.
   a. Employ proper methods of disposing of employees' personal data.

Resources

List of Resources

1. Personal Data Protection Act 2012
   http://statutes.agc.gov.sg/aol/search/display/view.w3p;page=0;query=docid%3aea8b8b45-51b8-48cf-83bf-81d01478e50b%20Depth%3A0%20Status%3Ainforce;rec=0
2. Personal Data Protection Commission
   https://www.pdpc.gov.sg/
3. Personal Data Protection Commission Singapore, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (issued 23 September 2013, revised 8 May 2015)
   https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(revised-8-may-2015).pdf?sfvrsn=2
4. Personal Data Protection Commission Singapore, Public Consultation Paper on the Proposed Regulations on Personal Data Protection in Singapore (5 February 2013)
   http://statutes.agc.gov.sg/aol/search/display/view.w3p;ident=b3fc0dc4-a0cb-4796-a91b-475957c03706;page=0;query=docid%3a8f282d86-5239-4511-9373-3039b3dbc798%20Depth%3A0%20Status%3Ainforce;rec=0
5. Personal Data Protection Commission Singapore, When Business Gets Personal: A Quick Guide to the Personal Data Protection Act 2012 for Organisations
   http://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/pdpc-corporate-brochure.pdf?sfvrsn=0
6. Personal Data Protection Commission Singapore, Is Personal Data Safe with your Organisation? Electronic Personal Data Protection for Organisations
   http://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/is-personal-data-safe-with-your-organisation-v1-0.pdf?sfvrsn=2
7. Personal Data Protection Commission Singapore, Personal Data Protection Checklist for Organisations
   http://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/pdpc-checklist-for-orgs-v2-0.pdf?sfvrsn=2
8. Personal Data Protection Commission Singapore, Personal Data Protection Toolkit in dual languages
   https://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/pdp_toolkit.pdf?sfvrsn=8
9. Do-Not-Call Registry
   http://www.dnc.gov.sg/index.html
10. PDPA Legal Advice Scheme by the Law Society of Singapore
    http://www.lawsociety.org.sg/forpublic/pdpalegaladvicescheme.aspx
11. DPO Connect Newsletter
    https://www.pdpc.gov.sg/resources/dpo-connect