Your Guide to the
Personal Data Protection Act 2012
A Supplement: FAQs on the Advisory Guidelines for
Key Concepts and Selected Topics
All enquiries should be addressed to:
Lim Chong Kin
Director & Head, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01 Ocean Financial Centre
Singapore 049315
Tel: +65 6531 4110
Fax: +65 6535 4864
Email: [email protected]
COPYRIGHT
© 2013 Drew & Napier LLC
First Published 2013
All rights reserved. No part of this publication may be reproduced, stored in any retrieval
system, or transmitted, in any form or by any means, whether electronic or mechanical,
including photocopying and recording, without the permission of the copyright holder.
IMPORTANT DISCLAIMER: We have sought to state the law as at 6 November 2013. Drew &
Napier LLC accepts no liability for, and does not guarantee the accuracy of, information or
opinion contained in this document. This document covers a wide range of topics and is not
intended to be a comprehensive study of the subjects covered, nor is it intended to provide
legal advice. It should not be treated as a substitute for specific advice on specific situations.
Published by
10 Collyer Quay #10-01
Ocean Financial Centre
Singapore 049315
Printed in Singapore
Editors:
LIM Chong Kin, Director, Head (Telecoms, Media and Technology Law Practice Group) and Co-Head (Competition Law & Regulatory Practice Group); LL.B. (Hons); LL.M. (NUS); Advocate and Solicitor (Singapore); Admitted to the Roll of Solicitors (England & Wales)
Charmian AW, Associate Director; LL.B. (Hons) (NUS); Advocate and Solicitor (Singapore)
About Drew & Napier LLC
Drew & Napier has provided exceptional legal advice and representation to discerning clients
since 1889. We are one of the largest law firms in Singapore.
The calibre of our work is acknowledged internationally at the highest levels of government
and industry, and marks us as Singapore’s world class law firm.
We are trusted by our clients to solve their most challenging problems, advance their interests,
and show them the way forward. Our lawyers and senior counsel are the preferred choice
when the stakes are high and the issues complex.
Our clients consistently vote our lawyers to the highest ranks of their practice areas. Chambers
& Partners recently named us National Law Firm of the Year.
We stay at the forefront of the industry by cultivating talent and maintaining the family
atmosphere that is distinctly Drew. In the Thomson Reuters’ Asian Legal Business survey, our
colleagues voted Drew the top Employer of Choice.
For more information on Drew & Napier LLC, please visit www.drewnapier.com.
Drew & Napier’s expertise in Data Protection Law – How We Can Help You
We regularly advise and assist MNC clients on data protection concerns in respect of their
Singapore operations. Our MNC clients include telco operators and Internet companies
(ranging from the world’s leading social networking site to mobile device manufacturers to
software developers (SAP and Microsoft)). Our work for clients includes:
• Adapting global policies for data privacy and consumer protection for clients’
Singapore operations and offices.
• Wide-ranging advice on the existing Singapore data protection regime.
• Advising on ad-hoc queries relating to potential or actual privacy breaches and the
necessary disclosure requirements and remedial actions in Singapore.
• Advising on data protection concerns relating to the introduction of novel
telecommunication services in the Singapore market.
We are also regularly engaged by MNCs as well as local clients across industries (including
airlines, manufacturing, entertainment, and fast-moving consumer goods), telcos and Internet
companies to conduct regulatory risk audits of their business operations to highlight potential
areas of non-compliance and to assist in the rectification of any problematic agreements and
conduct. In the past six years, we have gained considerable first-hand expertise in compliance
audits, in particular, to ensure compliance with newly-introduced legal and regulatory
obligations, for instance, competition law in Singapore. Our team of lawyers is also
experienced in conducting compliance audits of business practices, existing legal
agreements, and informal business arrangements. The team recently assisted our MNC clients
with regulatory audits across several jurisdictions, including Singapore, Malaysia, Indonesia,
Thailand, India and the Philippines (in respect of intellectual property, competition and anti-
corruption laws).
In developing compliance programmes for our clients, we further value-add by creating
manageable, staff-level compliance manuals and training programmes to ensure that our
clients are in a position to operationalise their compliance procedures on a day-to-day basis,
and will only need to rely on external counsel under exceptional instances.
About the Telecommunications, Media and Technology (TMT) Practice Group
Drew & Napier’s Telecommunications, Media & Technology (TMT) Practice Group is consistently
ranked as the leading IT, telecoms, broadcasting and multimedia legal practice in Singapore.
The firm possesses unparalleled transactional, licensing and regulatory experience in the TMT
and postal sectors in Singapore. The strength of our team, headed by Director Lim Chong Kin,
lies in a carefully-selected mix of more than 10 lawyers and paralegals familiar with infocomms
law, data protection, and sector-specific and general competition law. The team is supported
by in-house competition and regulatory economists led by Ng Ee Kia, who was previously
Director of Economics at the Competition Commission of Singapore (CCS).
A trailblazer in the telecommunications and media competition law scene, the TMT Practice
Group has constantly worked on every significant development in the Singapore TMT market. In
1999, Chong Kin was the lead Singapore counsel appointed by the Info-communications
Development Authority (IDA) to draft the Telecom Competition Code (TCC), the first industry-
wide competition legislation in Singapore and precursor to the country’s general competition
regime. In 2004 and again in 2009-12, Chong Kin was reappointed to revise the TCC as part of
its first and second triennial review exercises. In the media scene, Chong Kin was appointed as
lead Singapore counsel by the Media Development Authority (MDA) in drafting the Media
Market Conduct Code in 2003. Today, the team continues to advise the MDA on enforcement,
licensing, regulatory and market access issues, in particular the implementation of novel
regulatory measures relating to cross-carriage of content by pay-TV operators. Chong Kin also
led the drafting of the Postal Competition Code in 2007 to facilitate liberalisation of the postal
industry in Singapore.
In addition to conceptualising and drafting of regulatory frameworks, the TMT Practice Group
routinely assists regulators to enforce and implement their directions, regulations and decisions
against licensees, mandating market access and addressing unfair competition issues. More
recently, Chong Kin and his team advised IDA on the enforcement and implementation of
licensees’ obligations, for example in respect of licensees’ ability to roll-out fibre-to-the-home
networks. The Practice Group has also advised IDA on all competition and regulatory issues in
three groundbreaking infrastructure development initiatives – the establishment of the Next
Generation Nationwide Broadband Network (NGNBN), Singapore Internet Exchange, and the
National Authentication Framework. In numerous instances, the Practice Group has also been
involved in defending regulators against ministerial appeals filed by licensees. Recently, Chong
Kin and his team successfully defended MDA in respect of its decision to impose a mandatory
pay-TV cross-carriage requirement on its licensees. Chong Kin and his team have also advised
Singapore regulators on their international obligations and interactions with regulators of other
countries.
Today, the TMT Practice Group acts for a broad range of clients – from established fast-moving
consumer goods MNCs to technology start-ups, to sectoral regulators (both local and foreign):
• We regularly act for technology leaders and start-ups in information technology, data
privacy and protection and commercial matters (including Research-in-
Motion/Blackberry);
• We are routinely consulted on commercial, licensing and regulatory matters by global
clients, including regional telecommunication service providers (including AT&T, Pacnet,
Sprint and Globe) and international broadcasters (including Discovery, ESPN, MGM and
Sony); and
• We are often called upon to provide high-level advisory and consultancy services to
various regulators, including IDA, MDA, CCS and most recently, the telecoms regulator of
Sri Lanka.
In 2012, for the 14th consecutive year, Drew & Napier’s TMT Practice Group has been retained
as IDA’s external legal and regulatory advisors, a record which speaks volumes for its proven
ability to deliver effective, timely and commercially-relevant solutions to its clients.
The TMT Practice Group is also particularly experienced in a wide range of technology law
issues. Clients who trust Drew & Napier on technology matters include MNCs, public listed
companies, statutory boards and some of the most established names in Singapore. We have
advised and acted for clients in drafting, reviewing and/or negotiating various technology
contracts relating to consultancy and project management, website service agreements
(including privacy policies and data management procedures), outsourcing, software
integration, bespoke hardware and software, and hardware/software maintenance. The firm’s
broad client base allows it to offer unique insights on the TMT industry from all perspectives.
Our recent accolades bear testimony to the quality of the Practice Group:
• Chambers Asia: standalone Band 1 TMT firm in Singapore for 2013, 2012, 2011, 2010, 2009,
2008
• Asia Pacific Legal 500: Tier 1 TMT practice for 2013/2014, 2012/2013, 2011/2012,
2010/2011, 2009/2010, 2008/2009
• AsiaLaw Profiles: Highly Recommended Practice (IT, Telecoms & Media) for 2013; Tier 1
(IT, Telecoms & Media) for 2012 & 2011
• The International Who’s Who of Regulatory Communications Lawyers 2013 and The
International Who’s Who of Competition Lawyers and Economists 2013 both recognise
Chong Kin as a leading lawyer in regulatory and competition advisory work
FAQs to the Advisory Guidelines to the PDPA
www.drewnapier.com 8
CONTENTS
Introduction to the Advisory Guidelines to the Personal Data Protection Act 2012 ... 12
1. Are the Guidelines legally binding? ... 12
2. How will the PDPA affect organisations? ... 12
3. Will the PDPA prevent organisations from collecting, using and/or disclosing data relating to individuals? ... 13
4. How do the Data Protection Provisions interact with existing laws concerning personal data protection? ... 13
Important Terms used in the PDPA ... 13
5. The PDPA is only concerned with the personal data of “individuals”. Who are considered “individuals”? ... 13
6. What types of “personal data” are covered under the PDPA? ... 14
7. What types of “personal data” are not covered under the PDPA? ... 14
8. Are IP addresses considered “personal data”? ... 15
9. Are cookies considered “personal data”? ... 15
10. Is anonymised data regarded as “personal data” for the purposes of the PDPA? ... 15
11. Does the PDPA confer property or ownership rights of personal data in an individual or an organisation? ... 16
12. Which organisations are included, and which are excluded from the operation of the Data Protection Provisions? ... 16
13. The Data Protection Provisions only apply to a limited extent to a “data intermediary”. What is a “data intermediary”? ... 17
14. What constitutes “collection”, “use” and “disclosure” of personal data? ... 17
15. Some Data Protection Provisions refer to the “purpose” for which an organisation collects, uses or discloses personal data. How is such “purpose” defined? ... 18
16. How is the concept of “reasonableness” defined in the PDPA? ... 18
17. What are the main data protection obligations contained under the PDPA? ... 18
The Consent Obligation ... 18
18. What do organisations have to comply with under the Consent Obligation? ... 18
19. How can organisations obtain consent from individuals? ... 19
20. When is an individual considered not to have validly given consent? ... 19
21. When is an individual deemed to have given consent? ... 20
22. Where an individual provides his personal data as part of his job application, is this considered deemed consent? ... 20
23. How should organisations deal with a job applicant’s personal data, after a decision has been made on whether to hire such job applicant? ... 20
24. Is it necessary to obtain consent from users when an organisation employs the use of cookies? ... 20
25. Can an organisation obtain personal data from third party sources with the consent of the individual? ... 21
26. Can an organisation collect and use personal data of a job applicant from social networking sources? ... 22
27. Can an organisation collect and use information on business cards for recruitment? ... 22
28. What should organisations do to ensure that the third party sources can validly provide the personal data? ... 22
29. Can an organisation obtain personal data from third party sources without the consent of the individual? ... 22
30. Organisations can collect, use and disclose personal data without consent if it is publicly available. What is the definition of “publicly available” data? ... 23
31. What practical steps should organisations take to allow individuals to withdraw their consent? ... 24
32. How should organisations respond when they receive a notice from an individual to withdraw consent? ... 25
33. Are organisations required to accede to an individual’s request to delete CCTV footage? ... 25
34. What do organisations have to comply with under the Purpose Limitation Obligation? ... 25
35. If an organisation captures CCTV footage beyond the boundaries of their own premises, does that go beyond the Purpose Limitation Obligation? ... 26
36. Can organisations collect NRIC cards? ... 26
37. For what business purposes are organisations allowed to use NRIC numbers? ... 26
38. Can organisations publish NRIC numbers for purposes such as the results of lucky draws? ... 26
The Notification Obligation ... 26
39. What do organisations have to comply with under the Notification Obligation? ... 26
40. How should organisations notify individuals of the purpose for the collection, use and disclosure of their personal data? ... 27
41. Can organisations use a Data Protection Policy to notify individuals of the purposes for which it collects, uses and discloses personal data? ... 27
42. What level of detail is required when notifying individuals of the purposes for which their personal data is collected, used and disclosed? ... 28
43. Can organisations use and disclose personal data for a different purpose from which it was collected? ... 28
44. Is it always necessary for an organisation to notify individuals prior to collecting, using or disclosing their personal data for research and analytics activities? ... 28
45. Do organisations always need to notify individuals when CCTVs are deployed? ... 29
46. Do recruitment agencies always need to notify individuals before collecting, using or disclosing their personal data? ... 29
47. Do employers need to notify and obtain consent from employees in respect of collecting, using or disclosing their personal data for employment purposes? ... 29
The Accuracy Obligation ... 30
48. What do organisations have to comply with under the Accuracy Obligation? ... 30
49. In complying with the Accuracy Obligation, can a different level of care be adopted when the personal data is obtained directly from the individual compared to when it is obtained from third party sources? ... 31
The Protection Obligation ... 32
50. What does it mean to make “reasonable security arrangements to protect personal data”? ... 32
51. What types of security arrangements can an organisation put in place? ... 32
52. Are organisations responsible if their employees do not comply with the PDPA? ... 33
The Retention Limitation Obligation ... 33
53. How long should an organisation retain personal data? ... 33
54. What are some recommended best practices in relation to the retention of personal data? ... 33
55. How long can organisations continue to hold personal data of former employees? ... 33
56. What does it mean to “cease to retain” personal data? ... 34
The Openness Obligation ... 34
57. What is the Openness Obligation? ... 34
58. Are there any requirements as to whom an organisation may designate as its data protection officer? ... 35
59. Will the Openness Obligation require organisations to accede to an individual’s request to access CCTV footage? ... 35
60. Are there any specific requirements that organisations need to comply with, when acceding to an individual’s request to access CCTV footage? ... 35
61. Can individuals make joint access requests for CCTV footage containing their images, if they consent to their own images being viewed by the others making the joint request? ... 35
62. Can job applicants ask an organisation to reveal how much information the organisation has about them, or find out why they were not selected? ... 36
Other Important Concepts ... 36
63. What does it mean to anonymise personal data? ... 36
64. How can personal data be anonymised? ... 36
65. What are some challenges and limitations in anonymising data? ... 37
66. Under what circumstances might data be considered to have been re-identified? ... 37
67. How can organisations assess the risk of re-identification? ... 38
68. Will the Commission penalise organisations for inadequate risk assessments in relation to re-identification? ... 39
69. What is the correlation between the motivation for re-identification and the risk of re-identification? ... 39
70. How can organisations lower the risk of re-identification? ... 40
Scope of The DNC Provisions ... 40
71. To whom are the DNC Provisions applicable? ... 40
72. The DNC Provisions apply to “specified messages”. What are “specified messages”? ... 41
73. The DNC Provisions apply to “senders”. Who are “senders”? ... 42
74. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending? ... 42
75. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number? ... 43
Obligations and Duties under the DNC Provisions ... 43
76. What does a person need to do before sending a specified message? ... 43
77. Is it necessary to check the DNC Register every time a specified message is proposed to be sent? ... 43
78. What happens when a person who had previously given consent to receive specified messages, subsequently withdraws such consent? ... 44
79. A person has previously given consent to receive specified messages, but subsequently registers his/her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person? ... 44
80. Who can withdraw consent in respect of a telephone number? ... 44
81. What would constitute valid consent for the purposes of the DNC Provisions? ... 44
82. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid? ... 45
The Drew & Napier TMT Team ... 46
Lim Chong Kin, Director, Head (Telecoms, Media & Technology) ... 46
Charmian Aw, Associate Director ... 46
Advisory Guidelines to the Personal Data Protection Act 2012
This publication is meant to supplement and be read together with Drew & Napier’s
“Your Guide to the Personal Data Protection Act 2012”, as published in 2013.
INTRODUCTION TO THE ADVISORY
GUIDELINES ON THE PERSONAL DATA
PROTECTION ACT 2012
On 24 September 2013, the Personal Data
Protection Commission (Commission) issued
the following sets of Advisory Guidelines on
the Personal Data Protection Act 2012 (PDPA):
(a) Advisory Guidelines on Key Concepts in
the Personal Data Protection Act (Key
Concepts Guidelines); and
(b) Advisory Guidelines on the Personal Data
Protection Act for Selected Topics
(Selected Topics Guidelines)
(collectively, the Guidelines).
The Guidelines are meant to provide a further
understanding of the provisions of the PDPA
as they elaborate and provide interpretations
on specific requirements and obligations
under the PDPA. The Guidelines took into
consideration public feedback submitted
during the public consultation conducted by
the Commission from February to April 2013.
The following is a series of key questions and
answers to help you understand the impact of
the Guidelines on your business.
1. Are the Guidelines legally binding?
The Guidelines are advisory in nature and are
not legally binding on the Commission or any
other party. The Guidelines will not limit or
restrict the Commission’s administration and
enforcement of the PDPA, and the provisions
of the PDPA and any regulations or rules
issued thereunder will prevail over the
Guidelines in the event of any inconsistency.
2. How will the PDPA affect organisations?
The data protection provisions in Parts III to VII
of the PDPA (Data Protection Provisions) are
anticipated to come into operation on 2 July
2014.
As such, organisations can generally continue
to use personal data that was collected before
2 July 2014 for the purposes for which such
personal data was collected, without a need to
obtain fresh consent from the individual.
However, if an individual has withdrawn
his/her consent, fresh consent will need to be
obtained.
Even if it is not clear for what purposes any
personal data had been collected (before 2
July 2014), it is not strictly necessary for
such purposes to be specified or notified to
the individuals concerned on or after 2 July
2014. In such cases, however, the Commission
recommends that the organisation consider
documenting the purposes so that it will have
such information readily available if a
question arises as to whether the organisation
is complying with the Data Protection
Provisions (such as the requirement to obtain
valid consent pursuant to the PDPA prior to
collection, use and disclosure of personal
data).
Additionally, should an organisation wish to
use or disclose personal data which it has
collected prior to 2 July 2014 for new purposes
(i.e. purposes which the individual concerned
had not consented to), the organisation will
need to obtain consent from the individual
concerned for these new purposes.
Organisations will also need to assess whether
their contractual obligations need to be
amended to comply with the Data Protection
Provisions. It should be noted that compliance
with contractual obligations entered into prior
to 2 July 2014 is not an excuse for failure to
comply with the Data Protection Provisions.
The Do Not Call provisions (DNC Provisions),
which are set out in Part IX of the PDPA, are
expected to come into effect on 2 January
2014. Please refer to question 71 et seq for a
further discussion on the DNC Provisions.
3. Will the PDPA prevent organisations
from collecting, using and/or disclosing
data relating to individuals?
The PDPA will not strictly prohibit
organisations from collecting, using or
disclosing data relating to individuals.
However, where an organisation wishes to
collect, use or disclose personal data (as
defined in the PDPA, see question 6 below), it
will be required to comply with the Data
Protection Provisions (see question 2 above).
Accordingly, organisations may wish to opt to
collect or use anonymised data instead, where
individuals need not be identifiable for the
organisation’s purposes, as the Data Protection
Provisions will not apply to anonymised data
(see question 63 below on what anonymised
data means).
4. How do the Data Protection Provisions
interact with existing laws concerning
personal data protection?
The Data Protection Provisions will not affect
any existing authority, right, privilege,
immunity, obligation or limitation arising
under existing law. The PDPA also specifically
provides that the provisions of other written
law will prevail over the Data Protection
Provisions, but only to the extent that there is
an inconsistency.
As such, sector-specific legislation should not
be regarded as a blanket override of the Data
Protection Provisions.
For example, pursuant to Section 47 of the
Banking Act (Cap. 19), a bank can disclose
customer information to such persons and for
purposes that are specified in the Third
Schedule of the Banking Act, subject to the
conditions specified therein. However, the
Data Protection Provisions of the PDPA may be
inconsistent with Section 47 of the Banking
Act, as the former may not specifically allow
the bank to disclose such customer
information without prior consent of the
customer concerned. In such case, Section 47
of the Banking Act will prevail in respect of
those exceptions under the Third Schedule of
the Banking Act, but the bank must continue
to comply with the Data Protection Provisions
in respect of any purposes which, or persons
who, are not specified in the Third Schedule of
the Banking Act.
IMPORTANT TERMS USED IN THE PDPA
5. The PDPA is only concerned with the
personal data of “individuals”. Who are
considered “individuals”?
The PDPA defines an individual as “a natural
person, whether living or deceased.” The term
“natural person” refers to a human being, and
does not refer to other legal persons or
unincorporated entities (e.g. a company or a
registered society). Accordingly, the PDPA only
protects personal data of natural persons.
The term “individual” includes both living and
deceased individuals. However, the PDPA
applies to a limited extent in respect of the
personal data of deceased individuals.
6. What types of “personal data” are
covered under the PDPA?
The term “personal data” covers all types of
data from which an individual can be
identified, regardless of its veracity or whether
it is in electronic or other form.
Data about an individual
Personal data has to be data about an
individual. Some data will, on its own, relate to
an individual e.g. an individual’s name. Other
data may not, on its own, relate to an
individual. The latter type of data would not
constitute personal data unless it is made to
relate to a particular individual. For example, a
residential address by itself may not relate to
an individual because there may be several
individuals residing there. However, if the
residential address is associated with a
particular identifiable individual, it would be
considered personal data.
Generic information that does not relate to a
particular individual may also form part of an
individual’s personal data if an individual can
be identified when combined with other
information. For example, if generic information
such as “male” and “aged 21” is provided as
part of a membership form which also
identifies the individual’s full name, such
general characteristics will also constitute part
of the individual’s personal data because the
generic information would have been related
to the specific individual.
Even if the information is not directly
identifying data, it may still be considered
personal data if the organisation has access to
other information that, when taken together
with the data, will allow the individual to be
identified. For example, if a company
anonymises data collected from a customer
survey by replacing the respondents’ names
with randomly generated number tags, but the
company still holds the key that can reverse
the randomisation process, the collected data
will still be able to identify individuals with the
aid of the key and will thus be considered
personal data. (See question 63 for more
details on what it means to anonymise
personal data.)
Some examples of personal data listed in the
Key Concepts Guidelines include an
individual’s full name, NRIC number, passport
number, photograph, video image, mobile
telephone number, personal email address,
thumbprint, DNA profile and name when used
in conjunction with a residential address.
False personal data
Data which is false can also be part of an
individual’s personal data. An individual may
have appropriate reasons for using data that is
not strictly true, for example, when an
individual uses a fictitious name or nickname
as part of his personal email address.
7. What types of “personal data” are not
covered under the PDPA?
The PDPA does not apply to the following
categories of personal data:
(a) business contact information;
(b) personal data that is contained in a record
that has been in existence for at least 100
years; and
(c) personal data about a deceased individual
who has been dead for more than 10
years.
Business contact information
Business contact information refers to an
individual’s name, position name or title,
business telephone number, business address,
business electronic mail address, business fax
number and any other similar information
about the individual, not provided by the
individual solely for his/her personal purposes.
The purpose for which the individual provides
the work-related contact information is
important, because any work-related contact
information provided solely for personal
purposes (e.g. signing up for a gym
membership) would not constitute business
contact information. However, in most
circumstances, the Commission is likely to
consider personal data provided on
business/name cards as business contact
information.
Since sole proprietorships and partnerships are
also businesses, the contact information of
sole proprietors and partners is considered
business contact information where such
information has not been provided solely for
personal purposes.
8. Are IP addresses considered “personal
data”?
IP address in isolation
The Commission generally takes the view that
IP addresses or network identifiers such as an
IMEI number may not be personal data when
viewed in isolation, as in such circumstances
they serve to identify a particular networked
device rather than an individual.
IP address combined with other information
Where IP addresses are combined with other
traces of information that are collected, or left
behind, by a device (such as cookies), it may
be possible in some cases to identify an
individual from his device’s IP address.
Tracking of IP addresses
Organisations may collect data points tied to
an IP address for purposes such as to
determine the number of unique visitors to a
website in a month, or the number of unique
responses to a once-off online survey about
consumer preferences, and consequently track
activities tied to an IP address. The
Commission takes the view that such tracking
may not result in the collection of personal
data, if the organisation is unable to identify
an individual from the data collected or from
that data and other information that the
organisation has or is likely to have access to.
However, the more data points that an
organisation collects which are associated with a
unique IP address, the more likely it is that the
data collected may constitute personal data.
For example, if an organisation profiles the
websites visited by an IP address, the items
purchased by the same IP address and other
online activities associated to the IP address
for a long period of time, and is able to
ascertain that the particular IP address is
associated with a unique person with a specific
surfing profile, the organisation may be found
to have collected personal data.
9. Are cookies considered “personal data”?
Cookies1 are not personal data. However,
cookies may collect personal data.
Where cookies are employed by an
organisation to collect personal data of a user,
the PDPA will require that the organisation
obtain the user’s consent to collect, use and
disclose personal data of the user. See
question 24 below.
10. Is anonymised data regarded as
“personal data” for the purposes of the
PDPA?
Generally, anonymised data alone will not
constitute personal data.
However, if the anonymised data, together
with any other information that an
organisation has or is likely to have access to, can
be used to identify a particular individual,
these data and information taken together will
constitute personal data.
1 Cookies are text files created on a client computer
when its web browser loads a website or web
application, and which are generally used to store
information for performing certain functions such as
completing forms, facilitating website navigation,
authentication and enabling advertising technology.
11. Does the PDPA confer property or
ownership rights of personal data in an
individual or an organisation?
The PDPA does not confer any property or
ownership rights on personal data per se to
individuals or organisations and also does not
affect existing property rights in items in which
personal data may be captured or stored.
Thus, if an organisation takes a photograph of
an individual, the individual would not be
conferred ownership rights to that photograph
under the PDPA even though it would be part
of his personal data. Instead, ownership would
depend on existing laws such as property law
and copyright law. Regardless of ownership
rights, the organisation must comply with the
PDPA if it intends to collect, use or disclose the
photograph.
12. Which organisations are included, and
which are excluded from the operation
of the Data Protection Provisions?
The Data Protection Provisions apply to all
organisations, with certain exceptions.
“Organisation” is defined broadly to include
any individual, company, association or body
of persons, corporate or unincorporated,
whether or not:
(a) formed or recognised under the law of
Singapore; or
(b) resident or having an office or place of
business in Singapore.
The Data Protection Provisions do not apply
to:
(a) individuals acting in a personal or
domestic capacity;
(b) employees acting in the course of their
employment with an organisation;
(c) public agencies, or organisations acting on
behalf of a public agency in relation to the
collection, use or disclosure of personal
data; and
(d) other organisations as may be prescribed
by the Minister.
Individuals acting in a personal or domestic
capacity
An individual acts in a “personal or domestic”
capacity when undertaking activities for his
home or family; for example, by opening joint
bank accounts between two or more family
members.
Individuals acting as employees
Employees are excluded from the application
of the Data Protection Provisions. The PDPA
defines an employee to include a volunteer.
Hence, individuals who undertake work
without an expectation of payment would fall
within the exclusion for employees.
Even though employees are excluded from the
application of the PDPA, organisations remain
responsible for the actions of the employees
which result in a contravention of the Data
Protection Provisions.
Public agencies and organisations acting on
behalf of public agencies
Section 2 of the PDPA defines a public agency
to include:
(a) the Government, including any ministry,
department, agency, or organ of State;
(b) any tribunal appointed under any written
law; or
(c) any statutory body specified by the
Minister by notice in the Gazette.
To date, the Minister has gazetted 66 statutory
bodies as public agencies pursuant to the
Personal Data Protection (Statutory Bodies)
Notification 2013.
While organisations acting on behalf of a
public agency in relation to the collection, use
or disclosure of personal data are excluded
from the application of the Data Protection
Provisions when they are so acting, they still
have to comply with the Data Protection
Provisions in relation to other aspects of their
business not related to the public agency, for
example, in relation to their employees’
personal data or personal data of other
customers.
13. The Data Protection Provisions only
apply to a limited extent to a “data
intermediary”. What is a “data
intermediary”?
Where data intermediaries process personal
data on behalf of another organisation (the
principal organisation) pursuant to a written
contract, they will only be subject to the Data
Protection Provisions relating to protection
and retention of personal data.
The PDPA defines “processing” as “the carrying
out of any operation or set of operations in
relation to the personal data, and includes any
of the following: (i) recording; (ii) holding; (iii)
organisation, adaptation or alteration; (iv)
retrieval; (v) combination; (vi) transmission; (vii)
erasure or destruction.”
If a data intermediary uses or discloses
personal data in a manner which goes beyond
the processing required by the principal
organisation under the contract, it will not be
considered a data intermediary in respect of
such use or disclosure. It will therefore have to
comply fully with the Data Protection
Provisions in relation to such use or disclosure.
In a similar vein, while an organisation may be
considered a data intermediary in respect of a
set of personal data, it may at the same time
be bound by all Data Protection Provisions in
relation to other sets of personal data used for
activities which do not fall within the definition
of “processing” as a data intermediary (e.g. in
relation to personal data of its own
employees).
An organisation may be considered a data
intermediary to more than one principal
organisation. In such cases, all the principal
organisations are responsible for compliance
with the Data Protection Provisions in relation
to the personal data processed on their behalf.
An organisation may be a data intermediary of
another even if the written contract between
the organisations does not clearly identify the
data intermediary as such. The Commission
therefore notes that it is important for an
organisation to be clear as to its rights and
obligations when dealing with another
organisation. Where appropriate, the written
contract should clearly set out each
organisation’s responsibilities and liabilities in
relation to the personal data in question, and
expressly note whether one organisation is
processing personal data on behalf of and for
the purposes of another organisation.
14. What constitutes “collection”, “use” and
“disclosure” of personal data?
In general, the terms “collection”, “use” and
“disclosure” have the following meanings:
(a) Collection refers to any act or set of acts
through which an organisation obtains
control over or possession of personal
data.
(b) Use refers to any act or set of acts by
which an organisation employs personal
data. A particular use of personal data may
occasionally involve collection or
disclosure that is necessarily part of the
use.
(c) Disclosure refers to any act or set of acts
by which an organisation discloses,
transfers or otherwise makes available
personal data that is under its control or in
its possession to any other organisation.
While collection, use and disclosure may take
place actively (e.g. a sales person asking the
individual for personal information) or
passively (e.g. an individual writes his name in
an unattended guestbook placed near the
entrance), both forms of collection, use and
disclosure will be subject to the same
obligations under the PDPA.
15. Some Data Protection Provisions refer
to the “purpose” for which an
organisation collects, uses or discloses
personal data. How is such “purpose”
defined?
The term “purpose” does not refer to activities
which an organisation may intend to
undertake but rather to its objectives or
reasons. Hence, when specifying its purposes
relating to personal data, an organisation is
not required to specify every activity which it
may undertake, but its objectives or reasons
relating to personal data.
16. How is the concept of “reasonableness”
defined in the PDPA?
The test for reasonableness is what a
reasonable person would consider appropriate
in the circumstances. A “reasonable person” is
judged based on an objective standard and
can be said to be a person who exercises the
appropriate care and judgment in the
particular circumstances.
In determining what a reasonable person
would consider appropriate in the
circumstances, an organisation should
consider the particular circumstances it is
facing. Taking those circumstances into
consideration, the organisation should
determine what would be the appropriate
course of action to take in order to comply
with its obligations under the PDPA based on
what a reasonable person would consider
appropriate. In other words, a possible step
that an organisation could take is to view the
situation from the perspective of the individual
and consider what the individual would think
as fair.
The Commission notes that the standard of
reasonableness is expected to be evolutionary.
17. What are the main data protection
obligations contained under the PDPA?
The PDPA contains 9 main data protection
obligations that apply to organisations for
personal data in their possession or under their
control:
(a) the Consent Obligation (sections 13 to 17
of the PDPA);
(b) the Purpose Limitation Obligation (Section
18 of the PDPA);
(c) the Notification Obligation (Section 20 of
the PDPA);
(d) the Access and Correction Obligation
(Sections 21 and 22 of the PDPA);
(e) the Accuracy Obligation (Section 23 of the
PDPA);
(f) the Protection Obligation (Section 24 of
the PDPA);
(g) the Retention Limitation Obligation
(Section 25 of the PDPA);
(h) the Transfer Limitation Obligation (Section
26 of the PDPA); and
(i) the Openness Obligation (Sections 11 and
12 of the PDPA).
THE CONSENT OBLIGATION
18. What do organisations have to comply
with under the Consent Obligation?
Under the Consent Obligation, organisations
are required to obtain consent from the
individual before they can collect, use or
disclose the individual’s personal data. This
requirement does not apply where collection,
use or disclosure of an individual’s personal
data is required or authorised under the PDPA
or any other written law.
An individual has not given consent unless
he has been notified of the purposes for which
his personal data will be collected, used or
disclosed and he has provided his consent for
those purposes. If an organisation fails to
inform the individual of the purposes for which
his personal data will be collected, used and
disclosed, any consent given by the individual
would not amount to consent.
19. How can organisations obtain consent
from individuals?
As a good practice, an organisation should
obtain consent in writing or recorded in a
manner that is accessible for future reference.
An organisation may also obtain consent
verbally although it may be more difficult for
an organisation to prove that it had obtained
consent. It would therefore be prudent for the
organisation to document the consent in some
way, for example, by noting the fact that oral
consent was provided by an individual for
certain purposes together with the date and
time of such consent, or by following up the
verbal consent by confirming the consent in
writing with the individual.
Opt-in method of consent
Organisations can obtain the individual’s
consent through a positive action of the
individual (e.g. by requiring the individual to
check a box indicating consent).
Opt-out method of consent
The Commission’s view is that a failure to opt
out (e.g. by deeming that an individual has
given his consent through inaction on his part
by not checking a box indicating his non-
consent) will not be regarded as consent in all
situations. Whether or not a failure to opt out
can be regarded as consent will depend on the
actual circumstances and facts of the case
because there are many methods and variants
to opting out, and depending on its
implementation, some could be more likely
than others to constitute consent.
20. When is an individual considered not to
have validly given consent?
Section 14(2) of the PDPA provides that
consent is not validly given if it is:
(a) obtained as a condition of the provision of
the product or service to the individual,
beyond what is reasonable to provide the
product or service; and
(b) obtained by providing false or misleading
information or using deceptive or
misleading practices.
Consent obtained as a condition of providing
the product/service
An organisation may require an individual to
consent to the collection, use or disclosure of
his personal data as a condition of providing a
product or service where it is reasonably
required in order to provide the product or
service. However, if the consent is obtained as
a condition of providing such product or
services beyond what is reasonable for the
provision of such products or services, such
consent is invalid.
Organisations are not, however, prohibited
from providing offers, discounts or lucky draw
opportunities to individuals that are
conditional on the collection, use or disclosure
of their personal data for specified purposes
because such offers, discounts or lucky draws
are not considered products or services.
The Commission recommends that when
organisations collect personal data through a
form, it is a good practice to indicate which
fields that collect personal data are
compulsory and which are optional, and to
state the purposes for which such personal
data will be collected, used and/or disclosed.
This avoids potential problems as to whether
consent was validly given because it makes
clear whether the individual’s consent was
made a condition to the provision of products
or service.
Consent obtained by false/misleading
information or deceptive/misleading practices
Consent obtained by providing false or
misleading information to the individual, or by
using deceptive or misleading practices, is not
validly given. Such practices may include
situations where the purposes are stated in
vague or inaccurate terms, in an illegible font,
or placed in an obscure area of a document or
a location that is difficult to access.
21. When is an individual deemed to have
given consent?
Section 15 of the PDPA provides two situations
where an individual may be deemed to
consent even if he has not actually given
consent:
(a) where an individual voluntarily provides
the personal data to the organisation for a
purpose and it is reasonable that he
would do so, the individual is deemed to
consent to the collection, use and
disclosure for that purpose; and
(b) where an individual consents or is deemed
to have consented to the disclosure of his
personal data by one organisation to
another (B), the individual is deemed to
consent to the collection, use or disclosure
of his personal data by B for that purpose.
Relying on deemed consent requires an
organisation to be able to establish the
following:
(a) an individual voluntarily provided his
personal data;
(b) the individual was aware of the purpose
for which the personal data was provided;
and
(c) the circumstances are such that it is
reasonable for the individual to have
provided his personal data.
It is good practice for an organisation to
review its business processes to determine the
situations where it should obtain actual
consent instead of relying on deemed consent.
This is especially pertinent in situations where
it is not clear whether the deemed consent
provision applies. Obtaining consent from the
individual would avoid disputes where an
individual claims that he did not consent to
the collection of his personal data for a
purpose and that he did not voluntarily
provide personal data for the purpose.
22. Where an individual provides his
personal data as part of his job
application, is this considered deemed
consent?
When an individual voluntarily provides his
personal data to an organisation in the form of
a job application, for example, in response to a
recruitment advertisement, he may be deemed
to consent to the organisation collecting, using
and disclosing the personal data for the
purpose of assessing his job application.
23. How should organisations deal with a
job applicant’s personal data, after a
decision has been made on whether to
hire such job applicant?
Where the organisation decides not to hire the
individual, it should only keep such individual’s
personal data for as long as is necessary for
business or legal purposes (see questions 53
to 56 below).
Where a job applicant is employed by an
organisation, it would be good practice for the
organisation to obtain consent from an
employee, upon appointment or hiring of such
employee, for the maintenance of such
employee’s employment records (see question
47 below).
24. Is it necessary to obtain consent from
users when an organisation employs the
use of cookies?
Yes, if the cookies are used to collect personal
data.
It should be noted that the obligation to
obtain an individual’s consent for the
collection of his personal data rests with the
organisation that is collecting the personal
data, whether by itself or through its data
intermediaries. Accordingly, if an organisation
operates a website which a third party uses to
collect personal data, and the website operator
itself is not collecting such personal data, the
obligation is on the third party organisation to
obtain the consent required to collect the
personal data.
For Internet activities that the user has clearly
requested (e.g. transmitting personal data for
effecting online communications and storing
information that the user enters in a web form
to facilitate an online purchase), it may not be
strictly necessary to seek consent for the use
of cookies to collect, use, and disclose
personal data where the individual is aware of
the purposes for such collection, use or
disclosure and voluntarily provided his
personal data for such purposes.
For activities that cannot take place without
cookies that collect, use or disclose personal
data, consent may be deemed if the user
voluntarily provides the personal data for that
purpose of the activity, and it is reasonable
that he would do so.
The Selected Topics Guidelines provides that
consent may be reflected in the way a user
configures his interaction with the Internet. For
instance, if the user configures his browser to
accept certain cookies but rejects others, he
may be regarded as having consented to the
collection, use and disclosure of his personal
data by the cookies that he has chosen to
accept. However, the mere failure of a user to
actively manage his browser settings does not
always imply that the individual has consented
to the collection, use and disclosure of his
personal data by all websites for their stated
purpose.
25. Can an organisation obtain personal
data from third party sources with the
consent of the individual?
There are two situations in which organisations
may obtain personal data about an individual
from a third party source, with the consent of
the individual:
(a) where the third party source can validly
give consent to the collection, use and
disclosure of the individual’s personal data
(under Section 14(4) of the PDPA); or
(b) where the individual has consented, or is
deemed to have consented, to the
disclosure of his or her personal data by
the third party source (under Section
15(2) of the PDPA).
Consent given by a third party source
In relation to (a), the Commission has noted
that regulations will be issued under the PDPA
providing for some specific situations in which
a person may give consent on behalf of
another individual.
The Key Concepts Guidelines provides as an
example of validly obtaining personal data
from a third party source, a situation where
personal data is obtained via the purchase of a
database containing personal data from a
database reseller who has obtained consent
from the individual for the disclosure of the
personal data. Another example is where one
organisation in a corporate group has validly
obtained consent to the collection, use and
disclosure of an individual’s personal data for
the purposes of other organisations in the
group.
An organisation collecting personal data from
a third party source is required to notify the
source of the purposes for which it will be
collecting, using and disclosing the personal
data.
Deemed consent
An example of where an individual may be
deemed to have consented to disclosure of his
or her personal data by a third party source is
where a prospective employer seeks to obtain
a reference from his or her former employer
to determine his or her suitability for
employment by the prospective employer.
26. Can an organisation collect and use
personal data of a job applicant from
social networking sources?
To the extent the information on social
networking sources is publicly available,
organisations can collect personal data about
a job applicant without his consent. The PDPA
does not require organisations to obtain the
consent of individuals when collecting
personal data that is available publicly, for
instance, in newspapers, telephone directories
and websites containing information that is
generally available to the public.
Where the personal data is not publicly
available, but is voluntarily made available by
an individual on a job-search portal for being
contacted for prospective job opportunities,
the individual may be deemed to have
consented to the collection, use and disclosure
of his personal data for such purpose.
27. Can an organisation collect and use
information on business cards for
recruitment?
Where an individual provides his business card
to an organisation for purposes other than
solely for personal purposes, it is possible for
the organisation to use the information on the
business card for recruitment or other
purposes. This is because the Data Protection
Provisions do not apply to business contact
information.
However, if the business card is provided by an
individual purely for personal purposes, then
the organisation will not be permitted to use
the personal data contained in the business
card for any purposes for which it has not
obtained the individual’s consent.
28. What should organisations do to ensure
that the third party sources can validly
provide the personal data?
Organisations obtaining personal data from
third party sources should check and ensure
that the third party source can validly give
consent for the collection, use and disclosure
of personal data on behalf of the individual or
that the source had obtained consent for
disclosure of the personal data.
Organisations (A) obtaining personal data
from third party sources (B) may consider
adopting the following due diligence
measures, as appropriate:
(a) seek an undertaking from B through a
term of contract between A and B that the
disclosure to A for A’s purposes is within
the scope of the consent given by the
individual to B;
(b) obtain confirmation in writing from B;
(c) obtain, and document in an appropriate
form, verbal confirmation from B; or
(d) obtain a copy of the document(s)
containing or evidencing the consent
given by the individuals concerned to B to
disclose the personal data.
In the event the third party source could not
validly give consent or had not obtained
consent for disclosure to the collecting
organisation, but concealed this from the
collecting organisation, the actions taken by
the collecting organisation to verify such
matters before collecting the personal data
from the third party source would be
considered a possible mitigating factor by the
Commission should there be a breach of the
PDPA relating to such collection or the
collecting organisation’s use or subsequent
disclosure of the personal data.
29. Can an organisation obtain personal
data from third party sources without
the consent of the individual?
An organisation (A) may collect personal data
from a third party source (B) without the
consent of the individual in the circumstances
described in the Second Schedule to the PDPA.
These circumstances include where:
FAQs to the Advisory Guidelines to the PDPA
23 www.drewnapier.com
(a) the collection is necessary to respond to
an emergency that threatens the life,
health or safety of the individual or
another individual;
(b) the personal data is publicly available; and
(c) the collection is necessary for evaluative
purposes.
At the same time, B would only be able to
disclose the personal data without the consent
of the individual in any of the circumstances
set out in the Fourth Schedule of the PDPA.
These circumstances include, for example,
where:
(a) the disclosure is necessary to respond to
an emergency that threatens the life,
health or safety of the individual or
another individual;
(b) the personal data is publicly available; and
(c) the disclosure is for the purpose of
contacting the next-of-kin or a friend of
any injured, ill or deceased individual.
B would need to know the purpose for which A
is collecting the personal data in order to
determine if its disclosure of the data to the
organisation falls into the Fourth Schedule
exceptions set out in the PDPA. Section 20(2)
of the PDPA therefore requires A to provide B
with sufficient information regarding its
purpose for collecting the personal data, to
allow B to determine whether disclosure would
be in accordance with the PDPA.
30. Organisations can collect, use and
disclose personal data without consent
if it is publicly available. What is the
definition of “publicly available” data?
The term “publicly available” refers to personal
data that is generally available to the public,
including personal data which can be observed
by reasonably expected means at a location or
an event at which the individual appears and
that is open to the public. Personal data is
generally available to the public if any member
of the public could obtain or access the data
with few or no restrictions.
However, in some situations, the existence of
restrictions may not prevent the data from
being publicly available. For example, if
personal data is disclosed to a closed online
group but membership in the group is
relatively open and members of the public
could join with minimal effort, then the
disclosure may amount to making the data
publicly available.
Time in determining public availability
Personal data that is publicly available at one
point in time may no longer be publicly
available after that time. For example, users of
social networking sites may change their
privacy settings from time to time, which
would have an impact on whether their
personal data would be considered publicly
available.
Because it would be excessively burdensome
for organisations to constantly verify that the
data remains publicly available, especially in
situations where the use or disclosure happens
sometime after the collection of the personal
data, the Commission has adopted the
position that so long as the personal data in
question was publicly available at the point of
collection, organisations will be able to use
and disclose personal data without consent
under the corresponding exceptions,
notwithstanding that the personal data may no
longer be publicly available at the point in
time when it is used or disclosed.
Personal data observed in public
For data observed in public to constitute
publicly available data, two requirements must
be met:
(a) the personal data must be observed by
reasonably expected means; and
(b) the personal data must be observed at a
location or event at which the individual
appears and that is open to the public.
Personal data is observed by reasonably
expected means if individuals ought to
reasonably expect their personal data to be
collected in that particular manner at that
location or event. This test is an objective one,
considering what individuals ought reasonably
to expect instead of what a particular
individual actually expects.
A location or event would be considered
“open to the public” if members of the public
can enter or access the location with few or no
restrictions. Generally speaking, the more
restrictions there are for access to a particular
location (e.g. physical barriers such as fences,
walls and gates, employment of security
systems, sentries and patrols aimed at
restricting entry), the less likely it would be
considered “open to the public”.
However, the mere existence of some
restrictions is not sufficient to prevent the
location from being regarded as open to the
public. For example, events that may be
entered only upon payment of a fee by a
member of the public may still be considered
to be open to the public. Similarly, special
events for members of a retailer’s loyalty
programme may also be considered open to
the public, depending on relevant factors such
as whether the event was open to a large
number of members.
A location is not open to the public merely
because members of the public may look into
the location. For example, if members of the
public are not able to enter residential
premises that are closed for a private event,
their ability to observe what is happening
inside would not make the premises open to
the public.
The Commission also recognises that while a
location may generally be open to the public,
it may at times become a private space (e.g. a
restaurant is booked for a private function). In
such situations, as members of the public
cannot enter the location during the event, the
event is not open to the public.
31. What practical steps should
organisations take to allow individuals
to withdraw their consent?
Section 16 of the PDPA provides that
individuals may at any time withdraw any
consent given or deemed to have been given
under the PDPA in respect of the collection,
use or disclosure of their personal data for any
purpose by an organisation.
In order to enable and facilitate withdrawal,
the Commission advises organisations to make
an appropriate consent withdrawal policy
easily accessible to the individuals concerned.
This withdrawal policy should, for example:
(a) advise the individuals on the form and
manner to submit a notice to withdraw
their consent for specific purposes;
(b) indicate the person to whom, or the
means by which, the notice to withdraw
consent should be submitted;
(c) distinguish between purposes which are
necessary and those which are optional to
the provision of goods or services; and
(d) allow individuals to withdraw consent for
optional purposes without concurrently
withdrawing consent for the necessary
purposes.
An organisation must not prohibit an
individual from withdrawing his consent to the
collection, use or disclosure of personal data
about the individual himself. If the collection,
use or disclosure of his personal data is
necessary for the provision of the goods or
services, the organisation can terminate the
provision of such goods and services on the
individual’s withdrawal of consent and shall
have recourse to any legal rights and remedies
accruing to it (e.g. early termination fees), but
the organisation cannot prohibit the individual
from withdrawing such consent.
32. How should organisations respond
when they receive a notice from an
individual to withdraw consent?
Once an organisation has received a notice to
withdraw consent, the organisation should
highlight to the individual concerned the
likely consequences of withdrawing his
consent, even if those consequences have
previously been set out somewhere else (e.g.
in the service contract between the
organisation and the individual).
With regard to personal data that is already in
an organisation’s possession, withdrawal of
consent would only apply to an organisation’s
continued use or future disclosure of the
personal data concerned. Upon receipt of a
notice of withdrawal of consent, the
organisation must inform its data
intermediaries and agents about the
withdrawal and ensure that they cease
collecting, using or disclosing the personal
data for the organisation’s purposes.
Apart from its data intermediaries and agents,
an organisation is not required to inform other
organisations to which it has disclosed an
individual’s personal data of the individual’s
withdrawal of consent. The individual retains
the option of requesting the organisation to
provide information on the ways in which his
personal data has been disclosed, and upon
finding out which other organisations his
personal data may have been disclosed to,
approach these other organisations directly to
withdraw consent.
Organisations are not required to delete or
destroy an individual’s personal data when he
has withdrawn consent. Organisations may
retain personal data in their documents and
records in accordance with the Retention
Limitation Obligation (see below).
33. Are organisations required to accede to
an individual’s request to delete CCTV
footage?
No. Organisations are not required to delete
video footage collected from their closed-
circuit television cameras (CCTVs) upon
request by an individual.
However, before providing a copy of CCTV
footage to any persons (upon their request),
the organisation should mask the images of
other individuals who may be present in the
CCTV footage. This is because the PDPA does
not permit the organisation to disclose
personal data (such as video images) of other
individuals present in the CCTV footage, where
consent of those individuals for such
disclosure has not been obtained.
34. What do organisations have to comply
with under the Purpose Limitation
Obligation?
Under the Purpose Limitation Obligation,
organisations may collect, use or disclose
personal data about an individual only for
purposes:
(a) that a reasonable person would consider
appropriate in the circumstances; and
(b) where applicable, that the individual has
been informed of by the organisation
pursuant to the Notification Obligation
(see below).
Whether a purpose is reasonable depends on
whether a reasonable person would consider it
appropriate in the circumstances. Hence the
particular circumstances involved need to be
taken into account in determining whether the
purpose of such collection, use or disclosure is
reasonable.
More generally, organisations should avoid
over-collecting personal data such as NRIC
numbers, where this is not required for their
business or legal purposes. Organisations
should also consider whether there may be
alternatives available that address their
requirements.
35. If an organisation captures CCTV
footage beyond the boundaries of their
own premises, does that go beyond the
Purpose Limitation Obligation?
Organisations are not strictly prohibited from
installing CCTVs that collect footage beyond
the boundaries of their premises. However,
organisations will need to consider whether
the extent of the coverage is reasonable for
the purpose of installing the CCTVs.
Organisations should also place appropriate
notification in all areas where personal data
would be collected by the CCTVs and obtain
consent for such collection, unless one of the
exceptions under the PDPA applies.
On a related note, organisations should be
aware of other restrictions (including legal
limits on the filming of restricted areas) that
may affect their ability to collect CCTV footage
of areas beyond their premises.
36. Can organisations collect NRIC cards?
Yes. However, organisations will need to
exercise caution when handling NRIC cards, as
they contain personal data and such personal
data will be subject to the Data Protection
Provisions.
37. For what business purposes are
organisations allowed to use NRIC
numbers?
This depends on the purposes (which should
be reasonable) for which consent to collect,
use and disclose the NRIC numbers has been
obtained by the organisation.
Organisations should note that, where NRIC
numbers are used as membership numbers or
user names, the disclosure of such
membership numbers or user names may also
result in the disclosure of NRIC numbers. In
this regard, the organisation will need to
consider whether it is reasonable to use the
NRIC numbers as the membership number or
user name, and also whether valid consent has
been obtained from the individual concerned.
38. Can organisations publish NRIC
numbers for purposes such as the
results of lucky draws?
Yes, provided that valid consent has been
obtained from the individuals concerned.
That said, the Commission has noted that it is
good practice for organisations to publish only
as much personal data as necessary to fulfil
the relevant purpose. With regard to NRIC
numbers, it would be sufficient in most cases
to publish only a portion of the NRIC number
such as the last three digits and the alphabet.
The full NRIC number should only be used if
necessary, for example, to confirm the identity
of the person coming forth to receive the lucky
draw prize.
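As an added illustration of this practice (example code written for this supplement, not taken from the guide or the Commission), the Python helper below keeps only the last three digits and the suffix letter of an NRIC for publication, and redacts any full NRIC that slips into free-text announcement copy. It assumes the layout of one prefix letter, seven digits and one suffix letter (e.g. S1234567A, a constructed sample, not a real number) and does no checksum validation.

```python
import re

# Assumed NRIC/FIN layout: one letter, seven digits, one letter (e.g. S1234567A).
# The prefix and suffix letters are not validated beyond being letters.
NRIC_FULL_RE = re.compile(r"([A-Z])(\d{4})(\d{3})([A-Z])")
# Looser, word-bounded pattern used to find NRIC-shaped tokens in free text.
NRIC_IN_TEXT_RE = re.compile(r"\b[A-Za-z]\d{7}[A-Za-z]\b")


def mask_nric(nric: str) -> str:
    """Return the publishable form of an NRIC: the last three digits and the
    suffix letter, with the prefix letter and first four digits replaced by '*'.

    Raises ValueError if the input is not in the expected layout, so that a
    malformed value is never echoed back (partially or in full) by mistake.
    """
    value = nric.strip().upper()
    match = NRIC_FULL_RE.fullmatch(value)
    if match is None:
        raise ValueError("input is not in the expected NRIC layout")
    prefix, hidden, tail, suffix = match.groups()
    return "*" * (len(prefix) + len(hidden)) + tail + suffix


def redact_nrics(text: str) -> str:
    """Replace every NRIC-shaped token in free text with its masked form.

    Guards against a full number being pasted into a results announcement.
    """
    return NRIC_IN_TEXT_RE.sub(lambda m: mask_nric(m.group(0)), text)


def publish_winners(winners) -> list:
    """Build lucky-draw result lines from (name, nric) pairs, showing only the
    masked NRIC next to each winner's name."""
    return [f"{name}: {mask_nric(nric)}" for name, nric in winners]


if __name__ == "__main__":
    # Constructed sample data, not real identities.
    sample = [("Tan A.", "S1234567A"), ("Lee B.", "t7654321z")]
    for line in publish_winners(sample):
        print(line)
    print(redact_nrics("Winner S1234567A, please collect your prize."))
```

The full number is retained internally and is only compared against the identity document presented when the winner comes forward, as the answer above describes.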
THE NOTIFICATION OBLIGATION
39. What do organisations have to comply
with under the Notification Obligation?
Organisations must inform individuals of the
purposes for which their personal data will be
collected, used and disclosed in order to
obtain their consent. This is important because
the organisation’s collection, use and
disclosure is limited to the purposes for which
notification has been made to the individuals
concerned (i.e. the Purpose Limitation
Obligation).
In particular, organisations have to inform the
individual of:
(a) the purposes for the collection, use and
disclosure of his personal data, on or
before collecting the personal data; or
(b) any purpose for use or disclosure of
personal data which has not been
informed under (a), before such use or
disclosure of personal data for that
purpose.
40. How should organisations notify
individuals of the purpose for the
collection, use and disclosure of their
personal data?
While no manner or form of notification is
mandated, organisations should determine the
best way to notify the individual, such that he
is provided with all the required information to
understand the purposes for which his
personal data is collected, used or disclosed.
Relevant factors to consider in such a
determination include:
(a) the circumstances in which it will be
collecting the personal data;
(b) the amount of personal data to be
collected;
(c) the frequency at which the personal data
will be collected; and
(d) the medium through which the
notification is provided (e.g. face-to-face
or through a telephone conversation).
It is generally good practice for an
organisation to state its purposes in a written
form (electronically or otherwise) so that the
individual is clear about its purposes and both
parties will be able to refer to a clearly
documented statement of the organisation’s
purposes in the event of any dispute.
The Commission has also suggested several
best practices that organisations can adopt:
(a) Organisations should draft notices that are
easy to understand and appropriate to the
intended audience, providing headings or
clear indications of where the individuals
should look to determine the purposes for
which their personal data would be
collected, used or disclosed, and avoiding
legalistic terminology that would confuse
or mislead individuals reading it;
(b) Organisations should provide the most
important or basic information (e.g.
contact details of the organisation’s Data
Protection Officer) more prominently (e.g.
on the first page of an agreement) and
more detailed information elsewhere;
(c) Organisations should consider if some
purposes may be of special concern or be
unexpected to the individual given the
context of the transaction, and whether
those purposes should be highlighted in
an appropriate manner;
(d) Organisations should select the most
appropriate medium(s) to provide the
notification (e.g. in writing through a form,
on a website, or orally in person); and
(e) Organisations should develop processes to
regularly review the effectiveness and
relevance of the notification policies and
practices.
41. Can organisations use a Data Protection
Policy to notify individuals of the
purposes for which they collect, use and
discloses personal data?
Organisations may choose to notify individuals
of the purposes for which they collect, use and
disclose personal data through their Data
Protection Policy, which is a document setting
out the organisation’s policies and procedures
for complying with the PDPA.
The Data Protection Policy may be provided to
individuals as required, in the form of a
physical document, on the organisation’s
website or some other manner. However, the
Commission recommends that where the
policy is not made available to an individual as
a physical document, the organisation should
provide the individual with an opportunity to
view its Data Protection Policy before
collecting the individual’s personal data.
If an organisation’s Data Protection Policy sets
out its purposes in very general terms, the
organisation may need to provide a more
specific description of its purposes to a
particular individual who will be providing his
personal data in a particular situation, to
provide clarity to the individual on how his
personal data would be collected, used or
disclosed.
42. What level of detail is required when
notifying individuals of the purposes
for which their personal data is
collected, used and disclosed?
The Key Concepts Guidelines provide that an
organisation should state its purposes at an
appropriate level of detail for the individual to
determine the reasons for which the
organisation will be collecting, using or
disclosing his personal data. An organisation
need not specify every activity it will undertake
in relation to collecting, using and/or
disclosing personal data when notifying
individuals of its purposes, and may have
regard to the following to determine the level
of specificity to provide:
(a) whether the purpose is stated clearly and
concisely;
(b) whether the purpose is required for the
provision of products or services (as
distinct from optional purposes);
(c) if the personal data will be disclosed to
other organisations, how the organisations
should be made known to the individuals;
(d) whether stating the purpose to a greater
degree of specificity would be a help or
hindrance to the individual understanding
the purpose(s) for which his personal data
would be collected, used, or disclosed; and
(e) what degree of specificity would be
appropriate in light of the organisation’s
business processes.
43. Can organisations use and disclose
personal data for a different purpose
from which it was collected?
The organisation should first determine
whether or not the ‘different’ purpose actually
falls within the scope of the purposes for
which the individual concerned had originally
been informed. If the purpose does fall within
scope of the original purposes, there is no
need to obtain fresh consent.
If, however, the organisation determines that
the different purpose does not fall within the
scope of the original purpose, the organisation
needs to inform the individual of those new
purposes and obtain fresh consent.
44. Is it always necessary for an
organisation to notify individuals prior to
collecting, using or disclosing their
personal data for research and analytics
activities?
It will not be strictly necessary to obtain
consent from an individual to use their
personal data for a research purpose as set out
in paragraph 1(i) of the Third Schedule of the
PDPA, if all the conditions in paragraph 2 of
the Third Schedule of the PDPA are satisfied,
that is:
(a) the research purpose cannot reasonably
be accomplished unless the personal data
is provided in an individually identifiable
form;
(b) it is impracticable for the organisation to
seek the consent of the individual for the
use;
(c) the personal data will not be used to
contact persons to ask them to participate
in the research; and
(d) linkage of the personal data to other
information is not harmful to the
individuals identified by the personal data
and the benefits to be derived from the
linkage are clearly in the public interest.
Generally and where the exception does not
apply, organisations will need to:
(a) specify research and analytics as a purpose
for which consent of an individual is
sought, and obtain the individual’s consent
for collection, use and/or disclosure for
such purpose;
(b) rely on consent that has been given by an
individual for a purpose that does not
explicitly cover analytics and research if
the purpose of the analytics and research
falls within the original purpose for which
consent was given; or
(c) use anonymous or anonymised data to
conduct the research or analytics activities
(see questions 63 and 64 for more details
on anonymisation).
45. Do organisations always need to notify
individuals when CCTVs are deployed?
Generally, yes. Individuals will need to be
notified that CCTVs are operating in the
premises, as well as for what purposes (if this
may not be obvious to individuals). This is
because organisations will generally need to
get their consent for the collection, use or
disclosure of CCTV footage. Where there may
be exceptions to the requirement to obtain
consent from individuals for the collection, use
or disclosure of their personal data (e.g. where
the personal data is publicly available), the
Commission recommends that organisations
still provide notification, as a matter of best
practices, where CCTVs are deployed.
While the PDPA does not prescribe the
content of the notification required,
organisations should put up notices or other
forms of notifications, for example, at points of
entry or prominent locations in a venue or a
vehicle to notify individuals that CCTVs have
been deployed in the premises. It is not
necessary for the placement or content of
notifications to reveal the exact location of the
CCTVs.
46. Do recruitment agencies always need to
notify individuals before collecting,
using or disclosing their personal data?
Recruitment companies, employment
agencies, headhunters and similar
organisations will generally need to notify
individuals before collecting, using or
disclosing their personal data, unless one of
the exceptions under the PDPA applies.
There may be some cases, however, where a
recruitment agency acts only as a data
intermediary (see question 13 above). In these
cases, the recruitment agency that is a data
intermediary would only be subject to the
provisions in the PDPA relating to the
safeguarding and retention of personal data in
respect of the processing of personal data on
behalf of and for the purposes of the
organisation (for which it is acting as a data
intermediary), pursuant to a contract with such
organisation which is evidenced or made in
writing.
47. Do employers need to notify and obtain
consent from employees in respect of
collecting, using or disclosing their
personal data for employment
purposes?
This will depend on the precise scope
and nature of these employment purposes.
The PDPA does not prescribe the form or
manner in which organisations are to provide
an individual with the required information
that allows him to understand the purposes for
which his personal data would be collected,
used and disclosed in the employment
context. In this regard, it is possible for
organisations to inform their employees of
these purposes through employment
contracts, employee handbooks, or notices in
the company intranet (for instance).
Managing or terminating the employment
relationship
Generally, it would be reasonable for an
organisation to continue to use personal data
provided by an employee in a job application
form, for the purpose of managing the
employment relationship with the individual.
The PDPA allows employers to collect personal
data from their employees, insofar as it is
reasonable for the purpose of managing or
terminating their employment relationships,
and to use or disclose such employees’
personal data for consistent purposes, without
their consent.
Importantly, however, while consent is not
required, employers will need to notify
employees where they are collecting the
employees’ personal data for purposes of
managing or terminating the employment
relationship. This is in contrast to situations
where the employer may be collecting
employee personal data for evaluative
purposes (see below).
The Selected Topics Guidelines provide that
the purposes of “managing and terminating an
employment relationship” include the
following:
• using the employee’s bank account details
to issue salaries;
• monitoring how the employee uses
company computer network resources;
• posting employees’ photographs on the
staff directory page on the company
intranet; and
• managing staff benefit schemes like
training or educational subsidies.
However, as a matter of best practices,
organisations should, upon appointment or
hiring of an employee, obtain consent from
the employee to maintain such employee’s
employment records.
Further, should the organisation require
additional personal data or intend to use or
disclose the employee’s personal data for
other purposes during the course of the
employment relationship, it will also be
necessary to obtain relevant consent from the
employee.
Where an organisation has sufficiently
provided a general notification to employees
on the purposes for which their personal data
may be collected, used and disclosed, for
example, for performance appraisals, the
Commission does not expect organisations to
notify employees of the same purpose prior to
each time that the organisation engages in
such activities.
Evaluative purposes
An employer need not obtain consent from, or
notify, an employee or prospective employee
when collecting, using or disclosing personal
data for evaluative purposes. Such evaluative
purposes include:
(a) where an employer seeks to obtain a
reference from a prospective employee’s
former employer to determine his
suitability, eligibility or qualifications for
employment; and
(b) where an employer seeks to obtain
performance records or other relevant
information or opinions to determine the
performance of an employee, or for
promotion in employment or continuance
in employment.
Other purposes
In relation to the collection, use or disclosure
of employee personal data for other purposes
that are not relevant to the management or
termination of the employment relationship,
and where no other exception under the PDPA
applies, an employer organisation will need to
obtain consent from the employee.
This includes where the employer collects, uses
or discloses employee personal data for
business or client purposes not related to
managing or terminating an employment
relationship. For instance, if an organisation
provides the full name and NRIC number of an
employee for purposes of allowing a courier
company to enter its office premises, the
organisation will need to obtain the
employee’s consent prior to disclosing the
employee’s personal data. Such consent can
be obtained on a case-by-case basis, or once-
off through the employment contract or other
appropriate means.
THE ACCURACY OBLIGATION
48. What do organisations have to comply
with under the Accuracy Obligation?
The Accuracy Obligation requires
organisations to make reasonable efforts to
ensure that personal data collected is accurate
and complete, if it is likely that the personal
data will be used to make a decision that
affects the individual to whom the personal
data relates, or the personal data is likely to be
disclosed to another organisation.
In order to ensure that personal data is
accurate and complete, an organisation must
make a reasonable effort to ensure that:
(a) it accurately records personal data which it
collects (whether directly from the
individual concerned or through another
organisation);
(b) personal data it collects includes all
relevant parts thereof (so that it is
complete);
(c) it has taken the appropriate (reasonable)
steps in the circumstances to ensure the
accuracy and correctness of the personal
data; and
(d) it has considered whether it is necessary to
update the information.
In determining what may be considered a
reasonable effort, an organisation should take
into account factors such as the following:
(a) the nature of the data and its significance
to the individual concerned (e.g. whether
the data relates to an important aspect of
the individual such as his health);
(b) the purpose for which the data is
collected, used or disclosed;
(c) the reliability of the data (e.g. whether it
was obtained from a reliable source or
through reliable means);
(d) the currency of the data (that is, whether
the data is recent or was first collected
some time ago); and
(e) the impact on the individual concerned if
the personal data is inaccurate or
incomplete.
The Commission has noted that an
organisation may not be required to check the
accuracy and completeness of an individual’s
personal data each and every time it makes a
decision, or is likely to make a decision, about
the individual.
49. In complying with the Accuracy
Obligation, can a different level of care
be adopted when the personal data is
obtained directly from the individual
compared to when it is obtained from
third party sources?
Personal Data collected from the individual
Organisations may presume that personal data
provided directly by the individual concerned
is accurate in most circumstances. When in
doubt, organisations can consider requiring
the individual to make a verbal or written
declaration that the personal data provided is
accurate and complete.
Additionally, where the currency of the
personal data is important, the organisation
should take steps to verify that the personal
data provided by the individual is up to date
(for example, by requesting a more updated
copy of the personal data before making a
decision that will significantly impact the
individual).
Personal Data collected from third party sources
An organisation should be more careful when
collecting personal data from a source other
than the individual in question. It is allowed to
take differing approaches to ascertain the
accuracy and completeness of personal data it
collects depending on the reliability of the
source of the data. For example, the
organisation may obtain confirmation from the
source of the personal data that the source
had verified the accuracy and completeness of
that personal data. It may also conduct further
independent verification if it deems prudent to
do so.
THE PROTECTION OBLIGATION
50. What does it mean to make “reasonable
security arrangements to protect
personal data”?
To determine what may be reasonable and
appropriate, the organisation should take into
consideration:
(a) what type of personal data it has in its
possession or under its control;
(b) in what medium the personal data has been
collected (e.g. hardcopy or softcopy);
(c) who has access to the personal data;
(d) whether any personal data is or will be
held or used by third parties on behalf of
the organisation;
(e) what possible harm might arise from a
security breach (e.g. what consequences
there might be to the individual concerned
if his/her personal data is obtained,
modified or disposed of by an unauthorised
person); and
(f) who will be responding to information
security breaches.
An organisation may wish to put in place
different levels of security according to the
level of sensitivity of the personal data.
51. What types of security arrangements
can an organisation put in place?
A combination of administrative, physical and
technical or other measures may be used,
depending on what is reasonable and
appropriate for an organisation (see questions
48 and 49 above).
Some examples include:
• Setting out confidentiality obligations in all
staff employment contracts;
• Implementing staff policies and manuals
on personal data protection;
• Conducting regular staff training on how
to handle personal data and updates on
what types of potential threats there may
be to personal data;
• Taking disciplinary action against staff who
breach confidentiality obligations;
• Limiting the amount of personal data
collected by the organisation to what is
necessary (i.e. avoid holding excessive
personal data);
• Marking documents as “confidential”;
• Storing confidential documents under
lock;
• Limiting staff access to confidential
documents on a need-to-know basis;
• Using privacy filters on laptops and
computers;
• Shredding confidential documents when
no longer needed, or by other means of
secure destruction;
• Using registered post instead of normal
post when delivering confidential
documents;
• Creating different layers of access to
documents which contain personal data,
so that personal data is accessed only
when necessary;
• Confirming the identity of an individual
prior to disclosing any personal data to
such individual to ensure that the
individual is the correct recipient;
• Encrypting personal data;
• Using self-locking mechanisms for
computer screens after a certain period of
inactivity;
• Wiping personal data from IT devices
before they are disposed of, sold or recycled;
• Using the appropriate email security
setting when sending or receiving highly
confidential emails;
• Regular updating of computer and IT
security equipment and software; and
• Engaging IT service providers which are
able to provide the requisite standard of IT
security.
52. Are organisations responsible if their
employees do not comply with the
PDPA?
Yes, insofar as the act done or conduct
engaged in by the employee was in the course
of his employment. The PDPA will treat such
act or conduct as having been done or
engaged in by the employer, irrespective of
whether it was done or engaged in with the
employer’s knowledge or approval.
That said, an organisation may not be liable for
offences under the PDPA by an employee of
an organisation, if it took such steps as were
practicable to prevent the employee from
doing the act or engaging in the conduct that
constitutes the offence.
It should be noted that, for the purposes of
the PDPA, an “employee” includes a volunteer,
and an employment relationship will include
an unpaid volunteer work relationship.
THE RETENTION LIMITATION OBLIGATION
53. How long should an organisation retain
personal data?
Organisations should assess the reasons for
which they retain personal data, and regularly
assess whether the personal data still needs to
be retained.
Generally, organisations should only retain
personal data:
(a) if it is necessary for the purposes for which
the personal data was collected; or
(b) for business or legal purposes.
With regard to (a) above, for instance, if an
organisation has only obtained valid consent
from an individual to collect personal data for
a certain purpose (i.e. purpose A), it must not
keep that personal data “just in case” it may be
needed for any purposes other than purpose
A.
With regard to (b) above, some examples of
legal or business purposes include:
• for ongoing legal action involving the
organisation;
• to comply with applicable laws,
regulations, whether in Singapore or
outside of Singapore, including
international or regional standards; and
• to generate the organisation’s annual
reports, performance forecasts, etc.
54. What are some recommended best
practices in relation to the retention of
personal data?
The Commission recommends that
organisations should draw up policies which
set out the retention periods for personal data.
Such policies may provide for varying
retention periods in respect of different types
of personal data held by the organisation.
As a guide, organisations may wish to retain
documents regarding their contracts for 7 years
from the date of termination of the contract,
as actions founded on contract will generally
need to be brought within 6 years from the
date on which the cause of action accrued.
However, it may be necessary to retain such
contracts for a longer period if there are
ongoing legal proceedings or investigations
regarding these contracts.
55. How long can organisations continue to
hold personal data of former
employees?
As mentioned in question 53 above,
organisations may continue to retain personal
data about former employees that were
collected during their respective employment
periods for as long as there is a valid business
or legal purpose.
The Commission has clarified that
organisations which have a policy of retaining
personal data of former employees for the
purpose of considering them for future job
opportunities can continue to do so as a valid
business purpose. However, organisations
should not retain personal data without a
clearly defined purpose.
56. What does it mean to “cease to retain”
personal data?
There are various ways in which an
organisation may cease to retain personal
data.
The Commission has indicated that it will
consider whether an organisation has ceased
to retain personal data, in light of the
following factors:
(a) whether the organisation has any intention
to use or access the personal data;
(b) how much effort and resources the
organisation would need to expend to use or
access the personal data again;
(c) whether any third parties have been given
access to the personal data; and
(d) whether the organisation has made a
reasonable attempt to completely destroy,
dispose of or delete the personal data
permanently.
Some ways in which an organisation may
cease to retain personal data include:
(a) returning those documents containing
personal data to the individual concerned;
(b) transferring those documents containing
personal data to another person, if
instructed by the individual concerned;
(c) shredding those documents containing
personal data; and
(d) anonymising the personal data, such that
the remaining data can no longer be used
to identify any particular individual (see
questions 63 to 65 for more details on
anonymisation).
THE OPENNESS OBLIGATION
57. What is the Openness Obligation?
The Openness Obligation is a term coined by
the Commission, which generally refers to the
requirement for organisations to make their
data protection policies and practices available
to those individuals whose personal data they
collect.
This also refers to the Data Protection
Provisions which make organisations
accountable to individuals and the
Commission for compliance with the Data
Protection Provisions, by the following means:
(a) giving the right to individuals to request
for access to their personal data held in
the possession or under the control of an
organisation, to find out whether and what
type of their personal data are held by the
organisation, and how the organisation is
using their personal data;
(b) giving the right to individuals to submit
complaints to the Commission regarding
an organisation’s conduct and compliance
with the Data Protection Provisions;
(c) giving the right to individuals who suffer
loss or damage directly as a result of an
organisation’s contravention of the Data
Protection Provisions to commence civil
proceedings against the organisation; and
(d) empowering the Commission to take
enforcement action against an
organisation which has contravened any of
the Data Protection Provisions.
For the purpose of ensuring that they comply
with the Data Protection Provisions,
organisations are required to designate one or
more individuals who will take on the
responsibility for ensuring such compliance.
Importantly, organisations should note that
such designation of responsibility does not
pass legal responsibility to the individual. The
organisation itself remains legally responsible
for compliance with the Data Protection
Provisions.
58. Are there any requirements as to whom
an organisation may designate as its
data protection officer?
The PDPA requires that an organisation must
make available the business contact
information of at least one individual
designated by the organisation, who is able to
answer on behalf of the organisation, any
questions relating to the collection, use or
disclosure of personal data.
There is no strict necessity for an individual
designated by an organisation to be an
employee of the organisation, or for such
individual to be physically based in Singapore.
It is also generally open to the designated
individual to delegate the responsibility to
another individual.
Notwithstanding, the Commission
recommends that the business contact
information of the individual whom an
organisation designates should be: (a) a
Singapore phone number; (b) operational
during Singapore business hours; and (c)
readily accessible from Singapore.
59. Will the Openness Obligation require
organisations to accede to an
individual’s request to access CCTV
footage?
Yes, unless a relevant exception in the Fifth
Schedule of the PDPA applies (e.g. the request
is frivolous or vexatious, or if the burden or
expense of providing access would be
unreasonable to the organisation or
disproportionate to the individual’s interests).
The Selected Topics Guidelines suggests that
harming an organisation’s competitive
position, or compromising an organisation’s
security arrangements (e.g. where the
provision of the personal data in the CCTV
footage could reasonably be expected to
threaten the safety of another individual),
could be a sufficient reason to deny access to
CCTV footage. In such case, the organisation
will need to ensure that it has strong
justifications and supporting evidence to
justify its decision to reject the individual’s
request for access to the CCTV footage.
60. Are there any specific requirements that
organisations need to comply with,
when acceding to an individual’s
request to access CCTV footage?
Where an individual requests for access to
CCTV footage, the organisation concerned
should provide a copy of the CCTV footage to
the individual. While the PDPA does not
prescribe any minimum resolution for CCTV
footage that is requested to be provided to
individuals, given that the requirement is for
the organisation to provide the personal data
in its possession or under its control, the
organisation should provide the CCTV footage
in the form and of the resolution it holds for its
purposes.
In providing the individual a copy of the CCTV
footage, the organisation should generally
seek to mask images of other individuals who
may be present in the CCTV footage.
Organisations have the option of requiring
that individuals pay a minimal fee before
acceding to any such request for a copy of the
CCTV footage.
On a related note, organisations may require
that the individual, to whom it provides a copy
of CCTV footage, sign a contract to agree not
to disclose to any third party the CCTV footage
provided to him. However, organisations
should note that individuals acting in a
personal or domestic capacity are not subject
to the Data Protection Provisions of the PDPA.
61. Can individuals make joint access
requests for CCTV footage containing
their images, if they consent to their
own images being viewed by the others
making the joint request?
Yes. The Commission has expressed its views
that it would be reasonable for certain groups
of individuals (e.g. a married couple, or parents
of a class of students) to jointly make an
access request to view CCTV footage.
62. Can job applicants ask an organisation
to reveal how much information the
organisation has about them, or find
out why they were not selected?
Generally, yes. A job applicant would have the
right to request for access to their personal
data held in the possession or under the
control of an organisation, to find out whether
and what type of their personal data are held
by the organisation, and how the organisation
is using their personal data.
However, the PDPA provides for certain
exceptions where an organisation need not
accede to such a request by a job applicant. For
example, if the personal data in question is
opinion data kept solely for an evaluative
purpose (e.g. opinions of management staff of
the organisation which were formed about the
job applicant in the course of determining his
suitability and eligibility for the job), the
organisation will not be required to provide
such information to the individual.
OTHER IMPORTANT CONCEPTS
63. What does it mean to anonymise
personal data?
For the purposes of the PDPA, personal data
may be anonymised by removing all
information that can be used to identify a
particular individual.
In other words, where the remaining
information, whether alone or together with
any other information that an organisation has
or is likely to have access to, can no longer be
used to identify a particular individual, such
information may be said to have been
anonymised.
64. How can personal data be anonymised?
The Commission has provided the following
suggestions on how data may be anonymised:
(a) Pseudonymisation: by replacing personal
identifiers (such as a person’s full name)
with other references (such as a randomly
generated reference number);
(b) Aggregation: by displaying only total
values rather than individual values which
could identify an individual (e.g. displaying
the sum of individual ages of the total
number of individuals in a group, rather
than the age of each individual
specifically);
(c) Replacement: by replacing specific values
or a subset of specific values with a
computed average or a number derived
from the specific values (e.g. instead of
referring to 3 individuals aged 15, 18 and
20 years old, to make reference to 3
individuals aged approximately 17 years
old);
(d) Data reduction: by removing values that
are not required for the purpose (e.g.
removing an individual’s ethnicity from a
data set of the individual’s attributes);
(e) Data suppression: by banding or hiding
the value within a given range (e.g.
replacing the age ‘41’ with the range ’40-
50’);
(f) Data shuffling: by mixing up or replacing
values with those of the same type so that
information looks similar but is unrelated
to the actual details; and
(g) Masking: by removing certain details while
preserving the look and feel of the data
(e.g. representing an NRIC number as
‘S0XXXX45A’ instead of ‘S0122445A’).
It should be noted, however, that the
application of the above anonymisation
techniques may not render a data set fully
anonymised, or anonymised in perpetuity and
there remains a risk that anonymised data can
be used to re-identify particular individuals
(see question 65 below).
Where there is more than a trivial possibility of
so-called anonymised data being re-identified,
such data may still be regarded by the
Commission as personal data (see questions
65 and 66 below).
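The seven techniques in question 64 are easy to state but easy to apply inconsistently. The following is an added example, written for this supplement and not taken from the Advisory Guidelines or from the Commission, that implements each technique as a function and then combines them over a small set of records. The records, names, NRIC numbers and postal codes are constructed for illustration; the function names are the editor's own and assume nothing about any particular system.

```python
"""Added example, not taken from the FAQ or the Commission's guidelines: the
seven anonymisation techniques listed in question 64, each written as a
function and applied to a small set of constructed records. Every name,
NRIC number and value below is made up for illustration."""
import random
import secrets
from statistics import mean

# Constructed sample records: none of these describe a real person.
RECORDS = [
    {"name": "Tan Ah Kow", "nric": "S0122445A", "age": 15,
     "ethnicity": "Chinese", "postal": "238801"},
    {"name": "Siti Aminah", "nric": "S0345678B", "age": 18,
     "ethnicity": "Malay", "postal": "238801"},
    {"name": "Raj Kumar", "nric": "S0298765C", "age": 20,
     "ethnicity": "Indian", "postal": "238802"},
    {"name": "Lee Mei Ling", "nric": "S0456789D", "age": 41,
     "ethnicity": "Chinese", "postal": "238803"},
]


def pseudonymise(records, key="name"):
    """(a) Replace a direct identifier with a random reference number.
    The name-to-reference mapping is returned separately: whoever holds it
    can reverse the pseudonymisation, so it is itself personal data and
    must be protected, or destroyed once no longer needed."""
    mapping = {}
    out = []
    for rec in records:
        ref = mapping.setdefault(rec[key], "REF-" + secrets.token_hex(4))
        out.append({**{k: v for k, v in rec.items() if k != key}, "ref": ref})
    return out, mapping


def aggregate(records, field="age"):
    """(b) Release only a total for the group, not each individual's value."""
    return {"count": len(records), "total_" + field: sum(r[field] for r in records)}


def replace_with_average(records, field="age"):
    """(c) Replace each specific value with a figure derived from the group:
    here the truncated mean, so ages 15, 18 and 20 all become 'about 17'."""
    avg = int(mean(r[field] for r in records))
    return [{**r, field: avg} for r in records]


def reduce_fields(records, drop=("ethnicity",)):
    """(d) Remove attributes the purpose does not require."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]


def suppress_band(value, width=10):
    """(e) Hide an exact value inside a band, e.g. 41 -> '40-50'."""
    low = (value // width) * width
    return "%d-%d" % (low, low + width)


def shuffle_field(records, field="postal", rng=None):
    """(f) Shuffle one column across records: every value still looks real,
    but is no longer attached to the individual it came from."""
    rng = rng or random.Random()
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def mask_nric(nric):
    """(g) Keep the prefix and the last three characters, blanking the rest:
    'S0122445A' -> 'S0XXXX45A'."""
    return nric[:2] + "X" * (len(nric) - 5) + nric[-3:]


def anonymise(records):
    """Combine the techniques: pseudonymise, drop unneeded fields, band the
    age, mask the NRIC and shuffle the postal code. The caveat in question
    64 still applies: the result is only as anonymous as its weakest field,
    and the pseudonym mapping is deliberately discarded here."""
    out, _mapping = pseudonymise(records)
    out = reduce_fields(out)
    out = [{**r, "age": suppress_band(r["age"]), "nric": mask_nric(r["nric"])}
           for r in out]
    return shuffle_field(out, rng=random.Random(0))


if __name__ == "__main__":
    for row in anonymise(RECORDS):
        print(row)
    print(aggregate(RECORDS))
```

Note that pseudonymisation on its own is reversible by anyone holding the mapping, which is why the combined routine discards it; whether the combined output is "anonymised" in the Commission's sense still depends on what other information the recipient holds (questions 65 to 67).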
65. What are some challenges and
limitations in anonymising data?
Reduced functionality or usefulness of data
When data is stripped of too many personal
identifiers, the data may lose its usefulness,
and an organisation may be denied the
potential uses for the data which it has
collected.
Accordingly, before anonymising data, an
organisation should consider whether the
anonymised data would still be suitable for its
intended purposes.
Risk of re-identification
It should be noted that the application of the
anonymisation techniques (such as those
described in question 64 above) may not
render a data set fully anonymised, or
anonymised in perpetuity.
There remains a risk that anonymised data can
be used to re-identify particular individuals
when it is combined with other information
that the organisation has or is likely to have
access to.
Generally, re-identification involves identifying
an individual beyond doubt.
Where data is capable of re-identification, it
will generally be considered as personal data,
and will be subject to the Data Protection
Provisions.
By way of illustration, while a resultant data set
derived from the application of anonymisation
techniques may itself be anonymised for the
time being, if such resultant data set can still
be combined with other information that an
organisation has or is likely to have access to,
so as to identify particular individuals, the
combination of this resultant data set and the
other information will, when taken together,
still constitute personal data. In such a case,
given that the organisation retains the ability
to re-identify individuals from the de-identified
data, the organisation will be considered to be
holding personal data.
Likewise, where an anonymised resultant data
set is disclosed to another organisation, and
that other organisation is able to combine the
data set it has received with other information
that it has, or is likely to have access to, so as
to identify or re-identify particular individuals,
the anonymised data set and the other
information will, when taken together, still
constitute personal data.
66. Under what circumstances might data
be considered to have been re-
identified?
While various factors, such as educated
guessing, cross-relating information in
anonymised data sets, public knowledge or
information about groups of people, may
increase the possibility of re-identification, it
does not necessarily follow that the
Commission will always consider the data
concerned as personal data.
Importantly, if there remains only a trivial risk
of re-identification, the data concerned will not
be considered as personal data.
Educated guessing
The fact that a person making an educated
guess, by matching public or established
information with anonymised data, can narrow
down the possible identities of particular
individuals and potentially make a successful
guess may not in itself mean that the data is
personal data.
For instance, an organisation publishes a list of
masked NRIC numbers of the winners of a
lucky draw which reveal only the first 3 digits
of the NRIC numbers. Since the first two digits
typically reveal one's birth year, it could be
ascertained that one of the winners was 22
years of age. On the same day, it is reported in
the newspapers that the two youngest
participants in the lucky draw were both 22
years of age. By matching this information, a
person may therefore make an educated guess
that one of these two participants was the
lucky draw winner. However, to the extent that
it is unclear which of these two participants
might have been the lucky draw winner, there
is no re-identification.
Cross-relating information in anonymised data
sets
A person may be able to identify an individual by
cross-relating information from two separate
anonymised data sets which contain similar
information. However, if such individual
ultimately remains an unknown individual,
there would be no re-identification and the
data will not be regarded as personal data.
For instance, Data Set A refers to an individual
#10147, who has the following characteristics:
male, blood type A, age 45, weight 88.8kg,
height 1.89m. Data Set B refers to an individual
#58965, who has the following characteristics:
male, blood type A, weight 88.8kg, height
189cm, suffering from hypertension. In such a
case, while a person having access to
both data sets may be able to cross-relate the
information in these two data sets and
establish that the two data sets relate to the
same individual, such person is unable to
identify who that individual actually is.
Accordingly, there is no re-identification and
the data will not be regarded as personal data.
Public knowledge
In ascertaining the re-identification risks of an
anonymised data set, it will be important to
take into account the use of public knowledge
(such as established facts) or information that
is readily available to the public (such as
information in telephone directories or society
membership listings).
If an individual can be easily re-identified when
public knowledge/information is combined
with anonymised data, this will present
significant re-identification risks.
Personal knowledge
Having personal knowledge would not
generally amount to a high re-identification
risk for an anonymised data set.
The Selected Topics Guidelines states that, just
because an individual himself or someone
close to him is able to identify him from an
anonymised data set, this does not necessarily
mean that that anonymised data set is
personal data.
Information about groups of people
Information about groups of people may not
constitute personal data if it does not identify
any particular individual within the group.
However, such information may reveal the
personal data of an individual when combined
with other information, and thereby present
re-identification risks.
For example, an anonymised data set relating
to a group of individuals living within a postal
code reveals that they are all HIV-positive.
While no individual was identified, the
information reveals the personal data of one of
the individuals known to be living there.
Hence, if it becomes known that a person
(person A) lives in that postal code, then it
would also be known that person A is HIV-
positive. In such case, the anonymised data set
relating to this group of individuals will be
considered as personal data, when its
combination with other information or
knowledge can reveal personal data of an
individual.
67. How can organisations assess the risk of
re-identification?
As a guide, the Commission has suggested
that some factors which organisations should
consider in assessing whether anonymised or
de-identified data may be subsequently used
to re-identify individuals include:
(a) the type of data de-identified;
(b) the amount of alteration the data has been
subject to in the course of anonymisation;
(c) the degree and standard of the
anonymisation process;
(d) whether the data is disclosed to a specific
recipient whose motivations, re-
identification capabilities, and other
information in possession of that recipient
are known or can be reasonably inferred;
(e) the ease of access to, and volume of, other
information (such as complementary
information) available or likely to be
available;
(f) the organisation’s capability to re-identify
individuals (e.g. computing power and
availability of data-linking techniques,
having access to complementary
information or having specialised skills or
technologies that enable re-identification);
(g) the motivations for re-identification (in this
regard, the Commission has suggested
that it may be useful for organisations to
apply a ‘motivated intruder test’); and
(h) other risks that subject the data to re-
identification risks, including ‘residual’ risks
that are not directly related to a recipient’s
motivation and capability to re-identify
(e.g. risks of the data being compromised
or mistakenly disclosed to unintended
recipients such as people with better
ability of re-identification).
Motivated intruder test
The motivated intruder test considers whether
individuals can be re-identified from
anonymised data by someone who is
motivated, reasonably competent, has access
to standard resources such as the Internet and
published information such as public
directories or national archives, and employs
standard investigative techniques such as
making enquiries of people who may have
additional knowledge of the identity of the
data subject.
The motivated intruder test assumes that no
particular individual has been targeted for
identification and that the intruder does not
resort to criminality or any specialist
equipment or skills.
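The scenarios in question 66 (cross-relating two anonymised data sets, the educated guess, and disclosure through group membership) and the risk factors in question 67 can be turned into concrete checks that an organisation can run over a data set before disclosing it. The following is an added example, written for this supplement and not taken from the Advisory Guidelines or from the Commission. Data Set A and Data Set B follow the numbers given in question 66; the public listing, the postal-code set and the names "Person A" to "Person C" are constructed for illustration, and the function names are the editor's own.

```python
"""Added example, not taken from the FAQ or the Commission's guidelines:
re-identification checks behind the scenarios in questions 66 and 67:
cross-relating two anonymised data sets, counting candidates against a
public listing, and detecting group-level disclosure. All data sets, the
listing and the names in them are constructed for illustration."""
from collections import defaultdict

# Constructed data sets modelled on the question 66 example: #10147 and
# #58965 describe the same person, with height recorded in different units.
DATA_SET_A = [
    {"id": "#10147", "sex": "male", "blood": "A", "age": 45,
     "weight_kg": 88.8, "height_m": 1.89},
    {"id": "#10148", "sex": "female", "blood": "O", "age": 30,
     "weight_kg": 55.0, "height_m": 1.62},
]
DATA_SET_B = [
    {"id": "#58965", "sex": "male", "blood": "A",
     "weight_kg": 88.8, "height_cm": 189, "condition": "hypertension"},
    {"id": "#58966", "sex": "male", "blood": "B",
     "weight_kg": 70.2, "height_cm": 175, "condition": "none"},
]
# Constructed 'public knowledge', e.g. a society membership listing.
PUBLIC_LISTING = [
    {"name": "Person A", "sex": "male", "age": 45},
    {"name": "Person B", "sex": "male", "age": 45},
    {"name": "Person C", "sex": "female", "age": 30},
]
# Constructed group data modelled on the postal-code example.
POSTAL_SET = [
    {"id": "#1", "postal": "238801", "status": "positive"},
    {"id": "#2", "postal": "238801", "status": "positive"},
    {"id": "#3", "postal": "238802", "status": "positive"},
    {"id": "#4", "postal": "238802", "status": "negative"},
]


def quasi_key(rec):
    """Normalise the shared attributes so that 1.89 m and 189 cm compare
    equal; without this step the two sets would not link."""
    height_cm = rec["height_cm"] if "height_cm" in rec else round(rec["height_m"] * 100)
    return (rec["sex"], rec["blood"], round(rec["weight_kg"], 1), int(height_cm))


def cross_relate(set_a, set_b):
    """Link records across two anonymised sets on their shared attributes.
    Linking #10147 to #58965 attaches 'hypertension' to the person behind
    #10147, but still does not say who that person is."""
    index = defaultdict(list)
    for rec in set_b:
        index[quasi_key(rec)].append(rec["id"])
    return {rec["id"]: index.get(quasi_key(rec), []) for rec in set_a}


def candidates(rec, listing, fields=("sex", "age")):
    """Names in the public listing matching a record on the given fields."""
    return [p["name"] for p in listing if all(p[f] == rec[f] for f in fields)]


def reidentified(rec, listing, fields=("sex", "age")):
    """Re-identification in the FAQ's sense means one individual beyond
    doubt: two remaining candidates is an educated guess, not
    re-identification, so None is returned in that case."""
    found = candidates(rec, listing, fields)
    return found[0] if len(found) == 1 else None


def smallest_group(records, fields):
    """Size of the smallest set of records sharing the same values for
    'fields'. A group of size 1 is unique within the data set and is the
    first thing a motivated intruder (question 67) would look for."""
    counts = defaultdict(int)
    for rec in records:
        counts[tuple(rec[f] for f in fields)] += 1
    return min(counts.values())


def group_disclosure(records, group_field, sensitive):
    """Groups in which every member shares the same sensitive value: knowing
    only that someone belongs to the group reveals that value for them."""
    values = defaultdict(set)
    for rec in records:
        values[rec[group_field]].add(rec[sensitive])
    return {g: next(iter(v)) for g, v in values.items() if len(v) == 1}


if __name__ == "__main__":
    print(cross_relate(DATA_SET_A, DATA_SET_B))
    for rec in DATA_SET_A:
        print(rec["id"], candidates(rec, PUBLIC_LISTING), reidentified(rec, PUBLIC_LISTING))
    print(group_disclosure(POSTAL_SET, "postal", "status"))
```

Run against the constructed data, the checks reproduce the FAQ's reasoning: #10147 links to #58965 (attribute disclosure without identity), the male aged 45 matches two names in the listing (an educated guess, so no re-identification), the female aged 30 matches exactly one, and postal code 238801 is a group whose members all share one sensitive value. The unit normalisation in quasi_key is the practical point: a data set that looks unlinkable because of formatting differences is not, and a reviewer assessing factor (e) of question 67 should normalise before concluding that linkage is impractical.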
68. Will the Commission penalise
organisations for inadequate risk
assessments in relation to re-
identification?
At this stage, organisations are expected to
perform reasonable assessments of re-
identification risks if they are intending to
disclose any anonymised data sets. Such risk
assessments must be commensurate with the
nature of the data being anonymised and
other relevant factors (see question 67 above).
The Commission does not, however, expect
organisations to anticipate what is yet
unknown in such risk assessments.
Accordingly, should an organisation breach
the PDPA as a result of re-identification, the
Commission may be prepared to take into
consideration an organisation’s efforts to
reduce re-identification risks as a mitigating
factor in assessing its liability for such breach.
69. What is the correlation between the
motivation for re-identification and the
risk of re-identification?
In the scenario where two organisations have
similar motivations for re-identification of
certain data, the organisation (Organisation A)
that possesses complementary information,
specialised skills or technologies would more
likely be capable of re-identifying individuals
from that data (and thereby have a higher risk
of re-identifying the data) than the other
organisation (Organisation B) that does not
have access to such information, skills or
technologies. In such case, there is a higher
risk of re-identification by Organisation A.
However, it may not necessarily follow that the
risk of re-identification will be higher where an
organisation has the requisite skills and
information for re-identification.
In a different scenario, Organisation A may
have little motivation to re-identify an
individual owing to disincentives, such as
regulatory or other legal (e.g. contractual)
obligations or consequences for re-identifying
individuals from the data which will serve to
negate any incentive or benefit that
Organisation A may derive when it re-identifies
an individual. Here, although Organisation A
may possess complementary information,
specialised skills or technologies which may
make it more capable of re-identifying
individuals, this may not necessarily mean that
the risk of re-identification by Organisation A
will be higher than Organisation B which may
be highly motivated to carry out re-
identification.
70. How can organisations lower the risk of
re-identification?
Broadly speaking, the impracticality of re-
identification can act as a deterrent to any
motivation for re-identifying anonymised data,
and may consequently lower the risk of re-
identification.
The risks of re-identification of data may be
lowered in various ways, including:
(a) by employing robust anonymisation
techniques;
(b) by limiting the number of people to whom
the anonymised data is disclosed;
(c) by imposing additional enforceable
restrictions on the use and subsequent
disclosure of the anonymised data;
(d) by implementing processes to govern
proper use of the anonymised data in line
with the restrictions (e.g. access
restrictions); and
(e) by implementing processes and measures
for the destruction of anonymised data as
soon as they no longer serve any business
or legal purpose.
SCOPE OF THE DNC PROVISIONS
71. To whom are the DNC Provisions
applicable?
The Do Not Call provisions, which are set out
in Part IX of the PDPA apply to all persons. This
includes individuals, companies, associations
and any incorporated or unincorporated
bodies of persons.
Generally, the DNC Provisions apply to a
person sending a “specified message” if that
person is a “sender” (see questions 72 and 73
below), and:
(a) sends the specified message when they
are in Singapore at the time the message
is sent; or
(b) sends the specified message to a recipient
who is in Singapore at the time the
message is accessed.
If the sender(s) and recipient are both not in
Singapore at the time the message is sent and
accessed respectively, the DNC Provisions will
not apply.
For instance, in the scenario where an
individual is subscribed to a Singapore
telecoms service provider and, when he travels
to London, receives a specified message from
a London telecoms operator, the DNC
Provisions will not apply.
In the scenario where the same individual
travels to London and receives a specified
message from his bank which is in Singapore,
the DNC Provisions will apply to the sending of
such specified message by the bank.
In the scenario where the same individual,
while in Singapore, receives through an
overseas number a specified message from his
bank which is in Singapore, but which has
outsourced its marketing operations to an
overseas call centre and authorised such
overseas call centre to send the specified
message, the DNC Provisions will apply to the
sending of such specified message by the bank
using the overseas number.
72. The DNC Provisions apply to “specified
messages”. What are “specified
messages”?
Generally, specified messages are messages
which have one or more of the following
purposes:
(a) to advertise, promote or offer to supply or
provide: (i) goods or services, (ii) an
interest in land; or (iii) a business or
investment opportunity;
(b) to advertise or promote a
supplier/provider or prospective
supplier/provider of: (i) goods or services,
(ii) an interest in land; or (iii) a business or
investment opportunity; or
(c) any other purposes as may be prescribed
under the PDPA (at a later stage) which are
related to obtaining or providing
information.
Importantly, a message can constitute a
specified message even if:
(a) the above-mentioned goods, services,
land, interest in land and/or business or
investment opportunity do not exist; or
(b) it may be unlawful to acquire such goods,
services, land or interest or take up the
opportunity referred to in the message.
To determine whether the message is being
sent for any of the above purposes, a person
should take into consideration the content and
presentation of the message. This includes the
telephone number from which the message
was sent, as well as any content that may be
obtained through the message, such as any
numbers, URLs or contact information which
are set out in the message.
Exclusions
It should be noted, however, that certain categories of messages are expressly excluded from the definition of “specified messages”. These exceptions are set out in the Eighth Schedule of the PDPA, and include:
(a) messages sent by a public agency (e.g. Government ministries, tribunals appointed under written law and certain statutory bodies) under, or to promote, any programme carried out by any public agency which is not for a commercial purpose;
(b) messages sent by an individual acting in a personal or domestic capacity;
(c) messages which are necessary to respond to an emergency that threatens the life, health or safety of any individual;
(d) messages which have, as their sole purpose:
i. the facilitation, completion or confirmation of a transaction that the recipient has previously agreed to enter into with the sender;
ii. the provision of warranty information, product recall information or security information with respect to a product or service purchased or used by the recipient of the message;
iii. the delivery of goods or services, including any product updates or upgrades, that the recipient of the message is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender;
FAQs to the Advisory Guidelines to the PDPA
www.drewnapier.com 42
iv. the notification of any change in the terms/feature of, or standing/status of the recipient of the message with respect to, a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of the goods or services offered by the sender;
v. the provision, at regular periodic intervals, of account balance information or other types of account statements with respect to a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of the goods or services offered by the sender; or
vi. the conduct of market research or market survey; and
(e) messages sent to an organisation (as opposed to an individual in a personal or domestic capacity) for any purpose of the receiving organisation (e.g. business to business (B2B) marketing messages).
It may also be noted that, based on guidance provided by the Commission in its Selected Topics Guidelines, a message that is sent solely to promote an employment opportunity would not be regarded as a specified message.
B2B marketing messages
Regarding B2B marketing messages, these generally include the marketing of goods and services by one company to another company. For instance, organisation A may call an employee of organisation B using the business contact details of such employee which it obtained from B’s website. Such a message would generally fall within exception (e) above, and would not constitute a specified message for the purposes of the DNC Provisions. However, if organisation A, while speaking with the employee of organisation B, asks such employee whether he/she may be interested in purchasing another product for his/her personal use, such a message would constitute a specified message for the purposes of the DNC Provisions.
73. The DNC Provisions apply to “senders”. Who are “senders”?
A sender refers to any person who:
(a) actually sends or makes a voice call containing a message;
(b) causes a message to be sent or a voice call containing a message to be made; or
(c) authorises the sending of a message, or making of a voice call containing a message.
74. When might a person be responsible under the DNC Provisions for a specified message that he is not actively involved in sending?
Deeming provisions under the PDPA
A person (i.e. person A) might be deemed to be responsible for a specified message that he is not actively involved in sending where he has authorised another person (i.e. person B) to promote his goods, services, land, interest in land and/or business or investment opportunity (i.e. send a specified message). However, if person A takes reasonable steps to prevent person B from sending any specified message for the purpose of promoting person A’s goods, services, land, interest in land and/or business or investment opportunity, person A may not be deemed under the PDPA to have authorised person B to send the specified message for those purposes.
The question of whether reasonable steps have been taken by person A will depend on the specific facts. For instance, in a contract between person A and person B, if it is expressly stated that person B “shall not send
any message, whether in sound, text, visual or other form, to a Singapore telephone number to promote A’s services unless expressly permitted in writing by A”, this could be regarded as a reasonable step taken by person A to prevent person B from sending a specified message.
Express exclusions under the PDPA
The PDPA provides certain express exclusions, where a person who is not actively involved in sending a specified message will, by default, not be presumed to have sent such message. Under the PDPA, the following persons are presumed not to have sent or authorised a sending of a message, unless otherwise proved:
(a) telecoms service providers who merely provide a service that enables the sending of a specified message; and
(b) owners or authorised users of a telecoms device, service or network that was used to send a specified message, if that device, service or network was controlled by a person without the knowledge of the owner or authorised users at the relevant time.
Defence for employees
On a related note, an employee who sends a specified message in contravention of the DNC Provisions may have a defence under the PDPA, if such employee can prove that he acted or engaged in conduct in good faith in the course of his employment, or in accordance with instructions given to him by or on behalf of his employer in the course of his employment.
75. Do the DNC Provisions only apply to specified messages sent to a Singapore telephone number?
Currently, yes. The Minister may, however, prescribe other telephone numbers to be subject to the DNC Provisions.
It should be noted that messages sent to a “Singapore telephone number” include voice calls, SMS or any data applications (such as WhatsApp, Viber, iMessage) which use a Singapore telephone number.
OBLIGATIONS AND DUTIES UNDER THE DNC PROVISIONS
76. What does a person need to do before sending a specified message?
Generally, a person that intends to send a specified message to a Singapore telephone number should check the relevant DNC Register before sending such message (see question 77 below), and confirm that the Singapore telephone number is not listed on the DNC Register before sending such message.
However, it will not be necessary to check the DNC Register if valid, clear and unambiguous consent of the user or subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number (see question 81 for more details).
The above requirements will take effect from 2 January 2014.
77. Is it necessary to check the DNC Register every time a specified message is proposed to be sent?
No. Generally, after a person has checked whether a number is registered on a DNC Register, these results will be valid for a certain period (validity period), as follows:
(a) for results received between 2 January 2014 and 31 May 2014 – these results will be valid for 60 days;
(b) for results received between 1 June 2014 and 1 July 2014 – these results will be valid until 31 July 2014; and
(c) for results received from 2 July 2014 – these results will be valid for 30 days.
Hence, if a person wishes to send a specified message to the same telephone number (that it has confirmed is not registered on the DNC Register) during the validity period, it will not be necessary to re-check whether the telephone number is registered on the DNC Register until the expiry of the validity period.
Further, as mentioned above, it is generally not necessary to check the DNC Register if clear and unambiguous consent of the user or subscriber of the telephone number has been provided to allow the person to send the specified message to that telephone number.
78. What happens when a person who had previously given consent to receive specified messages subsequently withdraws such consent?
From 2 January 2014 onwards, the withdrawal of consent must be effected within the following time periods:
(a) for withdrawal of consent between 2 January 2014 and 1 July 2014, it must be effected within 60 days; and
(b) for withdrawal of consent from 2 July 2014 onwards, it must be effected within 30 days.
Therefore, even if a specified message is sent to a user or subscriber of a telephone number a few days after such user/subscriber has withdrawn his/her consent to receive specified messages, this may not amount to a contravention of the DNC Provisions.
79. A person has previously given consent to receive specified messages, but subsequently registers his/her telephone number on a DNC Register. Is the consent still valid? Can specified messages be sent to such person?
Yes. It is possible to send specified messages to a telephone number, without first checking the relevant DNC Register, where the user or subscriber of that telephone number has previously given clear and unambiguous consent to receive specified messages, which can continue to be relied upon.
Therefore, if a user/subscriber of a telephone number no longer wishes to receive specified messages from a particular person to whom such user/subscriber had previously given his/her consent, it would not be sufficient to register that telephone number on the relevant DNC Register.
80. Who can withdraw consent in respect of a telephone number?
Either a user or subscriber of a telephone number may withdraw consent to receive specified messages using that telephone number.
In cases where the user of the telephone number is not the subscriber of the telephone number, the subscriber may withdraw consent which had been given by the user of the telephone number.
81. What would constitute valid consent for the purposes of the DNC Provisions?
Requirements regarding consent
In order for consent to be regarded as valid, it must satisfy the following conditions:
(a) if the consent was sought as a condition for supplying goods, services, land, interest in land and/or business or investment opportunity, the consent sought must not have been more than what is reasonable to provide such goods, services, land, interest in land and/or business or investment opportunity to that subscriber/user;
(b) it must not have been obtained by providing false or misleading information
or by using deceptive or misleading practices; and
(c) it must be clear and unambiguous (see below).
Consent from a user/subscriber will no longer be regarded as valid if the user/subscriber was prohibited from withdrawing his/her consent.
Clear and unambiguous consent
The Key Concepts Guidelines provide that the following facts will need to be considered to determine if the consent is, in fact, clear and unambiguous:
(a) whether the person had notified the user or subscriber clearly and specifically that specified messages would be sent to his or her Singapore telephone number; and
(b) whether the user or subscriber gave consent to receive specified messages through some form of positive action. The failure to opt out through inaction on the part of the user or subscriber would not usually be enough to amount to taking positive action (see question 19 above).
The Commission recommends that “clear and unambiguous” consent would generally require that the consent be evidenced:
(a) in writing – such as using a physical or electronic form; or
(b) in a form that is accessible for future reference – for instance, by capturing the consent given in an audio or video recording. The consent must be captured in a manner or form that can be retrieved and reproduced at a later time in order to confirm that such consent was obtained.
82. If consent has been obtained from a person before the DNC Provisions come into effect (2 January 2014), is such consent still valid?
Yes, such consent would be valid and would exempt a person from having to check the DNC Register prior to sending a specified message, provided that:
(a) the consent has not been withdrawn; and
(b) the consent is valid and is clear and unambiguous (see question 81 above).