2017 Revised Edition
A Supplement: FAQs on the Advisory Guidelines for Key Concepts and Selected Topics
All enquiries should be addressed to:
Lim Chong Kin Director & Head, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Tel: +65 6531 4110
Fax: +65 6535 4864
Email: [email protected]
COPYRIGHT
© 2017 Drew & Napier LLC
First Published 2013
Second Edition Published 2017
All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or
transmitted, in any form or by any means, whether electronic or mechanical, including photocopying
and recording, without the permission of the copyright holder.
IMPORTANT DISCLAIMER: We have sought to state the law as at 6 February 2017. Drew & Napier LLC
accepts no liability for, and does not guarantee the accuracy of, information or opinion contained in
this document. This document covers a wide range of topics and is not intended to be a
comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not
be treated as a substitute for specific advice on specific situations.
Published by
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Printed in Singapore
Your Guide to the
Personal Data Protection Act
2012
A Supplement: FAQs on the Advisory Guidelines to the PDPA
Editors:
LIM Chong Kin
Director, Head (Telecoms, Media and Technology Law Practice Group)
and Head (Competition and Regulatory
(Contentious and Non-contentious) Practice Group)
LL.B. (Hons), LL.M. (NUS); Advocate and Solicitor (Singapore)
Admitted to the Roll of Solicitors (England & Wales)
Charmian AW
Director
LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)
Certified Information Privacy Professional (Asia) (CIPP/A)
Certified Information Privacy Professional (Europe) (CIPP/E)
Certified Information Privacy Professional (US) (CIPP/US)
2017 Revised Edition
About Drew & Napier LLC
Drew & Napier LLC has provided exceptional legal advice and representation to discerning clients
since 1889 and is one of the leading and largest law firms in Singapore.
The calibre of our work is acknowledged internationally at the highest levels of government and
industry. Our lawyers and senior counsel are the preferred choice when the stakes are high and the
issues complex.
The firm possesses unparalleled transactional, licensing and regulatory experience in data protection
law as well as the Telecommunication, Media and Technology, and postal sectors in Singapore, which
it attributes to its Telecommunications, Media and Technology Practice Group, led by Lim Chong Kin.
Drew & Napier assists clients in a wide range of data protection matters including data protection
review; training; compliance audits; and advisory. Since 2013, the firm has been appointed by the
Personal Data Protection Commission as its external legal and regulatory advisors, which speaks
volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its
clients.
For more information on Drew & Napier LLC, please visit www.drewnapier.com.
Drew & Napier’s expertise in Data Protection Law – How We Can Help You
We regularly advise and assist MNC clients on data protection concerns in respect of their Singapore
operations. Our MNC clients include telco operators and Internet companies (ranging from social
networking sites to mobile device manufacturers to software developers). Our work for clients includes:
• Adapting global policies for data privacy and consumer protection for clients’ Singapore
operations and offices.
• Wide-ranging advice on the existing Singapore data protection regime.
• Advising on ad-hoc queries relating to potential or actual privacy breaches and the necessary
disclosure requirements and remedial actions in Singapore.
• Advising on data protection concerns relating to the introduction of novel telecommunication
services in the Singapore market.
We are also regularly engaged by MNCs as well as local clients across industries (including airlines,
manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet companies to
conduct regulatory risk audits of their business operations to highlight potential areas of non-
compliance and to assist in the rectification of any problematic agreements and conduct. Our team
of lawyers is also experienced in conducting compliance audits of business practices, existing legal
agreements, and informal business arrangements.
In developing compliance programmes for our clients, we further value-add by creating manageable,
staff-level compliance manuals and training programmes to ensure that our clients are in a position to
operationalise their compliance procedures on a day-to-day basis.
Contents
Introduction to the Advisory Guidelines on the Personal Data Protection Act 2012 (p. 1)
1. Are the Guidelines legally binding? (p. 1)
2. How will the PDPA affect organisations? (p. 1)
3. Will the PDPA prevent organisations from collecting, using and/or disclosing data relating to individuals? (p. 2)
4. How do the Data Protection Provisions interact with existing laws concerning personal data protection? (p. 2)
Important Terms used in the PDPA (p. 2)
5. The PDPA is only concerned with the personal data of “individuals”. Who are considered “individuals”? (p. 2)
6. What types of “personal data” are covered under the PDPA? (p. 3)
7. What types of “personal data” are not covered under the PDPA? (p. 4)
8. Are IP addresses considered “personal data”? (p. 5)
9. Are cookies considered “personal data”? (p. 5)
10. Is anonymised data regarded as “personal data” for the purposes of the PDPA? (p. 5)
11. Does the PDPA confer property or ownership rights of personal data in an individual or an organisation? (p. 5)
12. Which organisations are included, and which are excluded from the operation of the Data Protection Provisions? (p. 5)
13. The Data Protection Provisions only apply to a limited extent to a “data intermediary”. What is a “data intermediary”? (p. 6)
14. What constitutes “collection”, “use” and “disclosure” of personal data? (p. 7)
15. Some Data Protection Provisions refer to the “purpose” for which an organisation collects, uses or discloses personal data. How is such “purpose” defined? (p. 7)
16. How is the concept of “reasonableness” defined in the PDPA? (p. 7)
17. What are the main data protection obligations contained under the PDPA? (p. 8)
18. Do Data Protection Provisions apply to personal data that has been collected overseas and subsequently transferred into Singapore? (p. 8)
The Consent Obligation (p. 8)
19. What do organisations have to comply with under the Consent Obligation? (p. 8)
20. How can organisations obtain consent from individuals? (p. 9)
21. When is an individual considered not to have validly given consent? (p. 9)
22. When is an individual deemed to have given consent? (p. 10)
23. When is a minor deemed to have given consent? (p. 10)
24. Where an individual provides his personal data as part of his job application, is this considered deemed consent? (p. 11)
25. How should organisations deal with a job applicant’s personal data, after a decision has been made on whether to hire the job applicant? (p. 11)
26. Is it necessary to obtain consent from users when an organisation employs the use of cookies? (p. 11)
27. Can an organisation obtain personal data from third party sources with the consent of the individual? (p. 12)
28. Can an organisation collect and use personal data of a job applicant from social networking sources? (p. 12)
29. Can an organisation collect and use information on business cards for recruitment? (p. 12)
30. What should organisations do to ensure that the third party sources can validly provide the personal data? (p. 13)
31. Can an organisation obtain personal data from third party sources without the consent of the individual? (p. 13)
32. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data? (p. 14)
33. What practical steps should organisations take to allow individuals to withdraw their consent? (p. 15)
34. What is the effect of a notice from an individual to withdraw consent? (p. 15)
35. How should organisations respond when they receive a notice from an individual to withdraw consent? (p. 15)
36. Should an individual’s consent be obtained in the context of photography or videography? (p. 16)
37. Is an individual’s consent required for photography or videography in a public place? (p. 16)
38. How may an individual’s consent be obtained for photography or videography in a private space or event? (p. 16)
39. Is an individual’s consent required if he or she is caught in the background of a photograph or video recording? (p. 16)
40. Does the exception for collecting personal data for “artistic or literary purposes” apply to photographs or video recordings? (p. 17)
41. Are organisations required to accede to an individual’s request to prevent or remove the publication of a photograph or video recording? (p. 17)
42. Does the PDPA affect the organisation’s copyright in the photograph or video recording? (p. 17)
43. Are organisations required to accede to an individual’s request to delete CCTV footage? (p. 17)
The Purpose Limitation Obligation (p. 17)
44. What do organisations have to comply with under the Purpose Limitation Obligation? (p. 17)
45. If an organisation captures CCTV footage beyond the boundaries of their own premises, does that go beyond the Purpose Limitation Obligation? (p. 18)
46. Can organisations collect NRIC cards? (p. 18)
47. For what business purposes are organisations allowed to use NRIC numbers? (p. 18)
48. Can organisations publish NRIC numbers for purposes such as the results of lucky draws? (p. 18)
The Notification Obligation (p. 18)
49. What do organisations have to comply with under the Notification Obligation? (p. 18)
50. How should organisations notify individuals of the purpose for the collection, use and disclosure of their personal data? (p. 19)
51. Can organisations use a Data Protection Policy to notify individuals of the purposes for which it collects, uses and discloses personal data? (p. 19)
52. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed? (p. 20)
53. Can organisations use and disclose personal data for a different purpose from which it was collected? (p. 20)
54. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities? (p. 20)
55. Do organisations always need to notify individuals when CCTVs are deployed? (p. 21)
56. Do organisations need to notify individuals when drones used are likely to capture personal data? (p. 21)
57. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data? (p. 21)
58. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes? (p. 21)
The Access and Correction Obligations (p. 23)
59. What do organisations have to comply with under the Access and Correction Obligations? (p. 23)
60. What should organisations do to ensure that the individual can validly make an access request? (p. 23)
61. Are organisations obliged to comply with Access and Correction Obligations if an individual’s personal data is not in its possession but with a data intermediary? (p. 23)
62. Do organisations have to comply with Access Obligations with regards to personal data embedded in emails? (p. 24)
63. What is the level of detail required when providing a response to an access request? (p. 24)
64. When are organisations not required to accept an individual’s access request? (p. 25)
65. How long should organisations take in responding to an access request? (p. 25)
66. Can organisations charge fees for an individual’s access to personal data? (p. 25)
67. How should organisations deal with access requests relating to the disclosure to a prescribed law enforcement agency? (p. 26)
68. How should organisations deal with an individual’s personal data when an access request is received? (p. 26)
69. How should organisations reject an access request? (p. 26)
70. Will the Access Obligation require organisations to accede to an individual’s request to access CCTV footage? (p. 27)
71. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage? (p. 27)
72. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request? (p. 27)
73. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected? (p. 27)
74. When are organisations not required to accept an individual’s correction request? (p. 28)
75. How should organisations reject a correction request? (p. 28)
76. How long should organisations take in responding to a correction request? (p. 28)
The Accuracy Obligation (p. 28)
77. What do organisations have to comply with under the Accuracy Obligation? (p. 28)
78. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources? (p. 29)
79. Should organisations take extra measures to verify the accuracy of personal data of minors? (p. 29)
The Protection Obligation (p. 29)
80. What does it mean to make “reasonable security arrangements to protect personal data”? (p. 29)
81. What types of security arrangements can an organisation put in place? (p. 30)
82. Are organisations responsible if their employees do not comply with the PDPA? (p. 31)
The Retention Limitation Obligation (p. 31)
83. How long should an organisation retain personal data? (p. 31)
84. What are some recommended best practices in relation to the retention of personal data? (p. 32)
85. How long can organisations continue to hold personal data of former employees? (p. 32)
86. What does it mean to “cease to retain” personal data? (p. 32)
The Transfer Limitation Obligation (p. 33)
87. What is the Transfer Limitation Obligation? (p. 33)
88. What are the conditions that organisations have to satisfy before transferring personal data overseas? (p. 33)
The Openness Obligation (p. 34)
89. What is the Openness Obligation? (p. 34)
90. Are there any requirements as to whom an organisation may designate as its data protection officer? (p. 34)
Other Important Concepts (p. 34)
91. What does it mean to anonymise personal data? (p. 34)
92. How can personal data be anonymised? (p. 35)
93. What are some challenges and limitations in anonymising data? (p. 35)
94. Under what circumstances might data be considered to have been re-identified? (p. 36)
95. How can organisations assess the risk of re-identification? (p. 37)
96. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification? (p. 38)
97. What is the correlation between the motivation for re-identification and the risk of re-identification? (p. 38)
98. How can organisations lower the risk of re-identification? (p. 38)
Scope of The DNC Provisions (p. 39)
99. To whom are the DNC Provisions applicable? (p. 39)
100. The DNC Provisions apply to “specified messages”. What are “specified messages”? (p. 39)
101. The DNC Provisions apply to “senders”. Who are “senders”? (p. 41)
102. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending? (p. 41)
103. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number? (p. 42)
Obligations and Duties under the DNC Provisions (p. 42)
104. What does a person need to do before sending a specified message? (p. 42)
105. Is it necessary to check the DNC Register every time a specified message is proposed to be sent? (p. 43)
106. What happens when a person who had previously given consent to receive specified messages, subsequently withdraws such consent? (p. 43)
107. A person has previously given consent to receive specified messages, but subsequently registers his or her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person? (p. 43)
108. Who can withdraw consent in respect of a telephone number? (p. 43)
109. What would constitute valid consent for the purposes of the DNC Provisions? (p. 44)
110. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid? (p. 44)
The Drew & Napier TMT Team (p. 46)
Lim Chong Kin, Director, Head (Telecoms, Media & Technology) (p. 46)
Charmian Aw, Director (p. 46)
Advisory Guidelines to the Personal Data
Protection Act 2012
This publication is meant to supplement and be
read together with Drew & Napier’s “Your
Guide to the Personal Data Protection Act
2012”, as published in 2013, and updated in
2017.
INTRODUCTION TO THE ADVISORY
GUIDELINES ON THE PERSONAL DATA
PROTECTION ACT 2012
The Personal Data Protection Commission
(Commission) has issued several sets of
Advisory Guidelines on the Personal Data
Protection Act 2012 (PDPA), including the
following:
(a) Advisory Guidelines on Key Concepts in
the Personal Data Protection Act (Key
Concepts Guidelines) issued on 23
September 2013, and most recently
revised on 27 July 2017;
(b) Advisory Guidelines on the Personal Data
Protection Act for Selected Topics
(Selected Topics Guidelines), issued on 24
September 2013, and most recently
revised on 28 March 2017; and
(c) Advisory Guidelines on the Do Not Call
Provisions (DNC Guidelines), issued on 26
December 2013, and most recently revised
on 27 July 2017
(collectively, the Guidelines).
The Commission has also issued other
guidelines including:
(a) Sector Specific Advisory Guidelines;
(b) Industry-led Guidelines; and
(c) Other Guides such as the Guide to
Disposal of Personal Data on Physical
Medium.
Generally, the Guidelines are meant to provide
a further understanding of the provisions of
the PDPA as they elaborate and provide
interpretations on specific requirements and
obligations under the PDPA. The Guidelines
have since been updated and revised, as
appropriate and necessary, by the
Commission.
The following is a series of key questions and
answers to help you understand the impact of
the Guidelines on your business.
1. Are the Guidelines legally binding?
The Guidelines are advisory in nature and are
not legally binding on the Commission or on
any other party. The Guidelines will not limit or
restrict the Commission’s administration and
enforcement of the PDPA, and the provisions
of the PDPA and any regulations or rules
issued thereunder will prevail over the
Guidelines in the event of any inconsistency.
2. How will the PDPA affect organisations?
The data protection provisions in Parts III to VII
of the PDPA (Data Protection Provisions)
came into operation on 2 July 2014.
As such, organisations can generally continue
to use personal data that was collected before
2 July 2014 for the purposes for which such
personal data was collected, without a need to
obtain fresh consent from the individual.
However, if an individual has withdrawn his or
her consent, fresh consent will need to be
obtained.
Even where it is not clear for what purposes
personal data was collected before 2 July
2014, it is not strictly necessary for such
purposes to be specified or notified to the
individuals concerned on or after 2 July
2014. In such cases, however, the Commission
recommends that the organisation should
consider documenting the purposes so that it
will have such information readily available if a
question arises as to whether the organisation
is complying with the Data Protection
Provisions (such as the requirement to obtain
valid consent pursuant to the PDPA prior to
collection, use and disclosure of personal
data).
Additionally, should an organisation wish to
use or disclose personal data which it had
collected prior to 2 July 2014 for new purposes
(i.e. purposes which the individual concerned
had not consented to), the organisation will
need to obtain consent from the individual
concerned for these new purposes.
Organisations will also need to assess whether
their contractual obligations need to be
amended to comply with the Data Protection
Provisions. It should be noted that compliance
with contractual obligations entered into prior
to 2 July 2014 is not an excuse for the failure
to comply with the Data Protection Provisions.
The Do Not Call provisions (DNC Provisions),
which are set out in Part IX of the PDPA, came
into effect on 2 January 2014. Please refer to
question 99 et seq for a further discussion on
the DNC Provisions.
3. Will the PDPA prevent organisations
from collecting, using and/or disclosing
data relating to individuals?
The PDPA will not strictly prohibit
organisations from collecting, using and/or
disclosing data relating to individuals.
However, where an organisation wishes to
collect, use and/or disclose personal data (as
defined in the PDPA, see question 6 below), it
will be required to comply with the Data
Protection Provisions (see question 2 above).
Accordingly, organisations may wish to collect
or use anonymised data instead, where
individuals need not be identifiable for the
organisation’s purposes, as the Data Protection
Provisions will not apply to anonymised data
(see question 91 below on what anonymised
data means).
4. How do the Data Protection Provisions
interact with existing laws concerning
personal data protection?
The Data Protection Provisions will not affect
any existing authority, right, privilege,
immunity, obligation or limitation arising
under existing law. The PDPA also specifically
provides that the provisions of other written
law will prevail over the Data Protection
Provisions, but only to the extent that there is
an inconsistency.
As such, sector-specific legislation should not
be regarded as a blanket override of the Data
Protection Provisions.
For example, pursuant to Section 47 of the
Banking Act (Cap. 19), a bank can disclose
customer information to such persons and for
purposes that are specified in the Third
Schedule of the Banking Act, subject to the
conditions specified therein. However, the
Data Protection Provisions of the PDPA may be
inconsistent with Section 47 of the Banking
Act, as the former may not specifically allow
the bank to disclose such customer
information without prior consent of the
customer concerned. In such a case, Section 47
of the Banking Act will prevail in respect of
those exceptions under the Third Schedule of
the Banking Act, but the bank must continue
to comply with the Data Protection Provisions
in respect of any purposes which, or persons
who, are not specified in the Third Schedule of
the Banking Act.
IMPORTANT TERMS USED IN THE PDPA
5. The PDPA is only concerned with the
personal data of “individuals”. Who are
considered “individuals”?
The PDPA defines an individual as “a natural
person, whether living or deceased.” The term
“natural person” refers to a human being, and
does not refer to other legal persons or
unincorporated entities (e.g. a company or a
registered society). Accordingly, the PDPA only
protects the personal data of natural persons.
The term “individual” includes both living and
deceased individuals. However, the PDPA
applies to a limited extent in respect of the
personal data of deceased individuals.
6. What types of “personal data” are
covered under the PDPA?
The term “personal data” covers all types of
data from which an individual can be identified
(i.e. the ability to distinguish one individual
from others based on the data that an
organisation has), regardless of its veracity or
whether it is in electronic or other form.
Data about an individual
Personal data has to be data about an
individual. Some examples of data that is
about an individual include information about
an individual’s health, educational and
employment background, as well as an
individual’s activities such as spending
patterns.
Some data will, by its nature, identify an
individual, e.g. an individual’s name. Other data
which does not identify an individual will only
constitute personal data if it is associated with
a particular individual. For example, a
residential address by itself may not identify an
individual because there may be several
individuals residing there. However, if the
residential address is associated with a
particular identifiable individual, it would still
be considered as personal data. Thus, whether
a piece of information is considered personal
data is context-specific.
Similarly, the content of individuals’
communications, such as email messages and
text messages, in and of themselves may not
be considered personal data, unless they
contain information about an individual that
can identify the individual.
Individual can be identified from that data on
its own
Certain types of data can, on their own, identify
an individual, for instance biometric identifiers
which are inherently distinctive to an
individual, such as the face geometry of an
individual. Similarly, data that has been
assigned to an individual for the purposes of
identifying the individual (e.g. NRIC number of
an individual) would be able to identify the
individual from that data alone.
Such data which, on its own, constitutes
personal data is referred to as a “unique
identifier” in the Key Concepts Guidelines.
Some examples of data that the Commission
generally considers unique identifiers include
an individual’s full name, NRIC number or FIN
(Foreign Identification Number), passport
number, personal mobile telephone number,
facial image of an individual (e.g. in a
photograph or video recording), voice of an
individual (e.g. in a voice recording),
fingerprint, iris image, and DNA profile. For
example, a passer-by picks up a passport
photograph which clearly shows the facial
image of an identifiable individual. The
photograph is considered to constitute
personal data of the individual, even though
the passer-by does not know who the
individual is.
Individual can be identified from that data and
other information to which the organisation has
or is likely to have access
Generic information, such as gender,
nationality, age or blood group, alone is not
usually able to identify a particular individual
(e.g. gender alone cannot identify the
individual). Nevertheless, such information
may constitute part of the individual’s personal
data if it is combined with a unique identifier
or other information such that it can be
associated with, or made to relate to, an
identifiable individual.
Whether any data or dataset constitutes
personal data would depend on the specific
facts of each case. Data or datasets that may
identify an individual in a certain situation may
not identify an individual in another situation.
An organisation should consider the
availability of other information it has or is
likely to have access to, among other
considerations.
For example, if an organisation conducts a
street intercept survey and collects information
from passers-by that includes age range,
gender, occupation and place of work, the
organisation should be mindful that, although
none of these data points on its own identifies
an individual, the combination may identify
the respondent. Given that some of the
respondents’ datasets are likely to identify the
respondents, the organisation should treat the
datasets as personal data and ensure that it
complies with the Data Protection Provisions.
In other words, generic information that does
not relate to a particular individual may also
form part of an individual’s personal data if an
individual can be identified when combined
with other information. For example, generic
information such as “male” and “aged 21” is
provided as part of a membership form in
addition to information such as the individual’s
full name. In such a situation, the general
characteristics will constitute part of the
individual’s personal data because the generic
information would have been related to the
specific individual.
Even if the information is not directly
identifying data, it may still be considered
personal data if the organisation has access to
other information that, when taken together
with the data, will allow the individual to be
identified. For example, if a company
anonymises data collected from a customer
survey by replacing the respondents’ names
with randomly generated number tags, but the
company still holds the key that can reverse
the randomisation process, the collected data
will still be able to identify individuals with the
aid of the key and will thus be considered
personal data. (See question 91 for more
details on what it means to anonymise
personal data.)
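The two situations above (a set of generic survey fields that, combined, singles out a respondent; and name-to-tag replacement where the organisation still holds the key) can be checked mechanically. The following is an added example, not code from the FAQ, the PDPC guidelines or Drew & Napier: it runs a uniqueness (k-anonymity style) check over the quasi-identifier columns of a small, constructed and entirely fictitious survey dataset, then pseudonymises the names with random tags and shows that the data stays re-identifiable for as long as the key is retained. The field names, the `R000000` tag format and the sample records are assumptions made for the example.

```python
"""Added example (not from the FAQ or the PDPC guidelines): a small
re-identification check for a constructed survey dataset.

Points exercised:
  1. "Generic" fields (age range, gender, occupation, place of work) can
     single out a respondent even though no single field does so.
  2. Replacing names with random tags only anonymises the data if the
     organisation no longer holds the key that maps tags back to names.
"""
from collections import Counter
import random

# Constructed sample survey responses (assumption: fictitious people).
SURVEY = [
    {"name": "Tan Ah Kow", "age_range": "30-39", "gender": "M",
     "occupation": "software engineer", "place_of_work": "Raffles Place"},
    {"name": "Lim Mei Ling", "age_range": "30-39", "gender": "F",
     "occupation": "software engineer", "place_of_work": "Raffles Place"},
    {"name": "Ravi Kumar", "age_range": "30-39", "gender": "M",
     "occupation": "software engineer", "place_of_work": "Raffles Place"},
    {"name": "Siti Aminah", "age_range": "40-49", "gender": "F",
     "occupation": "dentist", "place_of_work": "Tanjong Pagar"},
    {"name": "John Lee", "age_range": "20-29", "gender": "M",
     "occupation": "student", "place_of_work": "Kent Ridge"},
    {"name": "Mary Goh", "age_range": "20-29", "gender": "F",
     "occupation": "student", "place_of_work": "Kent Ridge"},
]
# Fields that are not identifying alone but may be in combination.
QUASI_IDENTIFIERS = ("age_range", "gender", "occupation", "place_of_work")


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """Tuple of the generic values that, combined, may single someone out."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields=QUASI_IDENTIFIERS):
    """How many respondents share each combination of quasi-identifiers."""
    return Counter(quasi_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one respondent is unique."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def singled_out(records, fields=QUASI_IDENTIFIERS):
    """Indexes of respondents whose combination of quasi-identifiers is unique."""
    sizes = group_sizes(records, fields)
    return [i for i, r in enumerate(records) if sizes[quasi_key(r, fields)] == 1]


def pseudonymise(records, rng, name_field="name"):
    """Replace names with random tags. Returns (tagged records, key).
    The key is exactly the "other information" that keeps the tagged
    data re-identifiable while the organisation holds it."""
    key, tagged = {}, []
    for r in records:
        tag = f"R{rng.randrange(10**6):06d}"
        while tag in key:                      # avoid tag collisions
            tag = f"R{rng.randrange(10**6):06d}"
        key[tag] = r[name_field]
        out = dict(r)
        out[name_field] = tag
        tagged.append(out)
    return tagged, key


def reidentify(tagged, key, name_field="name"):
    """What anyone holding the key can do: reverse the tagging."""
    result = []
    for r in tagged:
        out = dict(r)
        out[name_field] = key[r[name_field]]
        result.append(out)
    return result


def assess(records, fields=QUASI_IDENTIFIERS):
    """Summary to look at before calling a dataset 'anonymised'."""
    return {"k": k_anonymity(records, fields),
            "singled_out": singled_out(records, fields)}


if __name__ == "__main__":
    print("raw survey:", assess(SURVEY))
    tagged, key = pseudonymise(SURVEY, random.Random(7))
    # Tags change nothing about the quasi-identifiers, so k is unchanged.
    print("tagged survey:", assess(tagged))
    print("with key, names recovered:", reidentify(tagged, key) == SURVEY)
    # Coarser reporting (drop gender and place of work) raises k.
    print("coarsened:", assess(SURVEY, ("age_range", "occupation")))
```

Reading the output: `k == 1` with a non-empty `singled_out` list means the dataset should be treated as personal data whatever the column headings say, and `reidentify` succeeding shows that random tags plus a retained key is pseudonymisation, not anonymisation. Only once the key is destroyed, and the quasi-identifiers are coarsened until every group has more than one member, does the question 91 analysis start to apply.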
False personal data
Data which is false can also be part of an
individual’s personal data. An individual may
have appropriate reasons for using data that is
not strictly true, for example, when an
individual uses a fictitious name or nickname
as part of his personal email address.
7. What types of “personal data” are not
covered under the PDPA?
The PDPA does not apply to the following
categories of personal data:
(a) business contact information;
(b) personal data that is contained in a record
that has been in existence for at least 100
years; and
(c) personal data about a deceased individual
who has been dead for more than 10
years.
Business contact information
Business contact information refers to an
individual’s name, position name or title,
business telephone number, business address,
business electronic mail address, business fax
number and any other similar information
about the individual, not provided by the
individual solely for his or her personal
purposes.
The purpose for which the individual provides
the work-related contact information is
important, because any work-related contact
information provided solely for personal
purposes (e.g. signing up for a gym
membership) would not constitute business
contact information. However, in most
circumstances, the Commission is likely to
consider personal data provided on business
or name cards as business contact information.
Since sole proprietorships and partnerships are
also businesses, the contact information of
sole proprietors and partners is considered
business contact information where such
information has not been provided solely for
personal purposes.
8. Are IP addresses considered “personal
data”?
IP addresses in isolation
The Commission generally takes the view that
IP addresses or network identifiers such as an
IMEI number may not be personal data when
viewed in isolation, as they would serve to
identify a particular networked device rather
than a particular individual under such
circumstances.
IP addresses combined with other information
It may be possible in some cases to identify an
individual from his device’s IP address when it
is combined with other traces of information
that are collected, or left behind, by a device
(such as cookies).
Tracking of IP addresses
Organisations may collect data points tied to
an IP address for purposes such as determining
the number of unique visitors to a website in a
month, or the number of unique responses to a
one-off online survey about consumer
preferences, and consequently track activities
tied to an IP address. The Commission takes
the view that such tracking may not result in
the collection of personal data if the
organisation is unable to identify an individual
from the data collected, or from that data and
other information that the organisation has or
is likely to have access to.
However, the more data points an organisation
collects that are associated with a unique IP
address, the more likely it is that the data
collected constitutes personal data.
For example, if an organisation profiles the
websites visited by an IP address, the items
purchased by the same IP address and other
online activities associated with the IP address
for a long period of time, and is able to
ascertain that the particular IP address is
associated with a unique person with a specific
surfing profile, the organisation may be found
to have collected personal data.
9. Are cookies considered “personal data”?
Cookies are not personal data. However,
cookies may collect personal data.
Where cookies are employed by an
organisation to collect personal data of a user,
the PDPA will require that the organisation
obtain the user’s consent to collect, use and/or
disclose personal data of the user. See
question 26 below.
10. Is anonymised data regarded as
“personal data” for the purposes of the
PDPA?
Generally, anonymised data alone will not
constitute personal data.
However, if the anonymised data, together
with any other information that an
organisation has or is likely to have access to,
can be used to identify a particular individual,
these data and information taken together will
constitute personal data.
11. Does the PDPA confer property or
ownership rights to personal data on an
individual or an organisation?
The PDPA does not confer any property or
ownership rights to personal data per se on
individuals or organisations and also does not
affect existing property rights in items in which
personal data may be captured or stored.
Thus, if an organisation takes a photograph of
an individual, the individual would not be
conferred ownership rights to that photograph
under the PDPA even though it would be part
of his personal data. Instead, ownership would
depend on existing laws such as property law
and copyright law. Regardless of ownership
rights, the organisation must comply with the
PDPA if it intends to collect, use or disclose the
photograph.
12. Which organisations are included, and
which are excluded from the operation
of the Data Protection Provisions?
The Data Protection Provisions apply to all
organisations, with certain exceptions.
Organisations required to comply with the
PDPA should be able to demonstrate their
compliant practices with evidence.
“Organisation” is defined broadly to include
any individual, company, association or body
of persons, corporate or unincorporated,
whether or not:
(a) formed or recognised under the law of
Singapore; or
(b) resident or having an office or place of
business in Singapore.
The Data Protection Provisions do not apply
to:
(a) individuals acting in a personal or
domestic capacity;
(b) employees acting in the course of their
employment with an organisation;
(c) public agencies, or organisations acting on
behalf of a public agency in relation to the
collection, use or disclosure of personal
data; and
(d) other organisations as may be prescribed
by the Minister.
Individuals acting in a personal or domestic
capacity
An individual acts in a “personal or domestic”
capacity when undertaking activities for his
home or family; for example, by opening joint
bank accounts between two or more family
members.
Individuals acting as employees
Employees are excluded from the application
of the Data Protection Provisions. The PDPA
defines an employee to include a volunteer.
Hence, individuals who undertake work
without an expectation of payment would fall
within the exclusion for employees.
Even though employees are excluded from the
application of the PDPA, organisations remain
responsible for the actions of the employees
which contravene the Data Protection
Provisions.
Public agencies and organisations acting on
behalf of public agencies
Section 2 of the PDPA defines a public agency
to include:
(a) the Government, including any ministry,
department, agency, or organ of State;
(b) any tribunal appointed under any written
law; or
(c) any statutory body specified by the
Minister by notice in the Gazette.
To date, the Minister has gazetted 62 statutory
bodies as public agencies pursuant to the
Personal Data Protection (Statutory Bodies)
Notification 2013.
While organisations acting on behalf of a
public agency in relation to the collection, use
and/or disclosure of personal data are
excluded from the application of the Data
Protection Provisions when they are so acting, they still have to comply with the Data
Protection Provisions in relation to other
aspects of their business not related to the
public agency, for example, in relation to their
employees’ personal data or the personal data
of other customers.
13. The Data Protection Provisions only
apply to a limited extent to a “data
intermediary”. What is a “data
intermediary”?
Where data intermediaries process personal
data on behalf of another organisation (the
principal organisation) pursuant to a written
contract, they will only be subject to the Data
Protection Provisions relating to the protection
and retention of personal data.
The PDPA defines “processing” as “the carrying
out of any operation or set of operations in
relation to the personal data, and includes any
of the following: (i) recording; (ii) holding; (iii)
organisation, adaptation or alteration; (iv)
retrieval; (v) combination; (vi) transmission; (vii)
erasure or destruction.”
If a data intermediary uses or discloses
personal data in a manner which goes beyond
the processing required by the principal
organisation under the contract, it will not be
considered a data intermediary in respect of
such use or disclosure. It will therefore have to
comply fully with the Data Protection
Provisions in relation to such use or disclosure.
In a similar vein, while an organisation may be
considered a data intermediary in respect of a
set of personal data, it may at the same time
be bound by all Data Protection Provisions in
relation to other sets of personal data used for
activities which do not fall within the definition
of “processing” as a data intermediary (e.g. in
relation to personal data of its own
employees).
An organisation may be considered a data
intermediary to more than one principal
organisation. Any person who acts on behalf
of an organisation (e.g. an agent) will have to
comply with all obligations of the PDPA unless
they are explicitly considered data
intermediaries.
In any case, principal organisations will have
the same obligations under the PDPA
regarding personal data processed on their
behalf by a data intermediary as if the personal
data were processed by the organisation itself.
An organisation may be a data intermediary of
another even if the written contract between
the organisations does not clearly identify the
data intermediary as such. The Commission
therefore highlights the importance of an
organisation’s clarity as to its own rights and
obligations when dealing with another
organisation. Where appropriate, the written
contract should clearly set out each
organisation’s responsibilities and liabilities in
relation to the personal data in question, and
expressly note whether one organisation is
processing personal data on behalf of and for
the purposes of another organisation.
14. What constitutes “collection”, “use” and
“disclosure” of personal data?
In general, the terms “collection”, “use” and
“disclosure” have the following meanings:
(a) Collection refers to any act or set of acts
through which an organisation obtains
control over or possession of personal
data.
(b) Use refers to any act or set of acts by
which an organisation employs personal
data. A particular use of personal data may
occasionally involve collection or
disclosure that is necessarily part of the
use.
(c) Disclosure refers to any act or set of acts
by which an organisation discloses,
transfers or otherwise makes available
personal data that is under its control or in
its possession to any other organisation.
While collection, use and disclosure may take
place actively (e.g. a sales person asking the
individual for personal information) or
passively (e.g. an individual writes his name in
an unattended guestbook placed near the
entrance), both forms of collection, use and
disclosure will be subject to the same
obligations under the PDPA.
15. Some Data Protection Provisions refer to
the “purpose” for which an organisation
collects, uses or discloses personal data.
How is such “purpose” defined?
The term “purpose” does not refer to activities
which an organisation may intend to
undertake but rather to its objectives or
reasons. Hence, when specifying its purposes
relating to personal data, an organisation is
not required to specify every activity which it
may undertake, but its objectives or reasons
relating to personal data.
16. How is the concept of “reasonableness”
defined in the PDPA?
The test for reasonableness is what a
reasonable person would consider appropriate
in the circumstances. A “reasonable person” is
judged based on an objective standard and
can be said to be a person who exercises
appropriate care and judgment in the
particular circumstances.
In determining what a reasonable person would
consider appropriate in the circumstances, an
organisation should consider the particular
circumstances that it is facing. Taking those
circumstances into consideration, the
organisation should determine what would be
the appropriate course of action to take in
order to comply with its obligations under the
PDPA based on what a reasonable person
would consider appropriate. One practical step
an organisation can take is to view the
situation from the perspective of the individual
and consider what the individual would regard
as fair.
The Commission notes that the standard of
reasonableness is expected to be evolutionary.
17. What are the main data protection
obligations contained under the PDPA?
The PDPA contains 9 main data protection
obligations that apply to organisations for
personal data in their possession or under
their control:
(a) the Consent Obligation (Sections 13 to 17
of the PDPA);
(b) the Purpose Limitation Obligation (Section
18 of the PDPA);
(c) the Notification Obligation (Section 20 of
the PDPA);
(d) the Access and Correction Obligation
(Sections 21 and 22 of the PDPA);
(e) the Accuracy Obligation (Section 23 of the
PDPA);
(f) the Protection Obligation (Section 24 of
the PDPA);
(g) the Retention Limitation Obligation
(Section 25 of the PDPA);
(h) the Transfer Limitation Obligation (Section
26 of the PDPA); and
(i) the Openness Obligation (Sections 11 and
12 of the PDPA).
The Data Protection Provisions described
above apply to the collection, use and/or
disclosure of personal data in Singapore – this
means that even when an organisation collects
personal data from outside Singapore and
processes such personal data in Singapore, the
organisation has to comply with the PDPA.
18. Do Data Protection Provisions apply to
personal data that has been collected
overseas and subsequently transferred
into Singapore?
Yes, the Data Protection Provisions apply when
organisations collect, use or disclose personal
data for their own purposes in Singapore, unless
the exemptions to the Data Protection
Provisions apply. Where personal data is
collected in a foreign country or territory with
its own data protection laws, the Commission
will take into account the manner in which the
personal data was collected in compliance with
such data protection laws, in determining
whether the organisation has complied with its
Notification and Consent Obligations.
THE CONSENT OBLIGATION
19. What do organisations have to comply
with under the Consent Obligation?
Under the Consent Obligation, organisations
are required to obtain consent from the
individual before they can collect, use or
disclose the individual’s personal data. This
requirement does not apply where the
collection, use or disclosure of an individual’s
personal data is required or authorised under
the PDPA or any other written law.
An individual has not given consent unless he
or she has been notified of the purposes for
which his or her personal data will be
collected, used or disclosed and he or she has
provided his or her consent for those
purposes. If an organisation fails to inform the
individual of the purposes for which his or her
personal data will be collected, used and
disclosed, any consent given by the individual
would not amount to valid consent.
20. How can organisations obtain consent
from individuals?
As good practice, an organisation should
obtain consent that is in writing or recorded in
a manner that is accessible for future
reference.
An organisation may also obtain consent
verbally although it may be more difficult for
an organisation to prove that it had obtained
consent. It would therefore be prudent for the
organisation to document the consent in some
way, for example, by noting the fact that oral
consent was provided by an individual for
certain purposes together with the date and
time of such consent, or by following up the
verbal consent by confirming the consent in
writing with the individual.
Opt-in method of consent
Organisations can obtain the individual’s
consent through a positive action of the
individual (e.g. by requiring the individual to
check a box indicating consent).
Opt-out method of consent
The Commission’s view is that a failure to opt
out (e.g. by deeming that an individual has
given his or her consent through inaction on
his or her part by not checking a box
indicating his or her non-consent) will not be
regarded as consent in every situation.
Whether or not a failure to opt out can be
regarded as consent will depend on the actual
circumstances and facts of the case because
there are many methods and variants to
opting out, and depending on its
implementation, some could be more likely
than others to constitute consent.
21. When is an individual considered not to
have validly given consent?
Section 14(2) of the PDPA provides that
consent is not validly given if it is:
(a) obtained as a condition of the provision of
the product or service to the individual,
beyond what is reasonable to provide the
product or service; or
(b) obtained by providing false or misleading
information or using deceptive or
misleading practices.
Consent obtained as a condition of providing
the product or service
An organisation may require an individual to
consent to the collection, use or disclosure of
his or her personal data as a condition of
providing a product or service where it is
reasonably required in order to provide the
product or service. However, if the consent is
obtained as a condition of providing such
products or services beyond what is
reasonable for the provision of such products
or services, such consent is invalid.
Organisations are not, however, prohibited
from providing offers, discounts or lucky draw
opportunities to individuals that are
conditional on the collection, use or disclosure
of their personal data for specified purposes
because such offers, discounts or lucky draws
are not considered products or services.
Similarly, organisations are allowed to collect,
use or disclose personal data for purposes
beyond those that are reasonable for provision
of the service if they obtain additional valid
consent in accordance with the PDPA, but this
cannot be conditional on the provision of the
service itself.
The Commission recommends that when
organisations collect personal data through a
form, it is a good practice to indicate which
fields that collect personal data are
compulsory and which are optional, and to
state the purposes for which such personal
data will be collected, used and/or disclosed.
This avoids potential problems as to whether
consent was validly given because it makes
clear whether the individual’s consent was
made a condition to the provision of products
or service.
Consent obtained by false or misleading
information or deceptive or misleading practices
Consent obtained by providing false or
misleading information to the individual, or by
using deceptive or misleading practices, is not
validly given. Such practices may include
situations where the purposes are stated in
vague or inaccurate terms, in an illegible font,
or placed in an obscure area of a document or
a location that is difficult to access.
22. When is an individual deemed to have
given consent?
Section 15 of the PDPA provides two situations
where an individual may be deemed to
consent even if he or she has not actually
given consent:
(a) where an individual voluntarily provides
the personal data to the organisation for a
purpose and it is reasonable that he or she
would do so, the individual is deemed to
consent to the collection, use and
disclosure for that purpose; or
(b) where an individual consents or is deemed
to have consented to the disclosure of his
personal data by one organisation to
another organisation, the individual is
deemed to consent to the collection, use
or disclosure of his personal data by that
other organisation for that purpose.
Relying on deemed consent requires an
organisation to be able to establish the
following:
(a) an individual voluntarily provided his or
her personal data;
(b) the individual was aware of the purpose
for which the personal data was provided;
and
(c) the circumstances are such that it is
reasonable for the individual to have
provided his or her personal data.
It is good practice for an organisation to
review its business processes to determine the
situations where it should obtain actual
consent instead of relying on deemed consent.
This is especially pertinent in situations where
it is not clear whether the deemed consent
provision applies. Obtaining consent from the
individual would avoid disputes where an
individual claims that he or she did not
consent to the collection of his or her personal
data for a purpose and that he or she did not
voluntarily provide personal data for the
purpose.
23. When is a minor deemed to have given
consent?
The same principles for deemed consent that
apply to individuals generally apply equally to
minors. However, in considering whether the
minor has voluntarily provided his personal
data, the Commission would consider various
factors, including (but not limited to):
(a) the minor’s understanding of the purpose
for which his or her personal data is
provided;
(b) the minor’s understanding of the effect of
giving his or her personal data for that
purpose; and
(c) whether there was any undue influence on
the minor with respect to the provision of
his or her personal data.
The Commission would, as a general guide,
consider a minor who is at least 13 years of
age to have the sufficient understanding of
the purposes for which his or her personal
data is provided, unless the organisation is
aware of contrary facts or circumstances. As a
matter of good practice, the Commission
suggests that organisations which provide
services targeted at minors could state the
terms and conditions in a language that is
readily understandable by minors, or use
visual aids to make their terms and conditions
more readily understandable. Other good
practices could include placing additional
safeguards against unauthorised disclosure
of, or unauthorised access to, personal data
of minors, or anonymising personal data of
minors before disclosure, where feasible.
24. Where an individual provides his personal
data as part of his job application, is this
considered deemed consent?
When an individual voluntarily provides his or
her personal data to an organisation in the
form of a job application, for example, in
response to a recruitment advertisement, he or
she may be deemed to consent to the
organisation collecting, using and disclosing
the personal data for the purpose of assessing
his or her job application.
25. How should organisations deal with a
job applicant’s personal data, after a
decision has been made on whether to
hire the job applicant?
Where the organisation decides not to hire the
individual, it should only keep such individual’s
personal data for as long as is necessary for
business or legal purposes (see questions 83
to 86 below).
Where a job applicant is employed by an
organisation, it would be good practice for the
organisation to obtain consent from the
employee, upon appointment or hiring of the
individual, for the maintenance of such
employee’s employment records (see question
58 below).
26. Is it necessary to obtain consent from
users when an organisation employs the
use of cookies?
Yes, if the cookies are used to collect personal
data. Consent for session cookies, which
usually collect or store technical data in order
to facilitate certain web applications, is not
required, because these types of cookies do
not collect personal data.
It should be noted that the obligation to
obtain an individual’s consent for the
collection of his or her personal data rests with
the organisation that is collecting the personal
data, whether by itself or through its data
intermediaries. Accordingly, if an organisation
operates a website which a third party uses to
collect personal data, and the website operator
itself is not collecting such personal data, the
obligation is on the third party organisation to
obtain the consent required to collect the
personal data.
For Internet activities that the user has clearly
requested (e.g. transmitting personal data for
effecting online communications and storing
information that the user enters in a web form
to facilitate an online purchase), it may not be
strictly necessary to seek consent for the use
of cookies to collect, use, and disclose
personal data where the individual is aware of
the purposes for such collection, use or
disclosure and voluntarily provided his or her
personal data for such purposes.
For activities that cannot take place without
cookies that collect, use or disclose personal
data, consent may be deemed if the user
voluntarily provides the personal data for that
purpose of the activity, and it is reasonable
that he or she would do so.
The Selected Topics Guidelines provides that
consent may be reflected in the way a user
configures his or her interaction with the
Internet. For instance, if the user configures his
or her browser to accept certain cookies but
rejects others, he or she may be regarded as
having consented to the collection, use and
disclosure of his or her personal data by the
cookies that he or she has chosen to accept.
However, the mere failure of a user to actively
manage his or her browser settings does not
always imply that the individual has consented
to the collection, use and disclosure of his or
her personal data by all websites for their
stated purpose.
When organisations use cookies in behavioural
targeting processes that involve the collection
and use of personal data, organisations will be
required to obtain an individual’s consent.
27. Can an organisation obtain personal
data from third party sources with the
consent of the individual?
There are two situations in which organisations
may obtain personal data about an individual
from a third party source, with the consent of
the individual:
(a) where the third party source can validly
give consent to the collection, use and
disclosure of the individual’s personal data
(under Section 14(4) of the PDPA); or
(b) where the individual has consented, or is
deemed to have consented, to the
disclosure of his or her personal data by
the third party source (under Section 15(2)
of the PDPA).
Consent given by a third party source
In relation to (a), the Commission has noted
that regulations will be issued under the PDPA
providing for some specific situations in which
a person may give consent on behalf of
another individual.
The Key Concepts Guidelines provides as an
example of validly obtaining personal data
from a third party source, a situation where
personal data is obtained via the purchase of a
database containing personal data from a
database reseller who has obtained consent
from the individual for the disclosure of the
personal data. Another example is where one
organisation in a corporate group has validly
obtained consent to the collection, use and
disclosure of an individual’s personal data for
the purposes of other organisations in the
group.
An organisation collecting personal data from
a third party source is required to notify the
source of the purposes for which it will be
collecting, using and disclosing the personal
data.
Deemed consent
An example of where an individual may be
deemed to have consented to the disclosure of
his or her personal data by a third party source
is where a prospective employee seeks to
obtain a reference from his or her former
employer to determine his or her suitability for
employment by the prospective employer.
In both cases, the Key Concepts Guidelines
sets out that organisations are to exercise
sufficient due diligence in ensuring that third
party sources of personal data can validly give
consent for the collection, use or disclosure on
behalf of the individuals concerned.
28. Can an organisation collect and use
personal data of a job applicant from
social networking sources?
To the extent that the information on social
networking sources is publicly available (see
question 32 below), organisations can collect
personal data about a job applicant without
his or her consent. The PDPA does not require
organisations to obtain the consent of
individuals when collecting personal data that
is available publicly, for instance, in
newspapers, telephone directories and
websites containing information that is
generally available to the public.
Where the personal data is not publicly
available, but is voluntarily made available by
an individual on a job-search portal for being
contacted for prospective job opportunities,
the individual may be deemed to have
consented to the collection, use and disclosure
of his or her personal data for such purpose.
29. Can an organisation collect and use
information on business cards for
recruitment?
Where an individual provides his or her
business card to an organisation for purposes
other than solely for personal purposes, it is
possible for the organisation to use the
information on the business card for
recruitment or other purposes. This is because
the Data Protection Provisions do not apply to
business contact information.
However, if the business card is provided by an
individual purely for personal purposes, then
the organisation will not be permitted to use
the personal data contained in the business
card for any purposes for which it has not
obtained the individual’s consent.
30. What should organisations do to ensure
that the third party sources can validly
provide the personal data?
Organisations obtaining personal data from
third party sources should check and ensure
that the third party source can validly give
consent for the collection, use and disclosure
of personal data on behalf of the individual or
that the source had obtained consent for
disclosure of the personal data.
Organisations (A) obtaining personal data
from third party sources (B) may consider
adopting the following due diligence
measures, as appropriate:
(a) seek an undertaking from B through a
term of contract between A and B that the
disclosure to A for A’s purposes is within
the scope of the consent given by the
individual to B;
(b) obtain confirmation in writing from B;
(c) obtain, and document in an appropriate
form, verbal confirmation from B; or
(d) obtain a copy of the document(s)
containing or evidencing the consent
given by the individuals concerned to B to
disclose the personal data.
In the event the third party source could not
validly give consent or had not obtained
consent for disclosure to the collecting
organisation, but concealed this from the
collecting organisation, the actions taken by
the collecting organisation to verify such
matters before collecting the personal data
from the third party source would be
considered a possible mitigating factor by the
Commission should there be a breach of the
PDPA relating to such collection or the
collecting organisation’s use or subsequent
disclosure of the personal data.
31. Can an organisation obtain personal
data from third party sources without
the consent of the individual?
An organisation (A) may collect personal data
from a third party source (B) without the
consent of the individual in the circumstances
described in the Second Schedule to the PDPA.
These circumstances include, for example,
where:
(a) the collection is necessary to respond to
an emergency that threatens the life,
health or safety of the individual or
another individual;
(b) the personal data is publicly available; or
(c) the collection is necessary for evaluative
purposes.
At the same time, B would only be able to
disclose the personal data without the consent
of the individual in any of the circumstances
set out in the Fourth Schedule of the PDPA.
These circumstances include, for example,
where:
(a) the disclosure is necessary to respond to
an emergency that threatens the life,
health or safety of the individual or
another individual;
(b) the personal data is publicly available; or
(c) the disclosure is for the purpose of
contacting the next-of-kin or a friend of
any injured, ill or deceased individual.
B would need to know the purpose for which A
is collecting the personal data in order to
determine if its disclosure of the data to the
organisation falls into the Fourth Schedule
exceptions set out in the PDPA. Section 20(2)
of the PDPA therefore requires A to provide B
with sufficient information regarding its
purpose for collecting the personal data, to
allow B to determine whether disclosure would
be in accordance with the PDPA.
32. Organisations can collect, use and
disclose personal data without consent
if it is publicly available. What is the
definition of “publicly available” data?
The term “publicly available” refers to personal
data that is generally available to the public,
including personal data which can be observed
by reasonably expected means at a location or
an event at which the individual appears and
that is open to the public. Personal data is
generally available to the public if any member
of the public could obtain or access the data
with few or no restrictions.
However, in some situations, the existence of
restrictions may not prevent the data from
being publicly available. For example, if
personal data is disclosed to a closed online
group but membership in the group is
relatively open and members of the public
could join with minimal effort, then the
disclosure may amount to making the data
publicly available.
Time in determining public availability
Personal data that is publicly available at one
point in time may no longer be publicly
available after that time. For example, users of
social networking sites may change their
privacy settings from time to time, which
would have an impact on whether their
personal data would be considered publicly
available.
Because it would be excessively burdensome
for organisations to constantly verify that the
data remains publicly available, especially in
situations where the use or disclosure happens
sometime after the collection of the personal
data, the Commission has adopted the
position that so long as the personal data in
question was publicly available at the point of
collection, organisations will be able to use
and disclose personal data without consent
under the corresponding exceptions,
notwithstanding that the personal data may no
longer be publicly available at the point in
time when it is used or disclosed.
Personal data observed in public
For data observed in the public to constitute
publicly available data, two requirements must
be met:
(a) the personal data must be observed by
reasonably expected means; and
(b) the personal data must be observed at a
location or event at which the individual
appears and that is open to the public.
Personal data is observed by reasonably
expected means if individuals ought to
reasonably expect their personal data to be
collected in that particular manner at that
location or event. This test is an objective one,
considering what individuals ought reasonably
to expect instead of what a particular
individual actually expects.
A location or event would be considered
“open to the public” if members of the public
can enter or access the location with few or no
restrictions. Generally speaking, the more
restrictions there are for access to a particular
location (e.g. physical barriers such as fences,
walls and gates, employment of security
systems, sentries and patrols aimed at
restricting entry), the less likely it would be
considered “open to the public”.
However, the mere existence of some
restrictions is not sufficient to prevent the
location from being regarded as open to the
public. For example, events that may be
entered only upon payment of a fee by a
member of the public may still be considered
to be open to the public. Similarly, special
events for members of a retailer’s loyalty
programme may also be considered open to
the public, depending on relevant factors such
as whether the event was open to a large
number of members.
A location is not open to the public merely
because members of the public may look into
the location. For example, if members of the
public are not able to enter residential premises
that are closed for a private event, their ability
to observe what is happening inside would not
make the premises open to the public.
The Commission also recognises that while a
location may generally be open to the public,
it may at times become a private space (e.g. a
restaurant is booked for a private function). In
such situations, as members of the public
cannot enter the location during the event, the
event is not open to the public.
33. What practical steps should
organisations take to allow individuals
to withdraw their consent?
Section 16 of the PDPA provides that
individuals may at any time withdraw any
consent given or deemed to have been given
under the PDPA in respect of the collection,
use or disclosure of their personal data for any
purpose by an organisation.
In order to enable and facilitate withdrawal,
the Commission advises organisations to make
an appropriate consent withdrawal policy
easily accessible to the individuals concerned.
This withdrawal policy should, for example:
(a) advise the individuals on the form and
manner to submit a notice to withdraw
their consent for specific purposes;
(b) indicate the person to whom, or the
means by which, the notice to withdraw
consent should be submitted;
(c) distinguish between purposes which are
necessary and those which are optional to
the provision of goods or services; and
(d) allow individuals to withdraw consent for
optional purposes without concurrently
withdrawing consent for the necessary
purposes.
An organisation must not prohibit an
individual from withdrawing his or her consent
to the collection, use or disclosure of personal
data about himself or herself. If the collection,
use or disclosure of his or her personal data is
necessary for the provision of the goods or
services, the organisation can terminate the
provision of such goods and services on the
individual’s withdrawal of consent (and have
recourse under the law), but cannot prohibit
the individual from withdrawing his or her
consent.
34. What is the effect of a notice from an
individual to withdraw consent?
In determining the precise scope and effect of
a notice to withdraw consent, the Commission
would examine the facts of the situation. This
includes matters such as:
(a) the actual content of the notice of
withdrawal;
(b) whether the intent to withdraw consent
was clearly expressed; and
(c) the channel through which the notice was
sent.
When the organisation provides an option to
withdraw consent (e.g. an “unsubscribe” link
within an email message), consent is deemed
to be withdrawn for the same channel as the
option to withdraw (e.g. email notifications),
unless the withdrawal option states otherwise.
35. How should organisations respond
when they receive a notice from an
individual to withdraw consent?
Once an organisation has received a notice to
withdraw consent, the organisation should
highlight to the individual concerned the likely
consequences of withdrawing his or her
consent, even if those consequences have
previously been set out somewhere else (e.g.
in the service contract between the
organisation and the individual).
With regard to personal data that is already in
an organisation’s possession, withdrawal of
consent would only apply to an organisation’s
continued use or future disclosure of the
personal data concerned. Upon receipt of a
notice of withdrawal of consent, the
organisation must inform its data
intermediaries and agents about the
withdrawal and ensure that they cease
collecting, using or disclosing the personal
data for the organisation’s purposes.
Apart from its data intermediaries and agents,
an organisation is not required to inform other
organisations to which it has disclosed an
individual’s personal data that the individual
has withdrawn his or her consent. The
individual retains the option of requesting the
organisation to provide information on the
ways in which his or her personal data has
been disclosed, and upon finding out which
other organisations his or her personal data
may have been disclosed to, approach these
other organisations directly to withdraw
consent.
Organisations are not required to delete or
destroy an individual’s personal data when he
or she has withdrawn consent. Organisations
may retain personal data in their documents
and records in accordance with the Retention
Limitation Obligation (see below).
36. Should an individual’s consent be
obtained in the context of photography
or videography?
Individual consent is required for the
collection, use or disclosure of personal data.
In this regard, organisations (or independent
professionals) that intend to take photographs
or video recordings of an individual in the
course of business will need to obtain the
individual’s consent if those photographs or
video recordings can identify an individual.
However, photography or videography taken
in a personal or domestic capacity is exempt
from the requirement to obtain consent.
An individual is deemed to give his or her
consent if he or she permits the photograph or
video recording to be taken of him or her, and
it is reasonable for him or her to do so.
37. Is an individual’s consent required for
photography or videography in a public
place?
As a general rule, an organisation that takes
photographs or video recordings of an
individual in the course of business will need
to obtain the individual’s consent if he or she
can be identified from those sources. However,
the individual’s consent is not required if his or
her personal data is publicly available, for
example, when the individual is at a place that
is open to the public. In this regard, the more
access restrictions a location has, the less likely
it is to be considered “open to the public” (see
question 32 above for discussion on “public
place”).
38. How may an individual’s consent be
obtained for photography or
videography in a private space or
event?
In a private setting, an individual may be
deemed to give his or her consent by
permitting a photograph or video recording to
be taken of him or her for the organisation’s
intended purpose. Deemed consent may be
obtained in the following ways (not
exhaustive):
(a) communicate the purpose of the photo-
taking or videography at the event via the
invitation sent to clients;
(b) place prominent notices near the entrance
to the event, informing participants that
photos or videos may be taken for the
intended purpose;
(c) secure written consent via a confirmation
of attendance form or letter which guests
sign, where the form indicates that photos
and videos may be taken for the intended
purpose; or
(d) the photographer may obtain verbal
consent before he or she takes each
picture by notifying participants of the
purpose of the photo-taking.
39. Is an individual’s consent required if he
or she is caught in the background of a
photograph or video recording?
As a general rule, organisations are required to
obtain the consent of individuals who are
identifiable in the photograph or video
recording. For individuals who are in the
background of the photograph or video
recording, consent is not required if, and only
if, the identity of the individuals cannot be
ascertained from the photograph or video
recording (i.e. they are too small or
obscured).
40. Does the exception for collecting
personal data for “artistic or literary
purposes” apply to photographs or
video recordings?
Literary or artistic purposes are not defined
under the PDPA. However, as a matter of good
practice, the Commission recommends that
organisations obtain the consent of individuals
before taking the photographs or video
recordings.
41. Are organisations required to accede to
an individual’s request to prevent or
remove the publication of a photograph
or video recording?
Yes. Organisations are required to accede to
an individual’s request to prevent the
publication of a photograph or video
recording, or remove a photograph or video
recording that has been published.
Nevertheless, the organisation may proceed
without the individual’s consent only where
the publication is authorised under the law, or
where the consent of the individual is not
required due to an exception (for general
principles on withdrawal of consent, see
question 35 above).
If an individual requests that the organisation
deletes the photograph or video recording
containing his or her personal data, the
organisation is not strictly obliged to do so.
However, the organisation should be reminded
of its Retention Limitation Obligation, and can
only retain the personal data where necessary
for legal or business purposes.
42. Does the PDPA affect the organisation’s
copyright in the photograph or video
recording?
No. The PDPA does not affect any right or
obligation imposed under other laws,
including the Copyright Act (Cap. 63) (see
question 4 above for general principles).
Hence, the PDPA does not affect copyright
subsisting in a photograph, video recording or
any item protected by copyright.
43. Are organisations required to accede to
an individual’s request to delete CCTV
footage?
No. Organisations are not required to delete
video footage collected from their closed-
circuit television cameras (CCTVs) upon
request by an individual.
However, before providing a copy of CCTV
footage to any person (upon their request), the
organisation should mask the images of other
individuals who may be present in the CCTV
footage. This is because the PDPA does not
permit the organisation to disclose personal
data (such as video images) of other
individuals present in the CCTV footage where
the consent of those individuals for such
disclosure has not been obtained.
THE PURPOSE LIMITATION OBLIGATION
44. What do organisations have to comply
with under the Purpose Limitation
Obligation?
Under the Purpose Limitation Obligation,
organisations may collect, use or disclose
personal data about an individual only for
purposes that a reasonable person would
consider appropriate in the circumstances. The
particular circumstances involved need to be
taken into account in determining whether the
purpose of such collection, use or disclosure is
reasonable.
More generally, organisations should avoid
over-collecting personal data such as NRIC
numbers, where this is not required for their
business or legal purposes. The Commission
notes that there are situations where the
collection of NRIC numbers for verification or
identification purposes leads to a reduced
need to collect other forms of personal data.
Such situations would also be in line with the
good practice of not over-collecting data.
Organisations should also consider whether
there may be alternatives available that
address their requirements.
45. If an organisation captures CCTV
footage beyond the boundaries of their
own premises, does that go beyond the
Purpose Limitation Obligation?
Organisations are not strictly prohibited from
installing CCTVs that collect footage beyond
the boundaries of their premises. However,
organisations will need to consider whether
the extent of the coverage is reasonable for
the purpose of installing the CCTVs.
Organisations should also place appropriate
notification in all areas where personal data
would be collected by the CCTVs and obtain
consent for such collection, unless one of the
exceptions under the PDPA applies.
On a related note, organisations should be
aware of other restrictions (including legal
limits on the filming of restricted areas) that
may affect their ability to collect CCTV footage
of areas beyond their premises.
46. Can organisations collect NRIC cards?
Yes. However, organisations will need to
exercise caution when handling NRIC cards, as
they contain personal data and such personal
data will be subject to the Data Protection
Provisions.
47. For what business purposes are
organisations allowed to use NRIC
numbers?
This depends on the purposes (which should
be reasonable) for which consent to collect,
use and disclose the NRIC numbers has been
obtained by the organisation.
Organisations should note that, where NRIC
numbers are used as membership numbers or
user names, the disclosure of such
membership numbers or user names may also
result in the disclosure of NRIC numbers. In
this regard, the organisation will need to
consider whether it is reasonable to use the
individual’s NRIC number as the membership
number or user name, and also whether valid
consent has been obtained from the individual
concerned.
48. Can organisations publish NRIC
numbers for purposes such as the
results of lucky draws?
Yes, provided that valid consent has been
obtained from the individuals concerned.
That said, the Commission has noted that it is
good practice for organisations to publish only
as much personal data as necessary to fulfil
the relevant purpose. With regard to NRIC
numbers, it would be sufficient in most cases
to publish only a portion of the NRIC number
such as the last three digits and the alphabet.
The full NRIC number should only be used if
necessary, for example, to confirm the identity
of the person coming forth to receive the lucky
draw prize.
THE NOTIFICATION OBLIGATION
49. What do organisations have to comply
with under the Notification Obligation?
Organisations must inform individuals of the
purposes for which their personal data will be
collected, used and disclosed in order to
obtain their consent. This is important because
the organisation’s collection, use or disclosure
of personal data is limited to the purposes for
which the individuals concerned have been
notified (i.e. the Purpose Limitation
Obligation).
In particular, organisations have to inform the
individual of:
(a) the purposes for the collection, use or
disclosure of his or her personal data, on
or before collecting the personal data; or
(b) any purpose for use or disclosure of
personal data which has not been
informed under (a), before such use or
disclosure of personal data for that
purpose.
50. How should organisations notify
individuals of the purpose for the
collection, use and disclosure of their
personal data?
While no manner or form of notification is
mandated, organisations should determine the
best way to notify the individual, such that he
or she is provided with all the required
information to understand the purposes for
which his or her personal data is collected,
used or disclosed. Relevant factors to consider
in such a determination include:
(a) the circumstances in which it will be
collecting the personal data;
(b) the amount of personal data to be
collected;
(c) the frequency at which the personal data
will be collected; and
(d) the medium through which the
notification is provided (e.g. face-to-face
or through a telephone conversation).
It is generally good practice for an
organisation to state its purposes in a written
form (electronically or otherwise) so that the
individual is clear about its purposes and both
parties will be able to refer to a clearly
documented statement of the organisation’s
purposes in the event of any dispute.
The Commission has also suggested several
best practices that organisations can adopt:
(a) organisations should draft notices that are
easy to understand and appropriate to the
intended audience, provide headings or
clear indications of where the individuals
should look to determine the purposes for
which their personal data would be
collected, used or disclosed, and avoid
legalistic terminology that would confuse
or mislead individuals reading it;
(b) organisations should provide the most
important or basic information (e.g.
contact details of the organisation’s Data
Protection Officer) more prominently (e.g.
on the first page of an agreement) and
more detailed information elsewhere;
(c) organisations should consider if some
purposes may be of special concern or be
unexpected to the individual given the
context of the transaction, and whether
those purposes should be highlighted in
an appropriate manner;
(d) organisations should select the most
appropriate medium(s) to provide the
notification (e.g. in writing through a form,
on a website, or orally in person); and
(e) organisations should develop processes to
regularly review the effectiveness and
relevance of the notification policies and
practices.
51. Can organisations use a Data Protection
Policy to notify individuals of the
purposes for which it collects, uses and
discloses personal data?
Organisations may choose to notify individuals
of the purposes for which they collect, use and
disclose personal data through their Data
Protection Policy, which is a document setting
out the organisation’s policies and procedures
for complying with the PDPA.
The Data Protection Policy may be provided to
individuals as required, in the form of a
physical document, on the organisation’s
website or some other manner. However, the
Commission recommends that where the
policy is not made available to an individual as
a physical document, the organisation should
provide the individual with an opportunity to
view its Data Protection Policy before
collecting the individual’s personal data.
If an organisation’s Data Protection Policy sets
out its purposes in very general terms, the
organisation may need to provide a more
specific description of its purposes to a
particular individual who will be providing his
or her personal data in a particular situation, to
provide clarity to the individual on how his or
her personal data would be collected, used or
disclosed.
52. What level of detail is required when
notifying individuals of the purposes
for which their personal data is
collected, used and disclosed?
The Key Concepts Guidelines provide that an
organisation should state its purposes at an
appropriate level of detail for the individual to
determine the reasons for which the organisation
will be collecting, using or disclosing his or her
personal data. An organisation need not specify
every activity it will undertake in relation to
collecting, using and/or disclosing personal data
when notifying individuals of its purposes, and
may have regard to the following to determine
the level of specificity to provide:
(a) whether the purpose is stated clearly and
concisely;
(b) whether the purpose is required for the
provision of products or services (as
distinct from optional purposes);
(c) if the personal data will be disclosed to
other organisations, how the organisations
should be made known to the individuals;
(d) whether stating the purpose to a greater
degree of specificity would be a help or
hindrance to the individual understanding
the purpose(s) for which his or her personal
data would be collected, used, or disclosed;
and
(e) what degree of specificity would be
appropriate in light of the organisation’s
business processes.
53. Can organisations use and disclose
personal data for a different purpose
from which it was collected?
The organisation should first determine
whether or not the ‘different’ purpose actually
falls within the scope of the purposes for
which the individual concerned had originally
been informed.
If not, the organisation should consider
whether consent can be deemed to have been
given in respect of use or disclosure for that
purpose. Failing that, the organisation may
determine whether the purpose falls within the
exceptions from consent in the Third and
Fourth Schedules of the PDPA. If the purpose
does fall within these categories, there is no
need to obtain fresh consent.
If, however, the organisation determines that
the different purpose does not fall within these
categories, the organisation needs to inform
the individual of the new purpose and obtain
fresh consent.
54. Is it always necessary for an
organisation to notify individuals prior
to collecting, using or disclosing their
personal data for research and analytics
activities?
It will not be strictly necessary to obtain
consent from an individual to use their
personal data for a research purpose as set out
in paragraph 1(i) of the Third Schedule of the
PDPA, if all the conditions in paragraph 2 of
the Third Schedule of the PDPA are satisfied,
that is:
(a) the research purpose cannot reasonably
be accomplished unless the personal data
is provided in an individually identifiable
form;
(b) it is impracticable for the organisation to
seek the consent of the individual for the
use;
(c) the personal data will not be used to
contact persons to ask them to participate
in the research; and
(d) linkage of the personal data to other
information is not harmful to the
individuals identified by the personal data
and the benefits to be derived from the
linkage are clearly in the public interest.
Generally and where the exception does not
apply, organisations will need to:
(a) specify research and analytics as a purpose
for which consent of an individual is
sought, and obtain the individual’s consent
for collection, use and/or disclosure for
such purpose;
(b) rely on consent that has been given by an
individual for a purpose that does not
explicitly cover analytics and research if
the purpose of the analytics and research
falls within the original purpose for which
consent was given; or
(c) use anonymous or anonymised data to
conduct the research or analytics activities
(see questions 91 and 92 for more details
on anonymisation).
55. Do organisations always need to notify
individuals when CCTVs are deployed?
Generally, yes. Individuals will need to be
notified that CCTVs are operating in the
premises, as well as for what purposes, if this
may not be obvious to individuals. This is
because organisations will generally need to
get their consent for the collection, use or
disclosure of CCTV footage. Where there may
be exceptions to the requirement to obtain
consent from individuals for the collection, use
or disclosure of their personal data (e.g. where
the personal data is publicly available), the
Commission recommends that organisations
still provide notification, as a matter of best
practices, where CCTVs are deployed.
While the PDPA does not prescribe the content
of the notification required, organisations
should put up notices or other forms of
notifications, for example, at points of entry or
prominent locations in a venue or a vehicle to
notify individuals that CCTVs have been
deployed in the premises. It is not necessary for
the placement or content of notifications to
reveal the exact location of the CCTVs.
56. Do organisations need to notify
individuals when drones used are likely
to capture personal data?
Generally, yes. Organisations need to notify
individuals that the drones are capturing
personal data (e.g. photographs or video
recordings) in the area, as well as the purposes
for the collection, use or disclosure of personal
data captured by their drones. Where exceptions
to the requirement to obtain consent apply,
the organisation is not obliged to notify the
individuals, although the Commission
recommends that notice is given as a matter of
good practice.
The Guidelines suggest that notifications may
be placed at entry points to the operation
area, prominent locations along the flight path
or at the launch site.
57. Do recruitment agencies always need
to notify individuals before collecting,
using or disclosing their personal
data?
Recruitment companies, employment
agencies, headhunters and similar
organisations will generally need to notify
individuals before collecting, using or
disclosing their personal data, unless one of
the exceptions under the PDPA applies.
There may be some cases, however, where a
recruitment agency acts only as a data
intermediary (see question 13 above). In these
cases, the recruitment agency that is a data
intermediary would only be subject to the
provisions in the PDPA relating to the
safeguarding and retention of personal data in
respect of the processing of personal data on
behalf of and for the purposes of the
organisation (for which it is acting as a data
intermediary), pursuant to a contract with such
organisation which is evidenced or made in
writing.
58. Do employers need to notify and obtain
consent from employees in respect of
collecting, using or disclosing their
personal data for employment purposes?
This will depend on the precise scope and
nature of these employment purposes.
The PDPA does not prescribe the form or
manner in which organisations are to provide
an individual with the required information
that allows him or her to understand the
purposes for which his or her personal data
would be collected, used and disclosed in the
employment context. In this regard, it is
possible for organisations to inform their
employees of these purposes through
employment contracts, employee handbooks,
or notices in the company intranet (for
instance).
Managing or terminating the employment
relationship
Generally, it would be reasonable for an
organisation to continue to use personal data
provided by an employee in a job application
form, for the purpose of managing the
employment relationship with the individual.
The PDPA allows employers to collect personal
data from their employees, insofar as it is
reasonable for the purpose of managing or
terminating their employment relationships,
and to use or disclose such employees’
personal data for consistent purposes, without
their consent.
Importantly, however, while consent is not
required, employers will need to notify
employees where they are collecting the
employees’ personal data for purposes of
managing or terminating the employment
relationship. This is in contrast to situations
where the employer may be collecting
employee personal data for evaluative
purposes (see below).
The Selected Topics Guidelines provide that
the purposes of “managing and terminating an
employment relationship” include the following:
(a) using the employee’s bank account details
to issue salaries;
(b) monitoring how the employee uses
company computer network resources;
(c) posting employees’ photographs on the
staff directory page on the company
intranet; and
(d) managing staff benefit schemes like
training or educational subsidies.
However, as a matter of best practices,
organisations should, upon appointment or
hiring of an employee, obtain consent from
the employee to maintain such employee’s
employment records.
Further, should the organisation require
additional personal data or intend to use or
disclose the employee’s personal data for other
purposes during the course of the employment
relationship, it will also be necessary to obtain
relevant consent from the employee.
Where an organisation has sufficiently provided
a general notification to employees on the
purposes for which their personal data may be
collected, used and disclosed, for example, for
performance appraisals, the Commission does
not expect organisations to notify employees of
the same purpose prior to each time that the
organisation engages in such activities.
Evaluative purposes
An employer need not obtain consent from, or
notify, an employee or prospective employee
when collecting, using or disclosing personal
data for evaluative purposes. Such evaluative
purposes include:
(a) where an employer seeks to obtain a
reference from a prospective employee’s
former employer to determine his or her
suitability, eligibility or qualifications for
employment; and
(b) where an employer seeks to obtain
performance records or other relevant
information or opinions to determine the
performance of an employee, or for
promotion in employment or continuance
in employment.
Other purposes
In relation to the collection, use or disclosure
of employee personal data for other purposes
that are not relevant to the management or
termination of the employment relationship,
and where no other exception under the PDPA
applies, an employer organisation will need to
inform individuals of those purposes and
obtain consent from the employee.
This includes where the employer collects, uses
or discloses employee personal data for
business or client purposes not related to
managing or terminating an employment
relationship. For instance, if an organisation
provides the full name and NRIC number of an
employee for purposes of allowing a courier
company to enter its office premises, the
organisation will need to obtain the
employee’s consent prior to disclosing the
employee’s personal data. Such consent can
be obtained on a case-by-case basis, or once-
off through the employment contract or other
appropriate means.
THE ACCESS AND CORRECTION
OBLIGATIONS
59. What do organisations have to comply
with under the Access and Correction
Obligations?
Under the Access Obligation, upon the request
of an individual, an organisation is required to
provide the individual with the following as
soon as reasonably possible:
(a) personal data about the individual that is
in the possession or under the control of
the organisation; and
(b) information about how the personal data
has been or may have been used or
disclosed by the organisation within a year
before the individual’s request.
Under the Correction Obligation, upon receipt
of a correction request, an organisation should:
(a) correct the personal data as soon as
practicable; and
(b) send the corrected personal data to every
other organisation to which the personal
data was disclosed by the organisation
within a year before the correction
request, unless that other organisation
does not need the corrected personal data
for any legal or business purpose;
unless it is satisfied on reasonable grounds
that the correction should not be made.
These obligations are collectively referred to as
Access and Correction Obligations in the
Guidelines, as they operate together to
provide individuals with an ability to verify
their personal data.
60. What should organisations do to ensure
that the individual can validly make an
access request?
An organisation should exercise due diligence
to verify an individual’s identity when it
receives an access request, and is
encouraged to keep documentary evidence of
the verification. To facilitate the process, the
organisation may set out standard operating
procedures on the verification process when
receiving requests for access. For example, the
organisation may have a list of questions for
its employee to verify the identity of the
individual when handling access requests.
When a third party is making an access request
on behalf of an individual, organisations
receiving the access request should exercise
due diligence to ensure that the third party has
the legal authority to validly act on behalf of
the individual.
Where two or more individuals make an access
request at the same time for their respective
personal data captured in the same set of
records, the organisation may obtain consent
from the respective individuals to disclose their
personal data to each other. If such consent
cannot be obtained, an organisation may
provide access to the personal data to the
individuals separately.
61. Are organisations obliged to comply
with Access and Correction Obligations if
an individual’s personal data is not in its
possession but with a data intermediary?
The Access and Correction Obligations relate
to personal data in an organisation’s
possession as well as personal data that is
under its control (which may not be in its
possession). For example, this includes a data
intermediary that is processing the personal
data under the control of the organisation.
Data intermediaries themselves are not subject
to the Access and Correction Obligations
under the PDPA to the extent that they are
processing personal data on behalf of another
organisation. In this regard,
organisations that engage the data
intermediary remain responsible for ensuring
compliance with the Access and Correction
Obligations under the PDPA.
Note also that a data intermediary is not obligated to forward
an individual’s access or correction request to
the organisation that controls the personal
data.
62. Do organisations have to comply with
Access Obligations with regards to
personal data embedded in emails?
An organisation’s obligation to provide access
to personal data extends to personal data that
has been captured in unstructured forms.
Hence, personal data embedded in emails is
covered by the Access Obligation.
However, organisations are not required to
provide access if the burden or expense of
providing access is unreasonable to the
organisation, disproportionate to the
individual’s interest, or if the request is
otherwise frivolous or vexatious.
63. What is the level of detail required
when providing a response to an access
request?
Request for an individual’s personal data
To be clear, an organisation is not required to
provide access to the documents (or systems)
which do not comprise or contain the personal
data in question, as long as the organisation
provides the individual with the personal data
that the individual requested and is entitled to
have access to.
Generally, the organisation’s actual response
would depend on the individual’s specific
request. Under section 21(1) of the PDPA, an
individual is entitled to request some or all
of his or her personal data. Although the PDPA
does not require that an access request be
accompanied by further details clarifying the
request, an organisation may in good faith ask
the applicant to be more specific as to what
type of personal data he or she requires to
facilitate the organisation’s level of response. If
the individual is unable or unwilling to provide
more details, the organisation should make an
attempt to respond to the access request as
accurately and completely as reasonably
possible in the circumstances.
Request for information about the ways
personal data has been used or disclosed
As stated in section 21(1) of the PDPA, an
organisation is required to provide information
relating to how the personal data has been or
may have been used or disclosed within the
past year upon the individual’s request. In this
regard, the organisation may develop a
standard list of all possible third parties to
whom personal data may have been disclosed
by the organisation, as an alternative to
providing a specific set of third parties to
whom the personal data has been disclosed.
Nevertheless, if a standard list is used, the
organisation should update the list regularly
and ensure that the information is accurate
before providing the list to the individual.
Generally, in responding to a request for
information on third parties to which personal
data has been disclosed, the organisation
should individually identify each possible third
party, instead of simply providing general
categories of organisations to which personal
data has been disclosed. This would allow
individuals to directly approach the third party
organisation to which his or her personal data
has been disclosed.
In specifying how the personal data has been
or may have been used or disclosed within the
past year, organisations may provide
information on the purposes rather than the
specific activities for which the personal data
may have been used or disclosed. For example,
in the case of an audit, an organisation may
state that the personal data was disclosed for
the purposes of audit, rather than describing
all the instances in which the personal data
has been disclosed.
When acceding to the access request,
organisations are prohibited from disclosing
the personal data of other individuals.
64. When are organisations not required to
accept an individual’s access request?
Exceptions that are not mandatory
Under the PDPA, an organisation is not
required to accede to an access request in the
following non-exhaustive list of matters:
(a) examination scripts or results;
(b) a document related to a prosecution if all
proceedings have not yet been completed;
(c) personal data which is subject to legal
privilege;
(d) confidential commercial information that
could harm the competitive position of the
organisation; or
(e) any request -
i. that would unreasonably interfere with
the operations of the organisation
because of the repetitious or
systematic nature of the requests;
ii. if the burden or expense of providing
access would be unreasonable to the
organisation or disproportionate to
the individual’s interests;
iii. for information that does not exist or
cannot be found;
iv. for information that is trivial; or
v. that is otherwise frivolous or vexatious.
Exceptions that are mandatory
Under the PDPA, an organisation is prohibited
from granting an access request in the
following non-exhaustive list of matters where
access would:
(a) threaten the safety or physical or mental
health of another individual;
(b) cause immediate or grave harm to the
safety or physical or mental health of the
requesting individual;
(c) reveal personal data about another
individual (without satisfying the Consent
Obligations);
(d) reveal the identity of an individual who has
provided personal data about another
individual and the former does not
consent to the disclosure of their identity;
or
(e) be contrary to the national interest.
65. How long should organisations take in
responding to an access request?
An organisation must respond to an access
request as soon as reasonably possible from
the time the access request is received. If an
organisation is unable to respond to an access
request within 30 calendar days after receiving
the request, the organisation shall inform the
individual in writing within 30 days of the time
by which it will be able to respond to the
request.
66. Can organisations charge fees for an
individual’s access to personal data?
Organisations may charge an individual a
reasonable fee for access to personal data
about the individual. The chargeable fee may
take into account the incremental costs of
responding to the access request. An example
of such incremental costs is the cost of
producing a physical copy of the personal
data. In addition, the chargeable fee can reflect
the time and effort required to respond to the
request. However, costs incurred in capital
purchases, such as the purchase of new
equipment to facilitate access to the requested
personal data, should not be charged.
The Commission may review a fee charged by
an organisation upon the application of an
individual. In reviewing a fee, the Commission
may consider the relevant circumstances,
including the following factors:
(a) the absolute amount of the fee;
(b) the effort and materials required to
provide the response;
(c) similar fees charged in the industry; and
(d) the incremental cost of providing access.
If the organisation decides to charge a fee to
fulfill the access request, the organisation must
give the individual a written estimate of the fee.
If the organisation wishes to charge a fee higher
than the original written estimate, it must
inform the individual in writing of the increased
fee. The organisation may refuse to provide
access to the individual’s personal data if the
individual declines to pay the access fee.
For the correction of personal data,
organisations are not entitled to impose a
charge on the individual.
67. How should organisations deal with
access requests relating to the
disclosure to a prescribed law
enforcement agency?
For situations where an organisation has
disclosed the personal data of an individual to
a prescribed law enforcement agency without
the consent of the individual, as permitted
under the PDPA, the organisation is prohibited
from informing the individual that disclosure
has been made.
68. How should organisations deal with an
individual’s personal data when an
access request is received?
Processing the access request
The organisation should first ensure that the
individual’s personal data is not disposed of. If
an organisation has scheduled periodic
disposal or deletion of personal data, the
organisation is to identify the requested
personal data as soon as reasonably possible
after receiving the access request, and
preserve the requested personal data while the
organisation processes the access request.
However, organisations should generally be
mindful not to unnecessarily preserve personal
data “just in case” to meet possible access
requests, and should be mindful of their
Retention Limitation Obligation (i.e. not to
retain personal data indefinitely when there is
no business or legal purpose to do so).
Rejecting the access request
If an organisation determines that it is
appropriate to withhold requested personal
data from an individual under the PDPA, the
organisation should first keep the withheld
personal data for at least 30 days after
rejecting the access request. This is to
allow the individual time to seek a review of
the organisation’s decision. In the event the
organisation receives a Notice of Review from
the Commission, the organisation should
preserve the withheld data until the
Commission’s review is concluded and any
right of the individual to apply for
reconsideration and appeal is exhausted.
For the purpose of responding to access and
correction requests in writing, at least one item
of the business contact information of the
designated individual should be a mailing
address or an email address.
69. How should organisations reject an
access request?
If an organisation determines that it is
appropriate under the PDPA to reject the
request for personal data, the organisation
should provide a reply to the individual. As a
matter of good practice, the organisation
should inform the individual of the relevant
reason(s), so that the individual is aware and
understands the organisation’s reason(s) for its
decision. Similarly, as a matter of good
practice, the organisation should also keep a
record of all access requests received and
processed, and document clearly whether the
requested access was provided or rejected.
70. Will the Access Obligation require
organisations to accede to an
individual’s request to access CCTV
footage?
Yes, unless a relevant exception in the Fifth
Schedule of the PDPA applies (e.g. the request
is frivolous or vexatious, or if the burden or
expense of providing access would be
unreasonable to the organisation or
disproportionate to the individual’s interests).
The Selected Topics Guidelines suggest that
harming an organisation’s competitive
position, or compromising an organisation’s
security arrangements (e.g. where the
provision of the personal data in the CCTV
footage could reasonably be expected to
threaten the safety of another individual),
could be a sufficient reason to deny access to
CCTV footage. In such a case, the organisation
will need to ensure that it has strong
justifications and supporting evidence to
justify its decision to reject the individual’s
request for access to the CCTV footage.
71. Are there any specific requirements that
organisations need to comply with,
when acceding to an individual’s
request to access CCTV footage?
Where an individual requests access to
CCTV footage, the organisation concerned
should provide a copy of the CCTV footage to
the individual. While the PDPA does not
prescribe any minimum resolution for CCTV
footage that is requested to be provided to
individuals, given that the requirement is for
the organisation to provide the personal data
in its possession or under its control, the
organisation should provide the CCTV footage
in the form (i.e. still frames or actual footage)
and of the resolution it holds for its purposes.
In providing the individual a copy of the CCTV
footage, the organisation should generally
seek to mask images of other individuals who
may be present in the CCTV footage. There are
three common types of masking: (i) solid
coloured masking; (ii) blurred masking; or (iii)
pixelated masking. When solid coloured
masking is used, no details in the masked area
can be seen. Blurred or pixelated masking
methods enable a partial outline to be seen
but obscure the detailed features of the area.
Although blurred or pixelated masking
methods preserve the original feel of the
image, individuals may still be identifiable.
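To make the difference between the three masking types concrete, here is an added example (not code from the Guidelines or from Drew & Napier) that applies solid, pixelated and blurred masking to a constructed 12x12 greyscale frame standing in for a CCTV still, and measures how much contrast survives inside the masked area. The frame contents, box coordinates and the contrast measure are all assumptions made for the illustration.

```python
from copy import deepcopy


def sample_frame(height=12, width=12, background=30, figure=220):
    """Constructed stand-in for a CCTV still: dark background, one bright
    8x4 silhouette (rows 2-9, cols 4-7) representing a bystander."""
    frame = [[background] * width for _ in range(height)]
    for row in range(2, 10):
        for col in range(4, 8):
            frame[row][col] = figure
    return frame


# A box is (top, left, bottom, right) with bottom and right exclusive.
def _clip(box, frame):
    top, left, bottom, right = box
    return (max(0, top), max(0, left),
            min(len(frame), bottom), min(len(frame[0]), right))


def mask_solid(frame, box, fill=0):
    """Solid coloured masking: every pixel in the box becomes one value,
    so nothing in the masked area can be made out."""
    out = deepcopy(frame)
    top, left, bottom, right = _clip(box, frame)
    for row in range(top, bottom):
        for col in range(left, right):
            out[row][col] = fill
    return out


def mask_pixelate(frame, box, block=4):
    """Pixelated masking: each block x block tile is replaced by its mean.
    Fine detail is lost but the coarse outline of a figure survives."""
    out = deepcopy(frame)
    top, left, bottom, right = _clip(box, frame)
    for brow in range(top, bottom, block):
        for bcol in range(left, right, block):
            rows = range(brow, min(brow + block, bottom))
            cols = range(bcol, min(bcol + block, right))
            total = sum(frame[r][c] for r in rows for c in cols)
            value = total // (len(rows) * len(cols))
            for r in rows:
                for c in cols:
                    out[r][c] = value
    return out


def mask_blur(frame, box, radius=1):
    """Blurred masking: box blur over a (2*radius+1)^2 window of the
    original. Edges soften but large bright regions stay bright."""
    out = deepcopy(frame)
    top, left, bottom, right = _clip(box, frame)
    for row in range(top, bottom):
        for col in range(left, right):
            window = [
                frame[r][c]
                for r in range(max(0, row - radius),
                               min(len(frame), row + radius + 1))
                for c in range(max(0, col - radius),
                               min(len(frame[0]), col + radius + 1))
            ]
            out[row][col] = sum(window) // len(window)
    return out


def region_contrast(frame, box):
    """Max minus min inside the box; 0 means no structure remains."""
    top, left, bottom, right = _clip(box, frame)
    values = [frame[r][c] for r in range(top, bottom) for c in range(left, right)]
    return max(values) - min(values)


def compare_masks():
    """Mask the whole sample frame each way and report remaining contrast."""
    frame = sample_frame()
    everything = (0, 0, len(frame), len(frame[0]))
    return {
        "original": region_contrast(frame, everything),
        "solid": region_contrast(mask_solid(frame, everything), everything),
        "pixelated": region_contrast(mask_pixelate(frame, everything), everything),
        "blurred": region_contrast(mask_blur(frame, everything), everything),
    }


if __name__ == "__main__":
    for name, contrast in compare_masks().items():
        print(f"{name:10s} contrast={contrast}")
```

Run on the sample frame, only the solid mask drives the contrast to zero; the pixelated and blurred versions keep a bright column where the silhouette stood, which is exactly why the Guidelines note that individuals may still be identifiable under those two methods. An organisation choosing blurring or pixelation for a real request should check the masked output in the same way before releasing it.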
Organisations have the option of requiring
that individuals pay a minimal fee before
acceding to any such request for a copy of the
CCTV footage.
On a related note, organisations may require
that the individual, to whom it provides a copy
of CCTV footage, sign a contract to agree not
to disclose to any third party the CCTV footage
provided to him or her. However,
organisations should note that individuals
acting in a personal or domestic capacity are
not subject to the Data Protection Provisions
of the PDPA.
72. Can individuals make joint access
requests for CCTV footage containing
their images, if they consent to their
own images being viewed by the others
making the joint request?
Yes. The Commission has expressed its views
that it would be reasonable for certain groups
of individuals (e.g. a married couple, or parents
of a class of students) to jointly make an
access request to view CCTV footage.
In such a case, where consent has been
obtained from the individuals requesting the
footage, no masking is required.
73. Can job applicants ask an organisation
to reveal how much information the
organisation has about them, or find
out why they were not selected?
Generally, yes. A job applicant would have the
right to request access to their personal
data held in the possession or under the
control of an organisation, to find out whether
and what type of their personal data is held
by the organisation, and how the organisation
is using their personal data.
However, the PDPA provides for certain
exceptions where an organisation need not
accede to such request by a job applicant. For
example, if the personal data in question is
opinion data kept solely for an evaluative
purpose (e.g. opinions of management staff of
the organisation which were formed about the
job applicant in the course of determining his
or her suitability and eligibility for the job), the
organisation will not be required to provide
such information to the individual.
74. When are organisations not required to
accept an individual’s correction
request?
Under the PDPA, an organisation is not
required to accede to a correction request in
the following non-exhaustive list of matters:
(a) the opinion data is kept solely for an
evaluative purpose;
(b) examination scripts or results;
(c) the personal data of the beneficiaries of a
private trust kept solely for the purpose of
administering the trust;
(d) a document related to a prosecution if all
proceedings have not yet been completed;
and
(e) personal data kept by an arbitral or
mediation institute for the purposes of
proceedings conducted within that
institute.
75. How should organisations reject a
correction request?
If an organisation rejects a correction request,
the organisation is required to make a note to
the personal data indicating that a correction
was requested but was not made. As a matter
of good practice, the organisation should
inform the individual of the relevant reason(s)
why the correction should not be made.
76. How long should organisations take in
responding to a correction request?
An organisation must respond to a correction
request as soon as practicable from the time
the correction request is received. If an
organisation is unable to respond to a
correction request within 30 days after
receiving the request, the organisation shall
inform the individual in writing within 30 days
of the time by which it will be able to respond
to the request.
THE ACCURACY OBLIGATION
77. What do organisations have to comply
with under the Accuracy Obligation?
The Accuracy Obligation requires
organisations to make reasonable efforts to
ensure that personal data collected is accurate
and complete, if it is likely that the personal
data will be used to make a decision that
affects the individual to whom the personal
data relates, or the personal data is likely to be
disclosed to another organisation.
In order to ensure that personal data is
accurate and complete, an organisation must
make a reasonable effort to ensure that:
(a) it accurately records personal data which it
collects (whether directly from the
individual concerned or through another
organisation);
(b) personal data it collects includes all
relevant parts thereof (so that it is
complete);
(c) it has taken the appropriate (reasonable)
steps in the circumstances to ensure the
accuracy and correctness of the personal
data; and
(d) it has considered whether it is necessary to
update the information.
Depending on the exact circumstances at
hand, in determining what may be considered
a reasonable effort, an organisation should
take into account factors such as the following:
(a) the nature of the data and its significance
to the individual concerned (e.g. whether
the data relates to an important aspect of
the individual such as his or her health);
(b) the purpose for which the data is
collected, used or disclosed;
(c) the reliability of the data (e.g. whether it
was obtained from a reliable source or
through reliable means);
(d) the currency of the data (that is, whether
the data is recent or was first collected
some time ago); and
(e) the impact on the individual concerned if
the personal data is inaccurate or
incomplete (e.g. based on the probable
use of the data by the organisation or by
another organisation to which the first
organisation has disclosed the data).
The Commission has noted that an
organisation may not be required to check the
accuracy and completeness of an individual’s
personal data each and every time it makes a
decision, or is likely to make a decision, about
the individual. Organisations should perform
their own risk assessments to ensure accuracy
and completeness.
78. In complying with the Accuracy
Obligation, can a different level of care
be adopted when the personal data is
obtained directly from the individual
compared to when it is obtained from
third party sources?
Personal Data collected from the individual
Organisations may presume that personal data
provided directly by the individual concerned
is accurate in most circumstances. When in
doubt, organisations can consider requiring
the individual to make a verbal or written
declaration that the personal data provided is
accurate and complete.
Additionally, where the currency of the personal
data is important, the organisation should take
steps to verify that the personal data provided
by the individual is up to date (for example, by
requesting a more updated copy of the
personal data before making a decision that will
significantly impact the individual).
Personal Data collected from third party sources
An organisation should be more careful when
collecting personal data from a source other
than the individual in question. It is allowed to
take differing approaches to ascertain the
accuracy and completeness of personal data it
collects depending on the reliability of the
source of the data. For example, the
organisation may obtain confirmation from the
source of the personal data that the source
had verified the accuracy and completeness of
that personal data. It may also conduct further
independent verification if it deems prudent to
do so.
Similar considerations apply when deciding
whether personal data should be updated.
While not all types of personal data require
updates, where the use of outdated personal
data in a decision-making process could affect
the individual, then it would be prudent for the
organisation to update such personal data.
79. Should organisations take extra
measures to verify the accuracy of
personal data of minors?
Organisations should consider taking extra
steps to verify the accuracy of personal data
about a minor when establishing measures to
comply with the Accuracy Obligation under
the PDPA, particularly in cases where such
inaccuracy may have severe consequences for
the minor.
THE PROTECTION OBLIGATION
80. What does it mean to make “reasonable
security arrangements to protect
personal data”?
To determine what may be reasonable and
appropriate, the organisation should take into
consideration:
(a) what type of personal data it has in its
possession or under its control;
(b) in what medium the personal data has been
collected (e.g. hardcopy or softcopy);
(c) who has access to the personal data;
(d) whether any personal data is or will be
held or used by third parties on behalf of
the organisation;
(e) what possible harm might arise from a
security breach (e.g. what consequences
there might be to the individual concerned
if his or her personal data is obtained,
modified or disposed by an unauthorised
person); and
(f) who will be responding to information
security breaches.
An organisation may wish to put in place
different levels of security according to the
level of sensitivity of the personal data.
In practice, an organisation should:
(a) design and organise its security
arrangements to fit the nature of the
personal data held by the organisation
and the possible harm that might
result from a security breach;
(b) identify reliable and well-trained
personnel responsible for ensuring
information security;
(c) implement robust policies and
procedures for ensuring appropriate
levels of security for personal data of
varying levels of sensitivity; and
(d) be prepared and able to respond to
information security breaches
promptly and effectively.
81. What types of security arrangements
can an organisation put in place?
A combination of administrative, physical and
technical or other measures may be used,
depending on what is reasonable and
appropriate for an organisation (see question
80 above).
Some examples include:
(a) setting out confidentiality obligations in all
staff employment contracts;
(b) implementing staff policies and manuals
on personal data protection;
(c) conducting regular staff training on how
to handle personal data and updates on
what types of potential threats there may
be to personal data;
(d) taking disciplinary action against staff who
breach confidentiality obligations;
(e) limiting the amount of personal data
collected by the organisation to what is
necessary (i.e. avoid holding excessive
personal data);
(f) marking documents as “confidential”;
(g) storing confidential documents under lock;
(h) limiting staff access to confidential
documents on a need-to-know basis;
(i) using privacy filters on laptops and
computers;
(j) shredding confidential documents when
no longer needed, or by other means of
secure destruction;
(k) using registered post instead of normal
post when delivering confidential
documents;
(l) creating different layers of access to
documents which contain personal data,
so that personal data is accessed only
when necessary;
(m) confirming the identity of an individual
prior to disclosing any personal data to
such individual to ensure that the
individual is the correct recipient;
(n) ensuring computer networks are secure;
(o) adopting appropriate access controls (e.g.
considering stronger authentication
measures where appropriate);
(p) encrypting personal data;
(q) using self-locking mechanisms for
computer screens after a certain period of
inactivity;
(r) installing appropriate computer security
software and using suitable computer
security settings;
(s) wiping personal data from IT devices
before they are disposed of, sold or recycled;
(t) using the appropriate email security
setting when sending or receiving highly
confidential emails;
(u) regular updating of computer and IT
security equipment and software; and
(v) engaging IT service providers which are
able to provide the requisite standard of IT
security.
Additionally, it might be useful for
organisations to undertake a risk assessment
exercise to ascertain whether their information
security arrangements are adequate.
82. Are organisations responsible if their
employees do not comply with the
PDPA?
Yes, insofar as the act done or conduct
engaged in by the employee was in the course
of his or her employment. The PDPA will treat
such act or conduct as having been done or
engaged in by the employer, irrespective of
whether it was done or engaged in with the
employer’s knowledge or approval.
That said, an organisation may not be liable for
offences under the PDPA by an employee of
an organisation, if it took such steps as were
practicable to prevent the employee from
doing the act or engaging in the conduct that
constitutes the offence.
It should be noted that, for the purposes of
the PDPA, an “employee” includes a volunteer,
and an employment relationship will include
an unpaid volunteer work relationship.
THE RETENTION LIMITATION OBLIGATION
83. How long should an organisation retain
personal data?
Organisations should assess the reasons for
which they retain personal data, and regularly
assess whether personal data still needs to be
retained. While the Retention Limitation
Obligation does not specify a fixed duration
for which an organisation can retain
personal data, the retention duration is
assessed on a standard of reasonableness.
It should be noted that although the PDPA
does not prescribe a specific retention period
for personal data, organisations would need to
comply with any legal or specific industry-
standard requirements that may apply.
Generally, organisations should only retain
personal data:
(a) if it is necessary for the purposes for which
the personal data was collected; or
(b) for business or legal purposes.
With regard to (a) above, for instance, if an
organisation has only obtained valid consent
from an individual to collect personal data for a
certain purpose (i.e. purpose A), it must not
keep that personal data “just in case” it may be
needed for any purposes other than purpose A.
With regard to (b) above, some examples of
legal or business purposes include:
(a) for ongoing legal action involving the
organisation;
(b) to comply with applicable laws,
regulations, whether in Singapore or
outside of Singapore, including
international or regional standards; and
(c) to generate the organisation’s annual
reports, performance forecasts, etc.
84. What are some recommended best
practices in relation to the retention of
personal data?
The Commission recommends that
organisations should draw up policies which
set out the retention periods for personal data.
Such policies may provide for varying
retention periods in respect of different types
of personal data held by the organisation.
As a guide, organisations may wish to retain
documents regarding its contracts for 7 years
from the date of termination of the contract,
as actions founded on contract will generally
need to be brought within 6 years from the
date on which the cause of action accrued.
However, it may be necessary to retain such
contracts for a longer period if there are
ongoing legal proceedings or investigations
regarding these contracts.
85. How long can organisations continue to
hold personal data of former
employees?
As mentioned in question 83 above,
organisations may continue to retain personal
data about former employees that were
collected during their respective employment
periods for as long as there is a valid business
or legal purpose.
The Commission has clarified that
organisations which have a policy of retaining
personal data of former employees for the
purpose of considering them for future job
opportunities can continue to do so as a valid
business purpose. However, organisations
should not retain personal data without a
clearly defined purpose.
86. What does it mean to “cease to retain”
personal data?
There are various ways in which an
organisation may cease to retain personal
data.
The mere locking of documents in a cabinet or
archiving personal data in electronic form(s) is
considered to be retaining the documents. As
far as possible, organisations should cease to
retain documents in a manner that renders them
completely irretrievable or inaccessible to the
organisation.
The Commission has indicated that it will
consider whether an organisation has ceased
to retain personal data, in light of the
following factors:
(a) whether the organisation has any intention
to use or access the personal data;
(b) how much effort and resources the
organisation would need to expend to use or
access the personal data again;
(c) whether any third parties have been given
access to the personal data; and
(d) whether the organisation has made a
reasonable attempt to completely destroy,
dispose of or delete the personal data
permanently.
Some ways in which an organisation may
cease to retain personal data include:
(a) returning those documents containing
personal data to the individual concerned;
(b) transferring those documents containing
personal data to another person, if
instructed by the individual concerned;
(c) shredding those documents containing
personal data; and
(d) anonymising the personal data, such that the
remaining data can no longer be used to
identify any particular individual (see questions
91 to 93 for more details on anonymisation).
THE TRANSFER LIMITATION OBLIGATION
87. What is the Transfer Limitation
Obligation?
The Transfer Limitation Obligation refers to the
requirement not to transfer personal data
unless the transfer is made in accordance with
the requirements prescribed under the PDPA.
This is to ensure that organisations provide a
standard of protection to personal data that
has been transferred overseas, one which is
comparable with the protection provided
under the PDPA.
The conditions under which an organisation
may transfer personal data overseas are
specified in the regulations issued under the
PDPA. In essence, an organisation may transfer
personal data overseas if it has taken
appropriate steps to ensure that it will comply
with the PDPA while the personal data is in its
possession or under its control. If the personal
data is transferred to a recipient in a country
or territory outside of Singapore, the recipient
has to be bound by legally enforceable
obligations to provide that the personal data
so transferred is under a standard of
protection that is comparable to that under
the PDPA.
In this regard legally enforceable obligations
include obligations imposed on the recipient
under any law, contracts, binding corporate
rules, or any other legally binding instrument.
88. What are the conditions that
organisations have to satisfy before
transferring personal data overseas?
Organisations that intend to transfer personal
data overseas must first satisfy the following
conditions:
(a) ensure that the organisation complies with
the PDPA while the personal data remain
under its possession or control; and
(b) ensure that the foreign recipient is bound by
legally enforceable obligations to provide
a standard of protection that is
comparable to that under the PDPA.
To ensure that the recipient provides a
standard of protection that is comparable to
that under the PDPA, the transferring
organisation should contract for protections
regarding the various Obligations set out
under the PDPA.
An organisation transferring personal data
overseas is assumed to have taken appropriate
steps to ensure that the recipient is bound by
legally enforceable obligations to provide a
standard of protection comparable to that
under the PDPA to personal data if:
(a) the individual whose personal data is
to be transferred gives his consent to
the transfer (organisation should
provide the individual with a
reasonable summary in writing of the
extent to which the personal data
transferred to those countries will be
protected);
(b) transfer is necessary for the
performance of a contract between
the organisation and the individual
(for example, if the organisation is a
data intermediary of the individual
pursuant to a contract between them
in relation to the transfer), or to do
with the individual entering a contract
with the organisation;
(c) transfer is necessary for the conclusion
or performance of a contract between
the organisation and a third party
which is entered into at the
individual’s request, or which a
reasonable person would consider to
be in the individual’s interest;
(d) transfer is necessary for a use or
disclosure in certain situations where
the consent of the individual is not
required under the PDPA. The
organisation is required to take
reasonable steps to ensure that the
personal data will not be used or
disclosed by the recipient for any
other purpose before transferring
personal data;
(e) the personal data is data in transit (e.g.
data that only passes through servers
within Singapore but is en route to a
destination overseas); or
(f) the personal data is publicly available
in Singapore.
THE OPENNESS OBLIGATION
89. What is the Openness Obligation?
The Openness Obligation is a term coined by
the Commission, which generally refers to the
requirement for organisations to make their
data protection policies and practices available
to those individuals whose personal data they
collect.
This also refers to the Data Protection
Provisions which make organisations
accountable to individuals and the
Commission for compliance with the Data
Protection Provisions, by the following means:
(a) giving the right to individuals to request
for access to their personal data held in
the possession or under the control of an
organisation, to find out whether and what
type of their personal data are held by the
organisation, and how the organisation is
using their personal data;
(b) giving the right to individuals to submit
complaints to the Commission regarding
an organisation’s conduct and compliance
with the Data Protection Provisions;
(c) giving the right to individuals who suffer
loss or damage directly as a result of an
organisation’s contravention of the Data
Protection Provisions to commence civil
proceedings against the organisation; and
(d) empowering the Commission to take
enforcement action against an
organisation which has contravened any of
the Data Protection Provisions.
For the purpose of ensuring that they comply
with the Data Protection Provisions,
organisations are required to designate one or
more individuals who will take on the
responsibility for ensuring such compliance.
Importantly, organisations should note that
such designation of responsibility does not
pass legal responsibility to the individual. The
organisation itself remains legally responsible
for compliance with the Data Protection
Provisions.
90. Are there any requirements as to whom
an organisation may designate as its
data protection officer?
The PDPA requires that an organisation must
make available the business contact
information of at least one individual
designated by the organisation, who is able to
answer on behalf of the organisation, any
questions relating to the collection, use or
disclosure of personal data.
There is no strict necessity for an individual
designated by an organisation to be an
employee of the organisation, or for such
individual to be physically based in Singapore.
It is also generally open to the designated
individual to delegate the responsibility to
another individual.
Notwithstanding, the Commission
recommends that the business contact
information of the individual whom an
organisation designates should be:
(a) a Singapore phone number;
(b) operational during Singapore business
hours; and
(c) readily accessible from Singapore.
OTHER IMPORTANT CONCEPTS
91. What does it mean to anonymise
personal data?
For the purposes of the PDPA, personal data
may be anonymised by removing all
information that can be used to identify a
particular individual.
In other words, where the remaining
information, whether alone or together with
any other information that an organisation has
or is likely to have access to, can no longer be
used to identify a particular individual, such
information may be said to have been
anonymised.
92. How can personal data be anonymised?
The Commission has provided the following
suggestions on how personal data may be
anonymised:
(a) pseudonymisation: by replacing personal
identifiers (such as a person’s full name)
with other references (such as a randomly
generated reference number);
(b) aggregation: by displaying only total
values rather than individual values which
could identify an individual (e.g. displaying
the sum of individual ages of the total
number of individuals in a group, rather
than the age of each individual
specifically);
(c) replacement: by replacing specific values
or subset of specific values with a
computed average or a number derived
from the specific values (e.g. instead of
referring to 3 individuals aged 15, 18 and
20 years old, to make reference to 3
individuals aged approximately 17 years
old);
(d) data suppression: by removing values that
are not required for the purpose (e.g.
removing an individual’s ethnicity from a
data set of the individual’s attributes);
(e) data recoding or generalisation: by
banding into broader categories (e.g. K1,
Primary 3), or hiding the value within a
given range (e.g. replacing the age ‘41’
with the range ’40-50’);
(f) data shuffling: by mixing up or replacing
values with those of the same type so that
information looks similar but is unrelated
to the actual details; and
(g) masking: by removing certain details while
preserving the look and feel of the data
(e.g. representing an NRIC number as
‘S0XXXX45A’ instead of ‘S0122445A’).
It should be noted, however, that the
application of the above anonymisation
techniques may not render a data set fully
anonymised, or anonymised in perpetuity and
there remains a risk that anonymised data can
be used to re-identify particular individuals
(see question 93 below).
Where there is more than a trivial possibility of
so-called anonymised data being re-identified,
such data may still be regarded by the
Commission as personal data (see questions
93 and 94 below).
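As an added illustration for readers of this supplement (example code written for this page, not part of the Commission's guidelines or of the original document), the following Python applies each of the techniques listed in question 92 to a small constructed data set. The record contents are fictitious apart from the NRIC number S0122445A used in the guideline's masking example; the truncated mean and the ten-year age band reproduce the guideline's own "approximately 17" and "40-50" examples. Note how pseudonymisation produces a separate lookup table: an organisation that keeps that table retains the ability to re-identify, which is the situation question 93 describes.

```python
"""Added example (not from the original document): the anonymisation
techniques listed in question 92 applied to a constructed set of records.
Names and NRIC numbers other than S0122445A are fictitious."""
import random
import secrets
from statistics import mean

# Constructed sample records (fictitious people).
RECORDS = [
    {"name": "Person A", "nric": "S0122445A", "age": 15, "ethnicity": "Chinese", "level": "Secondary 3"},
    {"name": "Person B", "nric": "S9876543Z", "age": 18, "ethnicity": "Malay", "level": "Junior College 2"},
    {"name": "Person C", "nric": "T0011223X", "age": 20, "ethnicity": "Indian", "level": "Polytechnic 2"},
]
DIRECT_IDENTIFIERS = ("name", "nric")


def pseudonymise(records, rng=None):
    """Replace direct identifiers with a random reference number. The lookup
    table is returned separately: whoever keeps it can still re-identify the
    individuals, so that holder is still holding personal data (question 93)."""
    rng = rng or secrets.SystemRandom()
    table, out = {}, []
    for r in records:
        ref = f"R{rng.randrange(10**6):06d}"
        while ref in table:  # avoid handing two people the same reference
            ref = f"R{rng.randrange(10**6):06d}"
        table[ref] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"ref": ref, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, table


def aggregate(records, field="age"):
    """Publish only the group total, never the per-person value."""
    return {"count": len(records), f"{field}_sum": sum(r[field] for r in records)}


def replace_with_average(records, field="age"):
    """Ages 15, 18 and 20 become 'approximately 17' (truncated mean, as in the guideline example)."""
    approx = int(mean(r[field] for r in records))
    return [{**r, field: approx} for r in records]


def suppress(records, *fields):
    """Drop attributes not required for the purpose (e.g. ethnicity)."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def generalise_age(age, width=10):
    """Recode an exact age into a band: 41 becomes '40-50'."""
    low = age - age % width
    return f"{low}-{low + width}"


def shuffle_field(records, field, rng=None):
    """Permute one column so every value is real but no longer tied to its row."""
    rng = rng or random.Random()
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def mask_nric(nric):
    """Keep the first two and last three characters: S0122445A -> S0XXXX45A."""
    return nric[:2] + "X" * (len(nric) - 5) + nric[-3:]


def anonymise(records):
    """Combine techniques: pseudonymise, generalise age, suppress ethnicity.
    The lookup table is deliberately discarded so the output cannot be
    reversed by the organisation itself."""
    pseudo, _table = pseudonymise(records)
    generalised = [{**r, "age": generalise_age(r["age"])} for r in pseudo]
    return suppress(generalised, "ethnicity")


if __name__ == "__main__":
    for row in anonymise(RECORDS):
        print(row)
    print(mask_nric("S0122445A"), aggregate(RECORDS))
```

Whether the combined output is "anonymised" for the purposes of the PDPA still depends on the other information the organisation or recipient holds (questions 93 and 94); the functions only remove or coarsen what is in the record itself.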
93. What are some challenges and
limitations in anonymising data?
Reduced functionality or usefulness of data
When data is stripped of too many personal
identifiers, the data may lose its usefulness,
and an organisation may be denied the
potential uses for the data which it has
collected.
Accordingly, before anonymising data, an
organisation should consider whether the
anonymised data would still be suitable for its
intended purposes.
Risk of re-identification
It should be noted that the application of the
anonymisation techniques (such as those
described in question 92 above) may not
render a data set fully anonymised, or
anonymised in perpetuity.
There remains a risk that anonymised data can
be used to re-identify particular individuals,
when it is combined with other information
that the organisation has or is likely to have
access to.
Generally, re-identification involves identifying
an individual beyond doubt.
Where data is capable of re-identification, it
will generally be considered as personal data,
and will be subject to the Data Protection
Provisions.
By way of illustration, while a resultant data set
derived from the application of anonymisation
techniques may itself be anonymised for the
time being, if such resultant data set can still
be combined with other information that an
organisation has or is likely to have access to
identify particular individuals, the combination
of this resultant data set and the other
information will, when taken together, still
constitute personal data. In such a case, given
that the organisation retains the ability to re-
identify individuals from the de-identified data,
the organisation will be considered to be
holding personal data.
Likewise, where an anonymised resultant data
set is disclosed to another organisation, and
that other organisation is able to combine the
data set that it has received with other
information that it has, or is likely to have
access to, to identify/re-identify particular
individuals, the anonymised data set and the
other information will, when taken together,
still constitute personal data.
94. Under what circumstances might data
be considered to have been re-
identified?
While various factors, such as educated
guessing, cross-relating information in
anonymised data sets, public knowledge or
information about groups of people, may
increase the possibility of re-identification, it
does not necessarily follow that the
Commission will always consider the data
concerned as personal data.
Importantly, if there remains only a trivial risk
of re-identification, the data concerned will not
be considered as personal data.
Educated guessing
The fact that a person making an educated
guess, by matching public or established
information with anonymised data, can narrow
down the possible identities of particular
individuals and potentially make a successful
guess may not in itself mean that the data is
personal data.
For instance, an organisation publishes a list of
masked NRIC numbers of the winners of a
lucky draw which reveal only the first 3 digits
of the NRIC numbers. Since the first two digits
typically reveal one's birth year, it could be
ascertained that one of the winners was 22
years of age. On the same day, it is reported in
the newspapers that the two youngest
participants in the lucky draw were both 22
years of age. By matching this information, a
person may therefore make an educated guess
that one of these two participants was the
lucky draw winner. However, to the extent that
it is unclear which of these two participants
might have been the lucky draw winner, there
is no re-identification.
Cross-relating information in anonymised data
sets
A person may be able to identify an individual
by cross-relating information from two
separate anonymised data sets which contain
similar information. However, if such an
individual ultimately remains as an unknown
individual, there would be no re-identification
and the data will not be regarded as personal
data.
For instance, Data Set A refers to an individual
#10147, who has the following characteristics:
male, blood type A, age 45, weight 88.8kg,
height 1.89m. Data Set B refers to an individual
#58965, who has the following characteristics:
male, blood type A, weight 88.8kg, height
189cm, suffering from hypertension. In such a
case, however, while a person having access to
both data sets may be able to cross-relate the
information in these two data sets and
establish that the two data sets relate to the
same individual, such a person is unable to
identify who that individual actually is.
Accordingly, there is no re-identification and
the data will not be regarded as personal data.
Public knowledge
In ascertaining the re-identification risks of an
anonymised data set, it will be important to
take into account the use of public knowledge
(such as established facts) or information that
is readily available to the public (such as
information in telephone directories or society
membership listings).
If an individual can be easily re-identified when
public knowledge or information is combined
with anonymised data, this will present
significant re-identification risks.
Personal knowledge
Having personal knowledge would not
generally amount to a high re-identification
risk for an anonymised data set.
The Specific Topics Guidelines state that, just
because an individual himself or herself, or
someone close to him or her is able to identify
him or her from an anonymised data set, this
does not necessarily mean that that
anonymised data set is personal data.
However, the risk of a person with special
knowledge re-identifying any individual from
the data must still be accounted for in the risk
assessment exercise.
Information about groups of people
Information about groups of people may not
constitute personal data if it does not identify
any particular individual within the group.
However, such information may reveal the
personal data of an individual when combined
with other information, and thereby present
re-identification risks.
For example, an anonymised data set relating
to a group of individuals living within a postal
code reveals that they are all HIV-positive.
While no individual was identified, the
information reveals the personal data of one of
the individuals known to be living there.
Hence, if it becomes known that a person
(person A) lives in that postal code, then it
would also be known that person A is HIV-
positive. In such a case, the anonymised data
set relating to this group of individuals will be
considered as personal data, when its
combination with other information or
knowledge can reveal personal data of an
individual.
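The cross-relating and educated-guessing scenarios above can be worked through in code. The following Python is an added example written for this page (not the Commission's or the original document's): it links Data Set A and Data Set B from question 94 on the attributes they share, normalising 1.89m and 189cm so they compare equal, and then checks whether a constructed public listing narrows the linked record to a single person. The club directory, its member names and the second record in each data set are fictitious and exist only to show the two outcomes the guideline distinguishes: several candidates (no re-identification) and exactly one (re-identification).

```python
"""Added example (not from the original document): cross-relating two
anonymised data sets, then testing whether public information narrows the
linked record to one person. The first record of each set follows the
question 94 example; everything else is constructed."""
import re

DATASET_A = [
    {"id": "#10147", "sex": "male", "blood": "A", "age": 45, "weight_kg": 88.8, "height": "1.89m"},
    {"id": "#10148", "sex": "female", "blood": "O", "age": 30, "weight_kg": 60.1, "height": "1.65m"},
]
DATASET_B = [
    {"id": "#58965", "sex": "male", "blood": "A", "weight_kg": 88.8, "height": "189cm", "condition": "hypertension"},
    {"id": "#58966", "sex": "male", "blood": "B", "weight_kg": 70.0, "height": "175cm", "condition": "none"},
]

# Attributes both sets carry and which, in combination, single out a person.
QUASI_IDENTIFIERS = ("sex", "blood", "weight_kg")


def height_cm(value):
    """Normalise '1.89m' and '189cm' to the same integer so they compare equal."""
    num, unit = re.fullmatch(r"\s*([\d.]+)\s*(m|cm)\s*", value).groups()
    return round(float(num) * (100 if unit == "m" else 1))


def quasi_key(rec):
    return tuple(rec[k] for k in QUASI_IDENTIFIERS) + (height_cm(rec["height"]),)


def cross_relate(set_a, set_b):
    """Link records from the two sets that agree on every quasi-identifier.
    The merged record says 'same person' but still carries no name."""
    index = {quasi_key(r): r for r in set_b}
    linked = []
    for a in set_a:
        b = index.get(quasi_key(a))
        if b is None:
            continue
        merged = {**b, **a}
        merged["ids"] = (a["id"], b["id"])
        del merged["id"]
        merged["height_cm"] = height_cm(a["height"])
        linked.append(merged)
    return linked


def candidates(linked, public_listing):
    """Names in a public listing consistent with every attribute the listing
    entry and the linked record have in common."""
    names = []
    for entry in public_listing:
        shared = [k for k in entry if k != "name" and k in linked]
        if shared and all(entry[k] == linked[k] for k in shared):
            names.append(entry["name"])
    return names


def re_identified(linked, public_listing):
    """Re-identification in the guideline's sense requires identifying the
    person beyond doubt: return a name only when exactly one candidate is left."""
    found = candidates(linked, public_listing)
    return found[0] if len(found) == 1 else None


# Constructed public information: a club directory giving sex and age only,
# and a richer listing that additionally publishes height.
DIRECTORY = [
    {"name": "Member P", "sex": "male", "age": 45},
    {"name": "Member Q", "sex": "male", "age": 45},
    {"name": "Member R", "sex": "female", "age": 45},
]
DIRECTORY_WITH_HEIGHT = [
    {"name": "Member P", "sex": "male", "age": 45, "height_cm": 189},
    {"name": "Member Q", "sex": "male", "age": 45, "height_cm": 172},
]

if __name__ == "__main__":
    for rec in cross_relate(DATASET_A, DATASET_B):
        print(rec["ids"], rec["condition"],
              "directory:", re_identified(rec, DIRECTORY),
              "directory with height:", re_identified(rec, DIRECTORY_WITH_HEIGHT))
```

The linked record reveals that #10147 and #58965 are the same man with hypertension, yet against the first directory two members remain possible and the function reports no re-identification; once a listing that also publishes height is available, the same record resolves to one name. This is the "other information that the organisation has or is likely to have access to" on which the guideline's assessment turns.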
95. How can organisations assess the risk of
re-identification?
As a guide, the Commission has suggested
that some factors which organisations should
consider in assessing whether anonymised or
de-identified data may be subsequently used
to re-identify individuals include:
(a) the type of data de-identified;
(b) the amount of alteration the data has been
subject to in the course of anonymisation;
(c) the degree and standard of the
anonymisation process;
(d) whether the data is disclosed to a specific
recipient whose motivations, re-
identification capabilities, and other
information in possession of that recipient
are known or can be reasonably inferred;
(e) the ease of access to, and volume of, other
information (such as complementary
information) available or likely to be
available;
(f) the organisation’s capability to re-identify
individuals (e.g. computing power and
availability of data-linking techniques,
having access to complementary
information or having specialised skills or
technologies that enable re-identification);
(g) the motivations for re-identification (in this
regard, the Commission has suggested
that it may be useful for organisations to
apply a ‘motivated intruder test’); and
(h) other risks that subject the data to re-
identification risks, including ‘residual’ risks
that are not directly related to a recipient’s
motivation and capability to re-identify
(e.g. risks of the data being compromised
or mistakenly disclosed to unintended
recipients who are better able to re-identify
individuals).
Motivated intruder test
The motivated intruder test considers whether
individuals can be re-identified from
anonymised data by someone who is
motivated, reasonably competent, has access
to standard resources such as the Internet and
published information such as public
directories or national archives, and employs
standard investigative techniques such as
making enquiries of people who may have
additional knowledge of the identity of the
data subject.
The motivated intruder test assumes that no
particular individual has been targeted for
identification and that the intruder does not
resort to criminality or any specialist
equipment or skills.
The test should accommodate the features of
the intended recipient organisation and assess
the totality of the risk management controls
applicable to the recipient organisation. This
refers to both technical measures as well as
legal, regulatory or organisational measures.
96. Will the Commission penalise
organisations for inadequate risk
assessments in relation to re-
identification?
At this stage, organisations are expected to
perform reasonable assessments of re-
identification risks if they are intending to
disclose any anonymised data sets. Such risk
assessments must be commensurate with the
nature of the data being anonymised and
other relevant factors (see question 95 above).
The Commission does not, however, expect
organisations to anticipate what is yet
unknown in such risk assessments.
Accordingly, should an organisation breach
the PDPA as a result of re-identification, the
Commission may be prepared to take into
consideration an organisation’s efforts to
reduce re-identification risks as a mitigating
factor in assessing its liability for such breach.
97. What is the correlation between the
motivation for re-identification and the
risk of re-identification?
In the scenario where two organisations have
similar motivations for re-identification of
certain data, the organisation (Organisation
A) that possesses complementary information,
specialised skills or technologies would more
likely be capable of re-identifying individuals
from that data (and thereby have a higher risk
of re-identifying the data) than the other
organisation (Organisation B) that does not
have access to this information, these skills or
these technologies. In such a case, there is a
higher risk of re-identification by A.
However, it may not necessarily follow that the
risk of re-identification will be higher where an
organisation has the requisite skills and
information for re-identification.
In a different scenario, Organisation A may have
little motivation to re-identify an individual
owing to disincentives, such as regulatory or
other legal (e.g. contractual) obligations or
consequences for re-identifying individuals
from the data which will serve to negate any
incentive or benefit that Organisation A may
derive when it re-identifies an individual. Here,
although Organisation A may possess
complementary information, specialised skills or
technologies which may make it more capable
of re-identifying individuals, this may not
necessarily mean that the risk of re-
identification by Organisation A will be higher
than Organisation B which may be highly
motivated to carry out re-identification.
98. How can organisations lower the risk of
re-identification?
Broadly speaking, the impracticality of re-
identification can act as a deterrent to any
motivation for re-identifying anonymised data,
and may consequently lower the risk of re-
identification.
The risks of re-identification of data may be
lowered in various ways, including:
(a) by employing robust anonymisation
techniques;
(b) by limiting the number of people to whom
the anonymised data is disclosed;
(c) by imposing additional enforceable
restrictions on the use and subsequent
disclosure of the anonymised data;
(d) by implementing processes to govern
proper use of the anonymised data in line
with the restrictions (e.g. access
restrictions); and
(e) by implementing processes and measures
for the destruction of anonymised data as
soon as they no longer serve any business
or legal purpose; and
(f) by putting in place controls to limit the data
users’ or recipients’ access to “other
information” that could re-identify the
anonymised data.
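The linkage risk described above (an organisation that holds complementary information joins it to an anonymised dataset on the attributes the two share) and the effect of measure (a), robust anonymisation, can be demonstrated directly. The following Python is an added illustration, not code from this guide or from the Commission. The datasets, postal codes, names and diagnoses are constructed; generalising postal codes to a two-digit sector and birth years to a decade is one anonymisation technique chosen for the example, not one the page prescribes.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (not from the page). The "anonymised" release has direct
# identifiers removed but keeps three quasi-identifiers: postal code, birth year, sex.
ANONYMISED: List[dict] = [
    {"postal": "560123", "birth_year": 1980, "sex": "F", "diagnosis": "asthma"},
    {"postal": "560123", "birth_year": 1980, "sex": "M", "diagnosis": "diabetes"},
    {"postal": "560124", "birth_year": 1981, "sex": "M", "diagnosis": "none"},
    {"postal": "310456", "birth_year": 1975, "sex": "F", "diagnosis": "none"},
    {"postal": "310456", "birth_year": 1975, "sex": "F", "diagnosis": "hypertension"},
    {"postal": "310457", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
]

# Constructed "other information" held by the recipient organisation: a customer list
# that carries names alongside the same quasi-identifiers.
OTHER_INFO: List[dict] = [
    {"name": "Tan A", "postal": "560123", "birth_year": 1980, "sex": "F"},
    {"name": "Lim B", "postal": "560123", "birth_year": 1980, "sex": "M"},
    {"name": "Ong C", "postal": "310456", "birth_year": 1975, "sex": "F"},
    {"name": "Koh D", "postal": "310457", "birth_year": 1978, "sex": "M"},
]

QUASI: Tuple[str, ...] = ("postal", "birth_year", "sex")
GENERAL_QUASI: Tuple[str, ...] = ("postal", "birth_year")  # after generalise(), sex is dropped


def _key(rec: dict, quasi: Sequence[str]) -> tuple:
    return tuple(rec[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI) -> Dict[tuple, List[dict]]:
    """Group records that are indistinguishable on the quasi-identifiers."""
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for r in records:
        groups[_key(r, quasi)].append(r)
    return groups


def k_anonymity(records, quasi=QUASI) -> int:
    """Size of the smallest equivalence class; k == 1 means at least one record is unique."""
    return min(len(g) for g in equivalence_classes(records, quasi).values())


def link(anonymised, other_info, quasi=QUASI) -> Dict[str, List[str]]:
    """Linkage attack: join the release to the auxiliary list on the quasi-identifiers.
    Returns name -> sorted candidate diagnoses; a single candidate is a certain re-identification."""
    groups = equivalence_classes(anonymised, quasi)
    return {p["name"]: sorted(r["diagnosis"] for r in groups.get(_key(p, quasi), []))
            for p in other_info}


def uniquely_reidentified(linkage: Dict[str, List[str]]) -> List[str]:
    """Names whose sensitive attribute is pinned down to exactly one value."""
    return sorted(name for name, cands in linkage.items() if len(cands) == 1)


def generalise(record: dict) -> dict:
    """Coarsen the quasi-identifiers: 2-digit postal sector, birth decade, and drop sex.
    Apply the same transform to both sides before measuring the residual linkage risk."""
    out = {k: v for k, v in record.items() if k not in QUASI}
    out["postal"] = record["postal"][:2]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(ANONYMISED))
    print("re-identified before:", uniquely_reidentified(link(ANONYMISED, OTHER_INFO)))
    g_anon = [generalise(r) for r in ANONYMISED]
    g_other = [generalise(p) for p in OTHER_INFO]
    print("k after:", k_anonymity(g_anon, GENERAL_QUASI))
    print("re-identified after:", uniquely_reidentified(link(g_anon, g_other, GENERAL_QUASI)))
```

Measure (f) is visible here too: the attack works only because the recipient holds OTHER_INFO, so restricting access to that complementary data removes the join key even where the release itself is unchanged. Running the module prints k and the re-identified names before and after generalisation.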
SCOPE OF THE DNC PROVISIONS
99. To whom are the DNC Provisions
applicable?
The Do Not Call provisions, which are set out
in Part IX of the PDPA, apply to all persons.
This includes individuals, companies,
associations and any incorporated or
unincorporated bodies of persons.
Generally, the DNC Provisions apply to a
person sending a “specified message” if that
person is a “sender” (see questions 100 and
101 below), and:
(a) sends the specified message when they
are in Singapore at the time the message
is sent; or
(b) sends the specified message to a recipient
who is in Singapore at the time the
message is accessed.
If the sender and recipient are both not in
Singapore at the time the message is sent and
accessed respectively, the DNC Provisions will
not apply.
For instance, in the scenario where an
individual is subscribed to a Singapore
telecoms service provider and, when he or she
travels to London, receives a specified
message from a London telecoms operator,
the DNC Provisions will not apply.
In the scenario where the same individual
travels to London and receives a specified
message from his bank which is located in
Singapore, the DNC Provisions will apply to
the sending of such specified message by the
bank.
In the scenario where the same individual,
while in Singapore, receives a specified
message through an overseas number from his
bank, which is located in Singapore but has
outsourced its marketing operations to an
overseas call centre and authorised that call
centre to send the specified message, the DNC
Provisions will apply to the sending of such
specified message by the bank using the
overseas number.
100. The DNC Provisions apply to
“specified messages”. What are
“specified messages”?
Generally, specified messages are messages
which have one or more of the following
purposes:
(a) to advertise, promote or offer to supply or
provide: (i) goods or services, (ii) land or an
interest in land; or (iii) a business or
investment opportunity;
(b) to advertise or promote a supplier or
provider, or a prospective supplier or
provider of: (i) goods or services, (ii) an
interest in land; or (iii) a business or
investment opportunity; or
(c) any other purposes as may be prescribed
under the PDPA which are related to
obtaining or providing information.
Notably, a message can constitute a specified
message even if:
(a) the above-mentioned goods, services,
land, interest in land and/or business or
investment opportunity do not exist; or
(b) it may be unlawful to acquire such goods,
services, land or interest or take up the
opportunity referred to in the message.
To determine whether the message is being
sent for any of the above purposes, a person
should take into consideration the content and
presentation of the message. This includes the
telephone number from which the message
was sent, as well as any content that may be
obtained through the message, such as any
numbers, URLs or contact information which
are set out in the message.
Exclusions
It should be noted, however, that certain
categories of messages are expressly excluded
from the definition of “specified messages”.
These exceptions are set out in the Eighth
Schedule of the PDPA, and include:
(a) messages sent by a public agency (e.g.
Government ministries, tribunals
appointed under written law and certain
statutory bodies) under, or to promote,
any programme carried out by any public
agency which is not for a commercial
purpose;
(b) messages sent by an individual acting in a
personal or domestic capacity;
(c) messages which are necessary to respond
to an emergency that threatens the life,
health or safety of any individual;
(d) messages whose sole purpose is to provide
for:
i. the facilitation, completion or
confirmation of a transaction that the
recipient has previously agreed to
enter into with the sender;
ii. the provision of warranty information,
product recall information or security
information with respect to a product
or service purchased or used by the
recipient of the message;
iii. the delivery of goods or services,
including any product updates or
upgrades, that the recipient of the
message is entitled to receive under
the terms of a transaction that the
recipient has previously agreed to
enter into with the sender;
iv. the notification of any change in the
terms or feature of, or standing or
status of the recipient of the message
with respect to, a subscription,
membership, account, loan or
comparable ongoing commercial
relationship involving the ongoing
purchase or use by the recipient of the
goods or services offered by the
sender;
v. the provision, at regular periodic
intervals, of account balance
information or other types of account
statements with respect to a
subscription, membership, account,
loan or comparable ongoing
commercial relationship involving the
ongoing purchase or use by the
recipient of the goods or services
offered by the sender;
vi. the conduct of market research or
market survey; or
vii. the sending of a message with the
sole purpose of responding to a
request from an individual for
information about a good or service;
and
(e) messages sent to an organisation (as
opposed to an individual in a personal or
domestic capacity) for any purpose of the
receiving organisation (e.g. business to
business (“B2B”) marketing messages).
It may also be noted that messages that are
sent solely to promote an employment
opportunity, to solicit donations for a
charitable cause or to promote a political
cause, and without any marketing elements,
would not be regarded as a specified message.
B2B marketing messages
One of the excluded messages specified in the
Eighth Schedule is a message sent to an
organisation, other than an individual acting in
a personal or domestic capacity, for any
purpose of the receiving organisation. This
exclusion addresses B2B marketing messages,
which generally include messages relating to
the marketing of goods and services by one
company to another company.
For instance, organisation A may call an
employee of organisation B using the business
contact details of such employee which it
obtained from B’s website to promote
organisation A’s product. Such a message
would generally fall within exception (e) above,
and would not constitute a specified message
for the purposes of the DNC Provisions.
However, if organisation A, while speaking
with the employee of organisation B, asks such
employee whether he or she may be interested
in purchasing another of organisation A’s
product for his or her personal use, such a
message would constitute a specified message
for the purposes of the DNC Provisions.
Surveys and market research
The Commission notes in the DNC Guidelines
that persons who conduct market research or
market surveys may wish to provide some
form of gift as a form of reward or expression
of thanks to individuals participating in the
survey. In this regard, the Commission is
generally prepared to accept that the offer or
provision of a gift does not constitute an offer
to supply goods or services. Persons should
act in good faith and not attempt to disguise a
specified message in the form of the provision
of a “gift”.
Ongoing Relationship
An ongoing relationship between the
individual and the sender could be in the form
of commercial or non-commercial
relationships. Factors that can be taken into
account when determining whether there is an
ongoing relationship include the frequency of
visits and whether the individual has signed up
for a package. It should be noted that one-off
transactions are insufficient to establish an
ongoing relationship.
Responding to Information Requests
Where the request for information is from a
third party, the person should, as good
practice, exercise the appropriate due
diligence to confirm that the individual had
made such a request for information (e.g.
through written confirmation or reasonable
conclusion due to circumstances). If such
confirmation cannot be obtained and
therefore consent is not clear and
unambiguous, the person must comply with
the DNC Registry provisions if it wishes to
send specified messages.
101. The DNC Provisions apply to
“senders”. Who are “senders”?
A sender refers to any person who:
(a) actually sends or makes a voice call
containing a message;
(b) causes a message to be sent or a voice call
containing a message to be made; or
(c) authorises the sending of a message, or
making of a voice call containing a
message.
102. When might a person be responsible
under the DNC Provisions for a
specified message that he is not
actively involved in sending?
In addition to the person who actually sends
the message or makes the call containing the
message, persons who cause or authorise the
sending of the message or the making of the
call are also senders for the purposes of the
DNC Provisions.
Deeming provisions under the PDPA
A person (i.e. person A) might be deemed to
be responsible for a specified message that he
or she is not actively involved in sending
where he or she has authorised another
person (i.e. person B) to promote his or her
goods, services, land, interest in land and/or
business or investment opportunity (i.e. send a
specified message).
However, if person A takes reasonable steps to
prevent person B from sending any specified
message for the purpose of promoting person
A’s goods, services, land, interest in land
and/or business or investment opportunity,
person A may not be deemed under the PDPA
to have authorised person B to send the
specified message for those purposes.
The question of whether reasonable steps
have been taken by person A will depend on
the specific facts. For instance, in a contract
between person A and person B, if it is
expressly stated that person B “shall not send
any message, whether in sound, text, visual or
other form, to a Singapore telephone number to
promote A’s services unless expressly permitted
in writing by A”, this could be regarded as a
reasonable step taken by person A to prevent
person B from sending a specified message.
Express exclusions under the PDPA
The PDPA provides certain express exclusions,
where a person who is not actively involved in
sending a specified message will, by default,
not be presumed to have sent such message.
Under the PDPA, the following persons are
presumed not to have sent or authorised a
sending of a message, unless otherwise
proved:
(a) telecoms service providers who merely
provide a service that enables the sending
of a specified message; and
(b) owners or authorised users of a telecoms
device, service or network that was used to
send a specified message, if that device,
service or network was controlled by a
person without the knowledge of the
owner or authorised users at the relevant
time.
Defence for employees
On a related note, an employee who sends a
specified message in contravention of the DNC
Provisions may have a defence under the
PDPA, if such an employee can prove that he
or she acted or engaged in conduct in good
faith in the course of his or her employment,
or in accordance with instructions given to him
or her, by or on behalf of his or her employer
in the course of his or her employment. The
defence is not available to an “officer” of an
organisation that may have committed an
offence under the DNC Provisions.
103. Do the DNC Provisions only apply to
specified messages sent to a
Singapore telephone number?
Currently, yes. The Minister may, however,
prescribe other telephone numbers to be
subject to the DNC Provisions.
It should be noted that messages sent to a
“Singapore telephone number” include voice
calls, text messages and messages sent over
any data application (such as WhatsApp, Viber
or iMessage) that uses a Singapore telephone
number.
OBLIGATIONS AND DUTIES UNDER THE
DNC PROVISIONS
104. What does a person need to do before
sending a specified message?
Generally, a person that intends to send a
specified message to a Singapore telephone
number should check the relevant DNC
Register before sending such message (see
question 105 below), and confirm that the
Singapore telephone number is not listed in
the DNC Register before sending such
message.
However, it will not be necessary to check the
DNC registry if valid, clear and unambiguous
consent of the user or the subscriber of the
telephone number has been provided to allow
the person to send the specified message to
that telephone number (see question 109 for
more details).
Furthermore, in instances where the Singapore
telephone number was obtained through third
party sources, a person that intends to send a
specified message could obtain from the third
party source evidence of clear and
unambiguous consent given by the individual.
105. Is it necessary to check the DNC
Register every time a specified
message is proposed to be sent?
No. Generally, after a person has checked
whether a number is registered on a DNC
Register, these results will be valid for a certain
period (“Validity Period”), as follows:
(a) for results received between 2 January
2014 and 31 May 2014 (both dates
inclusive) – these results will be valid for 60
days from the receipt of the results;
(b) for results received between 1 June 2014
and 1 July 2014 (both dates inclusive) –
these results will be valid until 31 July
2014; and
(c) for results received from 2 July 2014
onwards – these results will be valid for 30
days from the receipt of the results.
Hence, if a person wishes to send a specified
message to the same telephone number (that
it has confirmed is not registered on the DNC
Register) during the Validity Period, it will not
be necessary to re-check if the telephone
number is registered on the DNC Register,
until the expiry of the Validity Period.
Further, as mentioned above, it is generally not
necessary to check the DNC registry if clear
and unambiguous consent of the user or the
subscriber of the telephone number has been
provided to allow the person to send the
specified message to that telephone number.
106. What happens when a person who
had previously given consent to
receive specified messages,
subsequently withdraws such
consent?
A withdrawal of consent by a user or
subscriber of a Singapore telephone number
for the purposes of the DNC Provisions,
received on or after 2 July 2014, must be
given effect within 30 days.
Therefore, even if a specified message is sent
to a user or subscriber of a Singapore
telephone number a few days after such user
or subscriber has withdrawn his or her consent
to receive specified messages, this may not
amount to a contravention of the DNC
Provisions.
107. A person has previously given consent
to receive specified messages, but
subsequently registers his or her
telephone number on a DNC Register.
Is the consent still valid? Can specified
messages be sent to such person?
Yes, the consent is still valid. It is possible to
send specified messages to a Singapore
telephone number, without first checking the
relevant DNC Register, where the user or
subscriber of that telephone number has
previously given clear and unambiguous
consent to receive specified messages which
can continue to be relied upon.
Therefore, if a user or subscriber of a
telephone number no longer wishes to receive
specified messages from a particular person to
whom such user or subscriber had previously
given his or her consent, it would not be
sufficient to register that telephone number on
the relevant DNC Register as the addition of
the telephone number is not regarded as a
withdrawal of consent for the purposes of the
DNC Provisions.
A user or subscriber may withdraw clear and
unambiguous consent by providing notice to
the person who must effect a withdrawal of
consent within the prescribed period.
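The decision described in questions 104 to 107 (rely on evidenced, clear and unambiguous consent; otherwise require a register result that is still within its Validity Period; and stop relying on consent once a withdrawal notice arrives) is the kind of gate a marketing platform should enforce in code rather than leave to each campaign owner. The following Python is an added example and not code from this guide or from the Commission. The telephone number, dates and dataclass names are constructed, and the choice to stop relying on consent on the day the withdrawal notice is received, rather than at the 30-day deadline, is this example's conservative assumption, not a rule stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DNC_START = date(2014, 1, 2)  # DNC Provisions in force from this date (question 110)


@dataclass(frozen=True)
class DncCheckResult:
    number: str
    checked_on: date  # date the result was received from the DNC Register
    listed: bool      # True if the number was on the relevant register


@dataclass(frozen=True)
class Consent:
    number: str
    given_on: date
    evidenced: bool                      # in writing or a retrievable recording (question 109)
    withdrawn_on: Optional[date] = None  # date a withdrawal notice was received, if any


def check_valid_until(checked_on: date) -> date:
    """Last day on which a register result received on `checked_on` may be relied upon,
    following the Validity Period tiers in question 105."""
    if checked_on < DNC_START:
        raise ValueError("no register results exist before 2 January 2014")
    if checked_on <= date(2014, 5, 31):
        return checked_on + timedelta(days=60)
    if checked_on <= date(2014, 7, 1):
        return date(2014, 7, 31)
    return checked_on + timedelta(days=30)


def withdrawal_deadline(withdrawn_on: date) -> date:
    """Latest date by which a withdrawal received on or after 2 July 2014 must be
    given effect (question 106)."""
    if withdrawn_on < date(2014, 7, 2):
        raise ValueError("this example only models withdrawals received on or after 2 July 2014")
    return withdrawn_on + timedelta(days=30)


def consent_effective(consent: Consent, on: date) -> bool:
    """Assumption (conservative, not from the page): consent is no longer relied upon from
    the day the withdrawal notice is received, not from the 30-day deadline."""
    if not consent.evidenced or on < consent.given_on:
        return False
    return consent.withdrawn_on is None or on < consent.withdrawn_on


def may_send(number: str, on: date, consent: Optional[Consent] = None,
             dnc_result: Optional[DncCheckResult] = None) -> str:
    """Decide whether a specified message may be sent to `number` on date `on`."""
    # Questions 104 and 107: valid, clear and unambiguous consent removes the need to
    # check the register, and later registration on the register does not revoke it.
    if consent is not None and consent.number == number and consent_effective(consent, on):
        return "SEND_UNDER_CONSENT"
    # Otherwise a register result within its Validity Period is required (question 105).
    if (dnc_result is None or dnc_result.number != number
            or on < dnc_result.checked_on or on > check_valid_until(dnc_result.checked_on)):
        return "RECHECK_REGISTER"
    return "DO_NOT_SEND" if dnc_result.listed else "SEND_REGISTER_CLEAR"


if __name__ == "__main__":
    number = "91234567"  # constructed Singapore telephone number
    result = DncCheckResult(number, date(2017, 1, 10), listed=False)
    print(may_send(number, date(2017, 2, 9), dnc_result=result))   # last day of the 30-day period
    print(may_send(number, date(2017, 2, 10), dnc_result=result))  # period expired
    consent = Consent(number, date(2015, 1, 1), evidenced=True, withdrawn_on=date(2017, 1, 15))
    print(may_send(number, date(2017, 1, 20), consent=consent, dnc_result=result))
    print("withdrawal must be effected by", withdrawal_deadline(date(2017, 1, 15)))
```

The ordering matters: consent is tested first because a number that is on the register can still be messaged under consent (question 107), whereas a number whose consent has been withdrawn falls back to the register rule and to a fresh check once the cached result expires.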
108. Who can withdraw consent in respect
of a telephone number?
Either a user or subscriber of a Singapore
telephone number may withdraw consent to
receive specified messages using that
telephone number.
In cases where the user of the telephone
number is not the subscriber of the Singapore
telephone number, the subscriber may
withdraw consent which had been given by the
user of the telephone number.
109. What would constitute valid consent
for the purposes of the DNC
Provisions?
Requirements regarding consent
In order for consent to be regarded as valid, it
must satisfy the following conditions:
(a) if the consent was sought as a condition
for supplying goods, services, land, interest
in land and/or business or investment
opportunity, the consent sought must not
have been more than what is reasonable
to provide such goods, services, land,
interest in land and/or business or
investment opportunity to that user or
subscriber;
(b) it must not have been obtained by
providing false or misleading information
or by using deceptive or misleading
practices; and
(c) it must be clear and unambiguous (see
below).
Consent from a user or subscriber will no
longer be regarded as valid if the user or
subscriber was prohibited from withdrawing
his or her consent.
Clear and unambiguous consent
The DNC Guidelines provide that the
following facts will need to be considered to
determine whether the consent is, in fact, clear
and unambiguous:
(a) whether the person had notified the user
or subscriber clearly and specifically that
specified messages would be sent to his or
her Singapore telephone number; and
(b) whether the user or subscriber gave
consent to receive specified messages
through some form of positive action.
For the latter, the failure to opt out through
inaction on the part of the user or subscriber
would not usually be enough to amount to
taking positive action (see question 20 above).
The Commission recommends that “clear and
unambiguous” consent would generally
require that the consent be evidenced:
(a) in writing – such as using a physical or
electronic form; or
(b) in a form that is accessible for future
reference – for instance, by capturing the
consent given in an audio or video
recording. The consent must be captured
in a manner or form that can be retrieved
and reproduced at a later time in order to
confirm that such consent was obtained.
110. If consent has been obtained from a
person before the DNC Provisions
come into effect (2 January 2014), is
such consent still valid?
Yes, such consent would be valid and would
exempt a person from having to check the
DNC Register prior to sending a specified
message, provided that:
(a) the consent has not been withdrawn; and
(b) the consent is valid and is clear and
unambiguous and evidenced in written or
other form (see question 109 above).
10 Collyer Quay #10-01 Ocean Financial Centre Singapore 049315
Tel: +65 6535 0733 Fax: +65 6535 4906 www.drewnapier.com
The Drew & Napier TMT Team
Lim Chong Kin, Director, Head (Telecoms, Media & Technology)
Chong Kin practices corporate and commercial law with strong emphasis in
the specialist areas of TMT law and competition law. He regularly advises
on regulatory, licensing, competition and market access issues. Apart from
his expertise in drafting “first-of-its-kind” competition legislation, Chong
Kin also has broad experience in corporate and commercial transactions
including mergers and acquisitions. He is widely regarded as a pioneer in
competition practice in Singapore and the leading practitioner on TMT and regulatory
work. Chong Kin has won plaudits for “[understanding] regulatory thinking like no other
lawyer in the field” (Asia Pacific Legal 500); has been recognised as “incisive, insightful and
knowledgeable” (Chambers Asia Pacific 2017: Band 1 for TMT); and has been endorsed for
his excellence in regulatory work and competition matters: Practical Law Company’s
Which Lawyer Survey 2011/2012; Who’s Who Legal: TMT 2016 and Who’s Who Legal:
Competition 2016. Asialaw Profiles 2016 notes: “Lim Chong Kin’s work is consistently
exceptional.”
Tel: +65 6531 4110 • Fax: +65 6535 4864 • Email: [email protected]
Charmian Aw, Director
Charmian is a Director in Drew & Napier’s TMT Practice Group. She is
frequently involved in advising companies on a wide range of corporate,
commercial and regulatory issues in Singapore. Charmian has also been
actively involved in assisting companies on Singapore data protection law
compliance, including reviewing contractual agreements and policies,
conducting training and audits, as well as advising on enforcement issues
relating to security, access, monitoring, and data breaches. She is also a co-chair of the
International Association of Privacy Professionals (IAPP) KnowledgeNet chapter in
Singapore, and is a Certified Information Privacy Professional for Europe, the United
States, and Asia (CIPP/E, CIPP/US, CIPP/A). Charmian is recommended for corporate-
related TMT and data privacy work by The Asia Pacific Legal 500, and Who’s Who Legal:
TMT.
Tel: +65 6531 2235 • Fax: +65 6535 4864 • Email: [email protected]