- Category: August 2013 - Data Protection & Security
In today’s fast-paced information age, massive amounts of personal data are collected, used and even transferred to third party organizations for a variety of reasons. This trend is expected to grow exponentially as large amounts of personal data are becoming possible with the aid of sophisticated technology.
On 2 January 2013, the Personal Data Protection Commission (PDPC) was set up by the Singapore Government to administer and enforce the Personal Data Protection Act 2012 (PDPA). The other roles of PDPC include the undertaking of public education and engagement programs to help organizations understand and comply with the PDPA, as well as to promote greater awareness of the importance of personal data protection in Singapore.
The Act aims to strengthen the competitiveness and position of companies doing business in Singapore by instilling a certain degree of trust and security in this area. Besides, it will ensure there is a baseline standard of protection for personal data across the economy by complementing sector specific legislative and regulatory frameworks.
Organizations now have to comply with the Act as well as the common law and other relevant laws that are being applied to the specific industry that they belong to, when handling personal data in their possession. The three concepts of the PDPA are:
- On consent – Organizations may collect, use or disclose personal data only with the individual’s knowledge and consent;
- Purpose – Personal data can be collected, used or disclosed in an appropriate manner for the circumstances, and only if the organization has informed the individual of the purposes for the collection, use and disclosure;
- Reasonableness – Organizations may collect, use and disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances
The PDPA covers personal data stored in electronic and non-electronic forms. The data protection provisions in the PDPA (parts III to VI) generally do not apply to:
- Any individual acting in a personal or domestic basis.
- Any employee acting in the course of his or her employment with an organization.
- Any public agency or an organization in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
- Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statues, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.
The PDPA takes effect in phases starting with the provisions relating to the formation of the Personal Data Protection Commission (PDPC) on 2 January 2013. Provisions relating to the DNC registry will come into force on 2 January 2014 and the main data protection rules will come into force on 2 July 2014. This allows time for organizations to review and adopt internal personal data protection policies and practices, to help them comply with the PDPA. During this transition period, the PDPC will undertake educational and outreach activities to aid public understanding of and organizations’ compliance with the PDPA.
The DNC registry
The introduction of the Do Not Call (DNC) registry lets one opt out of marketing messages that are addressed to their Singapore telephone, such as those messages that promote or advertise a product or service. This will allow the recipient more control over the kind of messages you receive on your telephone, mobile phone or fax machine.
Organizations will be prohibited from sending such marketing messages to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the registry.
The DNC registry is set up to focus on telemarketing calls or messages of a commercial nature sent to consumers.
There are certain areas that the DNC registry does not cover:
- Messages for pure market survey or research;
- Messages that promote charitable or religious causes;
- Personal messages sent by individuals;
- Public messages sent by government agencies;
- Political messages.
Telemarketing calls or messages of a commercial nature that target other businesses are also excluded from the DNC registry provisions. For the list of messages that are excluded under the PDPA, please refer to the Eighth Schedule of the PDPA.
But end users can still choose to receive marketing messages by certain organizations, simply by giving them a clear and unambiguous consent in written or other accessible form. Marketers can only send marketing messages to end users after obtaining their consent to their Singapore telephone numbers even if it is registered with the DNC registry. If the end users do change their mind, they can still withdraw their consent from the organization concerned (subjected to existing contracts).
The DNC registry generally prohibits organizations from sending certain marketing messages such as:
- Offering to supply, advertise or promote goods or services;
- Advertising / promoting suppliers or prospective suppliers of goods or services; or
- Supplying /advertising / promoting land, interests in land or business/investment opportunities.
The organization has to make sure when sending such messages or authorizing another organization to do so, it has to ensure that the messages are not sent to Singapore telephone numbers registered with the DNC registry.
If you want to send marketing messages to Singapore telephone numbers you need to:
- Check with the DNC registry, unless you have the recipients’ clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.
- The organization should send in a list of the telephone numbers that you are planning to send the messages to check with the DNC registry. The DNC registry will then indicate on the list, whether each number is in each of the Registers. The organization may then send its marketing messages to the numbers that are not in the relevant Registers. Your organization may rely on the information given by the DNC registry on whether any number is registered on any of the Registers for up to 30 days (60 days for the first six months of the DNC registry’s operations). If your organization intends to send the marketing message after the 30 days has lapsed, it must submit its list of numbers to the DNC registry again.
- If your organization is sending a text or fax message, you must include clear and accurate information identifying your organization as well as contact details within the message. This allows the recipient to contact you for clarifications, if necessary.
- If your organization is making a voice call, you have to ensure that the calling identity, or phone number from which the message is sent out from, is not concealed.
This new set of guiding regulations will definitely affect how marketers send their marketing messages across to the consumers and also enables the consumers more control the inflow of such messages on their end. For me I think the most affected industries are mainly insurance, banking and property and they have to rethink how they market their products and services. But the good thing is, they have decent time till next year to fine-tune and adjust when the policy is officially rolled out.
For more information about the Act, visit the Personal Data Protection Commission website.
By Augustine Hong