Personal Data Protection Act (PDPA) Compliance

version 2019-1.2

What is Personal Data?

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Objectives of PDPA

Today, vast amounts of personal data are collected, used and even transferred to third party organisations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.

With such a trend comes growing concerns from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organisations that manage data.

By regulating the flow of personal data among organisations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.

 

How does PDPA work?

The PDPA will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that organisations will have to comply with the PDPA as well as the common law and other relevant laws that are applied to the specific industry that they belong to, when handling personal data in their possession.

The PDPA takes into account the following concepts:

• Consent – Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);
• Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and
• Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

 

Application of PDPA

The PDPA covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

• Any individual acting in a personal or domestic basis.
• Any employee acting in the course of his or her employment with an organisation.
• Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
• Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statutes, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.

 

Legislations

The Act

• Personal Data Protection Act 2012

Main Advisories References

• Advisory Guidelines on Key Concepts in the PDPA (revised 15 July 2019)
• Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers (issued 31 August 2018)
• Guide to Data Protection By Design for ICT Systems

 

Key obligations for organisations to comply

The Data Protection Provisions contain nine main obligations which organisations are required to comply with if they undertake activities relating to the collection, use or disclosure of personal data. These obligations may be summarised as follows. The sections of the PDPA which set out these obligations are noted below for reference.

The Consent Obligation (PDPA sections 13 to 17)

An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

The Purpose Limitation Obligation (PDPA section 18)

An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

The Notification Obligation (PDPA section 20)

An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

The Access and Correction Obligations (PDPA sections 21 and 22)

An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation.

The Accuracy Obligation (PDPA sections 23)

An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation.

The Protection Obligation (PDPA section 24)

An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

The Transfer Limitation Obligation (PDPA section 26)

An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

The Accountability Obligation (PDPA sections 11 and 12)

An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.

 

Application of Data Protection Provisions

Collection, use or disclose of nric or identity numbers

Organisations are generally not allowed to collect, use or disclose NRIC or identity numbers (or copies). They may do so only in the following specified circumstances:

• Collection, use or disclosure of NRIC or identity numbers (or copies) is required under the law (or an exception under the PDPA applies); or
• Collection, use or disclosure of NRIC or identity numbers (or copies) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.

Where the collection of the NRIC or identity number (or copy) is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity, it would generally be considered reasonable for the organisations to require the consent of the individual to collect, use or disclose his or her NRIC or identity number for the stated purpose.

 

Intercorp's Compliance to PDPA

Compliance to PDPA's Consent Obligation

All personnel of Intercorp Solutions Pte Ltd (hereby known as “Intercorp”) and its associating and subsidiaries companies are required to sign an NDA (Non-disclosure agreement) letter to allow their personal information to be used for work-related purposes by their employers and to safeguard all clients’ personal information from malicious sharing, recording and illegal storage. Internal workshops, reminders and good practises are shared on matters and compliance to the PDPA Act.

Referring to PDPC Advisory Guidelines on Key Concepts in the PDPA Act (revised 15 July 2019), Intercorp is deemed a data intermediary (under the definition of Pt 6.15 page 22), and is obligated to the protection and retention of personal data (Pt 6.16 page 22) under Intercorp’s care.

All key stakeholders of client organisations, which uses Intercorp’s systems to manage their employees and manpower, have been reminded and taught by the Intercorp’s personnel to get consent from their employees regarding the use of their personal information, which would be inputted into the system. Such practises are taught to be part of their human resource recruitment processes or on-premise induction processes. Starting 1 September 2019, as part of the revised system handover process, Intercorp’s clients will be required to consent that the process of gathering their employees’ consensuses have been included within their internal processes.

A disclaimer of consent will also be presented within the system whenever new profiles are created or imported to ensure that the administrator have gotten the consensuses of the employees.

Compliance to PDPA's Purpose Limitation Obligation

Intercorp’s enterprise systems are used for the management of employees’ human resource data (which may include sensitive personal information) for the purposes of manpower management, work scheduling, personal data storage and references, time attendance, movement tracking, productivity measurements, employees’ leave recording, payroll purposes, safety reporting and more.

As such, Intercorp’s systems require unique high-fidelity identification of every personnel, for accurate recording of his or her data for the purposes stated in the above paragraph. There cannot be instances where low-fidelity identification whereby more than one records is presented, which will compromise the accuracy and purposes of the systems.

Intercorp’s system settings are highly configurable, with no determination that sensitive personal data such as NRIC are mandatory. As long as any unique numbers, such as Employee ID as an example, which will not result in any possible duplications, can be used in replacement.

Compliance to PDPA's Notification Obligation

All key stakeholders of client organisations have been reminded and taught by the Intercorp’s personnel to educated their employees regarding the purposes of use of their personal information. Such practises are taught to be part of their human resource recruitment processes or on-premise induction processes. Starting 1 September 2019, as part of the revised system handover process, Intercorp’s clients will be required to consent that the process of notifying and educating their employees have been included within their internal processes.

Compliance to PDPA's Access and Correction Obligations

Any personnel or organisation can request from Intercorp an audit report on how their information are accessed and used for the past year. Intercorp will prepare this report in a maximum of 14 (calendar) days upon request.

Administrators of client organisations can conduct omissions or corrections of data from the system or through Intercorp Helpdesk team, with written approval from the client organisation.

Compliance to PDPA's Accuracy Obligation

All personal data are inputted into the systems by client organisation’s administrators, who will be taught and reminded by Intercorp’s personnel to be as accurate as possible. Whenever any data is incorrect or outdated, the administrator is responsible for such corrections within the system, to ensure all data are keep updated and accurate.

Compliance to PDPA's Protection Obligation

Many security features are built and enhanced constantly within Intercorp’s system frameworks, from the infrastructure, end-devices, application to the database level. Unauthorized access to the systems are prevented through server firewalls, malware and viruses detection, SSL encrypted certification, secured VPN communication, encrypted login credentials verifications, login 2FA option, and more.

All sensitive personal data are first encrypted with 256-bit high-level encryption methodology upon submission to Intercorp’s systems for data storage within password protected, secured and access-limited databases. In the event of databases theft or loss, all sensitive data are unreadable.

Client organizations have the option to mask sensitive data on the front-end as well, to prevent system users from viewing such information. All sensitive data viewed by Intercorp’s helpdesk team will be masked.

Compliance to PDPA's Transfer Limitation Obligation

All sensitive data within Intercorp’s systems are currently stored in Singapore and will not be transferred outside of Singapore. All Intercorp personnel have signed an Non-Disclosure Agreement (NDA) and have been trained and regularly reminded of such compliances.

Compliance to PDPA's Accountability Obligation

All information regarding Intercorp’s compliances, procedures and processes will be readily available on Intercorp’s website and upon request. Intercorp will take all efforts to constantly review and upgrade, to ensure data protection standards and compliance to the PDPA Act.