Your Guide to the Personal Data Protection Act 2012

A Supplement: FAQs on the Advisory Guidelines for Key Concepts and Selected Topics

All enquiries should be addressed to:

Lim Chong Kin
Director & Head, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01 Ocean Financial Centre
Singapore 049315
Tel: +65 6531 4110
Fax: +65 6535 4864
Email: [email protected]

COPYRIGHT

© 2013 Drew & Napier LLC
First Published 2013

All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by any means, whether electronic or mechanical, including photocopying and recording, without the permission of the copyright holder.

IMPORTANT DISCLAIMER: We have sought to state the law as at 6 November 2013. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of, information or opinion contained in this document. This document covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.

Published by
10 Collyer Quay #10-01 Ocean Financial Centre
Singapore 049315

Printed in Singapore

Editors:

LIM Chong Kin
Director, Head (Telecoms, Media and Technology Law Practice Group) and Co-Head (Competition Law & Regulatory Practice Group)
LL.B. (Hons); LL.M. (NUS); Advocate and Solicitor (Singapore)
Admitted to the Roll of Solicitors (England & Wales)

Charmian AW
Associate Director
LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)

About Drew & Napier LLC

Drew & Napier has provided exceptional legal advice and representation to discerning clients since 1889. We are one of the largest law firms in Singapore.

The calibre of our work is acknowledged internationally at the highest levels of government and industry, and marks us as Singapore’s world class law firm.

We are trusted by our clients to solve their most challenging problems, advance their interests, and show them the way forward. Our lawyers and senior counsel are the preferred choice when the stakes are high and the issues complex.

Our clients consistently vote our lawyers to the highest ranks of their practice areas. Chambers & Partners recently named us National Law Firm of the Year.

We stay at the forefront of the industry by cultivating talent and maintaining the family atmosphere that is distinctly Drew. In the Thomson Reuters’ Asian Legal Business survey, our colleagues voted Drew the top Employer of Choice.

For more information on Drew & Napier LLC, please visit www.drewnapier.com.

Drew & Napier’s expertise in Data Protection Law – How We Can Help You

We regularly advise and assist MNC clients on data protection concerns in respect of their Singapore operations. Our MNC clients include telco operators and Internet companies (ranging from the world’s leading social networking site to mobile device manufacturers to software developers (SAP and Microsoft)). Our work for clients includes:

• Adapting global policies for data privacy and consumer protection for clients’ Singapore operations and offices.

• Wide-ranging advice on the existing Singapore data protection regime.

• Advising on ad-hoc queries relating to potential or actual privacy breaches and the necessary disclosure requirements and remedial actions in Singapore.

• Advising on data protection concerns relating to the introduction of novel telecommunication services in the Singapore market.

We are also regularly engaged by MNCs as well as local clients across industries (including airlines, manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet companies to conduct regulatory risk audits of their business operations to highlight potential areas of non-compliance and to assist in the rectification of any problematic agreements and conduct. In the past six years, we have gained considerable first-hand expertise in compliance audits, in particular, to ensure compliance with newly-introduced legal and regulatory obligations, for instance, competition law in Singapore. Our team of lawyers is also experienced in conducting compliance audits of business practices, existing legal agreements, and informal business arrangements. The team recently assisted our MNC clients with regulatory audits across several jurisdictions, including Singapore, Malaysia, Indonesia, Thailand, India and the Philippines (in respect of intellectual property, competition and anti-corruption laws).

In developing compliance programmes for our clients, we further value-add by creating manageable, staff-level compliance manuals and training programmes to ensure that our clients are in a position to operationalise their compliance procedures on a day-to-day basis, and will only need to rely on external counsel under exceptional instances.

About the Telecommunications, Media and Technology (TMT) Practice Group

Drew & Napier’s Telecommunications, Media & Technology (TMT) Practice Group is consistently ranked as the leading IT, telecoms, broadcasting and multimedia legal practice in Singapore. The firm possesses unparalleled transactional, licensing and regulatory experience in the TMT and postal sectors in Singapore. The strength of our team, headed by Director Lim Chong Kin, lies in a carefully-selected mix of more than 10 lawyers and paralegals familiar with infocomms law, data protection, and sector-specific and general competition law. The team is supported by in-house competition and regulatory economists led by Ng Ee Kia, who was previously Director of Economics at the Competition Commission of Singapore (CCS).

A trailblazer in the telecommunications and media competition law scene, the TMT Practice Group has constantly worked on every significant development in the Singapore TMT market. In 1999, Chong Kin was the lead Singapore counsel appointed by the Info-communications Development Authority (IDA) to draft the Telecom Competition Code (TCC), the first industry-wide competition legislation in Singapore and precursor to the country’s general competition regime. In 2004 and again in 2009-12, Chong Kin was reappointed to revise the TCC as part of its first and second triennial review exercises. In the media scene, Chong Kin was appointed as lead Singapore counsel by the Media Development Authority (MDA) in drafting the Media Market Conduct Code in 2003. Today, the team continues to advise the MDA on enforcement, licensing, regulatory and market access issues, in particular the implementation of novel regulatory measures relating to cross-carriage of content by pay-TV operators. Chong Kin also led the drafting of the Postal Competition Code in 2007 to facilitate liberalisation of the postal industry in Singapore.

In addition to conceptualising and drafting of regulatory frameworks, the TMT Practice Group routinely assists regulators to enforce and implement their directions, regulations and decisions against licensees, mandating market access and addressing unfair competition issues. More recently, Chong Kin and his team advised IDA on the enforcement and implementation of licensees’ obligations, for example in respect of licensees’ ability to roll-out fibre-to-the-home networks. The Practice Group has also advised IDA on all competition and regulatory issues in three groundbreaking infrastructure development initiatives – the establishment of the Next Generation Nationwide Broadband Network (NGNBN), Singapore Internet Exchange, and the National Authentication Framework. In numerous instances, the Practice Group has also been involved in defending regulators against ministerial appeals filed by licensees. Recently, Chong Kin and his team successfully defended MDA in respect of its decision to impose a mandatory pay-TV cross-carriage requirement on its licensees. Chong Kin and his team have also advised Singapore regulators on their international obligations and interactions with regulators of other countries.

Today, the TMT Practice Group acts for a broad range of clients – from established fast-moving consumer goods MNCs to technology start-ups, to sectoral regulators (both local and foreign):

• We regularly act for technology leaders and start-ups in information technology, data privacy and protection and commercial matters (including Research-in-Motion/Blackberry);

• We are routinely consulted on commercial, licensing and regulatory matters by global clients, including regional telecommunication service providers (including AT&T, Pacnet, Sprint and Globe) and international broadcasters (including Discovery, ESPN, MGM and Sony); and

• We are often called upon to provide high-level advisory and consultancy services to various regulators, including IDA, MDA, CCS and most recently, the telecoms regulator of Sri Lanka.

In 2012, for the 14th consecutive year, Drew & Napier’s TMT Practice Group has been retained as IDA’s external legal and regulatory advisors, a record which speaks volumes for its proven ability to deliver effective, timely and commercially-relevant solutions to its clients.

The TMT Practice Group is also particularly experienced in a wide range of technology law issues. Clients who trust Drew & Napier on technology matters include MNCs, public listed companies, statutory boards and some of the most established names in Singapore. We have advised and acted for clients in drafting, reviewing and/or negotiating various technology contracts relating to consultancy and project management, website service agreements (including privacy policies and data management procedures), outsourcing, software integration, bespoke hardware and software, and hardware/software maintenance. The firm’s broad client base allows it to offer unique insights on the TMT industry from all perspectives.

Our recent accolades bear testimony to the quality of the Practice Group:

• Chambers Asia: standalone Band 1 TMT firm in Singapore for 2013, 2012, 2011, 2010, 2009, 2008

• Asia Pacific Legal 500: Tier 1 TMT practice for 2013/2014, 2012/2013, 2011/2012, 2010/2011, 2009/2010, 2008/2009

• AsiaLaw Profiles: Highly Recommended Practice (IT, Telecoms & Media) for 2013; Tier 1 (IT, Telecoms & Media) for 2012 & 2011

• The International Who’s Who of Regulatory Communications Lawyers 2013 and The International Who’s Who of Competition Lawyers and Economists 2013 both recognise Chong Kin as a leading lawyer in regulatory and competition advisory work

FAQs to the Advisory Guidelines to the PDPA

www.drewnapier.com 8

CONTENTS

Introduction to the Advisory Guidelines to the Personal Data Protection Act 2012
1. Are the Guidelines legally binding?
2. How will the PDPA affect organisations?
3. Will the PDPA prevent organisations from collecting, using and/or disclosing data relating to individuals?
4. How do the Data Protection Provisions interact with existing laws concerning personal data protection?

Important Terms used in the PDPA
5. The PDPA is only concerned with the personal data of “individuals”. Who are considered “individuals”?
6. What types of “personal data” are covered under the PDPA?
7. What types of “personal data” are not covered under the PDPA?
8. Are IP addresses considered “personal data”?
9. Are cookies considered “personal data”?
10. Is anonymised data regarded as “personal data” for the purposes of the PDPA?
11. Does the PDPA confer property or ownership rights of personal data in an individual or an organisation?
12. Which organisations are included, and which are excluded from the operation of the Data Protection Provisions?
13. The Data Protection Provisions only apply to a limited extent to a “data intermediary”. What is a “data intermediary”?
14. What constitutes “collection”, “use” and “disclosure” of personal data?
15. Some Data Protection Provisions refer to the “purpose” for which an organisation collects, uses or discloses personal data. How is such “purpose” defined?
16. How is the concept of “reasonableness” defined in the PDPA?
17. What are the main data protection obligations contained under the PDPA?

The Consent Obligation
18. What do organisations have to comply with under the Consent Obligation?
19. How can organisations obtain consent from individuals?
20. When is an individual considered not to have validly given consent?
21. When is an individual deemed to have given consent?
22. Where an individual provides his personal data as part of his job application, is this considered deemed consent?
23. How should organisations deal with a job applicant’s personal data, after a decision has been made on whether to hire such job applicant?
24. Is it necessary to obtain consent from users when an organisation employs the use of cookies?
25. Can an organisation obtain personal data from third party sources with the consent of the individual?
26. Can an organisation collect and use personal data of a job applicant from social networking sources?
27. Can an organisation collect and use information on business cards for recruitment?
28. What should organisations do to ensure that the third party sources can validly provide the personal data?
29. Can an organisation obtain personal data from third party sources without the consent of the individual?
30. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data?
31. What practical steps should organisations take to allow individuals to withdraw their consent?
32. How should organisations respond when they receive a notice from an individual to withdraw consent?
33. Are organisations required to accede to an individual’s request to delete CCTV footage?
34. What do organisations have to comply with under the Purpose Limitation Obligation?
35. If an organisation captures CCTV footage beyond the boundaries of their own premises, does that go beyond the Purpose Limitation Obligation?
36. Can organisations collect NRIC cards?
37. For what business purposes are organisations allowed to use NRIC numbers?
38. Can organisations publish NRIC numbers for purposes such as the results of lucky draws?

The Notification Obligation
39. What do organisations have to comply with under the Notification Obligation?
40. How should organisations notify individuals of the purpose for the collection, use and disclosure of their personal data?
41. Can organisations use a Data Protection Policy to notify individuals of the purposes for which it collects, uses and discloses personal data?
42. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed?
43. Can organisations use and disclose personal data for a different purpose from which it was collected?
44. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities?
45. Do organisations always need to notify individuals when CCTVs are deployed?
46. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data?
47. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes?

The Accuracy Obligation
48. What do organisations have to comply with under the Accuracy Obligation?
49. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources?

The Protection Obligation
50. What does it mean to make “reasonable security arrangements to protect personal data”?
51. What types of security arrangements can an organisation put in place?
52. Are organisations responsible if their employees do not comply with the PDPA?

The Retention Limitation Obligation
53. How long should an organisation retain personal data?
54. What are some recommended best practices in relation to the retention of personal data?
55. How long can organisations continue to hold personal data of former employees?
56. What does it mean to “cease to retain” personal data?

The Openness Obligation
57. What is the Openness Obligation?
58. Are there any requirements as to whom an organisation may designate as its data protection officer?
59. Will the Openness Obligation require organisations to accede to an individual’s request to access CCTV footage?
60. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage?
61. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request?
62. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected?

Other Important Concepts
63. What does it mean to anonymise personal data?
64. How can personal data be anonymised?
65. What are some challenges and limitations in anonymising data?
66. Under what circumstances might data be considered to have been re-identified?
67. How can organisations assess the risk of re-identification?
68. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification?
69. What is the co-relation between the motivation for re-identification and the risk of re-identification?
70. How can organisations lower the risk of re-identification?

Scope of The DNC Provisions
71. To whom are the DNC Provisions applicable?
72. The DNC Provisions apply to “specified messages”. What are “specified messages”?
73. The DNC Provisions apply to “senders”. Who are “senders”?
74. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending?
75. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number?

Obligations and Duties under the DNC Provisions
76. What does a person need to do before sending a specified message?
77. Is it necessary to check the DNC Register every time a specified message is proposed to be sent?
78. What happens when a person who had previously given consent to receive specified messages, subsequently withdraws such consent?
79. A person has previously given consent to receive specified messages, but subsequently registers his/her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person?
80. Who can withdraw consent in respect of a telephone number?
81. What would constitute valid consent for the purposes of the DNC Provisions?
82. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid?

The Drew & Napier TMT Team
Lim Chong Kin, Director, Head (Telecoms, Media & Technology)
Charmian Aw, Associate Director

Advisory Guidelines to the Personal Data Protection Act 2012

This publication is meant to supplement and be read together with Drew & Napier’s “Your Guide to the Personal Data Protection Act 2012”, as published in 2013.

INTRODUCTION TO THE ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT 2012

On 24 September 2013, the Personal Data Protection Commission (Commission) issued the following sets of Advisory Guidelines on the Personal Data Protection Act 2012 (PDPA):

(a) Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Key Concepts Guidelines); and

(b) Advisory Guidelines on the Personal Data Protection Act for Selected Topics (Selected Topics Guidelines)

(collectively, the Guidelines).

The Guidelines are meant to provide a further understanding of the provisions of the PDPA as they elaborate and provide interpretations on specific requirements and obligations under the PDPA. The Guidelines took into consideration public feedback submitted during the public consultation conducted by the Commission from February to April 2013.

The following is a series of key questions and answers to help you understand the impact of the Guidelines on your business.

1. Are the Guidelines legally binding?

The Guidelines are advisory in nature and are not legally binding on the Commission or any other party. The Guidelines will not limit or restrict the Commission’s administration and enforcement of the PDPA, and the provisions of the PDPA and any regulations or rules issued thereunder will prevail over the Guidelines in the event of any inconsistency.

2. How will the PDPA affect organisations?

The data protection provisions in Parts III to VII of the PDPA (Data Protection Provisions) are anticipated to come into operation on 2 July 2014.

As such, organisations can generally continue to use personal data that was collected before 2 July 2014 for the purposes for which such personal data was collected, without a need to obtain fresh consent from the individual. However, if an individual has withdrawn his/her consent, fresh consent will need to be obtained.

Even where it is not clear for what purposes personal data had been collected before 2 July 2014, it is not strictly necessary for such purposes to be specified or notified to the individuals concerned on or after 2 July 2014. In such cases, however, the Commission recommends that the organisation should consider documenting the purposes so that it will have such information readily available if a question arises as to whether the organisation is complying with the Data Protection Provisions (such as the requirement to obtain valid consent pursuant to the PDPA prior to collection, use and disclosure of personal data).

Additionally, should an organisation wish to use or disclose personal data which it has collected prior to 2 July 2014 for new purposes (i.e. purposes which the individual concerned had not consented to), the organisation will need to obtain consent from the individual concerned for these new purposes.

Organisations will also need to assess whether their contractual obligations need to be amended to comply with the Data Protection Provisions. It should be noted that compliance with contractual obligations entered into prior to 2 July 2014 is not an excuse for failure to comply with the Data Protection Provisions.

The Do Not Call provisions (DNC Provisions), which are set out in Part IX of the PDPA, are expected to come into effect on 2 January 2014. Please refer to question 71 et seq for a further discussion on the DNC Provisions.

3. Will the PDPA prevent organisations

from collecting, using and/or disclosing

data relating to individuals?

The PDPA will not strictly prohibit

organisations from collecting, using or

disclosing data relating to individuals.

However, where an organisation wishes to

collect, use or disclose personal data (as

defined in the PDPA, see question 6 below), it

will be required to comply with the Data

Protection Provisions (see question 2 above).

Accordingly, organisations may wish to opt to

collect or use anonymised data instead, where

individuals need not be identifiable for the

organisation’s purposes, as the Data Protection

Provisions will not apply to anonymised data

(see question 63 below on what anonymised

data means).

4. How do the Data Protection Provisions

interact with existing laws concerning

personal data protection?

The Data Protection Provisions will not affect

any existing authority, right, privilege,

immunity, obligation or limitation arising

under existing law. The PDPA also specifically

provides that the provisions of other written

law will prevail over the Data Protection

Provisions, but only to the extent that there is

an inconsistency.

As such, sector-specific legislation should not

be regarded as a blanket override of the Data

Protection Provisions.

For example, pursuant to Section 47 of the

Banking Act (Cap. 19), a bank can disclose

customer information to such persons and for

purposes that are specified in the Third

Schedule of the Banking Act, subject to the

conditions specified therein. However, the

Data Protection Provisions of the PDPA may be

inconsistent with Section 47 of the Banking

Act, as the former may not specifically allow

the bank to disclose such customer

information without prior consent of the

customer concerned. In such case, Section 47

of the Banking Act will prevail in respect of

those exceptions under the Third Schedule of

the Banking Act, but the bank must continue

to comply with the Data Protection Provisions

in respect of any purposes which, or persons

who, are not specified in the Third Schedule of

the Banking Act.

IMPORTANT TERMS USED IN THE PDPA

5. The PDPA is only concerned with the

personal data of “individuals”. Who are

considered “individuals”?

The PDPA defines an individual as “a natural

person, whether living or deceased.” The term

“natural person” refers to a human being, and

does not refer to other legal persons or

unincorporated entities (e.g. a company or a

registered society). Accordingly, the PDPA only

protects personal data of natural persons.

The term “individual” includes both living and

deceased individuals. However, the PDPA

applies to a limited extent in respect of the

personal data of deceased individuals.


6. What types of “personal data” are

covered under the PDPA?

The term “personal data” covers all types of

data from which an individual can be

identified, regardless of its veracity or whether

it is in electronic or other form.

Data about an individual

Personal data has to be data about an

individual. Some data will, on its own, relate to

an individual e.g. an individual’s name. Other

data may not, on its own, relate to an

individual. The latter type of data would not

constitute personal data unless it is made to

relate to a particular individual. For example, a

residential address by itself may not relate to

an individual because there may be several

individuals residing there. However, if the

residential address is associated with a

particular identifiable individual, it would be

considered personal data.

Generic information that does not, by itself, relate to a particular individual may also form part of an individual’s personal data where the individual can be identified when it is combined with other information. For example, where generic information such as “male” and “aged 21” is provided on a membership form that also states the individual’s full name, those general characteristics form part of the individual’s personal data because they have been related to a specific individual.

Even if the information is not directly

identifying data, it may still be considered

personal data if the organisation has access to

other information that, when taken together

with the data, will allow the individual to be

identified. For example, if a company

anonymises data collected from a customer

survey by replacing the respondents’ names

with randomly generated number tags, but the

company still holds the key that can reverse

the randomisation process, the collected data

will still be able to identify individuals with the

aid of the key and will thus be considered

personal data. (See question 63 for more

details on what it means to anonymise

personal data.)
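The keyed pseudonymisation in the survey example above, as an added illustration that is not part of this FAQ or the PDPC guidelines: names are swapped for random tags, the tagged rows remain personal data while the organisation retains the tag-to-name key, and even after the key is destroyed a row can be re-identified by joining its remaining attributes with other information the organisation already holds. The records, field names and the customer master file are constructed for the example.

```python
# Added example, not from the Drew & Napier FAQ or the PDPC guidelines.
# Shows why survey rows whose names are replaced by random tags remain
# personal data while the organisation keeps the tag -> name key, and why
# a row can still be re-identified without the key by linking its remaining
# attributes to other information the organisation holds.
# All records and field names below are constructed sample data.
import secrets

# Constructed customer-survey responses, as collected (identifying).
SURVEY = [
    {"name": "Tan Ah Kow", "postal_code": "049315", "age": 34, "rating": 4},
    {"name": "Lee Mei Ling", "postal_code": "560123", "age": 29, "rating": 2},
    {"name": "Raj Kumar", "postal_code": "049315", "age": 52, "rating": 5},
]

# Constructed customer master file that the same organisation already holds.
CUSTOMERS = [
    {"name": "Tan Ah Kow", "postal_code": "049315", "age": 34},
    {"name": "Lim Boon Keng", "postal_code": "049315", "age": 34},
    {"name": "Raj Kumar", "postal_code": "049315", "age": 52},
    {"name": "Lee Mei Ling", "postal_code": "560123", "age": 29},
]


def pseudonymise(rows, id_field="name"):
    """Replace id_field with a random tag.

    Returns (tagged_rows, key) where key maps tag -> original value. The
    random tags carry no information themselves; it is the retained key
    that keeps the tagged rows re-identifiable, and hence personal data.
    """
    key = {}
    tagged = []
    for row in rows:
        tag = secrets.token_hex(8)
        key[tag] = row[id_field]
        tagged.append({**{k: v for k, v in row.items() if k != id_field}, "tag": tag})
    return tagged, key


def reidentify(tagged_rows, key):
    """Reverse the pseudonymisation with the key. Raises KeyError once the
    key has been destroyed, because the tags alone reveal nothing."""
    return [{**row, "name": key[row["tag"]]} for row in tagged_rows]


def destroy_key(key):
    """Discard the mapping. After this, reidentify() cannot succeed."""
    key.clear()


def link(tagged_rows, other_data, quasi=("postal_code", "age")):
    """Join de-identified rows with other information on quasi-identifiers.

    A row is re-identified only when exactly one record in other_data shares
    its quasi-identifier values; two or more candidates leave it ambiguous.
    """
    index = {}
    for rec in other_data:
        index.setdefault(tuple(rec[q] for q in quasi), []).append(rec["name"])
    linked = []
    for row in tagged_rows:
        candidates = index.get(tuple(row[q] for q in quasi), [])
        linked.append({**row, "identified_as": candidates[0] if len(candidates) == 1 else None})
    return linked


if __name__ == "__main__":
    tagged, key = pseudonymise(SURVEY)
    print(reidentify(tagged, key))  # names recovered with the key: still personal data
    print([r["identified_as"] for r in link(tagged, CUSTOMERS)])  # two of three linked without it
    destroy_key(key)
    try:
        reidentify(tagged, key)
    except KeyError:
        print("key destroyed: tags no longer reverse")
```

In the constructed data the first respondent shares postal code and age with another customer, so the join cannot single that person out; the other two are re-identified from the master file alone, which is the point of question 6: what matters is what the organisation can identify with everything it holds, not whether the name field was removed.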

Some examples of personal data listed in the

Key Concepts Guidelines include an

individual’s full name, NRIC number, passport

number, photograph, video image, mobile

telephone number, personal email address,

thumbprint, DNA profile and name when used in conjunction with a residential address.

False personal data

Data which is false can also be part of an

individual’s personal data. An individual may

have appropriate reasons for using data that is

not strictly true, for example, when an

individual uses a fictitious name or nickname

as part of his personal email address.

7. What types of “personal data” are not

covered under the PDPA?

The PDPA does not apply to the following

categories of personal data:

(a) business contact information;

(b) personal data that is contained in a record

that has been in existence for at least 100

years; and

(c) personal data about a deceased individual

who has been dead for more than 10

years.

Business contact information

Business contact information refers to an

individual’s name, position name or title,

business telephone number, business address,

business electronic mail address, business fax

number and any other similar information

about the individual, not provided by the

individual solely for his/her personal purposes.

The purpose for which the individual provides

the work-related contact information is

important, because any work-related contact

information provided solely for personal

purposes (e.g. signing up for a gym


membership) would not constitute business

contact information. However, in most

circumstances, the Commission is likely to

consider personal data provided on

business/name cards as business contact

information.

Since sole proprietorships and partnerships are

also businesses, the contact information of

sole proprietors and partners is considered

business contact information where such

information has not been provided solely for

personal purposes.

8. Are IP addresses considered “personal

data”?

IP address in isolation

The Commission generally takes the view that IP addresses and network identifiers such as an IMEI number may not be personal data when viewed in isolation, because on their own they identify a particular networked device rather than an individual.

IP address combined with other information

Where IP addresses are combined with other

traces of information that are collected, or left

behind, by a device (such as cookies), it may

be possible in some cases to identify an

individual from his device’s IP address.

Tracking of IP addresses

Organisations may collect data points tied to

an IP address for purposes such as to

determine the number of unique visitors to a

website in a month, or the number of unique

responses to a once-off online survey about

consumer preferences, and consequently track

activities tied to an IP address. The

Commission takes the view that such tracking

may not result in the collection of personal

data, if the organisation is unable to identify

an individual from the data collected or from

that data and other information to which the organisation has or is likely to have access.

However, the more data points an organisation collects that are associated with a single IP address, the more likely it is that the data collected will constitute personal data. For example, if an organisation profiles the websites visited from an IP address, the items purchased from the same IP address and other online activities associated with that IP address over a long period, and is able to ascertain that the IP address is associated with one person with a specific surfing profile, the organisation may be found to have collected personal data.
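As an added illustration (not part of this FAQ or the PDPC guidelines), the following contrasts the two practices described above: keeping a per-IP history of a device’s activity, which accumulates the data points the Commission refers to, and counting unique visitors per day with a keyed hash whose random salt is discarded once the day’s count is done, so that no IP address is retained and keys from different days cannot be joined. The log lines, addresses and the daily-rotating-salt design are constructed assumptions for the example, not something the guidelines prescribe.

```python
# Added example, not from the Drew & Napier FAQ or the PDPC guidelines.
# Contrasts raw-IP profiling (a persistent, growing history per address)
# with counting unique visitors per day under a keyed hash whose salt is
# discarded, so no IP address is retained and days cannot be joined.
# Log lines, addresses and the daily-salt design are constructed for
# illustration; they are a design choice, not a prescribed method.
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed access-log lines: "<date> <client_ip> <path>"
LOG = """\
2014-07-02 203.0.113.7 /index.html
2014-07-02 203.0.113.7 /pricing
2014-07-02 198.51.100.23 /index.html
2014-07-03 203.0.113.7 /index.html
2014-07-03 192.0.2.44 /about
"""


def profile_by_ip(log):
    """Raw-IP profiling: every line adds another data point tied to the same
    identifier, across days. This accumulation is what tends towards
    personal data in the Commission's view."""
    history = defaultdict(list)
    for line in log.splitlines():
        _date, ip, path = line.split(" ", 2)
        history[ip].append(path)
    return dict(history)


def visitor_key(salt, ip):
    """HMAC-SHA256 of the address under a secret salt. Without the salt the
    key can neither be recomputed from nor mapped back to an IP address."""
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()


def daily_unique_visitors(log):
    """Return {date: number_of_unique_visitors}.

    One fresh 32-byte salt per day exists only while that day's lines are
    processed and is never stored with the counts. Keys from different days
    therefore cannot be joined, and no IP address is kept.
    """
    salts = {}
    keys_seen = defaultdict(set)
    for line in log.splitlines():
        date, ip, _path = line.split(" ", 2)
        salt = salts.setdefault(date, secrets.token_bytes(32))
        keys_seen[date].add(visitor_key(salt, ip))
    salts.clear()  # discard the salts: the stored keys are now one-way
    return {date: len(keys) for date, keys in keys_seen.items()}


def same_ip_links_across_days(ip):
    """The same address under two independent daily salts yields different
    keys, so a device cannot be followed from one day to the next."""
    return visitor_key(secrets.token_bytes(32), ip) == visitor_key(secrets.token_bytes(32), ip)


if __name__ == "__main__":
    print(profile_by_ip(LOG))            # per-IP history spanning both days
    print(daily_unique_visitors(LOG))    # counts only, no addresses
    print(same_ip_links_across_days("203.0.113.7"))
```

The count function answers the question the passage gives as a legitimate purpose (unique visitors in a period) while the organisation never ends up holding the address or a stable per-device identifier; the profiling function shows the opposite design, where the same address keeps accumulating linked data points.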

9. Are cookies considered “personal data”?

Cookies¹ are not personal data. However,

cookies may collect personal data.

Where cookies are employed by an

organisation to collect personal data of a user,

the PDPA will require that the organisation

obtain the user’s consent to collect, use and

disclose personal data of the user. See

question 24 below.

10. Is anonymised data regarded as

“personal data” for the purposes of the

PDPA?

Generally, anonymised data alone will not

constitute personal data.

However, if the anonymised data, taken together with other information to which an organisation has or is likely to have access, can be used to identify a particular individual, the data and that information together will constitute personal data.

¹ Cookies are text files created on a client computer

when its web browser loads a website or web

application, and which are generally used to store

information for performing certain functions such as

completing forms, facilitating website navigation,

authentication and enabling advertising technology.


11. Does the PDPA confer property or

ownership rights of personal data in an

individual or an organisation?

The PDPA does not confer any property or

ownership rights on personal data per se to

individuals or organisations and also does not

affect existing property rights in items in which

personal data may be captured or stored.

Thus, if an organisation takes a photograph of

an individual, the individual would not be

conferred ownership rights to that photograph

under the PDPA even though it would be part

of his personal data. Instead, ownership would

depend on existing laws such as property law

and copyright law. Regardless of ownership

rights, the organisation must comply with the

PDPA if it intends to collect, use or disclose the

photograph.

12. Which organisations are included, and

which are excluded from the operation

of the Data Protection Provisions?

The Data Protection Provisions apply to all

organisations, with certain exceptions.

“Organisation” is defined broadly to include

any individual, company, association or body

of persons, corporate or unincorporated,

whether or not:

(a) formed or recognised under the law of

Singapore; or

(b) resident or having an office or place of

business in Singapore.

The Data Protection Provisions do not apply

to:

(a) individuals acting in a personal or

domestic capacity;

(b) employees acting in the course of their

employment with an organisation;

(c) public agencies, or organisations acting on

behalf of a public agency in relation to the

collection, use or disclosure of personal

data; and

(d) other organisations as may be prescribed

by the Minister.

Individuals acting in a personal or domestic

capacity

An individual acts in a “personal or domestic”

capacity when undertaking activities for his

home or family; for example, by opening joint

bank accounts between two or more family

members.

Individuals acting as employees

Employees are excluded from the application

of the Data Protection Provisions. The PDPA

defines an employee to include a volunteer.

Hence, individuals who undertake work

without an expectation of payment would fall

within the exclusion for employees.

Even though employees are excluded from the

application of the PDPA, organisations remain

responsible for the actions of the employees

which result in a contravention of the Data

Protection Provisions.

Public agencies and organisations acting on

behalf of public agencies

Section 2 of the PDPA defines a public agency

to include:

(a) the Government, including any ministry,

department, agency, or organ of State;

(b) any tribunal appointed under any written

law; or

(c) any statutory body specified by the

Minister by notice in the Gazette.

To date, the Minister has gazetted 66 statutory

bodies as public agencies pursuant to the

Personal Data Protection (Statutory Bodies)

Notification 2013.

While organisations acting on behalf of a

public agency in relation to the collection, use


or disclosure of personal data are excluded

from the application of the Data Protection

Provisions when they are so acting, they still

have to comply with the Data Protection

Provisions in relation to other aspects of their

business not related to the public agency, for

example, in relation to their employees’

personal data or personal data of other

customers.

13. The Data Protection Provisions only

apply to a limited extent to a “data

intermediary”. What is a “data

intermediary”?

Where data intermediaries process personal

data on behalf of another organisation (the

principal organisation) pursuant to a written

contract, they will only be subject to the Data

Protection Provisions relating to protection

and retention of personal data.

The PDPA defines “processing” as “the carrying

out of any operation or set of operations in

relation to the personal data, and includes any

of the following: (i) recording; (ii) holding; (iii)

organisation, adaptation or alteration; (iv)

retrieval; (v) combination; (vi) transmission; (vii)

erasure or destruction.”

If a data intermediary uses or discloses

personal data in a manner which goes beyond

the processing required by the principal

organisation under the contract, it will not be

considered a data intermediary in respect of

such use or disclosure. It will therefore have to

comply fully with the Data Protection

Provisions in relation to such use or disclosure.

In a similar vein, while an organisation may be

considered a data intermediary in respect of a

set of personal data, it may at the same time

be bound by all Data Protection Provisions in

relation to other sets of personal data used for

activities which do not fall within the definition

of “processing” as a data intermediary (e.g. in

relation to personal data of its own

employees).

An organisation may be considered a data

intermediary to more than one principal

organisation. In such cases, all the principal

organisations are responsible for compliance

with the Data Protection Provisions in relation

to the personal data processed on their behalf.

An organisation may be a data intermediary of

another even if the written contract between

the organisations does not clearly identify the

data intermediary as such. The Commission

therefore notes that it is important for an

organisation to be clear as to its rights and

obligations when dealing with another

organisation. Where appropriate, the written

contract should clearly set out each

organisation’s responsibilities and liabilities in

relation to the personal data in question, and

expressly note whether one organisation is

processing personal data on behalf of and for

the purposes of another organisation.

14. What constitutes “collection”, “use” and

“disclosure” of personal data?

In general, the terms “collection”, “use” and

“disclosure” have the following meanings:

(a) Collection refers to any act or set of acts

through which an organisation obtains

control over or possession of personal

data.

(b) Use refers to any act or set of acts by

which an organisation employs personal

data. A particular use of personal data may

occasionally involve collection or

disclosure that is necessarily part of the

use.

(c) Disclosure refers to any act or set of acts

by which an organisation discloses,

transfers or otherwise makes available

personal data that is under its control or in

its possession to any other organisation.

While collection, use and disclosure may take

place actively (e.g. a sales person asking the

individual for personal information) or

passively (e.g. an individual writes his name in

an unattended guestbook placed near the

entrance), both forms of collection, use and


disclosure will be subject to the same

obligations under the PDPA.

15. Some Data Protection Provisions refer

to the “purpose” for which an

organisation collects, uses or discloses

personal data. How is such “purpose”

defined?

The term “purpose” does not refer to activities

which an organisation may intend to

undertake but rather to its objectives or

reasons. Hence, when specifying its purposes

relating to personal data, an organisation is

not required to specify every activity which it

may undertake, but its objectives or reasons

relating to personal data.

16. How is the concept of “reasonableness”

defined in the PDPA?

The test for reasonableness is what a

reasonable person would consider appropriate

in the circumstances. A “reasonable person” is

judged based on an objective standard and

can be said to be a person who exercises the

appropriate care and judgment in the

particular circumstances.

In determining what a reasonable person

would consider appropriate in the

circumstances, an organisation should

consider the particular circumstances it is

facing. Taking those circumstances into

consideration, the organisation should

determine what would be the appropriate

course of action to take in order to comply

with its obligations under the PDPA based on

what a reasonable person would consider

appropriate. A practical way of doing so is to view the situation from the perspective of the individual and consider what the individual would regard as fair.

The Commission notes that the standard of

reasonableness is expected to be evolutionary.

17. What are the main data protection

obligations contained under the PDPA?

The PDPA contains 9 main data protection

obligations that apply to organisations for

personal data in their possession or under their

control:

(a) the Consent Obligation (sections 13 to 17

of the PDPA);

(b) the Purpose Limitation Obligation (Section

18 of the PDPA);

(c) the Notification Obligation (Section 20 of

the PDPA);

(d) the Access and Correction Obligation

(Sections 21 and 22 of the PDPA);

(e) the Accuracy Obligation (Section 23 of the

PDPA);

(f) the Protection Obligation (Section 24 of

the PDPA);

(g) the Retention Limitation Obligation

(Section 25 of the PDPA);

(h) the Transfer Limitation Obligation (Section

26 of the PDPA); and

(i) the Openness Obligation (Sections 11 and

12 of the PDPA).

THE CONSENT OBLIGATION

18. What do organisations have to comply

with under the Consent Obligation?

Under the Consent Obligation, organisations

are required to obtain consent from the

individual before they can collect, use or

disclose the individual’s personal data. This

requirement does not apply where collection,

use or disclosure of an individual’s personal

data is required or authorised under the PDPA

or any other written law.

An individual has not given consent unless he has been notified of the purposes for which

his personal data will be collected, used or

disclosed and he has provided his consent for


those purposes. If an organisation fails to

inform the individual of the purposes for which

his personal data will be collected, used and

disclosed, any consent given by the individual

would not amount to consent.

19. How can organisations obtain consent

from individuals?

As a good practice, an organisation should

obtain consent in writing or recorded in a

manner that is accessible for future reference.

An organisation may also obtain consent

verbally although it may be more difficult for

an organisation to prove that it had obtained

consent. It would therefore be prudent for the

organisation to document the consent in some

way, for example, by noting the fact that oral

consent was provided by an individual for

certain purposes together with the date and

time of such consent, or by following up the

verbal consent by confirming the consent in

writing with the individual.

Opt-in method of consent

Organisations can obtain the individual’s

consent through a positive action of the

individual (e.g. by requiring the individual to

check a box indicating consent).

Opt-out method of consent

The Commission’s view is that a failure to opt

out (e.g. by deeming that an individual has

given his consent through inaction on his part

by not checking a box indicating his non-

consent) will not be regarded as consent in all

situations. Whether or not a failure to opt out

can be regarded as consent will depend on the

actual circumstances and facts of the case

because there are many methods and variants

to opting out, and depending on its

implementation, some could be more likely

than others to constitute consent.

20. When is an individual considered not to

have validly given consent?

Section 14(2) of the PDPA provides that

consent is not validly given if it is:

(a) obtained as a condition of the provision of

the product or service to the individual,

beyond what is reasonable to provide the

product or service; or

(b) obtained by providing false or misleading

information or using deceptive or

misleading practices.

Consent obtained as a condition of providing

the product/service

An organisation may require an individual to

consent to the collection, use or disclosure of

his personal data as a condition of providing a

product or service where it is reasonably

required in order to provide the product or

service. However, if the consent is obtained as

a condition of providing such product or

services beyond what is reasonable for the

provision of such products or services, such

consent is invalid.

Organisations are not, however, prohibited

from providing offers, discounts or lucky draw

opportunities to individuals that are

conditional on the collection, use or disclosure

of their personal data for specified purposes

because such offers, discounts or lucky draws

are not considered products or services.

The Commission recommends, as good practice, that organisations collecting personal data through a form indicate which of the fields that collect personal data are compulsory and which are optional, and state the purposes for which such personal data will be collected, used and/or disclosed.

This avoids potential problems as to whether

consent was validly given because it makes

clear whether the individual’s consent was

made a condition to the provision of products

or service.

Consent obtained by false/misleading

information or deceptive/misleading practices

Consent obtained by providing false or

misleading information to the individual, or by


using deceptive or misleading practices, is not

validly given. Such practices may include

situations where the purposes are stated in

vague or inaccurate terms, in an illegible font,

or placed in an obscure area of a document or

a location that is difficult to access.

21. When is an individual deemed to have

given consent?

Section 15 of the PDPA provides two situations

where an individual may be deemed to

consent even if he has not actually given

consent:

(a) where an individual voluntarily provides

the personal data to the organisation for a

purpose and it is reasonable that he

would do so, the individual is deemed to

consent to the collection, use and

disclosure for that purpose; and

(b) where an individual consents or is deemed

to have consented to the disclosure of his

personal data by one organisation to

another (B), the individual is deemed to

consent to the collection, use or disclosure

of his personal data by B for that purpose.

Relying on deemed consent requires an

organisation to be able to establish the

following:

(a) an individual voluntarily provided his

personal data;

(b) the individual was aware of the purpose

for which the personal data was provided;

and

(c) the circumstances are such that it is

reasonable for the individual to have

provided his personal data.

It is good practice for an organisation to

review its business processes to determine the

situations where it should obtain actual

consent instead of relying on deemed consent.

This is especially pertinent in situations where

it is not clear whether the deemed consent

provision applies. Obtaining consent from the

individual would avoid disputes where an

individual claims that he did not consent to

the collection of his personal data for a

purpose and that he did not voluntarily

provide personal data for the purpose.

22. Where an individual provides his

personal data as part of his job

application, is this considered deemed

consent?

When an individual voluntarily provides his

personal data to an organisation in the form of

a job application, for example, in response to a

recruitment advertisement, he may be deemed

to consent to the organisation collecting, using

and disclosing the personal data for the

purpose of assessing his job application.

23. How should organisations deal with a

job applicant’s personal data, after a

decision has been made on whether to

hire such job applicant?

Where the organisation decides not to hire the

individual, it should only keep such individual’s

personal data for as long as is necessary for

business or legal purposes (see questions 53

to 56 below).

Where a job applicant is employed by an

organisation, it would be good practice for the

organisation to obtain consent from an

employee, upon appointment or hiring of such

employee, for the maintenance of such

employee’s employment records (see question

47 below).

24. Is it necessary to obtain consent from

users when an organisation employs the

use of cookies?

Yes, if the cookies are used to collect personal

data.

It should be noted that the obligation to

obtain an individual’s consent for the

collection of his personal data rests with the

organisation that is collecting the personal


data, whether by itself or through its data

intermediaries. Accordingly, if an organisation

operates a website which a third party uses to

collect personal data, and the website operator

itself is not collecting such personal data, the

obligation is on the third party organisation to

obtain the consent required to collect the

personal data.

For Internet activities that the user has clearly

requested (e.g. transmitting personal data for

effecting online communications and storing

information that the user enters in a web form

to facilitate an online purchase), it may not be

strictly necessary to seek consent for the use

of cookies to collect, use, and disclose

personal data where the individual is aware of

the purposes for such collection, use or

disclosure and voluntarily provided his

personal data for such purposes.

For activities that cannot take place without

cookies that collect, use or disclose personal

data, consent may be deemed if the user

voluntarily provides the personal data for that

purpose of the activity, and it is reasonable

that he would do so.

The Selected Topics Guidelines provides that

consent may be reflected in the way a user

configures his interaction with the Internet. For

instance, if the user configures his browser to

accept certain cookies but rejects others, he

may be regarded as having consented to the

collection, use and disclosure of his personal

data by the cookies that he has chosen to

accept. However, the mere failure of a user to

actively manage his browser settings does not

always imply that the individual has consented

to the collection, use and disclosure of his

personal data by all websites for their stated

purpose.

25. Can an organisation obtain personal

data from third party sources with the

consent of the individual?

There are two situations in which organisations

may obtain personal data about an individual

from a third party source, with the consent of

the individual:

(a) where the third party source can validly

give consent to the collection, use and

disclosure of the individual’s personal data

(under Section 14(4) of the PDPA); or

(b) where the individual has consented, or is

deemed to have consented, to the

disclosure of his or her personal data by

the third party source (under Section

15(2) of the PDPA).

Consent given by a third party source

In relation to (a), the Commission has noted

that regulations will be issued under the PDPA

providing for some specific situations in which

a person may give consent on behalf of

another individual.

The Key Concepts Guidelines provides as an

example of validly obtaining personal data

from a third party source, a situation where

personal data is obtained via the purchase of a

database containing personal data from a

database reseller who has obtained consent

from the individual for the disclosure of the

personal data. Another example is where one

organisation in a corporate group has validly

obtained consent to the collection, use and

disclosure of an individual’s personal data for

the purposes of other organisations in the

group.

An organisation collecting personal data from

a third party source is required to notify the

source of the purposes for which it will be

collecting, using and disclosing the personal

data.

Deemed consent

An example of where an individual may be

deemed to have consented to disclosure of his

or her personal data by a third party source is

where a prospective employer seeks to obtain

a reference from his or her former employer

to determine his or her suitability for

employment by the prospective employer.


26. Can an organisation collect and use

personal data of a job applicant from

social networking sources?

To the extent that the information on social networking sources is publicly available,

organisations can collect personal data about

a job applicant without his consent. The PDPA

does not require organisations to obtain the

consent of individuals when collecting

personal data that is available publicly, for

instance, in newspapers, telephone directories

and websites containing information that is

generally available to the public.

Where the personal data is not publicly

available, but is voluntarily made available by

an individual on a job-search portal for being

contacted for prospective job opportunities,

the individual may be deemed to have

consented to the collection, use and disclosure

of his personal data for such purpose.

27. Can an organisation collect and use information on business cards for recruitment?

Where an individual provides his business card to an organisation for purposes other than solely for personal purposes, it is possible for the organisation to use the information on the business card for recruitment or other purposes. This is because the Data Protection Provisions do not apply to business contact information.

However, if the business card is provided by an individual purely for personal purposes, then the organisation will not be permitted to use the personal data contained in the business card for any purposes for which it has not obtained the individual’s consent.

28. What should organisations do to ensure that the third party sources can validly provide the personal data?

Organisations obtaining personal data from third party sources should check and ensure that the third party source can validly give consent for the collection, use and disclosure of personal data on behalf of the individual or that the source had obtained consent for disclosure of the personal data.

Organisations (A) obtaining personal data from third party sources (B) may consider adopting the following due diligence measures, as appropriate:

(a) seek an undertaking from B through a term of contract between A and B that the disclosure to A for A’s purposes is within the scope of the consent given by the individual to B;

(b) obtain confirmation in writing from B;

(c) obtain, and document in an appropriate form, verbal confirmation from B; or

(d) obtain a copy of the document(s) containing or evidencing the consent given by the individual concerned to B to disclose the personal data.

In the event the third party source could not validly give consent or had not obtained consent for disclosure to the collecting organisation, but concealed this from the collecting organisation, the actions taken by the collecting organisation to verify such matters before collecting the personal data from the third party source would be considered a possible mitigating factor by the Commission should there be a breach of the PDPA relating to such collection or the collecting organisation’s use or subsequent disclosure of the personal data.

29. Can an organisation obtain personal data from third party sources without the consent of the individual?

An organisation (A) may collect personal data from a third party source (B) without the consent of the individual in the circumstances described in the Second Schedule to the PDPA. These circumstances include where:


(a) the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;

(b) the personal data is publicly available; and

(c) the collection is necessary for evaluative purposes.

At the same time, B would only be able to disclose the personal data without the consent of the individual in any of the circumstances set out in the Fourth Schedule of the PDPA. These circumstances include, for example, where:

(a) the disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;

(b) the personal data is publicly available; and

(c) the disclosure is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual.

B would need to know the purpose for which A is collecting the personal data in order to determine if its disclosure of the data to the organisation falls into the Fourth Schedule exceptions set out in the PDPA. Section 20(2) of the PDPA therefore requires A to provide B with sufficient information regarding its purpose for collecting the personal data, to allow B to determine whether disclosure would be in accordance with the PDPA.

30. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data?

The term “publicly available” refers to personal data that is generally available to the public, including personal data which can be observed by reasonably expected means at a location or an event at which the individual appears and that is open to the public. Personal data is generally available to the public if any member of the public could obtain or access the data with few or no restrictions.

However, in some situations, the existence of restrictions may not prevent the data from being publicly available. For example, if personal data is disclosed to a closed online group but membership in the group is relatively open and members of the public could join with minimal effort, then the disclosure may amount to making the data publicly available.

Time in determining public availability

Personal data that is publicly available at one point in time may no longer be publicly available after that time. For example, users of social networking sites may change their privacy settings from time to time, which would have an impact on whether their personal data would be considered publicly available.

Because it would be excessively burdensome for organisations to constantly verify that the data remains publicly available, especially in situations where the use or disclosure happens some time after the collection of the personal data, the Commission has adopted the position that so long as the personal data in question was publicly available at the point of collection, organisations will be able to use and disclose personal data without consent under the corresponding exceptions, notwithstanding that the personal data may no longer be publicly available at the point in time when it is used or disclosed.

Personal data observed in public

For data observed in public to constitute publicly available data, two requirements must be met:

(a) the personal data must be observed by reasonably expected means; and

(b) the personal data must be observed at a location or event at which the individual appears and that is open to the public.


Personal data is observed by reasonably expected means if individuals ought to reasonably expect their personal data to be collected in that particular manner at that location or event. This test is an objective one, considering what individuals ought reasonably to expect instead of what a particular individual actually expects.

A location or event would be considered “open to the public” if members of the public can enter or access the location with few or no restrictions. Generally speaking, the more restrictions there are for access to a particular location (e.g. physical barriers such as fences, walls and gates, employment of security systems, sentries and patrols aimed at restricting entry), the less likely it would be considered “open to the public”.

However, the mere existence of some restrictions is not sufficient to prevent the location from being regarded as open to the public. For example, events that may be entered only upon payment of a fee by a member of the public may still be considered to be open to the public. Similarly, special events for members of a retailer’s loyalty programme may also be considered open to the public, depending on relevant factors such as whether the event was open to a large number of members.

A location is not open to the public merely because members of the public may look into the location. For example, if members of the public are not able to enter residential premises that are closed for a private event, their ability to observe what is happening inside would not make the premises open to the public.

The Commission also recognises that while a location may generally be open to the public, it may at times become a private space (e.g. a restaurant is booked for a private function). In such situations, as members of the public cannot enter the location during the event, the event is not open to the public.

31. What practical steps should organisations take to allow individuals to withdraw their consent?

Section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose by an organisation.

In order to enable and facilitate withdrawal, the Commission advises organisations to make an appropriate consent withdrawal policy easily accessible to the individuals concerned. This withdrawal policy should, for example:

(a) advise the individuals on the form and manner to submit a notice to withdraw their consent for specific purposes;

(b) indicate the person to whom, or the means by which, the notice to withdraw consent should be submitted;

(c) distinguish between purposes which are necessary and those which are optional to the provision of goods or services; and

(d) allow individuals to withdraw consent for optional purposes without concurrently withdrawing consent for the necessary purposes.

An organisation must not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual himself. If the collection, use or disclosure of his personal data is necessary for the provision of the goods or services, the organisation can terminate the provision of such goods and services on the individual’s withdrawal of consent and shall have recourse to any legal rights and remedies accruing to it (e.g. early termination fees), but the organisation cannot prohibit the individual from withdrawing such consent.


32. How should organisations respond when they receive a notice from an individual to withdraw consent?

Once an organisation has received a notice to withdraw consent, the organisation should highlight to the individual concerned the likely consequences of withdrawing his consent, even if those consequences have previously been set out somewhere else (e.g. in the service contract between the organisation and the individual).

With regard to personal data that is already in an organisation’s possession, withdrawal of consent would only apply to an organisation’s continued use or future disclosure of the personal data concerned. Upon receipt of a notice of withdrawal of consent, the organisation must inform its data intermediaries and agents about the withdrawal and ensure that they cease collecting, using or disclosing the personal data for the organisation’s purposes.

Apart from its data intermediaries and agents, an organisation is not required to inform other organisations to which it has disclosed an individual’s personal data of the individual’s withdrawal of consent. The individual retains the option of requesting the organisation to provide information on the ways in which his personal data has been disclosed, and upon finding out which other organisations his personal data may have been disclosed to, approaching these other organisations directly to withdraw consent.

Organisations are not required to delete or destroy an individual’s personal data when he has withdrawn consent. Organisations may retain personal data in their documents and records in accordance with the Retention Limitation Obligation (see below).

33. Are organisations required to accede to an individual’s request to delete CCTV footage?

No. Organisations are not required to delete video footage collected from their closed-circuit television cameras (CCTVs) upon request by an individual.

However, before providing a copy of CCTV footage to any persons (upon their request), the organisation should mask the images of other individuals who may be present in the CCTV footage. This is because the PDPA does not permit the organisation to disclose personal data (such as video images) of other individuals present in the CCTV footage, where consent of those individuals for such disclosure has not been obtained.

34. What do organisations have to comply with under the Purpose Limitation Obligation?

Under the Purpose Limitation Obligation, organisations may collect, use or disclose personal data about an individual only for purposes:

(a) that a reasonable person would consider appropriate in the circumstances; and

(b) where applicable, that the individual has been informed of by the organisation pursuant to the Notification Obligation (see below).

Whether a purpose is reasonable depends on whether a reasonable person would consider it appropriate in the circumstances. Hence the particular circumstances involved need to be taken into account in determining whether the purpose of such collection, use or disclosure is reasonable.

More generally, organisations should avoid over-collecting personal data such as NRIC numbers, where this is not required for their business or legal purposes. Organisations should also consider whether there may be alternatives available that address their requirements.


35. If an organisation captures CCTV footage beyond the boundaries of its own premises, does that go beyond the Purpose Limitation Obligation?

Organisations are not strictly prohibited from installing CCTVs that collect footage beyond the boundaries of their premises. However, organisations will need to consider whether the extent of the coverage is reasonable for the purpose of installing the CCTVs.

Organisations should also place appropriate notification in all areas where personal data would be collected by the CCTVs and obtain consent for such collection, unless one of the exceptions under the PDPA applies.

On a related note, organisations should be aware of other restrictions (including legal limits on the filming of restricted areas) that may affect their ability to collect CCTV footage of areas beyond their premises.

36. Can organisations collect NRIC cards?

Yes. However, organisations will need to exercise caution when handling NRIC cards, as they contain personal data and such personal data will be subject to the Data Protection Provisions.

37. For what business purposes are organisations allowed to use NRIC numbers?

This depends on the purposes (which should be reasonable) for which consent to collect, use and disclose the NRIC numbers has been obtained by the organisation.

Organisations should note that, where NRIC numbers are used as membership numbers or user names, the disclosure of such membership numbers or user names may also result in the disclosure of NRIC numbers. In this regard, the organisation will need to consider whether it is reasonable to use the NRIC numbers as the membership number or user name, and also whether valid consent has been obtained from the individual concerned.

38. Can organisations publish NRIC numbers for purposes such as the results of lucky draws?

Yes, provided that valid consent has been obtained from the individuals concerned.

That said, the Commission has noted that it is good practice for organisations to publish only as much personal data as necessary to fulfil the relevant purpose. With regard to NRIC numbers, it would be sufficient in most cases to publish only a portion of the NRIC number such as the last three digits and the alphabet. The full NRIC number should only be used if necessary, for example, to confirm the identity of the person coming forth to receive the lucky draw prize.
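As an added illustration of the partial-publication practice described above (example code, not part of the original guide or the Commission's guidance), the following Python masks NRIC numbers in a draft results list so that only the last three digits and the suffix letter remain, and provides a check that no full number slipped through. It assumes the standard NRIC/FIN layout of one prefix letter, seven digits and one suffix letter; the results list and the numbers in it are constructed samples.

```python
import re

# Assumed NRIC/FIN layout: one prefix letter, seven digits and one suffix
# letter (e.g. S1234567A). The three capture groups separate the part to
# hide (prefix + first four digits) from the part the guide says may be
# published (last three digits + letter).
NRIC_PATTERN = re.compile(r"\b([STFGM])(\d{4})(\d{3})([A-Z])\b")


def mask_nric(nric: str) -> str:
    """Return the NRIC with only the last three digits and the suffix
    letter visible, e.g. S1234567A -> *****567A.

    A value that does not match the assumed layout raises ValueError,
    so a malformed number is never published half-masked by accident.
    """
    m = NRIC_PATTERN.fullmatch(nric.strip().upper())
    if m is None:
        raise ValueError("value does not look like an NRIC/FIN number")
    prefix, hidden, last_three, suffix = m.groups()
    return "*" * (len(prefix) + len(hidden)) + last_three + suffix


def redact_results(text: str) -> str:
    """Mask every NRIC-like token in a block of text, such as a draft of
    lucky draw results, before it is published."""
    return NRIC_PATTERN.sub(lambda m: mask_nric(m.group(0)), text)


def contains_full_nric(text: str) -> bool:
    """Publication gate: True if any unmasked NRIC-like token remains."""
    return NRIC_PATTERN.search(text) is not None


# Constructed sample of an internal draft; the names and numbers are
# invented for this example and do not belong to real individuals.
DRAFT_RESULTS = """Lucky Draw Results (draft, internal)
1st prize: Tan A. B. (S1234567A)
2nd prize: Lee C. D. (T7654321Z)
"""

if __name__ == "__main__":
    published = redact_results(DRAFT_RESULTS)
    # Refuse to publish if the redaction missed anything.
    assert not contains_full_nric(published)
    print(published)
```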

THE NOTIFICATION OBLIGATION

39. What do organisations have to comply with under the Notification Obligation?

Organisations must inform individuals of the purposes for which their personal data will be collected, used and disclosed in order to obtain their consent. This is important because the organisation’s collection, use and disclosure is limited to the purposes for which notification has been made to the individuals concerned (i.e. the Purpose Limitation Obligation).

In particular, organisations have to inform the individual of:

(a) the purposes for the collection, use and disclosure of his personal data, on or before collecting the personal data; or

(b) any purpose for use or disclosure of personal data which has not been informed under (a), before such use or disclosure of personal data for that purpose.


40. How should organisations notify individuals of the purpose for the collection, use and disclosure of their personal data?

While no manner or form of notification is mandated, organisations should determine the best way to notify the individual, such that he is provided with all the required information to understand the purposes for which his personal data is collected, used or disclosed. Relevant factors to consider in such a determination include:

(a) the circumstances in which it will be collecting the personal data;

(b) the amount of personal data to be collected;

(c) the frequency at which the personal data will be collected; and

(d) the medium through which the notification is provided (e.g. face-to-face or through a telephone conversation).

It is generally good practice for an organisation to state its purposes in a written form (electronically or otherwise) so that the individual is clear about its purposes and both parties will be able to refer to a clearly documented statement of the organisation’s purposes in the event of any dispute.

The Commission has also suggested several best practices that organisations can adopt:

(a) Organisations should draft notices that are easy to understand and appropriate to the intended audience, providing headings or clear indications of where the individuals should look to determine the purposes for which their personal data would be collected, used or disclosed, and avoiding legalistic terminology that would confuse or mislead individuals reading it;

(b) Organisations should provide the most important or basic information (e.g. contact details of the organisation’s Data Protection Officer) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere;

(c) Organisations should consider if some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;

(d) Organisations should select the most appropriate medium(s) to provide the notification (e.g. in writing through a form, on a website, or orally in person); and

(e) Organisations should develop processes to regularly review the effectiveness and relevance of the notification policies and practices.

41. Can organisations use a Data Protection Policy to notify individuals of the purposes for which they collect, use and disclose personal data?

Organisations may choose to notify individuals of the purposes for which they collect, use and disclose personal data through their Data Protection Policy, which is a document setting out the organisation’s policies and procedures for complying with the PDPA.

The Data Protection Policy may be provided to individuals as required, in the form of a physical document, on the organisation’s website or in some other manner. However, the Commission recommends that where the policy is not made available to an individual as a physical document, the organisation should provide the individual with an opportunity to view its Data Protection Policy before collecting the individual’s personal data.

If an organisation’s Data Protection Policy sets out its purposes in very general terms, the organisation may need to provide a more specific description of its purposes to a particular individual who will be providing his personal data in a particular situation, to provide clarity to the individual on how his personal data would be collected, used or disclosed.

42. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed?

The Key Concepts Guidelines provide that an organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his personal data. An organisation need not specify every activity it will undertake in relation to collecting, using and/or disclosing personal data when notifying individuals of its purposes, and may have regard to the following to determine the level of specificity to provide:

(a) whether the purpose is stated clearly and concisely;

(b) whether the purpose is required for the provision of products or services (as distinct from optional purposes);

(c) if the personal data will be disclosed to other organisations, how the organisations should be made known to the individuals;

(d) whether stating the purpose to a greater degree of specificity would be a help or hindrance to the individual understanding the purpose(s) for which his personal data would be collected, used, or disclosed; and

(e) what degree of specificity would be appropriate in light of the organisation’s business processes.

43. Can organisations use and disclose personal data for a different purpose from that for which it was collected?

The organisation should first determine whether or not the ‘different’ purpose actually falls within the scope of the purposes of which the individual concerned had originally been informed. If the purpose does fall within the scope of the original purposes, there is no need to obtain fresh consent.

If, however, the organisation determines that the different purpose does not fall within the scope of the original purpose, the organisation needs to inform the individual of those new purposes and obtain fresh consent.

44. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities?

It will not be strictly necessary to obtain consent from an individual to use their personal data for a research purpose as set out in paragraph 1(i) of the Third Schedule of the PDPA, if all the conditions in paragraph 2 of the Third Schedule of the PDPA are satisfied, that is:

(a) the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;

(b) it is impracticable for the organisation to seek the consent of the individual for the use;

(c) the personal data will not be used to contact persons to ask them to participate in the research; and

(d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest.

Generally and where the exception does not apply, organisations will need to:

(a) specify research and analytics as a purpose for which consent of an individual is sought, and obtain the individual’s consent for collection, use and/or disclosure for such purpose;


(b) rely on consent that has been given by an individual for a purpose that does not explicitly cover analytics and research if the purpose of the analytics and research falls within the original purpose for which consent was given; or

(c) use anonymous or anonymised data to conduct the research or analytics activities (see questions 63 and 64 for more details on anonymisation).

45. Do organisations always need to notify individuals when CCTVs are deployed?

Generally, yes. Individuals will need to be notified that CCTVs are operating in the premises, as well as for what purposes (if this may not be obvious to individuals). This is because organisations will generally need to get their consent for the collection, use or disclosure of CCTV footage. Where there may be exceptions to the requirement to obtain consent from individuals for the collection, use or disclosure of their personal data (e.g. where the personal data is publicly available), the Commission recommends that organisations still provide notification, as a matter of best practice, where CCTVs are deployed.

While the PDPA does not prescribe the content of the notification required, organisations should put up notices or other forms of notifications, for example, at points of entry or prominent locations in a venue or a vehicle to notify individuals that CCTVs have been deployed in the premises. It is not necessary for the placement or content of notifications to reveal the exact location of the CCTVs.

46. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data?

Recruitment companies, employment agencies, headhunters and similar organisations will generally need to notify individuals before collecting, using or disclosing their personal data, unless one of the exceptions under the PDPA applies.

There may be some cases, however, where a recruitment agency acts only as a data intermediary (see question 13 above). In these cases, the recruitment agency that is a data intermediary would only be subject to the provisions in the PDPA relating to the safeguarding and retention of personal data in respect of the processing of personal data on behalf of and for the purposes of the organisation (for which it is acting as a data intermediary), pursuant to a contract with such organisation which is evidenced or made in writing.

47. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes?

This will depend on the precise scope and nature of these employment purposes.

The PDPA does not prescribe the form or manner in which organisations are to provide an individual with the required information that allows him to understand the purposes for which his personal data would be collected, used and disclosed in the employment context. In this regard, it is possible for organisations to inform their employees of these purposes through employment contracts, employee handbooks, or notices in the company intranet (for instance).

Managing or terminating the employment relationship

Generally, it would be reasonable for an organisation to continue to use personal data provided by an employee in a job application form, for the purpose of managing the employment relationship with the individual. The PDPA allows employers to collect personal data from their employees, insofar as it is reasonable for the purpose of managing or terminating their employment relationships, and to use or disclose such employees’ personal data for consistent purposes, without their consent.

Importantly, however, while consent is not required, employers will need to notify employees where they are collecting the employees’ personal data for purposes of managing or terminating the employment relationship. This is in contrast to situations where the employer may be collecting employee personal data for evaluative purposes (see below).

The Selected Topics Guidelines provide that the purposes of “managing and terminating an employment relationship” include the following:

• using the employee’s bank account details to issue salaries;

• monitoring how the employee uses company computer network resources;

• posting employees’ photographs on the staff directory page on the company intranet; and

• managing staff benefit schemes like training or educational subsidies.

However, as a matter of best practice, organisations should, upon appointment or hiring of an employee, obtain consent from the employee to maintain such employee’s employment records.

Further, should the organisation require additional personal data or intend to use or disclose the employee’s personal data for other purposes during the course of the employment relationship, it will also be necessary to obtain relevant consent from the employee.

Where an organisation has sufficiently provided a general notification to employees on the purposes for which their personal data may be collected, used and disclosed, for example, for performance appraisals, the Commission does not expect organisations to notify employees of the same purpose prior to each time that the organisation engages in such activities.

Evaluative purposes

An employer need not obtain consent from, or notify, an employee or prospective employee when collecting, using or disclosing personal data for evaluative purposes. Such evaluative purposes include:

(a) where an employer seeks to obtain a reference from a prospective employee’s former employer to determine his suitability, eligibility or qualifications for employment; and

(b) where an employer seeks to obtain performance records or other relevant information or opinions to determine the performance of an employee, or for promotion in employment or continuance in employment.

Other purposes

In relation to the collection, use or disclosure of employee personal data for other purposes that are not relevant to the management or termination of the employment relationship, and where no other exception under the PDPA applies, an employer organisation will need to obtain consent from the employee.

This includes where the employer collects, uses or discloses employee personal data for business or client purposes not related to managing or terminating an employment relationship. For instance, if an organisation provides the full name and NRIC number of an employee for purposes of allowing a courier company to enter its office premises, the organisation will need to obtain the employee’s consent prior to disclosing the employee’s personal data. Such consent can be obtained on a case-by-case basis, or once-off through the employment contract or other appropriate means.

THE ACCURACY OBLIGATION

48. What do organisations have to comply with under the Accuracy Obligation?


The Accuracy Obligation requires organisations to make reasonable efforts to ensure that personal data collected is accurate and complete, if it is likely that the personal data will be used to make a decision that affects the individual to whom the personal data relates, or the personal data is likely to be disclosed to another organisation.

In order to ensure that personal data is accurate and complete, an organisation must make a reasonable effort to ensure that:

(a) it accurately records personal data which it collects (whether directly from the individual concerned or through another organisation);

(b) personal data it collects includes all relevant parts thereof (so that it is complete);

(c) it has taken the appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness of the personal data; and

(d) it has considered whether it is necessary to update the information.

In determining what may be considered a reasonable effort, an organisation should take into account factors such as the following:

(a) the nature of the data and its significance to the individual concerned (e.g. whether the data relates to an important aspect of the individual such as his health);

(b) the purpose for which the data is collected, used or disclosed;

(c) the reliability of the data (e.g. whether it was obtained from a reliable source or through reliable means);

(d) the currency of the data (that is, whether the data is recent or was first collected some time ago); and

(e) the impact on the individual concerned if the personal data is inaccurate or incomplete.

The Commission has noted that an organisation may not be required to check the accuracy and completeness of an individual’s personal data each and every time it makes a decision, or is likely to make a decision, about the individual.

49. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources?

Personal Data collected from the individual

Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances. When in doubt, organisations can consider requiring the individual to make a verbal or written declaration that the personal data provided is accurate and complete.

Additionally, where the currency of the personal data is important, the organisation should take steps to verify that the personal data provided by the individual is up to date (for example, by requesting a more updated copy of the personal data before making a decision that will significantly impact the individual).

Personal Data collected from third party sources

An organisation should be more careful when collecting personal data from a source other than the individual in question. It is allowed to take differing approaches to ascertain the accuracy and completeness of personal data it collects depending on the reliability of the source of the data. For example, the organisation may obtain confirmation from the source of the personal data that the source had verified the accuracy and completeness of that personal data. It may also conduct further independent verification if it deems prudent to do so.

THE PROTECTION OBLIGATION

50. What does it mean to make “reasonable security arrangements to protect personal data”?

To determine what may be reasonable and appropriate, the organisation should take into consideration:

(a) what type of personal data it has in its possession or under its control;
(b) in what medium the personal data has been collected (e.g. hardcopy or softcopy);
(c) who has access to the personal data;
(d) whether any personal data is or will be held or used by third parties on behalf of the organisation;
(e) what possible harm might arise from a security breach (e.g. what consequences there might be to the individual concerned if his/her personal data is obtained, modified or disposed of by an unauthorised person); and
(f) who will be responding to information security breaches.

An organisation may wish to put in place different levels of security according to the level of sensitivity of the personal data.

51. What types of security arrangements can an organisation put in place?

A combination of administrative, physical and technical or other measures may be used, depending on what is reasonable and appropriate for an organisation (see questions 48 and 49 above).

Some examples include:

• Setting out confidentiality obligations in all staff employment contracts;
• Implementing staff policies and manuals on personal data protection;
• Conducting regular staff training on how to handle personal data and updates on what types of potential threats there may be to personal data;
• Taking disciplinary action against staff who breach confidentiality obligations;
• Limiting the amount of personal data collected by the organisation to what is necessary (i.e. avoid holding excessive personal data);
• Marking documents as “confidential”;
• Storing confidential documents under lock;
• Limiting staff access to confidential documents on a need-to-know basis;
• Using privacy filters on laptops and computers;
• Shredding confidential documents when no longer needed, or by other means of secure destruction;
• Using registered post instead of normal post when delivering confidential documents;
• Creating different layers of access to documents which contain personal data, so that personal data is accessed only when necessary;
• Confirming the identity of an individual prior to disclosing any personal data to such individual to ensure that the individual is the correct recipient;
• Encrypting personal data;
• Using self-locking mechanisms for computer screens after a certain period of inactivity;
• Wiping personal data from IT devices before they are disposed of, sold or recycled;
• Using the appropriate email security setting when sending or receiving highly confidential emails;
• Regular updating of computer and IT security equipment and software; and
• Engaging IT service providers which are able to provide the requisite standard of IT security.

52. Are organisations responsible if their employees do not comply with the PDPA?

Yes, insofar as the act done or conduct engaged in by the employee was in the course of his employment. The PDPA will treat such act or conduct as having been done or engaged in by the employer, irrespective of whether it was done or engaged in with the employer’s knowledge or approval.

That said, an organisation may not be liable for offences under the PDPA by an employee of an organisation, if it took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct that constitutes the offence.

It should be noted that, for the purposes of the PDPA, an “employee” includes a volunteer, and an employment relationship will include an unpaid volunteer work relationship.

THE RETENTION LIMITATION OBLIGATION

53. How long should an organisation retain personal data?

Organisations should assess the reasons for which they retain personal data, and regularly assess whether personal data still needs to be retained.

Generally, organisations should only retain personal data:

(a) if it is necessary for the purposes for which the personal data was collected; or
(b) for business or legal purposes.

With regard to (a) above, for instance, if an organisation has only obtained valid consent from an individual to collect personal data for a certain purpose (i.e. purpose A), it must not keep that personal data “just in case” it may be needed for any purposes other than purpose A.

With regard to (b) above, some examples of legal or business purposes include:

• for ongoing legal action involving the organisation;
• to comply with applicable laws and regulations, whether in Singapore or outside of Singapore, including international or regional standards; and
• to generate the organisation’s annual reports, performance forecasts, etc.

54. What are some recommended best practices in relation to the retention of personal data?

The Commission recommends that organisations should draw up policies which set out the retention periods for personal data. Such policies may provide for varying retention periods in respect of different types of personal data held by the organisation.

As a guide, organisations may wish to retain documents regarding their contracts for 7 years from the date of termination of the contract, as actions founded on contract will generally need to be brought within 6 years from the date on which the cause of action accrued. However, it may be necessary to retain such contracts for a longer period if there are ongoing legal proceedings or investigations regarding these contracts.

55. How long can organisations continue to hold personal data of former employees?

As mentioned in question 53 above, organisations may continue to retain personal data about former employees that were collected during their respective employment periods for as long as there is a valid business or legal purpose.

The Commission has clarified that organisations which have a policy of retaining personal data of former employees for the purpose of considering them for future job opportunities can continue to do so as a valid business purpose. However, organisations should not retain personal data without a clearly defined purpose.

56. What does it mean to “cease to retain” personal data?

There are various ways in which an organisation may cease to retain personal data.

The Commission has indicated that it will consider whether an organisation has ceased to retain personal data, in light of the following factors:

(a) whether the organisation has any intention to use or access the personal data;
(b) how much effort and resources the organisation would need to expend to use or access the personal data again;
(c) whether any third parties have been given access to the personal data; and
(d) whether the organisation has made a reasonable attempt to completely destroy, dispose of or delete the personal data permanently.

Some ways in which an organisation may cease to retain personal data include:

(a) returning those documents containing personal data to the individual concerned;
(b) transferring those documents containing personal data to another person, if instructed by the individual concerned;
(c) shredding those documents containing personal data; and
(d) anonymising the personal data, such that the remaining data can no longer be used to identify any particular individual (see questions 63 to 65 for more details on anonymisation).

THE OPENNESS OBLIGATION

57. What is the Openness Obligation?

The Openness Obligation is a term coined by the Commission, which generally refers to the requirement for organisations to make their data protection policies and practices available to those individuals whose personal data they collect.

This also refers to the Data Protection Provisions which make organisations accountable to individuals and the Commission for compliance with the Data Protection Provisions, by the following means:

(a) giving the right to individuals to request for access to their personal data held in the possession or under the control of an organisation, to find out whether and what type of their personal data are held by the organisation, and how the organisation is using their personal data;
(b) giving the right to individuals to submit complaints to the Commission regarding an organisation’s conduct and compliance with the Data Protection Provisions;
(c) giving the right to individuals who suffer loss or damage directly as a result of an organisation’s contravention of the Data Protection Provisions to commence civil proceedings against the organisation; and
(d) empowering the Commission to take enforcement action against an organisation which has contravened any of the Data Protection Provisions.

For the purpose of ensuring that they comply with the Data Protection Provisions, organisations are required to designate one or more individuals who will take on the responsibility for ensuring such compliance. Importantly, organisations should note that such designation of responsibility does not pass legal responsibility to the individual. The organisation itself remains legally responsible for compliance with the Data Protection Provisions.

58. Are there any requirements as to whom an organisation may designate as its data protection officer?

The PDPA requires that an organisation must make available the business contact information of at least one individual designated by the organisation, who is able to answer on behalf of the organisation, any questions relating to the collection, use or disclosure of personal data.

There is no strict necessity for an individual designated by an organisation to be an employee of the organisation, or for such individual to be physically based in Singapore. It is also generally open to the designated individual to delegate the responsibility to another individual.

Notwithstanding, the Commission recommends that the business contact information of the individual whom an organisation designates should be: (a) a Singapore phone number; (b) operational during Singapore business hours; and (c) readily accessible from Singapore.

59. Will the Openness Obligation require organisations to accede to an individual’s request to access CCTV footage?

Yes, unless a relevant exception in the Fifth Schedule of the PDPA applies (e.g. the request is frivolous or vexatious, or if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests).

The Selected Topics Guidelines suggest that harming an organisation’s competitive position, or compromising an organisation’s security arrangements (e.g. where the provision of the personal data in the CCTV footage could reasonably be expected to threaten the safety of another individual), could be a sufficient reason to deny access to CCTV footage. In such a case, the organisation will need to ensure that it has strong justifications and supporting evidence to justify its decision to reject the individual’s request for access to the CCTV footage.

60. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage?

Where an individual requests for access to CCTV footage, the organisation concerned should provide a copy of the CCTV footage to the individual. While the PDPA does not prescribe any minimum resolution for CCTV footage that is requested to be provided to individuals, given that the requirement is for the organisation to provide the personal data in its possession or under its control, the organisation should provide the CCTV footage in the form and of the resolution it holds for its purposes.

In providing the individual a copy of the CCTV footage, the organisation should generally seek to mask images of other individuals who may be present in the CCTV footage.

Organisations have the option of requiring that individuals pay a minimal fee before acceding to any such request for a copy of the CCTV footage.

On a related note, organisations may require that the individual, to whom it provides a copy of CCTV footage, sign a contract to agree not to disclose to any third party the CCTV footage provided to him. However, organisations should note that individuals acting in a personal or domestic capacity are not subject to the Data Protection Provisions of the PDPA.

61. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request?

Yes. The Commission has expressed its views that it would be reasonable for certain groups of individuals (e.g. a married couple, or parents of a class of students) to jointly make an access request to view CCTV footage.

62. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected?

Generally, yes. A job applicant would have the right to request for access to their personal data held in the possession or under the control of an organisation, to find out whether and what type of their personal data are held by the organisation, and how the organisation is using their personal data.

However, the PDPA provides for certain exceptions where an organisation need not accede to such request by a job applicant. For example, if the personal data in question is opinion data kept solely for an evaluative purpose (e.g. opinions of management staff of the organisation which were formed about the job applicant in the course of determining his suitability and eligibility for the job), the organisation will not be required to provide such information to the individual.

OTHER IMPORTANT CONCEPTS

63. What does it mean to anonymise personal data?

For the purposes of the PDPA, personal data may be anonymised by removing all information that can be used to identify a particular individual.

In other words, where the remaining information, whether alone or together with any other information that an organisation has or is likely to have access to, can no longer be used to identify a particular individual, such information may be said to have been anonymised.

64. How can personal data be anonymised?

The Commission has provided the following suggestions on how data may be anonymised:

(a) Pseudonymisation: by replacing personal identifiers (such as a person’s full name) with other references (such as a randomly generated reference number);
(b) Aggregation: by displaying only total values rather than individual values which could identify an individual (e.g. displaying the sum of individual ages of the total number of individuals in a group, rather than the age of each individual specifically);
(c) Replacement: by replacing specific values or a subset of specific values with a computed average or a number derived from the specific values (e.g. instead of referring to 3 individuals aged 15, 18 and 20 years old, to make reference to 3 individuals aged approximately 17 years old);
(d) Data reduction: by removing values that are not required for the purpose (e.g. removing an individual’s ethnicity from a data set of the individual’s attributes);
(e) Data suppression: by banding or hiding the value within a given range (e.g. replacing the age ‘41’ with the range ’40-50’);
(f) Data shuffling: by mixing up or replacing values with those of the same type so that information looks similar but is unrelated to the actual details; and
(g) Masking: by removing certain details while preserving the look and feel of the data (e.g. representing an NRIC number as ‘S0XXXX45A’ instead of ‘S0122445A’).
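As an added worked example (not code from the FAQ or from the Commission), the seven techniques above applied in Python to a constructed four-person data set; the people, field names and the reference-number format are assumptions, and only the NRIC S0122445A is the page's own value:

```python
"""Added example, not part of the Drew & Napier FAQ or the Commission's
guidelines: the seven anonymisation techniques listed in question 64 applied to
a small constructed data set. The people and field names are invented; the NRIC
S0122445A is the page's own illustrative value."""
import random
import statistics
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed sample records (invented people; the first NRIC is the page's example).
RECORDS: List[Record] = [
    {"name": "Tan Ah Kow", "nric": "S0122445A", "age": 15, "ethnicity": "Chinese", "postal": "120001"},
    {"name": "Siti Aminah", "nric": "S1234567B", "age": 18, "ethnicity": "Malay", "postal": "120001"},
    {"name": "Raj Kumar", "nric": "S7654321C", "age": 20, "ethnicity": "Indian", "postal": "120002"},
    {"name": "Lim Bee Hwa", "nric": "S2468135D", "age": 41, "ethnicity": "Chinese", "postal": "120002"},
]


class Pseudonymiser:
    """(a) Pseudonymisation: swap direct identifiers for a random reference number.

    The lookup table turns a reference back into a person, so it is itself
    personal data: hold it separately and protect it (see question 65).
    """

    def __init__(self, rng: random.Random) -> None:
        self._rng = rng
        self.lookup: Dict[str, str] = {}  # nric -> reference number

    def reference_for(self, nric: str) -> str:
        if nric not in self.lookup:
            ref = f"REF-{self._rng.randrange(10**6, 10**7)}"
            while ref in self.lookup.values():  # keep references unique
                ref = f"REF-{self._rng.randrange(10**6, 10**7)}"
            self.lookup[nric] = ref
        return self.lookup[nric]

    def pseudonymise(self, record: Record) -> Record:
        out = {k: v for k, v in record.items() if k not in ("name", "nric")}
        out["ref"] = self.reference_for(str(record["nric"]))
        return out


def aggregate_ages(records: List[Record]) -> Tuple[int, int]:
    """(b) Aggregation: report only the sum of ages and the head count, never each age."""
    ages = [int(r["age"]) for r in records]
    return sum(ages), len(ages)


def replace_with_average(ages: List[int]) -> int:
    """(c) Replacement: one derived figure for the group. The page calls 15, 18 and
    20 'approximately 17'; truncating the mean (17.67) reproduces that figure."""
    return int(statistics.mean(ages))


def reduce_fields(record: Record, drop: Tuple[str, ...] = ("ethnicity",)) -> Record:
    """(d) Data reduction: drop values the purpose does not need."""
    return {k: v for k, v in record.items() if k not in drop}


def suppress_age(age: int, width: int = 10) -> str:
    """(e) Data suppression: band the value, e.g. 41 -> '40-50' as on the page."""
    lo = (age // width) * width
    return f"{lo}-{lo + width}"


def shuffle_field(records: List[Record], field: str, rng: random.Random) -> List[Record]:
    """(f) Data shuffling: permute one column so values look real but belong to nobody."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def mask_nric(nric: str) -> str:
    """(g) Masking: keep the look and feel, hide the middle: S0122445A -> S0XXXX45A."""
    if len(nric) != 9:
        raise ValueError("expected a 9-character NRIC-style value")
    return nric[:2] + "XXXX" + nric[6:]


def anonymise(records: List[Record], seed: int = 0) -> List[Record]:
    """Apply (a), (d), (e) and (f) record by record; (b), (c) and (g) are the
    per-group and per-value helpers above. The fixed seed keeps the demonstration
    repeatable; real pseudonyms should come from the secrets module."""
    rng = random.Random(seed)
    pseudo = Pseudonymiser(rng)
    out: List[Record] = []
    for r in records:
        r2 = pseudo.pseudonymise(reduce_fields(r))
        r2["age"] = suppress_age(int(r2["age"]))
        out.append(r2)
    return shuffle_field(out, "postal", rng)


if __name__ == "__main__":
    for row in anonymise(RECORDS):
        print(row)
    print(aggregate_ages(RECORDS), replace_with_average([15, 18, 20]), mask_nric("S0122445A"))
```

The pseudonymiser's lookup table is the re-identification key the next two questions warn about: an organisation that keeps it is still holding personal data.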

It should be noted, however, that the application of the above anonymisation techniques may not render a data set fully anonymised, or anonymised in perpetuity, and there remains a risk that anonymised data can be used to re-identify particular individuals (see question 65 below).

Where there is more than a trivial possibility of so-called anonymised data being re-identified, such data may still be regarded by the Commission as personal data (see questions 65 and 66 below).

65. What are some challenges and limitations in anonymising data?

Reduced functionality or usefulness of data

When data is stripped of too many personal identifiers, the data may lose its usefulness, and an organisation may be denied the potential uses for the data which it has collected.

Accordingly, before anonymising data, an organisation should consider whether the anonymised data would still be suitable for its intended purposes.

Risk of re-identification

It should be noted that the application of anonymisation techniques (such as those described in question 64 above) may not render a data set fully anonymised, or anonymised in perpetuity.

There remains a risk that anonymised data can be used to re-identify particular individuals, when it is combined with other information that the organisation has or is likely to have access to.

Generally, re-identification involves identifying an individual beyond doubt.

Where data is capable of re-identification, it will generally be considered as personal data, and will be subject to the Data Protection Provisions.

By way of illustration, while a resultant data set derived from the application of anonymisation techniques may itself be anonymised for the time being, if such resultant data set can still be combined with other information that an organisation has or is likely to have access to, to identify particular individuals, the combination of this resultant data set and the other information will, when taken together, still constitute personal data. In such a case, given that the organisation retains the ability to re-identify individuals from the de-identified data, the organisation will be considered to be holding personal data.

Likewise, where an anonymised resultant data set is disclosed to another organisation, and that other organisation is able to combine the data set it has received with other information that it has, or is likely to have access to, to identify/re-identify particular individuals, the anonymised data set and the other information will, when taken together, still constitute personal data.

66. Under what circumstances might data be considered to have been re-identified?

While various factors, such as educated guessing, cross-relating information in anonymised data sets, public knowledge or information about groups of people, may increase the possibility of re-identification, it does not necessarily follow that the Commission will always consider the data concerned as personal data.

Importantly, if there remains only a trivial risk of re-identification, the data concerned will not be considered as personal data.

Educated guessing

The fact that a person making an educated guess, by matching public or established information with anonymised data, can narrow down the possible identities of particular individuals and potentially make a successful guess may not in itself mean that the data is personal data.

For instance, an organisation publishes a list of masked NRIC numbers of the winners of a lucky draw which reveal only the first 3 digits of the NRIC numbers. Since the first two digits typically reveal one’s birth year, it could be ascertained that one of the winners was 22 years of age. On the same day, it is reported in the newspapers that the two youngest participants in the lucky draw were both 22 years of age. By matching this information, a person may therefore make an educated guess that one of these two participants was the lucky draw winner. However, to the extent that it is unclear which of these two participants might have been the lucky draw winner, there is no re-identification.

Cross-relating information in anonymised data sets

A person may be able to identify an individual by cross-relating information from two separate anonymised data sets which contain similar information. However, if such individual ultimately remains an unknown individual, there would be no re-identification and the data will not be regarded as personal data.

For instance, Data Set A refers to an individual #10147, who has the following characteristics: male, blood type A, age 45, weight 88.8kg, height 1.89m. Data Set B refers to an individual #58965, who has the following characteristics: male, blood type A, weight 88.8kg, height 189cm, suffering from hypertension. In such a case, while a person having access to both data sets may be able to cross-relate the information in these two data sets and establish that the two data sets relate to the same individual, such person is unable to identify who that individual actually is. Accordingly, there is no re-identification and the data will not be regarded as personal data.

Public knowledge

In ascertaining the re-identification risks of an anonymised data set, it will be important to take into account the use of public knowledge (such as established facts) or information that is readily available to the public (such as information in telephone directories or society membership listings).

If an individual can be easily re-identified when public knowledge/information is combined with anonymised data, this will present significant re-identification risks.

Personal knowledge

Having personal knowledge would not generally amount to a high re-identification risk for an anonymised data set.

The Specific Topics Guidelines state that, just because an individual himself or someone close to him is able to identify him from an anonymised data set, this does not necessarily mean that that anonymised data set is personal data.

Information about groups of people

Information about groups of people may not constitute personal data if it does not identify any particular individual within the group. However, such information may reveal the personal data of an individual when combined with other information, and thereby present re-identification risks.

For example, an anonymised data set relating to a group of individuals living within a postal code reveals that they are all HIV-positive. While no individual was identified, the information reveals the personal data of one of the individuals known to be living there. Hence, if it becomes known that a person (person A) lives in that postal code, then it would also be known that person A is HIV-positive. In such a case, the anonymised data set relating to this group of individuals will be considered as personal data, when its combination with other information or knowledge can reveal personal data of an individual.
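As an added example (not from the FAQ or the Commission's guidelines), a Python risk check that reproduces the cross-relating scenario above on the #10147 and #58965 records, including the unit difference between 1.89m and 189cm, and flags the "groups of people" attribute disclosure; the extra records, field names and postal codes are constructed:

```python
"""Added example, not part of the FAQ or the Commission's guidelines: a
re-identification risk check over the two constructed data sets from question 66
(records #10147 and #58965) and its 'information about groups of people'
scenario. Field names, the extra records and the postal codes are invented."""
from collections import defaultdict
from typing import Dict, List

Record = Dict[str, object]

# Data Set A and Data Set B as described in question 66, plus one invented
# non-matching record in each so the linkage has something to reject.
DATA_SET_A: List[Record] = [
    {"ref": "#10147", "sex": "male", "blood_type": "A", "age": 45, "weight_kg": 88.8, "height": "1.89m"},
    {"ref": "#10233", "sex": "female", "blood_type": "O", "age": 30, "weight_kg": 55.0, "height": "1.62m"},
]
DATA_SET_B: List[Record] = [
    {"ref": "#58965", "sex": "male", "blood_type": "A", "weight_kg": 88.8, "height": "189cm", "condition": "hypertension"},
    {"ref": "#58970", "sex": "male", "blood_type": "A", "weight_kg": 88.8, "height": "175cm", "condition": "asthma"},
]

# Constructed 'groups of people' scenario: every record in postal code 120001
# shares one diagnosis, so knowing that someone lives there reveals it.
GROUP_DATA: List[Record] = [
    {"postal_code": "120001", "diagnosis": "HIV-positive"},
    {"postal_code": "120001", "diagnosis": "HIV-positive"},
    {"postal_code": "120001", "diagnosis": "HIV-positive"},
    {"postal_code": "120002", "diagnosis": "HIV-positive"},
    {"postal_code": "120002", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = {"name", "nric", "email", "phone"}
QUASI_IDENTIFIERS = ("sex", "blood_type", "weight_kg", "height_cm")


def height_to_cm(value: object) -> float:
    """Normalise the page's mixed units: '1.89m' and '189cm' are the same height."""
    text = str(value).strip().lower()
    if text.endswith("cm"):
        return round(float(text[:-2]), 1)
    if text.endswith("m"):
        return round(float(text[:-1]) * 100, 1)
    raise ValueError(f"unrecognised height: {value!r}")


def normalise(record: Record) -> Record:
    out = dict(record)
    if "height" in out:
        out["height_cm"] = height_to_cm(out.pop("height"))
    return out


def link_records(set_a: List[Record], set_b: List[Record]) -> List[Record]:
    """Cross-relate two anonymised data sets on the quasi-identifiers both carry.
    Returns the merged record for each pair that agrees on every shared key."""
    links: List[Record] = []
    for a in map(normalise, set_a):
        for b in map(normalise, set_b):
            shared = [k for k in QUASI_IDENTIFIERS if k in a and k in b]
            if shared and all(a[k] == b[k] for k in shared):
                merged = {**a, **b, "ref_a": a["ref"], "ref_b": b["ref"]}
                merged.pop("ref")
                links.append(merged)
    return links


def is_reidentified(record: Record) -> bool:
    """Question 66's test: linkage alone is not re-identification; the person must
    become known, which here means a direct identifier is present."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def homogeneous_groups(records: List[Record], group_key: str, sensitive_key: str) -> Dict[str, str]:
    """Flag groups whose members all share one sensitive value: the data set names
    nobody, yet it reveals that value for anyone known to belong to the group."""
    values: Dict[str, set] = defaultdict(set)
    for r in records:
        values[str(r[group_key])].add(str(r[sensitive_key]))
    return {g: next(iter(v)) for g, v in values.items() if len(v) == 1}


def assess(set_a: List[Record], set_b: List[Record], group_data: List[Record]) -> Dict[str, object]:
    """Summarise the checks in the terms questions 66 and 67 use."""
    links = link_records(set_a, set_b)
    return {
        "linked_pairs": [(l["ref_a"], l["ref_b"]) for l in links],
        "reidentified": any(is_reidentified(l) for l in links),
        "attribute_disclosure": homogeneous_groups(group_data, "postal_code", "diagnosis"),
    }


if __name__ == "__main__":
    print(assess(DATA_SET_A, DATA_SET_B, GROUP_DATA))
```

The linked record carries both the age from Data Set A and the diagnosis from Data Set B while still naming nobody, which is exactly the complementary-information risk the factors in question 67 ask organisations to weigh.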

67. How can organisations assess the risk of re-identification?

As a guide, the Commission has suggested that some factors which organisations should consider in assessing whether anonymised or de-identified data may be subsequently used to re-identify individuals include:

(a) the type of data de-identified;
(b) the amount of alteration the data has been subject to in the course of anonymisation;
(c) the degree and standard of the anonymisation process;
(d) whether the data is disclosed to a specific recipient whose motivations, re-identification capabilities, and other information in possession of that recipient are known or can be reasonably inferred;
(e) the ease of access to, and volume of, other information (such as complementary information) available or likely to be available;
(f) the organisation’s capability to re-identify individuals (e.g. computing power and availability of data-linking techniques, having access to complementary information or having specialised skills or technologies that enable re-identification);
(g) the motivations for re-identification (in this regard, the Commission has suggested that it may be useful for organisations to apply a ‘motivated intruder test’); and
(h) other risks that subject the data to re-identification risks, including ‘residual’ risks that are not directly related to a recipient’s motivation and capability to re-identify (e.g. risks of the data being compromised or mistakenly disclosed to unintended recipients such as people with better ability of re-identification).

Motivated intruder test

The motivated intruder test considers whether individuals can be re-identified from anonymised data by someone who is motivated, reasonably competent, has access to standard resources such as the Internet and published information such as public directories or national archives, and employs standard investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject.

The motivated intruder test assumes that no particular individual has been targeted for identification and that the intruder does not resort to criminality or any specialist equipment or skills.

68. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification?

At this stage, organisations are expected to perform reasonable assessments of re-identification risks if they are intending to disclose any anonymised data sets. Such risk assessments must be commensurate with the nature of the data being anonymised and other relevant factors (see question 67 above).

The Commission does not, however, expect organisations to anticipate what is yet unknown in such risk assessments. Accordingly, should an organisation breach the PDPA as a result of re-identification, the Commission may be prepared to take into consideration an organisation’s efforts to reduce re-identification risks as a mitigating factor in assessing its liability for such breach.

69. What is the correlation between the motivation for re-identification and the risk of re-identification?

In the scenario where two organisations have similar motivations for re-identification of certain data, the organisation (Organisation A) that possesses complementary information, specialised skills or technologies would more likely be capable of re-identifying individuals from that data (and thereby have a higher risk of re-identifying the data) than the other organisation (Organisation B) that does not have access to this information, these skills or technologies. In such a case, there is a higher risk of re-identification by Organisation A.

However, it may not necessarily follow that the risk of re-identification will be higher where an organisation has the requisite skills and information for re-identification.

In a different scenario, Organisation A may have little motivation to re-identify an individual owing to disincentives, such as regulatory or other legal (e.g. contractual) obligations or consequences for re-identifying individuals from the data, which will serve to negate any incentive or benefit that Organisation A may derive when it re-identifies an individual. Here, although Organisation A may possess complementary information, specialised skills or technologies which may make it more capable of re-identifying individuals, this may not necessarily mean that the risk of re-identification by Organisation A will be higher than that by Organisation B, which may be highly motivated to carry out re-identification.

70. How can organisations lower the risk of re-identification?

Broadly speaking, the impracticality of re-identification can act as a deterrent to any motivation for re-identifying anonymised data, and may consequently lower the risk of re-identification.

The risks of re-identification of data may be lowered in various ways, including:

(a) by employing robust anonymisation techniques;
(b) by limiting the number of people to whom the anonymised data is disclosed;
(c) by imposing additional enforceable restrictions on the use and subsequent disclosure of the anonymised data;
(d) by implementing processes to govern proper use of the anonymised data in line with the restrictions (e.g. access restrictions); and
(e) by implementing processes and measures for the destruction of anonymised data as soon as they no longer serve any business or legal purpose.

SCOPE OF THE DNC PROVISIONS

71. To whom are the DNC Provisions

applicable?

The Do Not Call provisions, which are set out

in Part IX of the PDPA apply to all persons. This

includes individuals, companies, associations

and any incorporated or unincorporated

bodies of persons.

Generally, the DNC Provisions apply to a

person sending a “specified message” if that

person is a “sender” (see questions 72 and 73

below), and:

(a) sends the specified message when they

are in Singapore at the time the message

is sent; or

(b) sends the specified message to a recipient

who is in Singapore at the time the

message is accessed.

If the sender(s) and recipient are both not in

Singapore at the time the message is sent and

accessed respectively, the DNC Provisions will

not apply.

For instance, in the scenario where an

individual is subscribed to a Singapore

telecoms service provider and, when he travels

to London, receives a specified message from

a London telecoms operator, the DNC

Provisions will not apply.

In the scenario where the same individual

travels to London and receives a specified

message from his bank which is in Singapore,

the DNC Provisions will apply to the sending of

such specified message by the bank.

FAQs to the Advisory Guidelines to the PDPA

41 www.drewnapier.com

In the scenario where the same individual, while in Singapore, receives through an overseas number a specified message from his bank, which is in Singapore but has outsourced its marketing operations to an overseas call centre and authorised that call centre to send the specified message, the DNC Provisions will apply to the sending of the specified message by the bank using the overseas number.

72. The DNC Provisions apply to “specified

messages”. What are “specified

messages”?

Generally, specified messages are messages

which have one or more of the following

purposes:

(a) to advertise, promote or offer to supply or

provide: (i) goods or services, (ii) an

interest in land; or (iii) a business or

investment opportunity;

(b) to advertise or promote a

supplier/provider or prospective

supplier/provider of: (i) goods or services,

(ii) an interest in land; or (iii) a business or

investment opportunity; or

(c) any other purposes as may be prescribed

under the PDPA (at a later stage) which are

related to obtaining or providing

information.

Importantly, a message can constitute a

specified message even if:

(a) the above-mentioned goods, services,

land, interest in land and/or business or

investment opportunity do not exist; or

(b) it may be unlawful to acquire such goods,

services, land or interest or take up the

opportunity referred to in the message.

To determine whether the message is being

sent for any of the above purposes, a person

should take into consideration the content and

presentation of the message. This includes the

telephone number from which the message

was sent, as well as any content that may be

obtained through the message, such as any

numbers, URLs or contact information which

are set out in the message.

Exclusions

It should be noted, however, that certain

categories of messages are expressly excluded

from the definition of “specified messages”.

These exceptions are set out in the Eighth

Schedule of the PDPA, and include:

(a) messages sent by a public agency (e.g.

Government ministries, tribunals

appointed under written law and certain

statutory bodies) under, or to promote,

any programme carried out by any public

agency which is not for a commercial

purpose;

(b) messages sent by an individual acting in a

personal or domestic capacity;

(c) messages which are necessary to respond

to an emergency that threatens the life,

health or safety of any individual;

(d) messages which have, as their sole

purpose:

i. the facilitation, completion or

confirmation of a transaction that the

recipient has previously agreed to enter

into with the sender;

ii. the provision of warranty information,

product recall information or security

information with respect to a product

or service purchased or used by the

recipient of the message;

iii. the delivery of goods or services,

including any product updates or

upgrades, that the recipient of the

message is entitled to receive under the

terms of a transaction that the recipient

has previously agreed to enter into with

the sender;


iv. the notification of any change in the

terms/feature of, or standing/status of

the recipient of the message with

respect to, a subscription, membership,

account, loan or comparable ongoing

commercial relationship involving the

ongoing purchase or use by the

recipient of the goods or services

offered by the sender;

v. the provision, at regular periodic

intervals, of account balance

information or other types of account

statements with respect to a

subscription, membership, account,

loan or comparable ongoing

commercial relationship involving the

ongoing purchase or use by the

recipient of the goods or services

offered by the sender; or

vi. the conduct of market research or

market survey; and

(e) messages sent to an organisation (as

opposed to an individual in a personal or

domestic capacity) for any purpose of the

receiving organisation (e.g. business to

business (B2B) marketing messages).

It may also be noted that, based on guidance

provided by the Commission in its Selected

Topics Guidelines, a message that is sent solely

to promote an employment opportunity would

not be regarded as a specified message.

B2B marketing messages

B2B marketing messages generally include the marketing of goods and services by one company to another company.

For instance, organisation A may call an

employee of organisation B using the business

contact details of such employee which it

obtained from B’s website. Such message

would generally fall within exception (e) above,

and would not constitute a specified message

for the purposes of the DNC Provisions.

However, if organisation A, while speaking

with the employee of organisation B, asks such

employee whether he/she may be interested in

purchasing another product for his/her

personal use, such a message would constitute

a specified message for the purposes of the

DNC Provisions.

73. The DNC Provisions apply to “senders”.

Who are “senders”?

A sender refers to any person who:

(a) actually sends or makes a voice call

containing a message;

(b) causes a message to be sent or a voice call

containing a message to be made; or

(c) authorises the sending of a message, or

making of a voice call containing a

message.

74. When might a person be responsible

under the DNC Provisions for a

specified message that he is not actively

involved in sending?

Deeming provisions under the PDPA

A person (i.e. person A) might be deemed to

be responsible for a specified message that he

is not actively involved in sending where he

has authorised another person (i.e. person B)

to promote his goods, services, land, interest

in land and/or business or investment

opportunity (i.e. send a specified message).

However, if person A takes reasonable steps to

prevent person B from sending any specified

message for the purpose of promoting person

A’s goods, services, land, interest in land

and/or business or investment opportunity,

person A may not be deemed under the PDPA

to have authorised person B to send the

specified message for those purposes.

The question of whether reasonable steps

have been taken by person A will depend on

the specific facts. For instance, in a contract

between person A and person B, if it is

expressly stated that person B “shall not send


any message, whether in sound, text, visual or

other form, to a Singapore telephone number to

promote A’s services unless expressly permitted

in writing by A”, this could be regarded as a

reasonable step taken by person A to prevent

person B from sending a specified message.

Express exclusions under the PDPA

The PDPA provides certain express exclusions,

where a person who is not actively involved in

sending a specified message will, by default,

not be presumed to have sent such message.

Under the PDPA, the following persons are

presumed not to have sent or authorised a

sending of a message, unless otherwise

proved:

(a) telecoms service providers who merely

provide a service that enables the sending

of a specified message; and

(b) owners or authorised users of a telecoms

device, service or network that was used to

send a specified message, if that device,

service or network was controlled by a

person without the knowledge of the

owner or authorised users at the relevant

time.

Defence for employees

On a related note, an employee who sends a

specified message in contravention of the DNC

Provisions may have a defence under the

PDPA, if such employee can prove that he

acted or engaged in conduct in good faith in

the course of his employment, or in

accordance with instructions given to him by

or on behalf of his employer in the course of

his employment.

75. Do the DNC Provisions only apply to

specified messages sent to a Singapore

telephone number?

Currently, yes. The Minister may, however,

prescribe other telephone numbers to be

subject to the DNC Provisions.

It should be noted that messages sent to a “Singapore telephone number” include voice calls, SMS and messages sent through any data application (such as WhatsApp, Viber or iMessage) which uses a Singapore telephone number.

OBLIGATIONS AND DUTIES UNDER THE

DNC PROVISIONS

76. What does a person need to do before

sending a specified message?

Generally, a person that intends to send a specified message to a Singapore telephone number should check the relevant DNC Register before sending the message (see question 77 below), and confirm that the Singapore telephone number is not listed on the DNC Register before sending it.

However, it will not be necessary to check the DNC Register if valid, clear and unambiguous consent of the user or subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number (see question 81 for more details).

The above requirements will take effect from 2

January 2014.

77. Is it necessary to check the DNC

Register every time a specified message

is proposed to be sent?

No. Generally, after a person has checked

whether a number is registered on a DNC

Register, these results will be valid for a certain

period (validity period), as follows:

(a) for results received between 2 January

2014 and 31 May 2014 – these results will

be valid for 60 days;

(b) for results received between 1 June 2014

and 1 July 2014 – these results will be valid

until 31 July 2014; and


(c) for results received from 2 July 2014 –

these results will be valid for 30 days.

Hence, if a person wishes to send a specified

message to the same telephone number (that

it has confirmed is not registered on the DNC

Register) during the validity period, it will not

be necessary to re-check if the telephone

number is registered on the DNC Register,

until the expiry of the validity period.

Further, as mentioned above, it is generally not necessary to check the DNC Register if clear and unambiguous consent of the user or subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number.

78. What happens when a person who had

previously given consent to receive

specified messages, subsequently

withdraws such consent?

From 2 January 2014 onwards, the withdrawal

of consent must be effected within the

following time periods:

(a) for withdrawal of consent between 2

January 2014 to 1 July 2014, it must be

effected within 60 days; and

(b) for withdrawal of consent from 2 July 2014

onwards, it must be effected within 30

days.

Therefore, even if a specified message is sent

to a user or subscriber of a telephone number

a few days after such user/subscriber has

withdrawn his/her consent to receive specified

messages, this may not amount to a

contravention of the DNC Provisions.

79. A person has previously given consent

to receive specified messages, but

subsequently registers his/her

telephone number on a DNC Register. Is

the consent still valid? Can specified

messages be sent to such person?

Yes. It is possible to send specified messages to a telephone number, without first checking the relevant DNC Register, where the user or subscriber of that telephone number has previously given clear and unambiguous consent to receive specified messages and that consent can continue to be relied upon.

Therefore, if a user/subscriber of a telephone number no longer wishes to receive specified messages from a particular person to whom such user/subscriber had previously given his/her consent, it would not be sufficient to register that telephone number on the relevant DNC Register; the consent itself would need to be withdrawn (see question 80 below).

80. Who can withdraw consent in respect of

a telephone number?

Either a user or subscriber of a telephone

number may withdraw consent to receive

specified messages using that telephone

number.

In cases where the user of the telephone

number is not the subscriber of the telephone

number, the subscriber may withdraw consent

which had been given by the user of the

telephone number.

81. What would constitute valid consent for

the purposes of the DNC Provisions?

Requirements regarding consent

In order for consent to be regarded as valid, it

must satisfy the following conditions:

(a) if the consent was sought as a condition

for supplying goods, services, land, interest

in land and/or business or investment

opportunity, the consent sought must not

have been more than what is reasonable

to provide such goods, services, land,

interest in land and/or business or

investment opportunity to that

subscriber/user;

(b) it must not have been obtained by

providing false or misleading information


or by using deceptive or misleading

practices; and

(c) it must be clear and unambiguous (see

below).

Consent from a user/subscriber will no longer

be regarded as valid if the user/subscriber was

prohibited from withdrawing his/her consent.

Clear and unambiguous consent

The Key Concepts Guidelines provides that the

following facts will need to be considered to

determine if the consent is, in fact, clear and

unambiguous:

(a) whether the person had notified the user

or subscriber clearly and specifically that

specified messages would be sent to his or

her Singapore telephone number; and

(b) whether the user or subscriber gave

consent to receive specified messages

through some form of positive action.

The failure to opt out through inaction on

the part of the user or subscriber would

not usually be enough to amount to

taking positive action (see question 19

above).

The Commission recommends that “clear and

unambiguous” consent would generally

require that the consent be evidenced:

(a) in writing – such as using a physical or

electronic form; or

(b) in a form that is accessible for future

reference – for instance, by capturing the

consent given in an audio or video

recording. The consent must be captured

in a manner or form that can be retrieved

and reproduced at a later time in order to

confirm that such consent was obtained.

82. If consent has been obtained from a

person before the DNC Provisions come

into effect (2 January 2014), is such

consent still valid?

Yes, such consent would be valid and would

exempt a person from having to check the

DNC Register prior to sending a specified

message, provided that:

(a) the consent has not been withdrawn; and

(b) the consent is valid and is clear and

unambiguous (see question 81 above).
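The timing and consent rules in questions 76 to 82 are the kind of logic a marketing system has to encode before it dispatches a message to a Singapore telephone number. The Python below is an added illustration and is not part of this guide, the PDPA or the Commission's guidance: it models a cached DNC Register result with the validity periods from question 77, the withdrawal window from question 78, and the consent conditions from questions 79, 81 and 82, and returns a send/do-not-send decision together with the reason. The record shapes, the function names, the constructed sample records, and the reading of "valid for 60 days" as "usable up to and including the check date plus 60 days" are assumptions made for the example; it follows the guide in treating a message sent within the question 78 window as not a contravention, although a cautious operator may simply stop sending at the moment of withdrawal. Whether a particular message is lawful remains a question of the specific facts.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Date on which the DNC Provisions take effect (questions 76 and 82).
DNC_START = date(2014, 1, 2)


def dnc_check_expiry(checked_on: date) -> date:
    """Last day on which a DNC Register result obtained on `checked_on` may be relied on.

    Validity periods as listed in question 77. Reading "valid for N days" as
    "usable up to and including checked_on + N days" is an assumption.
    """
    if checked_on < DNC_START:
        raise ValueError("DNC Register results only exist from 2 January 2014")
    if checked_on <= date(2014, 5, 31):      # (a) 2 Jan 2014 to 31 May 2014: 60 days
        return checked_on + timedelta(days=60)
    if checked_on <= date(2014, 7, 1):       # (b) 1 Jun 2014 to 1 Jul 2014: until 31 Jul 2014
        return date(2014, 7, 31)
    return checked_on + timedelta(days=30)   # (c) from 2 Jul 2014: 30 days


def withdrawal_deadline(withdrawn_on: date) -> date:
    """Date by which a withdrawal of consent must be given effect (question 78)."""
    if withdrawn_on < DNC_START:
        raise ValueError("question 78 applies to withdrawals from 2 January 2014")
    if withdrawn_on <= date(2014, 7, 1):     # (a) 2 Jan 2014 to 1 Jul 2014: 60 days
        return withdrawn_on + timedelta(days=60)
    return withdrawn_on + timedelta(days=30) # (b) from 2 Jul 2014: 30 days


@dataclass
class ConsentRecord:
    """Consent as question 81 describes it: given by positive action and
    evidenced in a form that can be retrieved later. Record shape is hypothetical."""
    given_on: date
    by_positive_action: bool      # failure to opt out does not count as positive action
    evidence_ref: str             # e.g. form or call-recording reference; "" = no evidence
    withdrawn_on: Optional[date] = None

    def is_clear_and_unambiguous(self) -> bool:
        return self.by_positive_action and bool(self.evidence_ref)


@dataclass
class DncCheck:
    """A cached lookup against the DNC Register. Record shape is hypothetical."""
    checked_on: date
    listed: bool                  # True if the number was found on the Register


def may_send(send_on: date,
             consent: Optional[ConsentRecord],
             last_check: Optional[DncCheck]) -> Tuple[bool, str]:
    """Decide whether a specified message may be sent to a Singapore telephone
    number on `send_on`, and say why.

    Valid consent removes the need to check the Register even if the number is
    on it (questions 76 and 79); consent given before 2 January 2014 still counts
    (question 82). After a withdrawal the sender has the question 78 window to
    give effect to it; after that only a current Register result will do.
    """
    if send_on < DNC_START:
        return True, "DNC Provisions not yet in force on the send date"

    if (consent is not None and consent.is_clear_and_unambiguous()
            and consent.given_on <= send_on):
        if consent.withdrawn_on is None or send_on < consent.withdrawn_on:
            return True, "clear and unambiguous consent on record; no Register check needed"
        if send_on <= withdrawal_deadline(consent.withdrawn_on):
            return True, "consent withdrawn but within the period allowed to give effect to it"
        # Withdrawal has taken effect: fall through to the Register check.

    if last_check is None:
        return False, "no usable consent; check the DNC Register before sending"
    if send_on > dnc_check_expiry(last_check.checked_on):
        return False, "cached Register result has expired; re-check required"
    if last_check.listed:
        return False, "number is on the DNC Register"
    return True, "number confirmed not on the Register within the validity period"


if __name__ == "__main__":
    # Constructed sample records, not real subscribers or lookups.
    consent = ConsentRecord(date(2013, 11, 1), True, "web-form-8841",
                            withdrawn_on=date(2014, 3, 1))
    check = DncCheck(checked_on=date(2014, 2, 1), listed=False)
    for when in (date(2014, 2, 20), date(2014, 3, 5), date(2014, 5, 15)):
        print(when.isoformat(), may_send(when, consent, check))
```

Run stand-alone, the three sample dates show the three branches in order: consent still in force, consent withdrawn but within the window to give effect to it, and finally a fall-through to a Register result that has itself expired and must be refreshed. The reason string is worth persisting alongside each send, since question 81 makes retrievable evidence of consent the thing a sender will have to produce later.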