
Page 1

2017 Revised Edition

A Supplement: FAQs on the Advisory Guidelines for Key Concepts and Selected Topics


FAQs on the Advisory Guidelines to the PDPA

www.drewnapier.com


Your Guide to the

Personal Data Protection Act 2012

A Supplement: FAQs on the Advisory Guidelines to the PDPA


All enquiries should be addressed to:

Lim Chong Kin Director & Head, Telecommunications, Media and Technology Practice Group

10 Collyer Quay #10-01

Ocean Financial Centre

Singapore 049315

Tel: +65 6531 4110

Fax: +65 6535 4864

Email: [email protected]

COPYRIGHT

© 2017 Drew & Napier LLC

First Published 2013

Second Edition Published 2017

All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by any means, whether electronic or mechanical, including photocopying and recording, without the permission of the copyright holder.

IMPORTANT DISCLAIMER: We have sought to state the law as at 6 February 2017. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of, information or opinion contained in this document. This document covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.

Published by

10 Collyer Quay #10-01

Ocean Financial Centre

Singapore 049315

Printed in Singapore


Your Guide to the Personal Data Protection Act 2012

A Supplement: FAQs on the Advisory Guidelines to the PDPA

Editors:

LIM Chong Kin

Director, Head (Telecoms, Media and Technology Law Practice Group) and Head (Competition and Regulatory (Contentious and Non-contentious) Practice Group)

LL.B. (Hons), LL.M. (NUS); Advocate and Solicitor (Singapore)

Admitted to the Roll of Solicitors (England & Wales)

Charmian AW

Director

LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)

Certified Information Privacy Professional (Asia) (CIPP/A)

Certified Information Privacy Professional (Europe) (CIPP/E)

Certified Information Privacy Professional (US) (CIPP/US)

2017 Revised Edition


About Drew & Napier LLC

Drew & Napier LLC has provided exceptional legal advice and representation to discerning clients since 1889 and is one of the leading and largest law firms in Singapore.

The calibre of our work is acknowledged internationally at the highest levels of government and industry. Our lawyers and senior counsel are the preferred choice when the stakes are high and the issues complex.

The firm possesses unparalleled transactional, licensing and regulatory experience in data protection law as well as the Telecommunication, Media and Technology, and postal sectors in Singapore, which it attributes to its Telecommunications, Media and Technology Practice Group, led by Lim Chong Kin.

Drew & Napier assists clients in a wide range of data protection matters including data protection review; training; compliance audits; and advisory. Since 2013, the firm has been appointed by the Personal Data Protection Commission as its external legal and regulatory advisors, which speaks volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its clients.

For more information on Drew & Napier LLC, please visit www.drewnapier.com.


Drew & Napier’s expertise in Data Protection Law – How We Can Help You

We regularly advise and assist MNC clients on data protection concerns in respect of their Singapore operations. Our MNC clients include telco operators and Internet companies (ranging from social networking sites to mobile device manufacturers to software developers). Our work for clients includes:

• Adapting global policies for data privacy and consumer protection for clients’ Singapore operations and offices.

• Wide-ranging advice on the existing Singapore data protection regime.

• Advising on ad-hoc queries relating to potential or actual privacy breaches and the necessary disclosure requirements and remedial actions in Singapore.

• Advising on data protection concerns relating to the introduction of novel telecommunication services in the Singapore market.

We are also regularly engaged by MNCs as well as local clients across industries (including airlines, manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet companies to conduct regulatory risk audits of their business operations to highlight potential areas of non-compliance and to assist in the rectification of any problematic agreements and conduct. Our team of lawyers is also experienced in conducting compliance audits of business practices, existing legal agreements, and informal business arrangements.

In developing compliance programmes for our clients, we further value-add by creating manageable, staff-level compliance manuals and training programmes to ensure that our clients are in a position to operationalise their compliance procedures on a day-to-day basis.


Contents

Introduction to the Advisory Guidelines on the Personal Data Protection Act 2012 ..... 1

1. Are the Guidelines legally binding? ..... 1

2. How will the PDPA affect organisations? ..... 1

3. Will the PDPA prevent organisations from collecting, using and/or disclosing data relating to individuals? ..... 2

4. How do the Data Protection Provisions interact with existing laws concerning personal data protection? ..... 2

Important Terms used in the PDPA ..... 2

5. The PDPA is only concerned with the personal data of “individuals”. Who are considered “individuals”? ..... 2

6. What types of “personal data” are covered under the PDPA? ..... 3

7. What types of “personal data” are not covered under the PDPA? ..... 4

8. Are IP addresses considered “personal data”? ..... 5

9. Are cookies considered “personal data”? ..... 5

10. Is anonymised data regarded as “personal data” for the purposes of the PDPA? ..... 5

11. Does the PDPA confer property or ownership rights of personal data in an individual or an organisation? ..... 5

12. Which organisations are included, and which are excluded from the operation of the Data Protection Provisions? ..... 5

13. The Data Protection Provisions only apply to a limited extent to a “data intermediary”. What is a “data intermediary”? ..... 6

14. What constitutes “collection”, “use” and “disclosure” of personal data? ..... 7

15. Some Data Protection Provisions refer to the “purpose” for which an organisation collects, uses or discloses personal data. How is such “purpose” defined? ..... 7

16. How is the concept of “reasonableness” defined in the PDPA? ..... 7

17. What are the main data protection obligations contained under the PDPA? ..... 8

18. Do Data Protection Provisions apply to personal data that has been collected overseas and subsequently transferred into Singapore? ..... 8

The Consent Obligation ..... 8


19. What do organisations have to comply with under the Consent Obligation? ..... 8

20. How can organisations obtain consent from individuals? ..... 9

21. When is an individual considered not to have validly given consent? ..... 9

22. When is an individual deemed to have given consent? ..... 10

23. When is a minor deemed to have given consent? ..... 10

24. Where an individual provides his personal data as part of his job application, is this considered deemed consent? ..... 11

25. How should organisations deal with a job applicant’s personal data, after a decision has been made on whether to hire the job applicant? ..... 11

26. Is it necessary to obtain consent from users when an organisation employs the use of cookies? ..... 11

27. Can an organisation obtain personal data from third party sources with the consent of the individual? ..... 12

28. Can an organisation collect and use personal data of a job applicant from social networking sources? ..... 12

29. Can an organisation collect and use information on business cards for recruitment? ..... 12

30. What should organisations do to ensure that the third party sources can validly provide the personal data? ..... 13

31. Can an organisation obtain personal data from third party sources without the consent of the individual? ..... 13

32. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data? ..... 14

33. What practical steps should organisations take to allow individuals to withdraw their consent? ..... 15

34. What is the effect of a notice from an individual to withdraw consent? ..... 15

35. How should organisations respond when they receive a notice from an individual to withdraw consent? ..... 15

36. Should an individual’s consent be obtained in the context of photography or videography? ..... 16

37. Is an individual’s consent required for photography or videography in a public place? ..... 16

38. How may an individual’s consent be obtained for photography or videography in a private space or event? ..... 16


39. Is an individual’s consent required if he or she is caught in the background of a photograph or video recording? ..... 16

40. Does the exception for collecting personal data for “artistic or literary purposes” apply to photographs or video recordings? ..... 17

41. Are organisations required to accede to an individual’s request to prevent or remove the publication of a photograph or video recording? ..... 17

42. Does the PDPA affect the organisation’s copyright in the photograph or video recording? ..... 17

43. Are organisations required to accede to an individual’s request to delete CCTV footage? ..... 17

The Purpose Limitation Obligation ..... 17

44. What do organisations have to comply with under the Purpose Limitation Obligation? ..... 17

45. If an organisation captures CCTV footage beyond the boundaries of their own premises, does that go beyond the Purpose Limitation Obligation? ..... 18

46. Can organisations collect NRIC cards? ..... 18

47. For what business purposes are organisations allowed to use NRIC numbers? ..... 18

48. Can organisations publish NRIC numbers for purposes such as the results of lucky draws? ..... 18

The Notification Obligation ..... 18

49. What do organisations have to comply with under the Notification Obligation? ..... 18

50. How should organisations notify individuals of the purpose for the collection, use and disclosure of their personal data? ..... 19

51. Can organisations use a Data Protection Policy to notify individuals of the purposes for which it collects, uses and discloses personal data? ..... 19

52. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed? ..... 20

53. Can organisations use and disclose personal data for a different purpose from which it was collected? ..... 20

54. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities? ..... 20


55. Do organisations always need to notify individuals when CCTVs are deployed? ..... 21

56. Do organisations need to notify individuals when drones used are likely to capture personal data? ..... 21

57. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data? ..... 21

58. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes? ..... 21

The Access and Correction Obligations ..... 23

59. What do organisations have to comply with under the Access and Correction Obligations? ..... 23

60. What should organisations do to ensure that the individual can validly make an access request? ..... 23

61. Are organisations obliged to comply with Access and Correction Obligations if an individual’s personal data is not in its possession but with a data intermediary? ..... 23

62. Do organisations have to comply with Access Obligations with regards to personal data embedded in emails? ..... 24

63. What is the level of detail required when providing a response to an access request? ..... 24

64. When are organisations not required to accept an individual’s access request? ..... 25

65. How long should organisations take in responding to an access request? ..... 25

66. Can organisations charge fees for an individual’s access to personal data? ..... 25

67. How should organisations deal with access requests relating to the disclosure to a prescribed law enforcement agency? ..... 26

68. How should organisations deal with an individual’s personal data when an access request is received? ..... 26

69. How should organisations reject an access request? ..... 26

70. Will the Access Obligation require organisations to accede to an individual’s request to access CCTV footage? ..... 27

71. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage? ..... 27


72. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request? ..... 27

73. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected? ..... 27

74. When are organisations not required to accept an individual’s correction request? ..... 28

75. How should organisations reject a correction request? ..... 28

76. How long should organisations take in responding to a correction request? ..... 28

The Accuracy Obligation ..... 28

77. What do organisations have to comply with under the Accuracy Obligation? ..... 28

78. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources? ..... 29

79. Should organisations take extra measures to verify the accuracy of personal data of minors? ..... 29

The Protection Obligation ..... 29

80. What does it mean to make “reasonable security arrangements to protect personal data”? ..... 29

81. What types of security arrangements can an organisation put in place? ..... 30

82. Are organisations responsible if their employees do not comply with the PDPA? ..... 31

The Retention Limitation Obligation ..... 31

83. How long should an organisation retain personal data? ..... 31

84. What are some recommended best practices in relation to the retention of personal data? ..... 32

85. How long can organisations continue to hold personal data of former employees? ..... 32

86. What does it mean to “cease to retain” personal data? ..... 32

The Transfer Limitation Obligation ..... 33

87. What is the Transfer Limitation Obligation? ..... 33

88. What are the conditions that organisations have to satisfy before transferring personal data overseas? ..... 33


The Openness Obligation ..... 34

89. What is the Openness Obligation? ..... 34

90. Are there any requirements as to whom an organisation may designate as its data protection officer? ..... 34

Other Important Concepts ..... 34

91. What does it mean to anonymise personal data? ..... 34

92. How can personal data be anonymised? ..... 35

93. What are some challenges and limitations in anonymising data? ..... 35

94. Under what circumstances might data be considered to have been re-identified? ..... 36

95. How can organisations assess the risk of re-identification? ..... 37

96. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification? ..... 38

97. What is the correlation between the motivation for re-identification and the risk of re-identification? ..... 38

98. How can organisations lower the risk of re-identification? ..... 38

Scope of The DNC Provisions ..... 39

99. To whom are the DNC Provisions applicable? ..... 39

100. The DNC Provisions apply to “specified messages”. What are “specified messages”? ..... 39

101. The DNC Provisions apply to “senders”. Who are “senders”? ..... 41

102. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending? ..... 41

103. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number? ..... 42

Obligations and Duties under the DNC Provisions ..... 42

104. What does a person need to do before sending a specified message? ..... 42

105. Is it necessary to check the DNC Register every time a specified message is proposed to be sent? ..... 43

106. What happens when a person who had previously given consent to receive specified messages, subsequently withdraws such consent? ..... 43


107. A person has previously given consent to receive specified messages, but subsequently registers his or her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person? ..... 43

108. Who can withdraw consent in respect of a telephone number? ..... 43

109. What would constitute valid consent for the purposes of the DNC Provisions? ..... 44

110. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid? ..... 44

The Drew & Napier TMT Team ..... 46

Lim Chong Kin, Director, Head (Telecoms, Media & Technology) ..... 46

Charmian Aw, Director ..... 46


Advisory Guidelines to the Personal Data Protection Act 2012

This publication is meant to supplement and be read together with Drew & Napier’s “Your Guide to the Personal Data Protection Act 2012”, as published in 2013, and updated in 2017.

INTRODUCTION TO THE ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT 2012

The Personal Data Protection Commission (Commission) issued the following sets of Advisory Guidelines on the Personal Data Protection Act 2012 (PDPA), including but not limited to:

(a) Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Key Concepts Guidelines) issued on 23 September 2013, and most recently revised on 27 July 2017;

(b) Advisory Guidelines on the Personal Data Protection Act for Selected Topics (Selected Topics Guidelines), issued on 24 September 2013, and most recently revised on 28 March 2017; and

(c) Advisory Guidelines on the Do Not Call Provisions (DNC Guidelines), issued on 26 December 2013, and most recently revised on 27 July 2017

(collectively, the Guidelines).

The Commission has also issued other guidelines including:

(a) Sector Specific Advisory Guidelines;

(b) Industry-led Guidelines; and

(c) Other Guides such as the Guide to Disposal of Personal Data on Physical Medium.

Generally, the Guidelines are meant to provide a further understanding of the provisions of the PDPA as they elaborate and provide interpretations on specific requirements and obligations under the PDPA. The Guidelines have since been updated and revised, as appropriate and necessary, by the Commission.

The following is a series of key questions and answers to help you understand the impact of the Guidelines on your business.

1. Are the Guidelines legally binding?

The Guidelines are advisory in nature and are

not legally binding on the Commission or on

any other party. The Guidelines will not limit or

restrict the Commission’s administration and

enforcement of the PDPA, and the provisions

of the PDPA and any regulations or rules

issued thereunder will prevail over the

Guidelines in the event of any inconsistency.

2. How will the PDPA affect organisations?

The data protection provisions in Parts III to VII

of the PDPA (Data Protection Provisions)

came into operation on 2 July 2014.

As such, organisations can generally continue

to use personal data that was collected before

2 July 2014 for the purposes for which such

personal data was collected, without a need to

obtain fresh consent from the individual.

However, if an individual has withdrawn his or

her consent, fresh consent will need to be

obtained.


Even if it is not clear for what purposes any personal data had been collected before 2 July 2014, it is not strictly necessary for such purposes to be specified or notified to the individuals concerned on or after 2 July 2014. In such cases, however, the Commission recommends that the organisation consider documenting the purposes, so that it will have such information readily available if a question arises as to whether the organisation is complying with the Data Protection Provisions (such as the requirement to obtain valid consent pursuant to the PDPA prior to the collection, use and disclosure of personal data).

Additionally, should an organisation wish to use or disclose personal data which it had collected prior to 2 July 2014 for new purposes (i.e. purposes to which the individual concerned had not consented), the organisation will need to obtain consent from the individual concerned for these new purposes.

Organisations will also need to assess whether their contractual obligations need to be amended to comply with the Data Protection Provisions. It should be noted that compliance with contractual obligations entered into prior to 2 July 2014 is not an excuse for failure to comply with the Data Protection Provisions.

The Do Not Call provisions (DNC Provisions), which are set out in Part IX of the PDPA, came into effect on 2 January 2014. Please refer to question 99 et seq. for a further discussion of the DNC Provisions.

3. Will the PDPA prevent organisations from collecting, using and/or disclosing data relating to individuals?

The PDPA will not strictly prohibit organisations from collecting, using and/or disclosing data relating to individuals. However, where an organisation wishes to collect, use and/or disclose personal data (as defined in the PDPA; see question 6 below), it will be required to comply with the Data Protection Provisions (see question 2 above).

Accordingly, where individuals need not be identifiable for the organisation’s purposes, organisations may wish to collect or use anonymised data instead, as the Data Protection Provisions will not apply to anonymised data (see question 91 below on what anonymised data means).

4. How do the Data Protection Provisions interact with existing laws concerning personal data protection?

The Data Protection Provisions will not affect any existing authority, right, privilege, immunity, obligation or limitation arising under existing law. The PDPA also specifically provides that the provisions of other written law will prevail over the Data Protection Provisions, but only to the extent that there is an inconsistency.

As such, sector-specific legislation should not be regarded as a blanket override of the Data Protection Provisions.

For example, pursuant to Section 47 of the Banking Act (Cap. 19), a bank can disclose customer information to such persons and for such purposes as are specified in the Third Schedule of the Banking Act, subject to the conditions specified therein. However, the Data Protection Provisions of the PDPA may be inconsistent with Section 47 of the Banking Act, as the former may not specifically allow the bank to disclose such customer information without the prior consent of the customer concerned. In such a case, Section 47 of the Banking Act will prevail in respect of those exceptions under the Third Schedule of the Banking Act, but the bank must continue to comply with the Data Protection Provisions in respect of any purposes which, or persons who, are not specified in the Third Schedule of the Banking Act.

IMPORTANT TERMS USED IN THE PDPA

5. The PDPA is only concerned with the personal data of “individuals”. Who are considered “individuals”?


The PDPA defines an individual as “a natural person, whether living or deceased.” The term “natural person” refers to a human being, and does not refer to other legal persons or unincorporated entities (e.g. a company or a registered society). Accordingly, the PDPA only protects the personal data of natural persons.

The term “individual” includes both living and deceased individuals. However, the PDPA applies only to a limited extent in respect of the personal data of deceased individuals.

6. What types of “personal data” are covered under the PDPA?

The term “personal data” covers all types of data from which an individual can be identified (i.e. where the organisation is able to distinguish one individual from others based on the data it has), regardless of its veracity or whether it is in electronic or other form.

Data about an individual

Personal data has to be data about an individual. Some examples of data that is about an individual include information about an individual’s health, educational and employment background, as well as an individual’s activities such as spending patterns.

Some data will, by its nature, identify an individual, e.g. an individual’s name. Other data which does not identify an individual will only constitute personal data if it is associated with a particular individual. For example, a residential address by itself may not identify an individual because there may be several individuals residing there. However, if the residential address is associated with a particular identifiable individual, it would still be considered personal data. Thus, whether a piece of information is considered personal data is context-specific.

Similarly, the content of individuals’ communications, such as email messages and text messages, may not in and of itself be considered personal data, unless it contains information about an individual that can identify the individual.

Individual can be identified from that data on its own

Certain types of data can, on their own, identify an individual, for instance biometric identifiers which are inherently distinctive to an individual, such as an individual’s face geometry. Similarly, data that has been assigned to an individual for the purpose of identifying the individual (e.g. an individual’s NRIC number) would be able to identify the individual from that data alone.

Such data which, on its own, constitutes personal data is referred to as a “unique identifier” in the Key Concepts Guidelines. Some examples of data that the Commission generally considers unique identifiers include an individual’s full name, NRIC number or FIN (Foreign Identification Number), passport number, personal mobile telephone number, facial image (e.g. in a photograph or video recording), voice (e.g. in a voice recording), fingerprint, iris image and DNA profile. For example, a passer-by picks up a passport photograph which clearly shows the facial image of an identifiable individual. The photograph is considered to constitute personal data of the individual, even though the passer-by does not know who the individual is.

Individual can be identified from that data and other information to which the organisation has or is likely to have access

Generic information, such as gender, nationality, age or blood group, alone is not usually able to identify a particular individual (e.g. gender alone cannot identify the individual). Nevertheless, such information may constitute part of the individual’s personal data if it is combined with a unique identifier or other information such that it can be associated with, or made to relate to, an identifiable individual.

Whether any data or dataset constitutes personal data would depend on the specific facts of each case. Data or datasets that may identify an individual in a certain situation may not identify an individual in another situation. An organisation should consider, among other considerations, the availability of other information it has or is likely to have access to.

However, if an organisation conducts a street intercept survey and collects information from passers-by that includes age range, gender, occupation and place of work, then although each of these data points, on its own, would not be able to identify an individual, the organisation should be mindful that such a dataset may be able to identify the respondent. Given that some of the respondents’ datasets are likely to identify the respondents, the organisation should treat the datasets as personal data and ensure that it complies with the Data Protection Provisions.

In other words, generic information that does not relate to a particular individual may also form part of an individual’s personal data if an individual can be identified when it is combined with other information. For example, generic information such as “male” and “aged 21” is provided as part of a membership form in addition to information such as the individual’s full name. In such a situation, the general characteristics will constitute part of the individual’s personal data because the generic information would have been related to the specific individual.

Even if the information is not directly identifying data, it may still be considered personal data if the organisation has access to other information that, when taken together with the data, will allow the individual to be identified. For example, if a company anonymises data collected from a customer survey by replacing the respondents’ names with randomly generated number tags, but the company still holds the key that can reverse the randomisation process, the collected data will still be able to identify individuals with the aid of the key and will thus be considered personal data. (See question 91 for more details on what it means to anonymise personal data.)

False personal data

Data which is false can also be part of an individual’s personal data. An individual may have appropriate reasons for using data that is not strictly true, for example, when an individual uses a fictitious name or nickname as part of his personal email address.

7. What types of “personal data” are not covered under the PDPA?

The PDPA does not apply to the following categories of personal data:

(a) business contact information;

(b) personal data that is contained in a record that has been in existence for at least 100 years; and

(c) personal data about a deceased individual who has been dead for more than 10 years.

Business contact information

Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address, business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

The purpose for which the individual provides the work-related contact information is important, because any work-related contact information provided solely for personal purposes (e.g. signing up for a gym membership) would not constitute business contact information. However, in most circumstances, the Commission is likely to consider personal data provided on business or name cards as business contact information.

Since sole proprietorships and partnerships are also businesses, the contact information of sole proprietors and partners is considered business contact information where such information has not been provided solely for personal purposes.

8. Are IP addresses considered “personal data”?

IP addresses in isolation

The Commission generally takes the view that IP addresses or network identifiers such as an IMEI number may not be personal data when viewed in isolation, as under such circumstances they would serve to identify a particular networked device rather than a particular individual.

IP addresses combined with other information

It may be possible in some cases to identify an individual from his device’s IP address when it is combined with other traces of information that are collected, or left behind, by a device (such as cookies).

Tracking of IP addresses

Organisations may collect data points tied to an IP address for purposes such as determining the number of unique visitors to a website in a month, or the number of unique responses to a once-off online survey about consumer preferences, and consequently track activities tied to an IP address. The Commission takes the view that such tracking may not result in the collection of personal data, if the organisation is unable to identify an individual from the data collected or from that data and other information that the organisation has or is likely to have access to.

However, the more data points an organisation collects that are associated with a unique IP address, the more likely it is that the data collected may constitute personal data. For example, if an organisation profiles the websites visited by an IP address, the items purchased by the same IP address and other online activities associated with the IP address over a long period of time, and is able to ascertain that the particular IP address is associated with a unique person with a specific surfing profile, the organisation may be found to have collected personal data.

9. Are cookies considered “personal data”?

Cookies are not personal data. However, cookies may collect personal data.

Where cookies are employed by an organisation to collect personal data of a user, the PDPA will require that the organisation obtain the user’s consent to collect, use and/or disclose the personal data of the user. See question 26 below.

10. Is anonymised data regarded as “personal data” for the purposes of the PDPA?

Generally, anonymised data alone will not constitute personal data.

However, if the anonymised data, together with any other information that an organisation has or is likely to have access to, can be used to identify a particular individual, these data and information taken together will constitute personal data.

11. Does the PDPA confer property or ownership rights to personal data on an individual or an organisation?

The PDPA does not confer any property or ownership rights to personal data per se on individuals or organisations, and also does not affect existing property rights in items in which personal data may be captured or stored.

Thus, if an organisation takes a photograph of an individual, the individual would not be conferred ownership rights to that photograph under the PDPA even though it would be part of his personal data. Instead, ownership would depend on existing laws such as property law and copyright law. Regardless of ownership rights, the organisation must comply with the PDPA if it intends to collect, use or disclose the photograph.

12. Which organisations are included in, and which are excluded from, the operation of the Data Protection Provisions?


The Data Protection Provisions apply to all organisations, with certain exceptions. Organisations required to comply with the PDPA should be able to demonstrate their compliant practices with evidence.

“Organisation” is defined broadly to include any individual, company, association or body of persons, corporate or unincorporated, whether or not:

(a) formed or recognised under the law of Singapore; or

(b) resident or having an office or place of business in Singapore.

The Data Protection Provisions do not apply to:

(a) individuals acting in a personal or domestic capacity;

(b) employees acting in the course of their employment with an organisation;

(c) public agencies, or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; and

(d) other organisations as may be prescribed by the Minister.

Individuals acting in a personal or domestic capacity

An individual acts in a “personal or domestic” capacity when undertaking activities for his home or family; for example, by opening joint bank accounts between two or more family members.

Individuals acting as employees

Employees are excluded from the application of the Data Protection Provisions. The PDPA defines an employee to include a volunteer. Hence, individuals who undertake work without an expectation of payment would fall within the exclusion for employees.

Even though employees are excluded from the application of the PDPA, organisations remain responsible for the actions of their employees which contravene the Data Protection Provisions.

Public agencies and organisations acting on behalf of public agencies

Section 2 of the PDPA defines a public agency to include:

(a) the Government, including any ministry, department, agency or organ of State;

(b) any tribunal appointed under any written law; or

(c) any statutory body specified by the Minister by notice in the Gazette.

To date, the Minister has gazetted 62 statutory bodies as public agencies pursuant to the Personal Data Protection (Statutory Bodies) Notification 2013.

While organisations acting on behalf of a public agency in relation to the collection, use and/or disclosure of personal data are excluded from the application of the Data Protection Provisions when they are so acting, they still have to comply with the Data Protection Provisions in relation to other aspects of their business not related to the public agency, for example, in relation to their employees’ personal data or the personal data of other customers.

13. The Data Protection Provisions only apply to a limited extent to a “data intermediary”. What is a “data intermediary”?

Where data intermediaries process personal data on behalf of another organisation (the principal organisation) pursuant to a written contract, they will only be subject to the Data Protection Provisions relating to the protection and retention of personal data.

The PDPA defines “processing” as “the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: (i) recording; (ii) holding; (iii) organisation, adaptation or alteration; (iv) retrieval; (v) combination; (vi) transmission; (vii) erasure or destruction.”

If a data intermediary uses or discloses personal data in a manner which goes beyond the processing required by the principal organisation under the contract, it will not be considered a data intermediary in respect of such use or disclosure. It will therefore have to comply fully with the Data Protection Provisions in relation to such use or disclosure.

In a similar vein, while an organisation may be considered a data intermediary in respect of a set of personal data, it may at the same time be bound by all the Data Protection Provisions in relation to other sets of personal data used for activities which do not fall within the definition of “processing” as a data intermediary (e.g. in relation to the personal data of its own employees).

An organisation may be considered a data intermediary to more than one principal organisation. Any person who acts on behalf of an organisation (e.g. an agent) will have to comply with all obligations of the PDPA unless they are explicitly considered data intermediaries.

In any case, principal organisations will have the same obligations under the PDPA regarding personal data processed on their behalf by a data intermediary as if the personal data were processed by the organisation itself.

An organisation may be a data intermediary of another even if the written contract between the organisations does not clearly identify the data intermediary as such. The Commission therefore highlights the importance of an organisation being clear as to its own rights and obligations when dealing with another organisation. Where appropriate, the written contract should clearly set out each organisation’s responsibilities and liabilities in relation to the personal data in question, and expressly note whether one organisation is processing personal data on behalf of and for the purposes of another organisation.

14. What constitutes “collection”, “use” and “disclosure” of personal data?

In general, the terms “collection”, “use” and “disclosure” have the following meanings:

(a) Collection refers to any act or set of acts through which an organisation obtains control over or possession of personal data.

(b) Use refers to any act or set of acts by which an organisation employs personal data. A particular use of personal data may occasionally involve collection or disclosure that is necessarily part of the use.

(c) Disclosure refers to any act or set of acts by which an organisation discloses, transfers or otherwise makes available personal data that is under its control or in its possession to any other organisation.

While collection, use and disclosure may take place actively (e.g. a salesperson asking the individual for personal information) or passively (e.g. an individual writes his name in an unattended guestbook placed near the entrance), both forms of collection, use and disclosure will be subject to the same obligations under the PDPA.

15. Some Data Protection Provisions refer to the “purpose” for which an organisation collects, uses or discloses personal data. How is such “purpose” defined?

The term “purpose” does not refer to the activities which an organisation may intend to undertake, but rather to its objectives or reasons. Hence, when specifying its purposes relating to personal data, an organisation is not required to specify every activity which it may undertake, but only its objectives or reasons relating to personal data.

16. How is the concept of “reasonableness” defined in the PDPA?


The test for reasonableness is what a reasonable person would consider appropriate in the circumstances. A “reasonable person” is judged based on an objective standard and can be said to be a person who exercises appropriate care and judgment in the particular circumstances.

In determining what a reasonable person would consider appropriate in the circumstances, an organisation should consider the particular circumstances that it is facing. Taking those circumstances into consideration, the organisation should determine what would be the appropriate course of action to take in order to comply with its obligations under the PDPA, based on what a reasonable person would consider appropriate. In other words, a possible step that an organisation could take is to view the situation from the perspective of the individual and consider what the individual would think is fair.

The Commission notes that the standard of reasonableness is expected to be evolutionary.

17. What are the main data protection obligations contained under the PDPA?

The PDPA contains 9 main data protection obligations that apply to organisations in respect of personal data in their possession or under their control:

(a) the Consent Obligation (Sections 13 to 17 of the PDPA);

(b) the Purpose Limitation Obligation (Section 18 of the PDPA);

(c) the Notification Obligation (Section 20 of the PDPA);

(d) the Access and Correction Obligation (Sections 21 and 22 of the PDPA);

(e) the Accuracy Obligation (Section 23 of the PDPA);

(f) the Protection Obligation (Section 24 of the PDPA);

(g) the Retention Limitation Obligation (Section 25 of the PDPA);

(h) the Transfer Limitation Obligation (Section 26 of the PDPA); and

(i) the Openness Obligation (Sections 11 and 12 of the PDPA).

The Data Protection Provisions described above apply to the collection, use and/or disclosure of personal data in Singapore. This means that even when an organisation collects personal data from outside Singapore and processes such personal data in Singapore, the organisation has to comply with the PDPA.

18. Do the Data Protection Provisions apply to personal data that has been collected overseas and subsequently transferred into Singapore?

Yes, the Data Protection Provisions apply when organisations collect, use or disclose personal data for their own purposes in Singapore, unless the exemptions to the Data Protection Provisions apply. Where personal data is collected in a foreign country or territory with its own data protection laws, the Commission will take into account the manner in which the personal data was collected in compliance with such data protection laws in determining whether the organisation has complied with its Notification and Consent Obligations.

THE CONSENT OBLIGATION

19. What do organisations have to comply with under the Consent Obligation?

Under the Consent Obligation, organisations are required to obtain consent from the individual before they can collect, use or disclose the individual’s personal data. This requirement does not apply where the collection, use or disclosure of an individual’s personal data is required or authorised under the PDPA or any other written law.

An individual has not given consent unless he or she has been notified of the purposes for which his or her personal data will be collected, used or disclosed and he or she has provided his or her consent for those purposes. If an organisation fails to inform the individual of the purposes for which his or her personal data will be collected, used and disclosed, any consent given by the individual would not amount to consent.

20. How can organisations obtain consent from individuals?

As good practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference.

An organisation may also obtain consent verbally, although it may be more difficult for an organisation to prove that it had obtained consent. It would therefore be prudent for the organisation to document the consent in some way, for example, by noting the fact that oral consent was provided by an individual for certain purposes together with the date and time of such consent, or by following up the verbal consent by confirming the consent in writing with the individual.

Opt-in method of consent

Organisations can obtain the individual’s consent through a positive action of the individual (e.g. by requiring the individual to check a box indicating consent).

Opt-out method of consent

The Commission’s view is that a failure to opt out (e.g. by deeming that an individual has given his or her consent through inaction on his or her part by not checking a box indicating his or her non-consent) will not be regarded as consent in every situation. Whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case, because there are many methods and variants of opting out and, depending on its implementation, some could be more likely than others to constitute consent.

21. When is an individual considered not to have validly given consent?

Section 14(2) of the PDPA provides that consent is not validly given if it is:

(a) obtained as a condition of the provision of the product or service to the individual, beyond what is reasonable to provide the product or service; and

(b) obtained by providing false or misleading information or using deceptive or misleading practices.

Consent obtained as a condition of providing the product or service

An organisation may require an individual to consent to the collection, use or disclosure of his or her personal data as a condition of providing a product or service where it is reasonably required in order to provide the product or service. However, if the consent is obtained as a condition of providing such products or services beyond what is reasonable for the provision of such products or services, such consent is invalid.

Organisations are not, however, prohibited from providing offers, discounts or lucky draw opportunities to individuals that are conditional on the collection, use or disclosure of their personal data for specified purposes, because such offers, discounts or lucky draws are not considered products or services.

Similarly, organisations are allowed to collect, use or disclose personal data for purposes beyond those that are reasonable for the provision of the service if they obtain additional valid consent in accordance with the PDPA, but this cannot be made conditional on the provision of the service itself.

The Commission recommends that, when organisations collect personal data through a form, it is good practice to indicate which fields that collect personal data are compulsory and which are optional, and to state the purposes for which such personal data will be collected, used and/or disclosed. This avoids potential problems as to whether consent was validly given, because it makes clear whether the individual’s consent was made a condition of the provision of products or services.

Consent obtained by false or misleading

information or deceptive or misleading practices

Consent obtained by providing false or

misleading information to the individual, or by

using deceptive or misleading practices, is not

validly given. Such practices may include

situations where the purposes are stated in

vague or inaccurate terms, in an illegible font,

or placed in an obscure area of a document or

a location that is difficult to access.

22. When is an individual deemed to have given consent?

Section 15 of the PDPA provides two situations where an individual may be deemed to consent even if he or she has not actually given consent:

(a) where an individual voluntarily provides the personal data to the organisation for a purpose and it is reasonable that he or she would do so, the individual is deemed to consent to the collection, use and disclosure for that purpose; or

(b) where an individual consents or is deemed to have consented to the disclosure of his personal data by one organisation to another organisation, the individual is deemed to consent to the collection, use or disclosure of his personal data by that other organisation for that purpose.

Relying on deemed consent requires an organisation to be able to establish the following:

(a) an individual voluntarily provided his or her personal data;

(b) the individual was aware of the purpose for which the personal data was provided; and

(c) the circumstances are such that it is reasonable for the individual to have provided his or her personal data.

It is good practice for an organisation to review its business processes to determine the situations where it should obtain actual consent instead of relying on deemed consent. This is especially pertinent in situations where it is not clear whether the deemed consent provision applies. Obtaining consent from the individual would avoid disputes where an individual claims that he or she did not consent to the collection of his or her personal data for a purpose and that he or she did not voluntarily provide personal data for the purpose.

23. When is a minor deemed to have given consent?

The same principles for deemed consent in relation to individuals apply to minors. However, in considering whether the minor has voluntarily provided his or her personal data, the Commission would consider various factors, including (but not limited to):

(a) the minor’s understanding of the purpose for which his or her personal data is provided;

(b) the minor’s understanding of the effect of giving his or her personal data for that purpose; and

(c) whether there was any undue influence on the minor with respect to the provision of his or her personal data.

The Commission would, as a general guide, consider a minor who is at least 13 years of age to have sufficient understanding of the purposes for which his or her personal data is provided, unless the organisation is aware of contrary facts or circumstances. As a matter of good practice, the Commission suggests that organisations which provide services targeted at minors could state their terms and conditions in a language that is readily understandable by minors, or use visual aids to make their terms and conditions more readily understandable. Other good practices could include placing additional safeguards against unauthorised disclosure of, or unauthorised access to, personal data of minors, or anonymising personal data of minors before disclosure, where feasible.

24. Where an individual provides his personal data as part of his job application, is this considered deemed consent?

When an individual voluntarily provides his or her personal data to an organisation in the form of a job application, for example, in response to a recruitment advertisement, he or she may be deemed to consent to the organisation collecting, using and disclosing the personal data for the purpose of assessing his or her job application.

25. How should organisations deal with a job applicant’s personal data, after a decision has been made on whether to hire the job applicant?

Where the organisation decides not to hire the individual, it should only keep such individual’s personal data for as long as is necessary for business or legal purposes (see questions 83 to 86 below).

Where a job applicant is employed by an organisation, it would be good practice for the organisation to obtain consent from the employee, upon appointment or hiring of the individual, for the maintenance of such employee’s employment records (see question 58 below).

26. Is it necessary to obtain consent from users when an organisation employs the use of cookies?

Yes, if the cookies are used to collect personal data. Consent for session cookies, which usually collect or store technical data in order to facilitate certain web applications, is not required, because these types of cookies do not collect personal data.

It should be noted that the obligation to obtain an individual’s consent for the collection of his or her personal data rests with the organisation that is collecting the personal data, whether by itself or through its data intermediaries. Accordingly, if an organisation operates a website which a third party uses to collect personal data, and the website operator itself is not collecting such personal data, the obligation is on the third party organisation to obtain the consent required to collect the personal data.

For Internet activities that the user has clearly requested (e.g. transmitting personal data for effecting online communications, and storing information that the user enters in a web form to facilitate an online purchase), it may not be strictly necessary to seek consent for the use of cookies to collect, use and disclose personal data where the individual is aware of the purposes for such collection, use or disclosure and voluntarily provided his or her personal data for such purposes.

For activities that cannot take place without cookies that collect, use or disclose personal data, consent may be deemed if the user voluntarily provides the personal data for the purpose of the activity, and it is reasonable that he or she would do so.

The Selected Topics Guidelines provides that consent may be reflected in the way a user configures his or her interaction with the Internet. For instance, if the user configures his or her browser to accept certain cookies but reject others, he or she may be regarded as having consented to the collection, use and disclosure of his or her personal data by the cookies that he or she has chosen to accept. However, the mere failure of a user to actively manage his or her browser settings does not always imply that the individual has consented to the collection, use and disclosure of his or her personal data by all websites for their stated purpose.

When organisations use cookies in behavioural targeting processes that involve the collection and use of personal data, organisations will be required to obtain an individual’s consent.


27. Can an organisation obtain personal data from third party sources with the consent of the individual?

There are two situations in which organisations may obtain personal data about an individual from a third party source, with the consent of the individual:

(a) where the third party source can validly give consent to the collection, use and disclosure of the individual’s personal data (under Section 14(4) of the PDPA); or

(b) where the individual has consented, or is deemed to have consented, to the disclosure of his or her personal data by the third party source (under Section 15(2) of the PDPA).

Consent given by a third party source

In relation to (a), the Commission has noted that regulations will be issued under the PDPA providing for some specific situations in which a person may give consent on behalf of another individual.

The Key Concepts Guidelines provides, as an example of validly obtaining personal data from a third party source, a situation where personal data is obtained via the purchase of a database containing personal data from a database reseller who has obtained consent from the individual for the disclosure of the personal data. Another example is where one organisation in a corporate group has validly obtained consent to the collection, use and disclosure of an individual’s personal data for the purposes of other organisations in the group.

An organisation collecting personal data from a third party source is required to notify the source of the purposes for which it will be collecting, using and disclosing the personal data.

Deemed consent

An example of where an individual may be deemed to have consented to the disclosure of his or her personal data by a third party source is where a prospective employee seeks to obtain a reference from his or her former employer to determine his or her suitability for employment by the prospective employer.

In both cases, the Key Concepts Guidelines sets out that organisations are to exercise sufficient due diligence in ensuring that third party sources of personal data can validly give consent for the collection, use or disclosure on behalf of the individuals concerned.

28. Can an organisation collect and use personal data of a job applicant from social networking sources?

To the extent the information on social networking sources is publicly available (see question 32 below), organisations can collect personal data about a job applicant without his or her consent. The PDPA does not require organisations to obtain the consent of individuals when collecting personal data that is publicly available, for instance, in newspapers, telephone directories and websites containing information that is generally available to the public.

Where the personal data is not publicly available, but is voluntarily made available by an individual on a job-search portal for the purpose of being contacted about prospective job opportunities, the individual may be deemed to have consented to the collection, use and disclosure of his or her personal data for that purpose.

29. Can an organisation collect and use information on business cards for recruitment?

Where an individual provides his or her business card to an organisation for purposes other than solely personal purposes, it is possible for the organisation to use the information on the business card for recruitment or other purposes. This is because the Data Protection Provisions do not apply to business contact information.

However, if the business card is provided by an individual purely for personal purposes, then the organisation will not be permitted to use the personal data contained in the business card for any purposes for which it has not obtained the individual’s consent.

30. What should organisations do to ensure that third party sources can validly provide the personal data?

Organisations obtaining personal data from third party sources should check and ensure that the third party source can validly give consent for the collection, use and disclosure of personal data on behalf of the individual, or that the source had obtained consent for disclosure of the personal data.

Organisations (A) obtaining personal data from third party sources (B) may consider adopting the following due diligence measures, as appropriate:

(a) seek an undertaking from B, through a term of the contract between A and B, that the disclosure to A for A’s purposes is within the scope of the consent given by the individual to B;

(b) obtain confirmation in writing from B;

(c) obtain, and document in an appropriate form, verbal confirmation from B; or

(d) obtain a copy of the document(s) containing or evidencing the consent given by the individuals concerned to B to disclose the personal data.

In the event the third party source could not validly give consent or had not obtained consent for disclosure to the collecting organisation, but concealed this from the collecting organisation, the actions taken by the collecting organisation to verify such matters before collecting the personal data from the third party source would be considered a possible mitigating factor by the Commission should there be a breach of the PDPA relating to such collection or the collecting organisation’s use or subsequent disclosure of the personal data.

31. Can an organisation obtain personal data from third party sources without the consent of the individual?

An organisation (A) may collect personal data from a third party source (B) without the consent of the individual in the circumstances described in the Second Schedule to the PDPA. These circumstances include, for example, where:

(a) the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;

(b) the personal data is publicly available; or

(c) the collection is necessary for evaluative purposes.

At the same time, B would only be able to disclose the personal data without the consent of the individual in any of the circumstances set out in the Fourth Schedule to the PDPA. These circumstances include, for example, where:

(a) the disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;

(b) the personal data is publicly available; or

(c) the disclosure is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual.

B would need to know the purpose for which A is collecting the personal data in order to determine if its disclosure of the data to A falls within the Fourth Schedule exceptions set out in the PDPA. Section 20(2) of the PDPA therefore requires A to provide B with sufficient information regarding its purpose for collecting the personal data, to allow B to determine whether disclosure would be in accordance with the PDPA.


32. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data?

The term “publicly available” refers to personal data that is generally available to the public, including personal data which can be observed by reasonably expected means at a location or an event at which the individual appears and that is open to the public. Personal data is generally available to the public if any member of the public could obtain or access the data with few or no restrictions.

However, in some situations, the existence of restrictions may not prevent the data from being publicly available. For example, if personal data is disclosed to a closed online group but membership in the group is relatively open and members of the public could join with minimal effort, then the disclosure may amount to making the data publicly available.

Time in determining public availability

Personal data that is publicly available at one point in time may no longer be publicly available after that time. For example, users of social networking sites may change their privacy settings from time to time, which would have an impact on whether their personal data would be considered publicly available.

Because it would be excessively burdensome for organisations to constantly verify that the data remains publicly available, especially in situations where the use or disclosure happens some time after the collection of the personal data, the Commission has adopted the position that so long as the personal data in question was publicly available at the point of collection, organisations will be able to use and disclose the personal data without consent under the corresponding exceptions, notwithstanding that the personal data may no longer be publicly available at the point in time when it is used or disclosed.

Personal data observed in public

For data observed in public to constitute publicly available data, two requirements must be met:

(a) the personal data must be observed by reasonably expected means; and

(b) the personal data must be observed at a location or event at which the individual appears and that is open to the public.

Personal data is observed by reasonably expected means if individuals ought reasonably to expect their personal data to be collected in that particular manner at that location or event. This test is an objective one, considering what individuals ought reasonably to expect instead of what a particular individual actually expects.

A location or event would be considered “open to the public” if members of the public can enter or access the location with few or no restrictions. Generally speaking, the more restrictions there are on access to a particular location (e.g. physical barriers such as fences, walls and gates, or security systems, sentries and patrols aimed at restricting entry), the less likely it would be considered “open to the public”.

However, the mere existence of some restrictions is not sufficient to prevent the location from being regarded as open to the public. For example, events that may be entered only upon payment of a fee by a member of the public may still be considered to be open to the public. Similarly, special events for members of a retailer’s loyalty programme may also be considered open to the public, depending on relevant factors such as whether the event was open to a large number of members.

A location is not open to the public merely because members of the public may look into the location. For example, if members of the public are not able to enter residential premises that are closed for a private event, their ability to observe what is happening inside would not make the premises open to the public.

The Commission also recognises that while a location may generally be open to the public, it may at times become a private space (e.g. when a restaurant is booked for a private function). In such situations, as members of the public cannot enter the location during the event, the event is not open to the public.

33. What practical steps should organisations take to allow individuals to withdraw their consent?

Section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose by an organisation.

In order to enable and facilitate withdrawal, the Commission advises organisations to make an appropriate consent withdrawal policy easily accessible to the individuals concerned. This withdrawal policy should, for example:

(a) advise the individuals on the form and manner in which to submit a notice to withdraw their consent for specific purposes;

(b) indicate the person to whom, or the means by which, the notice to withdraw consent should be submitted;

(c) distinguish between purposes which are necessary and those which are optional to the provision of goods or services; and

(d) allow individuals to withdraw consent for optional purposes without concurrently withdrawing consent for the necessary purposes.

An organisation must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal data about himself or herself. If the collection, use or disclosure of his or her personal data is necessary for the provision of the goods or services, the organisation can terminate the provision of such goods and services on the individual’s withdrawal of consent (and have recourse under the law), but cannot prohibit the individual from withdrawing his or her consent.

34. What is the effect of a notice from an individual to withdraw consent?

In determining the precise scope and effect of a notice to withdraw consent, the Commission would examine the facts of the situation. This includes matters such as:

(a) the actual content of the notice of withdrawal;

(b) whether the intent to withdraw consent was clearly expressed; and

(c) the channel through which the notice was sent.

When the organisation provides an option to withdraw consent (e.g. an “unsubscribe” link within an email message), consent is deemed to be withdrawn for the same channel as the option to withdraw (e.g. email notifications), unless the withdrawal option states otherwise.

35. How should organisations respond when they receive a notice from an individual to withdraw consent?

Once an organisation has received a notice to withdraw consent, the organisation should highlight to the individual concerned the likely consequences of withdrawing his or her consent, even if those consequences have previously been set out somewhere else (e.g. in the service contract between the organisation and the individual).

With regard to personal data that is already in an organisation’s possession, withdrawal of consent would only apply to the organisation’s continued use or future disclosure of the personal data concerned. Upon receipt of a notice of withdrawal of consent, the organisation must inform its data intermediaries and agents about the withdrawal and ensure that they cease collecting, using or disclosing the personal data for the organisation’s purposes.

Apart from its data intermediaries and agents, an organisation is not required to inform other organisations to which it has disclosed an individual’s personal data that the individual has withdrawn his or her consent. The individual retains the option of requesting the organisation to provide information on the ways in which his or her personal data has been disclosed and, upon finding out which other organisations his or her personal data may have been disclosed to, approaching these other organisations directly to withdraw consent.

Organisations are not required to delete or destroy an individual’s personal data when he or she has withdrawn consent. Organisations may retain personal data in their documents and records in accordance with the Retention Limitation Obligation (see below).

36. Should an individual’s consent be obtained in the context of photography or videography?

Individual consent is required for the collection, use or disclosure of personal data. In this regard, organisations (or independent professionals) that intend to take photographs or video recordings of an individual in the course of business will need to obtain the individual’s consent if those photographs or video recordings can identify an individual. However, photography or videography taken in a personal or domestic capacity is exempt from the requirement to obtain consent.

An individual is deemed to give his or her consent if he or she permits the photograph or video recording to be taken of him or her, and it is reasonable for him or her to do so.

37. Is an individual’s consent required for photography or videography in a public place?

As a general rule, an organisation that takes photographs or video recordings of an individual in the course of business will need to obtain the individual’s consent if he or she can be identified from those sources. However, the individual’s consent is not required if his or her personal data is publicly available, for example, when the individual is at a place that is open to the public. In this regard, the more access restrictions a location has, the less likely it is to be considered “open to the public” (see question 32 above for discussion on “public place”).

38. How may an individual’s consent be obtained for photography or videography in a private space or event?

In a private setting, an individual may be deemed to give his or her consent by permitting a photograph or video recording to be taken of him or her for the organisation’s intended purpose. Deemed consent may be obtained in the following ways (not exhaustive):

(a) communicate the purpose of the photo-taking or videography at the event via the invitation sent to clients;

(b) place prominent notices near the entrance to the event, informing participants that photos or videos may be taken for the intended purpose;

(c) secure written consent via a confirmation of attendance form or letter which guests sign, where the form indicates that photos and videos may be taken for the intended purpose; or

(d) the photographer may obtain verbal consent before he or she takes each picture by notifying participants of the purpose of the photo-taking.

39. Is an individual’s consent required if he or she is caught in the background of a photograph or video recording?

As a general rule, organisations are required to obtain the consent of individuals who are identifiable in the photograph or video recording. For individuals who are in the background of the photograph or video recording, consent is not required only if the identity of the individuals cannot be ascertained from the photograph or video recording (i.e. they are too small or obscured).

40. Does the exception for collecting personal data for “artistic or literary purposes” apply to photographs or video recordings?

Literary or artistic purposes are not defined under the PDPA. However, as a matter of good practice, the Commission recommends that organisations obtain the consent of individuals before taking the photographs or video recordings.

41. Are organisations required to accede to an individual’s request to prevent or remove the publication of a photograph or video recording?

Yes. Organisations are required to accede to an individual’s request to prevent the publication of a photograph or video recording, or to remove a photograph or video recording that has been published.

Nevertheless, the organisation does not require the individual’s consent only where the publication is authorised under the law, or where the consent of the individual is not required due to an exception (for general principles on withdrawal of consent, see question 35 above).

If an individual requests that the organisation delete the photograph or video recording containing his or her personal data, the organisation is not strictly obliged to do so. However, the organisation should be reminded of its Retention Limitation Obligation, and can only retain the personal data where necessary for legal or business purposes.

42. Does the PDPA affect the organisation’s copyright in the photograph or video recording?

No. The PDPA does not affect any right or obligation imposed under other laws, including the Copyright Act (Cap. 63) (see question 4 above for general principles). Hence, the PDPA does not affect copyright subsisting in a photograph, video recording or any other item protected by copyright.

43. Are organisations required to accede to an individual’s request to delete CCTV footage?

No. Organisations are not required to delete video footage collected from their closed-circuit television cameras (CCTVs) upon request by an individual.

However, before providing a copy of CCTV footage to any person (upon their request), the organisation should mask the images of other individuals who may be present in the CCTV footage. This is because the PDPA does not permit the organisation to disclose personal data (such as video images) of other individuals present in the CCTV footage where the consent of those individuals for such disclosure has not been obtained.

THE PURPOSE LIMITATION OBLIGATION

44. What do organisations have to comply

with under the Purpose Limitation

Obligation?

Under the Purpose Limitation Obligation,

organisations may collect, use or disclose

personal data about an individual only for

purposes that a reasonable person would

consider appropriate in the circumstances. The

particular circumstances involved need to be

taken into account in determining whether the

purpose of such collection, use or disclosure is

reasonable.

More generally, organisations should avoid

over-collecting personal data such as NRIC

numbers, where this is not required for their

business or legal purposes. The Commission

notes that there are situations where the

collection of NRIC numbers for verification or

identification purposes leads to a reduced

need to collect other forms of personal data.

Page 32: A Supplement: FAQs on the Advisory Guidelines for Key ... · FAQs to the Advisory Guidelines to the PDPA Drew & Napier’s expertise in Data Protection Law – How We Can Help You

FAQs on the Advisory Guidelines to the PDPA

18 www.drewnapier.com

Such situations would also be in line with the good practice of not over-collecting data. Organisations should also consider whether there may be alternatives available that address their requirements.

45. If an organisation captures CCTV footage beyond the boundaries of its own premises, does that go beyond the Purpose Limitation Obligation?

Organisations are not strictly prohibited from installing CCTVs that collect footage beyond the boundaries of their premises. However, organisations will need to consider whether the extent of the coverage is reasonable for the purpose of installing the CCTVs.

Organisations should also place appropriate notification in all areas where personal data would be collected by the CCTVs and obtain consent for such collection, unless one of the exceptions under the PDPA applies.

On a related note, organisations should be aware of other restrictions (including legal limits on the filming of restricted areas) that may affect their ability to collect CCTV footage of areas beyond their premises.

46. Can organisations collect NRIC cards?

Yes. However, organisations will need to exercise caution when handling NRIC cards, as they contain personal data and such personal data will be subject to the Data Protection Provisions.

47. For what business purposes are organisations allowed to use NRIC numbers?

This depends on the purposes (which should be reasonable) for which consent to collect, use and disclose the NRIC numbers has been obtained by the organisation.

Organisations should note that, where NRIC numbers are used as membership numbers or user names, the disclosure of such membership numbers or user names may also result in the disclosure of NRIC numbers. In this regard, the organisation will need to consider whether it is reasonable to use the individual’s NRIC number as the membership number or user name, and also whether valid consent has been obtained from the individual concerned.

48. Can organisations publish NRIC numbers for purposes such as the results of lucky draws?

Yes, provided that valid consent has been obtained from the individuals concerned.

That said, the Commission has noted that it is good practice for organisations to publish only as much personal data as necessary to fulfil the relevant purpose. With regard to NRIC numbers, it would be sufficient in most cases to publish only a portion of the NRIC number, such as the last three digits and the letter. The full NRIC number should only be used if necessary, for example, to confirm the identity of the person coming forward to receive the lucky draw prize.
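The partial-publication practice described in question 48 can be implemented as a small masking step before results are published. The code below is an added example and is not part of the Drew & Napier supplement or the Commission’s guidelines; the NRIC shape it checks (one letter, seven digits, one letter) and the sample entries are assumptions constructed for the illustration.

```python
"""Added example (not from the supplement): publish only the last three
digits and the final letter of an NRIC number, as described for lucky-draw
results, and refuse to echo anything that is not NRIC-shaped.

Assumption: an NRIC number has the form letter + seven digits + letter
(e.g. S1234567A). The sample values below are constructed, not real.
"""
import re

# Structural check so that malformed or over-long input is never
# partially published.
_NRIC_RE = re.compile(r"^[A-Z]\d{7}[A-Z]$")


def mask_nric(nric: str, visible_digits: int = 3) -> str:
    """Return the NRIC with all but the last `visible_digits` digits and
    the final letter replaced by '*'.

    Raises ValueError when the input is not NRIC-shaped, so a bad value
    is rejected rather than partly disclosed.
    """
    value = nric.strip().upper()
    if not _NRIC_RE.fullmatch(value):
        raise ValueError("input is not NRIC-shaped")
    if not 1 <= visible_digits <= 7:
        raise ValueError("visible_digits must be between 1 and 7")
    keep = visible_digits + 1  # the visible digits plus the trailing letter
    return "*" * (len(value) - keep) + value[-keep:]


def publish_winners(entries):
    """Build the publishable list of (name, masked NRIC) pairs.

    Entries whose NRIC fails validation are returned separately so that a
    bad record is neither published nor silently dropped.
    """
    published, rejected = [], []
    for name, nric in entries:
        try:
            published.append((name, mask_nric(nric)))
        except ValueError:
            rejected.append(name)
    return published, rejected


if __name__ == "__main__":
    # Constructed sample entries; the NRIC values are not real.
    winners = [("Tan A.", "S1234567A"), ("Lee B.", "t7654321z"), ("Bad", "12345")]
    ok, bad = publish_winners(winners)
    for name, masked in ok:
        print(f"{name}: {masked}")
    print("not published:", bad)
```

The full number is kept only in the internal record used to confirm identity when the winner collects the prize; the published list never contains it.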

THE NOTIFICATION OBLIGATION

49. What do organisations have to comply with under the Notification Obligation?

Organisations must inform individuals of the purposes for which their personal data will be collected, used and disclosed in order to obtain their consent. This is important because the organisation’s collection, use or disclosure of personal data is limited to the purposes of which the individuals concerned have been notified (i.e. the Purpose Limitation Obligation).

In particular, organisations have to inform the individual of:

(a) the purposes for the collection, use or disclosure of his or her personal data, on or before collecting the personal data; or

(b) any purpose for the use or disclosure of personal data of which the individual has not been informed under (a), before such use or disclosure of personal data for that purpose.

50. How should organisations notify individuals of the purposes for the collection, use and disclosure of their personal data?

While no manner or form of notification is mandated, organisations should determine the best way to notify the individual, such that he or she is provided with all the required information to understand the purposes for which his or her personal data is collected, used or disclosed. Relevant factors to consider in such a determination include:

(a) the circumstances in which the organisation will be collecting the personal data;
(b) the amount of personal data to be collected;
(c) the frequency at which the personal data will be collected; and
(d) the medium through which the notification is provided (e.g. face-to-face or through a telephone conversation).

It is generally good practice for an organisation to state its purposes in written form (electronically or otherwise) so that the individual is clear about its purposes and both parties will be able to refer to a clearly documented statement of the organisation’s purposes in the event of any dispute.

The Commission has also suggested several best practices that organisations can adopt:

(a) organisations should draft notices that are easy to understand and appropriate to the intended audience, provide headings or clear indications of where individuals should look to determine the purposes for which their personal data would be collected, used or disclosed, and avoid legalistic terminology that would confuse or mislead individuals reading them;
(b) organisations should provide the most important or basic information (e.g. contact details of the organisation’s Data Protection Officer) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere;
(c) organisations should consider whether some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;
(d) organisations should select the most appropriate medium(s) to provide the notification (e.g. in writing through a form, on a website, or orally in person); and
(e) organisations should develop processes to regularly review the effectiveness and relevance of their notification policies and practices.

51. Can organisations use a Data Protection Policy to notify individuals of the purposes for which they collect, use and disclose personal data?

Organisations may choose to notify individuals of the purposes for which they collect, use and disclose personal data through their Data Protection Policy, which is a document setting out the organisation’s policies and procedures for complying with the PDPA.

The Data Protection Policy may be provided to individuals as required, in the form of a physical document, on the organisation’s website or in some other manner. However, the Commission recommends that where the policy is not made available to an individual as a physical document, the organisation should provide the individual with an opportunity to view its Data Protection Policy before collecting the individual’s personal data.

If an organisation’s Data Protection Policy sets out its purposes in very general terms, the organisation may need to provide a more
specific description of its purposes to a particular individual who will be providing his or her personal data in a particular situation, to provide clarity to the individual on how his or her personal data would be collected, used or disclosed.

52. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed?

The Key Concepts Guidelines provide that an organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his or her personal data. An organisation need not specify every activity it will undertake in relation to collecting, using and/or disclosing personal data when notifying individuals of its purposes, and may have regard to the following to determine the level of specificity to provide:

(a) whether the purpose is stated clearly and concisely;
(b) whether the purpose is required for the provision of products or services (as distinct from optional purposes);
(c) if the personal data will be disclosed to other organisations, how those organisations should be made known to the individuals;
(d) whether stating the purpose to a greater degree of specificity would be a help or a hindrance to the individual’s understanding of the purpose(s) for which his or her personal data would be collected, used or disclosed; and
(e) what degree of specificity would be appropriate in light of the organisation’s business processes.

53. Can organisations use and disclose personal data for a purpose different from that for which it was collected?

The organisation should first determine whether or not the ‘different’ purpose actually falls within the scope of the purposes of which the individual concerned had originally been informed.

If not, the organisation should consider whether consent can be deemed to have been given in respect of use or disclosure for that purpose. Failing that, the organisation may determine whether the purpose falls within the exceptions from consent in the Third and Fourth Schedules of the PDPA. If the purpose does fall within these categories, there is no need to obtain fresh consent.

If, however, the organisation determines that the different purpose does not fall within these categories, the organisation needs to inform the individual of the new purpose and obtain fresh consent.

54. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities?

It will not be strictly necessary to obtain consent from an individual to use his or her personal data for a research purpose as set out in paragraph 1(i) of the Third Schedule of the PDPA, if all the conditions in paragraph 2 of the Third Schedule of the PDPA are satisfied, that is:

(a) the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;
(b) it is impracticable for the organisation to seek the consent of the individual for the use;
(c) the personal data will not be used to contact persons to ask them to participate in the research; and
(d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest.

Generally, and where the exception does not apply, organisations will need to:

(a) specify research and analytics as a purpose for which the consent of an individual is sought, and obtain the individual’s consent for collection, use and/or disclosure for such purpose;
(b) rely on consent that has been given by an individual for a purpose that does not explicitly cover analytics and research, if the purpose of the analytics and research falls within the original purpose for which consent was given; or
(c) use anonymous or anonymised data to conduct the research or analytics activities (see questions 91 and 92 for more details on anonymisation).

55. Do organisations always need to notify individuals when CCTVs are deployed?

Generally, yes. Individuals will need to be notified that CCTVs are operating in the premises, as well as for what purposes, if this may not be obvious to individuals. This is because organisations will generally need to obtain their consent for the collection, use or disclosure of CCTV footage. Where there may be exceptions to the requirement to obtain consent from individuals for the collection, use or disclosure of their personal data (e.g. where the personal data is publicly available), the Commission recommends that organisations still provide notification, as a matter of best practice, where CCTVs are deployed.

While the PDPA does not prescribe the content of the notification required, organisations should put up notices or other forms of notification, for example, at points of entry or prominent locations in a venue or a vehicle, to notify individuals that CCTVs have been deployed in the premises. It is not necessary for the placement or content of the notifications to reveal the exact location of the CCTVs.

56. Do organisations need to notify individuals when the drones they use are likely to capture personal data?

Generally, yes. Organisations need to notify individuals that the drones are capturing personal data (e.g. photographs or video recordings) in the area, as well as the purposes for the collection, use or disclosure of the personal data captured by their drones. Where exceptions to the requirement to obtain consent apply, the organisation is not obliged to notify the individuals, although the Commission recommends that notice be given as a matter of good practice.

The Guidelines suggest that notifications may be placed at entry points to the operation area, at prominent locations along the flight path or at the launch site.

57. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data?

Recruitment companies, employment agencies, headhunters and similar organisations will generally need to notify individuals before collecting, using or disclosing their personal data, unless one of the exceptions under the PDPA applies.

There may be some cases, however, where a recruitment agency acts only as a data intermediary (see question 13 above). In these cases, the recruitment agency that is a data intermediary would only be subject to the provisions in the PDPA relating to the safeguarding and retention of personal data, in respect of the processing of personal data on behalf of and for the purposes of the organisation (for which it is acting as a data intermediary), pursuant to a contract with such organisation which is evidenced or made in writing.

58. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes?

This will depend on the precise scope and nature of the employment purposes in question. The PDPA does not prescribe the form or manner in which organisations are to provide an individual with the required information that allows him or her to understand the purposes for which his or her personal data would be collected, used and disclosed in the employment context. In this regard, it is possible for organisations to inform their employees of these purposes through employment contracts, employee handbooks or notices on the company intranet, for instance.

Managing or terminating the employment relationship

Generally, it would be reasonable for an organisation to continue to use personal data provided by an employee in a job application form for the purpose of managing the employment relationship with the individual. The PDPA allows employers to collect personal data from their employees, insofar as it is reasonable for the purpose of managing or terminating their employment relationships, and to use or disclose such employees’ personal data for consistent purposes, without their consent.

Importantly, however, while consent is not required, employers will need to notify employees where they are collecting the employees’ personal data for the purposes of managing or terminating the employment relationship. This is in contrast to situations where the employer may be collecting employee personal data for evaluative purposes (see below).

The Selected Topics Guidelines provide that the purposes of “managing and terminating an employment relationship” include the following:

(a) using the employee’s bank account details to issue salaries;
(b) monitoring how the employee uses company computer network resources;
(c) posting employees’ photographs on the staff directory page on the company intranet; and
(d) managing staff benefit schemes like training or educational subsidies.

However, as a matter of best practice, organisations should, upon the appointment or hiring of an employee, obtain consent from the employee to maintain that employee’s employment records.

Further, should the organisation require additional personal data, or intend to use or disclose the employee’s personal data for other purposes during the course of the employment relationship, it will also be necessary to obtain the relevant consent from the employee.

Where an organisation has sufficiently provided a general notification to employees of the purposes for which their personal data may be collected, used and disclosed, for example for performance appraisals, the Commission does not expect organisations to notify employees of the same purpose prior to each time that the organisation engages in such activities.

Evaluative purposes

An employer need not obtain consent from, or notify, an employee or prospective employee when collecting, using or disclosing personal data for evaluative purposes. Such evaluative purposes include:

(a) where an employer seeks to obtain a reference from a prospective employee’s former employer to determine his or her suitability, eligibility or qualifications for employment; and
(b) where an employer seeks to obtain performance records or other relevant information or opinions to determine the performance of an employee, or for promotion in employment or continuance in employment.

Other purposes

In relation to the collection, use or disclosure of employee personal data for other purposes
that are not relevant to the management or termination of the employment relationship, and where no other exception under the PDPA applies, an employer organisation will need to inform individuals of those purposes and obtain consent from the employee.

This includes where the employer collects, uses or discloses employee personal data for business or client purposes not related to managing or terminating an employment relationship. For instance, if an organisation provides the full name and NRIC number of an employee for the purpose of allowing a courier company to enter its office premises, the organisation will need to obtain the employee’s consent prior to disclosing the employee’s personal data. Such consent can be obtained on a case-by-case basis, or once-off through the employment contract or other appropriate means.

THE ACCESS AND CORRECTION OBLIGATIONS

59. What do organisations have to comply with under the Access and Correction Obligations?

Under the Access Obligation, upon the request of an individual, an organisation is required to provide the individual with the following as soon as reasonably possible:

(a) personal data about the individual that is in the possession or under the control of the organisation; and
(b) information about how the personal data has been or may have been used or disclosed by the organisation within a year before the individual’s request.

Under the Correction Obligation, upon receipt of a correction request, an organisation should:

(a) correct the personal data as soon as practicable; and
(b) send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction request, unless that other organisation does not need the corrected personal data for any legal or business purpose;

unless it is satisfied on reasonable grounds that the correction should not be made.

These obligations are collectively referred to as the Access and Correction Obligations in the Guidelines, as they operate together to provide individuals with the ability to verify their personal data.

60. What should organisations do to ensure that the individual can validly make an access request?

An organisation should exercise due diligence to verify an individual’s identity when it receives an access request, and is encouraged to keep documentary evidence of the verification. To facilitate the process, the organisation may set out standard operating procedures on the verification process when receiving requests for access. For example, the organisation may have a list of questions for its employees to verify the identity of the individual when handling access requests.

When a third party is making an access request on behalf of an individual, organisations receiving the access request should exercise due diligence to ensure that the third party has the legal authority to validly act on behalf of the individual.

Where two or more individuals make an access request at the same time for their respective personal data captured in the same set of records, the organisation may obtain consent from the respective individuals to disclose their personal data to each other. If such consent cannot be obtained, an organisation may provide access to the personal data to the individuals separately.

61. Are organisations obliged to comply with the Access and Correction Obligations if an individual’s personal data is not in their possession but with a data intermediary?

The Access and Correction Obligations relate to personal data in an organisation’s possession as well as personal data that is under its control (which may not be in its possession). For example, this includes personal data held by a data intermediary that is processing it under the control of the organisation.

Data intermediaries are not subject to the Access and Correction Obligations under the PDPA to the extent that they are processing the personal data on behalf of another organisation. In this regard, organisations that engage the data intermediary remain responsible for ensuring compliance with the Access and Correction Obligations under the PDPA.

Note also that a data intermediary is not obliged to forward an individual’s access or correction request to the organisation that controls the personal data.

62. Do organisations have to comply with the Access Obligation with regard to personal data embedded in emails?

An organisation’s obligation to provide access to personal data extends to personal data that has been captured in unstructured forms. Hence, personal data embedded in emails is covered by the Access Obligation. However, organisations are not required to provide access if the burden or expense of providing access is unreasonable to the organisation or disproportionate to the individual’s interest, or if the request is otherwise frivolous or vexatious.

63. What is the level of detail required when providing a response to an access request?

Request for an individual’s personal data

To be clear, an organisation is not required to provide access to documents (or systems) which do not comprise or contain the personal data in question, as long as the organisation provides the individual with the personal data that the individual requested and is entitled to have access to.

Generally, the organisation’s actual response would depend on the individual’s specific request. Under section 21(1) of the PDPA, an individual is entitled to request some or all of his or her personal data. Although the PDPA does not require that an access request be accompanied by further details clarifying the request, an organisation may in good faith ask the applicant to be more specific as to what type of personal data he or she requires, so that the organisation can respond appropriately. If the individual is unable or unwilling to provide more details, the organisation should make an attempt to respond to the access request as accurately and completely as reasonably possible in the circumstances.

Request for information about the ways personal data has been used or disclosed

As stated in section 21(1) of the PDPA, an organisation is required to provide information relating to how the personal data has been or may have been used or disclosed within the past year upon the individual’s request. In this regard, the organisation may develop a standard list of all possible third parties to whom personal data may have been disclosed by the organisation, as an alternative to providing the specific set of third parties to whom the personal data has been disclosed. Nevertheless, if a standard list is used, the organisation should update the list regularly and ensure that the information is accurate before providing the list to the individual.

Generally, in responding to a request for information on third parties to which personal data has been disclosed, the organisation should individually identify each possible third party, instead of simply providing general categories of organisations to which personal data has been disclosed. This would allow individuals to directly approach the third-party organisation to which their personal data has been disclosed.

In specifying how the personal data has been or may have been used or disclosed within the past year, organisations may provide information on the purposes rather than the specific activities for which the personal data may have been used or disclosed. For example, in the case of an audit, an organisation may
state that the personal data was disclosed for the purposes of audit, rather than describing all the instances in which the personal data has been disclosed.

When acceding to the access request, organisations are prohibited from disclosing the personal data of other individuals.

64. When are organisations not required to accept an individual’s access request?

Exceptions that are not mandatory

Under the PDPA, an organisation is not required to accede to an access request in the following non-exhaustive list of matters:

(a) examination scripts or results;
(b) a document related to a prosecution if all proceedings have not yet been completed;
(c) personal data which is subject to legal privilege;
(d) confidential commercial information that could harm the competitive position of the organisation; or
(e) any request:
i. that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
ii. if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
iii. for information that does not exist or cannot be found;
iv. for information that is trivial; or
v. that is otherwise frivolous or vexatious.

Exceptions that are mandatory

Under the PDPA, an organisation is prohibited from granting an access request in the following non-exhaustive list of matters, where access would:

(a) threaten the safety or physical or mental health of another individual;
(b) cause immediate or grave harm to the safety or physical or mental health of the requesting individual;
(c) reveal personal data about another individual (without satisfying the Consent Obligations);
(d) reveal the identity of an individual who has provided personal data about another individual, where the former does not consent to the disclosure of their identity; or
(e) be contrary to the national interest.

65. How long should organisations take in responding to an access request?

An organisation must respond to an access request as soon as reasonably possible from the time the access request is received. If an organisation is unable to respond to an access request within 30 calendar days after receiving the request, the organisation shall inform the individual in writing, within those 30 days, of the time by which it will be able to respond to the request.

66. Can organisations charge fees for an individual’s access to personal data?

Organisations may charge an individual a reasonable fee for access to personal data about the individual. The chargeable fee may take into account the incremental costs of responding to the access request. An example of such incremental costs is the cost of producing a physical copy of the personal data. In addition, the chargeable fee can reflect the time and effort required to respond to the request. However, costs incurred in capital purchases, such as the purchase of new equipment to facilitate access to the requested personal data, should not be charged.

The Commission may review a fee charged by

an organisation upon the application of an

individual. In reviewing a fee, the Commission

may consider the relevant circumstances,

including the following factors:

(a) the absolute amount of the fee;

(b) the effort and materials required to

provide the response;

(c) similar fees charged in the industry; and

(d) the incremental cost of providing access.

If the organisation decides to charge a fee to

fulfill the access request, the organisation must

give the individual a written estimate of the fee.

If the organisation wishes to charge a fee higher

than the original written estimate, it must

inform the individual in writing of the increased

fee. The organisation may refuse to provide

access to the individual’s personal data if the

individual declines to pay the access fee.

For the correction of personal data,

organisations are not entitled to impose a

charge on the individual.

67. How should organisations deal with

access requests relating to the

disclosure to a prescribed law

enforcement agency?

For situations where an organisation has

disclosed the personal data of an individual to

a prescribed law enforcement agency without

the consent of the individual, as permitted

under the PDPA, the organisation is prohibited

from informing the individual that disclosure

has been made.

68. How should organisations deal with an individual’s personal data when an access request is received?

Processing the access request

The organisation should first ensure that the individual’s personal data is not disposed of. If an organisation has scheduled periodic disposal or deletion of personal data, the organisation is to identify the requested personal data as soon as reasonably possible after receiving the access request, and preserve the requested personal data while the organisation processes the access request.

However, organisations should generally be mindful not to unnecessarily preserve personal data “just in case” to meet possible access requests, and should be mindful of their Retention Limitation Obligation (i.e. not to retain personal data indefinitely when there is no business or legal purpose to do so).

Rejecting the access request

If an organisation determines that it is appropriate to withhold requested personal data from an individual under the PDPA, the organisation should keep the withheld personal data for at least 30 days after rejecting the access request. This is to allow the individual time to seek a review of the organisation’s decision. In the event the organisation receives a Notice of Review from the Commission, the organisation should preserve the withheld data until the Commission’s review is concluded and any right of the individual to apply for reconsideration and appeal is exhausted.

For the purpose of responding to access and correction requests in writing, at least one item of the business contact information of the organisation’s designated individual should be a mailing address or an electronic mailing address.

69. How should organisations reject an access request?

If an organisation determines that it is appropriate under the PDPA to reject the request for personal data, the organisation should provide a reply to the individual. As a matter of good practice, the organisation should inform the individual of the relevant reason(s), so that the individual is aware of and understands the organisation’s reason(s) for its decision. Similarly, as a matter of good practice, the organisation should also keep a record of all access requests received and processed, and document clearly whether the requested access was provided or rejected.

70. Will the Access Obligation require organisations to accede to an individual’s request to access CCTV footage?

Yes, unless a relevant exception in the Fifth Schedule of the PDPA applies (e.g. the request is frivolous or vexatious, or the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests).

The Selected Topics Guidelines suggest that harming an organisation’s competitive position, or compromising an organisation’s security arrangements (e.g. where the provision of the personal data in the CCTV footage could reasonably be expected to threaten the safety of another individual), could be a sufficient reason to deny access to CCTV footage. In such a case, the organisation will need to ensure that it has strong justifications and supporting evidence to justify its decision to reject the individual’s request for access to the CCTV footage.

71. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage?

Where an individual requests access to CCTV footage, the organisation concerned should provide a copy of the CCTV footage to the individual. While the PDPA does not prescribe any minimum resolution for CCTV footage that is requested to be provided to individuals, given that the requirement is for the organisation to provide the personal data in its possession or under its control, the organisation should provide the CCTV footage in the form (i.e. still frames or actual footage) and at the resolution it holds for its own purposes.

In providing the individual a copy of the CCTV footage, the organisation should generally seek to mask images of other individuals who may be present in the CCTV footage. There are three common types of masking: (i) solid coloured masking; (ii) blurred masking; or (iii) pixelated masking. When solid coloured masking is used, no details in the masked area can be seen. Blurred or pixelated masking methods enable a partial outline to be seen but obscure the detailed features of the area. Although blurred or pixelated masking methods preserve the original feel of the image, individuals may still be identifiable.

Organisations have the option of requiring that individuals pay a minimal fee before acceding to any such request for a copy of the CCTV footage.

On a related note, organisations may require that the individual to whom they provide a copy of CCTV footage sign a contract agreeing not to disclose the CCTV footage provided to him or her to any third party. However, organisations should note that individuals acting in a personal or domestic capacity are not subject to the Data Protection Provisions of the PDPA.
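As an added illustration of the three masking types above (example code, not part of the guidelines), the following constructed grey-scale frame shows why a solid mask leaves no detail in the masked area while blurred or pixelated masks keep a coarse outline that can still leave a person identifiable; the frame size, the masked region and the grey values are assumptions chosen for the demonstration.

```python
"""Region masking of a still frame, as discussed for CCTV access requests.

Added example, not from the guidelines: a frame is modelled as a list of rows
of 8-bit grey values.  Three masks are shown: solid colour (no detail survives),
box blur and pixelation (block averaging).  The variance of the pixels inside
the masked region is used as a crude measure of how much detail remains.
"""
from statistics import pvariance

# A region is (top, left, height, width) in pixels.


def make_frame(height, width, figure=None, bg=20, fg=200):
    """Construct a dark frame with one bright rectangle standing in for a person."""
    frame = [[bg] * width for _ in range(height)]
    if figure:
        top, left, h, w = figure
        for y in range(top, top + h):
            for x in range(left, left + w):
                frame[y][x] = fg
    return frame


def _copy(frame):
    return [row[:] for row in frame]


def solid_mask(frame, region, value=0):
    """Solid coloured masking: every pixel in the region becomes one colour."""
    out = _copy(frame)
    top, left, h, w = region
    for y in range(top, top + h):
        for x in range(left, left + w):
            out[y][x] = value
    return out


def pixelate_mask(frame, region, block=4):
    """Pixelated masking: each block x block tile is replaced by its mean value."""
    out = _copy(frame)
    top, left, h, w = region
    for by in range(top, top + h, block):
        for bx in range(left, left + w, block):
            ys = range(by, min(by + block, top + h))
            xs = range(bx, min(bx + block, left + w))
            mean = sum(frame[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def blur_mask(frame, region, radius=2):
    """Blurred masking: box blur over the region (pixels outside it are read, not changed)."""
    out = _copy(frame)
    top, left, h, w = region
    height, width = len(frame), len(frame[0])
    for y in range(top, top + h):
        for x in range(left, left + w):
            ys = range(max(0, y - radius), min(height, y + radius + 1))
            xs = range(max(0, x - radius), min(width, x + radius + 1))
            out[y][x] = sum(frame[j][i] for j in ys for i in xs) // (len(ys) * len(xs))
    return out


def region_variance(frame, region):
    """Variance of the pixel values inside the region: 0 means no detail survives."""
    top, left, h, w = region
    return pvariance([frame[y][x] for y in range(top, top + h) for x in range(left, left + w)])


if __name__ == "__main__":
    frame = make_frame(16, 16, figure=(4, 5, 8, 6))   # constructed 16x16 frame
    region = (2, 3, 12, 10)                           # area covering the other person
    for name, masked in (("solid", solid_mask(frame, region)),
                         ("pixelated", pixelate_mask(frame, region)),
                         ("blurred", blur_mask(frame, region))):
        print(f"{name:10s} remaining detail (variance): {region_variance(masked, region):.1f}")
```

Only the solid mask drives the remaining detail to zero; the other two leave a measurable outline, which is the reason the guidelines warn that individuals may still be identifiable.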

72. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request?

Yes. The Commission has expressed its view that it would be reasonable for certain groups of individuals (e.g. a married couple, or parents of a class of students) to jointly make an access request to view CCTV footage. In such a case, where consent has been obtained from the individuals requesting the footage, no masking is required.

73. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected?

Generally, yes. A job applicant would have the right to request access to their personal data held in the possession or under the control of an organisation, to find out whether and what type of their personal data are held by the organisation, and how the organisation is using their personal data.

However, the PDPA provides for certain exceptions where an organisation need not accede to such a request by a job applicant. For example, if the personal data in question is opinion data kept solely for an evaluative purpose (e.g. opinions of management staff of the organisation which were formed about the job applicant in the course of determining his or her suitability and eligibility for the job), the organisation will not be required to provide such information to the individual.

74. When are organisations not required to accept an individual’s correction request?

Under the PDPA, an organisation is not required to accede to a correction request in the following non-exhaustive list of matters:

(a) opinion data kept solely for an evaluative purpose;

(b) examination scripts or results;

(c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;

(d) a document related to a prosecution if all proceedings have not yet been completed; and

(e) personal data kept by an arbitral or mediation institute for the purposes of proceedings conducted within that institute.

75. How should organisations reject a correction request?

If an organisation rejects a correction request, the organisation is required to annotate the personal data to indicate that a correction was requested but was not made. As a matter of good practice, the organisation should inform the individual of the relevant reason(s) why the correction should not be made.

76. How long should organisations take in responding to a correction request?

An organisation must respond to a correction request as soon as practicable from the time the correction request is received. If an organisation is unable to respond to a correction request within 30 days after receiving the request, the organisation shall inform the individual in writing within 30 days of the time by which it will be able to respond to the request.

THE ACCURACY OBLIGATION

77. What do organisations have to comply with under the Accuracy Obligation?

The Accuracy Obligation requires organisations to make reasonable efforts to ensure that personal data collected is accurate and complete, if it is likely that the personal data will be used to make a decision that affects the individual to whom the personal data relates, or the personal data is likely to be disclosed to another organisation.

In order to ensure that personal data is accurate and complete, an organisation must make a reasonable effort to ensure that:

(a) it accurately records personal data which it collects (whether directly from the individual concerned or through another organisation);

(b) personal data it collects includes all relevant parts thereof (so that it is complete);

(c) it has taken the appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness of the personal data; and

(d) it has considered whether it is necessary to update the information.

Depending on the exact circumstances at hand, in determining what may be considered a reasonable effort, an organisation should take into account factors such as the following:

(a) the nature of the data and its significance to the individual concerned (e.g. whether the data relates to an important aspect of the individual such as his or her health);

(b) the purpose for which the data is collected, used or disclosed;

(c) the reliability of the data (e.g. whether it was obtained from a reliable source or through reliable means);

(d) the currency of the data (that is, whether the data is recent or was first collected some time ago); and

(e) the impact on the individual concerned if the personal data is inaccurate or incomplete (e.g. based on the probable use of the data by the organisation, or by another organisation to which the first organisation has disclosed the data).

The Commission has noted that an organisation may not be required to check the accuracy and completeness of an individual’s personal data each and every time it makes a decision, or is likely to make a decision, about the individual. Organisations should perform their own risk assessments to ensure accuracy and completeness.

78. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources?

Personal Data collected from the individual

Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances. When in doubt, organisations can consider requiring the individual to make a verbal or written declaration that the personal data provided is accurate and complete.

Additionally, where the currency of the personal data is important, the organisation should take steps to verify that the personal data provided by the individual is up to date (for example, by requesting an updated copy of the personal data before making a decision that will significantly impact the individual).

Personal Data collected from third party sources

An organisation should be more careful when collecting personal data from a source other than the individual in question. It is allowed to take differing approaches to ascertain the accuracy and completeness of the personal data it collects, depending on the reliability of the source of the data. For example, the organisation may obtain confirmation from the source of the personal data that the source had verified the accuracy and completeness of that personal data. It may also conduct further independent verification if it deems it prudent to do so.

Similar considerations apply when deciding whether personal data should be updated. While not all types of personal data require updates, where the use of outdated personal data in a decision-making process could affect the individual, it would be prudent for the organisation to update such personal data.

79. Should organisations take extra measures to verify the accuracy of personal data of minors?

Organisations should consider taking extra steps to verify the accuracy of personal data about a minor when establishing measures to comply with the Accuracy Obligation under the PDPA, particularly in cases where such inaccuracy may have severe consequences for the minor.

THE PROTECTION OBLIGATION

80. What does it mean to make “reasonable security arrangements to protect personal data”?

To determine what may be reasonable and appropriate, the organisation should take into consideration:

(a) what type of personal data it has in its possession or under its control;

(b) in what medium the personal data has been collected (e.g. hardcopy or softcopy);

(c) who has access to the personal data;

(d) whether any personal data is or will be held or used by third parties on behalf of the organisation;

(e) what possible harm might arise from a security breach (e.g. what consequences there might be to the individual concerned if his or her personal data is obtained, modified or disposed of by an unauthorised person); and

(f) who will be responding to information security breaches.

An organisation may wish to put in place different levels of security according to the level of sensitivity of the personal data.

In practice, an organisation should:

(a) design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach;

(b) identify reliable and well-trained personnel responsible for ensuring information security;

(c) implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and

(d) be prepared and able to respond to information security breaches promptly and effectively.

81. What types of security arrangements can an organisation put in place?

A combination of administrative, physical and technical or other measures may be used, depending on what is reasonable and appropriate for an organisation (see questions 77 and 78 above).

Some examples include:

(a) setting out confidentiality obligations in all staff employment contracts;

(b) implementing staff policies and manuals on personal data protection;

(c) conducting regular staff training on how to handle personal data and updates on what types of potential threats there may be to personal data;

(d) taking disciplinary action against staff who breach confidentiality obligations;

(e) limiting the amount of personal data collected by the organisation to what is necessary (i.e. avoid holding excessive personal data);

(f) marking documents as “confidential”;

(g) storing confidential documents under lock;

(h) limiting staff access to confidential documents on a need-to-know basis;

(i) using privacy filters on laptops and computers;

(j) shredding confidential documents when no longer needed, or destroying them by other secure means;

(k) using registered post instead of normal post when delivering confidential documents;

(l) creating different layers of access to documents which contain personal data, so that personal data is accessed only when necessary;

(m) confirming the identity of an individual prior to disclosing any personal data to such individual, to ensure that the individual is the correct recipient;

(n) ensuring computer networks are secure;

(o) adopting appropriate access controls (e.g. considering stronger authentication measures where appropriate);

(p) encrypting personal data;

(q) using self-locking mechanisms for computer screens after a certain period of inactivity;

(r) installing appropriate computer security software and using suitable computer security settings;

(s) wiping personal data from IT devices before they are disposed of, sold or recycled;

(t) using the appropriate email security settings when sending or receiving highly confidential emails;

(u) regularly updating computer and IT security equipment and software; and

(v) engaging IT service providers which are able to provide the requisite standard of IT security.

Additionally, it might be useful for organisations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate.

82. Are organisations responsible if their employees do not comply with the PDPA?

Yes, insofar as the act done or conduct engaged in by the employee was in the course of his or her employment. The PDPA will treat such act or conduct as having been done or engaged in by the employer, irrespective of whether it was done or engaged in with the employer’s knowledge or approval.

That said, an organisation may not be liable for offences under the PDPA by an employee of the organisation, if it took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct that constitutes the offence.

It should be noted that, for the purposes of the PDPA, an “employee” includes a volunteer, and an employment relationship will include an unpaid volunteer work relationship.

THE RETENTION LIMITATION OBLIGATION

83. How long should an organisation retain personal data?

Organisations should assess the reasons for which they retain personal data, and regularly assess whether personal data still needs to be retained. While the Retention Limitation Obligation does not specify a fixed duration for which an organisation can retain personal data, the retention duration is assessed on a standard of reasonableness.

It should be noted that although the PDPA does not prescribe a specific retention period for personal data, organisations would need to comply with any legal or specific industry-standard requirements that may apply.

Generally, organisations should only retain personal data:

(a) if it is necessary for the purposes for which the personal data was collected; or

(b) for business or legal purposes.

With regard to (a) above, for instance, if an organisation has only obtained valid consent from an individual to collect personal data for a certain purpose (i.e. purpose A), it must not keep that personal data “just in case” it may be needed for any purposes other than purpose A.

With regard to (b) above, some examples of legal or business purposes include:

(a) for ongoing legal action involving the organisation;

(b) to comply with applicable laws and regulations, whether in Singapore or outside of Singapore, including international or regional standards; and

(c) to generate the organisation’s annual reports, performance forecasts, etc.

84. What are some recommended best practices in relation to the retention of personal data?

The Commission recommends that organisations should draw up policies which set out the retention periods for personal data. Such policies may provide for varying retention periods in respect of different types of personal data held by the organisation.

As a guide, organisations may wish to retain documents regarding their contracts for 7 years from the date of termination of the contract, as actions founded on contract will generally need to be brought within 6 years from the date on which the cause of action accrued. However, it may be necessary to retain such contracts for a longer period if there are ongoing legal proceedings or investigations regarding these contracts.

85. How long can organisations continue to hold personal data of former employees?

As mentioned in question 83 above, organisations may continue to retain personal data about former employees that were collected during their respective employment periods for as long as there is a valid business or legal purpose.

The Commission has clarified that organisations which have a policy of retaining personal data of former employees for the purpose of considering them for future job opportunities can continue to do so as a valid business purpose. However, organisations should not retain personal data without a clearly defined purpose.

86. What does it mean to “cease to retain” personal data?

There are various ways in which an organisation may cease to retain personal data.

The mere locking of documents in a cabinet or archiving personal data in electronic form(s) is considered to be retaining the documents. As far as possible, organisations should cease to retain documents in a way that renders them completely irretrievable or inaccessible to the organisation.

The Commission has indicated that it will consider whether an organisation has ceased to retain personal data in light of the following factors:

(a) whether the organisation has any intention to use or access the personal data;

(b) how much effort and resources the organisation would need to expend to use or access the personal data again;

(c) whether any third parties have been given access to the personal data; and

(d) whether the organisation has made a reasonable attempt to completely destroy, dispose of or delete the personal data permanently.

Some ways in which an organisation may cease to retain personal data include:

(a) returning those documents containing personal data to the individual concerned;

(b) transferring those documents containing personal data to another person, if instructed by the individual concerned;

(c) shredding those documents containing personal data; and

(d) anonymising the personal data, such that the remaining data can no longer be used to identify any particular individual (see questions 91 to 93 for more details on anonymisation).


THE TRANSFER LIMITATION OBLIGATION

87. What is the Transfer Limitation Obligation?

The Transfer Limitation Obligation refers to the requirement not to transfer personal data unless the transfer is made in accordance with the requirements prescribed under the PDPA. This is to ensure that organisations provide a standard of protection to personal data that has been transferred overseas which is comparable with the protection provided under the PDPA.

The requirements under which an organisation may transfer personal data overseas are specified in the regulations issued under the PDPA. In essence, an organisation may transfer personal data overseas if it has taken appropriate steps to ensure that it will comply with the PDPA while the personal data is in its possession or under its control. If the personal data is transferred to a recipient in a country or territory outside of Singapore, the recipient has to be bound by legally enforceable obligations to provide the personal data so transferred with a standard of protection that is comparable to that under the PDPA.

In this regard, legally enforceable obligations include obligations imposed on the recipient under any law, contracts, binding corporate rules, or any other legally binding instrument.

88. What are the conditions that organisations have to satisfy before transferring personal data overseas?

Organisations that intend to transfer personal data overseas must first satisfy the following conditions:

(a) ensure that the organisation complies with the PDPA while the personal data remains under its possession or control; and

(b) ensure that the foreign recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA.

To ensure that the recipient provides a standard of protection that is comparable to that under the PDPA, the transferring organisation should contract for protections regarding the various Obligations set out under the PDPA.

An organisation transferring personal data overseas is assumed to have taken appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA to personal data if:

(a) the individual whose personal data is to be transferred gives his consent to the transfer (the organisation should provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries will be protected);

(b) the transfer is necessary for the performance of a contract between the organisation and the individual (for example, if the organisation is a data intermediary of the individual pursuant to a contract between them in relation to the transfer), or is connected with the individual entering into a contract with the organisation;

(c) the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;

(d) the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA. The organisation is required to take reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose before transferring the personal data;

(e) the personal data is data in transit (e.g. data that only passes through servers within Singapore but is en route to a destination overseas); or

(f) the personal data is publicly available in Singapore.

THE OPENNESS OBLIGATION

89. What is the Openness Obligation?

The Openness Obligation is a term coined by the Commission, which generally refers to the requirement for organisations to make their data protection policies and practices available to those individuals whose personal data they collect.

This also refers to the Data Protection Provisions which make organisations accountable to individuals and the Commission for compliance with the Data Protection Provisions, by the following means:

(a) giving the right to individuals to request access to their personal data held in the possession or under the control of an organisation, to find out whether and what type of their personal data are held by the organisation, and how the organisation is using their personal data;

(b) giving the right to individuals to submit complaints to the Commission regarding an organisation’s conduct and compliance with the Data Protection Provisions;

(c) giving the right to individuals who suffer loss or damage directly as a result of an organisation’s contravention of the Data Protection Provisions to commence civil proceedings against the organisation; and

(d) empowering the Commission to take enforcement action against an organisation which has contravened any of the Data Protection Provisions.

For the purpose of ensuring that they comply with the Data Protection Provisions, organisations are required to designate one or more individuals who will take on the responsibility for ensuring such compliance. Importantly, organisations should note that such designation of responsibility does not pass legal responsibility to the individual. The organisation itself remains legally responsible for compliance with the Data Protection Provisions.

90. Are there any requirements as to whom an organisation may designate as its data protection officer?

The PDPA requires that an organisation must make available the business contact information of at least one individual designated by the organisation, who is able to answer, on behalf of the organisation, any questions relating to the collection, use or disclosure of personal data.

There is no strict necessity for an individual designated by an organisation to be an employee of the organisation, or for such individual to be physically based in Singapore. It is also generally open to the designated individual to delegate the responsibility to another individual.

Notwithstanding, the Commission recommends that the business contact information of the individual whom an organisation designates should be:

(a) a Singapore phone number;

(b) operational during Singapore business hours; and

(c) readily accessible from Singapore.

OTHER IMPORTANT CONCEPTS

91. What does it mean to anonymise personal data?

For the purposes of the PDPA, personal data may be anonymised by removing all information that can be used to identify a particular individual.

In other words, where the remaining information, whether alone or together with any other information that an organisation has or is likely to have access to, can no longer be used to identify a particular individual, such information may be said to have been anonymised.

92. How can personal data be anonymised?

The Commission has provided the following suggestions on how personal data may be anonymised:

(a) pseudonymisation: by replacing personal identifiers (such as a person’s full name) with other references (such as a randomly generated reference number);

(b) aggregation: by displaying only total values rather than individual values which could identify an individual (e.g. displaying the sum of the individual ages of the total number of individuals in a group, rather than the age of each individual specifically);

(c) replacement: by replacing specific values or a subset of specific values with a computed average or a number derived from the specific values (e.g. instead of referring to 3 individuals aged 15, 18 and 20 years old, making reference to 3 individuals aged approximately 17 years old);

(d) data suppression: by removing values that are not required for the purpose (e.g. removing an individual’s ethnicity from a data set of the individual’s attributes);

(e) data recoding or generalisation: by banding into broader categories (e.g. K1, Primary 3), or hiding the value within a given range (e.g. replacing the age ‘41’ with the range ’40-50’);

(f) data shuffling: by mixing up or replacing values with those of the same type so that information looks similar but is unrelated to the actual details; and

(g) masking: by removing certain details while preserving the look and feel of the data (e.g. representing an NRIC number as ‘S0XXXX45A’ instead of ‘S0122445A’).

It should be noted, however, that the application of the above anonymisation techniques may not render a data set fully anonymised, or anonymised in perpetuity, and there remains a risk that anonymised data can be used to re-identify particular individuals (see question 93 below).

Where there is more than a trivial possibility of so-called anonymised data being re-identified, such data may still be regarded by the Commission as personal data (see questions 93 and 94 below).

93. What are some challenges and limitations in anonymising data?

Reduced functionality or usefulness of data

When data is stripped of too many personal identifiers, the data may lose its usefulness, and an organisation may be denied the potential uses for the data which it has collected.

Accordingly, before anonymising data, an organisation should consider whether the anonymised data would still be suitable for its intended purposes.

Risk of re-identification

It should be noted that the application of anonymisation techniques (such as those described in question 92 above) may not render a data set fully anonymised, or anonymised in perpetuity.

There remains a risk that anonymised data can be used to re-identify particular individuals when it is combined with other information that the organisation has or is likely to have access to.

Generally, re-identification involves identifying an individual beyond doubt.

Where data is capable of re-identification, it will generally be considered as personal data, and will be subject to the Data Protection Provisions.

By way of illustration, while a resultant data set derived from the application of anonymisation techniques may itself be anonymised for the time being, if such resultant data set can still be combined with other information that an organisation has or is likely to have access to, in order to identify particular individuals, the combination of this resultant data set and the other information will, when taken together, still constitute personal data. In such a case, given that the organisation retains the ability to re-identify individuals from the de-identified data, the organisation will be considered to be holding personal data.

Likewise, where an anonymised resultant data

set is disclosed to another organisation, and

that other organisation is able to combine the

data set that it has received with other

information that it has, or is likely to have

access to, to identify/re-identify particular

individuals, the anonymised data set and the

other information will, when taken together,

still constitute personal data.

94. Under what circumstances might data be considered to have been re-identified?

While various factors, such as educated guessing, cross-relating information in anonymised data sets, public knowledge or information about groups of people, may increase the possibility of re-identification, it does not necessarily follow that the Commission will always consider the data concerned as personal data.

Importantly, if there remains only a trivial risk of re-identification, the data concerned will not be considered as personal data.

Educated guessing

The fact that a person making an educated guess, by matching public or established information with anonymised data, can narrow down the possible identities of particular individuals and potentially make a successful guess may not in itself mean that the data is personal data.

For instance, an organisation publishes a list of masked NRIC numbers of the winners of a lucky draw which reveal only the first 3 digits of the NRIC numbers. Since the first two digits typically reveal one’s birth year, it could be ascertained that one of the winners was 22 years of age. On the same day, it is reported in the newspapers that the two youngest participants in the lucky draw were both 22 years of age. By matching this information, a person may therefore make an educated guess that one of these two participants was the lucky draw winner. However, to the extent that it is unclear which of these two participants might have been the lucky draw winner, there is no re-identification.

Cross-relating information in anonymised data sets

A person may be able to identify an individual by cross-relating information from two separate anonymised data sets which contain similar information. However, if such an individual ultimately remains an unknown individual, there would be no re-identification and the data will not be regarded as personal data.

For instance, Data Set A refers to an individual #10147, who has the following characteristics: male, blood type A, age 45, weight 88.8kg, height 1.89m. Data Set B refers to an individual #58965, who has the following characteristics: male, blood type A, weight 88.8kg, height 189cm, suffering from hypertension. In such a case, while a person having access to both data sets may be able to cross-relate the information in these two data sets and establish that the two data sets relate to the same individual, such a person is unable to identify who that individual actually is. Accordingly, there is no re-identification and the data will not be regarded as personal data.

Public knowledge

In ascertaining the re-identification risks of an anonymised data set, it will be important to take into account the use of public knowledge (such as established facts) or information that is readily available to the public (such as information in telephone directories or society membership listings).

If an individual can be easily re-identified when public knowledge or information is combined with anonymised data, this will present significant re-identification risks.

Personal knowledge

Having personal knowledge would not generally amount to a high re-identification risk for an anonymised data set.

The Specific Topics Guidelines state that, just because an individual himself or herself, or someone close to him or her, is able to identify him or her from an anonymised data set, this does not necessarily mean that that anonymised data set is personal data.

However, the risk of a person with special knowledge re-identifying any individual from the data must still be accounted for in the risk assessment exercise.

Information about groups of people

Information about groups of people may not constitute personal data if it does not identify any particular individual within the group. However, such information may reveal the personal data of an individual when combined with other information, and thereby present re-identification risks.

For example, an anonymised data set relating to a group of individuals living within a postal code reveals that they are all HIV-positive. While no individual was identified, the information reveals the personal data of any one of the individuals known to be living there. Hence, if it becomes known that a person (person A) lives in that postal code, then it would also be known that person A is HIV-positive. In such a case, the anonymised data set relating to this group of individuals will be considered as personal data, when its combination with other information or knowledge can reveal personal data of an individual.
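The scenarios of question 94 (the guess narrowed to two candidates, the two cross-related data sets with heights in different units, and the group that all share one sensitive value) expressed as checks a data holder can run over a release before disclosing it. This is an added example, not code from the FAQ; the #10147/#58965 rows reproduce the FAQ’s illustration, and every other row, the postal codes and the field names are constructed for the example.

```python
"""Re-identification risk checks on constructed anonymised releases: a guess
narrowed to a few candidates, two data sets cross-related, a homogeneous group."""
from collections import defaultdict

# Constructed data. The "#10147" / "#58965" rows reproduce the FAQ's Data Set A /
# Data Set B illustration; every other row and value is made up for this example.
DATA_SET_A = [
    {"id": "#10147", "sex": "male", "blood": "A", "age": 45, "weight": "88.8kg", "height": "1.89m"},
    {"id": "#10148", "sex": "female", "blood": "O", "age": 31, "weight": "61.0kg", "height": "1.65m"},
]
DATA_SET_B = [
    {"id": "#58965", "sex": "male", "blood": "A", "weight": "88.8kg", "height": "189cm", "condition": "hypertension"},
    {"id": "#58966", "sex": "female", "blood": "B", "weight": "70.2kg", "height": "172cm", "condition": "none"},
]
POSTAL_RELEASE = [
    {"postal": "560123", "status": "HIV-positive"},
    {"postal": "560123", "status": "HIV-positive"},
    {"postal": "560124", "status": "HIV-positive"},
    {"postal": "560124", "status": "HIV-negative"},
]
LINK_FIELDS = ("sex", "blood", "weight", "height")


def to_cm(value):
    """Normalise '1.89m', '189cm' or a bare number to whole centimetres."""
    s = str(value).strip().lower()
    if s.endswith("cm"):
        return round(float(s[:-2]))
    if s.endswith("m"):
        return round(float(s[:-1]) * 100)
    return round(float(s))


def to_kg(value):
    """Normalise '88.8kg' or a bare number to kilograms with one decimal."""
    s = str(value).strip().lower()
    return round(float(s[:-2] if s.endswith("kg") else s), 1)


def qi_key(record, fields):
    """Canonical tuple of a record's quasi-identifiers, units normalised."""
    normalise = {"height": to_cm, "weight": to_kg}
    return tuple(normalise.get(f, lambda v: v)(record.get(f)) for f in fields)


def equivalence_classes(records, fields):
    """Group records that are indistinguishable on the given fields."""
    classes = defaultdict(list)
    for r in records:
        classes[qi_key(r, fields)].append(r)
    return classes


def smallest_class(records, fields):
    """Size of the smallest indistinguishable group: 1 singles out one person,
    2 is the lucky-draw case (a guess between two candidates, not re-identified)."""
    return min(len(m) for m in equivalence_classes(records, fields).values())


def homogeneous_groups(records, group_fields, sensitive):
    """Groups whose members all share one sensitive value; anyone known to be
    in such a group has that value revealed (the postal-code example)."""
    found = {}
    for k, members in equivalence_classes(records, group_fields).items():
        values = {m[sensitive] for m in members}
        if len(values) == 1:
            found[k] = values.pop()
    return found


def cross_relate(set_a, set_b, fields):
    """(id_a, id_b) pairs where a B record matches exactly one A record on all
    linking fields: the rows describe the same person, identified or not."""
    index = equivalence_classes(set_a, fields)
    links = []
    for rb in set_b:
        matches = index.get(qi_key(rb, fields), [])
        if len(matches) == 1:
            links.append((matches[0]["id"], rb["id"]))
    return links


def assess(release, fields, sensitive=None, prior_release=None):
    """Risk summary a data holder can review before disclosing a release."""
    report = {"smallest_class": smallest_class(release, fields)}
    if sensitive is not None:
        report["homogeneous_groups"] = homogeneous_groups(release, fields, sensitive)
    if prior_release is not None:
        report["links_to_prior_release"] = cross_relate(prior_release, release, fields)
    return report


if __name__ == "__main__":
    print(assess(DATA_SET_B, LINK_FIELDS, prior_release=DATA_SET_A))
    print(assess(POSTAL_RELEASE, ("postal",), sensitive="status"))
```

A link in the report shows that the two rows relate to the same individual, which is the FAQ’s point; whether that amounts to re-identification then turns on what other information the holder of both sets has access to.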

95. How can organisations assess the risk of re-identification?

As a guide, the Commission has suggested that some factors which organisations should consider in assessing whether anonymised or de-identified data may be subsequently used to re-identify individuals include:

(a) the type of data de-identified;

(b) the amount of alteration the data has been subject to in the course of anonymisation;

(c) the degree and standard of the anonymisation process;

(d) whether the data is disclosed to a specific recipient whose motivations, re-identification capabilities, and other information in possession of that recipient are known or can be reasonably inferred;

(e) the ease of access to, and volume of, other information (such as complementary information) available or likely to be available;

(f) the organisation’s capability to re-identify individuals (e.g. computing power and availability of data-linking techniques, having access to complementary information or having specialised skills or technologies that enable re-identification);

(g) the motivations for re-identification (in this regard, the Commission has suggested that it may be useful for organisations to apply a ‘motivated intruder test’); and

(h) other risks that subject the data to re-identification risks, including ‘residual’ risks that are not directly related to a recipient’s motivation and capability to re-identify (e.g. risks of the data being compromised or mistakenly disclosed to unintended recipients such as people with better ability of re-identification).

Motivated intruder test

The motivated intruder test considers whether individuals can be re-identified from anonymised data by someone who is motivated, reasonably competent, has access to standard resources such as the Internet and published information such as public directories or national archives, and employs standard investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject.

The motivated intruder test assumes that no particular individual has been targeted for identification and that the intruder does not resort to criminality or any specialist equipment or skills.

The test should accommodate the features of the intended recipient organisation and assess the totality of the risk management controls applicable to the recipient organisation. This refers to both technical measures as well as legal, regulatory or organisational measures.

96. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification?

At this stage, organisations are expected to perform reasonable assessments of re-identification risks if they are intending to disclose any anonymised data sets. Such risk assessments must be commensurate with the nature of the data being anonymised and other relevant factors (see question 95 above).

The Commission does not, however, expect organisations to anticipate what is yet unknown in such risk assessments.

Accordingly, should an organisation breach the PDPA as a result of re-identification, the Commission may be prepared to take into consideration an organisation’s efforts to reduce re-identification risks as a mitigating factor in assessing its liability for such breach.

97. What is the correlation between the motivation for re-identification and the risk of re-identification?

In the scenario where two organisations have similar motivations for re-identification of certain data, the organisation (Organisation A) that possesses complementary information, specialised skills or technologies would more likely be capable of re-identifying individuals from that data (and thereby have a higher risk of re-identifying the data) than the other organisation (Organisation B) that does not have access to this information, or to these skills or technologies. In such a case, there is a higher risk of re-identification by A.

However, it may not necessarily follow that the risk of re-identification will be higher where an organisation has the requisite skills and information for re-identification.

In a different scenario, Organisation A may have little motivation to re-identify an individual owing to disincentives, such as regulatory or other legal (e.g. contractual) obligations or consequences for re-identifying individuals from the data, which will serve to negate any incentive or benefit that Organisation A may derive when it re-identifies an individual. Here, although Organisation A may possess complementary information, specialised skills or technologies which may make it more capable of re-identifying individuals, this may not necessarily mean that the risk of re-identification by Organisation A will be higher than that by Organisation B, which may be highly motivated to carry out re-identification.

98. How can organisations lower the risk of re-identification?

Broadly speaking, the impracticality of re-identification can act as a deterrent to any motivation for re-identifying anonymised data, and may consequently lower the risk of re-identification.

The risks of re-identification of data may be lowered in various ways, including:

(a) by employing robust anonymisation techniques;

(b) by limiting the number of people to whom the anonymised data is disclosed;

(c) by imposing additional enforceable restrictions on the use and subsequent disclosure of the anonymised data;

(d) by implementing processes to govern proper use of the anonymised data in line with the restrictions (e.g. access restrictions);

(e) by implementing processes and measures for the destruction of anonymised data as soon as they no longer serve any business or legal purpose; and

(f) by putting in place controls to limit the data users’ or recipients’ access to “other information” that could re-identify the anonymised data.

SCOPE OF THE DNC PROVISIONS

99. To whom are the DNC Provisions applicable?

The Do Not Call provisions, which are set out in Part IX of the PDPA, apply to all persons. This includes individuals, companies, associations and any incorporated or unincorporated bodies of persons.

Generally, the DNC Provisions apply to a person sending a “specified message” if that person is a “sender” (see questions 100 and 101 below), and:

(a) sends the specified message when they are in Singapore at the time the message is sent; or

(b) sends the specified message to a recipient who is in Singapore at the time the message is accessed.

If the sender and recipient are both not in Singapore at the time the message is sent and accessed respectively, the DNC Provisions will not apply.

For instance, in the scenario where an individual is subscribed to a Singapore telecoms service provider and, when he or she travels to London, receives a specified message from a London telecoms operator, the DNC Provisions will not apply.

In the scenario where the same individual travels to London and receives a specified message from his bank which is located in Singapore, the DNC Provisions will apply to the sending of such specified message by the bank.

In the scenario where the same individual, while in Singapore, receives a specified message through an overseas number from his bank which is located in Singapore, but which has outsourced its marketing operations to an overseas call centre and authorised such overseas call centre to send the specified message, the DNC Provisions will apply to the sending of such specified message by the bank using the overseas number.

100. The DNC Provisions apply to “specified messages”. What are “specified messages”?

Generally, specified messages are messages which have one or more of the following purposes:

(a) to advertise, promote or offer to supply or provide: (i) goods or services; (ii) land or an interest in land; or (iii) a business or investment opportunity;

(b) to advertise or promote a supplier or provider, or a prospective supplier or provider of: (i) goods or services; (ii) an interest in land; or (iii) a business or investment opportunity; or

(c) any other purposes as may be prescribed under the PDPA which are related to obtaining or providing information.

Notably, a message can constitute a specified message even if:

(a) the above-mentioned goods, services, land, interest in land and/or business or investment opportunity do not exist; or

(b) it may be unlawful to acquire such goods, services, land or interest or take up the opportunity referred to in the message.

To determine whether the message is being sent for any of the above purposes, a person should take into consideration the content and presentation of the message. This includes the telephone number from which the message was sent, as well as any content that may be obtained through the message, such as any numbers, URLs or contact information which are set out in the message.

Exclusions

It should be noted, however, that certain categories of messages are expressly excluded from the definition of “specified messages”. These exceptions are set out in the Eighth Schedule of the PDPA, and include:

(a) messages sent by a public agency (e.g. Government ministries, tribunals appointed under written law and certain statutory bodies) under, or to promote, any programme carried out by any public agency which is not for a commercial purpose;

(b) messages sent by an individual acting in a personal or domestic capacity;

(c) messages which are necessary to respond to an emergency that threatens the life, health or safety of any individual;

(d) messages which have, as their sole purpose, to provide for:

i. the facilitation, completion or confirmation of a transaction that the recipient has previously agreed to enter into with the sender;

ii. the provision of warranty information, product recall information or security information with respect to a product or service purchased or used by the recipient of the message;

iii. the delivery of goods or services, including any product updates or upgrades, that the recipient of the message is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender;

iv. the notification of any change in the terms or feature of, or standing or status of the recipient of the message with respect to, a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of the goods or services offered by the sender;

v. the provision, at regular periodic intervals, of account balance information or other types of account statements with respect to a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of the goods or services offered by the sender;

vi. the conduct of market research or market survey; or

vii. the sending of a message with the sole purpose of responding to a request from an individual for information about a good or service; and

(e) messages sent to an organisation (as opposed to an individual in a personal or domestic capacity) for any purpose of the receiving organisation (e.g. business to business (“B2B”) marketing messages).

It may also be noted that messages that are sent solely to promote an employment opportunity, to solicit donations for a charitable cause or to promote a political cause, and without any marketing elements, would not be regarded as a specified message.

B2B marketing messages

As one of the excluded messages specified in the Eighth Schedule relates to messages sent to an organisation other than an individual acting in a personal or domestic capacity, for any purpose of the receiving organisation, this exclusion addresses B2B marketing messages, which generally include the sending of messages relating to the marketing of goods and services by one company to another company.

For instance, organisation A may call an employee of organisation B using the business contact details of such employee which it obtained from B’s website to promote organisation A’s product. Such a message would generally fall within exception (e) above, and would not constitute a specified message for the purposes of the DNC Provisions.

However, if organisation A, while speaking with the employee of organisation B, asks such employee whether he or she may be interested in purchasing another of organisation A’s products for his or her personal use, such a message would constitute a specified message for the purposes of the DNC Provisions.

Surveys and market research

The Commission notes in the DNC Guidelines that persons who conduct market research or market surveys may wish to provide some form of gift as a form of reward or expression of thanks to individuals participating in the survey. In this regard, the Commission is generally prepared to accept that the offer or provision of a gift does not constitute an offer to supply goods or services. Persons should act in good faith and not attempt to disguise a specified message in the form of the provision of a “gift”.

Ongoing relationship

An ongoing relationship between the individual and the sender could be in the form of commercial or non-commercial relationships. Factors that can be taken into account when determining an ongoing relationship could include the frequency of visits and whether the individual has signed up for a package. It should be noted that once-off transactions are insufficient to establish an ongoing relationship.

Responding to information requests

Where the request for information is from a third party, the person should, as good practice, exercise the appropriate due diligence to confirm that the individual had made such a request for information (e.g. through written confirmation or reasonable conclusion due to circumstances). If such confirmation cannot be obtained and therefore consent is not clear and unambiguous, the person must comply with the DNC Registry provisions if it wishes to send specified messages.

101. The DNC Provisions apply to “senders”. Who are “senders”?

A sender refers to any person who:

(a) actually sends or makes a voice call containing a message;

(b) causes a message to be sent or a voice call containing a message to be made; or

(c) authorises the sending of a message, or making of a voice call containing a message.

102. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending?

In addition to the person who actually sends the message or makes the call containing the message, persons who cause or authorise the sending of the message or the making of the call are also senders for the purposes of the DNC Provisions.

Deeming provisions under the PDPA

A person (i.e. person A) might be deemed to be responsible for a specified message that he or she is not actively involved in sending where he or she has authorised another person (i.e. person B) to promote his or her goods, services, land, interest in land and/or business or investment opportunity (i.e. send a specified message).

However, if person A takes reasonable steps to prevent person B from sending any specified message for the purpose of promoting person A’s goods, services, land, interest in land and/or business or investment opportunity, person A may not be deemed under the PDPA to have authorised person B to send the specified message for those purposes.

The question of whether reasonable steps have been taken by person A will depend on the specific facts. For instance, in a contract between person A and person B, if it is expressly stated that person B “shall not send any message, whether in sound, text, visual or other form, to a Singapore telephone number to promote A’s services unless expressly permitted in writing by A”, this could be regarded as a reasonable step taken by person A to prevent person B from sending a specified message.

Express exclusions under the PDPA

The PDPA provides certain express exclusions, where a person who is not actively involved in sending a specified message will, by default, not be presumed to have sent such message. Under the PDPA, the following persons are presumed not to have sent or authorised the sending of a message, unless otherwise proved:

(a) telecoms service providers who merely provide a service that enables the sending of a specified message; and

(b) owners or authorised users of a telecoms device, service or network that was used to send a specified message, if that device, service or network was controlled by a person without the knowledge of the owner or authorised users at the relevant time.

Defence for employees

On a related note, an employee who sends a specified message in contravention of the DNC Provisions may have a defence under the PDPA, if such an employee can prove that he or she acted or engaged in conduct in good faith in the course of his or her employment, or in accordance with instructions given to him or her, by or on behalf of his or her employer, in the course of his or her employment. The defence is not available to an “officer” of an organisation that may have committed an offence under the DNC Provisions.

103. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number?

Currently, yes. The Minister may, however, prescribe other telephone numbers to be subject to the DNC Provisions.

It should be noted that the messages sent to a “Singapore telephone number” include voice calls, text messages or any data applications (such as WhatsApp, Viber, iMessage) which use a Singapore telephone number.

OBLIGATIONS AND DUTIES UNDER THE DNC PROVISIONS

104. What does a person need to do before sending a specified message?

Generally, a person that intends to send a specified message to a Singapore telephone number should check the relevant DNC Register before sending such message (see question 105 below), and confirm that the Singapore telephone number is not listed in the DNC Register before sending such message.

However, it will not be necessary to check the DNC Register if valid, clear and unambiguous consent of the user or the subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number (see question 109 for more details).

Furthermore, in instances where the Singapore telephone number was obtained through third party sources, a person that intends to send a specified message could obtain from the third party source evidence of clear and unambiguous consent given by the individual.

105. Is it necessary to check the DNC Register every time a specified message is proposed to be sent?

No. Generally, after a person has checked whether a number is registered on a DNC Register, these results will be valid for a certain period (“Validity Period”), as follows:

(a) for results received between 2 January 2014 and 31 May 2014 (both dates inclusive), these results will be valid for 60 days from the receipt of the results;

(b) for results received between 1 June 2014 and 1 July 2014 (both dates inclusive), these results will be valid until 31 July 2014; and

(c) for results received from 2 July 2014 onwards, these results will be valid for 30 days from the receipt of the results.

Hence, if a person wishes to send a specified message to the same telephone number (that it has confirmed is not registered on the DNC Register) during the Validity Period, it will not be necessary to re-check if the telephone number is registered on the DNC Register until the expiry of the Validity Period.

Further, as mentioned above, it is generally not necessary to check the DNC Register if clear and unambiguous consent of the user or the subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number.

106. What happens when a person who had previously given consent to receive specified messages subsequently withdraws such consent?

The withdrawal of any consent given by a user or subscriber of a Singapore telephone number for the purposes of the DNC Provisions on or after 2 July 2014 must be effected within 30 days.

Therefore, even if a specified message is sent to a user or subscriber of a Singapore telephone number a few days after such user or subscriber has withdrawn his or her consent to receive specified messages, this may not amount to a contravention of the DNC Provisions.

107. A person has previously given consent to receive specified messages, but subsequently registers his or her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person?

Yes, the consent is still valid. It is possible to send specified messages to a Singapore telephone number, without first checking the relevant DNC Register, where the user or subscriber of that telephone number has previously given clear and unambiguous consent to receive specified messages which can continue to be relied upon.

Therefore, if a user or subscriber of a telephone number no longer wishes to receive specified messages from a particular person to whom such user or subscriber had previously given his or her consent, it would not be sufficient to register that telephone number on the relevant DNC Register, as the addition of the telephone number is not regarded as a withdrawal of consent for the purposes of the DNC Provisions.

A user or subscriber may withdraw clear and unambiguous consent by providing notice to the person, who must effect a withdrawal of consent within the prescribed period.
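The pre-send workflow of questions 104 to 107 as a small decision helper: consent first, otherwise a DNC Register result that is still within its Validity Period. This is an added example, not code from the FAQ or from the Commission; the Validity Period dates are those stated in question 105, while the day-counting convention, the record layout and the sample telephone numbers are assumptions made for the example.

```python
"""Decision helper for the DNC Register workflow in questions 104 to 107.
The Validity Period dates come from the FAQ; the day-counting convention, the
record layout and all sample numbers are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DNC_IN_FORCE = date(2014, 1, 2)


def result_valid_on(result_date, today):
    """Whether a DNC Register result received on result_date is still within
    its Validity Period on 'today'. Convention assumed here: 'valid for N days
    from receipt' covers the day of receipt and the following N-1 days."""
    if result_date < DNC_IN_FORCE or today < result_date:
        return False
    elapsed = (today - result_date).days
    if result_date <= date(2014, 5, 31):      # 2 Jan 2014 to 31 May 2014
        return elapsed < 60
    if result_date <= date(2014, 7, 1):       # 1 Jun 2014 to 1 Jul 2014
        return today <= date(2014, 7, 31)
    return elapsed < 30                       # 2 Jul 2014 onwards


def withdrawal_deadline(notice_date):
    """Q106: a withdrawal of consent must be effected within 30 days."""
    return notice_date + timedelta(days=30)


@dataclass
class NumberRecord:
    """What a sender holds about one Singapore telephone number (constructed)."""
    number: str
    consent_date: Optional[date] = None        # clear, unambiguous, evidenced
    withdrawal_notice: Optional[date] = None   # user/subscriber gave notice
    dnc_result_date: Optional[date] = None     # last Register check received
    dnc_listed: Optional[bool] = None          # what that check returned


def consent_relied_on(rec, today):
    """Q107: consent stays valid even if the number is later added to the DNC
    Register; only notice of withdrawal ends it. This helper stops relying on
    consent from the notice date although the sender has 30 days to effect it."""
    if rec.consent_date is None or rec.consent_date > today:
        return False
    return rec.withdrawal_notice is None or today < rec.withdrawal_notice


def may_send(rec, today):
    """(allowed, reason) for sending a specified message to rec.number today."""
    if consent_relied_on(rec, today):
        return True, "valid consent held; no Register check needed (Q104, Q107)"
    if rec.dnc_result_date is None or not result_valid_on(rec.dnc_result_date, today):
        return False, "no Register result within its Validity Period; check first (Q105)"
    if rec.dnc_listed:
        return False, "number is listed on the DNC Register"
    return True, "number not listed and result still within Validity Period"


if __name__ == "__main__":
    today = date(2017, 3, 20)
    samples = [  # constructed records; the numbers are placeholders
        NumberRecord("9XXX XXXX", consent_date=date(2016, 5, 1), dnc_listed=True),
        NumberRecord("8XXX XXXX", dnc_result_date=date(2017, 3, 1), dnc_listed=False),
        NumberRecord("8XXX XXXX", dnc_result_date=date(2017, 1, 10), dnc_listed=False),
    ]
    for rec in samples:
        print(rec.number, may_send(rec, today))
```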

108. Who can withdraw consent in respect of a telephone number?

Either a user or subscriber of a Singapore telephone number may withdraw consent to receive specified messages using that telephone number.

In cases where the user of the telephone number is not the subscriber of the Singapore telephone number, the subscriber may withdraw consent which had been given by the user of the telephone number.

109. What would constitute valid consent for the purposes of the DNC Provisions?

Requirements regarding consent

In order for consent to be regarded as valid, it must satisfy the following conditions:

(a) if the consent was sought as a condition for supplying goods, services, land, interest in land and/or business or investment opportunity, the consent sought must not have been more than what is reasonable to provide such goods, services, land, interest in land and/or business or investment opportunity to that user or subscriber;

(b) it must not have been obtained by providing false or misleading information or by using deceptive or misleading practices; and

(c) it must be clear and unambiguous (see below).

Consent from a user or subscriber will no longer be regarded as valid if the user or subscriber was prohibited from withdrawing his or her consent.

Clear and unambiguous consent

The DNC Guidelines provide that the following facts will need to be considered to determine if the consent is, in fact, clear and unambiguous:

(a) whether the person had notified the user or subscriber clearly and specifically that specified messages would be sent to his or her Singapore telephone number; and

(b) whether the user or subscriber gave consent to receive specified messages through some form of positive action.

For the latter, the failure to opt out through inaction on the part of the user or subscriber would not usually be enough to amount to taking positive action (see question 20 above).

The Commission recommends that “clear and unambiguous” consent would generally require that the consent be evidenced:

(a) in writing – such as using a physical or electronic form; or

(b) in a form that is accessible for future reference – for instance, by capturing the consent given in an audio or video recording. The consent must be captured in a manner or form that can be retrieved and reproduced at a later time in order to confirm that such consent was obtained.

110. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid?

Yes, such consent would be valid and would exempt a person from having to check the DNC Register prior to sending a specified message, provided that:

(a) the consent has not been withdrawn; and

(b) the consent is valid and is clear and unambiguous and evidenced in written or other form (see question 109 above).


10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315

Tel: +65 6535 0733 Fax: +65 6535 4906 www.drewnapier.com

The Drew & Napier TMT Team

Lim Chong Kin, Director, Head (Telecoms, Media & Technology)

Chong Kin practices corporate and commercial law with strong emphasis in the specialist areas of TMT law and competition law. He regularly advises on regulatory, licensing, competition and market access issues. Apart from his expertise in drafting “first-of-its-kind” competition legislation, Chong Kin also has broad experience in corporate and commercial transactions including mergers and acquisitions. He is widely regarded as a pioneer in competition practice in Singapore and the leading practitioner on TMT and regulatory work. Chong Kin has won plaudits for “[understanding] regulatory thinking like no other lawyer in the field” (Asia Pacific Legal 500); has been recognised as “incisive, insightful and knowledgeable” (Chambers Asia Pacific 2017: Band 1 for TMT); and has been endorsed for his excellence in regulatory work and competition matters: Practical Law Company’s Which Lawyer Survey 2011/2012; Who’s Who Legal: TMT 2016 and Who’s Who Legal: Competition 2016. Asialaw Profiles 2016 notes: “Lim Chong Kin’s work is consistently exceptional.”

Tel: +65 6531 4110 • Fax: +65 6535 4864 • Email: [email protected]

Charmian Aw, Director

Charmian is a Director in Drew & Napier’s TMT Practice Group. She is frequently involved in advising companies on a wide range of corporate, commercial and regulatory issues in Singapore. Charmian has also been actively involved in assisting companies on Singapore data protection law compliance, including reviewing contractual agreements and policies, conducting trainings and audits, as well as advising on enforcement issues relating to security, access, monitoring, and data breaches. She is also a co-chair of the International Association of Privacy Professionals (IAPP) KnowledgeNet chapter in Singapore, and is a Certified Information Privacy Professional for Europe, the United States, and Asia (CIPP/E, CIPP/US, CIPP/A). Charmian is recommended for corporate-related TMT and data privacy work by The Asia Pacific Legal 500, and Who’s Who Legal: TMT.

Tel: +65 6531 2235 • Fax: +65 6535 4864 • Email: [email protected]