It’s important to understand what kind of data you are collecting, and how easy it is to access
Lawyer Jeremiah Chew shared practical tips for Startups and SMEs on the Personal Data Protection Act (PDPA) during a Facebook Live Q&A with AsiaLawNetwork and our partners e27 and General Assembly.
Below are the edited excerpts.
Let’s talk about the history of the PDPA and some of the core rules around it
The PDPA stands for the Personal Data Protection Act which was passed in parliament in 2012. The Personal Data Protection Commission (PDPC) is the agency that enforces the PDPA in Singapore.
The PDPA is a complaint-based regime. The PDPC will investigate any potential breach after somebody has made a complaint. Customer management is therefore important. Firms who inform their customers about the type of data they are collecting and the ways in which they are going to use the data are less likely to receive complaints.
The PDPC recently released a number of decisions relating to breaches of the PDPA by businesses. Some of the organizations received a fine while others got a warning. All these decisions are published on the PDPC website and are public.
Why is the PDPA important?
We are living in an increasingly interdependent world. Every organization will come into contact with personal data at some point in time.
For example, one of the recent decisions by the PDPC relates to the security measures of a condominium.
The security guards at the condominium had a log book that guests are required to fill in. The log book contained personal data about names, contact details and car plate numbers.
It was left unattended at certain periods of time. After a resident complained to the PDPC, the PDPC investigated and issued a warning to the managing agent. This just emphasizes the importance of personal data protection for all types of organizations.
If I am a consumer-facing company, but I work with many freelance contractors and a fully owned subsidiary, what is the exposure if the subsidiary commits a breach on personal data with customers of the main company?
The PDPA provides for a certain class of organization, data intermediaries, who process personal data on behalf of another organization. In this case, the subsidiary or the contractors are likely data intermediaries of the company.
The PDPA states that a company remains responsible for acts carried out by data intermediaries. You are advised to put measures in place to make sure that any personal data you transfer to them is going to be well-protected. You should at least have a contract with the subsidiary and freelance contractors that obliges those parties to comply with the PDPA.
A practical example of data intermediary management involved the SGX and a printing company.
The printing company was a data intermediary of SGX and printed wrong details in the statements, which were then also disclosed to the wrong customers. Although the PDPC found that the printing company was in breach of the PDPA, SGX was not found to be guilty.
This was because SGX had a secure structure and had clear contractual clauses obliging its intermediary to abide by the PDPA.
What are some practical tips for companies putting information on the cloud?
You should be very careful of the information placed on the cloud. If you create a Google document with a shareable URL, it is technically a public document since anyone who knows the actual URL will be able to access the document.
I suggest that you should put an additional level of security to such documents. This could be in the form of encryption or password-protection.
The PDPC has taken action against organizations for such cases of ‘public documents’. For example, one organization had a membership system where members could access their membership details and personal data.
A customer from the organization found that by changing the string of numbers at the end of the URL, he could access another person’s data. The organization was eventually given a warning.
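As an added illustration that is not part of the original interview, the following Python shows a membership lookup keyed by the number at the end of the URL, first with only a login check (the pattern behind the warning described above) and then with the ownership check that stops one member reading another's record; the member records, sessions, URL format and audit log are all constructed for the example.

```python
from typing import Callable

# Constructed sample data (not real people): member id -> personal data
MEMBERS = {
    1001: {"name": "A. Tan", "phone": "9111 1111"},
    1002: {"name": "B. Lim", "phone": "9222 2222"},
}
# Constructed sessions: session token -> member id of the logged-in member
SESSIONS = {"sess-abc": 1001, "sess-xyz": 1002}
# Audit trail of refused cross-member requests, for detection and review
AUDIT_LOG = []


class Forbidden(Exception):
    pass


def parse_member_id(url: str) -> int:
    """Extract the trailing number from a URL such as '/members/1002' (constructed format)."""
    tail = url.rstrip("/").rsplit("/", 1)[-1]
    if not tail.isdigit():
        raise ValueError("member id must be numeric")
    return int(tail)


def lookup_member_unchecked(session_token: str, member_id: int) -> dict:
    """Weak: only checks that someone is logged in, then trusts the id from the URL."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return MEMBERS[member_id]


def lookup_member_checked(session_token: str, member_id: int) -> dict:
    """Hardened: the requested record must belong to the session's own member."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if member_id != owner:
        # Record the refused attempt so repeated id-walking can be spotted in review
        AUDIT_LOG.append({"session": session_token, "member_id": member_id})
        raise Forbidden("record does not belong to the requesting member")
    return MEMBERS[member_id]


def can_read(lookup: Callable, session_token: str, url: str) -> bool:
    """True if the given lookup would hand back a record for this session and URL."""
    try:
        lookup(session_token, parse_member_id(url))
        return True
    except (Forbidden, KeyError):
        return False
```

The same comparison applies to any resource addressed by a predictable identifier, not only member profiles: authentication says who the caller is, authorization says which records that caller may see.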
If I set up a Singapore company but my operations are in another country, how does the PDPA affect my company?
As long as you are collecting some sort of personal data from Singapore, you are required to follow the PDPA. The only exception is if you are not collecting, using or disclosing personal data from anybody in Singapore.
Different countries may have different data privacy rules. If you operate in different jurisdictions, you are required to comply with these different data protection laws.
What are the countries in Asia that are more stringent when it comes to Personal Data Protection?
In Southeast Asia, Singapore is one of the frontrunners and one of the first to implement data privacy law. Hong Kong has also recently come up with their own data protection law.
Do we need to use a server or something that is located in Singapore if we are collecting personal data in Singapore?
There is no need to use a server in Singapore. However, if you do want to store personal data from people in Singapore in a server overseas, you will be required to comply with the storage requirements of the PDPA.
The PDPA has a transfer limitation obligation and you need to make sure that data transferred to another country is protected to the standard required by the PDPA. A good practice is to actually tell your customers where you are planning to store the data (e.g. on a server in X, Y, Z country).
How should companies structure their terms of use and privacy policy?
There is no one-size-fits-all solution when it comes to having a privacy policy. It is important to consider the following things when crafting your privacy policy:
- What types of personal data are you collecting?
- What purposes are you collecting this personal data for?
- How are you going to treat this personal data?
In the privacy policy, you are required to put in the contact of a representative that people approach if they have questions about the PDPA. This representative is known as the data protection officer.
In my article, I mentioned in greater detail some other practices that companies can adopt.
How often should companies update their privacy policy?
My preference is to do it once and do it well. Take for example my own firm, Lee & Lee. I crafted the privacy policy for the website and it has been there for the past 3 years and we’ve seen no need to change it.
However, if there is a change in circumstances of the kind of activities you are undertaking or the types of data you are collecting, you are advised to change your privacy policy to reflect those changes.
Let’s talk about Push Notifications and how they relate to PDPA
It is important to get consent from your customers before you send them push notifications. This should be done from the very start when customers download the app. Under the PDPA, you must also allow customers to withdraw their consent.
The easier it is to facilitate the withdrawal of consent, I think the less likely that somebody is going to lodge a complaint against your company.
Is creating a Whatsapp or social media group where phone numbers are exposed a breach of the PDPA?
It depends on who is creating the Whatsapp or social media group. The PDPA does not apply to people acting in a personal or domestic capacity.
But if you are an organization and you are creating a Whatsapp or social media group for related purposes, you should definitely seek your customers’ consent before adding them to a group.
Can my company store NRIC numbers of students for attendance-taking purposes?
There are sector-specific guidelines published by the PDPC. You should take a look at the guidelines for the education sector for more details.
The PDPA mentions that you should only collect personal data for purposes that are reasonable in the circumstances. You should also consider if you really need to have the NRIC numbers for attendance purposes or if the names of the students will suffice.
—
You can watch this Facebook Live interview HERE on YouTube and learn more about Jeremiah HERE.
The post Pro Bono: Practical legal advice for navigating Singapore’s data privacy laws appeared first on e27.