ANALYSIS: Singapore’s Proposed Data Protection Regime
By Ken Chia, of Baker & McKenzie, Singapore.
Singapore’s proposed data protection (DP) regime seeks to fill the lacuna which Singapore has had for many years in respect of general data privacy legislation. The proposed DP regime takes a “principles-based” approach and proposes a baseline law applicable to all organisations in Singapore, except for public sector organisations. The proposed DP regime will therefore have a significant impact on private sector organisations which deal with personal data such as employee or customer data.
The Ministry of Information, Communications and the Arts (MICA) released on September 13, 2011, a public Consultation Document on the proposed DP regime in Singapore. The Consultation Document proposes a baseline law applicable to all organisations in Singapore, except organisations in the public sector, which are governed by an existing DP framework.
Currently, there are several sector-specific laws regulating the protection of personal data. These include the Official Secrets Act, the Banking Act and the Infectious Diseases Act. For private sector companies, the National Trust Council of Singapore introduced the Model Data Protection Code for the Private Sector (Model Code) in 2002, establishing minimum standards for how personal data may be managed and processed by private sector companies. However, adoption of the Model Code was voluntary, and the Model Code did not have the force of law. The Consultation Document recognises that there is a “need to go beyond voluntary adoption of the Code to establish a mandatory baseline standard for DP across the private sector” (Paragraph 2.4, Consultation Document).
The objectives of the proposed DP law are twofold: public interest and economic interest. The public interest aspect seeks to protect consumers’ personal data, while the economic interest aspect seeks to strengthen Singapore’s position as a trusted hub for data protection, in order to facilitate the growth of Singapore as a data management and processing hub.
Proposed Principles of the DP Regime
The framework of the proposed DP law covers, among other things, the collection, use and disclosure of personal data, the transfer of personal data outside Singapore, the protection and retention of personal data, access to and correction of personal data, as well as a penalty and enforcement regime. The creation of a National Do-Not-Call (DNC) Registry is also proposed as part of the consultation exercise.
Impact of the DP Regime
Personal data is proposed to be defined as “information about an identified or identifiable individual; where ‘individual’ means a natural person, whether living or deceased” (Paragraph 3.9, Consultation Document). The Consultation Document takes the position that what constitutes personal data is generally context-specific. Because technological developments may bring about new forms of personal data, the Consultation Document does not seek to prescribe a fixed list of personal data that should be protected. However, guidelines may be released to provide clarity over what constitutes personal data. In line with the privacy laws of Canada, it is proposed that the personal data of persons deceased for less than 20 years be protected. Malaysia’s recent Personal Data Protection Act 2010 (see analysis by attorneys from Wong & Partners, Kuala Lumpur, a member firm of Baker & McKenzie International, at WDPR, May 2010, page 11) and the UK Data Protection Act 1998 cover living individuals’ personal data only…