Data Protection in the Practical Context: Strategies and Techniques [1 ed.] 9789811133763
Data Protection in the Practical Context – Strategies and Techniques provides a detailed study of the law, practice and
572 34 121MB
English Pages 364 [203] Year 2017
Polecaj historie
![Data Protection in the Practical Context: Strategies and Techniques [1 ed.]
9789811133763](https://dokumen.pub/img/200x200/data-protection-in-the-practical-context-strategies-and-techniques-1nbsped-9789811133763.jpg)
![The Professional Protection Officer: Practical Security Strategies and Emerging Trends [2 ed.]
0128177489, 9780128177488](https://dokumen.pub/img/200x200/the-professional-protection-officer-practical-security-strategies-and-emerging-trends-2nbsped-0128177489-9780128177488.jpg)
![Data Protection in the Practical Context: Strategies and Techniques [1 ed.]
9789811133763](https://dokumen.pub/img/200x200/data-protection-in-the-practical-context-strategies-and-techniques-1nbsped-9789811133763-u-8224921.jpg)
Table of contents :
Chapter 1 The Context of Protecting Personal Data
Chapter 2 The Practical and Conceptual Framework
Chapter 3 The Concept of Personal Data
Chapter 4 Notification Obligation
Chapter 5 Consent Obligation
Chapter 6 Purpose Limitation Obligation
Chapter 7 Data Protection by Design and Default
Chapter 8 Access and Correction Obligations
Chapter 9 Care of Personal Data
Chapter 10 Transfer Limitation Obligation
Chapter 11 Other Notable Provisions in the European Union
Chapter 12 Looking Ahead
Citation preview
MONOGRAPH SERiEsS
Data Protection in the Practical Context Strategies and Techniques Hannah YeeFen Lim
.ERIP
Academyy
Publishing
Academy Publishing is a division of the Singapore
Academy of Law ("the Academy"). The Academy is the promotion and development agency for Singapore's legal industry. Its vision is to make Singapore the legal hub of Asia. It aims to drive legal excellence through developing thought leadership, world-class infrastructure and legal solutions. It does this by building up the intellectual capital of the legal profession by enhancing legal knowledge, raising the international profile of Singapore law, promoting Singapore as a centre for dispute resolution and improving the eficiency of legal practice through the use of technology. More information can be found at www.sal.org.sg.
IN
SINGAPORE ACADEMY OF LAW
IN THE
DATA P R O T E C T I O N PRACTICAL CONTEXT
Strategies and Techniques
MONOGRAPH ABOUT THE
in-depth, compreheensive publish treatises providing issues. legal
The series aims to analysis of c u r r e n t Law
SERIES
of Sales in Singapore (2017) before the Singapore
Courts 1965-2015 Tort of Defamation (2017) Study and Empirical A Comparative Materials (2016) Singapore-Cases & Employment Lawin
Making (2015) Law in Singapore (2015) International Issues in Family
Singapore Law: 50
Juvenile Justice
-
Data Protection Law in SingaporeInterconnected World (2014)
Takes
Privacy
Singapore Law on
Arbitral Awards
Stage (2014) Sovereignty in an
Centre
and
Model Criminal Law for the 21lst Century-A (2012) Industrial Design Law in Singapore
PRACTICAL CONTEXT Strategies and Techniques
Years in the
Where Rehabilitation
DATA PROTECTION IN THE
Code
for
Singapore (2013)
(2011)
Guidelines for the Assessment of General Damages in Personal Injury
Hannah YeeFen Lim BSc, LLB, LLM (Hons) (University of Sydney); Advocate and Solicitor (Singapore); Associate Professor of Business Law,
Cases (2010) An Asian Perspective on Mediation (2009)
Nanyang Business School, Nanyang Technological University
Coroner's Practice in Medical Cases (2008) The Law on Corruption in Singapore - Cases and Materials (2007)
(2007) Confidentiality in Arbitration- How Far Does Life Sciences: Lawand Ethics- Recent Developments in Singapore (2006) It Extend?
Acadenmy
Publishing 2017
Academy Publishing is a division of the Singapore Academy of Law ("SAL
SAL is the promotion and development agency tor Singapore's legal to make Singapore the legal hub of Asia. It aims to drive legal excellence through developing hought lcadership, world-class
industry. Its vision is
infrastructure and legal solutions. It does this by building up the intellectual
capital of the legal profession by enhancing legal knowledge, raising the
Preface
international profile of Singapore law, promoung Singapore as a centre for dispute resolution and improving the efficiency of legal practice through the use of technology. More information can be found at www.sal.org.sg.
DISCLAIMER
Views expressed by the author are not necessarily thOse of Academy Publishing nor SAL. Whilst every effort has been made to ensure that the information
contained in this work is correct, the author, Academy Publishing and SAL disclaim all liability and responsibility for any error or omission in this of publication, and in respect of anything, or the consequences anything, done or omitted to be done by any person in reliance, whether wholly or partially, upon the whole
or
any part of the
contents
of this publication.
on personal data wonder whether a book Some naysayers may infant stage of the is necessary at this relatively protection law in law Singapore. After all, data protection development of personal decisions to date. been less than 30 there have
COPYRIGHT 2016 Hannah YeeFen Lim.
There
Third Impression 2019 Published
by Academy Publishing under exclusive licence.
All rights reserved. No part of this publication may be reproduced, stored in in any form or by any means, whether any retrieval system, or transmitted, electronic or mechanical, including photocopying and recording, without the written permission of the copyright holder. All enquiries seeking such
permission should be addressed
to:
Senior Director, Academy Publishing Singapore Academy of Law 1 Coleman Street #08-06 The Adelphi Singapore 179803
Tel No: (+65) 6332 4388
Fax No:
(+65)
E-mail: [email protected]
ISBN 978-981-11-337%-3
"
789811
"
1337
6333 9747
were
three main drivers for
embarking on this
endeavour. First,
with managing interactions with those tasked through my professional w e r e familiar with that me to they became apparent personal data, it as the personal data protection principles and competent in reciting confident in were less than however, they set out in the legislation, where the principles of those principles, especially the application The n u a n c e s seemed many. other. each with intersected or overlapped where seems to have only small pockets Second, the legal profession in personal data collection, of role the of technology the significance formal disclosure is understood. As a lawyer with storage, use and who and scientist, a as computer qualifications and work experience Australia for 25 years, in law data in protection has practised personal I could offer in this developing area I felt perhaps there was something nexus between personal data close of law in Singapore. Indeed, the not does ring as loudly as it ought to in protection and cybersecurity liabilities arising therefrom also some quarters. The potential risks and individuals. do not seem to be on the radar of many organisations and
the Third, the General Data Protection Regulation was adopted by of a European Parliament in 2016. This is significant piece regulation that will impact organisations in Singapore, not just those engaging in not mere c-commerce, but all organisations with websites that are
Preface passive displays of information will need to take heed of the European requirements. These overseas developments need to be synthesised
and expounded within the Singapore legal context.
This book is an attempt to address some of these issues. This is a modest, first attempt to analyse the personal data protection law in Singapore. It will no doubt grow in the years to come.
I am very grateful to the wonderful team at Academy Publishing for their meticulous editing and typesetting of this book. Special thanks to Bala Shunmugam for his support, encouragement and understanding and to Elizabeth Sheares for the superb final editing of this book and
for her steadfast patience and understanding. Thave endeavoured to state the law as at 28 February 2017. To Him who has given me all things
Hannah YeeFen Lim Ash Wednesday, 1 March 2017
VI
Contents
Page Preface Table of Legislation Table of Tnternational Conventions, Treaties and Reports
Table of Cases Chapter 1 A.
XXxiii
The Context of Protecting Personal Data
Identifying the harms The Erin Andrews case 2
8
Big data 4. Litany of harms Role of information technology in compliance The significance of the European Union legal position
The Practical and Conceptual Framework Chapter2 Scope B. Mandatory requirements
A.
2.
Policies and practices Developing a data protection policy
(a)
C.
1 3
Cybersecurity
3 B. C.
XV
Xxiii
Personal data audit (b) Structure and content Enforcement of rights 1. The Personal Data Protection Commission
(a)
Powers of the Commission
(b) (c)
Dispute resolution powers Review powers
ix
11 17 21 23
28 29 31 31 32 33
35 36 36 36 38 38
Conlenis
Contenis
Page (d) (c) 2.
3. .
Penalties
and
to
direct
decisions made
by the
broad
Appealing the Commission
powers
39
53
Criminal penalties
54 51
(a) Ofences under section (b) Piercing the veil correction (c) Unauthorised access or General penalty (d) Right of private action
Employer liability for employees
54
121
C.
57
59
F. G.
Encouraging compliance Conceptual framework of personal
regime
The Concept of Personal Data
Definition in the legislation
63 64
67
Consent Obligation
Chapter 5
56 56 56
62
B.
120
Position in the European Union
B.
Data intermediaries
A.
Notification of purposes in the online environment
E.
A.
The reasonable person"
Chapter 3
D.
55
D. E.
data
Page
D.
Consent Obligation Excessive consent required Deemed consent Deemed consent for multiple purposes . Deemed consent through action 2. Corollary of deemed consent to disclose Caution on deemed consent . Manner and form of consent
.
Withdrawal of consent Collecting personal data from third parties
G.
Exceptions to the Consent Obligation
67
1.
Evaluative purposes (a) Employment context (b)
123 125
127 132 132
134 136
136 137
138 141 142 145 146 149
"Data and "Information"
68
2.
Format of data
72
3.
To identify an individual
73
.
Personal data: Basic level
76
Personal data: Expanded level 5. Anonymisation of data 1. Receiving anonymised data sets
76
professional settings
83
Business asset transaction
152 155
Publicly available data (a) Definition of publicly available data
159 159
(b) (c)
Presence of restrictions Opening the floodgates
160 161
(d)
2.
2. 3.
85
5.
86
Anonymising data sets
(a)
Anonymisation testing
(b)
A more realistic view of anonymisation
89 93
Insurance Remaining evaluative purposes permitted (c) Managing or terminating an employment relationship Documents produced in business, employment and
149 150
Observable personal data
163
C.
The way forward to anonymising data sets 3. Deceased individuals
105
6.
Solely for artistic or literary purposes
D.
Historical records
106
7.
166 168
E.
Business contact information
107
8.
Research purposes Disclosure for archival or historical purposes
Exceptions of other kinds of personal data
109
9
Conferment of benefits
F.
Chapter 4
Notification Obligation
A.
Introduction
B
Rationales for the Notification Practical considerations
C.
On or before"
a) (b) (c) (d) (e)
111 111
Obligation
Purposes, not activities 2.
102
113 114
115 115
117
B.
Subsidiary purposes
.
Manner and form of notification
118
.
Consequences if personal data is not collected
120
10.
171 172
Private trusts and benefit plan Service for personal or domestic purposes
172
Emergencies Interests of the individual
174 174
Disclosures that provide benefit
176
Remaining exemptions
173
178
H.
Validity of consent of minors in Singapore
181
I.
Some thoughts on consent and exemptions in the Schedules 1. Importance of consent 2. Specific industry sectors
182 182
Impact of the European Union position on consent
188
J.
186
Cones
Contents
Page 1.
2
Directive 95/46/EC under EU General
Consent
Protection
New requirements New requirements for 16 years old
(b)
.
Data
Regulation 2016/679
(a) 3.
minors
under
Union regulations Compliance with European Cookies: Case study of obtaining consent online (a) Cookies on websites (b) Position in Singapore Position in the European Union (c)
(i)
The WP29 Opinion
(ii)
Practical implementations of cookie consent in the European Union
Purpose Limitation Obligation
Chapter 6
Personal Data Protection Commission's views
equivalent to "reasonable"
B.
"Appropriate" is
C.
Assessing the two tests 1.
D.
not
Effect of section 18 on exemptions to consent
Effect of section 18 on exemption to deemed consent 2. The reasonableness test 3. Scope of Purpose Limitation Obligation 1.
Collection, use or disclosure from another
2.
Shortcomings
organisation without consent E.
European Union position 1. Specified, explicit and
(a) (b) (c)
legitimate purposes
188
(a)
Status or significance of some types of personal
191 192
(b)
Personal
(c)
Sensitive personal data
194 198 200 200 202 205 209
Practical examples
239
4.
Data minimisation principle
243
(a)
Data minimisation principle and big data
244
(b)
Data minimisation principle and Internet of
Data Protection by Design and Default
Design 1.
1. 2. 3.
operation of business or organisational practices
Types and amount of personal data collected
xii
249
Access and Correction Obligations
Access Obligation Procedural requirements for Access Obligation 1. 2. Ways in which personal data has been used or
.
B. C.
267 267 270
Prohibitions and exceptions to Access Obligation
271 271 275 281 285 285 289 290 292
(a)
Prohibitions against granting access
(b)
Exceptions to granting access
Right of access- New European Union law
Right to rectification- The Directive New European Union law
Right to rectification
-
270 271
Care of Personal Data
293
Accuracy and completeness of personal data 1. The five factors
293 295
2.
The four aspects
297
3. 4.
Compliance with Accuracy Obligation
298
European Union position
299
Chapter 9
B.
265
disclosed (a) Disclosures to organisations (b) How personal data has been used or disclosed
Correction Obligation European Union position Right of access- The Directive 1. 2. 3. 4.
A.
255 259 260 262 263
Guides Data structures Internet of Things
Chapter 8 A.
237 238
245
Employer/Employee related matters
infrastructure
227 229 234 235
2.
and
B.
214
3.
Chapter 7
2.
254 255
Information technology systems and networked
213
Explicit Legitimate Compatible
data that is unique and
non-changeable
212
219 219 220 222 226
252
data
20
235 237
Specified
Things A.
Page
Protection Consent under EU Data
Protection of personal data 1. The Protection Obligation
301 301
2.
Data protection by design approach
305
3.
Risk assessment
310
Data breach notification - Personal Data Protection
311
251
Commission's Guide
251
(a)
Data breach management plan
312
(b)
Containing the data breach
313
xii
Contents
Page (c) (d) . 6.
Assessing risks and impact
314
data brcach Reporting the the response and recovery Evaluating
315 318
(e) Protection Complying with European Union position (a) Security principle
Personal data breach
(b)
Obligation
320 321 321
noification to
supervisory 322
authority
Personal data breach notification
(c)
to
affected
323 325
individuals Sanctions for non-compliance
(d) C.
Retention Limitation Obligation European Union position Transfer Limitation
Chapter 10 A.
325
Retention of personal data
2.
Personal Data
2.
Protection
Satisfying the Satisfying the
second
331
Obligation
Regulations
second
325 328
2014
requirement: Explicit requirement: "legally
332 situations
enforceable obligations" 3.
B. C.
A.
Assessing the Transfer Limitation Obligation
European Union position EU Data Protection Directive 95/46/EC EU General Data Protection Regulation 2. Asia-Pacific Economic Cooperation Privacy Framework
Chapter
Other Notable Provisions in the European Union
11
Rights object under European Union laws Right to object due to the individual's particular 1. to
Para Children's Online Privacy Protection Act of 1998 15 USC (US)
SS 6501-6505 (2006).
.
. . . .
.
.
336 337 338 338 340 342
16 CFR Pt 312 (US) (2012)
344 345
******************************************************************.****
...5.220, 5.222 Rule 78 Fed Reg 3972 (January 17, 2013) (US) . *************************** .
Computer Misuse and Cybersecurity Act (Cap 50A, 2007 Rev Ed)
.7
Tt....****************************************
9.56
******************************************* .
.
historical research, or statistical purposes Automated decisions and profiling
347
B. C.
Right to erasure
D.
Right to data portability
349 351
Interpretation Act (Cap 1, 2002 Rev Ed) s 48A ********************************************"********************************************************** .. S
O....
...
*
*neo*
*********
******"*****************************
s
Z.0, D. l0,
52
3.1, 3.2, 3.30, 3.48, 3.63, 3.108, 3.123, 5.66, 5.67, 5.69, 5.73,
5.74, 5.83, 5.109, 5.122, 5.147, 5.149, 5.164, 5.169, 5.170, 5.191, 5.192, 8.5, 8.37, 8.40, 9.41, 9.45, 9.47
s 2(1)(c).
**************************
***********"********
*****. 5.80 1.5, 2.3, 2.94, 2.102
s 4(1)(a). ****************************"**************essotes*.**
.*
4.0, D.I49
4(1)(b).. ************************** ****************************°******************* s 4(1)(c). )********************"***************"******************************"*"********************* s
************
357
9.101
***
4.1, 5.5, 7.16, 12.1 **********************.******* ** .s .. . s 2(1). ****** **************** .2.81, 2.86,
347
353
xiv
8.9
Personal Data Protection Act 2012 (Act 26 of 2 0 1 2 ) . . . . 1.1, 2.1, 3.15, 3.25,
s3..**********©*************°****°**************************° .1.4,
Index
5.129
5.129 s 32(1).. ***************************.*************************************************************************
Limitation Act (Cap 163, 1996 Rev Ed)
346
Looking Ahead
5.221
§ 312.5(b)(2) Children's Online Privacy Protection Rule: Final Amendment
yDclsCCuIlY Dul...********************************* Data Protection Act 1998 (c 29) (UK) . . .
New right to object to processing for scientific or
Chapter 12
D.220
Children's Online Privacy Protection Rule
Right to object for purposes of direct marketing
including profiling 3.
333
345
situation
2.
Table of Legislation
*********************************************
XV
*
**
4v
2.3, 2.4
e*... 4.OI, O.0, S.+D 45
Table of Legislation
Table ofLegislation Para
Para ****
********
s
4(4)
***
**
**
...
. . . .
*************
********
s 4(4) (6). *********"*******"** s 4(5)... s 4(0)...
*
****** .
********.
**************** ************************************
*****.*
*********°**
*
******
*************'***
* ********* s 6.. * ********************************** s 11
****
slI(1) .. s 11(2)
***
*********
****.******************************'
******
******
.... **
..2.95, 5.156, 6.34 .
*****
...
********
........ ... . . .
e** ******. **** ***
******************************************'****************
.... '****
*****
************"************'*******
13...
***°*********
s 13(6).... . s 14.....* **
..
.5.9 .0.
) (6)
.........
s21(4)..... 21(5)....
s
*****************°****°*******************
*
***** **
s 14(2)..
**************
14(2)(a)...
..
.0.l4,
.
s
..5.9 ***
15... s
*************************"**********
***************************
s
16(2) *************°*************°**********************
s 16(3) *******************"**** s
16(4) **************
**********
***°********
****
*********
****
*
°***************************
2.1 07, s.17...**************************************** ..............s* *
4.2, 4.6, 5.2, 5.55, 5.6l,
s 17(1) . . *
*eosn****************** *********"**************°************ s 17(2) . *************************"******°****°*************************
s s
18(6).....
*******************************************************************************************
****
******n......
......2.59, 2.104,
.56
4.15, 5.26, 5.34, 6.49, 6.75
s 20(1)(a)......*******e******************°*******°*****°*********** s 20(1) (¢).******************************e******°**** *******.*************°°****°********* s 20(2)
s 20(3)
..4.5, **********************************************************°*********
s 20(3) (a) ************ ...
...3.35, 5.11
4.7, 6.43, 6.48,
.
.4.1 ...4.1 6.49, 6.50 5.9, 6.4
6.48, 4.2,
***
10.1
. . . . . . 10.2
10.2
s 26(2)... s 27...
***********************************************************************************************************
28.
*****************************************************************""********************************
28(1) (a) . 28(1) (6)...
......
***********
********
2.32 2.34
2.35
.
.....
***********
********eso******r
**e*******e*o***e***** 2.36
s 28(2) (a) ***************"***********************************"***************************************°°° 2.35 4» s 28(2) (6).. *********************o******** * .a******o***..*****..* . . . . . . . 2.36 s 4.***************************************** ****************.****. 4 .08 2.38 ***********
s 29(2)...******.***o** .
...
29(2) (d) *********************************"* s 30... ****** **********************************.***********.******.. s
. .....
2.38, 12.4 2.2 Z.8
s 31... * *************************************************"********************* s 31(2).. ************************************** .s .. **********.****.... s
32....... **************************************************************..
s
32(1).... e***********.************°°*****°****
S
Ot
°***********
.**************************************************
*****
2.69 2.70)
...1.17, 2.79, 3.56
. * * . .
33.. **********************.*****************************e**************
Xvii
xvi
*********.o********.*
.
2 , 4.6, 4.18 *****°***°********°*****************°**
....... Z.89, 5.449, 9.98, 9.99, 9.104 ..... J , l 0 , 0 . t 9
..
s 26(3).. ****************************************************************************.*********************** . 10.2
s
s 20......
..
5.50 5.62
s
*****************************
..
26 s 26(1)..
.....5.56
.*so..*..***o*****.
8.52
...
***************"******************"****
.2.105, 3.16, 5.12, 5.18, 6.2, 6.5, 6.16, 6.23, *** 18......s*** 6.25, 6.26, 6.27, 6.28, 6.29, 6.30, 6.34, 6.45, 6.46, 6.47, 6.48, 6.54, 6.58, 6.63, 6.64, 6.66 6.60 **************************************************.************. ....5.12, 6.38, 6.43, 6.51, 6.49 18(a)...... 6.43, ..6.4, ************************ ********************************************
.*...
8.52
8.45,
****°*******************"*****.*****.
**********************************
S40......
* . . . . . . . . 5 . 5 6
s17(3) -.... . . . .
8.45
..... 8.45,
5.47
****5.44
****************************
e********.*****.*****vT9
***.*.....
*************************°**********
.2.106, 4.2, 5.2, 5.26, 5.201, 6.27, 6.30 5 . 2 6 , 5.32, 5.34
.******************************************
15(1).
********
8.50 8 . 4 7 , 8.54 ..************.******"************************** .... 8.47, 8.54 *****************e********************************** s 22(7)...... 9.25 23......... ... s .... .. *****.********************* 9.2, . . . 9 . 2 , 9.26 s 23(a)... ***********'************** ****** -. 9.2, 9.26 s 23(6) . . . ***************"*****.. 2.89, 9.29, 9.40, 9.75 s .**********************************
.
....5.35, 5.36 s 15(2) . ********************************************************* 5.60, 5.190) .5.43, S 16(1) ......... . . **********************************v
22(3)...
8.45 2.36, 8.45
8.5,
***.****
**
**********************
... 22(6)....
*******************************************************************************
*****.****.
*****
22(4)..... )............. o.. ... eo************************************************* s 22(5)..... .* **********************************************************.. 8.45, 8.46,
s......5.12
3.I7,
**********°******************
******
. . 2.36, 2.37, 2.108, 8.4, 8.78, 9.3
***********************************
22(2) (6)...
3.18, 5.19, 5.21, 5.22, 5.210 ********..10 s14(2)(b) .10, 5.14, 5.19 ... s14(3)..*****'** °*** *********"***************************************************** *****.** *..5 v ..7 l s 14(4) S
8.20
8.29 8.21, 8.40 ... 8.20 8.22 8.20, 3, *********** 8.23 * * * * * . * * * * * * * * . 8.20,
****************
***********"*************
22(2)..*******************
2
..
8.20 8.20
.. 8.10, 8.21,
s 22(2) (a)..
..0.20
*****************
******************"******************************"""*******************
*********************°*****°**************
************************°*** 22. s 22(1)...
7 ......5.34 54
14(1)(a)..
s 21(3) (e).
.O.8
*****~*'
***********"**************""*****************°**
***********************************
°****°°****************
°***
8.31
**********"******"*******************°*****°****"*********************** ....
.2
******"************ * . ****"** ** s 1 4 ( 1 ) . . . . .******************""********************'*******************"** .
s
*************"******************"****°****°***
.2.12
...
*
******************
*************************"***********************
*
************************
*
*********************************************
****"**************************************************
8.7
,8.16
****************"'**
*******************"*****.******************************
**
*****************************°*****°********
s 13().
***
..........
***..
Vv
O. ****************"*************
******"*****"****"*********
21(3). s 21(3)(a). s 21 (3)(b).. s 21(3)(c). 21 (3)(d) .. s
.......2.59, 2.106, 5.51
**************************************
s
21 (1) (a)... s 21(1)6)... s 21(2)...
.
*********""*****"****************************°**
12(6).. 12()... s 12(d) *****
4.3
2.35, 2.36, 2.108, 8.4 .. ... .. . .. 4 l . .****************************************"************************************************ . 8.15 ....
********************"*************************"***********
*****. . 2 . 5 9 , 2.95
****
****
4.11, 5.84
. . T.o,,6.89
*******.*.******
. . .
. .
*********
***
*******
.**
****
..
20(4) (b)..
........
**
.
s
.......
20(t)()....
.O.36
2.5 **************************************************** 2 . 1 0 , 2.11 s 11(3) . . * *** **** 2.10, 2.11 11(4) ********** ******** * * * * * * * * * * * ** *** . 2 . 1 ] , 8.9 ** .*** s 11(5) *************************'** ****************'***************** . . . . . . . . .. . . 2 . 1 2 s 12() ***° .12 ****************** ******* 4.. ************* . s *****
4.2, 4.3,
.
**
*******************
***********************************
...2.8, 2.9 ********"****************** .9 s.2.9
**
. .
s
20(3) (b)... ******* 20(4).**
.....
******************"***********
s 4(6) (a).. 4(6) (6)
s
.. 4.2, 4.6, 5.55
3. 120
3.115 *****"*********************************** .. ....2. 2.I03, 3.122, 5.99
****************************
******************...
************* **********.
.1b
2.69
. . . 2.69
Table of Legislation
Table of Legislation Para
Para ***************************************"*********************** *************"*****"'**********************************. ******* .......
s 34(2)... 34(3)
s
*
*
2.69 **
...
.
*
*****'****
***************°******************
s 35..
***""**************
s 35(1)..
*******"**
s 35(4)..
*************
**************4.
***
..2.84 .2.84
...
2.29, 2.30 ******************************************* .2. 2.29
**************
..
***
..
***************************
***********.
*************************
*********
****
***
s 50(2).. s50(3)
.
****************
*************************
*****************"*******
..2.69
2.70
s.......
******"'**********************'***
***** ****************
s 50(1) *************
.
*******************************.
******************
******************************************
s 48(1).. ss 48(2)-48(3). s50.
...
*******************
**************************.
°**
.70
.
*.........
2.31|
**********************.iis..2.31
****************
........
5,99
*********"**.
para 1 (p) (ii).
...................
*****************************************.
.2.72
****°"***************'**
2./76
.
s51.
******************************
**
s51(1).. s51(2).. s51(3)(@) s 51(3)(6) s51(3)().
**
..
********************************************
**********
***
*************4. 6
****.
***************************
*******'**
***************
*************************'***
.
*******************.....*****. ***
********
*****..
....
*****************************
para
3(2) (a).
***
**
.2.74
2 . / 2 , 2.74
*******************'"*****°*******
* * * e *
e.... o s ************************"*********
'************************************
..
2./5
******************************
s 52(1).... s 52(2)
**
52(3)
*******************************************"***********************
5.983
*******************.
5.106
para 3(3).
.
5.106
para 3(3) (a)...
5.106
********************"***
5.10D6 para 3(3) (6) *************e**********************"*************************"******** ******************************
*******************************************""*****°********************.
********
*************************************°***
s 53(1).. s 53(2)..
**
*******. ..2./
e...........
**********
* .
**********************************°***************************************
*********************************
54...*********************.***************
2.75
.2.75 7.22 81
*****
***********"*********************************4.
*********************
********************°****************************
**
************
*
......2.
**********°***************os***.....
. .
para
***************"***************************************************"************ para. para
3(4)
Third Sched..
*************************************************************
**********
***************.***************°*****
************************.****************************************
para 1(b). para 1(c)...
para l (d). '**
***********************************************************************
1(e)..
******************************.*****
...5.66, 5.73, 5.148, 5.189,
para1 ) .****************************************************** ..
2.79
*************************************************************************..
5.64, 5.65, 5.95, 5.96, 5.97, 5.145, 5.166, 5.186, 5.204, 6.4, 6.50, 6.58, 9.103, 12.1 )****************************************************************************************** .5.153
para 1(6) ... ****************************************************°°********************* 5 . 1 5 2 .5.1008, 6.26, 9.103 para 1 (). ********************************°****°°***************°**
.167
*** eson*a*ene*ntssvs. para I (4)... 5.168, 5.189 **.***+o*****.**ts*s**seostsssso*****.********.********s************** para I(e)... ************************************************************** ..5.66, 5.69, 5.148, 5.189, para 1(). 5.191, 5.192, 6.28, 6.51 . 1 2 8 , 6.51 *****'***************************************************.
para l(g).. para 1(h)..
************°****°******************************°**°°****°°****************
5.172 ***************.******es*n*******************e********o***************************
para 1().******************************************************************************** 5.173 ..5.173 para I ( )************************************************************************************* .. para 1(k) ....
5.146, 5.192
para 1(). ******************************************** 5.151 ..5.150, para 1(m) ********************.** *******************e*********** 5.189 5.89, para 1(n) .. 6.58 para I(o).. 6.51, 6.28, ******************************************* ..A11, 5.89, 5.189, ************************************o**************************e********e*********
5.173
****************.
para 1(g. para 1(h)... para 1( ) . .
******************************************.***
para1). para 2
******°***
***
******
5.173
.
5.139
5.57,
e***************************************************
5.5 ,5.85, 5.89, 5.95,
5.98, 5.99, 5.102, 5.128, 5.172, 5.173, 5.189, 5.192, 6.28, 6.51, 6.58
**********************************°**********
*******"**********
5.139
5.58, 5.94, 5.95 . para 3.. . Fourth Sched....*********************************** . 1.5, 2.107, 4.2, 4.6, 4.11, 5.2, 5.9, 5.55, 5.56, 5.57, 5.58, 5.60, 5.61, 5.63, 5.64, 5.65, 5.97, 5.145, 5.160, 5.166, 5.186, 5.204, 6.4, 6.50, 9.103, 12.1 **********************************************************************°
. 5.158, 5 . 1 5 2 , 5.161, 5.162, para 1(c)... ********************************°********°********************** .5.162, 5.163, para I ............... ********************************************************** . 5.108, 6.26, 8.27, para I(e) **************************.********s**s*.***** ....5.167,
para1(a). para 1(6).
********
.
*..****************
10.110 10.10 10.10 9.103 10.10
para 1 ()
. ..5.168, 5.189 .5.164, 5.174 para 1(g). ***************************'******°*********************°*******"************** .5.66, 5.74, 5.148, 5.189, para I(h).. ***********t*********************************** 5.191, 5.192, 6.28, 6.51
para1(i).************°********************************°****************.*******************. 5.173 para 1 )******************************************************************************************** .. 5.173 para 1(k). *********************************************************************************
para 1().********************************************************************************* 5.174 para I (m).*************************
***********************************************************"**************°******* 5 . 1 7 3
.
5.191, 5.192, 6.28, 6.51
*********************************************
2..77
******************************************************************************4.
XVil
1.5, 2.107, 4.2, 4.6, 4.11, 5.2, 5.9, 5.55, 5.56, 5.60, 5.61, 5.63, 5.64, 5.65, 5.145, 12.1 5.166, 5. 186, 5.204, 6.4, 6.50, 9.103, ... 5.153, 10.10 ...5.152, 10.10 . 5.108, 6.26, 9.103 *****************************************°"****** 5.167, 10.10 ...5.168, 5.189 **********************e***********
..
*************
*******************************
para 1(a)
para
***** 5.106
..5.58, 5.96
******************
.Z.
******************************************************************************42.87 0T s 67(2).... Pt IV (ss 13-20)... 5.77 PtV (ss 21-22)... 5.77, 9.1, 10.1 Pt VI (ss 23-26).. *************************************************.***. ...5, 2.107, 4.2, 4.6, 4.11, 5.2, 5.9, Second Sched ... a .....sso . eo***************** 5.55, 5.56, 5.57, 5.58, 5.60, 5.61, 5.63,
para
**
2./5
************°*********************************'******
s 52(4) .. s 53..
......
*****************.
**************************************
s
973
************.os*
1 73
*********
*****************************************
para 3(2) (6)
2.72
****e*s...2.
*******
s 51(5)....
s
*
...
****************************************
5
******"*************"
...
.
s51(4) . . .
s
..2.73
*****************
***"***************"****************
***** *****
***
5.57, 5.58, 5.96 *** para I(7).... 5.1 72 * ******* para 2. . . *********.... 3.99 para *********************************************************"********************* .5.102 ******************************"***************************°****************
para 1(9)..
* * * *
***********************
******************
************'*************"************************
para i(n) . para I (o).
*****°**********************************************.****
5.174 ***********************************************************************************"" 5.174 ************essstsseeessestose*i*************************************** 5.161, 10.10
para 1(p)(i)... ************************************************************************************ 5.99 para I() ****************************************.*******************************.*******. 5.139 v
xix
Table of Legislation
Table of Legislatiom
Para 5.144 . .....5.57, 5.58, 5.85, 5.89, 5.95, ** 5.128, 5.146, 5.172, 5.173, 5.189, 5.192. 6.28, 6.51, 6.58
I(7) para l(I).
para
******""*** ***********"*******
***.
****
para z
********
* *
*********
***************
************* para para 3(2) para 3(2) (b) . . .
.......
*************
***...99
****************d.102
*****************************
..5.98
*****°**** * . . . . 5 . l 0 6
******'*************
5.100 ****.... 139
.
*******
****
*******
** ****
para 4 para (e)....... ...
******
**
*****************
*****
.............
.***************"*******"****
**********************************************
.
para Fifth Sched...
. . 8 . 3 1 , 8.35,
****************.******""**********
***
3.140
..5.58, 5.94, 5.95 *** 8.37, 8.40, 8.47, 12.1
......8.37
*
. .............. . **** ********* *.* .8.35 para 1(6). . *****************....O.35 *********************** . (C) para ********* .. ... ... ***** ***** ***.........8.35 para 1(d)... * *************** ..8.35 35 i para (e) . . ***** ************************"°************* ******"** . ......8.235 para 1 ) . . . . .......8.35 35 ******* ********************* para I(g) **** .Ö.35. *************"*". ****"*******************""*** para 1(h)..... 8.35 **********"******"*******************************d para I(2). . .. 8.41 * * * * *********************** para 1) (1).. ...8.11, 8.30, 8.42 para I() (11).. 8.43 ****~****** ******************* para 1) (ii) *********"******°**** 8.44 para 1) (iv) . . 8 . 1 1 , 8.44 para 1() (v) . . 8 . 4 7 , 12.1 **** *** Sixth Sched.....*********************************°** ******....8.47 paras 1(a)-1(e).. 54 .v I ******************************"*** ******* para l(a). .******s******** ....2.31, 2.40 Ninth Sched..... Personal Data Protection (Enforcement) ..2.31 Regulations 2014 (S 455/2014). para
********************************************************
I(a) .....
1 0 . 5
**
reg 9(2)..
****.**********"*********
reg 9(3)(a) reg 9(3) (6)
TC8 D I T )
**
****
.7
.**..
...
reg 9(3))..... *******"********* reg 9(3)(g9... ******* reg 9(4) (a)... reg 9(4) (6)
..
.***.*......
0.10,
..
**************
..
****
*******************************°'**
**
*********
**
*******
***
****
.
**
*****************************
...
reg 9(4) ( ) . . . .
************************
.
...
*************************"****°******************************.
*************************************
*****************°***************************
*****************************************"****"**********************.
Personal Data Protection Regulations 2014 (S 362/2014) . . . reg 2. reg 3(1) . .
.*.
..
**
****
..8.48
****************************"*"**********
*************************** ..8.8
******"**********************************************
reg o[2){).... . . eg 3(2) (b) **.****** .
reg 4 *************°*****°*** ..
. .
.
**
+**********
. * .
*.
5.9
********************
*.
*******************************************************************
T
T){).
reg 10(1)(a)
.
10.14
. . . 10.144
10.15
.Ld
.***.*.***.******e**.*** 10.15
*****.******.*.*.**.
.
*************************************************
***********°****
reg 10(2) (6) . . . . ********.*
10.14 *******"****
reg 10(3) (6) (i) . .
*.*********.
***********************
***
************
*******.. 10.141
10.16
.o**
************************************
.***********************
.
reg 8 . . . .
reg9(1).. ******.*********°*°****°°****°.****°.
XX
10.15
****** *
10.15
.
10.155
******.**.****.*****.** **°°****°**** 5 . 1 3 0
s 4(2) (c) . ..... 5.130 s 5(3). ******************* 6.54 Sch 1 cl 4.4 *************************** **** ***°°°*****°°°° **°*********************** 6.55, 6.62 cl 4.4.1 *********************************************************"*****°*************** ....... 6.56, 6.58 ***************************************************************************************************
****°.****************.***********
****°°***°°**.
Privacy Act 1988 (Act No 119 of 1988) (Cth) s 6C......
************°°****°**** ***. 2.3
s 6D.. ********"*******************"****************************** Private Hospitals and Medical Clinics Act (Cap 248, 1999 Rev Ed)... *******************°***************.
5.9
..8.110
l 0 . 5
10.10, 1 0 . 4 , 10.8, 10.9, *****************°**** 10.12, 10.13, 10.17, 10.20
10.4, ***************************************************
.
10.15
(SC 2000, c 5) (Canada)
s 4(1)(a)..************************
**************************** so...i*..0.1t, 8.29 .2.36, 8.48
reg 9(1) (a).. ************************°°******************.******************
Teg9(1)(6)
**
.
Personal Information Protection and Electronic Document Act
. . 8 . 1 2 , 8.48
***********************************************°******
10.16
..**************e*******.****.
8 . 1 3
reg 7(4)...
10.16
10.16
*****
reg 10(4)()....
reg ****************°***°*******************"******************e******************** reg /.. ***********************************************
.
**********
**********
.0.10
******************°*********************************
****
10(3) (6) (11).. .... ...... ... 10(3) (6) (i1l) .. . ************* 10(3)(C).... .. ... .. . 10(4)(a) ..... ... o******************* 10(4) (6) ...
.8.9
******************************************
reg 4(1). ************* ************************* reg 4(2) **********************************"** *** * IC
3 ,8.8, 10.4, 10.18
I U.7 , 10.2
*******'******************************'***********
reg 10(1)()....... reg 10(1) (6)
reg
0.12
1 0 . 7
******************°
reg reg reg reg
T0.TT
U
*****e*****
* * .
*****'********
U
10.12
****"*****"***************************************
****
*v
.*
**
***
************************.*********************
reg (O){)..
reg
****"
***
********
...........
****
reg 9(3) (d)...
reg
****
******************************************
****""****".*****"****"***
**********""*********************************
**********************
**********************
para 3(4).. .
***
******
****
*************************
para 3(3)
5.l63
*********
*
*
****'*****
Para
......
****
******************************
10.4 10.13, 10.20 Xxi
**********.. 2.6
**********. **** . 174
Table of lnternational Conventions,
Treaties
and Reports
Para Commission) Article 29 Data Protection Working Party (European EU Approach to (WP37) Privacy on the Internet- An Integrated November 2000).... On-line Data Protection (adopted on 21 4/2007 on the Concept of Personal Data
3.37, 3.45
(WP136) Opinion
(adopted on 20June 2007) P6...
10.
... 3.8
***********************************"**************************************************************
***********************************************************************e*3 . 7 , 3.10
3.21 3.24
************************************ ..3.37, 3.45 *******"********************************* *************************************** pp 16-17... (WP194) Opinion 04/2012 on Cookie Consent Exemption 13..
...
. .
......
(adopted on 7June 2012) pp 6-7....
5.251 ***********e***oseeooe*****************************************
5.249
PP 6-9....
5.250, 5.251 ..**.ossasennos******************************************"******************
P6.
P...***s*.*..
..
. . 3.252, 5.253, 5.254, 5.2555
.
....5.260, 5.262
pp 8-9.........
p8..
.
******************************************************
P9..*.
5.256, 5.257, 5.258, 5.259 5.261
************nsssore*****n*oso**********************************************************"*"*****
(WP203) Opinion 03/2013 on Purpose Limitation
6.72 (adopted on 2 April 2013) . .... 6.765 ************************************************************"*******"********************* P 12. eo..**..**ao**oes*********o*sross**************
p l5... **********o*o******************e*************************************************************** 6.76 ******************* .. 6.77, 6.78, 6.79 p l7..... P 10...
****
6 . 8 0
p 20.. p21.******************************************************************
....6.82, 6.83 ************************ ...6.85, 6.86
*********************************************************************************************
xxiii
Table of International Conventions, Treales and Reports
p 51..
***************************
..
***************
...
6.89
******************************************************
P
p 53....
...
************************. s.....
pp 54-55.
***sos
**********************************************"******"***********
p 54.
.6.90
*******************************************..
*****
******************** ** ** *" * * * * * * * * * * *********************.***
**************************************
*********"**
Pp 56-70...
....
***********
********.
**************
******************************************************
0.91
6.92 .6.95
..6.93,6.94 .....
P .. *****************************.**..0.95 ........ p 60 example 7 . *************************** ..... 15 6.95 p 66 example ***************************************************************** . J0..
*****************************************************
**********'******
.6.87 .0,8. ...6.87, 6.93
Annex 3..
Annex 1.....
*****************
*****************************************"*******
Techniques
Anonymisation (WP216) Opinion 05/2014 on on 10 April 2014). (adopted **************************************************************************
3.83 3.83 ..3.86, 3.87, 3.88 3.84 .3.89 3.87 ......
**************************************"*
p ....*******
********************************************
***
******'**************
PP - / . . . P
*s************************************'***
p
.
*******************************...
*******************************************"****"*******************
Pp 11-12...
Pll......
*
889
****"***************
********************"******************************
pp 12-19.. p 12..
s*sens.....
**************************************************************ssisss...
*
*****************"************"*********************************
PP 13-14..
*********************************°**************************.
******************************°******* p 13.......******************************"**** ******************************************************. Pp 1 4 - 1 5 . .
P ************* p l6....
*************************
ssssn..
**********************************************
P lo..
********
....***********************'************
91 ...3.99 *. .100 3.91
..
**********3.96, 3.101 3.108
****************'****************"***********"***************.
****************************************"**** pp 23-24.. p
3.90
....
**********""******""*********'******************************************
.3.85, 3.104 ..3.83, 3.98, 3.104
****"*****************.
**************'********************************************************.
Pp 24-25...
. *
** *********************************************i 97 ********"**********"************************************** D.9T p 24...... .* on the (WP221) Statement Impact of the Development of Big Data on the Protection of Individuals With Regard To the Processing of their Personal Data in the EU
(adopted on 16 September 2014). **************"******"**"°°******"***********. 6.100 ...6.100, 6.101, 6.102 p2. .
.7.43
PP 16-19..
******************************************************************************************.
p 1 .*****"******"************************* ... ******
************************************** ..6.104, 6.105
6.105 PP 18-19... P
***************
P 19....
.6.107
*********"**************** *******
**
**********************"****"********
****************** .106 ******************** ..6.108
p 22
..6.109 * * ******************nnuosnn. . . . . . ...0.1 (WP238) Opinion 01/2016 on he EU-US Privacy Shield Draft Adequacy Decision (adopted on 13 April 2016).. ****************°*****************. .10.23 Asia-Pacific Economic Cooperation P'rivacy ...10.31 Framework... . p17********************************"********************************** *************************** .183
Charter of Fundamental
Rights of the European
Union
(2010) OJC 83 (2010) Art 8 para l.**************************************************************°******************* ..1.68
the Committee
Economic
of theRegions for
framework
European Parliament, and thc ( C O M / 2 0 1 1 / 0 9 4 2 final-2012) and
Social Committee
in the
trust building services
A coherent e - c o m m e r c e and Market for January 2012)
Digital Single
online
l1
(adopted********************************************************************************.
. .
.217
0.2.
2000 pursuant to I.. Decision 200075207 EC of 26July Parliament and of thec Commission 95/46/ECof the European the Directive of the protection provided by asked Council on the adequacy and related frequently principles safe harbour privacy of Commerce the US Department fn
qucstions issued by
*****************************************************************************
0.22
O4
2000] OJ L 215/7..
too 20 December 2001 pursuant Decision 2002/2/EC of Commission Parliament and of the the of European Directive 95/46/EC data provided by protection of personal Council on the adequate Electronic Information Protection and Canacdian Personal
the . **************.*s Documents Act [2002J OJ L002/13.. Decision (C(2016) 4176 final) of Implemening Commission to Directive 95/46/EC of the 12July 201l6P apursuant on the adequacy r l i a m e t and of the Council European the EU-US Privacy S h i e l d . . . . by provided the protection of on No 44/2001 of 22 December 2000 Council Regulation (EC) the recognition and enforcement of judgments and jurisdiction matters (OJ 2001 L 12, p 1) in civil and commercial Art 15(1)(C) Art
10.22
10.23
1 . l7 . 5
******""******************************************************
****************
J)...*********************************************************************************n********
Rules
Cross Border Privacy For Accountability
"******************"*******"*********************************
Agents..
********************************************************.**
***o***************************senesons********************..*.
For blUSinness
..
1.75 10.332
10.32 0.09
Parliament and of the Directive 95/46/EC of the European of individuals Council of 24 October 1995 on the protection with regard to the processing of personal data and on the frce movement of such data |1995] OJL 281/31.....
1.68, 1.69, 1.70, 1.77, 3.1, 3.3, 5.196, 5.205, 5.207, 5.247, 7.20, 8.56, 8.61, 8.63, 9.24, 9.85, 10.24, 11.3, 11.9, 11.18 .3.31, 3.32, 3.47, 3.86
Recital 26.. . Recital 2 8 . . .
6.775
*.***.******************************************************************* *************************************"""************************************** 8.60, 8.65, 8.72 Recital 41. Art
5.196 ************************************************************************************************
*************************************************************** .5.197, 6.85
Art 2(b).
Art 2(h).
Art 6... Art 6(1) (b)
*
************************************************************************************* 5.199
. 4.31 .o.. **.****.***************************************************************** **************************.... . 4.31, 5.197, 5.201, 6.53, 6.69, 6.73, 6.75
Art 6(1) (c)...
Art 6(1)(d) . .
.... 5.198, 6.70, 6.75
.
***********************************************************************************. 9.22
Art 6(1)(e) ****************
°********
**************************************************** 9.l07
Art 7....*****o*oo**o********n*****i***********************o****** 5.182, 6.82, 6.101 Art 7(a)...**************************** *********************"**************************.5.199, 5.201 Arts 7(b)-7(),.... ************"*************************************************************************** 5.199 Art 7(e)..
......*************
*************************************************** tL
Art 7(1). XXIV
Reports
to the
Communication
Commission Council, the
*ssssssssss***sss**sene*****************************************.
(WP223) Opinion 8/2014 on the Recent Developments on the Internet of Things (adopted on 16 September 2014) ...6.103, 7.43
and
Para
Para ...6.88, 6.89
s*s.
************
******
*********"****
Treaties Table ofInlernalional Conventions,
I1.4 XXV
Table of International Conventions,
Trealies and Reports
Table ofInlernational Conventions,
Treaties and Reportds Para
Para
******************************************************************
Art
...5.182,6.101 5.199,5.201 ...8.56, 8.62
***********************************************......
Art 8(1)... ***********************************************'*****"**** *****************
Art
Art 12(a).
....
**
********
**************************************************************** .8.57, 8.58,
8.59, 8.69
****************~ ..8.62, 8.71, 8.74, 8.75, 8.77, 8
Art
12(b).. **************************
Art
12(c).* . ***************************************************************************.
.
Art
...).
**********************************************************
Arts 13(1)(a)-13(1)(g)..
78
8.62, 8.76
..5.200, 8.56
************.**********************************************************
Art 13(1)...
*******************
************.
8.56 .8.56
.....
*********************************************
******************************** ****************
8.62
Art 14... ..... ****************"******* Il.4 Art 14(a).*****************************************************"****************. .. sssosssaas.l1,6 Art 14(b)... ***********************************************************.* . ***************************** l1,10 Art 15(1) . o984 Art 17. ..... ** 9.84 *************************'************************
**********************"********************"**********
***"**********.*.....
...
.
***************
***
.s*e*s***********************************
*******************************************************
.
Art 17(1)..*********************************************************************** 0 2 1 Art 25(1).*************************************************************** 10.21 Art 25(6).. . 0.18, 10.28 .*******************************************************************. .... 10.25 Art 26(2).
paras 2.65-2.66... **************************************************.
****************"**
***************************************************.
Parliament and of the 2002/58/EC of the European of of 12 July 2002 concerning the processing the protection of privacy in the and data personal electronic communications sector (Directive on privacy
Directive
para
Art 5(3)
ingapore link", which
eant
that the regime would only apply if the personal data was collected from an individual physically present in Singapore, or the
either
data was located in Singapore at the time of collection, or the
organisation used the data in Singapore, or the data was disclosed in Singapore. The final form of the legislation dropped this requirement rendering the regime more effective as it deters those who might
attempt to avoid compliance by shifting or outsourcing collection or use of data overseas. This stance of extratenitorial reach is consistent with other legislation in Singapore, such as the Computer Misuse and Cybersecurity Act" although realistically, for an organisation that has no presence in Singapore, it may be difficult for any claim to be made against it.
2.8 One of the most important points to note is that the personal data protection regime will operate concurrently with other legislative and regulatory frameworks, so organisations in those sectors that have sector specific requirements need to continue to comply with them. Section 4(6) (a) specifically states that nothing in the personal data
protection principles enshrined in the Act "shall affect any authority,
12
Privacy Act 1988 (Act No 119 of 1998) (Cth) s 6D. See also Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press,
13
Computer Misuse and Cybersecurity Act (Cap 50A, 2007 Rev Ed) s 11.
2nd Ed, 2007) at pp 194-195.
30
to be 2.10 at least o n e person are required to designate Act All organisations the with that the organisation complies responsible for ensuring officer ("DPO") for this personal data protection but there is no need For sole officer (or limited to only o n e person). dedicated a to be be the sole trader.7 traders, the DPO may well
2.11 The DP0
organisations, there is
for many be from within the organisation and, if the counsel, either filled legal the role may often be by for human resources.s There is someone
can
one, or
responsible
be an external consultant. Regardless or outside the organisation, the Act within from of whether the DPO is business contact details of the DPO be publicly that the requires available," so it seems imperative that the public has a visible contact no
reason
why
the DPO
cannot
point.
1.
Policies and practices
2.12 In addition to appointing a DPO0, all organisations are required to develop and implement policies and practices that are needed to
14 15 16 17 18 19
Personal Data Protection Act 2012 (Act 26 of 2012)s4(6) (a). Personal Data Protection Act 2012 (Act 26 of 2012) s4(6)(6). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(6) (a). Personal Data Protection Act 2012 (Act 26 of 2012) ss 11 (3) and 11(4). Personal Data Protection Act 2012 (Act 26 of 2012) ss 11(3) and 11(4). Personal Data Protection Act 2012 (Act 26 of 2012) s 11(5).
31
Data Protection in the Practical Context The Practical and
Act and to communicate thes hese o compliance with the must also a organisations Furthermore, staff. to complaints regarding persone and receive respond to process and practices and the complaint protection,2 and the policies ensure
develop
a
website, the personal
be available online in a layered information. to m o r e detailed
manner
complaint
blic upon request.22proces
must be made available to the general
organisation has
their
protection polic through the use of hVne data
Ifan
to
needs
structure to
be
to work closely with all tcams within and implement these policies and pracs develop to educate employees o n the policies and r
and, of course, es. Although the DPO will also likely be the person responsible for and responding to requeste f handling complaints and co-ordinating access or correction, however, the protection of data should be in the psyche of the whole organisation and not just the DPO. If it is lett solely in the hands of the DPO, compliance by an organisation will be
and
content
of the
protection personal data
developed.
Personal data audit
(a) 2.17
2.13 The DPO would need
organisation
Sccond,
policy
the
ConceptualFramework
use
and
disclosure
practices
must
first be
data collection, exercise is to All current i n f o r m a t i o n gathering and analysed. This as well identified a n organisation, held data by overview of the personal of an obtain regarding the handling procedures and systems it and described as its practices, wil to be This will enable the practices personal data. about whether any of the practices assessment to be made also allow a n whether any necessary the legislation and be might be contravening a n audit might organisations, For taken. larger action should be the data organisation discover the kinds of personal necessary to relevant processes and procedures as well as the handles, and collects data. regarding the personal
much more difticult.
2.18
2.14 Organisations should be mindful of compliance with these mandatory requirements of the appointment of a DPO and the development and implementation of policies and practices, as non-compliance can also
form the basis of a financial penalty."
Developing a data protection policy
2. 5
The level of complexity of a data protection policy will depend on how much personal data an organisation collects and how much processing is undertaken by the organisation, as well as whether it discloses any personal data.
to identify a personal data policy is The first step towards developing involve that the activities of organisation the main functions and a small tuition centre might| for list A personal data handling. simple conduct publicity campaigns, look like this: provide tuition services, and operate a website. For each of these activities, handle
complaints,
some of the essential information required might be: what personal data is collected and how it is collected, how the personal data is held, the purposes for the collection, use and disclosure, and whether the personal data is transferred outside Singapore.
2.19 If there are specific approaches or commitments which the organisation has in place, these should be noted and highlighted. Some examples might include:
(a) whether the organisation sells personal data to anyone 2.16 There
(b)
generally two main steps in developing a data protection policy. First, information about the organisation's personal data practices, procedures and systems must be gathered and understood.
20 21
22 3
Personal Data Protection Act 2012 (Act 26 of 2012) ss 12(a) and 12{9 Personal Data Protection Act 2012 (Act 26 of 2012) s 12(6). Personal Data Protection Act 2012 (Act 26 of 2012) s 12(d).
whether and what security protections such as encryption are in place;
are
(c)
to whom and in what circumstances personal data will be disclosed and whether they will be transferred oversees;
(d) what are the procedures and systems for identifying and managing security risk, as well as developing and monitoring (e)
controls for those risks; details of what processes
are
fu Kwe Kitchen Catering Services and Pixart Pte Lid |2016] SGPDPC 14.
32
in
place
personal data that is no longer needed;
33
to
identify
and manage
Data
what processes
(
Protectionin the
are
used to
de-identified;
(g) (h)
(i)
Practical Comtext
ensure
The Practical and ComceptualFramework
Dersonal
pcrsonal
for providing
of the procedurcs of personal data; pdating for upda procedures details of the and accurate; they are procedure. details of the complaints
data dala is is
access
to
destroyed.or
ar
details
ction
personal data (b)
2.20 addition to a D e r e . stressed that in it must be At this juncture, of their Dere. public the general that informs protection policy must also have Dracts practices organisations and protection practices, ees to follow follow in the handling of personal employees for in place policies no douhte in be clearly spelled out, leaving data. These should
minds of employees of what is permissible and what is not Der nissible, for handing ot personal data should not as The procedures in place to do anything th or enable the employees far as possible facilitate ditficult in some settinos be This may the Act. b might contravene
for solutions. Often, technology may have organisations should strive wrongdoing by employees, whether limit to possible any to be utilised should adopt the or accidental. Organisations are intentional
they practice of "personal
data
protection by design
or
"privacy by design"
wherever possible. 2.21 Personal data protection by design is an apPproach where the personal data is protected through embedding protection into the design of that is, the protections are technologies and physical infrastructures, weaved into the design specifications and architecture of new systems and processes. This will be discussed in further detail in chapter 7. 2.22 A very simple example of the implementation of personal data protection by design would be a system that might reduce opportunities for employees to pry into personal data records that they have no business looking into and to collect the personal data. Such a system might be to isue employees with personalised logins and passwords for logging into computer systems instead of just using a generic password shared by many employees. The system can also be layered so that before an employee can access a particular record, they have to input a valid case number, thereby restricting general access. In any event, the personalised login, when set up with the correct software and configurations, would be able to track all the persona data records accessed by employees along with logs of time ana duration of access and all this would assist to ensure compliance and o
34
idcutify the culprit personal data lcak.
in the
event
of
unauthorised
access
and/or
a
Structure and content
2.23 is be taken that the personal data protection policy Care should the terms of in organisation's s e n s e makes that arranged in a m a n n e r audience of the personal data protection policy. functions and the would bec should be provided for areas that individuals details More such as the selling or find with o r objectionable, may most concerned or processes that disclosure of personal data. Similarly, practices not would o r reasonably expect, would not be aware of,
individuals should be highlighted.
2.24
m e a n that c o m m o n The suggestions given above do not, however, There may be business or administrative practices should be ignored. individual as an such filling out a form processes that are self-evident, a is obvious that which address and name delivery to that a with address should be made or that the address is for billing purposes, but these practices should be summarised for the individuals.
2.25
Ideally, the information in a data protection policy should be grouped
under relevant headings such as scope of the policy, collection of use and processing of data, disclosure of personal data, and complaints procedure. Under each of these and choices, rights
personal data,
headings, all the relevant information should be provided with special focus on specific approaches or commitments the organisation has in place. For example, under the heading of collection of personal data, the personal data collected should be clearly stated and include the reasons for collection, highlighting any unusual or unexpected reasons or purposes for the collection, or even unexpected personal data collected. Information under the rights and choices heading should provide details on choices that individuals can make, including the right to request access and correction of personal data held about them and, of course, the complaints procedure should state the procedure on how to make a complaint and what other recourse
limited)
individuals might have. 2.26 If there are new processes introduced in the organisation, the personal data protection policy should be updated to reflect the changes and the new processes should be assessed to ensure that they meet
35
Data Protection
inthe Practical
Context The Practical and
compliance.
In any
be regularly organisation's
event, the
reviewed current
and
personal
data
protection
that
ensure
updated to data handling practices.
it re ould
personal
2.27
simple:
not complying"27 with the believe that the organisation is section that noted 50(1) of the Act does not be should it Act. However, in such a of the Commission to initiate investigations limit the power that:28 states m a n n e r as it simply
grounds
data protection policy should Lastly, the personal and in-house terms, unless the acronyms acronyns avoid legal jargon, detined or explained in the doc are clearly t. and in-house terms use
Conceptual Pramewok
nol:
language,
to
an or of its own motion, conduct The Commission may, upon complaint an organisation is not whether determine to section this under
investigation
complying with
this Act.
2.30
be ruled out that there may c o m e a time when the Commission may conduct audits." For this reason, organisations much a supervisory should be cognisant that the Commission is very with. reckoned be to Hence, it
ENFORCEMENT OF RIGHTS
C.
1.
Protection Commission The Personal Data
cannot
authority 2.31
2.28
overseen by the
data protection regime The Singapore personal Commission as the administrative and Personal Data Protection Commission also has the mandate to The enforcement authority. education and awareness efforts 4 data protection undertake personal ot the Commission may be structure It seems that the organisational Commission of Singapore. The Commission is
styled on the Competition is a quasi-judicial and supervisory authority
with enforcement and varied powers. All the directions of the Commission, except for directions on dispute resolution, can be enforced in the District Court
over whether The Commission appears to have a discretionary power as it may suspend, discontinue or to exercise its powers of investigation of refuse to conduct a n investigation if it thinks fit.30 The powers of the Commission and the inspectors a r e set out in the
investigation
Ninth Schedule.3 Also relevant here are the Regulations," and the Commission has also issued the Advrisory Cuidelines on Enforcement of which are non-binding, but they indicate the Data Proection the Commission's approach in handling complaints, reviews investigations of breaches of the data protection rules, as well as
Provisions,
and
enforcement and sanctions.
regardless of the monetary amount.2
(a)
Powers of the Commission
2.29 The personal data protection regime is one based primarily on a
the Ministry of Information, Communications and the Arts ("MICA") in the Public Consultation
complaints-based approach, however,
Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill ("2012 MICA Consultation")26 made it clear that the Commission may also initiate investigations, regardless of whether a complaint is received, into an organisation's compliance
27
28 29
also s 50 of the Personal Data Protection Act 2012 (Act 26 of 2012). 30 31
26
Personal Data Protection Act 2012 (Act 26 of 2012) Personal Data Protection Act 2012 (Act 26 of 2012)
s s
6. 30.
Mhnistry of Information, Communications and the Arts, Public Consuliatno Issued by Ministry of Informatiom, Communications and the Arts: Prop Personal Data Protection Bill (19 March 2012).
36
See
Proposed Personal Data Protection Bill (19 March 2012) at para 2.125. See
with any provision of the Act, "if it is satisfied that there are reasonable
24 25
Ministry of Information, Communications and the Arts, Public Consultatiom Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.123. See also s 50 of the Personal Data Protection Act 2012 (Act 26 of 2012). Personal Data Protection Act 2012 (Act 26 of 2012) s 5(1). Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts:
32 33
Personal Data Protection Act 2012 (Act 26 of 2012) s 50(3). Personal Data Protection Act 2012 (Act 26 of 2012) s 50(2) and Ninth Schedule.
Personal Data Protection Regulations 2014 (S 362/2014); Personal Data
Protection (Enforcement) Regulations 2014 Personal Data Protection Commission,
Advisory ofthe Data Protection Provisions (21 April 2016). 37
45 5/ 014). Gauidelines
on
Enforcement
Data Prolection
The Practical and ConceptualFramework
Dispute resolution powers
(b) 2.32
with organisation, the In
in the Practical Context
dealing
a
mediation with the any other
dispute
complaint
Commission consent
made
by
an
individual
has the power to relevant
of the
resolution method
with
refer the
under both section 21 to access the request by the complainant individual's own personal data as well as section 22 to correct personal
against an
amat r for rder tho consent
parties, without
as well
or
the relevant parties.
Commission
was
a
fee
Data However, charged to correct personal Protection Regulations 2014 specifically states that n o fee can be charged for correction of personal data under section 22(2) of the Act can
be
and organisations should be cognisant of this." Section 28(2) (6) grants
the Commission the power to confirm, reduce or disallow a fec, or direct the organisation to make a refund to the complainant as the
2.33 Consultation," MICA felt that mediation In the 2012 MICA resolution of complaints by facilitatina carly
encourage between the affected
gives the impression that data. The way this provision is worded data. the Personal
parties
and
given the power
to
hence
refer the
it
was
Ould e essential th
parties
to
mediatieon.
ne
case may be.
2.37 The third review power concerns the situation where an organisation has refused to make a correction to personal data under section 22 of
the Act or has failed to do so within a reasonable time. The (c)
Review powers
Commission may confirm the refusal to correct the personal data, or
direct the organisation to correct the personal data with full power to 2.34
dictate the manner of correction and set any time frames.
Under section 28 of the Act, upon the receipt of a complaint, the
Commission can review the exercise ot power by organisations in
Penalties arnd broad powers to direct
relation to three areas where an organisation has made a decision
(d)
regarding personal data.35 The three areas are: refusal or failure to provide access to personal data, the quantum of the fees charged for access to or correction of personal data and a refusal by the organisation to correct personal data or a failure to do so within a
2.38 The Commission also has broad powers to give directions to any organisation so as to ensure compliance with the Act.S9 Hence, it can
reasonable time.
direct an organisation to cease collection, use, disclosure of personal
data, as well as to destroy personal data.0 In the 2012 MICA Consultation," MICA also stated that directions can be given for
2.35 In relation to a refusal to provide access to personal data requested under section 21 of the Act by the complainant or a failure to provide access within a reasonable time, the Commission may confirm the refusal to provide access, or direct the organisation to provide access to the personal data within a set timeframe.S7
compensating affected individuals as a result of non-compliance with
2.36
In the few cases to date, the Commission's approach to enforcement
28(1) (6) of the Act gives the Commission jurisdiction to review Section a fee required from the complainant by an organisation in relation to a
can
the data protection law. Importantly, the Commission has the power to impose a financial penalty of up to $lm.12 This administrative law penalty is distinct from the criminal penalties which will be discussed below. 2.39
34
Personal Data Protection Act 2012 (Act 26 of 2012) s 27.
35
Ministry of Information, Communications and the Arts, Public Consuliation ssued by Ministry of Information, Communications and the Arts: Propeset
36 37
Personal Data Protection Bill (19 March 2012). Personal Data Protection Act 2012 (Act 26 of 2012)
s
38
38 39 40 41
28.
Personal Data Protection Act 2012 (Act 26 of 2012) ss 28(1)( and
28(2) (a).
be seen to be tempered by a concern to raise awareness and understanding of the requirements of the personal data protection
42
Personal Data Protection Regulations 2014 (S 362/2014) reg 7(4).
Personal Data Protection Act 2012 (Act 26 of 2012) s 29. Personal Data Protection Act 2012 (Act 26 of 2012) s 29(2).
Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.118. Personal Data Protection Act 2012 (Act 26 of 2012) s 29(2) (d). 9
Data Protection
in the Practical
Context
The Practical and Conceptual Framework directions
rather
than
issuing appropriate Unversal regime through Travel od Purel of In the decision Las punitive approach. t disclosino respondent) travel agent (the which involved a na tour to individ four customers of a group als who data of 37 of its in the tour, the Commission cancelled their participation that
causd without the disclosures of persona he employees'part the respondent's lack of awareness on data and not due to a systemic iissue that could result protection Obligations o r further harm to be made be disclosures to caused in further mistakes made by the respondo the disclosures were bona jde notification were consent and
such,
employees
who
were
seeking
to
assist
the
there
passengers ith their was a wilful disrepari
one where insurance claims, and not tor Since disclosures were made to a Act." the nited the provisions in to their personal e-mail addresses and th. number of persons and was in relation to limited individho data that was disclosed
personal
to remedy the situation by, inter alia, informing within two weeks the individuals who received the
the respondent the Commission directed
passenger list not
to
disclose the list to other third parties: to send course on the obligations under the Act
employees to attend training and the organisation's data protection policies within six months; and a
to put in place within three months a data protection policy and internal guidelines to comply with the provisions of the Act and, in 16 particular, to prevent future r e c u r r e n c e s of the breaches. 2.40
In the decision of Universal Travel Cop Pte Ltd," the Commission did
individuals
impose a penalty, partly due to the small number of personal data disclosed and partly due to the co-operative nature of the respondent. This case can be contrasted with the case of Fei Fah Medical Manufachuring Pte Ltd5 where the Commission levied a penalty not
of$5,000 fora data leak. User login identifications, poorly encrypted
passwords, e-mail addresses and mobile phone numbers of at least 836 individuals were leaked." The respondent company had no idea how the leak occurred and were unable to explain or to provide during the investigation. The Commission the user login identifications and password would have
sufficient information noted that enabled anyone to log 43 44 45 46 47 48 49 0
in and obtain access to other personal daa
[2016] SGPDPC 4.
Universal Travel Corp Pte Lid [2016] SGPDPC 4 Universal Travel Corp Pe Ltd [2016] SGPDPC 4 Universal Travel Corp Pte Ltd [2016] SGPDPC 4
[2016] SGPDPC 4. [2016] SGPDPC 3.
Fei Fah Medical Fe Pah Medical
[21]. at [21]. at [20]. at
Manufacturing Pte Ltd [2016] SGPDPC 3 at [7 Manufacturing Pte Lid [2016] SGPDPC 3 at [13]-|l5]. 40
respondent company "had been had nor forthcoming in its responses" and even completely ignored a had and provided incomplete responses of Documents and Information ("NTP") individuals."
rclating to the neither co-operative
Notice
to
Require the
The
Production
Commission under
the power
given
to
it under the
issued by the Act. Although the respondent company had Ninth Schedule of to take remedial actions, the instructed its data intermediary did not o c c u r until m o r e than actions remedial the implementation of of the initial data leak.5 As a result of the after discovery ten months
in addition to giving various directions these factors, the Commission, a new website and to conduct a web application such as to implement all vulnerabilities, imposed a financial scan and to
vulnerability
patch
penalty of $5,000.54
2.41
It would appear that the scale
or amount
of personal data that has a have
played been leaked and the co-operativeness of the respondents the key factor in determining the quantum of penalty imposed by and Ltd Entertainment Pte K of Box the case In Group Commission. Finantech Holdings Pte Lid where the data leak involved 317,000 K Box
Commission
to members' details, the imposed the highest date of $50,000 on K Box6 and $10,000 on its data intermediary Finantech.57 The data leak disclosed quite substantial amounts of personal data belonging to cach member, namely, the individual's
penalty
name, NRIC/passport/FIN number, Singapore mailing address,
contact number, e-mail address, gender, nationality, profession and date of birth.55 The leak of personal data was caused largely by a failure to make reasonable security arrangements to protect the personal data.33 In addition to numerous failings in its protection of personal data, K Box also had not appointed a DPO or put in place personal data policies.0 51 52 53 54 55 56
Fei Fah Medical Manaufacturing Pte Ltd [2016] SGPDPC 3 at [20]. Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [33]. Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [33].
Fei Fah Medical Manufactuing Pte Ltd [2016] SGPDPC3 at [35].
(2016] SGPDPC 1. K Box Entertainment Croup Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1l at [44].
57
K BoxEntertainment Group Pte Ltd and Finantech Holdings Pte Ld [2016]
58
K Bow Endertainment Cronp Pte Ltd and Finantech Holdings Pe Ltd [2016]
59
K Box Enterainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016]
60
K Box Entertainment
SGPDPC 1 at [45].
SGPDPC 1 at [3].
SGPDPC 1 at [26). SGPDPC 1 at [42].
Group
Pte Ltd and Finantech
41
Holdings
Pte Ltd
[2016]
Practical Data Prolection in the
Context
The Practical and Conceptual Framework 2.42 Although the
remedial actions
of
both
K Box and
Finan
ech were
data leak,61 their shortco after the personal fair and prompt in the assistance their lacklustre were in ne in providing informat was not forthcoming investigation, K Box he that K Box had onlv in criicising Commission was scathing the investigatio ions, which did their responses during bare facts in Finanteco investigations.Similarly, Commission's the facilitate dr do information in providing appeared not to be forthcoming NIPs the were to only nro investigation. Finantech's responses were first issued in Octah ed after the NTPs months seven almost delaying the investigation process.
investigations. Duri
mings
provide
2014
thereby
2.43
data leak where the Commission imnoes In another case of personal Commission impOsed a penalty of $i0.000 the a substantial penalty," The personal against the Institution of Engineers Singapore ("TES°). data disclosed included members online login identification mobile phone numbers. TES was unable to ascertain how many members' personal data were disclosed but the Commission
passwords and
noted that the titles of the two lists that were disclosed indicated somewhere in the range of between 6,000 and more than 60.000
members personal and
data may have been disclosed.5 The IES
throughout
forthcoming
the
Was
Commission's
co-operative investigation and it promptly took measures, including additional security measures following its discovery of the personal data leak.57
2.44 It would appear that for personal data leaks that involve large
numbers, the penalties range from $5,000 upwards, but there is no clear formula that can be gleaned from these cases. The disclosure of the personal data of at least 836 individuals in Fei Fah Medical Manufacturing Pte Ltd earning it a penalty of $5,000 cannot really be reconciled with the $10,000 imposed on the IES for the disclosure of
61 62
K Box Entertainment Group Pte Ltd and inantech Holdings Pte Ltd (2016) SGPDPC 1 at [42]-[43]. K Box Entertainment Croup Pte Lid and Finantech Holdings Pte Ltd SGPDPC 1 at [42].
[2016
63
K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [201o SGPDPC 1 at [43].
64 65 66
The Institution of Engineers Singapore [2016] SGPDPC 2. The Institution of Engineers Singapore [2016] SGPDPC 2 at The Institution of Engineers Singapore [2016] SGPDPC 2 at
67 68
[13].
42
not. Likewise,
was
Cellar Door and its the Commission expressed that both The cavalier attitude by providing a had "displaycd data intermediary issued by the Commission",70 which incomplete responses to the NTPs Cellar Door being landed with a $5,000 The to contributed Pte
Ltd
no
doubt
The Commission, a penalty and its data intermediary $3,000 penalty. unfortunately, did not elaborate on how many individuals' personal which is rather unhelpful because justice needs to data were disclosed, to have been meted out. The higher penalty to The seen be clearly
as was due to the Commission's view that The Cellar Door, the data controller, retained the primary responsibility and obligation
Cellar Door to
customers.71 protect the personal data of its
2.45
In two late 2016 cases where the breaches were very similar factually, of a financial penalty of $3,000 was imposed on the respondent in each the two cases. In both cases, the primary respondent was a catering
firm and, in both cases, the breach occurred in their online ordering system. In both cases, the breaches were the result of poor computer programming practices whereby the online order review web page or order details of a customer could be viewed by anyone. The personal data of other customers could be viewed by simply changing the number at the end of the web address, and these review web pages never expired and were permanently accessible." There were two further decisions in late 2016 that could be argued to be relatively factually similar to these two catering company cases; one imposed similar financial penalty of $3,000 whereas in the other, only a warning was issued.73
69 70 71
[2016] SGPDPC 22. The Cellar Door Pte Lid and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [36].
The Cellar Door Pie Lid and Global Interadtive Works Pe Ltd [2016] SGPDPC 22 at [39].
72
[7J-18).
The Institution of Engineers Singapore [2016] SGPDPC 2 at [39).
[2016] SGPDPC 3.
of members' personal data ranging from 6,000 to unknown number not even 60,000. If anything, the fact that the IES could more than been a factor to have breach should the cxtent of determine the exact indicia that level of penalty because it was a further increase the IES was the was data lacking. However, protection for the personal Medical Fei Fah whereas he process investigation co-operative with in The Cellar Door Ple Lid and Global Interactive Works an
73
Fu Kve Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [6] and [16]; Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services PeLtdand East Wind Sohutions Pte Ltd [2016] SGPDPC 19 at [13]-[14]. GMM Technoworld Pte Ltd [2016] SGPDPC 18; ABR Holdings Ltd [2016] SGPDPC 16.
13
Data Protection
in
the Practical
Context The Practical
2.46 Services and Pixart Plo Kwee Kitchen alerng In the decision of Fu names, postal addresses and the FuKwee had failed to protect and had not implemente its customers contact numbers of the collection, use o r di. for policies personal data protection a DPO." It is unclear ho of personal data, n o r appointed individuals' personal data ere involved, but Fu Kwee was
Lud ddresses and personal
forthcoming in providing
only provided
information
any
many
during the investigation 0
d the investioat bare facts in its responses during 1ons,76 Pixart, was also not co-operative d.
Fu Kwee's data intermediary, it did take active steps to recsie." the investigation process, although The Commission imn e weeks." two vulnerability within around on Pixart.78
penalty of $1,000
Subcontracted the that T2
identified
2.47
investigations
development of the CMS "developers based in China" 82
actual
as
to
another entity
2.49 information technology system and outsourcing of the The repeated serious cybersecurity issues. If n o o n e in the raises software product in the code, nor has the programming is what knows various entities there is arguably n o integrity nor warranty in the code been tested, c a n the programming code contain Not code.
only
programming business that exposes itself to this kind of liability is malware but any business assets, not only in the form of its customer risking its valuable of financial and other sensitive information that terms in base but also may also
The second case of Smiling Orchid (S) Pte Ltd, 12 Web Pte Lid, Crbersit Services Pte Ltd and East Wind Solutions Pte Ltd" was rather sketchy in th facts pertaining to who was responsible for what and the primaru respondent, Smiling Orchid, was so unco-operative during the that the Commission noted that.80
and Conceptual ramework
be
collected.
2.50
the full data protection breach involved the disclosure of mobile numbers, workplace addresses addresses, residential names, Orchid's customers.83 The and workplace e-mail addresses of Smiling individuals' how mention not personal data many Commission did affected. In the final analysis, since m o r e detailed facts of the The
personal
were
.. [it] was still unable to establish the pertinent facts on what caused the discourse and the specific roles of the parties involved at the material time As a result, the Commission had to take statements from the relevant parties in order to gather and distil facts.
2.48 T2 was engaged by Smiling Orchid to design the Smiling Orchid webpage and build a Content Management System ("CMS").31 T2 created the design and HTML code but outsourced the development of the entire CMS to a freelancer, who in turm
74 75
[2016] SGPDPC 14. FuKuee Kitchen Catering Services and Pixart Pte Ld [2016] SGPDPC:
76
Fu Kwee Kitchen Catering Services and Pixart Pte Lud [2016] sGPDPC 14
at [34].
responsibilities, especially of T2, could not be established, was the only party the Commission found to have been Orchid Smiling in breach of personal data protection requirements and hence imposed the $3,000 financial penalty upon it. roles and
2.51
A third case with relatively similar facts is GMM Technouorld Pte Lud where the respondent's unjustifiable ignorance or misunderstanding of the functions and features of a paid third party software it had implemented to collect personal data for registration of warranty resulted in the names, e-mail addresses, mobile phone numbers and residential addresses of 190 customers being publicly accessible.85 A financial penalty of $3,000 was handed to the respondent, taking into account that the respondent was co-operative in the investigation and took immediate steps to rectify the breach.86
at (32].
77 78 79 80 81
Fu Kve Kütchen Catering Services and Pixat Pe Lid [2016] at [33].
SGPDPC 14
Fu Kuee Kitchen Cateing Services and Pixart Pte Ltd [2016] SGPDPC 14 at [35].
82
[2016] SGPDPC 19.
83
Smiláng Orchid (S) Pte Lud, T2 Web Pte Ltd, Cybersite Services Pte Ltd and Eas Wind Solutions Pte Ltd [2016] SGPDPC at 19 [61)]. Smiling Orchid (S) Pte Ld, T2 Web Pte Ltd, Cybersite Seruices Pte Ltd and bAs* Wind Solutions Pte Ltd [2016] SGPDPC 19 at [6].
84 85 86
44
Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind SolutionsPte Ltd [2016] SGPDPC 19 at [7]. Smiling Orchid (S) Pte Lud, T2 Web Pte Ltd, Cybersite Services Pte Ld and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [11]. [2016] SGPDPC 18. GMM Technoworld Pte Ltd [2016] SGPDPC 18 at [6]. GMM Technoworld Pte Ltd [2016] SGPDPC 18 at [16] and [18].
45
Data
Protection
The Practical and Conceptual Framework
R7
Kitchen Catering Serico 7 in Fu Kwee decisions of the chairma were Pte Ltd" while Smilaing Orchid"9 was a
2.52 Both
the
decisions
GMM Technoworld Commission,
Thai, Leong Keng Yeong Zee
Commission member
mete out
any
Kin. In a
Commission
relatively similar facts,
and the
decision Yeong Zee Kin d did g no
tourth
member
financial penalties.
2.53 In
Conlext in the Practical
Swensen's Kids Clubthe respondent's of members by innse:e data the
websit
ABR Holdings Ltd
personal
allowed anyone as the memb embership numbgan membership number, guessable easily were issued in running sequence." The personal data of membersthat names, date ot birth, redemption states of accessible were their to
access
were
sundaes and "stamps",
number
of stamps
accumulated
and the
ev.
date of the membership. It could be said that these types ofnersSonal data revealed
intrusive as the personal data in Fu K. Kwe it is perhaps for this reason that 0 and Services" However, the respondent was informed by th
were
not
as
Kitchen Catering was imposed. penalty Commission of the breaches on 2 April 2014," before the Act d 2014, another complaint was lodged come into force. Yet, on 15July the s a m e breaches. When the Commission outlining with the Commission on 5 August 2014. t was informed by the respondent the names and immediately changed what could be viewed by omitting
date of birth of the members on the web pages. The inaction of the respondent for four months between April and August 2014 should surely have warranted some financial sanctions and not just simply a warning The Commission took the view that since the provisions only came into force on 2 July 2014, the infractions were only for about one month. This, however, is a myopic view given that the Commission itself acknowledged that the respondent had "ample time to take
corrective measures" between April and August 2014.
37 88 39 90 91 92 93 94 95 96 97 98 99
[2016] SGPDPC 14. (2016] SGPDPC 18.
[2016] SGPDPC 19. ABR Holdings Ltd [2016] SGPDPC 16. [2016] SGPDPC 16. ABR Holdings Lud [2016] SGPDPC 16 at [5]. ABR Holdings Ltd [2016] SGPDPC 16 at [8]. (2016] SGPDPC 14. ABR Holdings Lud [2016] SGPDPC 16 at [2]. ABR Holdings Ltd [2016] SGPDPC 16 at [3]. ABR Holdings Ltd [2016] SGPDPC 16 at [10]. ABR Holdings Ltd [2016] SGPDPC 16 at [21]. ABR Holdings Lud [2016] SGPDPC 16 at [20].
46
did not impose financial decided in 2015 also carlier cases few A the namcs, personal c-mail Ple Lld, the case of Metro Denaltics. In mobile phone numbers, dates of numbers, personal addresses, NRIC 445 of Metro's user login identifications of Facebook birth and active steps following the Metro had taken
2.54
were
disclosed.
customers the sccurity of its website, including engaging The data leak to strengthen internal IT security audit.102 an undertake to another firm was imposed.0 n o Metro but pcnalty a warning to Commission issued the personal data of Sociely, Comtputer in Singapore Further, disclosed via c-mail to the s a m e were inadvertently 214 individuals event. The Singapore who had registered for a n 214 individuals the breach to the itself reported ("SCS") Computcr Society Commission issued a warning without any penalty Commission and the full names, data disclosed were the registrant's to SCS. The personal e-mail addresses, organisation and numbers, contact NRIC numbers, and Singapore In both Metro Pte Lid designation information. in 2015. The in earlier time, occurred the breaches Computer Society, role in those m o r e strongly its educative felt Commission, perhaps, data leaks did not have was perhaps felt that the early cases. Further, it n o financial penalties w e r e imposed. hence and severe consequences NRIC numbers should be mnet With respect, any data leak involving numbers are very important NRIC with the highest level of censure, as identifiers that should be accorded the highest protection.8
universal
2.55 From the foregoing cases, it is unclear whether the current magic for the unauthorised disclosure of a number to
penalty trigger around personal data might be the disclosure of but Pte Technoworld GMM Lid109 in data as individuals' 200 personal the noting that the respondent in that case was co-operative during immediate corrective m e a s u r e s . The breaches took and investigations non-financial
in GMM Technoworld Pte Ltd
occurred in 2016 and is
100 101
[2016] SGPDPC 7. Metro Pte Ltd [2016] SGPDPC 7 at [6].
102 103
Metro Pte Lid [2016] SGPDPC 7 at [19]. Metro Pte Ltd [2016] SGPDPC 7 at [20].
104 105 106 107 108 109 110
[2016] SGPDPC 9. Singapore Compuler Society [2016)] SGPDPC 9 at [2]. GPDPC 20 [2016] SGPDPC 9. See ch 7. [2016] SGPDPC 18.
[2016] SGPDPC 18.
47
a
later
case
than
Data Protection
in
thePractical Context
The Practical and
Socety," both of whiL and Singapore Compuler Metro Ple Lid 2015. Certainly, in the occurred in with breaches that ases ore appcared Commission cared to be m more the willing decided in January 2017, In Protner substantial financial penalty.
which deal
impose a
Realty
penalty of $10,000 P e 1,765 individuals; this h e of data disclosure of the personal e imposed on JEs penalty financial contrasted with the $10,000 data belonging to 6,000 the personal of the disclosure 60,000 individuals. In P Pepperdine Group Pte Lid, 15 a i n a n c i ;to 2016 for to
Ltds the
more
imposed
Commission
a
financial
for placing the personal da ta was imposed penalty of $10,000 disclosure. There was no evidence that of risk the 30,000 individuals at uncO-operative with two cases were the respondents in these investigation process.
2.56
The remaining cases where the Commission has only issued
nings
co-operative respondens without imposing penalties of the breach of th the and impact breach likely the and where were somewhat limited. Obligations data have
personal
involved
protection
2.57 Spear Security Force Ple Ltdo involved an unattended open log book
data at a condominium and there was no evidence suggesting that personal data actually had been exposed to unauthorised third parties."7 Similarly, in Full House Communications Pe Lud8 the lapse in security involved the auto-fill function being enabled for drop-down boxes on laptops used by consumers ata furniture fair to enter a lucky draw. This led to consumers being able to see the personal data of other consumers who had entered their personal data for the lucky draw.19
containing visitors' personal
2.58 In Yestuition Agency20 the respondent had disclosed on its website without consent of the individuals, the photos of around 30 individuals who
had
registered
to
be
its
tutors,
using
the
111 112
(2016] SGPDPC 7. [2016] SGPDPC 9.
113
[2017] SGPDPC 1. The lnstiution of Engineers Singapore [2016)] SCPDPC 2.
114 115 116
117 118 19
120
48
at
no
evidence of how
2.59
of that involved the disclosure of the personal data resulted in a also being warning to about 30 recipients two individuals " the n a m e and of Jump Rofpe (Singapore), meted out. In the case e-mailed to around were individuals two NRIC number of of the for warning the schools about purpose 30 government schools two individuals. The so called "name and the of the blackisting to help schools in making decisions shame" exercise was meant solcly The Commission found when engaging rope skipping instructors. reasonable person standard in section 11 of the of breach a was A
Case
there
breach of the consent requirement. There appears to it was stated that section 20 was also be typographical errors where breached while in other paragraphs, the Commission stated that the Act25 and
a
section 20 was not relevant to the case. In any event, because the and breach only involved a limited number of government the personal data disclosed were limited and related to only two
schools
individuals, and the respondent was co-operative during the
investigation, the Commission decided a warning was the appropriate course of action. As will be discussed in chapter 6, this decision does not appear to have been correctly decided based on sections 11 and 13 of the legislation, hence, the non-imposition ofa financial penalty was indeed the appropriate course of action. 2.60 The facts of AIA Singapore Pte Ltd28 involved the unauthorised disclosure of one individual's bank account details to one other party, namely, the individual's chiropractor.23 This was a case that also
121
Yestuition Agency [2016] SGPDPC5 at [18].
122
[2016] SGPDPC 21.
and [18].
127 ump Rope (Singapore) [2016) SGPDPC 21 at [17].
[2016] SGPDPC 8.
SGPDPC8
was
123 Jump Rope (Singatpore) [2016] SGPDPC 21 at [7]. 124 Jump Rope (Singapore) [2016] SGPDPC 21 at [7] and (9]. 125 Personal Data Protection Act 2012 (Act 26 of 2012). 126 Jump Rope (Singapore) [2016] SCPDPC 21 at [14] but compare [15]. [16]
Spear Security Force Pte Ltd [2016] SGPDPC 12 at [13]. (2016] SGPDPC5.
here
the filenames. as NRIC numbers the vicwed the photos and NRIC numbers, but had many people had been co-operative and the respondent that Commission noted taken the investigation proccss and had also forthcoming during o n c e it was awarc of the breach situation the proactive steps to remedy of the Act. 2
individuals'
[2017] SGPDPC 2. [2016] SGPDPC 12.
Full House Communications Pte Ltd [2016]
Comceptual Framework
[9]-[ll).
128
[2016] SGPDPC 10.
129
AlA Singapore Pte Lid [2016] SGPDPC 10
49
at
[1].
Data Protection in
the Practical Context The
Obligations0 andd involved a sin one single party concerning one single ne to was disclosure the only no evidence of actual loss or da of personal data, and there was undertaken an immediate revin had suffered and the respondent issued only a warning. Another a of Commission the its proceses, also which involved the and discl was issued a where
only warning
My Digital Ioc k Pte mobile phone number and complainant's personal his disclosed on the social media Dlatf address m
is the of personal data of a single individual
Ltd
The
residential
case
of
were
Facebook, on the account of the employee of the respondent for
than longer information
o the purpose of transferrino an hour, apparentdy for the from his mobile phone to a computer tor sending on to
The Commission also took into account the limited mobile phone number and sensitivity of the personal data, namely, residential address, as well as the co-operative response of th
legal advisors.3
respondent in the investigation.4
co-operative with the investigations
and had proactively taken steps to the Commission not issue any dircctions but warning to both respondents.11
remedy the breach,
only issued
a
did
2.62 For breaches of the personal data protection Obligations involving of Central Depository (Pte) Ltd financial personal data, the July and Toh-Shi Printing Singapore Ple Ltd is instructive. This case involved the disclosure of 195 individuals' personal data. There was an crror which caused 92 individuals to receive personal data belonging to others. The personal data disclosed included account information such as name, address and account number; securities held; transaction The remaining 103 individuals summary and payment summary.
2016 case
received similar personal data belonging to others, except that there
were no details on securities held; transaction summary and payment
summary.14 The Commission found that Central Depository (Pte) Ltd was not in breach of the Protection Obligation as it had valid clauses in
2.61
the contract with its d a t a i n t e r m e d i a r y t o p r o t e c t p e r s o n a l data. 5
One case where the quantity of personal data disclosed was large but the nature and method of the personal data disclosed was not significant is the case of Challenger Technologies Ltd and Xirlynx Innovations. 5
Challenger's data intermediary, Xirlynx, had erroneously
sent e-mails containing the personal data of members of Challenger's ValueClub programme to other members of the programme, who were the wrong recipients.56 There were 165,306 recipients of e-mails with someone else's personal data.37 Nevertheless, the personal data disclosed was limited to the member's name, accumulated points and membership expiry date "5 The Commission noted that the personal
data disclosed were not of a sensitive nature and the personal data leaked could not be used by the individuals who had received them to profiteer or benefit from them, and was unlikely to lead to any harm or loss to the individuals concerned." Since the respondents had been
Singapore Pte Ltd [2016]
130 131
AIA AlA
132
[2016] SGPDPC 20. My Digital Lock Pte Ltd [2016] SGPDPC 20 My Digital Lock Pte Ltd [2016] SGPDPC 20
133 134 135 136
Practical and Conceptual Framework
Limitation
breach of the Purpose
SGPDPC 10
Singapore Pe Ltd [2016] SGPDPC
[2016] SGPDPC 6.
10
at at
at at
Protection Obligation and a penalty of $5,000 was imposed on Toh-Shi
Printing.0 The Commission noted that the personal data disclosed constituted sensitive financial personal data and that a total of 195 individuals' personal data were affected."" 2.63 Toh-Shi Printing was again sanctioned in a subsequent case. In Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd 8
its own staff failed to comply with its own security measures and
140
[25]. [28].
144
Ltd and
Xirlynx Innovations [2016] SGPDPC
137
Challenger Technologies at (15].
Ltd and
Xirlynx Innovations [2016] SGPDPC
138
Challenger Technologies t [14).
Ltd and
Xirlynx Innovations [2016] SGPDFU
147
139
Challenger Technologies at
Ltd and
Xirlynx Innovations [2016] SGPDr
148
50
Challerger Technologes Ltd and Kirlynx Innovations [2016] sGPDPC 6 at [37]-[38]. Chalenger Technologies Lid and Xirlynx Innovations [2016] SGPDPC 6 at [39).
142 143
Challenger Technologies at [14).
[37].
Aviva was found not to have
breached any of its obligations concerning personal data protection but Aviva's data intermediary, Toh-Shi, caused the data breach when
141
[18]-[21]. [24].
The
data intermediary was, however, found to be in breach of thc
145 D
146
[2016] SGPDPC 11.
Central Depository (Pte) Ltd and SGPDPC 11 at [8]. Central Depositor (Pte) Ltd and SGPDPC 11 at [9).
Toh-Shi
Printing Singapore Pe
Lud [2016]
TohShi
Printing Singapore Pte
Lid [2016]
Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [17]-[18]. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [23]. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [24). (2016] SGPDPC 15.
51
Dala
Toh-Shi's
procedures.
spreadsheet for Toh-Shi the
sort,
to
an
information
in the
without
Practical in the
staff had
further
the knowledge
take advantage
incomplete
or
Context
sorted
approval
The Practical and Coneeptual Framervork data data
the of
the order
in perfor
savings," of postage of the policyholders
selection
This resulted in
raw
in
Aviva, in
but
data was made. was printed information that
in the
account
Prolection
orming
acco
am mismatch a
and sent out.
2.64 the personal data bclonoi the disclosure of The breach involved Public Officers Gr under the Aviva roup 7,794 Aviva policyholders " Erroneous annual premi. ("POGIS"). Insurance Scheme to the POGIS policvhalia 2015 were sent out statements for the year data of 8,022 individuals, includin:the In total, however, the personal were disclosed in the data breach POGIS policyholders' dependants, data disclosed were the names of th incident.15 The personal the s u m insured under tho o r beneficiaries,
policyholder's dependants a m o u n t and type of coverage.153 insurance policy, the premium 2.65
not merely from a personal data disclosed were of a sensitive nature, financial perspective but that the disclosures could also be socially embarrassing; that this was Toh-Shi's second infraction in less than a the investigation and year; and that Toh-Shi was co-operative 55 took promnpt remedial and preventive actions.
during
2.66 From the cases to date, a few observations can be made. The Commission takes a much stricter view if the personal data in question is financial or sensitive in nature.136 For non-financial personal data, it would appear that the Commission is more forgiving of non-technological or human error, including errors of judgment,
157
Aviva Ltd and Toh-Shi Printing Singabore Pte Ltd [2016] Avva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Avva Lid and Toh-Shi Printing Singapore Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapoe Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapoe Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Central Depository (Pte) Ltd and Toh-Shi
15 at [14]. 15 at [15). 15 at |1]. 15 at [(2]. 15 at [8|. 15 at [37). 15 at |38]
Printing Singapore Pte Ltd SGPDPC 11; Aviva Lid and Toh-Shi Printing Singapore Pte Ltd SGPDPC 15.
practices where
onc-oll
arc
Commission appears systemic
to
2.67 Data
errors
[2016 |2010
Spear Security Foce Pte Ltd [2016] SGPDPC 12; Full House Communicatio Pte Ltd [2016] SGPDPC 8; Challenger Technologies Ltd and Xriyni
that trigger personal dat wno
are not
be lookcd
limited about
impact. A
The
ensuring
that
protcction breaches
co-operative and
upon favourably
are not
rectified. forthcoming
10
are
aggravating
financial penalties. consider in calculating
6l
2.68
question if the quantum ot the penalties imposed to date are small. Certainly, penalties in the order of $5,000 to $10,000 may effect. It may be that the leniency of the not serve any deterrent a is date to sign of its desire to raise awareness and simply Commission in time. If the penalties remain at this level in to educate at this point the long term, it will have a deleterious effect on compliance.
One may
(e)
Appealing the decisions made by the Commission
2.69 There is a procedure provided in section 31 whereby applications can be made by either the organisation or the individual to the Commission within 28 days for it to reconsider any of its directions or decisions. In addition, the decisions and directions of the Commission, including the decisions and directions made as a result of the
Innovations [2016] SGPDPC 6; AIA Singapore Pte Ltd [2016] SGPDPC 10; Yestuition Agency [2016] SGPDPC 5; My Digital Lock Pte Ltd [2016]
159
SGPDPC 20; GMM Technoworld Pte Lid [2016] SGPDPC 18. Unaversal Travel Corp Pte Ltd [2016] SGPDPC 4; Singapore Compruter Society
2016] SGPDPC 9;My Digital Lock Pte Ltd [2016] S PDPC 20;, Jump Rope (Singapore) [2016] SGPDPC 21. Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3; K Box Entertainment Grouy Pte Ld and Finantech Holdings Pe Lud 12016] SGPDPC 1; The mstitution of Engineers Singapore [2016] SGPDPC 2; Smiling Orchid (S) Pe Ld, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd
2016] SGPDPC 19; Fu Kwee Kitchen Catering Services and Pixart Pte Ltd 160 161
2016] SGPDPC 14.
rei Fah Medical Manufacthuring Pte Ltd [2016] SGPDPC 3; K Box Entertainment
Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1. Personal Data Protection Commission, Advisory Guidelines on Enforcement ofthe Data Protection Provisions (21 April 2016) at paras 25.1-25.3.
(cont'd on the next page)
52
with
Concerned
very
consistent with the Advisny Audelnes on Enfocement of the Protection Provsions 1SSued by the Commission, which sets out and mitigating factors that the Commission may
These some
De
ormation technology is involved, inffor
specially respondents I astlv, thosc will not with information
158
SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC
they
too
financial penalty of $25,000 On The Commission imposed a Toh-Shi.15 The Commission took into account the fact that the
149 150 151 152 153 154 155 156
ecially if
53
Data
Protection
can
reconsideration
process, in sections 33
in
be to
the Practical
taken
35.
Context
The Practical and Conceptual Framework
through
an
The irst relevant
appcal
appellate
cess
body is but if there is concurre
which is set out Committee, an Protection Appeal the Data reconsideration, the a Commission for to the is Protection Appcal C application The Data deemed to be withdrawn. Commission and otherwise mat the remit the m a t t e r to mo y may Commission itself could have which the or decision o r direction taken could itself have Commission which the other such step take
mittee
2.70
direction is decision under noted that while a It should be direction or decision thar the of effect the reconsideration o r appeal, is not suspended, exccpt n reconsidered o r appealed is being or against the imposition of of appeals reconsideration applications for financial penalty.5 A decision the amount the or of a financial penalty Committee can be appealed to the of the Data Protection Appeal on a point of law or o n the amount of a Singapore High Court is a further right of appeal to the Singapore or
financial
penalty.164 There
in the case of decisions made Court of Appeal as exists of its original civil jurisdiction.l6 High Court in the exercise
2.
by
the
individuals
The penalty for the Act. for a term not imprisonment non-natural persons penalty for
is a
is
a
than
fine of up 12 months,
fine of not
more
to or
$10,000
than $100,000.167
2.73 that any person or organisation which Section 51(3)(a) specities or destroys records with intent to conceals falsifies, disposes of, alters, correct to o r access personal data o r information to evade a request to use o r disclosure of personal data, is subject collection, about the for and individuals $50,000 non-natural1 to $5,000 for a fine of up pcrsons. 68
2.74 Lastly,
or recklessly makes a false statement to anyone wh0 knowingly to mislead the or who knowingly misleads or attempts Commission, the o r powers under duties its of exercise the Commission in the c o u r s e of individuals is a fine an offence.The penalty for the Act also commits not more than 12 months, o r imprisonment for a term to $10,000 of up for non-natural persons is a fine of not more than or both. The penalty
(b)
Piercing the veil
2.75
The Act is
considerably strengthened
offences. The offences
procedural
so as
are
to ensure
with the inclusion of a number of
both substantive in nature as well as that there are no obstructions in the
administration of justice. Jurisdiction vests in the District Court to try
has power any offence under the Act and the District Court the full penalty or punishment in respect of the offences.
to
impose
situations Section 52 provides for the corporate veil to be pierced in there is Where non-natural committed are persons. offences where by a non-natural person, such as a an offence that has been committed by "" body corporate," a partnership, or an unincorporated association, then an officer or a partner or any member who manages who had, to through their consent or connivance or neglect allowed the offence occur, is also guilty of an offence, in addition to the body corporate,
partnership,
or
unincorporated association.
Offences under section 51
2.72 A general offence of obstruction or impediment can be foundn section 51(3)(6), which imposes criminal penalties on any organisation or individual that obstructs the Commission or an authorised officer or
the Commission in the performance of their duties or powers under 162
Personal Data Protection Act 2012 (Act 26 of 2012)
163 Personal Data Protection Act 2012 164 Personal Data Protection Act 2012 165 Personal Data Protection Act 2012 166 Personal Data Protection Act 2012
34(2).
(Act 26 of 2012) ss 34(3) and 31(2) (Act 26 of 2012) s 35(1). (Act 26 of 2012) s 35(4)
(Act 26 of 2012)
167 168
169 s
s
170
171 172 173
51 (5). s of 2012) 51(4) Personal Data Protection Act 2012 (Act 26 of2012) s 51(3)(¢). Personal Data Protection Act 2012 (Act 26 of 2012) Personal Data Protection Act 2012 (Act 26
s
Personal Data Protection Act 2012 (Act 26 of 2012) s 51(6). and Personal Data Protection Act 2012 (Act 26 of 2012)
ss 52(1)
Personal Data Protection Act 2012 (Act 26 of 2012) s 52(3). Personal Data Protection Act 2012 (Act 26 of 2012) s 52(4).
54.
55 54
or
both. The
$100,000.170
Criminal penalties
2.71
(a)
more
52(2).
Data Prolection inthe
Practical Context The Practical and Conceptual Framework
Unauthorised access
(c)
or
correction
2.80
2.76
some
safeguards for individuals
The remedies available
ao
hose The Act also provides other individal themselves as who who fraudulently represent + from themselves as having authority fraudulently represent access to or to chan offence to obtain individual. It is a n the individual Without the authori another of about personal data ,000 or imprisonmen is a fine of up to $5,04 individual." The penalty for o r both.175 months, than 12 term not m o r e
iniunctions
or
for this
declarations
private
action
are
wide-ranging,
damagcs and any othcr rclief
to
from
as
the
court thinks fit.
other
a
General penalty
(d)
4.
Employer liability for employees
2.81
The
Act is realistic and fair in its placement of liability in the and acts of an employee in the employment context. The conduct course of employment are treated as being done by both the employec
and the employer, whether
or
not
they
were
done
or
engaged
in with
the employer's knowledge or approval.76 The definition of "employee"
2.77 There is
"catch-all" penalty clause in scction 56 which: section provides the penalty where. natural persons. This An a
applies
general
only offence has no specific penalty expressly provided. Section 56 imno. poses not exceeding $l0,000 or imprisonment for a maximum a penalty to
term not exceeding three years or both. For a continuing offence it
also allows for further fines of up to $1,000 for every day the offener continues.
2.78
in the Act
includes
volunteers.77
2.82 This places the onus on employers to have systems, processes and procedures in place to supervise and monitor employees in the proper handling of personal data and to minimise any contraventions of the Act. Indecd, the Act provides a defence for the employer if the employer can prove that such steps as were practicable were taken to prevent the employee from doing the act or engaging in the
The slew of criminal sanctions in the Act, combined with the robust
conduct.8 It is thus imperative for employers to have sound policies
powers of the Commission, ensures the enforcement system has
and practices regarding employee conduct in the handling of personal data and to have checks in place to ensure that they are adhered to. A case in point is Aviwa Ltd and Toh-Shi Printing Singapore Pte Ltd,
significant power to deter.
where Toh-Shi's own employees breached its own procedures and
Right of private action
3.
2.79 Individuals who have suffered loss or damage directly as a result of a breach of any of the provisions in the personal data protection Obligations, namely, those set out in Part IV, V or VI of the Act, by an organisation have a right of private action for relief in civil proceedings section 32. The only proviso is that if there has been a decision
under
further, lapses occurred when its own quality control sample checks failed to spot the error as the sample checks were verified against the erroneously sorted file instead of the source data from Aviva.0 In the case of My Digital Lock Pte Ltd8 there was evidently no policy in place prohibiting employees from using an open social media platform such as Facebook to transfer personal data, which resulted in the employer being found liable for the breach by the employee in the course of employment.182
made by the Commission regarding a contravention of the personal data protection principles, then the private action regarding the same contravention cannot be commenced until all the
have been exhausted.
174 175
appeal processc
Personal Data Protection Act 2012 (Act 26 of 2012) s 51(1) Personal Data Protection Act 2012 (Act 26 of 2012) s 51(2). 56
176 Personal Data Protection Act 2012 (Act 26 of 2012) s 53(1). 77 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). 78 Personal Data Protection Act 2012 (Act 26 of 2012) s 53(2). 179 [2016] SGPDPC 15. 180 Aviwa. td and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 15 at [16]. 181 182
[2016] SGPDPC 20.
My Digital Lock Pte Ltd [2016]
SGPDPC 20
57
at
[13]1-[14].
Data
Protection
Context in thePraclical
The Praclical and Conceptual Framework
levels and layers of. 2.83 is used, the apPpropriate the surreptitious cotri Where technology to prevent should be in place and access disclosure of personal use and and and subsequent should always be adopted. T. by design a good illustrasrin be personal data protection would I discussed in chapter Andreus case and appropriate technolOf training how crucial both employee should have been trainedgcal not to The hotel employees processes are. and not to accede to a stranger's , names of guests the disclose female celebrity, and the hotel's i next door to a to rent the room have been configured to hise should area telephone in a public room number of hotel guests.
data by employeelection
request
2.84 The Act also provides
have
a
employees
if
the
DATA INTERMEDIARIES
D. 2.86 data
act
was
done
or
the
conduct
engaged in
employee
was
ca
is defined in section 2(1)
data
defines "processing" the carying
on
as an
organisation which
organisation but does not organisation.87 Section 2(1) also
behalf of another
of that
other
in relation to
88 personal data as:
out of any operation or set of operations includes any of the following:
in relation
to
the
personal data, and
(a)recording;
in good
holdings
)
()
course
act or conduct must not have been consented to or connived in by the
organisation, adaptation or alteration; retrieval; combination; transmission;
(gerasure or destruction.
employee or be in any way attributable to any neglect on the part of the employee.85
intermediary
nrocesses personal include an employee
fai or in accordance with instructions oi of employment, in the course The employee in of employment. the employer in the by an instance must not be an otficer or someone Wno manages, and the
show that the
stringent
personal data.
..
defence for
DBS Hong Kong from liability if it did this may well absolve olicies and practices in place for the protection of
ed
invo
2.87
2.85 A case closer to home to watch on the interplay between employer and employee liability is the case in Hong Kong where some 20 DBS Hong Kong employees are being investigated by Hong Kong's anti-corruption agency, the Independent Commission against Corruption ("ICAC"). It appears that the employees had allegedly used bribery to obtain personal data of DBS clients which were then passed on to a call centre in mainland China offering telephone promotions for high-interest Some Hong Kong customers who received loan marketing calls
loans.
from people claiming to be DBS staff made complaints and DBS's internal investigation showed that the calls came mainly from the said call centre, even though DBS has never worked with the call centre on
telephone promotions. A report was then made to the ICAC for further investigations by the relevant authorities. It appears that the call centre shared commissions with the errant employees. It will be interesting to see whether DBS Hong Kong will be held liable for the personal data breaches of the errant employees but if bribery was 183 Erin Andrews v Marriott nternational Inc, et al 11C48311 (Tenn Davidson Co, 2016). 184 Personal Data Protection Act 2012 (Act 26 of 2012) s 48(1). 185 Personal Data Protection Act 2012 (Act 26 of 2012) ss 48(2)-48(3).
58
Processing is thus very widely defined and would appear to include any activity done in relation to personal data. As a consequence, the concept of a data intermediary and the scope of what a data intermediary can do is also extremely wide, ranging from those who offer document destruction services, to accounting and other organisations that provide payroll services, to those who provide courier services, even to freelance photographers hired just to take photographs at one event. Network service providers that merely act as conduits for the transmission of personal data will not be liable in respect of third party material in the form of electronic records to which they merely provide access.90 2.88 Whether a party is a data intermediary will depend to a large extent on the contract between the party and the organisation for whom it is 186
Lee Xin En, "MAS
monitoring
(9 December 2016), available
187 188 189
190
at
DBS
Hong Kong
case" The Straits Times
(accessed 9 December 2016).
Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.24. Personal Data Protection Act 2012 (Act 26 of 2012) s 67(2).
59
the Practical Context Dala Prolection in data. The
contract should
The Practical and Conceptual Framework
state clearlu
rights
processing personal well as the responsibilities cach party, as and obligations of and data, including wheth in relation to the personal liabilities
organisation is
to
process
personal
data
on
If the
behalf of
and One
for
the is silent or men for acceptanaly
contra tract
other organisation. purposes of the to another sent by one party consists of quotations both parties will occurs, Act the breach of payment, when a data Obligations to the full extent m
the personal Act. This was the case in
answer
to
KBox
Entertainment
where the scope of the
e Ltd and Croup Ple.
processing by
to
he
antech
Finantech
Ld both parties were held to the full extent Holdings K Box was unclear; Pte
dnd
ssible
for the breaches.
2.89
The Act does not "impose any obligation on a data intermediar in of personal data on behalf of and for the respect of its processing pursuant to a contract which purposes of another organisation
evidenced or made in writing," except in relation to the obligatione of personal data under to the security and protection section 24 and the retention of personal data under section 25,191 The
relating
organisation which has contracted out its personal data processing
activities is vicariously liable for any breaches of the Act by the data intermediary within
the bounds of the contract.
Hence.
organisations should engage data intermediaries that can and will with the personal data protection laws.
comply 2.90
In a few of the early cases, the Commission noted that the failure by the organisation to put in place data protection terms and conditions in its contract with the data intermediary instructing it to protect
personal data amounted to a breach of the Protection Obligation." Would an organisation which does have such a clause in the contract with its data intermediary be absolved from liability for breach of the Protection Obligation should the data intermediary not comply with the Protection Obligation? The question was answered in the 191
Personal Data Protection Commission, Aduisory Gruidelines Key Concapts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.21.
192
[2016] SGPDPC 1 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(2). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(2). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(3). See aiso Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3. K Box Enlertainment Group Pte Ltd and Finantech Holdings Pte Ltd [zu 16] SGPDPC 1 at [42]; The Institution of Engineers Singapore |2016J Sur* C2 at [30].
193 194 195 196
on
60
eaative in the July 2016 case ot Cenlral Depository (Pte) Ltd and Tah Shi Printing Singapore Ple Lla." The contract had required the intermediary, Toh-Shi Printing. to take necessary actions and data to protect the personal data during the rinting process. The ommission did not find Cenral Depository recautionary
measures
Prcc
(Pte)
Ltd in breach
of the Protection Obligation.
198
2.91
in K Box Enterlainment Group Ple Ltd similar vein, the Commission also stated that in discharging its Pe Holdings Drotection Obligation, the data intermediary which was, in this case, information technology service provider, should have an outsourced K Box, of failings in the data security customer, its notified arrangements.20 If it had done so, the Commission would have taken In
a
nnd Finantech
Lud
this into account in its
2.92
assessment
of Finantech's
culpability 201
be possible for the contract data intermediary to include indemnity clauses to force the data intermediary into indemnifying the organisation that has hired it for any personal data breaches.
It is also not between the
entirely clear organisation
but it and
might
its
2.93 If the data intermediary acts beyond the processing required by the organisation under the contract, then the data intermediary will not be considered a data intermediary in respect of such use or disclosure. In such circumstances, the data intermediary will cease being a data intermediary and will need to comply with all the personal data protection provisions.22 Thus, it is imperative for organisations to be explicit and clear in their contracts with data intermediaries in terms of what processing the data intermediaries are contracted to carry out for the organisations. It should be noted that a data intermediary is only a data intermediary for the personal data that it processes for or on behalf of another. Hence, a data intermediary will not be a data
197 198
[2016] SGPDPC 11. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ld [2016)
SGPDPC 1l at [171-[18]. 199
[2016] SGPDPC 1.
200 K Box Entertainment Group Pe Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [37]-[381. 201
K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016]
202
Personal Data Protection Commission, Advisory Guidelines on Key Concepts n the Personal Data Protection Act (revised on 15July 2016) at para 6.22.
SGPDPC 1 at [38].
61
Data
for
intermediary data as
personal
Protection
the personal
of its
oWn
in the Practical
data it
Context
holds for
The Praclical and Conceptual its
own
bses, such 2.97
employees.
conducive to effective objective standard. As will be the ovable feast of what is a chapters, remaining would consider to and what this reasonable person
it is currently data protection
as TheAct personal
seen in the
"THE REASONABLE PERSON"
oropriate
the
of
ndeed,
the
reasonable
person
would
ler
consider
appropriate
in
poses
the
"203
2.95 that organisations, in Act further states Section 11(1) of the consider what a should Act under the nable their responsibilities in the circumstances.204 The consider appropriate would person considered section 11, however it is decision Jump Rope (Singaporeh was incorrectly decided and case the submitted that the respectfully 6.206 more fully in chapter decision is discussed
meeting
of
2.96
law and how and what this of the "reasonable person" in works well where there is a think would only reasonable person of the "reasonable person". The consensus or clear understanding reasonable the person test in an area such as problem with using which is so strongly intertwined with data protection, personal technology, is that it is practically impossible to determine what such a use
reasonable person might consider to be appropriate in any given
circumstance. The fundamental question is: who is the reasonable person? The social media addicted younger generation will have very different views and understanding of what personal data protection is or ought to be that would colour their thinking of what is appropriate. At the other extreme could be an age group that clings to the
traditions and values of restraint and non-exhibitionism, whose views on what is appropriate will be determined by their values. Somewhere in between, there may be a group of reasonable people who have some knowledge of technology and have seen the grave dangers of personal data misuse. 203
204 205
Personal Data Protection Act 2012 (Act 26 of 2012) Personal Data Protection Act 2012 (Act 26 of 2012)
[2016] SGPDPC 21.
206 See ch 6,
at
s
3.
s
11(1).
62
not
the
most
an
challenging
to
achieving
useful bascline
ENCOURAGING COMPLIANCE
2.98
data protection regime is in place and appears issues, including giving the Commission material the to cover all be done by the Commission. could more Substantial powers, the
personal
2.99 has been proactive and has issued a considerable The Commission and guides, which are publicly accessible on its number of guidelines commendable. are constantly updated which is, indeed, These website.207 assist in to documents these for compliance is by However, if the aim the Commission ought to make it easy for organisations,
organisations, abreast of the updates or changes by including individuals, to be kept made to the guides and guidelines, or at amendments highlighting the older versions of the documents the of archive an least, keep the very which comparisons can be made. This will enable on its website, with to, at a glance, ascertain which sections have been
organisations amended or updated, instead of trawling through multiple guides and guidelines from scratch, some of which are over 50 pages long, each
time the Commission issues an update. The Commission ought to make it easier and not more difficult for organisations to comply. In any event, as a matter of best practice, procedural fairness would entail
the organisation have access to a publicly available document which
the Commission has issued in the past and which the organisation may have followed but yet, the organisation may still face investigation over an alleged breach of the provisions in the Act. 2.100 Secondly, the Commission has yet to educate the community at large on the dangers, risks and consequences when personal data is misused.
It has thus far not seemed to realise that the best catalyst for organisations to comply with the pesonal data Obligations is pressure
207
paras 6.32-6.44.
is
it lacks
F.
A/hile
circumsances.
The
as
protection.
need of
individuals
organisations a
r c a s o n a b l e person" reter to the er section around 3, ccentres stated in as
in the Act
of the Act, data and the the their personal to protect data for personal disclose use o r to collect,
intention
right that
drafted
sonable person will prove
E.
2. 94 Many provisions
Frameauork
https://www.pdpc.gov.sg (accessed 16 February 2017). 63
Data and expectations organisations, organisations
in
one
way
individuals
Context
in the Practical
individuals,
from
and
Protection
are
Jnless
aware
fully
misuse
the
all,
Unless
another.
or
of
after who a r e
The Practical and Conceptual Framework the
custon
and and
unt
of the of
stomers of
unüil risks,
both dang ECs,
personal
as
by organisations with liability and 1, compliance highlighted in chapter will be, at best, h a l t - h e a r t e d and lukewarhe . obligalions personal data consequences
CONCEPTUAL
G.
FRAMEWORK
OF
DATA
PERSONAL
REGIM
anObligation
but
one
that
1s
not
well
undcrstood
nor
importani complicd with.
use o r disclosure of thc individual, c o n s e n t from thc onal data has use o r disclose the pcrsonal data.212 colled person required t o dividual is lematic as it encompasses the c o n s e n t is of issue the However, which complicates the application of the deemed consent, conccpt of
2.106
f o r the Gh after the purposes becn notificd
collection,
to the
Obligation of Consent.213
101 The
personal
which
must are
consent
data
protection
regime
has
Concepts
a
of key conce personal dataP and
number
such
as
be understood. understanding of fundamental to the
how the
reo
operates. .102
what docs excluded from
data"so
to "personal not legislation only applies th "personal data" is immediately as will be seen in chapter 3, "personal application of the Act. However, a n d it has many complexities
The
constitute
data" is
not
an
to grasp easy concept the definition.
intertwined within
2.103 data a r e excluded from the Second, certain types of personal business c o n t a c t information so for example, of the Act, operation the to recourse personal data protection can be handled without Act.2 Obligations in the
2.104
Third, once something is classified as personal data, before any collection, use o r disclosure of the personal data is carried out, the of the individual must be noified of the purpose or are there data. the However, collection, use or disclosure of personal
purposes
exceptions.210
107
for the requirement of however, also cxceptions circumstances set o u t in within the lalls data that conscnt. For personal F o u r t h Schedules, there a r e copious lists of and Third the Second, not required for collection, use o r s situations whereby consent
Sixth,
there
are,
disclosure of the
personal
data.211
2.108
need to
data would organisation holding any personal data protection Obligations set out in the personal comply with such as access to personal data by Parts IV to VI of the Act, Obligations about the individual by the held data of the personal an individual correction of personal data and security of personal organisation," will need careful data.216 Some of these principles o r Obligations between the will be there as overlap consideration and implementation the principles and s o m e of the other provisions that may of application For example, even if a piece of personal data prove to be confusing. in the above-mentioned falls into the categories of the exceptions and use Schedules and do not require c o n s e n t for collection, for have the example, to right, disclosure, a n individual appears to still of that disclosure use and piece of the collection, withdraw c o n s e n t for is not the case. this in examined 5, will be as but chapter personal data, There are n u m e r o u s such intersections in the implementation and them to real life situations c a n of the Act and
Seventh,
an
application prove to be perplexing.
applying
2.105
Fourth, there is a limitation on the permissible purposes of the collection, use or disclosure of the personal data.2 This is an
208 209 210 211
Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012
54
(Act 26 of 2012) s 3.
(Act 26 of 2012) s 4(5). (Act 26 of 2012) s 20. (Act 26 of 2012) s 18.
212 213 214 215
Personal Data Protection Act 2012 (Act 26 of 2012) s 13. Personal Data Protection Act 2012 (Act 26 of 2012) s 15. Personal Data Protection Act 2012 (Act 26 of 2012) s 17 and Second, Third and Fourth Schedules. Personal Data Protection Act 2012 (Act 26 of 2012) s 21.
216
Personal Data Protection Act 2012 (Act 26 of 2012) s 22.
65
Data Protection in 2.109 Eighth,
the Practical Context defin the perso
are not
the
terms
and "disclose "collect", "use", of of the e s s e n c e of are
personal
the
part data though they Act, in the e x a c t meaning m a ult in The uncertainty regime. a s c e r t a i n whethe protection to per be problematic where it may"collected", data has actually been "used" or "disclosed". Furthaona] re, situations even
disclosure
is
a
form of
doubts about what else "use".217 the notion of
2.110
use
and
might
the
be
inclusion
of
excluded f r o m
framework
the broad conceptual and this b0ok data protection regime issues, topics and individual dissecting the
This is
disclosure understand
the
ve
of
CHAPTER 3
The Concept of Personal
Data
Singapore ne this framewO requirements of the reai of the
will
use
3.1
The centrepiece of the Personal Data Protection Act 2012 (the "Act") is the concept of personal data,' around which all the provisions evolve. Conceptually, the definition in the Act is a fairly standard of many jurisdictions, as well as in one found in the legislation such as the European Union ("EU") Data framework legislation Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679.3 The definition, however, though seemingly
simple, has generated multifaceted complexities in its application.
A.
DEFINITION IN THE LEGISLATION
3.2 The term "personal data" is defined in section 2 of the Act to meaan "data, whether true or not, about an individual who can be identified
2(1)
Personal Data Protection Act 2012 (Act 26 of 2012) s of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the on the data
Directive 95/46/EC 3
217
4
See further ch 5.
66
processing of personal data and free movement of such [1995] OJL 281/31 ("EU Data Protection Directive 95/46/EC").
Regulation (EU) 2016/679 of the European Parliament and of the Counciltoofthe27 April 2016 on the protection of natural persons with Tegard processing of personal data and on the free movement of Such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("EU General Data Protection Regulation 2016/679"). Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).
67
Data Protection
inthePractical other
and from that data access". to have
or from that data; has o r is organisation
Context
(the "Commission")
Personal Data Concepts in the
that the
definition
construed and
which the
likely
3.3 noted that the Personal Data it should be At the outset, stated in thc Adv Commission
TheConcept of PersonalData
information to
Protection
Acé "is
p...
otecton Advisory Guidelines on Key idelines
("KeyConcepts not
intended to be
narro of personal data data from which an individual wly
covers
can De
all types of
identified".6
3.4
of this definition is that if an individhat
The simple understanding be identified from that piece
of data or from that piece of
ann
ta then the iirst piece data or combination with other informaton, data. lt sounds simple information constitutes personal Guidelines given bu L even some of the Advisory
of
but,
unfortunately,
Commission
have served
fuel confusion."
3.7
exactly does "data" and "information" about an individual encompass? In effect, most data "about' an individual falls into three broad categories that are not mutually exclusive: data with some
So what
about an individual; data with a purpose element about individual; and data with a result element about an individual.
content
3.5 There
1.
to
the
but the usage of two terms may have resulted from sutltation papers, sponding to the feedback from the consultation rounds. In the initial Public Consultation, the definition for "personal data" ata Protection, "information about an referred solely to the term "information", identifie or identifiable individual", which is a definition commonly such as the EU. Due to concerns raised found in other jurisdictions in the meaning of "identifiable individual", of clarity" about the lack of "personal data" was changed in the legislation definition the final and the result was to encompass both terms. The term to clarify information" could perhaps be argued to be a more general and common term. The term "data", on the other hand, perhaps more a more technical term. This, however, is neither here nor be to seems have the same meaning. there as they both
are
three
preliminary points to note about this definition,
an
3.8 The content element category of the concept is probably the easiest to comprehend and would certainly include any statements about an
"Data" and "Information"
3.6 First, the terms "data and "information" are both not defined in the legislation, so they should be interpreted in their ordinary meanings. The two terms seem to be synonymous according to many dictionaries, which means "information" and "data" appear to be interchangeable terms and any reference in the legislation to one can be taken to mean the same as the other. This, of course, raises the question of why the Legislature chose to use two different terms
individual and would cover "objective" data, such as a person's height, age and weight, as well as "subjective" data, such as opinions or
assessments.2 Often recorded subjective data would include assessments about an individual's credit worthiness, the person's risk of developing health problems, and the performance of an employee. Examples of data with some content about an individual would also include any results of medical tests conducted on the individual and any information contained in a company's folder under the name of an individual, whether an employee or client.
rather than one. No indication of the reasons can be found in the 9
5 6 7 8
Personal Data Protection Commission, Advisory Guidelines on Key Concepis in the Personal Data Protection Act (revised on 15 July 2016). Personal Data Protection Commission, Advisory Guidelines on Key Conceps in the Personal Data Protection Act (revised on 15July 2016) at para 5.2. See
paras 3.50-3.114 below on anonymisation. See, eg Cambridge Dictionary Online
(accessed 23 May 2010), Webster Merriam Dictionary Online dictionary/data> (accessed 23 May (accessed 23 May 2016). 68
10
11
Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Protection Bill (19 March 2012) at para 2.1. Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.2. See also EU Article 29 Data Protection Working Party, WP136,
PersonalData
Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at 10. 12
See also EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 6.
69
the Practical Context Data Protection in
3.9
that the
data can
The Concefpt of Personal Data be true
explicitly specifies subjectve data, such as assese the objective or if even hence, c o n s t i t u t e personal data would still turn out to be untrue, they
The
definition
false,
ents,
impact, other
the
the types of about the individual's such as their work roles' individual, the as well activities undertaken by behaviours. This leads to the purpose eleme economic as social and hnt where the data is used o r is likely to use category of the concept, in a certain way or influence treat with the purpose to evaluate, of an individual." This category may encomna status or behaviour information conveyed by the data concer situations where the information
primarily objects in the first instance and not individuals. Those ahiects
but have some pnysical or geographical belong to someone else proximity with individuals or with other objects, or they may be der
may
have an impact upon individuals. It i the control of individuals or that it can be considered that the connection indirect the because of data relates to those individuals or those objects. 3.11 An example of this category might be the log of a particular telephone extension number of a company office which provides information about the alls that have been made to and from that telephone. The telephone log can be brought into relation with different individuals, The telephone extension might be under the exclusive control of a certain employee during working hours and calls are supposed to be made by the employee. The call log will provide information about whom the employee has called. The telephone can also be used by whomever is allowed into the premises in the absence of the employe, for example, when the employee is on leave. The call log can be for example, for the purpose of checking how many phone calls and
used,
the duration of the phone calls that the employee makes and whether they are personal calls to numbers that are unrelated to the job responsibilities. Here, both outgoing and incoming calls would contain information concerning individuals' private life, social relationships and communications, and these can be used for some purpose or
other. 13 14
of the concept, this is where the the result lement category garding an impact on an individual, or the to have data is likely use of and interests. The impact need not be a major
individua
3.10 doCs not specify or lim: it 2 of the Act The definition in section be personal data, r can data kind of hence any type of data, characteristics to the
from
3.12
as
rights
long
as
the
individual might be treated differently from
as a result of the processing of such data. So the
persons
dividual could, for example,
be
tagged
indivie
given a
certain status.
3.13
A evample of this might be the monitoring of credit card transactions Financial institutions often have a department h financial institutions. monitors credit card transactions, with the purpose that continuously
weeding out dubious-looking transactions, especially those irom overseas or online transactions that seem transactions originating The purpose of this 1s to prevent credit card fraud at the fraudulent. before huge sums are committed. The earliest instance, especially the monitor to purchasing habits or the movements of nurpose is not data can be used for such purposes, for the holder. Yet, card he Credit from the shops of example, if a customer is consistently purchasing of
the financial institution may well tag the luxury brands, then status possibly as a high net worth individual, accordingly, individual's individual who spends but does not save. The classification or even as an itself would be enough for the result element category.
3.14 One form of data about an individual that transcends all categories might be biometric data. With the advances of technology, biometric data has increasingly been collected and used for identity verification purposes, especially at border controls. Biometric data can be said to
be about the individual's characteristics in that they can be biological
or physiological characteristics, such as fingerprints, retinal patterns, birthmarks, voices, and even hand geometry. These are all about the individual and because some biometric data is unique, they can also identify the individual by providing the unique link. So, biometric data can function as "identifiers" to identify the individual. The analogy would be that instead of identifying an individual by name, the individual can be identified by his or her thumbprint. Whilst it is true that the current technology used to measure or compare a person's thumbprint patterns against a record of a thumbprint may not yet be faultess, the fact that a certain degree of probability is involved does not disqualify the thumbprint from being personal data.
Personal Data Protection Act 2012 (Act 26 of 2012) s 2. See also EU Article 29 Data Protection Working Party, WPI30 Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June zv at p 10.
70
or
71
Data
Prolection
in the Praclical
Context
The Concept of Personal Dala
Format of data
3.17
O t h e r than han
3.15
is of data. This is
format
the
also
mats for
not which the da data is The the form in or the Act5 and the Act is technology prescribed by ogy definition in as the e l e c t r o n i c and non-electr ronic stored is unimportant data in personal covers both is data hence as even transferred and consistency looieOm is to e n s u r e This is indecd a forms. This vice versa. and media and second
point
concerns
collected
eutral
it
be
to
digital
sensible
approach.
database
or
Data
need
not
in a str structure care in implement
non-electronic
of the data would comprise
torms
of data, other possible
presentation mode, whcther
using alpha-numerical, graphical, photographical, as videos. both sounds and images such through
presented
sounds
or
r
paper
or
electronic
To
3
identify a n
individual
contained
be
much should take file. Organisations to e n s u r e the same level of data protection policies their personal forms. Many organisation data in both still and paper, some protection for personal data using pen then collect and process personal electronic tormat, hence even the data into transfer the personal to the personal1 adhere data itself needs to conversion process
3.18
The third prcliminary
being
able to
ot
point
identify a n
defined
concerns
the issue of what is
individual from the data. The term
international data in the Act and in
meant
by
"identify"
protection law
be able to single out a to identify" concept arlance, the a person from other individuals and to person or to distinguish is
means to
park
discover
who the
person is.
protection principles.
3.19
3.16
data is collected
and in later chapters, if personal As will be elucidated non-electronic means, then there may he stored using subsequently for the protection of ditferent pieces of differing considerations some pieces of same the piece of paper. For example, personal data on others whilst should be data can be retained for longer
data" in the Act:9
more clarity to data that is 'identifiable' that was used in the has been removed and replaced with 'who can be DP public consultation that information (whether a single identified'. However, it maintains the position that relates to an or a group of information taken together) piece of information individual will be considered personal data. [emphasis in
personal a compliance challenge if the destroyed sooner. This may pose handwritten data collection the original has simply kept organisation draw
typical example of typically collect the
form. A
this would be name
and
a
lucky
contact
place"
destroyed
The
form which
if
form also asked questions about opinions on competitors' products, such answers would be irrelevant to the subsequent marketing purposes and would need to be destroyed.
17
ssued by Ministry of Information, Communications and the Arts: Propose Personal Data Protection Bill (19 March 2012) at para 2.9. Itwould be difficult to find any legitimate legal or business purpose retain such information under s 25(6) of the Personal Data Protection Act 2012 (Act 26 of 2012). Furthermore, retention of this kind o
information would arguably be
prohibited under s 18. 12
also aims
to
provide
term
3.20 MICA proceeded to state in the following paragraph that the new definition "is not significantly different in effect from that which was earlier proposed and its principles are similar to internationallydefinitions of personal data".From this clear stance, the
adopted
of 2012).
Personal Data Protection Act 2012 (Act 26 Ministry of Information, Communications and the Arts, Public Consultaton
definition
identified or identifiable original
18 15 16
new
identifiable'. In this definition, the
information of the
would individual. As most lucky draws have a marketing element involved, individuals' names and assuming that consent is obtained to retain the contact details for contacting them for marketing purposes, all other information on the lucky draw form would probably need to be So, for example, the after the lucky draw has taken
Communications
view of the Ministry of Information, This was also the in the Public Consultation Issued by Ministry of ("MICA") Arts and the Prolection Communications And The Arts: Proposed Personal Data nformation, to the amended definition of "personal relation in 8 stated it Bil where
19
20
Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012). Ministry of Information, Communications and the Arts, Prublic Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.6. Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Infomation, Communications and the Ars: Proposed Personal Data Protection Bill (19 March 2012) at para 2.7.
73
Data
Prolection
jurisprudence
in thePractical Conlext
from
international
guidance and "identifiable" can "identificd" o r meaning of
be
The Concept of Personal Data sources
referred to.
on
the
In this way, it can be seen that the name of is not necessarily cquivalent to the "identity" of the an of a n individual in this example would be a The dividual. but not a unique identifier. A person's name is data useful "that reveals that he individual uses that combination of letters and nds to distinguish himself and be distinguished by other persons SOhom he establishes relations"" If a person has a purple in the shape of a star, that would arguably be a on his head hirthmark b i more unique identifier than the name of the person.
height
of the
ividual. indivic
individual
name
h
3.21 Party ("WP29") Data Protection Working The EU Article 29 "identified" when ateq considered as be can na that an individual from all other he or she is "distinguished" of persons, group that a n individual "is 'identis follows from this of the group. It nocele not been identified yet, it is has when, although the person 22 The WP29 suffix able')" of the do it (that is the meaning threshold condition in practice the is latter the that noted
nembers
ssible to h
3.22
"identitiable" require that a perso being "identified" or name is only one of many identifiers A person's name be known? individual 's name to be discovered would not be necessary for an to distinguish this individual from all able satisfy this. The key is being
Would
other individuals.
3.23 As already discussed above, fingerprints are also identifiers. Identifien
are data that hold a particularly close relationship with the particular individual. Some identifiers such as fingerprints and an individual's full name are so uniquely linked to the individual that a person can (often) be narrowed down and distinguished by that one identifier alone. Other identifiers will not have that close nexus and will not be sufficient to achieve identification on its own. So, for example, a common Chinese surname in Singapore like Tan or Lim will usually not be sufficient to identify someone, but if a Mr Tan is present in a room with other persons who are all non-Chinese, that is, he is the only ethnic Chinese person in the room, Mr Tan can most likely be identified. 3.24 The name of an individual is the most common identifier but in some instances, where there is more than one individual with the same identical name, in order to distinguish the individual accurately, the name has to be combined with other of such as the information pieces date of birth, the address or even known such as
physical attributes
22
3.25
TAc
determining identifiability.
21
identifier
u
EU Article 29 Data Protection Working Party, WP136, Opinion 4/200 the Concept of Personal Data (adopted on 20 June 2007) at p 12. EU Article 29 Data Protection Working Party, Opinion 4/200 the Concept of Personal Data (adopted on 20 JuneWP136, 2007) at p 12.
74
personal data as data about an individual who can be
require a person's Derson or to point out
that it is this individual
that individual. The pinpoint a certain to name, otherwise, the identity by Derson, not necessarily have inserted the extra words "by name". It should would Legislature that once an individual can be singled out, in this be noted, however, is often not dificult to discover the person's name. The it digital age, of being able to identify an individual is essentially about being able to single out the flesh and bone individual. or
be able to est in the Act is thus only merelythe toindividual
concept
3.26 Lastly, it should be noted that the Act is worded such that it requires the data to be able to identify an individual. This means that it must not be a mere hypothetical possibility. If the possibility does not exist or is negligible, the individual should not be considered identifiable and the information would not be considered as personal data. As the Commission has stated with respect to anonymisation, to re-identify means to be able to identify an individual beyond doubt and not just the ability to identify an individual through educated guessing.25
23
24 25 0
defines
identified, hence, to identify an individual would not necessarily name to be known, only to be able to distinguish the
Working Party, WP136, Opinion 4/2007 EUArticle 29 Data Protection the Data 13. Concept of Personal
on
(adopted on 20June 2007) at p Personal Data Protection Act 2012 (Act 26 of 2012). ersonal Data Protection Commission, Advisory Guidelines on the esonal Data Prolection Act for Selected Topics (revised on 20 December 2016) at paras 3.32-3.33.
75
Dala Protection
in the Practical
Context
The Concept of Personal Dala
level Personal data: Basic
the
area
concept
3.27
levels. At the most basic level individual, then the informati."a n is identify an of information can examples of personal data: t the Obvious data.
the Act has The definition in
piece regarded
as
two
personal
name,
photograph
or
see
3.28 can
be
true
or
false,
infor
Consultation
3.30
as the detinition encompase..
both true and untrue data. This means that a piece of informatioon, an individual by itsele which can be used to identily even if it is false but would still satisfy th information, other with or in combination data that could constitute personal data might be. definition. False for example, a photograph of photograph that has been doctored, onto an existing photograph person's face might be superimposed individual who was in the the was it really making it look like The photograph by nature of it being
a
compromising position.
doctored would be false data, but this, în accordance with the data. In this case. definition, does not disqualify it from being personal the individual can be identified through the photograph of the face.
5.
protection at the international level. There, the
was
nnal Data
include a person's basic level would y biometric information h a person's face, camera image of to the individ. are these unique of scans. Each fingerprints and iris themselves identify an individo most cases by in therefore can and
The information
of data of data
was simply defined as any information relating to an hile individual", which cssentially means that from the "identilia can be identified and which a n individu. would, of formation, the possibility ofcombining the information with other include se, finition of "personal data" in the Indecd, the original rmation. had Public definition, but it was amended due to respondents requests for a clearer definition.2 in
used this
deliniuon
This cxpanded level ot the fnformation that would otherwISe
serves
to
encompass much personal data. In the definition at this level is not overly wide, the order to ensure the ambit of the definition adopted by the ntrol test to limit with which Legislatur is that the other piece of inform Singapore original data is combined must be one that the organisation has or not
be considered
cont
the
is likely to
have
access
to.28
3.31 to Singapore and it narrows the This control test is relatively unique In other somewhat. definition the jurisdictions such as the EU of scoDe Canada, there is no such control test. In the EU Data Protection Directive 95/46/EC,23 Recital 26 provides that "account should be taken of all the means likely reasonably to be used", with the result that many courts in the EU have interpreted this to mean that if there is any piece of data that exists and can reasonably and possibly be used to
and
combine with the first piece of data to identify an individual, this will
Personal data: Expanded level
render the first piece of data to be personal data. 3.29 The second and more expanded level of the definition of personal data can be found in the latter half of the definition. At the expanded level of the definition, data which by itself cannot identify an individual can become "personal data" if, when combined with other information that the organisation has or is likely to have access to, can identify an individual. The inclusion of this concept of identification through combination of data is crucial in the digital age, where much data can be quickly and easily combined and matched. This concept was adopted by the Organisation for Economic Co-operation and Development ("OECD") in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, one of the earliest initiatives 26
1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (accessed 23 cl May 2016), 76
1(b).
3.32 Recital 26 of the EU General Data Protection Regulation 2016/679 has also confirmed this approach and states that: account should be taken of all the means reasonably likely to be used, such to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into the available technology at the time of the processing and
assingling out..
consideration
technological developments
27 28 29 30
Ministry of Information, Communications and the Arts, Public Consultation LSSued by Ministry of Information, Communications and the Arts: Proposed Protection Bill (19 March 2012) at paras 2.1-2.2.
ersomal Data Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). EU Data Protection Directive 95/46/EC, Recital 26. EU General Data Protection Regulation 2016/679, Recital 26. 77
Data Protection in
3.33
2016/679 does r e refer to Data Protection Regulation to be considered but ir them and require "all objective factors" tactors in the assesen consideration of subjectuve not preclude the This is illustrated in to be used. likely of the means reasonably addresses that will be disee Protocol (P) on Internet
The EU
General
discourse
below. 3.34
become personal data if data will only the In Singapore, the access to the second piece of dar have data. or is likely to has organisation of data to would limit the second piece that In practical terms, this obtain. This, o n the face of can feasibly t, which the organisation that is in the public domain, or which he would mean that any data o r otherwise, or throu obtain through purchase gh organisation can will render the original piece of dato other means, some obscrvation or data if it can be used in conjunction to identif constitute
personal
to
The Concepl of Personal Data
the Practical Context
the individual.
data
specify that the data that the organisation The Act, however, does has or is likely to have access to must only be accessible through legal
inder the purpose would sit under
this
personal
data.
home
identify
3.38
an
numbers, technically, only a small number of entities both a person s name and the person's NRIC number.
erarding NRIC
should hold number has been and continues to be Tnfortunately, the NRIG in too many contexts in Singapore, and and equested far too often residents have willingly given and permanent many Singaporeans
their
NRIC numbers,
even
for mundane purposes such
as
low
ade Jucky draws. As a result, ists containing a person's name and these of course can be obtained and used NRIC number abound and individual. to
3.35
nent
category and result element lecvel of the definition expanded of data the more familiar content category of with data, along of ldentification Card ("NRIC") numbers, National Registration numbers, IP addresses, credit card ddresses, c a r plate would all be personal data under the numbers and telephone numbers of infornation can be used to as all these picces level nded individua when combined with other data. 3.37
Much category of da
match and identify a n
not
considerations of legality should be entered into. Whilst this may seem an odd proposition, the reason is as follows, means,
and
as
such,
no
the enactment of the Act, Singapore had a rampant culture of combined with the collecting and sharing personal information. This, for the of 19 section in personal data collected allowance set out Act Prior
to
before the enactment of the Act, means that there may still exist
numerous avenues one can obtain data which might appear legal but which might actually fall into the shades of illegality.
3.36 It should be further noted that the definition in the Act only refers to information to which the organisation has or is likely to have access. There are no other factors other than "information" delimiting the control test. Hence, all other factors such as the means available to the organisation, the purposes of the organisation for the data, the advantage expected by the organisation, the interests at stake or even the costs involved to combine the pieces of data need not and should not be considered.
3.39
these can also constitute personal data. terms of home addresses, at an address, other data While there may be muliple persons residing can be used to identify the resident of attributes the such as physical if the data comprises of a For in example, individual question. the residential address, Address X and other information which the organisation has access to indicates that the particular individual is 60 elderly and there is only one person at Address X who is over years can be used as it data be X would Address of age, then clearly personal in combination with other information to identify the elderly person. At this juncture, recall that identification does not require the name of the individual to be known, only to be able to single out
In
the individual
and to know who the person is. Other physical attributes that can also constitute information with which to combine and identify individuals
would include the height, build, colour of hair, length of hair of a person and so on. 32
See EU Article 29 Data Protection Working Party, WP37, Priuacy on the
Internet-An Integrated EU Approach to On-line Data Proleation (adopted on 21 November 2000); EU Article 29 Data Protection Working Party,
WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on
31
Personal Data Protection Act 2012 (Act 26 of 2012) 78
20 June 2007) at pp 16-17; Patrick Breyer v Bundesretrublk Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona delivered on 12 May 2016); EU General Data Protection Regulation s
19.
2016/679, Recital 30.
79
the Practical Dala Prolection in
3.40
Context
The Concetpl of Personal Data
Commission, in the unhelpful that Key view that the Concepts Guidclines, cxpressed dlata will depend. or set of data is personal Iw]hether a certain piece the in a certain situation an individual context. Data that may identify no individual's residential addrese On this
point,
the
it is rather
an
example, individual's personal data. While thio:olten regarded as forming part of the about the individhhe as part of other data if the address is collected or the addrese information, contact and other example, with his name its in other contexts. data be not personal oWn may in
another.
For
delivery neighbours, delive
persons, contractorS and so on. The Commission
overlooked the definition in the Act. appea
3.44
Car
plate
numbers,
potenti:
IP addressCs and telephone numbers data for much the same reason as
nersonal
other data to allow family members that peopledo
be combined
can
all
they can all identify individuals. Although it is true
with
and friends to drive their cars, is small and limited
the number of persons permitted to drive
red to the whole world. Indeed, it is this narrowing down of to a much smaller group that makes the individu task of possible identifying an individua relatively casy when other data is combined, is at the core of why personal data has been defined as such and this decades now. A piece of information will take on for several the of personal data when the number of possible individuals to comparedto
3.41
the Commission is not present in th. This notion of "context" raised by Commission generates conf6 the Act and reference to it by sion, sets the control test as whether o r Act the simply The definition in the other to access informatin has or is likely to have
ion;
the organisation
contexts which can give a skeu the Act makes no mention of data" and also thercby di of lute impression of the meaning "personal
the definition.
aracter
it can be applicable is substantially narrowed, and when it is
mbined with other information, makes the identification of the indiv Dossible. This is truly the key to the concept of personal data. Personal data is information that assists in narrowing down
3.42
The example which the Commission gave concerning the notion of
notential individuals and when combined with other information. the individual can be singled out and the identity of the person discovered.
"context" is equally unhelpful:s4 A business wishes to sell its products to households within a certain area
around its location. It engages a service provider to distribute flyen advertising its products to all residential addresses within the area without
3.45 This is also the
reason
why
even
IP addresses
can
be
personal
data.5
Each computer connected to the Internet must have a unique
collecting or using the names or other personal data of individuals living at
IP address, so if the same employee is using the same computer every
those addresses. The residential addresses would not be personal data collected and used by the business.
day at a set time, and the IP address is not dynamically assigned (random) each time, then the IP address becomes personal data because it would be possible to identify the particular employee through the IP address when combined with information about all the employees who use that particular computer and at what time they used the computer. Even the information keyed into the computer by the employee can be used to connect the employee to the IP address.
3.43 The Commission's conclusion that the residential addresses thus collected would not be personal data is rather dubious. Just because the business does not collect or use the names or other personal data of individuals living at those addresses would not automatically disqualify the residential addresses from being personal data. The control test in the Act is whether the business has other information or is likely to have access to other information that can be combined with the addresses to identify the individuals. Such other information would not be difficult to obtain as residents' names would often be known to
This kind of information to link a computer or IP address to an
individual would be of relevance and great importance in many situations. For example, organisations that use cookies on their websites to track the website visitors may use the information for 35
See EU Article 29 Data Protection Working Party, WP37, Prvacy on the Internet- An Integrated EU Approach to On-line Daia Protection (adopted on
21 November 2000); EU Article 29 Data Protection Working Party, 33 34
Personal Data Protection Commission, Advisory Guidelines on Key ConcCps in the Personal Data Protection Act (revised on 15 July 2016) at para 5.12. Personal Data Protection Commission, Advisory Guidelines on Key Conceia in the Personal Data Protection Act (revised on 15 July 2016) at para 5.12.
80
WP136, Opinion 4/2007 m the Concept of Personal Data (adopted on at pp 16-17; Patrick Breyer v Bundesretrublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona
20June 2007)
(delivered on 12 May 2016); EU General Data Protection Regulation
2016/679, Recital 30. 81
the Data Protection in
Practical Context
The Conceptof Personal Data
when compromising or or in times purposcs, to e m a n a t e from the com have been found activities or materials the offender. used to identify information can be commercial
nputer,
the
3.46 With respect
to
dynamically assigned
IP addresses,
Advocate
General
in Mav ("AC") 2016
the Campos gave his opinion in the cas Court of Justice ("CJEU"), which deal e European Federal Reprublic of Germany, with of Patrick Breyer v stated that:7 AG The IP addresses. assigned dynamically 1or the provider of Inter address must be classified, A dynamic IP the existence of a third data in view ot Sánchez-Bordona,
Manuel
as
(the Internet
3.47 He came to this
noting that Recital 26 of the Data based on there being a reasonabie was 95/46/EC Protection Directive which tuned on looking at whether he chance of identification, the data is reasonable: possibility of access to only if the conditions governina Information may be obtained 'reasonably first of which being the lepa are satisfied, the data of kind that access to t to others. It is true that the he and transterring possibility of retaining refuse to reveal the data concerned bu Internet access service provider may The possibility that the dala may be transfered the opposite is also possible. transforms the dynamic 1IP address, in acordane reasonable, itself is which perfectly nto personal data for the provider of services 95/46, 26 with recital of Directive on
conclusion
after
the Internet. [emphasis added]
3.48 test in the Singapore legislation This also illustrates that the control of narrower personal data than in the EU. concept a results in slightly other some piece of information exists and By and large, in the EU, if to be combinable and may taken be it can can be reasonably obtained, not the case in Singapore This is data. be to data render the personal information with which of due to the requirement that the other piece
Opinionof 12 May on
36
Patrick Breyer v BundesTepublik Deutschland Case C-582/14, Advocate General Campos Sánchez-Bordona (delivered
37
2016). Palrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of 12 May 201l0) Advocate General Campos Sánchez-Bordona (delivered on at [74].
38
to
access to.9 "Likely to have access to" is narrower than :
have
likely "can reasonably obtain'". is
3.49
forcaoing, it is crucial to always remember that "personal
From
ta" is
not
merely about a n individua but can also objects, processes and cven events.
comprise
of
about
information
ANONYMISATION OF DATA B.
personal
which may reasonably be approache service provider) n data that, combined with a du amic additüonal other order to obtain of a user. identification facilitate the IP address, can
services,
ata is combined must be one that the organisation has or t h e original
Patrick Breyer v BundesTepublik Deutschland Case C-582/14, Opinionof 2010) Advocate General Campos Sánchez-Bordona (delivered on 12 May at [72].
82
3.50
is exponentially more data available rise of big data, there With the than ever before. Much of this data contains for analysis now that can identify dividuals, for this reason, the data information
before use or disclosure. This would be the best uld be anonymised data the if subjects have given consent for secondary o r oractice even because the secondary use may often uses o r disclosures subsequent more dire than envisaged when combined with consequences produce which may go beyond the consent given other data sets 3.51
benetits that can be reaped from big There are enormous perceivable such as predicting resource and business for purposes data, not just also for health research through the search for consumer trends, but and other insights. Indeed, the applications in patterns, correlations are almost endless. For example, researchers data of analytics the field Sick Children have made use of big data at Toronto's Hospital for of lives the save premature babies.0 Through the analysis analytics to the researchers created an algorithm to vital signs, of already-collected most likely to develop a life-threatening predict which babies were infection before acute symptoms of infections appeared. For tiny detection is a lifepremature babies with little immunity, this early field of data analytics the in measure. Indeed, the applications
saving
are almost endless.
3.52 cannot lf data has genuinely and truly been anonymised, then it is no longer personal data. identify any individual and by definition, it However, to achieve the state of true anonymisation is a challenge.
39 40
Personal Data Protection Act 2012 (Act 26 of 2012) s2(1). Brian Proffitt, "Toronto Hospital Detects Infections with Analytics IT World Canada (27 April 2012).
83
Dala Prolection in
the Practical Context the
scientists rescarching in when shown that even and established
Many computer
area
data
of
I ne Concept of Personal Data data analvti
has supposedlv
the data subiectCe to re-identify anonymised, it is possible the m o r e notorious cxam of Two sets. combined with other data successful
already
have
reidentification
been
highlighted ted
the Personal Data
data sets Receiving anonymised
ehave
nples c
by Protert. the
. 3.54 Commission
vnect an organisation to take active steps to attempt to re-identify does not exp
ction Aduisory Guidelines Guidelines"). In a ater resear Topics ("Selected forSelected Topics a computer scientist1, found that o project in 1990, Latanya Sweeney, Commission
on
in its
(216 million of 248 million) of the population in the US
idenified
through
the
use
of only
three
attributes:
5-digit
individuals from anonymised data in order to make a determination as to data held by the in view of such data is personal thec which the organisation has or is likely to have acces. ation to
organisation
uld be
postal
birth." gender and date of
stated in the Selected Topics Guidelines that itt
The
cod code,
3.53 data so that individuals cann It is extremely difficult to anonymise annot outlined some anonymisatio Commission The be reidentified. Guidelines," which it warned was techniques in its Selected Topics exhaustive. However, it should be noted that the seven technianes data reduction, da data (pseudonymisation, aggregation, replacement, and masking) highlighted by th data shuffling suppression, Commission are all fairly primitive techniques which have been used
for many decades." Indeed, these very techniques were the ones used to anonymise data sets that computer scientists, such as Sweeney, were
3.55
news for organisations which have obtained or indeed good his is This sets of anonymised data they are not expected to received d a t a recc ascertain e the data sets constitute personal data by expending effort In effect, when an and r e - i d e n t ify individuals. organisation
to
try
anonymised
data sets, it
can assume
receives constitute personal data.
that the data sets do not
3.56
Ahile this obviates the need to engage in data analytics, in real terms it
that the data sets will never constitute personal data does not mean Bearing in mind that the Act also allows for private actions by any
individual who
has sutfered loSs
or
damage,"
an
organisation would
likely to hold other want all the data sets are combined, individuals data sets so that when cannot be identified. This would require the organisation to have a system to continuously assess its data inventory. For some organisations, it may be as simple as knowing and keeping track of to
able to re-identify individuals.
take steps
to ensure
that it it is
holding
or
what data and data sets it holds and tracing the life cycle of data. Data and the availability of data will likely increase over time, and this, coupled with developments in data matching capabilities, will mean organisations need to constantly monitor their data inventory. 3.57 or additionally, it may be wise for the organisation to insert indemnity clauses into the contract with the anonymised data set provider or to obtain warranties that consent for the use and disclosure of the data sets have been obtained from the data subjects.
Alternatively
41
Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.15-3.16.
42
LSweeney, Simple Demographics Ofiten ldentily People Uniquely (Carmegie Mellon University, Data Privacy Working Paper 3, Pitsburgh 2000)
chttp://dataprivacylab.org/projects/identifiability/paperl.pdf> (accessed
43
44
23 May 2016). Personal Data Protection Commission, Advisory Guidelines on the Personal Data Prolection Act for Selected Topics (revised on 20 December 2016) at para 3.8. this book was a computer science undergraduate in the these the obvious anonymisation that were
The author of 1980s and were being implemented then.
techniques
84
15
Personal Data Protection Commission, Advisory Guidelines on the Fersonal Data Protectiom Act for Selected Topics (revised on 20 December 2016) at para 3.20.
6
Personal Data Protection Act 2012 (Act 26 of 2012) s 32,
85
Data Protection in
the Practical Context
The Concept of Personal Data
Anonymising data sets
2.
receiving the anonyinisccd dala, as well as its motivation in entifying individuals rom the anonymised data set, the number of of the anonymised data, additional enforceable restrictions cipients of sclosure of the data and robust data and subscquent the use on nolicies and processes that will ensure the destnuction of data retention policie
Oganis:
reid
3.58 an
organIsatuon anonymiscs data to or sharing with others,
There may be occasions where for its own purposcs or for disclosing care must there is a disclosure to others, special hat the data set has truly been anonymiscd.
to
be taken
cither
W to e
when
they n o
longer:scrve any business
or
legal purpose.50
3.62
3.59
data but still retains
Ifan organisation anonymises the data means to re-identify, then data. Hence,
organisations
re-identify and, of
set would
must ensure that
course, ensure
that
the
the
"key"
still constitute nereo
sonal
they discard all meane original raw data is not
retained. To re-identify means to be able to identify an individhal individual through Similarly, even if it can be ascertained that tho
beyond doubt and not just the ability educated guessing
to
idenuty
prard, the the Commission appcars to be taking a less than towards the definition of personal data. By is personal data is whether something proclaimingthat on this regard, ientific approach
In
or
an
same individual is in two different data sets but the individual's identi cannot be discovered, this would not be re-dentification. However, ir
the individual can be positively identified by combining these two data sets with other data to which the organisation has or is likely to have data.8 access, then it would constitute personal
ependent
me2sured by the risk of re-identilication, it moves the definition into
the realm of great uncertainty Risk cannot be used as the test for
whether somethi is personal data the definition of personal data is out in section 2. already clearly spelled -
3.63 The Commission gave the example of fingerprinis to illustrate its view
t opined that a sct of fingerprints is not likely to be personal data to the lay person but the same set ot fingerprints would likely be personal
data to the expert, who would have the skills, technologies and complementary information for re-identification" By adopting the
3.60 In terms of how effective the anonymisation must be before it is no longer considered to be personal data, the Comnmission has stated that it takes a practical approach when assessing anonymisation and the
risks of identification:" If the risk of reidentification is high, then the data will be considered personal data. If the possibility of re-identification is trivial, the Commission will consider the data anonymised.
3.61 The Commission has also given some guidance on the factors that will impact on the risks of re-identification, which include the nature or type of data deidentified, the anonymisation techniques employed, the complementary data (likely to be) available, the capability of the 47
Personal
Data Protection
Commission,
Advisory
Guidelines
on
approach of assessing the subjective risks of re-identification, the
Commission appears to have interpreted the definition of personal data as a subjective test instead of the objective test as set out in the Act. According to the definition in the Act, something is personal data simply if an individual can be identified from that data or from that data and other information to which the organisation has or is likely to have access. This is an objective test, it is cither possible or not possible
to identify the individual from the data
"can be identified"
The
only subjective element of the definition is whether the organisation has or is likely to have access to the data. By introducing factors such as skills and technologies, the Commission has considerably confused the concept of personal data.
the
Personal Data Protection Act for Selected Topics (revised on 20 December 2016) 48
49
at paras 3.30 and 3.32. Personal Data Protection Commission, Advisory Guidelines on te Personal Data Protection Act for Selected Topics (revised on 20 December 2010) at paras 3.30 and 3.34-3.35. Personal Data Protection Commission, Advisory Guidelines on Personal Data Prolection Act for Selected Topics (revised on 20 December 2010)
50
at para 3.29.
52
86
51
Personal Data Protection Commission, Personal Data Protection Act for Selected Topics at paras 3.27-3.28. Personal Data Protection Commission, Fersonal Data Protection Act for Selected Topics at para 3.24.
Advisory Guidelines on the (revised on 20 December 2016) Advisory Guidelines on the
(revised
Personal Data Protection Act 2012 (Act 26 of 2012)
87
on
s
20 December 2016)
2(1).
The Concetpt of Personal Data
Practical Comtext Data Prolection in the gislation, s h1sanld oul
3.64
unclear, the Commission also to motivation of the organisatic
To make matters the relevance of the
cn.
ciated re-identify
even m o r e
data. It stated:53 Even does
3.68
skills and information for re-identüficas. if one has the requisite risks of re-identif ntification are high. mean that the not necessarily be considered.
uon, it
motivation to
re-identify
data
must
also
3.65
legal
or
contractual obligations
individuals from data. The motivations and incentives
The
or
to
explain that motivation
addition
if there are disincentives s1ch consequences for re-identi6
introduction
any
makes
of the
more
assessment
importantly,
of the riske
taken
into
account
as a
in
assessing
the
to consider tor assessing the risks of the Commission also recommended anonymisation of assessing the risks of re-identification,3
the factors
means
Anonymisation testing
3.69
Commission recommended that before organisations disclose anonymise data scts, they nould employ a "motivated intruder test" 56
consideratio
it takes the
to to
dentification,
(a) The
of
definiti of personal data further into the realm of subjectivity, somethino n. not the where from mandate for th unclear provided for in the Act. It is but since it is not in the Act, it mav he factor of motivation originates, re-identification rather vague,
In
esting
The Commission then proceeded be low reidentify an individual may
be
re-identification risks.
This
was
a
test
originally introduced by the UK Informatio
missioner's Office ("ICO) im its Anonymisation: Managing Data
Protection Risk
Code of Practice
57
actions. in open to challenge, especially private
3.70
3.66
data the anonymised data has been derived.
The "motivated intruder under the test is a person without any prior
Enowledge who wishes to identily the individual from whose personal The Commission also made a distinction between information publicl
available or knowledge that is held personally. If an individual canbe easily re-identified based
on
information that is
readily available
to the
public, then the re-identification risks are likely to be significant. The Commission's guidance is that in5 ascertaining the reidentification risks of an anonymised data set, one
should take into account the use of public knowledge for re-identification,
has been targeted for identification." However, some kinds of data will be more attractive to a "motivated intruder" than others, for example, Dersonal data about an individual for nefarious personal reasons or financial gain and any information that might cause mischief by embarrassing others or reveal newsworthy information about public figures. The characteristics of the motivated intruder are as follows:
but not necessarily personal knowledge of the individual or the people close to the individual.
3.67 While it is true that the re-identification risks are more likely to be significant if the complementary information is publicly available, it should be noted that there will be occasions where non-publicly available information of the individual will be a clear and relevant consideraion and these, in accordance with the wording of the
55
Personal Data Protection Commission, Advisony Guidelines on the
56
Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.41-3.47. Personal Data Protection Commission, Advisory Guidelines on the
Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.
57 58 59
53
Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 206) at para 3.26.
54
Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2010) at para 3.39.
88
The Commission stated
that the motivated intruder test assumes that no particular individual
UK Information Commissioner's Office, Anonymisation: Managing Data Protection Risk Code ofPractice (November 2012) at p 22. UK Information Commissioner's Office, Anonymisation: Maraging Data Protection Risk Code of Practice (November 2012) at p 22. Data Protection Commission, Advisory Guidelines on he Personal Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.
60 61
UK Information Commissioner's Office, Anonymisation: Managing Data Protection Risk Code of Practice (November 2012) at p 23. Personal Data Protection Commission, Advisory Guidelines on the
FersonalData Protection Act for Selected Topics (revised on 20 December 2016) at para 3.43.
89
Data Protection
(a)
(b)
in the Practical Context
The Concept of Personal Data
reasonably competent; has access to standard
librarics, and all
resources such as the Intero and published infaand documents public
information
such as public directories;
(c)
(d)
employs
standard
investigative tcchniques such
who may have additional enquiries of people
as
knowledge maki of ntheg anyone with
or even advertis identity of the data subject information to come forward; is not assumed to have any specialist knowledge such as ompute
equipment; and hacking skills, or to have access to specialist such as burglary or hacking. not resort to criminality does ng, to gain (e) access to data that is kept securely. to
3.72
the
the
Furthermore,
that
are
capal
be,
might
Commission
Commission
not directly not
vample,
elased
to
re-identification.5
averred that all to
a
other "residhal"
recipient's motivation
and
These
being unintended recipients with compromised better ability
or
of
data that is or a more conlidential or sensitive nature amission recommended more robust assessments than the intruder test. This should also be the case if the
Of
term
n
the
also
re-identify should also be taken into account. of the data for example, risks
mistakenly discle
3.73
ale
related
Commissi
motivated
consequences ot re-identification are more severe for the individuals
3.71 The Commission acknowledged that the amount of effort require
a n d / o r t h e organisation.66
the motivated intruder test will vary, however, the examples of ef for
it it
gave were somewhat simplistic. It suggested that, at the higher end
might entail "obtaining and processing publicly available but limitaed (eg national archives) resources to try to link anonymised data to .an
individual's identity" In reality, there is much more data available than just those publicly available in repositories such as national archives: social networking websites, for example, contain abundan information on individuals. If one hosts a website, there is already a
mountain of data that is collected by the website and, in addition to that, there are many databases one can either buy or subscribe to
Further, if the recipient organisation is a telecommunications company, for example, then it would already hold the vital data of many individuals such as their names, dates of birth, NRIC numbers, home addresses, telephone numbers and so on, which can be used to match the data sets. Indeed, the Commission affirmed that where the motivations, reidentification capabilities and other information in possession of that recipient are known or can be reasonably inferred these should also be accounted for.
3.74 In
to
e
consider
p.eEcult mental
the behaviour
exercise involving
Personal Data Protection Commission, Advisory Guidelines
on
is
a
second-guessing the motives, knowledge, resources and technical expertise of the intruder, as well as asS1umptions about the content, nature and usefulness of the data.
3.75
In essence, while the Commission has given guidelines on anonymising
data sets and the recommended or expected course of action appear to be a relatively light-touch measure, at the practical level, however, the guidelines may provide little assistance to organisations due to the generalised nature of the guidelines and uncertainty in their meaning and application. 3.76 The Selected Topics Guidelines do not provide the requisite level of clarity and certainty about how to anonymise and make judgments about the permissibility of disclosing data sets. It is also not exact role of the Guidelines, as the Guidelines are non-binding. It is unclear to what standards an organisation will be
completely
clear the
62
of a motivated intruder
he
Personal Data Protedtion At for Selected Topies (revised on 20 December 2016) at para 3.43. 63
Some of these would include Wherenext Intelligence System (WIS),
65
Amicus Data's database and HousesActually.sg, all of which specialise in 64
property-related information. Personal Data Protection Commission, Advisory Guidelines on Personal Data Protection At for Selerted Topics (revised on 20 December 2010) at para 3.45.
90
Personal Data Protection Commission, Advisory Guidelines on he ersonal Dala Protection At for Selected Topics (revised on 20 December 2016) at para 3.45.
6
Fersonal Data Protection Commission, Advisory Guidelines on the ersonal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.46.
91
Data
Prolection
paragraph 1.2 judged. For examplc,
of the
Selected
states tha:67 These
The Concefpt of Personal Dala
in the Practical Context
in conjunction Guidelines should be read are subject the Guidelines' and
with
Topics Guidos
to the
Introduction to
(including
other
the document .
but
damage consequential
special
disclaimers settitled out
for any loss, claims, actions, costs, expenses not limited to any direct, indirect,
lable not liable
ommission is
ines
or
or punitive, profits)
damages, loss of income, revenue whether arising directly or indirectly from any decision in reliance on the Guidelines.
or
howsoever caused action taken
therein. 3.77 "Introduction Paragraph 3.1 of the first disclaimer as follows:
3.80 Paragraph to
the Guidelines"
expres.
the
constitute legalad The Guidelines are Commission or any other party e on the binding not legally C They are other and legislation PDPA made to the reference should be of any such leaiclase statement of the provisions complete and definitive or supplement in any way the legal e The Guidelines do not modify laws cited including, but not limited to, the D of PDPA any and interpretation as regulations and rules) issued und. 1der and any subsidiary legislation (such the PDPA. The provisions of the PDPA and any regulations or ules over the Guidelines in the event of issued thereunder will prevail any
advisory in
ctresses that all
9 3.3 stres
responsibility rests with that they rely on
effectively warns organisations
cach organisation the Guidelines at
a n d
their own rIsk.
nature and do not
3.81
All
these
decisions on
to respect permissible to disclose.
(b)
organisation in no clearer a position with anonymisation techniques and whether it is
claimers leave
A more realistic
an
vieW
of anonymisation
inconsistency. 3.82
3.78
that the Guidelines are not legally binding Paragraph 3.1 clearly on the Commission or any other party and the Guidelines appecar to have no legal effect. The next disclaimer informs that the Guidelines states
do not dictate nor give any assurance oft what courses of action the
missing from the Selected Topics Guidelines is One of the key insights heacknowledgement that anonymisation techniques are in practice the Commission seems to give eurrenly not fully effective, instead, that anoymity the impression is a binary issue. At present, actual
anonymisation
is
more
of
an
ideal rather than
something
that is
practically achievable.
Commission will or must take:" Nothing in the Guidelines shall be construed as granting any expectation that the Commission will take or not take any particular course of action in the future arising from or due to anything in the Guidelines. Accordingly,
the Guidelines shall not be construed to limit or restrict the Commission's administration and enforcement of the PDPA.
3.79
Lastly, paragraph 3.3 states as follows:20 The Guidelines are intended to provide general guidance only. Each
organisation remains responsible for assessing the appropriate action to be taken or decision to be made in its particular circumstances. The 67 68 69 70
Personal Data Protection Commission, Advisory Gruidelines on the Personal Dala Prolection Adt for Selected Topics (reuised on 20 December 2016) at para 1.2. Personal Data Protection at para 3.1.
Commission, "Introduction to the Guidelines
3.83 A thorough and more realistic assessment of current anonymisation was presented by the EU Article 29 Data Protection
techniques
Working Party ("WP29") in its Opinion 05/2014 on Anonymisation Techniques ("Anonymisation Techniques Opinion")." There, the WP29
analysed the effectiveness and limits of existing anonymisation techniques and concluded that all the current techniques which they assessed failed to meet with certainty the criteria of effective anonymisation.? It acknowledged that case studies and research publications have shown how difficult it is to create a truly anonymous data set whilst retaining as much of the underlying information as required for the task.28 The understanding of the limits and ettectiveness of anonymisation is important, given that should the
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
Personal Data Protection Commission, "Introduction to the Guidelines, at para 3.2.
72
Personal Data Protection Commission, "Introduction to the Guidelines
73
at para 3.3.
onAnonymisation Techniques (adopted on 10 April 2014). BU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
0nAonymisation Techniques (adopted on 10 April 2014) at p 23. BU Article 29 Data Protection Working Party, WP216, Opinin 05/2014 0n Anonymisation Techniques (adopted on 10 April 2014) at p 5.
92
93
Data Protection in the Practical Context anonymisation
organisations protection as
process will need to set out
in
not
The Concept of Personal Dala
prevent re-identific.
effectively
ation,
standards for personol comply with the d the Act for the inetfectivcly anon
3.87
a
The WP29 need
ined three criteria an efective anonymisation solution tisfy in order to achieve this:79 t o satis.
would
personal data.
the singling out of an individual in a data set which be idecnti out); enable the linking of two records within a data set about the prever individual or same groups of individuals, or between two (b) same and data sets (linkability);
(a)
3.84 The WP29 began its analysis
by making
1t
clear that the
proce
operation in itself
data
a processing anonymising personal data is can only be carried o anonymisation hence, under EU regulations, in collected compliance with appliet the original personal data was also hold true ae would this data protection laws." In Singapore, "use" under the Act
would constitute
prever
separate
prevent the possibi
(C)
and
anonymisation process would for which the need to be compatible with the original purpose data was collected.
(singling
them to
information
deduce with significant (inference).
in such data set
probability, any
line with the Singapore position, where the Commission has that to re-identify means to be able to identify an individual beyond doubt and not just the ability to identify an individual through This is in
educated guessing.0
3.85
evaluated by WP29 found that tho. The anonymisation techniques was no perfect anonymisation technique and, in light of this
3.88
recommended using a
airectly identifying elements in itself was not enough to ensure that
combination of
techniques and
outliner
strengths and weaknesses to consider when anonymising data.5 The Anonymisation Techniques Opinion gave some usefül and practical so that it can be used for on how to make data anonymous whole range of activities from big data analysis to medical research.
guidance
a
3.86 The WP29 defined anonymisation as something that results from
the three criteria, the wP29 concluded that the mere removal of
direca
entification of the individuals is no longer possible. Additional easures to prevent identification will be required, depending on the context and purposes of the processing for which the anonymised data contex
areintended.8
3.89 In the same vein, data sets that have been pseudonymised would also
data in order to irreversibly prevent identification,%
not be considered equivalent to anonymised data as it allows an individual to be singled out and linkable across different data sets.
stated that "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used" to
Therefore, pseudonymisation is not an anonymisation technique and
processing personal
it noted that Recital 26 of the EU Data Protection Directive 95/46/EC reidentify the person." This same test of "rcasonably likely to be used is retained in the EU General Data Protection
Regulation 2016/679.
data that has been pseudonymised still constitutes personal data and remains within the scope of the legal regime of data protection. This has also been explicitly expressed in the EU General Data Protection Regulation 2016/679.5 The incffectiveness of pseudonymisation as an anonymisation technique was well illustrated by the America Online 79
74 75 76
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 7. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
80
on Anonymisation Techniques (adopted on 10 April 2014) at pp 23-24.
8
EU Article 29 Data Protection Working Paty, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7.
77
EU Data Protection Directive 95/46/EC, Recital 26.
8
EU General Data Protection Regulation 2016/679, Recital 26.
94
82 63
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7 and 11-12. Personal Data Protection Commission, Advisory Cuidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.30 and 3.32. EU 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
Article
on Anonymisation Techniques (adopted on 10 April 2014) at p26.10. EU General Data Protection Regulation 2016/679, Recital
95
Data
Protection
The Concept of Personal Data
in the Practical Context
where a databasc of 20 million ("AOL") incident in 2006, AOL users were releasoreh threc-month period by keywords over a h identification replaced by a numerical att only their AOL uscr identified along with be to along with their able Some of the users were
(b)
.This involves altering the values within the data set just swapping them from one record to another, so it by olves shuffling the information in the records so
Permuta
value being attached to individual X, it now stcad of the i n d i v i d u a l Y with individual Z to individual gs cxample might be to individual Y's ight value. An Y's va Y's .ol XX's weight and so on. Such by individual maintains
locations.*1
replace
3.90 examined
The WP29 randomisation and
the
two
anonymisation
main
swapping the and distribution of values but correlations betwecn values theindividuals will be changed Permutation is useful when and act distribution of each to retai attribute important
technin
individual techniques generalisation," and the addition, permutation, differe noise cach of these categories: and -diversity, and t-closenese aggregation, kanonymity privacy, of the techniques' strengths and weaknesses as well as the cOmmon to their use were assessed against he mistakes and failures related and inference. These will linkability out, criteria three now of singling
it is thin the
data
exact weight of
set, for example, if it is of the individuals 8
deindividualised and anonymised views of a data set through
whilst a statistical algorithm copy of the original data. The anonymised views would typically be generated
3.91 Randomisation is a class of techniques that alters the veracity of he data and the individual data so that the strong link between the is
retaining
through a series of queries for a particular third party.8 The
method adds noise, that is, random talse information, in order to one individual within the data set. make it difficult to identity any
removed. The aim is to transform the data so that it is less accurate no longer reter
to
a
specific
individual
Randomisation will still maintain the singularity of each record in that cach record is derived from the one same individual but randomisation can be combined with generalisation techniques to achieve
stronger
privacy
protection.
The
main
randomisation
3.92 nifferential privacy is unique in that it also integrates the concept of dhe level of acceptable risk, which is derived from an awareness of known re-identification risks such as linkage attacks and multiple the data anonymiser can have some control over a overall "privacy budget', that is, the maximum privacy level dataset's the expectation of the number and type of queries it required given answer. This gives the data anonymiser the ability to add levels of noise that is appropriate to the number of data queries that will be
queries. From this,
techniques are as follows.86 (a)
new
generates
applying
that the data can
important to know the
each
Differenial privacy is a relatively Differential privacy. (c) technique and it is used when the organisation
be addressed briefly.
so
having
Noise addition. This consists of altering information in the data set so that they are less accurate whilst retaining the overal distribution. An example might be the age of individuals. Instead of the exact age, the age might be changed so that they are within a tolerable limit of either plus or minus five years. Noise addition should be combined with other anonymisation techniques such as the removal of any attributes that might amount to quasi identifiers. The level of noise introduced should depend on the necessity of the level of information required as well as the
will
permited. Differential privacy is more effective in anonymisation because the level of noise to be added can be adjusted and, the place or places where the noise should be added can also be calibrated in
order to both obscure every individual while retaining at least some useful qualities of the data.
impact on individuals' privacy.37 84
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
85
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 12-19. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 om Anonymisation Techniquas (adopted on 10 April 2014) at p 12. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
on Anonymisation Techniques (adopted on 10 April 2014) at p 11.
86
87
on Anonymisation Techniques (adopted on 10 April 2014) at p 12.
96
88
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 1-14.
89
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
90
Cynthia Dwork && Aaron Roth, "The Algorithmic Foundations ot Differential Privacy" (2014) Foundations and Trends® in Theoretical Computer Science Vol 9 (No 3-4) at Pp 211-407.
on Anonymisation Techniques (adopted on 10 April 2014) at p 15.
97
The Concept of Personal Data
Practical Context Data Protection in the
and k-anonymity. Inese techniques involve grouping at least k other individuals. The result is that the viduals with to such an extent that each individual shares is on
3.93 An
example
privacy student:
of how differential
example given by
a
rescarch
after
move
to
his
move
to another
would
ofi
(a)
n
database
allow you
to
generalised
value. For example, attributes such as salaries, height, or the dose of a medicine cani be generalised by grouping
data
that allows
deduce
you
to comDuto
before
his income.
the
to
extract
it is possible Through inference, To overcome
supposedly-hi
th
to inject noise in the form of giving The solution might be the result of more than one resident moving out of the area or na
changes to
ference attacks when the values of data against distributed.95 a r e well attributes lT-closeness. This 1s a retinement of -diversity, in that it aims to prote
king
the income.
create categories
super-sensitive
differential privacy might be appropriate. A case in point would be the Urban Redevelopment Authority's ("URA") database on private
AnthonyTockar, Diferential Privary: (accessed 23 May 2016).
92Urban Redevelopment Authority, (accessed 1June 2016).
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p l6.
98
initial distribution of
perhaps only
one
of the three criteria of singling out,
linkability and
inference. The WP29 summarised its findings in a table format as
follows:
94
The Basics
the
3.97 From the forgoing, it should be clear that each technique will target
residential property transactions.
91
resemble
at least i different values should exist within each of data, not only that each value is represented as also many times as category, but mirror the initial distribution of each attribute.6 to necessary
online databases that the general public can query on a 24/7 basis
3.96 Generalisation is the second category of anonymisation techniques. It essentially comprises generalising the attributes of individuals in the data set by altering the respective scale or order of magnitude. For example, instead of the exact age, the age might be changed to bands of ten years such as 20 to 30 years old. Generalisation can be effective to prevent singling out, but it will not prevent linkability and inference.5 The main generalisation techniques are as follows.
that
attributes in the data set before anonymisation. For each category
3.95 Differential privacy will not be a very useful technique if the data is resolutions but in terms of some of tho al
required
region
ttacker with background knowledge on a specific data subject is with: significant uncertainty. Ldiversity is effective to always left
that
moves.
streeU n a m e tO
occurrence of categories with poor attribute variability, so that an
they both give the total the datasets are income of residents in the same area, albeit before and after Mr WVhite sense
the granularity of a location can be
or country,91 lowered Ldiversity. This extends k-anonymity and ensures that in cach L cquivalence class or category of data (for example, age group), attribute has at least1 different values so that probabilistic every inference attacks are no longer possible. he aim is to limit the
from
this problem, the so White. information about Mr is to apply some noise-generating mechanism to the related data.sets
related in the
weight,
same
into intervals; similar
and
(b)
3.94
Aggreg
cited
th It you knew that Mr wi.Ota certain area. Wa this database ho area, simply querying
have access to a Suppose you residents in a all of income
going
might work is the
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
onAnonymisation Techniques (adopted on 10 April 2014) at p 16.
9
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
96
On Anonymisation Techniques (adopted on 10 April 2014) at p 18. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
97
0EUAnonymisation Techniques (adopted on 10 April 2014) at p 18. Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 24.
99
Data
Protrction
in the Practical Conlext
Is Singling out still a
risk?
The Concept of Personal Data
Is Linkability
Is Inference
still a risk?
still a risk
Yes
Yes
Pscudonymisation
Yes
Noisc addition
Ycs
May not
May not
Permutation
Yes
Yes
May not
Aggregation or K-anonymity
No
Yes
Yes
Ldiversity
No
Yes
Differential privacy
May not
May not
May not May not
lso has its problems if logical links persista person's between attributes. For exanplc, in a table cotaining
3,100 Permutation alsc
diflere
and and
salary, cven il the auributes of the income are clear that a Chiet Executive Officer would be receivingth highest salary ilst the unemployed or part-time worker the lowest salary.0 From this, other information such as age can also be identified. be in the table role
ld be
would be
receivi.
might
3.101
differential privacy also can be problematic if not iniccted. Further, if a query history is no retained and
The technique of aiauc of noise
is
10ughi s ttreated independenuy, then an attacker who queries the is r c a t query database with ultiple questions can progressively reduce the breadth until a specific value of an individual or a outputted
Cno
3.98 From the table, it is clear that there is no one particular anonymisatio technique that satisfies all three criteria and the WP29 Went great details to present instances of each technique's wcakno ness,
.
nploy1mcnt permutatcd, i t w o u l d
cach
of the
individuals group of
a
101 is discovered.
Pseudonymisation is probably the most pronounced in this regard
The WP29 cited recent research at Massachusetts Institute
of of 15 months of spatial-temporal mobility coordinates of 1.5 million
Technology which found that from a pseudonymised data set
people on a territory within a radius of 100km, it was possible to single
out 95% of the population with four location points. Even more alarming was that just two points were sufficient to single out more Te
than 50% of the data subjects.3
3.102
of k-anonymity 1s that it does not prevent inference ttacks, in particula k-anonymity can be defeated through an equivalence attack. The attack can come from using a
The main failure available
data
set
to de-anonymis
publicly
another. As the example of
Mr White above showed, equivalence attacks can also be launched aCainst data sets that are updated periodically. The mere act of keeping a data set updated can inadvertenty reveal sensitive information because aggregate averages will change over time.
3.99 As for noise addition, the WP29 highlighted its failure with the well-known Netflix incident. Netflix released a database of over 100 million ratings on a scale from 1-5 of 18,000 movies, expressed by nearly 500,000 users. It was "anonymised" according to an internal privacy policy and all customer identifying information were removed except the ratings and dates. Noise was added on the ratings so that they were slightly increased or decreased. After analysing the geometric properties of the data set and comparing it with a publicly available data set, researchers found that 99% of user records could be uniquely identified in the data set using eight ratings and dates with 14-day errors as selection criteria.9
3.103 As for diversity and ttcloseness, they are not an improvement over
kanonymity in terms of unlinkability in that the probability that the same entries in two data sets belong to the same individual is the same. The main improvement of l-diversity and tcloseness over k-anonymity is that it is no longer possible to set up inference attacks against a "-diverse or "t-close" database with certainty,12 3.104 From the foregoing, it is clear that none of the anonymisation techniques can prevent singling out, linkability and inference. The 100
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
on Anonymisation Techniques (adopted on 10 April 2014) at pp 14-15. 98 99
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
om Anonymisation Technigues (adopted on 10 April 2014)
EU Article 29 Data Protection Working Party, WP216,
p 23. Opinion 05/2014
at
on Anonymisation Techniques (adopted on 10 April 2014) at p 13.
100
01
02
BU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 at p l6. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014
0n Anonymisation Techniques (adopted on 10 April 2014)
onAnonymisation Techniques (adopted on 10 April 2014) atp 18. 101
Dala WP29 stressed that
possible
to
cach data
give
set
Protection
most
minimum
needs
to
in the Practical Context
The Concetpt of Personal Data
techniques carry risks and recommendations
be considered
on a
that
it
1or parametecrs
case-by-casc
was no
basislo8as If
of the three criteria is not met, a thorough evaluation n e identificaion risks should be perfomed. There will almost alwa residual risk of identification inherent in cach of the techi Careful engineering in devising the apPplication of an indis
application of a cumulative technique required along f both randomisation and generalisation techniques. This will ene 1surc a is
with the
more robust outcome.
willbe or
AOL
Netflix ion
regular he
unclear
to what kind of standards there be similar incidents in
incidents,
the
and grievous for
an
organisation
Singapore like amifications would be serious for
the affected individuals
the the
organ
analysis must be the Act and the definition of As alrcady discussed above, personal data means that can identify an individual from the data or the data in
3.108 starting
point for 07
personal data".o
data
with other information
to
which the
organisation has or is the control test. Hence, when ikely disclosing anonymised data to another organisation, the capabilities resources of the other organisation need to be considered to ertain if the data is likely to be personal data to the other to
Good anonymisation practices outlined by the WP29 include audits to identify new risks to re-identification and to re-evaluate
is
Chould
combinat
3.105
tt
isclosing data.
o
have
access,
the latte
being
residual risks and to adjust practices accordingy; in etfect, to monitor and control the risks. In addition, relevant contextual elements m
organisation.
also be taken into account. These would include the nature of th original data, sample size, secuity measures restricting access to the
data set, the availability of public information resources and envisaged release of data to third parties. Of course, if the nature of the datai one that is appealing for attackers, such as sensitive or financial
3.109
Organisations
need
to
be
nindful of the grave
probability
of
eidentification. It is the control test of "other information to which the organisation has or is likely to have access that poses challenges. If
nersonal data is supposedly anonymisecd and released to the public,
personal data, then this will be a strong key factor to consider. 105
this will effectively mean that all members of the general public will
106 The WP29 also recommended that the purposes to be achieved through the anonymised data set should be clearly set out as these are pivotal in determining the identification risk.
When all members of the general public are considered, the "other information" that is available or likely to be accessible would be Jimitless as organisations range from the wealthy and resource-rich multinationals which can purchase a multitude of information and
need to be considered as the "organisation" under the definition.
data sets to the savvy IT companies or IT' researchers who have the vast
3.
The way forward to anonymising data sets
3.107 Given the disclaimers 06 by the Commission for the various Guidelines, for anonymisation, and the clear instructions therein that direct reference should be made to the Act and other legislation for the "complete and definitive statement" of the law, organisations that wish to avoid liabilities should tread very cautiously in anonymising and
incuding
expertise to combine and re-identify data sets. If organisations encompass those which have limitless knowledge and abilities, with the currently known anonymisation techniques, if only one technique is used, the supposedly anonymised data set will very likely be able to be reidentified, and if so, the supposedly anonymised data set would fall squarely within the definition of "personal data"' under the Act as it can be used in combination with other information to identify the individuals. Hence, if the supposedly anonymised data set is reidentified and is personal data, then the organisation that disclosed the supposedly anonymised data set will fall foul of the disclosure
103 104
EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 om Anonymisation Techniques (adopted on 10 April 2014) at p 23. EU Article 29 Data Protection 05/2014 Working Party, WP216,
provisions in the Act, not to mention incurring the wrath of the public and the individuals whose personal data have been compromised.
at paras 3.1-3.3.
Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).
Opinion
Anonymisation Techniques (adopted on 10 April 2014) at pp 23-24. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 24-2 Personal Data Protection Commission, "Introduction to the Guidelines, on
105 106
102
103
Dala Protection
The Concepl of Personal Data
in the Practical Context
DECEASED INDIVIDUALS
3.110 One
conclusion to
is be drawn from this
to the general public thorough consideration
that
if o n e wishes to
case utmoa required before ro
so-called anonymised data, the be
and testing would would be wise to heed the guidancs oft the Furthermore, organisations cumulative use of anonymisation techniquee WP29 and apply a randomisation and generalisation. the two groups of
from
C. in
3.115
the Act also
Personal d
decea
ed but
the
more than
the
coverage
includes personal data about
is for those who have
not
the
been dead for
years.0 Even then, the coverage for the deceased is provisions o n non-disclosure and the protection of the
limited t o
scnt has been
personal data unless
obtained.
The Act does
any additional obligauon to retain personal data of the
3.111
because so much big d is rather unfortunate data benefit the health sci to enhance and and available for exploiting other sectors. Flowever, until anonymisa saüon technology, business and the risks are disproportionately high.
This, of
course,
iences,
techniques are improved,
3.112
disclose so-called prudent but to disclose onlv the to publiC sets general anonymised data enable s o m e control over the leml selected recipients. This will also arise by inserting relevant clauses into the contras that The
course
more
liabilities
not
deceased.
of aclion might
be not to
may
with the recipients. These clauses can contain warranties as to use and
be ifficult for an orga isation to ascertain whether actice, it may In the data relates is still alive or has died. The Act whom individual to the data belonging to the deceased from being personal prohibit
3.116
does
under the same regime as for those : still alive. So, data belonging to individuals whether alive or all personal in fact, processed be according to the same standard required eased can Act without distinction, and it may be simpler for an the under set of procedures and one stand to have o n e policy, ganisation
disclosure as well as indemnities. However, the disclosing organisation combination of anonymisation should still exercise care it does not have consent from the data where especially
and utilise
since
pecially pact on
a
techniques, subjects to disclose personal data.
not
handled or processed
the
personal data concerning the deceased can have an personal data of individuals still alive, and thereby of compliance with the Act. A case in point
triggering the requirement
pertaining to health or hereditary, if the deceased
medical
are
3.113 should develop good governance structures to conduct an initial risk analysis and ongoing follow-up. Indeed, any organisation wishing to anonymise data must engage in much discussion with the relevant IT personnel in order to develop workable anonymisation solutions. Co-ordination between data protection officers and those with technical expertise in applying the anonymisation techniques is essential. Key questions that need to be addressed include what is the data, for what purposes is the data being anonymised and for how long.
Organisations
issues. For illnesses
or diseases and the parent was a parent that that the parent was a carrier will reveal that carrier, this information also have the same disease. For example, a most would likely the child be a carrier for haemophilia, there is then a 50% chance
is data
is
a
woman may that her son will suffer from haemophilia contained in the X-chromosome.
as
haemophilia is linked
to a
gene
3.117 other rules of Secondly, for s o m e kinds of personal data, For requirements confidentiality example, apply. confidentiality may
are the methods being used appropriate and what re-identification
for medical personnel often persists even with the death of the patient.
risks may be posed.
Thus, it may not be personal data.
so
straightforward
to
put
a
time limit
on
the
3.114
Anonymisation is a highly complex field, both legally and scientificaly but the notion that anonymisation is merely in the realm of statisticians and researchers and too esoteric to be an issue of importance shoud be permanently dispelled. A healthy and realistic appreciation of the limitations of anonymisation, which are also becoming more apparey is in order. Once a data set has been released into the public doma
it is not feasible to "recover" or retract it.
104
3.118 In practical terms, it may therefore be good practice and indeed a the deceased SImpler one to process and handle the data concerning t h e same way as personal data concerning the living as required
08 Personal Data Protection Act 2012 (Act 26 of2012) s4(4)( 09
Personal Data Protection Act 2012 (Act 26 of 2012) s 4(4)6).
105
Data Prolection in the Practical
Context
the two than to separate under the Act, rather such as steps also include taking course, would the data if there
are
no
The Concetpl of Personal Data
sets
of
datta.
manenty destThis, oi for the data to be
or other reasons
legal
BUSINESS CONTACT INFORMATION E. 3.122
retained.
An
3.119 In order
to
minimise
costs
for organisations in
wclusion from the is business contact inform
important
the Do Not Call regime ontained in the same Act but which is
the event
under
that
deceased attempt to exercise any of the representatives of the Ohe of the deceased, such as the rights on behalf data protection correction, the data records could be digitised and ficlds be insertedt
beyond
the scope
3.123 contac
is known signal if the data subject 7. in detail chapter m o r e in discussed
D.
to
be deceascd. This is
of the data operation protection although this is still covered
of this work.
information
1siness
will
e
for his or
HISTORICAL RECORDS
is
defined
to mean
an
individual's
name,
title, business telephone number, business ition o r address, business c-mail nail addre address or business fax number, and any other similar information about the individual not provided by the individual her
personal
purposes.
112
solely
clear
3.124 types of information that are considered business contact The on are the standard kind of information one would find on a int card. This exclusion was name siness or designed with the the transfer.of business contact information is often that gnition integral to many business operations, and that in the context of
generally be excluded anyway, as it 1s not common for there to be
business contact information for certain purposes is often implied.13
personal data created and contained in any record if the person has
This exclusion relies on the concept of deemed consent that Singapore
3.120
the data protecti. The Act contains an interesting in a record thar contained data regime in excluding all personal Given that averac 100 least at years." for been in existence kife is well below 90 years, it 1s not entirely clea in exclusion from
expectancy
Singapore
why this exclusion is needed. Personal data in this category would
exchanging business contact information, consent for the use of
not yet been born. Given the average life expectancy is under 90 years,
has adopted. As will be discussed in chapter 5, the concept of deemed
most personal data in this category would not fall within the ambit of the Act as a person who dies at the age of, for example, 85, would have most of the protection ceasing upon death and all protection ceasing
consent may enable compliance to be less troublesome, but it leaves gaps in security and in the protection of personal data.
95 years after they were born.
3.125 The effect of excluding business contact information from the operation of the personal data protection provisions means that such information can be collected, used and disclosed without any restrictions whatsoever and they are also not subject to any of the personal data protection principles. On the positive side, this gives free to all to amass business contact information for purposes such as talent and recruitment, for general networking and perhaps
3.121 This exclusion could arguably have some application to wills but unclear why there is such a prominent exception for it. Perhaps, the exclusion was designed for the administrative benefit of archivists and others dealing with historical records. They would not need to check if the person is still alive and can simply proceed to collect, use and
it
disclose the historical personal data without incurring any compliance COsts.
reign
searches
to combine and compile to ascertain what kind of talent pool a rival
organisation might have.
l Personal Data Protection Act 2012 (Act 26 of 2012) s 4(5). 2Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). l3 Ministry of Information, Communications and the Arts, Public Consuitahon 5Ledy Ministry of Infermation, Communications and the Arts: Proposed 110
Personal Data Protection Act 2012 (Act 26 of 2012)
106
s
4(4) (a).
Personal Data Protection Bill (19 March 2012) at para 2.30.
107
The Concept of Personal Data
Data Prolection in the Practical Contex
3.126 the exclusion 1s that one's persona One of the negative effects of and combined witho raded, compiled can be frecly sold, information
corrected
or
delo
having erroneous domain the individual' the public effect, it is putting into individual works (or has the information concerning where name of recourse
to
collect any percentage ot the fares or of the the taxi drivers were plying their trade as taxi their mobile telephone numbers formed business contact did
not
ookings" As
pondents
a
ny n
me
the worlthe workplace, the and the role they hold even the qualifications of the n and the address of the workplace on anonymisation above in the section As already mentioned data or protession is one of the kev ni. life about an individual's working used to be can other data easily match and information with which
individual
drivers
information as tdly Iaxi service,
at
pieces
i twas imperative for the passengers to communicate
with the
bookings.
taxi drivers
ach
such
as thec
for matterS concerning the delivery of the pick-up location or cancellation of the
Being busIncss contact information, the mobile phone from the operation of the were cxempt personal data
ers visions rotection provis
and
mumb
their disclosure did not constitute any
breach.
of to reidentify the individual from data that is supposedly anonymised.
EXCEPTIONSs OF OTHER KINDS OF PERSONALIDATA F.
3.127 or monetay gain role is a It is true that a person's employment there should not be and in undertaken public any activity that is shielded. However, where a person works is of being expectation of their ume, in fact, it woul where they spend a large majority the number one spot of where for home individual's with the
compete
number of hours. Hence, when the the individual is located the most of the workplace are known, the location of address the and workplace individual will also be known. Thie the physical whereabouts of the makes it extremely easy to locate an individual, especially since the individual will be at that location on a regular basis. This kind of data would be prime data for narrowing down and singling out and distinguishing an individual, and thereby leaving the individual with reduced security both over the individual's person and the individual's personal data, and increased vulnerability to attacks. It is quite unfortunate that this exclusion is present in the Act.
3.128 There has only been one case to date on business contact information. The personal data in question in Comfort Transportatiom Pte Ltd and
3.129
give a general conception of what is under the Act. As will be seen in later nderstood to more kclusions or exceptions contained in there are many chapters, which are situational, so that whilst information may constitute e Act will be the case that some of the requirements in the has This chapter
sought
to
data be personal
ersonal data, it
legislation are exempt
from compliance.
3.130
be the classification of whether a piece of biggest hurdle can data. As already discussed in this chapter, even is personal information to have suggested a subjective and movable the Commission seems definiüion of personal data when dealing with supposedly anonymised personal data.This is a problematic move because if personal data becomes a subjective concept, the fact that the data is not regarded as personal data to personA means that person A can deal with the data The
in any manner without reference to the Act and can sell the data
to person B, and so on. This will perpetuate the disclosure and disemination of personal data as each person in the distribution chain
CiyCab Pte Ltd was the mobile telephone numbers of two taxi drivers
will try and claim the data is not personal data; soon, the weakest link
which was disclosed to passengers who had booked taxi services offered by these drivers. The Commission found that the two respondent taxi companies were acting as intermediaries in matching the taxi drivers with the passengers, The taxi drivers were not employees but the independent hirers in the business of driving taxis, furthermore,
becomes the biggest chain of personal data urading. By conceptualising personal data as a subjective concept and allowing a liberal view, more personal data then becomes publicly available and, as will be seen in
114 115
17 Conort Transportation Ple Ltd and CityCab Ple Ltd [2016] SGPDPC 17
[2016] SGPDPC 17.
Comfort Transportation Pte Lid and CityCab Pte Ltd [2016] SGPDPC
T7
Comfort Transportation
Pte Ltd and
at [16].
108
CityCab Pte Lid [2016]
SGPDHC
at u6
at (1]. 116
later chapters, when personal data is publicly available, its treatment
"
[8] and [16].
Comfort Transportation Pte Ltd and CityCab Pte Ltd [2016] SGPDPC 17
at [16]. 19 See paras
3.58-3.106. 109
Data Protectionin the different under the Act is is
not
required.20 This, of
as
Practical Context and dio ramifications forSre for
use consent for collection,
course,
has
serious
security.
CHAPTER44
Notification Obligation
INTRODUCTION
A. 4.1
or Obligations' outlined in the Personal are nine key principles 2012 (the "Act"); the first of which is the Act Protection Data the individual regarding all purposes of requirement of notification to of the individual's personal data on o r disclosure or the collection, use, or disclosure." The Personal Data Protection use, the collection, before Commission (the "Commission") has named this the Notification Obligation." The organisation should also be able to provide, when requested by the individual, the business contact information of someone who can address the queries of the individual.5
There
4.2 There are two main exceptions to the Obligation of Notification contained in section 20(3): where consent is deemed under section and in the situations listed in the three schedules referred to in
15
1
The Personal Data Protection Commission refers to the principles as
Obligations', see Personal Data Protection Commission, Aduisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on
2 4
5
120
6
See ch 5.
110
15 July 2016) at para 10.2. Act 26 of 2012.
Personal Data Protection Act 2012 (Act 26 of 2012) s 20(1) (). Personal Data Protection Commission, Advisory Guidelines on Kry Concept5 mthe Persomal Data Protection Act (revised on 15 July 2016) at para 8.1. Personal Data Protection Act 2012 (Act 26 of 2012) s 20(1) (0). Fersonal Data Protection Act 2012 (Act 26 of 2012) s 20(3)(a).
111
Data Prolection in the
Practical Context
Notification Obligation
Third, a n d Fourth Schedules t the Sccond, section 17, namely, consent, n o notification is i deemed it is a situation of disclosure falls within.Cquire. ds use, o r collection, if the of Similarly, situations in the Second, Third, or Fourth Schedules, then
data to be collected from third parties without individual, but the collecting must organisation the the disclosing organisatiion with sufficient information the purpose of the collecion to enable the disclosing ding regar to determine whether the disclosure would be in 4.5
1 1 The Act a ll ou vS
the
conscnt
no required," subject to the emp notification of the purposes evePoymen in section 20(4). The out sct the exception exception to Schedules will be be duons discussed Se Third, and Fourth is
out
in the Second,
4.3
provide
in
chapter 5.
employer c a n collect In the employment context, an employee for the purpose of mo disclose personal data about relationship, the employee mu or terminating an employment first that in any situation Section requires 20(4) notified.10 be where o r disclosed for the Durnre used, personal data is collected, an employment relationship betwee managing or terminating the organisation must inform and individual, that organisation the individual of the purpose" and, on request by the individual, the business contact informatüon of a person who will be able to answer th individual's questions about that collection, use, or disclosure on before
accordance
of Information, Communications and the Arts ("MICA") had indicated hat it would be permissible for an organisation to give a general blanket notification in documents such as staff manuals and staff bulletins. Thus, for example, if employers wished to monitor the activities of their employees at work using closed circuit television cameras or video cameras, computer monitoring software and other surveillance devices, they are permitted to do so with just a blanket It would also appear that employers c a n collect and use notification. data of employees collected from social media and other personal with such a blanket notification, as long as the purpose is for managing or terminating the employment relationship.
platforms
the secuon on anonymisation
in chapter 3,5 the
erlosure of personal data to another organisation should not be done
managing
4.4 Although notification is required in such circumstances, the Ministry
Act.!1 with the
4.6 discuSed in
an
behalf of the organisation.
Dersonal
of the
data that is discloscd to lightly. In this regard, whatever personal nother organisation must only be for the same purposes that the first ranisation had notified to the individuals and consent obtained, and
in good practice, the disclosures should also be notificd to the individuals as well. Notification to the individual of the disclosure to
another organisation may be dispensed with if the personal data was
obtained via deemed consent or if the personal data to be disclosed to the other organisation falls within any of the situations listed in the Second, Third and Fourth Schedules.17
B.
RATIONALES FOR THE NOTIFICATION OBLIGATION
4.7 The reason for the notification of the purposes of the collection, use and disclosure is because of the need to obtain the individuals' consent for these activities with the personal data. The Consent Obligation will be discussed in chapter 5. Indeed, in the case of Universal Travel Conp Pte Ltd, the Commission found that since the travel agent had disclosed the passenger list containing the personal data of the 37 passengers without obtaining their prior consent, and in doing so had also not informed them of the purposes for which it was disclosing their personal data, it was also in breach of section 20 of the Act." 4.8
he notification of the purposes of the collection, use and disclosure
10 11 12 13
Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012
(Act 26 of 2012) s 20(3) (6). s 26 of (Act (Act 26 of 2012) 2012) ss20(3) 20(3)(a) (6) and "17. s 26 of (Act 2012) 20(4). (Act 26 of 2012) s 20(4))(a (Act 26 of 2012) s 20(4) (b). Ministry of Information, Communications and the Arts, Public Consullano cauons Arts, nfo of by Ministry Arts: PTOps 55ued muncations and the lDala Protection Bill (10 Personal Data Bill (19 March 2012) at para 2.69. ond
112
Ses the boundaries o f w h a t t h e o r g a n i s a t i o n is p e r m i t t e d to d o with
1
5
16 17 18 19
sonal Data Protection Act 2012 (Act 26 of 2012) s 20(2). See ch 3, at paras 3.50-3.114. Pe Data Protection Act 2012 (Act 26 of 2012) s 20(3)(a). 9na Data Protection Act 2012 (Act 26 of 2012) ss 20(3) (6)
[2016] SGPDPC 4. Uauersal Travel Corp Ple Ltd [2016] SGPDPC 113
4
at
[13].
and 17.
Context Data Protection in the Practical personal
data. The
organisation's
collection,
Notification Obligation use
and
disclo
Purposes, not activities
has beeSure limited to the purposes will be Any new purpose will require fresh notification and consent from the the
for which notification
4.9 The notification of informed decisions
purposes as
to
also
scrves
whether
they
to enable ole wish
to
choice
and
the purposesto
individuals
individuals to give consent formake
collection, use or disclosure for the stated purposes. The
cation
control
some over the Obligation gives individuals assess whether they are and allows individuals to data personal a m a n n e r for beneit used in such for their personal data to be s or
gains, if any.
10 Furthermore, by providing individuals with the purpose or purposes
for the collection, use and disclosure, individuals will be in a better position to ascertain whether the collection, use or disclosure complies with the Purpose Limitation Obligation, or whether what the organisation is requesting is excessive. 4.111 It should be noted, however, that the exception to the exceptions set out in section 20(4) above does not require consent, only notification. Hence, organisations may collect, use or disclose personal data with notification but without consent for the purposes of managing or
terminating an employment relationship.20
4.12 the minimum,
At
organisations
should provide notification of the primary purposes of collection, use or disclosure, that is, the specific
functions
or
objectives for which
the
a
particular personal data
is collected.
hence h ence
ctivities that it
use
and
disclosure.
individuals of It is
not a
inform individuals of all the possible uses and
requirement
disclosures,
there is no need for organisations to list all the
will undertake in relatio
to the personal data.2 For
i f the purpose is to enable the delivery of goods, there is no
instance, if eed to list all the
acuviues
t h a t will
be
undertaken with
respect to
the.
nhone number and delivery address such as stating that the ersonal data will be entered into a database, printed out, passed o n to
he delivery personnel whowould may be need external inform contractors and so on. individuals of its an organisation imilarly, notnormalto business practices, such as that internal purposes form part of and business planning
auditing,
billing.
4.14
t is more important for organisations to identify the purposes or objectives or reasons for the collection and use of the personal data and to state them clearly. By stating the purposes clearly, this would also help establish whether the personal data collected is consistent with the purposes identified and thereby minimising the risk of contravening the personal data protection Obligations in the Act.
"On or before"
2.
PRACTICAL CONSIDERATIONSs
C.
requirement informing
Obligation is a llection, collection. of the
4.13 The Notification
individuals.
4.15 Second, the requirement in section 20 is for the notification of purposes to be given "on or before" the collection, u s e o r disclosure of means that the notification may be given well in advance or just before personal data is collected, used o r disclosed. The usual practice would be to give the purposes for collection, use o r disclosure prior to collection so as to cover all activities for the stated personal data has been collected. If after the once personal data has been collected and an organisation would like to use
personal data. This
arposes
the
ne personal data for additional purposes, these would have to be noutied to the individuals and fresh consent obtained. Hence, it would
20
This is due to to
the exceptions in the Second, Third and Fourth Sched pertaining personal data collection, use and disclosure. n the of employment for purpose managing or terminauo019 2017 emploment relationship, see, eg, Personal Data Protection Act 26 of (ACt
2012) Sched 2, para 1(o). See 114
ch
5,
at
paras 5.84-5.88.
make practical sense to be well prepared and thorough before any collection of personal data is made. 21
ersonal 2e 4
Data Protection Commission, Advisory Guidelines on Key Concepis Fersonal Data Protection Act (revised on 15July 2016) at para l4.15.
115
Data
4.16 Where
Protection
in
the Praclical Context
collected, used data needs to be individuals need to be collection of the personal to the first
personal
periodic basis, informed
prior
formed
Notificalion Obligation or
disclo.
of this and data.22
d, however, be stresscd
on ; to
hbe
formedand
nurposcs
the
evident, t h e r e
dala appear that notification
that Cven where
there is a
for collection,
be
use and disclosure of will be situuations wherc
given.
1he
neXL
Where
there is n o formation of c o data is collected and the noification of the to advisable give be it would in a m a n n e r as noticcable as possihi
personal
involved,
C 3.
and protection. Ther is every visitor who ente The security cameras are conunuously capturing the ima of individuals cither as videos or as photographs and these are clearl personal data. As such, premises that utilise security cameras shoule
4.20 ld
premiscs obviously premises.
for
no
the purposes formal contract
of
security
formed with
deal with this
SubsidiaryY purposes
practicable carly Cxamplc, consider the situation where security cameras are 1,"or on as
as
personal
sound practice will
Section will
dictate
4..17
contract
be wise for organisations to distunguish between the levels or
and to assess how much depth of the purposes need of purposes lavcIs h e notificd to individuals.here are no concrete rules to be fallowed in this regard but the aim is for uhe individual to comprchend
have the notification of purposes at the gates or entry points of the
be put to. To this end, if the the all the purposes uirDoses will involve disclosure of the personal data to third parties or
premises. If the notices are located only at pointS well after where he
t the purposes thus far stated do not give an adequate idea of the full
security cameras are positioned or where visitors are unlikcly to sce them, there would be room to argue that the notification was not given before
he
collection
of personal
data
in
contravention
of the
Notification Obligation.
personal data will
extent of the use or disclosure of personal data in order to achieve the
stated purposes, then, the stated purposes should probably be more specific and detailed. For example, if there will usually be disclosures made to others, this should be notificd to the individuals and if the list
of recipients of the personal data is too long, they can be categorised 4.18
into recognisable classes or types of recipients.
Where personal data needs to be collected as part of a contract, then the notification should be given before the contract is formed. It may be the case that for some types of contracts, consent can be dcemed of he purposes is not required under and, as such, notification unless 20(3) purposes extend beyond the purpose of the contract. For example, for contracts involving a dclivery, in many purposes for the collection, u s e and disclosure of personal data such as the address and phone number will be clear
4.21 Often, there will be subsidiary purposes that will alrcady be encompassed by the main purposes stated, but for various reasons, such as the lack of possession of specialised knowledge, the subsidiary purposes would not be apparent to individuals and would need to be specifically notified to the individuals. Subsidiary purposes should not
section (a), instances, the
the
from thee context and they would be situations where consent can be
deemed and hence example in this
no notification will be required. The classic regard would be the ordering of pizzas for delivery. The address for delivery and the telephone number would need to be used for delivery purposes and they would also need to be disclosea to the delivery personnel who may be third-party subcontractoi However, if there are additional or secondary purposes that are o related to the purchase and delivery of pizzas, such as keeping u delivery address to send advertising materials, the secondary purpo must be notified and consent obtained, preferable at o r before u ime of personal data collection, so that there is no double handling
22
Personal Data Protection Commission, Advisory Guidelines on Key in the Personal Data Protection Act (revised on 15 at
July 2016)
116
para
naepts
be confused
with
secondary
purposes.
Subsidiary
purposes
are
that are intertwined with and usually deeply related to the main purpose and are required in order to achieve the main purposes.
purposes
Secondary purposes are usually understood as additional purposes Whether they are related to the mairn or primary purposes or not.
4.22
Cxample might serve to illustrate the point. Suppose an individual ISes
to
open
a
trading
account
wih
a
broker
so
that the individual
the
Singapore Stock Exchange ("SGX"). Here, the Conde dctual purposes are clear and thus the purposes of collecion, use lheosure of personal data also clear. It would be obvious that ODectives of the personal data collection, use and disclosure are on
are
ththe poses SGX and,
of
setting
up
an
technically, cons
account can
117
and
to
engage
be deemed and
in
no
trading o
notification
Data Prolection
is
necessary.
In this instance,
to the organisation to
the
formation
in the Practical
would however, it
actually provide
of the
data
notification
that
contract so
there
collection,
Notification Obligation
Context
is
be good of
no
use
practicefo Pria
the purp
ambiguity
and
ut he
disclo
of the personal the m a i n obJCctives o r p u r is because although r e a s o n for this to be use« used or disclosed need data may obvious, the personal the individual mayy not which in be and ways subsidiary purposes and other frameworks surroundine of due to the regulatory a trading accou in addition to setting up trading. For example, Dank and disclosed for the to be collected need account details may related to but which is a purpose of depositing dividends,
objectives
rposes are
for Ware
quity
POse
sube
the purpose of setting up the trading account. Individuals may l o be need to be ex thus, and, they aware of this subsidiary purpose informed
4.
so
that
Manner
their
consent can
be
obtained.
plicitly
and form of notification
be provided also be prou
also
through personal a
data
protection is indeed feasible, the organisation would nced to While this 2 data data protection policy 1s the nersonal actually accessed or that could
notification
personal
policy.
ure
by
the
r e aid vidual
data
to
protec
unreasonable
iis
somehow brought
to the attention of the For example, if the personal policy is only available online, it would be assert that notification has taken place as not
individual
ensure
or
true
notification.
or client has access
customer o r clier
to
the
every lnternet, and know that the
nal data protection policy contains the notification of purposes t h e website to find the personal data where o n
Ptoknknow and to
protection
such a situation, the organisation should explicitly direct
duals to the personal data protection policy for the notification of the policy o r the relevant furnish a copy parts of the purposes or
policy
of
policy to
individuals.
4.25
mhedding the notification ot purposes in a personal data protection
organisauons r u n the risk that the nolicy may also m e a n Droad be too may or t o o general for a section of notification tdividuals and, hence, may necd to be supplemented with a more that
1.23 The Act does not specify any requirements as to the manner or form of
the notification. For this reason, the most appropriate manner and form will depend on the circumstances. In the example of the security ove, a notice at the point of entry would be the best method
cameras of providing the notification as that would be the first oPportunity to notify individuals of the collection of personal data and it would also be the most visible. Similarly, for the recording of telephone calls, where a person's voice and the contents of what the individual says would be the relevant personal data collected, the earliest point at which notification could take place would be at the beginning of the call. Thus, the notification of purposes could take the form ofa recorded message about the purposes of recording the telephone call before the telephone call is actually answered by a human being. In this regard, a number of organisations in Singapore using call centres greet their callers with the noification that the call may be recorded for quality and training purposes". Arguably, these a r e then the only purposes for which the personal data can be used, s o that if there is a dispute as to the substance or content of what transpired during the the recorded conversation cannot be used against the caller that would not fall within "quality and training purposes".
cnecific notification of purposes. This might be the case, for example, of
if the organisation offers a wide variety services o r products but for the much more details of the certain services offeredbyFor organisation, a n insurer are example, may provide health Durposes required. insurance as well as home insurance. The purposes for the collection
and use of personal data for a health insurance policy will be more complex than the purposes for a home insurance policy and, hence,
the notification should be more comprehensive. 4.26 For some transactions, it would be efficient and ideal if the organisation states the notification of purposes and, at the same time, obtains the individual's acknowledgement of the notification and consent in writing, either electronically o r o n paper.
conversation, because
4.24 For evidentiary reasons, it would, of course, be beneficial tor notification to be recorded in some way, such as in written form, eiu
in electronic or paper format. The Commission has suggested that
118
23 24
ersonal Data Protection Commission, Advisory Guidelines on Key Concepts at para 14.12. Snal Data Protection Commission, Advisory Guidelines on Key Concepls eFersonal Data Protection Act (revised on 15July 2016) at para 14.13.
he Personal Data Protection Act (revised o n 15 July 2016)
119
Data Protection in the 5.
Consequences
4.27 In providing
if personal
Practical Context
data
is
not
Notification Obligation
collected
POSITION IN
of the collection 1, of the purposes holistic view to be prese a for data,
notification
n
use and
ted, i
of personal to elaborate for organisations would also be helpful all of the personamain o r some if for the individual consequences used o r disclosed. not collected,
disclosure
personal data is
4.28
the signie list every single c o n s e q u e n c e , only to result need to be be expected could that consequences avoided o r lessened can be some of the consequences other not but personal data, this individual providing some notification. Some examples of consequences
There is
no
need
o ifican thro should
to
highlighted in the o r disclosed micat data is not collected, used may result if personal o r concession cann membership a benefit, that an application for de processed, or that the individual will receive a different level of ervice. individual may n o t be eligible to hire a car, the discount unless the individual provides details of the status of
For example,
fo heir
demerit points under the driver's improvement point system.
4.31 ticle
nirective
6
f
the
THE EUROPEAN
European
95/46/ECprovides
UNION
Union
that
EU") personal data
Data Protection be "collected
must
explicit and legitimate purposes and not further way incompatible with those purposes". This is echoed orocessecche EU General Data Protection Regulation specified,
for
2016/679.27
i n Article5
Data Protection Regulation 2016/679 general transparency obligation on organisations that imposes personal data. Recital 39 of the General Data Protection
4.32
addition, the EU General
In
handle
lation 2016/679 further provides that it should be transpare ndividuals that personal data concerning them are collected, used, and extent the personal data or otherwise to co he processed. Any information and communication relating to the processing of those personal data must be easily accessible and easy to understand, and clear and plain language must be used. This principle of transparency is appicable, inler alia, to the purposes of Drocessing and any further information to ensure fair and transparent orocessing of personal data. Individuals should be made aware of risks,
consulted
processed
what
nules, safeguards and rights in relation to the processing of personal
D.
NOTIFICATION OF PURPOSES IN THE ONLINE
data and how to exercise their rights in relation to such processing. In
ENVIRONMENT
particular, the specific purposes for which personal data are processed should be cxplicit and legitimate, and determined at the time of the collection of the personal data.
4.29 Much personal data is collected and processed in the online environment, either through applications that are used by individuals, such as social media applications or even through the browsing of web pages. These activities would also require users to be informed of the purposes prior to the collection and use of the personal data, unless they fall within an exception.
4.33 The requirements for
notification under the EU General Data a r e far more comprehensive than the requirements under the Singapore legislation. The Act only requires
Protection Regulation 25
.30 In recent years, the use of cookies on Internet web pages to surreptitiously collect and use personal data has drawn mucn attention. This will be discussed in more detail in chapter 5.
26 27
2016/679
Directive 95/46/EC of the European Parliament and of the Council of 24October 1995 on the protection of individuals with regard to the data and on the free movement such data
Processing of personal of 1995] OJL 281/31 ("Data Protection Directive 95/46/EC").
Data Protection Directive 95/46/EC, Art 6(1)(b). 2016/679 of the European Parliament and of the Council of 27 2016 on the April protection of natural persons EU
Kegulation (EU)
with
gard to the processing of personal data and on the free movement of
such data, and repealing
Directive 95/46/EC (General
Data
Protection Kegulation) ("EU General Data Protection Regulation 2016/679"),
Art 5(1) (b).
0EU General Data Protection Regulation 2016/679, Arts 12 and 13, and Recitals 58, 60, 61 and 62.
EU
120
General Data Protection Regulation 2016/679, Recital 39. 121
Data Prolection the
use or of the collection, s o meone the contact details of
purposes
with The EU General Data
along
individuals
such
in the Practical Context
as
are
Protection
provided
with
disclosure who
to
be o.
notilied,
answer que
uestion ensure beyond the n a
can
Regulation 2016/679
information
in the risks, ules and rights
well
relation
to
urpos the processin
transparency concero are personal data. Individuals data will be processed, and the exten. what and how their personal be processed. This rena are o r will which their personal data the purpOses but also of not only Just providing notification law requires that individa EU the In short, be processing activities. relation to the "processing" of th entitled to full
CHAPTER5 C o n s e n tO b l i g a t i o n
requires
in informed about everything defined to include very broadly "processing" with every personal data, data, to including the ac s of done personal conceivable act that can be
collection and storage."
the most contentious and consent appears to be inciple of of the personal data protection regime in aspect problem: of consent is so problematic that it nearly
5.1
The
princip
The principle
apore. borders
on
rendering
unworkable.
obligation
to
the
whole personal data protection regime
Obligation is a helpful and essential those who collect, use or disclose personal impose o n the concept has been shortcoming Is the way
The
Consent
data, but the major legislation. conceived in the Singapore 5.2 There
are two
main aspects to be
of the Consent detrimental.
Obligation that will, in
The first is the concept of
vears to come, prove second is the voluminous situations listed in deemed consent' and the is not required. Both of these allow the the statute where consent without consent and which goes massive stockpiling of personal data collect to The personal data without consent is unchecked. ability the in first floodgates of problems. Once the opening step arguably accumulates. Even if the uses personal data is collected, it remains and of the personal data are stipulated narrowly (which they are often not),
it is near impossible for a third party such as a governmental authority to constanty monitor, let alone enforce, that the personal data is only
30
EU General Data Protection Regulation 2016/679, Art 4(2): is processing means any operation or set of operations which or data or on sets of personal data, whether on performed personal not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destructon.
122
being used for the permitted purposes. If the personal data is further allowed to be disclosed liberally, the whole process perpetuates iiselt
Personal Data Protection Act 2012 (Act 26 of 2012)
s
15.
Data Protection Act 2012 (Act 26 of 2012) ss 20(3)(6) andl, 2Personal and Second, Third and Fourth Schedules.
123
Data Protection in the Practical Context
Consent Obligation amounts of information, much of it is necessarily al data. These large pools of personal data have come under
and the situation is made even morC acute with even mos
accumulations of personal data. With collection and accum harms has already occurred be one of the because there
biggest
centralised
pool
of information
on
individuals.
vast
tion, is a
vfa s t holder o
rity threats in recent years. the the computers from the to delink was to
sophisticat
coms
delink
Cxperts
5.3 As discussed in chapter 1, the accumulatüon of large pools of ne data over time and from many ditferent sources creates o environment in a number of ways. It can certainly harm people in that were not foreseen. At the top of all concerns for organisat however, would be the associated costs of protecting such Dere
data;
to ensure that there
are no
rsonal
the personal data. The consequences and liabilities of a data leak example, would be far more dire for the organisation than the costs or protection, in financial terms and in reputation and goodwill. Indo of
stolen tangible property.
are
we have to make sure that our system is secure. We can't get infiltrated, data cannot be stolen, somebody can't come in and wipe out your data or cause some other mischief .. In terms of security, safety of our systems, safety of our citizens and information concerning them, it's absolutely necessary. Otherwise, one day you find all your NRIC numbers, addresses and income tax returns for sale on the internet, one package 10 gigabytes How will the Government explain?
5.5 The situation is aptly summed up by the Prime Minister: "In terms of security, safety of our systems, safety of our citizens and information concerning them, it's absolutely necessary" The Government is a Charissa Yong, "Delinking Internet access necessary to keep Govt data PM Lee" The Strais Times 2016). Charissa Yong, "Delinking Internet access necessary to keep Govt da secure: PM Lee" The Straits Times (9 June 2016).
these concerns Act 2012 (the
n
allowing
to
sit
on
security
large collections corporate computer
to be
"Act").
found in
Why,
for prevent of personal data and systems waiting to be
similar concerns that
sations from amassing
ought
to
by hackers, thereby engendering the safety of
and rendering informatior concerning them vulnerable. The
citizen
collection is only the starting point. Ifcybersecurity threats are be ed seriously, organisations should also not be allowed to freely use disclose personal data without consent in the ways that they are the Singapore personal.data protection legislation.
and
allowed to u n d e r
5.6 fndeed, it is because of the enormous negative by-products of personal
dofa CCumulation that security expert Bruce Schneier has called data, especially personal data, "the pollution of the information age" and
A.
that "its
atter-effects
are
toxic"
6
CONSENT OBLIGATION
5.7 The second Obligation set out in the Act mandates that consent be
obtained from the individual before personal data is collected, used, or disclosed." Consent may also be given by any person validly acting on behalf of the individual for the collection, use or disclosure of the individual's personal data. The practice of referring potential customers commonly found in Singapore would fall under this category. An existing customer may disclose, with the consent of the potential customer, the name and telephone number of the potential customer to a bank, for example, and consent would have validly been given to the bank. 5.8 This Consent Obligation, however, does not apply where collection, USe or disclosure of an individual's personal data without consent is
5
(9 June
124
no
example,
argues unequivocally
5.4 So serious are the concerns of data breach and cyber attacks that Singapore's Prime Minister Lee Hsien Loong announced in June 2016 that from May 2017, all computers used by the public service will be disconnected from the Intermet. This, according to the Prime Minister, was "absolutely necessary" to keep government data secure. The press reported that the Prime Minister said:3
secure:
of
he advice from
and
difficult if not impossible to undo. The ensuing damage could, in somo circumstances, be contained but once personal data is stolen, it will be forever stolen as some personal data, such as biomentric data, can never be changed and the information cannot be "recovered", unlike
3
traces
Protection
attacked
breaches of the system and no theft.of
the consequences of a data breach are often unpredictable
are no ondering why there Singapore'sPersonal Data
1
Internet. This leaves one
8
Act 26 of 2012.
Bruce Schneier, "The Tech Lab: Bruce Schneier BBC (26 February 2009). Personal Data Protection Act 2012 (Act 26 of 2012) s 13(). Fersonal Data Protection Act 2012 (Act 26 of 2012) s 14(4)
125
Data Prolection in the Practical Context
Consent Obligation
required or authorised under the Act or any other Written law.
Thus,
the Act is subject to other laws.
5.9
The term "consent" is not defined in the Act but the cone.
the notion of deemed
consent
which will be
dise pt is
complicated by below. Furthermore, pursuant to section 14(1)(a), subject to e d tWo situations falling exceptions under section 20(3), namely,
withi
deemed consent and the situations set out in the Second, Third Fourth Schedule, consent that is obtained without first notifvino individual of the purposes of collection, use and disclosure is not Thus
imperative that organisations provide clear notifications of purposes.
purposes beyond
what would be
new
considered
reasonable. l5
prompted
MICA to cite the requirement of the be reasonable, as this was not enacted in the having ses een in chapter 6, the limitation purpo be sscen will be of purpose As will legislation. a i m p o s e sucha requiremen The test in section 18 is does n o t principle ase :must be one that a "reasonable person would consider hat
5.12 t
is
unclcar
to
that
the
purpose
in the circumstances
hiIs is an appropriateness test
oriate
consent.10 Section 14(1)(6) also requires that the consent given huvalid
individual is for the purposes notified to him or her.
for
r f o ra
is
which
5.13 It is ata
5.10
Consent is also invalid if false or misleading information regardino
is n o t
clear,
it
the same
however,
holds for
arOvisions,
as
requiring the purposes to be reasonable,!7 anisation has never used personal prior to the commencement of
that if
an
keting
purposes
it would
not be able to do sO now
without
consent.
the
the collection, use or disclosure of the personal data has been
provided to the individual, or if misleading or deceptive practices have been utilised.2 The Personal Data Protection Commission (the
"Commission")
has
elaborated
that
this
would
1on encompas
stated in vague or inacCurate tems, in an illegible font or placed in an obscure area of a document or a
situations where "the purposes
are
a
location that is difficult to access" 5.11 Section 19 deals with the position of personal data collected before the commencement of the provisions. It allows organisations to use such personal data for the purposes for which the personal data was collected, unless consent has been withdrawn." The Ministry of Information, Communications and the Arts ("MICA") has stated that this is limited to existing uses that are reasonable taking into account the nature of the organisation's business. Hence, organisations are not required to obtain explicit consent for the continued use and processing of their personal data unless they use existing personal data
EXCESSIVE CONSENT REQUIRED
B. 5.14
the validity of consent is the important restriction concerning what consent organisations can require from individuals on limitation use and disclosure of personal data as a regarding the collection, o r sevice. The Act a of product prohibits an providing condition
An
organisation from requiring an individual to consent to the collection,
disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual. If consent is obtained but this test of reasonableness in section 14(2) (a) is not satisfied, then the consent obtained is invalid.19 use or
5.15 In effect, there are two main areas this provision covers. First, it prohibits organisations from requiring individuals to provide excessive 15
Ministry of Information, Communications and the Arts, Publc Consultatio
Issued by the Ministry of Information, Communications and the Ars: Proposed 9 10
Personal Data Protection Act 2012 (Act 26 of 2012) s 13(b).
Personal Data Protection Act 2012 (Act 26 of 2012) ss 14(1)(a) and 20(3). See also the case of Universal Travel Corp Pte Ltd [2016] SGPDPC 4.
12
Personal Data Protection Act 2012 (Act 26 of 2012) ss 14(2)0
13
and 14(3). Personal Data Protection Commission, Advisory Guidelines on Key Coneps in the Personal Data Protection Act (revised on 15 July 2016) at para 12.22.
14
Personal Data Protection Act 2012 (Act 26 of 2012) s 19.
126
6 17
Personal Data Protectiom Bill (19 March 2012) at para 2.139. Personal Data Protection Act 2012 (Act 26 of 2012) s 18(0). The Ministry of Information, Communications and the Arts may have relied on s 14(2) of the Personal Data Protection Act 2012 (Act of 2012), but that section deals with the provision of a product or service Personal data already collected and used by organisations for whatever purposes may not be associated with any good or service provided. s Data Protection Act 2012 (Act 26 ().
26
of 2012) 14(2) Personal Personal Data Protection Act 2012 (Act 26 of 2012) s 14(3). 127
Consent Obligation
Data Protection in the Practical Context or extra
personal
data that is
not
reasonable in order
to
Dro.:
woO product or service. A scenario that might ould bethe store membership or privilege card for the holder to obtain d a when making purchases. In order to provide the scrvice o
discour
discounts, it would be reasonable for the organisation
g
to
information such as the name, gender and telephone number would also be relevant for the purpose of identifyins the
individ
uncommon
IC
The combination of the name and telephone number is o test. sufficient to identify a person, there is no necd for the date ofbi
th. Some stores may give special discounts for the birthday month of the individual and, in such a case, the personal data requested should h the month of birth, not the date of birth.
reasonableness
use
or
store discount
obtained
would
be invalid
ronsent
for stores to request information not such date of birth and National Registration ldentification Card ("NRt a
number, it is doubtful if these would satisfy the reasonablenes
organisat
unreasonable
these
a residential address is really not necessary for identification n
Although it is
An example of the former would which is legitimately collectedbe an number ividual's t e l e p h o n e and test but to require nableness tecst individuals to consent the the of satishying disclosure disclo telephone numbers in unrelated to the t membership, such as for marketingways to which mesages, and would fall foul of section 14(2) (a) and able and any id be disclosed b y t h e
illustrate this
de
Similarly, for something such
as a store membership for discounts, requesting an individual's NRIc
onale behind the prohibition is valuable, the way the is worded has resulted in some dilution of the effect. It provision is still request the individual to an o r g a n i s a i o n may 5.18 Whilst
the
rationale
give
that
ot for the collection, use o r disclosure of the excess or cxtra it is thec choice of the individual whether or not to data, but nalthe personal data The wording of section 14(2)(a) is:
appears
consen
supply "An organisation
shall
service, require an
not
as a
ondition of
providing product a
or
individual to consent to ..". This suggests that an
and governmental landscape. Even if the store membership programi
nisation may still request the information, but the organisation require it. However, this request woul still be subject to the requirementset out in section 18 of purpose limitation to be discussed
one whereby members can accumulate points for redemption, the bes
in chapter 6.
number would seem to be excessive, especially given the special significance and importance of NRIC numbers in the Singapore legal
cannot
way to safeguard the points from fraudulent use is to utilise a system of
passwords or personal identification numbers ("PINS") for members, The collection, use and disclosure of NRIC numbers will be dealt with in chapter 7. 5.16 The types of personal data that would cdearly be unreasonable to collect, use or disclose for a mere store discount membership would be information on medical illnesses, an individual's educaional qualifications and the type of car the individual drives, if any. 5.17 The second main area this provision covers is the prohibition against organisations from requiring individuals to consent to uses or disclosures of the personal data beyond what is reasonable to provide the product or service. This can apply to both personal data validly collected for the provision of products or services within the reasonableness test, but which the organisation is requiring consent for extra or excess uses or disclosures; additionally, it can also apply to extra personal data that the organisation is seeking to collect for the extra uses or disclosures. An example of the latter would be similar to
5.19
f an organisation wishes to obtain consent lor the extra personal data,
it would need to ensure that individuals are informed that the consent for the collection, use or disclosure of the excess or extra data is not mandatory; otherwise individuals may assume that all the personal data is required, leading to the consent thus obtained falling foul
requested
ofsecion 14(2) (a) and the consent would be deemed invalid.20 To this end, it would be useful when collecting personal data through forms, whether online or on paper, that those fields or questions that are mandatory or required are clearly marked, for example, with an asterisk, to alert individuals to the fact that the other fields are
optional 5.20 The example of the store discount membership would illustrate how this might operate. If the store wishes to send out notifications of OCcasional promotions to the members, it can do so with consent via
mobile phone text messages. Alternatively, it may request the ndividual for an address to which the promotional details can be sent.
Arguably, to achieve this, an e-mail address would suffice but if an
what has been discussed above in relation to the first area, information such as a person's medical illnesses should not be required in the first
place
for
a
mere
store discount
128
membership, let alone used
or
Personal
Data Protection Act 2012 (Act 26 of 2012) ss 14(2)()
and 14(3).
129
Consent Obligation
Data Protection in the Practical Context c-mail address, then a residential or worl ork to this scenario s could be collected. There are three layers whether to individual the to should be optional any of for receiving promotional address, c-mail or physical, mate is materials als likely to ho of individual has
no
First, it form
provide
promotional because the receipt the service of provi what is reasonable to provide be mandatory for the not should it discounts. Second, addressCs. One kind of and email both physical provide
oviding membereyond
dual ada dress should be sufficient. Third, it may be that there will be OCca the presentation of physical vouche whereby the store will require certain promotions to limit the number of redemptions. In s informed that those who do event, individuals should be
not
leave
it to the individuals to decide whether they wish to provide thei. residential addresses. In short, individuals should not be require provide their physical addresses; it should be optional but they shonld
be informed that they will be precluded from the opportunities
enjoy promotions using physical
vouchers.
5.21 The Commission has, however,
in
this.
Toput
to
that section
opined 14(2) (a) may not prohibit certain situations in which an organisation may seek to
require consent. It gave the example of organisations providing "offers, discounts or lucky draw opportunities to individuals that are conditional on the use or disclosure of their personal data for specified purposes"2
collection,
5.22 It would appear that he Commission may be referring to the situation where the contract or bargain itself is purely to enter into a lucky draw or to obtain a discount or offer. It would otherwise be to see how the Commission could have reached this view, that the given plain words in section 14(2) («) refer to "providing a product or service", which would encompass the situations of "offers, discounts or lucky draw opportunities". Since "offers, discounts or lucky draws" are products or services, in accordance with the plain words o section 14(2)(a), there can be no conditions attached to the provision of the products or services requiring consent for personal data beyond what is reasonable to provide the products or services, unless the product or service itself is the offer, discount, or lucky draw.
difficult
are
more
a
meml
membership. Contrast this with
colle what
is
reasonable
provision
organisatio
permisib
is
one
where the
effect, the individual "sells" personal data in
ter exchange for the discount, or the opportunity to enter into a lucky
se may be. Thus, an example of the latter scenario might called Moonbucks that sels coffee. A latte at Moonbucks be a provide their personal data to $6, but if individ normally is Moonbucks nd consent to heir personal data being used for draw, as the store
called
dtering and outreach purposes, they will in return receive a voucher them to buy a latte:at $3. The voucher for the latte at $3 is a enablin separate and independeni contract or transaction and would be a transaction for personal data collection, use and disclosure permissible under the Act.
5.24
This provision gives autonomy to individuals to decide how and whether they wish to trade their personal data for goods and services, and this would appear to be in line with the Government's desire to
engender business innovation and entrepreneurship, and not to stifle economic activity. Indeed, it tries to balance the need to stimulate economic activity and growth with the need to protect personal data. 5.25 However admirable the goals of this provision are, organisations should be acutely aware that one of the key tenets of good personal data practice is to collect enough personal data for the
protection
purposes and not too much. As will be seen in chapter 9, the less
personal data that an organisation collects and holds, the less in terms security and protection the organisation will need to provide for the
of
personal data. In this modern digital age where hacking and daa arching is cheap, easy and prevalent, and often applied to compile
profiles of individuals, as a matter of best practices, personal data idt 1S Sensitive
esdential 21
product
discount
store
scenario
nr videan a
physical address will be foregoing those kinds of promotions and
Concrete manner, ne Cxample given above of con membership has as the mc or service the nefits. As Such, consent for the vith discount the bership ndd disclosure of perSOnal data cannot move beyond ollection, use a n the onable to provide the consideration of the contract between the the situation here wh of and the individual is the personal data in discount at the store. This latter scenario xchange f o r would be for a to the Commission. In u n d e r the Actaccording
5.23
or
addresses,
significant,
such
as
NRIC numbers
and
even
should be collected
sparingly. This should be so y tor the good of protecting individuals' personal data, but also
Personal Data Protection Commission, in the Personal Data Prolection Act
Advisory Guidelines on Key Concey (revised on 15 July 2016) at para 12.
130
to
. e compliance costs for the organisation, as well as to reduce
miability arising from the personal data being compromiseu. 131
Data Protection
in
Consent Obligation
the Practical Context d
C.
his or her address to tacilitate the actual delivery of
za delivery, a n d
has been ordered. Furthermore, there would also be no
DEEMED CONSENT
the p i z z at h a t
5.26
adopted to mi. consent was The concept of deemed in the on organisations the impact of the new regime collection." Section 15 of the Act2 data processes of personal consent. The section begins with. the meaning of deemed to the collection, use or disel. consent individual is deemed to no
doubt
s
Act setss day ou "
Consent is deemed from an individual ir use, and disclosure. without actually giving consent, voluntarily provides
the individual, the for that purpose, and it is reasonak. personal data to the organisation would provide the data,24 n voluntarily that the individual nd
disclosure is at the core of the consent that is deemed. The purnoee must be clear to both parties. This also raises the question of how man that can be deemed: are can there be in any given transaction
purposes there any limits to the number of purposes? Would all the purposes
have to be clear to both parties? Arguably, if there is any purpose which is unclear or which was not envisaged by the individual, these would need to be notified to the individual, and if this is the case, then the situation would not fall under the section 15 deemed consent and would bounce back to the obligation to notify the purposes under section 20 and consent would need to be obtained as required under section 14(1).
1.
1o be
which
contractors,
nsent All this speeds up the transaction and assists in the
decmed
conse
s
losure of personal data about the individual by an organisation for a purpose if.." Hence, the key to this provision is the purpose of the collect ection,
understanding of what is the purpose of the collection, use,
hop tto o obtain explicit consent for the personal data shop
thepizzato the the delivery person, even it they are third party for disclosed to is often the case, because this too would fall under
c e dl
Deemed consent for multiple purposes
5.27 A simple example of deemed consent would be the telephone ordering of a pizza for delivery. Instead of the pizza shop staff having to enquire explicitly whether the individual consents to the collection and use of the customer's name, telephone number and address, the consent can be deemed. Under the deemed consent provision, the shop can legitimately assume consent for the collection and use of the customer's name to identify the customer, the customer's telephone number in case of a delay or some other misadventure in
pizza
OTgan
in its
delivery
productivity
of
goods
and
and
enables
the
organisation
to be efficient
services.
that are clear from the above example are the purchase of a pizza. However, oth purposes serve only a single
5.28
The purpoSCS
delivery
purposes are intimately interconnected. If the the personal data to, for example, provide future such as o enable future orders to pizza shop service i n the more efficientfaster.m a n n e r , the shop would not be able to rely on the a in be taken to do this. To illustrate, if the shop wishes to ned consent provision data, it would first need to retain the personal data. utilisethe personal 9 on the retention of personal data, the be seen in chapter As will to tain the personal data if, inter aha, it is is permitted rganisation his in instance, there may well be tax law and law, quired by reanirements to retain some ot the personal data. However, the retention of the personal data in this regard would be for
and
ian and
transaction a n d was
he
two
to utilise
Dermitted
business process efficiency purposes. So, purposes, not for identifies the individual through the the if shop piz2a for example, it cannot for efficiency reasons retain number, individual's telephone number and address on the system as a the individual's telephone record to avoid having to re-take o r re-input the delivery address for future orders. Further, if the individual had ordered a Hawaiian pizza the first time, the pizza shop would also not be permitted to use deemed consent to retain the choice of pizza ordered and ask the customer if they would like to order a Hawaiian pizza again. All the personal data and the type of pizza ordered can be retained for tax purposes and this should be kept at the backend. The personal data and the kind of pizza ordered, however, should not be retained and used, and be accessible to front end staff for the purpose of enabling more efficient ordering of pizzas in the future, unless explicit consent has been obtained.
tax related
5.29 22
23 24
Ministry of Information, Communications and the Arts, Public Comnsulkation ssued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.48. Personal Data Protection Act 2012 (Act 26 of 2012). Personal Data Protection Act 2012 (Act 26 of 2012) s 15(1). 132
as of analysis can be applied to other industries and e , where there is only a single or one-off transaction with a clear
nis kind
settüngs
Purpose or clear closely inter-connected purposes, such ordening of a taxi service or visiting a show flat.
as
133
in the
Consent Obligation
Practical Context Data Protection in the
What consent, if any, can be deemed for the use the collection stag tage.
5.30
there can Onc situation where of retention personal data
the
where
an
individual submits
perhaps be clear decmed co might be in the employment a
job
application interest
in
by
for
writing
working a n
a general organisation expressing he ume frame. The oroa without any expressed organisation llon the of consent individual to deemed could be said to have the the for future positions that mieP t arise data on file indefinitely
personal
endure unil the individual vithS may would need to dest case the organisation consent, in which roy the individual. the on personal data it holds
This deemed
he photograph? This is a difficult question and much o f tu disclosure If the was taken at a r be for the might deemed to be rt, the a t t c n d e e s of the wo but not beyond that, the ated amongst commercial purposes. If the photograph was taken at certainlyn o t f o r par perhaps with the individual standing ark o r a theme pa toon characters, the deemed consent life-size a short duration side p h o t o g r a p h t o be displayed in on
consent
amusement
famous
Indeed, it would appear that the concept of deemed consent
Pplies
one main o r primary purposc. It well to situations that have only may consent to more than one purpose in be difficult to apply deemed any the purposes have only a tenuous where or given scenario, especially
no relationship to each other. As a matter of sound practice and
ugh
rule of thumb, explicit consent should probably be obtained if an An wishes to claim deemed consent for more than one mmain
organisation
purpose in any given
scenario.
the befor
rould
order
for the
photograph
photograplhs i f
they
so
and
the to
cameras
entering
premises, the
individual hereby consents to
ptured by the security cameras. Would
this her images when the individual consent given by the individ factual case bea Or would tthe situation be better characterised into the premises? steps consent provISion that by taking the action to step mder the deemed the individual has, through action, provided the into the premises, cameras? This is really a moot point as the nersonal data to the seccurity Po under cither conceptions. The former characterised be consent can would be tenable under a contractual model, that conceptualisation of the contract o r condition is collection of an individual's image part The latter conceptualisation is equally the onto premises. of entering who without Section 15(1) merely refers to an individual,
palatable. to in section 14, voluntarily provides actually giving consent referred The relevant the personal data to the organisation for that purpose. The into the sign with the premises. purpose here would be entering make it clear to notification at the entry point of the premises would will be the individual that for security purposes, security cameras The the into who all premises. of step persons capturing the images individual voluntarily provides the personal data to the organisation
the purpose of entering into the premises when he or she voluntarily steps into the premises and allows the organisation's 1or
Personal Data Protection Commission, Advisory Guidelines on Key Concepis in the Personal Data Protection Act (revised on 15July 2016) at para 12.25.
134
purchase
use
security cameras to record the individual's images. 25
to
Beyond that, it would be difficult
brings i n t o
having his o r
5.33 The scope of deemed consent through action can also sometimes be contentious. Take the example of a person taking photographs. If the subject of the photograph actually posed for the photograph, it would be safe to say that the individual being photographed has given deemed consent for the photograph to be taken. However, that is only
desired.
inspect
into question the images recorded by security cameras Notification Obligation. It was mentioned 4 c in chapter discussed p r o t e c t e d by security cameras, a nouification of premises that for shoulk be placed at the entry points of the there of security the lividuals the notification required under section 20. individ to give premises consent be conceptualiscd in such a situation? Any How would the would n o doubt state something along the lines that 5.34 This
ch notificationthese
5.32 Consent can also be deemed through action as section 15(1) does not pecify the manner in which the individual has to provide the personal data. The Commission gave an examnple in this regard," of a person visiting a medical cinic for a check-up and allows herself to be subjected to the collection and use of personal data, such as measurement of her height and weight for the purpose of the check up. These would all fall within deemed consent, even though the individual did not actually give the personal data as such but the personal data was provided to the clinic through measurements.
for
to
deemed consent.
Such
Deemed consent through action
ubjects
a r g u e a n yo t h e r
on
2.
carto
alongside
consent
5.31
photograph photograph
the circumstances.
u l dd e p e n d o n
135
Consent Obligation
Data Prolection in the Practical Context
Corollary of deemed consent to disclose
3.
The purpose or
individ
data
5.35 Section 15(2) specifically states that should an individual ual deemed to have given consent to the disclosure
by
the
hould
also
be
clea
to
purposes for the deemed the individuals and there should be
n od o u b i s ,
give of personal dataor byis
one organisation to a second organisation lor a particular
purpoUsee,
then the individual is deemed to have consented to the collecti
and disclosure of the personal data for that particular purpose second organisation.6 This is a logical necessity if the whole deemed consent is to be workable.
there is discl losure
5.38
Wherd
need
to
required
ensure
the
oncept of
part
of the consent
for the collection, use limited purposes and disclosure of would be constuctive to it and data reiterate this to the al
rganisation
b conethe
as
receiving party of the personaldeemed. data is
awareofthe
t h ep e r s o n a l
receivingparty.
5.36 The pizza delivery scenario set out above would provide
as
delivery
deemed consent is a retrograde step for personal and personal data security. It allows security security, finaancial personal used and disclosed without collected, be explicit consent, to data the protectio onal data. The also gaps in concept openir and those who have been the purposes given access to the 5.39
a
example of the meaning of this provision. The customer who or the pizza was deemed to have consented to personal data such he personnel. For delivery address to be disclosed to the to workable, the delivery personnel must also receive some protectinbe from personal data protection liability when the personal dat on s received by the deliverer. Hence, section 15(2) also the customer to have provided consent for the delivery to receive, use and disclose the personal data for that same of the the Section namely pizza. purpose delivering l15(2) is really the flipside of the initial deemed consent to disclose. In the situation of the pizza delivery personnel, the deliverer would need to receive or collect the address to deliver the pizza. The address would be used by the deliverer when the delivery of the pizza takes place. Lastly, the deliverer may need to disclose the address to others if the deliverer cannot find the address and requires extra directions from others; order to find the address. Section 15(2) automatically makes all this possible by deeming consent for all of these activities by the delivery personnel.
this
deems personnel purpoe
In all,
as a
ans
cent,
conc
that
nsl data are not properly tracked and are thus difficult to be held
accountable.
MANNER AND FORM OF CONSENT
D.
5.40 The legislation does not dictate the manner and form of the consent but for evidentiary purposes, good personal data protection practices the consent be obtained in wTiting Consent may also be obtained verbally but way.
would entail
or
recorded in
proof of this
some
may be
ificult unless the process is somehow embedded, or the verbal consent is followed up with a confirmation of the consent in writing, whether in electronic or paper format. Verbal consent can be recorded
iftis given over the telephone, or it may take the form ofa pre-recorded 4.
message
at the beginning of the telephone call deemed by continuing with the telephone call.
Caution on deemed consent
5.37 Deemed consent is efficient and useful for keeping transactions at a minimal level of engagement for both parties, but it should be applied with caution. Where there is any doubt whether the deemed consent
provision applies, obtaining consent from the individual would avoid
disputes from arising and save the collecting organisation from having8 to prove elements such as voluntariness in the provision of persona
5.41 The Commission has made it clear that a failure to opt out will not always be regarded as consent in all situations." Much will depend on the actual circumstances. A failure to tick a box on a form to opt out of where the box before the place where the individual
consent
Personal Data Protection Act 2012 (Act 26 of 2012)
136
s
15(2).
appears
has to sign is likely to signal valid consent, whereas a failure to do an
27 26
stating that consentis
Personal Data Protection Commission, Advisory Gauidelines on Key omcepis N he Personal Data Protection Act (revised on 15 July 2016) at para 12.10.
137
Consent Oblagaton
Data Prolection in the Practical Context
act such as mail back to the organisation a consent opt out leta
unlikely to be considered a
ter s
valid consent.
advised 5.45
the withdrawal of consent
e to the individuals
ncerned and which clearly inform
easily accessible
he form and manner to submit a notice to withdraw
being
declared invalid, organisations should adhere to the good practice
obtaining consent from an individual through a positive action individual to consent to the collection, use and disclosure personal data for the stated purposes.
facilitate
ng aDpropriate consent withdrawal policies that are
through desig
5.42 To avoid the risk of having a failure to opt out type of consent he
to
are
anisauo
Onganisatic
for specifio
consent their
or
disclosure of his
the
whom, submitted
mcans
purposcs as well as the person to notice to withdraw consent should
stating
by which, the
time frame for the withdrawal to be and the expected nisations should make clear which this end,
To effected,
essary and which are optional to the supply of the
purposes are
S0od
WITHDRAWAL OF CONSENT
E.
services. Furthermore, it must be possible for individuals to for optional purposes without concurrently having to
withdrawc o n s e n t . consent
for the necessary purposes.
withdraw
5.43 Consent for the collection,
use
and disclosure of personal data for any
purpose can be withdrawn by an individual at any time, even where e
consent has been deemed, with reasonable notice to be given to th
organisation.2 The Commission has indicated that it is difficult
the to
prescribe a specific time frame for reasonable notice to be given but, as a general nile of thumb, the Commission would consider a withdrawal
notice of at least ten business days from the day the organisaion receives the withdrawal notice to be reasonable notice. Should an organisation require more time to give effect to a withdrawal notice the organisation should inform the individual of the time frame which the withdrawal of consent will take effect.29 5.44 Organisations cannot prohibit an individual from withdrawing consent and this does not affect any legal consequences arising from such withdrawal f consent is withdrawn, then whatever legal consequences that may arise from the withdrawal will have to be borne by the
individual but upon receipt of the notice of withdrawal of consent, the organisation has the responsibility to inform the individual of the likely consequences of the withdrawal of consent, even if the consequences may already be stated in another document
of consent notice needs to be clear about what it ctive. Hence, if an individual does not to be to for it the consent has been withdrawn, it will be what purposes pecify for the withdrawal notice. The to act ificult for the organisation taken upon a busines-friendly position in mmission has, however, the withdrawal notice tor marketing is general in inctances where consent for marketing messages". The as "withdraw my such nature withdrawal of consent for marketing that consider will any
5.46
T h ewithdrawal.
pertains
Commission is worded generally
provide
33 28
Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1).
29
Personal Data Protection Commission, Advisory Gruidelines om Key Concenis the Personal Data Protection Act (revised on 15 July 2016) at para 12.42. Personal Data Protection Act 2012 (Act 26 of 2012) s 16(3).
30
31 32
Personal Data Protection Commission, Advisory Guidelines on Key Comaeps in the Pesonal Data Protection Act (revised on 15 July 2016) at para 12.51.
138
via
a
particular
channel
to
only apply
to
facility
Personal Data Protection Commission,
Aduisory Guidelines on Key
Comcepts in the Personal Data Protection Act (revised on 15 July 2016) of Information, Communications
in
Personal Data Protection Act 2012 (Act 26 of 2012) s 16(3). Personal Data Protection Act 2012 (Act 26 of 2012) ss 16(2) and 16(
sent
via that channel. So, it an e-mail withdrawing consent messages the organisation is was generally worded, for marketing messages cease sending marketing messages via e-mail only. For to only obliged to all other channels, such as the withdrawal of consent to apply to need would individual explicitly state the channels of SMSes, the communications." Similarly, if an individual only indicates the withdrawal of consent for telephone related marketing purposes, then the withdrawal of consent would include telephone calls, SMS messages and any other kinds of telephone communications. f organisations a for individuals to withdraw consent, such as a web sent
4
and the
at paras 12.41-12.43; Ministry Arts, Public Consultation Issued by Ministry of Information, CommunualioS 2.55. at n the Arts: Proposed Personal Data Prolection Bill (19 March 2012) para on Ky Data Protection Commission, Advisory Guidelines Personal Coneps
in the Personal Data Protection Act (revised on 15 July 2016) at para 12.3
Data Protection Commission, Advisory Guidelines on Key Concept sonal D e Personal Data Prolection Act (revised on 15 July 2016) at para 12.49.
139
Consent Obligation
Data Protection in the Practical Context page, the organisations withdrawals.36
cOLLECTING PERSONAL DATA FROM THIRD PARTIES
should clearly indicate the scope
such
5.47 The legal consequences of the withdrawal of consent is unar
uld be exercised before great c a r e an llects personal data from a party other than the As organisation collects personal data, it must always individual. Befo. purpose of the collection to the individuals who are ovide the purp ation about themselves. This is also still the case if the noted
the provision, so if the withdrawal of consent means the individsby
will no longer be able to receive the services or if thereheis individual an termination fee that will be imposed as a result of this, the ind:.rly
4, in chapter
organis
disclosing i n f o r data
personal
is collected third
llected
ion,
must cease and ensure its data intermediaries and agents also o
collecting, using, or disclosing the personal data. There arecease no requirements for the organisation to inform third parties of. means
that
the
onus lies on
the the
individual to seek out the other organisations to withdraw consent which is quite burdensome on the individual. The individual wouid first need to request from the organisation the individual's personal
data in its possession or control as well as information concerning the ways in which his or her personal data may have been disclosed and to whom. Then the individual, armed with the list of organisations, approach the other organisations directly to withdraw consent for the collection, use or disclosure of personal data for such purposes.
Can
5.49 It should be noted that the withdrawal of consent will not affect the retention of data. Under section 25, an organisation may retain personal data, for example, if it is necessary for legal or business
purposes. Certainly, for most organisations, it would be advisable to retain the personal data for at least until the statute of limitations
expires. 5.50 The main exception to the permissibility of the withdrawal of consent the collection, use, or disclosure is required or authorised by law.40
is where
to disclos data
the personal data, the organisation
woul itself be in breach of the Act for using personal data for which it has no
personal ing the subsequently and ing collect to do so.11 permission consent
or
5.52 Organisations
ollecting personal data from third parties should
due diligernce to check and ensure that the validly disclose the personal data for use and third party mmission has recommended that disclosure. In this regard, the organisatior adopt one or more of the following measures
rcise
exerci
the
appropriate
source
can
ollecting
appropriate to (a)
Seek a
36
from a
data ispermission
5.48 Once a withdrawal of consent has been received by an organisaia.
withdrawal of consent, which
a tthird party. Furthermore, if personal party and the third party does not, in fact,
from
would have to bear the consequences."
an
term
the
circumstances
undertaking
from
at
hand:12
the
disclosing organisation through
of contract between the two organisations that the
disclosure for the stated purposes is within the scope of the
consent given by the individual to the disclosing organisation.
(b)Obtain confirmation in writing from the disclosing organisation,. c) Obtain, and document in an appropriate form, verbal
confirmation from the disclosing organisation. (d) Obtain a copy of the document(s) containing evidence of the consent given by the individuals concerned to the disclosing organisation to disclose the personal data. This often may not be possible for commercial and other reasons. 5.53 In essence, the measures that the Commission suggests are mainly
contractual or quasi-contractual measures.
Personal Data Protection Commission, Advisory Guidelines on Kq on 15 July 2016)
Concepts in the Personal Data Protection Act (revised at paras 12.47-12.48. 37 38 39 40
Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012 Personal Data Protection Act 2012
(Act 26 of 2012) s 16(3). (Act 26 of 2012) s 16(4). (Act 26 of 2012) s 25(b). (Act 26 of 2012) s 16(4).
140
Personal Data Protection Act 2012 (Act 26 of 2012) s 13. Personal Data Protection Commission, Advisory Guidelines on Key Concepts n tne Personal Data Protection Act (revised on 15 July 2016) at para l2.30.
141
Consent Obligation
Dala Prolection in the Practical Context
the extensive cxceptions to the Consent be considered in the next section.
rely
COllected in accordance with the situations set hedule can be used without consent for purposes olt nuith the purposc of the collection. Similarly, paragraph 1(s) waS a l data that
5.54
For collecting organisations, where possi ble, it may perhaps be sar. on
Obligation, whichierwillto
consistent
personal data collected in the Sch chedule to be disclosed for nsistent with the purpose of the collection. Lastly, Second Schedule allows personal data that was 1(7) of the Schedule
enables
Fourth
of
the
set
out
in
the
Second
ircumstances
G.
EXCEPTIONS TO THE CONSENT OBLIGATION
raph
paragra
disclosed
5.55
validly
section 17 situations which, in fact, refer to the circumstances in
the
Second, Third, or Fourth Schedule." It is appropriate at this junctae to consider the section 17 exemptions in their own right. The section 17 exemptions weaken considerably the power and force ofthe Singapore data protection regime, and to a certain extent, they define
the Singapore personal data protection regime. 5.56 Section 17(1) permits personal data to be collected without the consent of the individual in the circumstances set out in the Second Schedule including collection from third parties. Sections 17(2) and 178) similarly provide that personal data can be used or disclosed without consent in the circumstances set out in the Third and Fourth Schedules, respectively. As will be seen below, these Schedules contain wide exemptions, such as where the personal data is publicly available, or where the use is necessary for evaluative purposes (evaluative purposes is defined widely in the Act), or where the personal data is collected solely for artistic or literary purposes. Some of these exemptions may have materialised through pressure from industry driven by concerns
about compliance costs. These exemptions, however, are extremely broad and dilute substantially any meaningful protection accorded to personal data. This, in turn, will impact negatively on data security and cybersecurity due to the fact that once informatio is released, it is "out there" and impossible to "retrieve" or "recall" and fence in and, even worse, some personal data, like biometric data, cannot be altered. 5.57 In addition, the circumstances in the three Schedules have cumulative effect. By virtue of paragraph 1() of the Third Schedul, 43 44
Personal Data Protection Act 2012 (Act 26 of 2012) s 17. Personal Data Protection Act 2012 (Act 26 of 2012) ss 20(3) (6) and 17.
142
consistent
5.58 For
circumstances
collected
The exemptions contained in section 17 of the Act" have alread.
been mentioned in relation to the Noüfication Obligation in ter 4. For the Notification Obligation, no notification of the purposes. of collection, use, or disclosure is required if the situations fall within he
se out in the Fourth Schedulc to be without the consent of the individual for purposes of the disclosure. with the purpose
in the
nal data collected prior to he commencement of the personal
data protcction provision
person
Second
iedule, these
can
in the circumstances set out in the
also be used and discloscd.13 Under
of the Third Schedule, all such personal data is deemed accOrdance wth in paragraph 1() of the have been collectcd that all personal data collected in the means This Schedule. Third the Second Schedule prior to the out in set rcumstances of the personal data protection regime can be used commencement consistent with the purpose of the collection. Similarly for purposes Daragraph 5 of the Fourth Schedule decms all such personal data in accordance with paragraph 1(s) of the to have been collected This m e a n s that all personal data collected in the Schedule. Fourth Second Schedule the in prior to the circumstances set out data protection regime can be the of personal commencement disclosed for purposcs consistent with the purpose of the collection. Lastly, paragraph 4 of the Second Schedule deems all personal data
nhbh
paragra
disclosed prior to the commencemcnt of the personal data protection
provisions in the circumstances set out in the Fourth Schedule to have been collected in accordance with paragraph 1(7 of the Second Schedule, so that such data can continue to be collected for consistent purposes. 5.59
As will be seen below, there appcars, however, to be a gap in the exemption for personal data that was generated or produced but not disclosed prior to the commencement of the personal data protection
provisions.
Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 3.
143
Consent Obligation
Data Protection in the Practical Context
5.60 An issue to consider here is whether personal data that falls wis circumstances of the Second, Third and Fourth Schedules tha for collection,
consent from individuals require have the consent over its collection,
wording of section
use or
individual risk for security wide-ranging purposes. Th a This
rnoses.
itself
he do
disclos re o
use or disclosure withdrawn,' can would suggest that this is not possible-t6 he 16(1)
.. an individual may at any time withdraw any consent given, or dees. have becn given under this Act, in respect of the collection to
purpose
withdrawing
not required as in the section 17 references to the Second, Third and
Fourth Schedules.
comprehensive
exemptions
The
ons in the three Schedule Indeed, some of the circumstances
isted their
are
true
For avoidance of doubt, the withdrawal of consent would not affect the collection, use or disclosure of personal data that is publicly available. In such cases, an organisation that receives a withdrawal of consent may wish to
cease further use or disclosure of the photographs or video recordings in question as a good practice.
so
broad broa
cffects
in scope and cxpressed in very general terms that
are
hitherto
unknown.
Evaluative purposes
1.
If
Schedules referred to in section 17:"
sections
Cxemptions con
5.66
5.62 This interpretation appears to be supported by the Commission, which has said, in relation to the exemption to the requirement of consent for "publicly available" personal data that appears in all three
for
cctions will examine the brcadth of some of the kev the three Schedules and will elucidate the of situations covered cxamples by the categories. rough ide is not to provid. coverage of all the intention
5.65 following
Cxemp
5.61 The withdrawal of consent provision only applies to consent given, or deemed to have been given under this Act". It.any does in instances where not state that withdrawal is permitted consent is m
challenge
cybersecurity.
disclosure by that organisation of personal data about the individal o r T any
let alone their use and disclosure indeed presents a
the
callection,
collectior
use
or
disclosure
is
necessary
for
evaluative
then no consent nor notification is required for the purposes,18 th
or disclosure of the personal data. This is one of the exemptions of the Consent Obligation. The term most in ealuative purposes" is defined very broadly section 2(1) of the Act llection,
use
far-reach
to encompass
many
situations.
5.67
the purpose of determining the suitability, eligibility or the individual to whom the data relates, "evaluative of qualifications Durposes" would include the situations of evaluation for the purposes In relation
to
of 49
5.63 This is clear indication that under the Singapore personal data protection regime, it is not possible to withdraw consent for the collection, use or disclosure of personal data that falls within the situations set out in the Second, Third and Fourth Schedules. 5.64
(a)
(b) (c) (d) (e)
This, unfortunately, leaves individuals with little control over their personal data, a "no escape" situation and, as will be seen below, an almost losing proposition. Whether an individual likes it or not, the
three Schedules give wide ambit for their personal data to be collected,
() selection for an athletic or artistic purpose; of financial or social assistance, or the delivery of appropriate health services, under any scheme adminisiered by
grant
a public agency;
used or disclosed. The resulting conglomeration of personal data is in
46 47
Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1). Personal Data Protection Commission, Aduisory Guidelines on the Persona
Data Protection Ad for Selected Topics (revised on 20 December 2016) at para 4.21.
144
employment or appointment to office; promotion in employment or office or for continuance in employment or office; removal from employment or office; admission to an education institution; the award of contracts, awards, bursaries, scholarships, honours or other similar benefits;
48 49
rersonal
Data Protection Act 2012 (Act 26 of 2012) Second Sched,
para 1);Third Sched, para 1() and Fourth Sched, para 1( Data Protection Act 2012 (Act 26 of 2012) s 2(1). 145
Consent Obligation
Data Protection in the Practical Comtext
(h)
determining honour
or
whether any contract, award, other similar benefit should be
or cancelled;
(i)
bursary, scholanarst continued, mod
odified
deciding whether to insure any individual or propert or continue or renew the insurance of any individual or Dro and other simnilar purposes as may be prescribed by the
types
exemption
cluding
minister
5.68 The list of situations that come within the evaluative purmo POses exception is quite broad and encompasses a wide variety of scti. Some of these will now be considered, beginning with one of the m prominent situations in the above list, that of the employment
(a)
The
this
that can be collected and data thar reanal data covered under are extremely broad: personal data such as the and alifications; ormal education nistory, isconduct or talures during any tenure of any misc personal
ot
employment
i n d i v i d u a l' s f o r m a l
operty,
conte
or appointment to office.
5.71
Employment context
the
on nformation nployment; any i n f
inchn
be might ny that any
employec;
individual's
levant
to
releu
convictions,
convictions;
lifestyle,
individual's integrity or
the individual's and
eve
likes and dislikes,
any
standing
morality
as a model nformation on the
hobbies and
family background,
may all all be factors determining an individual's suitability for
as
these
may
employmecnt.
5.72 from the be s e e n As can ollected and accumulated
the types of personal data that can without consent are extensive, SO that employers c a n readily build a complete profile of an albeit for the purpose of evaluation for employment or individual,
foregoing,
extensive
appointment to office.
5.69
Under paragraph 1() of the Second Schedule of the Act, there is na need to obtain consent from individuals before collecting personal data from them or from any other source if it is necessary for determining the individual's suitability, eligibility or qualifications for employment or appointment to office. This would certainly cover the situation where the individual submits a job application, but it would also cover situations even where the individual is not actually looking to be a candidate for employment or appointunent to office. Thus, the exception would allow employers to conduct searches and compile liss of potential candidates without having to first obtain consent from the individuals.
5.73 Similarly, paragraph 1)
5.70 Of course, background checks can also be conducted on potential employees. There are many available sources of personal data from which employers can do this, ranging from social media networks to simple searches that trawl the whole Internet for information about individuals. There also appears to be no limits on the methods one can example, if an employer wishes to "friend" a person on the social media network Facebook, using a fictitious name in order to look into the person's private or personal life, including access to
the specific purposes, the practical enforcement and restriction of the
employ. So, for
photos or posts that may be restricted, it would appear that the
ot
the
Third Schedule allows the
use
of
individual concerned for personal data This means that after accumulating a complete evaluative purposes." on an individual, the profile containing ide-ranging personal data in organisation may use the personal data any way that is related to the determination of the individual's suitability, eligibility or qualifications for employment or appointment to office. As mentioned above, one of the biggest harms has already occurred when there is a centralised without
consent
ot
the
deposit of information concerning an individual. Once the personal data has been collected in one place, although the uses are limited by use to the specified purposes are often challenging. For organisations, to clearly define the permissible purposes attached to each piece of personal data they hold and to set systems, procedures and practices in place to limit the personal data to such purposes.
they would need
5.74
paragraph 1 (h) of the Fourth Schedule permits the isclosure of personal data for evaluative purposes without the consent
Furthermore, O the
individual.52 This
that
have
20)
and
Act 2012 (Act 26 of 2012) s200)
and
means
that the
complete profiles
employer may do so under this evaluative purposes exception. 50
Personal
Data Protection Act 2012 (Act 26 of 2012)
Second Sched, para 1().
146
s
2(1)
and
52
Data Protection Personal Third Sched, para 1( Data Protection ersonal Fourth
Sched, para 1(h).
Act 2012 (Act 26 of 2012)
147
s
Consent Obligalion
Data Protection in the Practical Context been built and used can also be disclosed for the purposes of a e . individual's suitability, cligibility or qualifications for emnlng or appointment to officc. It would not be uncommon for organi to trade such personal data for a fec. One ot the negative clte cts the evaluative purposcs exemption is that it condones the tra. irade personal data for evaluative purposes associated with employme appointment to office. In this regard, the Act effectively ran recruitment organisations a free reign over the personal daa collect, use or disclose about individuals. Thus, in Singapore, giventhey the weak laws in this area, hackers and other cyber intruders would regard the computing systems of recruitment organisations with collections of personal data as prime targets of attacks. The this is that the amassing of the personal data of individuals can e asily be used for other less savoury purposes by hackers. an
their corolla
5.78
not required
also
if
the
collectio
os of promotion
Consc
in or
use or
disclosure
removal trom
tinuance in employmen
t h ec v a l
conti
is for
employment
office. This would
Hce orrly the same position as recruitment firms in the sheput ersonal data data they can accumulate without consent and hing thc compuung systems ot human resource another vet another rich wellspring ot pesonal data to be as yet rtments for
office r
or
mploye
volume
departn
criminal
geted
for
activity.
ue that that the kinds kinds of personal data that can be collected argue may h y an employer for promoton and removal purposes should of
5.79 Some
and used
paid job description. While this may be do include codes of conduct for nany urue, to abide by and these codes of conduct would address their as convictions. or other kinds of misconduct issues such c a n De removed or demoted from their ans by which employees
be
5.75
is
valuative p u r p o s e s «
closely
aligned
with
the
employment
contracts
employees
Indeed, regarding the hack of the 1 billion accounts of Yahoo Ine security experts cautioned that "the real danger of the attack was not
that hackers gained access to Yahoo users e-mail accounts, but that they obtained the credentials to hunt doWn more lucrative information about their targets wherever it resided across the web".53
means
positions.
(b)
Insurance
5.76
Moreover, the exemption for evaluative purposes amplifies the
exemption from the operation of the Act of business contact information discussed in chapter 3. Business contact information such as those appearing on business cards can be used without consent for any purpose whatsoever and is not limited to search and hiring processes. Thus, business contact information can be used as the foundation of databases with other kinds of personal data added to it to build complete profiles of individuals. 5.77 A cautionary note for organisations such as recruitment firms which amass personal data is that they are still required to comply with the other Obligations in the Act, such as the Protection Obligation, which will be discussed in chapter 9. Thus, although organisations may collect, use or disclose personal data without consent for evaluative purposes, they still need to comply with the other rights given to individuals over their personal data in Parts V and VI of the Act.
5,80 The
definition of "evaluative purpose
in section
2(1) also includes
a
to the purpose of deciding whether to reference in subclause () individual or property or to continue o r renew the insure any or property. This provision preserves the insurance of any individual of insurance companies and underwriters of collecting, using
practices
and disclosing personal data about individuals to make sound business decisions and to guard against insurance fraud.
(c)
Remaining evaluative purposes permitted
5.81 The remaining evaluative purposes permitted without the need to
obtain consent from individuals can be loosely categorised into four broad categories. First, the conferment of bencfits such as the grant of financial or social assistance or the award of honours such as awards,
Scholarships, bursaries and whether such awards should be continued, modified or cancelled. The second broad category is for the selection
Or an athletic or artistic purpose. Both of these categories have been
agued to be necessary, especially where the awards are nominated by 53
Vindu Goel & Nicole Perlroth, "Hacked Yahoo Data is for Sale Dark Web" The New York Times (15 December 2016).
148
on the
parties and the individuals need not take any action, for exampie,
LVCTSItes may be asked to nominate their students for scholarships
149
Consent Obligalion Data Protection in the Practical Context
and bursaries, and the exemption is intended to allow this actiske continue without interference. While the purposes are honon bearing in mind that individuals cannot withdraw consent for th kinds of uses, those organisations involved in the collection, these disclosure of such personal data should take care that only releu personal data is collected and, further, that they do not engage levant in the wholesale collection of every single individual's available personal dan data, especially where the individuals have, for example, little or no cha hance of being selected for any athletic or artistic purpose.
arable,
5.82 The third broad category of admission to an education institution 1s also aimed at the practicalities of enabling education institutions to screen and select their students. Indeed, a very broad range of personal data can be collected to facilitate this purpose, but it should arguably be restricted to those individuals who have applied for admission and not a general cross-section of the public.
as been given, consent is not requiredffor the collection, tification has
sure
categorywith far-reaching implications. It is surprising that it is
grouped together with the award of awards, bursaries, scholarships and other honours in the definition in section 2(1). This category no doubt has business aims in mind as it enables organisations to screen and
assess to whom it awards conturacts by conducting background checks without the need to obtain consent. Like the purpose of evaluating admission to an education institution, in evaluating whether a contract
should be awarded, an organisation should restrict itself to only collecting, using or disclosing the personal data of those cont nders for the contracts and not simply amassing vast amounts of personal data on contractors and other parties who have not expressed any interest in the contracts or who are in no way related to the contracts.
data.
-hedule of the Act," paragraph 1(0) allows emplovers
Schea
585 Second
the.
in to
ollect
data without consent as lorng as the collection is the purpose of managing or terminating an
personal
or
reasonable
onship betwcen the organisation and the individual.
hove. paragraph 1(j) of the Third Schedule is a blanket allows personal data collected by an organisation in the clausethat Second Schedu to be used i n the Second set out by the circumstances consiste with the purposes purpose of that for of the Fourth Schedule is a Similarly, paragraph 1(s) data collected in the circumstances allows personal clause that blanket S e c o n d Schedule to be disclosed by the organisation for the set outin with the purpose of that collection.
employment
As mentioned:
organisation
collectior
ses
consistent
5.86
5.83 The fourth broad category of exemption from consent is for the evaluative purpose of the award of contracts as well as whether the contracts should be continued, modified or cancelled. This is another
of p c r s o n a l
u s e o rd i s c
data collected for the purpose of managing or relauonship between the organisation employnent terminating used and disclosed without consent. so can be and the individual consitute managing an employment Examples of what might found in the management of employer can be readily relationship For example, the allocation of computers to equipment o r resources. thereof are both aspects of managing an employees and their usage monitors the computer relationship. lf the employer
Hence,
any
personal an
employment information on which websites they usage of employees by collecting and personal data collected could then be used access, the information if they were, the to determine if any prohibited websites were accessed; terminate the or to employer could then use the information manage to the information this disclose to and employment of the employee relevant authorities. 5.87 t should be noted, however, that the exemption does not empower of of collection, use, and disclosure with unfettered
2.
Mar
agi
or terminating an employment relationship
5.84
in any In chapter 4, it was discussed that section 20(4) requires that situation where personal data is collected, used, or disclosed for the or terminating an employment relationship between the organisation and that individual, the organisation must Once the give notification and inform the individual of the purpose.
purpose of managing
150
employers e personal
rights
data of their employees to manage or terminate the
cnployment relationship. The personal data collected, used, disclosed must still comply with the other personal data protectio
or
provisions. For example, if an employer feels that an employee spernas Fersonal Data Protection Act 2012 (Act 26 of 2012). 55 stry of Information, Communications and the Arts, Pubac Consuuon ArIS: Tupoa Communications and the of Information, Po PersonalMinistry Data Protection Bill (19 March 2012) at para 2.69.
151
ConsentObligation Data Protection in the Practical Comtext inordinate amount of time in the toilet, it would not be apDron. employer to install cameras inside the toilet to check t e the employee is doing inside the toilet. what
wasadopted from the Canadian position in was no doudt anven by business efficacy t tions need not worry about
an
for the
exclusio and
This BrtishColumbia
means
cxclusion
his
TCasorno f t h e i r day-to-day
5.88 There are,
of course, grey
areas
on
what
would
be conside
idered appropriate or reasonable. Consider an organisation which has as one of its main aims to promote life and has a strong stance agains abortion. Could the organisation collect information employees' spouses and other immediate family members to ascer the certain if any of the immediate relatives are strong proponents of abortior There are arguments that this might be inappropriate or as the relatives are not employees, whilst equally valid arguments woul
aga on
unreasonah
suggest that if the employee is a senior enough employee, this wonil
be perfectly reasonable as the reputation of the organisation tarnished and the organisation might be labelled a hypocrite. just one example of the broad and uncertain scope of the exemptions contained in the three Schedules.
mighthe This
3.
to-day document crealuon processes that include
Documents produced in business, employment and
rsonal within
this
mployees. Some Some examples of documents falling
employces.
of
data
clude minutes of mectings that may contain
exclusi
whether an. an employee was absent or present and what
whether
on
have said at the meeting if he attended, e-mails might oploy ntained an employee's name, records of the times at
information
g e nerat h e
ich
that contain
records
employee' rate
rived arriv
employee
the
of pay,
and
with
at work and effectively anything in the
the human resources department, such as the been or should be the employment
increments has
any salarY documents any other
whether
whether
related to
produced in the course of and business or profession. This takes purposes for the ustrate even wider. Some examples should of the exclusio ambit the e x c l u s i o is. If an individual wishes to set up a business the how broad or retail space, then the lease of the premises andrequires be a document that is produced in the course of and for wOuld clearly of the individual 's business, as would all other documents the purposes relate to the leasing of the premises. Such as e-mails generated that and collected in all of these data produced Hence, all personal use or would not require consent for their collection, 5.91
chsion
covers documents
also
of
he
individual's
commercial.
professional settings 5.89 The Act also provides for an exemption from consent in paragraph 1(n) of the Second Schedule if personal data is included in a document that was produced and collected in the course of the individual's employment, business or professional life, as long as the personal data was produced and collected for the purposes of the individual's employment, business or profession.55 Furthermore, by virtue of the catch all provisions in the Third and Fourth Schedules, personal data that was produced and collected in this manner can also be freely used and disclosed for consistent purposes subject to any other kinds of confidentiality requirements other than the personal data protection regime." Such personal information included in work
product documents, although excuded from the requirements of
documents
use as long as the collection, with the purposes of leasing the premises.
disclosure,
or
disclosure
are
consistent
5.92
professional, say a legal or medical a practising certificate, the is application of the practising certificate is a document that produced
Similarly, if professional
the individual is and
wishes
to
a
obtain
n the course of and for the purposes of the individual's profession,
and
would fall under this exclusion, hence
tne collection,
use
and
disclosure
of
no consent
the
is
personal
required data
in
for the
consent for collection, use and disclosure, would still need to comply
application.
with the other data protection principles or Obligations in the Act
sociations do not need permission from their members to couec Se and disclose their personal data, as long as the use and disclosure ot tne iited to the purposes of collection, which is membership
such as those pertaining to access, accuracy and correction.
This
would
effectively
mean
that
all
professional
professional body.
56
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sche para I(n).
57
Personal
Data Protection Act 2012 (Act 26 of 2012) Third para 1() and Fourth Sched, para 1(s).
152
Sched
58
the Arts, Public
Lntormation, Communications and le Ministry of Information, Commaunications and the D Usonal Data Protection Bill (19 March 2012) at para 2.31.
153
Consultaton
Ats:
Froposeu
Consent Obligation
Data Protection in the Practical Context
5.93 Other
examples of documents produced the course f profession might be the reports, professional opinions assessments generated by professionals Such as doctors, architects. A doctor's medical report on a patient will engine reveal per information about the patient, such as the patient's rsonal identity, conditi symptoms, treatments and so on. It is also, however, a document tho hat is generated in the course of and for the purposes of the individal lual's (the doctor's) profession. It comprises the doctor's professioa opinion and action taken as a medical
professional. The med report will also contain the doctor's diagnosis which will refloe competency of the doctor amongst other things, and hence will althe constitute personal data about the doctor. A report such as this can h freely used and disclosed by the patient without obtaining Drio
consent from the doctor, but only for purposes consistent with the purposes for which document was created, which would likely to be the delivery of medical treatment. This, prima facie, appears to be a sensible exclusion as it would be rather tedious and an inefficient delivery of healthcare if the doctor's consent is required each time the patient visits a specialist doctor and wishes to share the first doctor's report and diagnosis with the specialist doctor.
5.94 As discussed consent
above,
specifically provides exemption from the requirement for personal data collected, used or disclosed the commencement of the personal data protection the Act
provisions.3 However, there appears to be a gap in the legislation in clearly provide that documents that were generated or
that it does not
produced prior to the commencement of the personal data protection provisions with personal data contained therein can be collected even though they can be used and disclosed without consent. Collection is not defined in the Act and it cannot be presumed to include the act of generation of documents. The Commission has said that "[c]ollecton refers to any act or set of acts through which an organisation obtains control over or possession of pesonal data". 0
This understanding of
collection" would not be helpful in the situation where documents are generated, as the generation of documents such as e-mails does not necessarily mean that the organisation has control over the personal data or has possession of the personal data. There is the further legal
Commission's interpretation of the term
the uch weight cr be disputed i t h e mat
should
in
individual's
before
issuc o f how
will
carry
5.95
the
Thi ed
effect,
In he
manncr set
Schedule, paragraph
out
consc
Paragraph lection.
collec
the Second
in
1() enables data Scheedule to be used collected in without
before the commencement of the in the he circumstances and regime
collected
data
ection
prior
purposes are consistent with the purposes of the of the Third Schedule, provides that
3
personal
personal
conditions set out in
proteo
Schedule
atisfy paragraph 1()) of the Third Sch
shall satisfy
data the
Second notwithstanding that it was not im force at the time of the collection device
appears in paragraphs 1(9) and 5 of the Fourth Schedule
Aesimilar garding disclosure.
Second Schedule. The "back-dating" nroie The anomaly is in the 4 ot Second Schedule, but it only refers et Out in paragraph Second dchedule which deals with the situation the of naragraph 1() "disclosed to the organisation" and "collected
5.96
to
wherepersonal
datavwas
Hence, in the situation where documents were nt disclosed as such but were produced in the course of and for the of the individual's employment, business or profesional life to the commencement of the any disclosure whatsoever prior by the organisation".
nurposes without Dersonal data provisions,
then, it would not be permissible to collect
the personal data contained in such documents under the Second Schedule without consent. Such personal data can, however, be used and disclosed without consent. This is yet another example of the complex and perhaps unintended scope of the exemptions in the three Schedules.
4.
Business asset transaction
5.97 The Act also allows for the "business asset transaction" exception which 1s elaborately detailed in
the
Second and Fourth Schedules. This
exception has a clearly defined life cycle and it is the only instance in the Act that requires personal data to be destroyed or returned. 5.98
59 60
Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para and Fourth Sched, para 5. Personal Data Protection Commission, Advisory Guidelines on Key Conaeya in the Personal Data Protection Act (revised on 15 July 2016) at para 7.2.
154
Aprerequisite before CIS
the business
asset transaction excepu
that both organisations must have entered into an
Teent that requires the prospective party to use or disclose the d a t a solely for purposes related to the business asset
155
Consent Obligation
Data Protection in the Practical Context
transaction. the
This is to safeguard against wTongiul use personal data by the collecting organisation.
5.99 This data
or discl. disclosure o
exception allows the collection, and disclosure of belonging to employees, customers, directors, perso offiena shareholders in the defined situation of a business asset transao This is clearly defined list of individuals; use
a
business associates and
trading partners.
missing from this n,
This means that co e and business associates such as agrent joint venture or
with with
trading partners subcontractors, agree supply agreements, purchase agreements, partnership distribution agreen management agreements, fee share agreements and other ements, party agreements that contain personal data are not relate business asset transaction exception and cannot be covered revealed wie first obtaining consent. It is unlikely that the information exemption can be uilised to coverbusiness C these Contac agreements as these agreements would usually contain more kinde ners of data than just the mere business contact information of ersonal the individh.
duals.
100
"Business
asset
transaction"
is
detined
in
paragraph 3(4)
of tho
h u d i n gp e r s o n a
business asse
102
trasaction cxception,
Um
isclose
busine
consent
to
of the
the
areholders,
ithout
a
tomers, share.
or
its
assets,
where there iv
consideration, organisation is prospectiv party certain individuals, whether they be personal data nder
the e r
permi.
rganisation an
OspcCtit
directors or officers. The the business asset in
data must, personalemployees or
question or that part of ncerns the business asset transaction and the necessary ecessary for the organisation m u s t be to data with the business asset transaction66 determine proceed etherto relate directly
he
ganisation that
however
persona
5.103
can o r neceds
on
the
to
depena
rt specific.
necessity,
the amount ent of of personal data a due be disclosed duri exercise business n a t u r e of t transacted
the requirement Given
For example,
being
diligence
and will be
very if the value of a business is directly linked to
as in the case of an tise of its staff, be necessary to disclose more then it may start-up, process than would during the due a b o u t the staff
tac
that will
information technology
diligence
personal
data
otherwise
be necessary.
the
purchase, sale, lease, merger amalgamation any other acquisition, disposal or financing of organisation portion of an or of of the business or assets of an organisation any organisation other than the personal data to be disclosed under paragraph 1(P). or
an
or
or
a
5.101 It is clear that a business asset transaction does not include the situation where the transaction concerns the personal data itself, that is, it does not cover the trading in personal data such as the purchase, sale, lease, or amalgamation of personal data. This definition of a business asset transaction does, however, include the financing of an organisation or a portion of an organisation, hence, it would cover the situation where an organisation seeks financing for its own operations, as well as where an organisation seeks financing for the purchase of
62
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(2) (6); Third Sched, para 1() and Fourth Sched, para 3(2) (6). Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
63 64
paras 1(p) (i) and 3; Third Sched, para 1() and Fourth Sched, paras 1 (p) (ü) and 3. Personal Data Protection Act 2012 (Act 26 of 2012) s 4(5). Personal Data Protection Act 2012 (Act 26 of 2012) Fourth Sched,
61
nal data.
a n o t h e ro r g
the exper
Fourth Schedule to mean: ...
isation ora porttion of another.
or
para 3(4).
5,104
eally, fnancial information will be required for due diligence but. nicaly in most business transactions, the individual names and
records of employees may not be necessary for an organisation to determine whether to proceed with the business asset transaction.
instead, aggregated information about the employees of the busines, uch as deidentified information about salaries, leave entitlements and long service leave entitlements, and time and wages records would be more the norm. In addition to this, it might be necessary to reveal some individual employee records, such as key executive staff or key service personnel. If there are any agreements with employees that
contain material provisions, for example, compensation for loss of office or payment of any bonuses or profit shares, these would probably be considered necessary as well.
65
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
paras 1(p) (ii) and 3,; Third Sched, para 1) and Fourth Sched, 66
paras 1 (p) (ii) and 3. Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
para 3(2) (a); Third Sched, para 1() and Fourth Sched, para 3(2)(a).
156
157
Consent Obligation
Data Protection in the Practical Context
Publicly available data
5.105
Regarding
the personal data of customers, these would gcnen aggregated statistical non-personal data about the ybe customer base but, sometimes, personal data about customaor their financial information omers and might be necessary.
limited
to
Definition
(3 5.108
5.106
Where the business
ofpublicly
the
cxemppti
transaction
does not
paragraph
proceed, all ne
data collected must be destroyed or returned to the dise organisation.67 Where the transaction is entered into," the emnig and other individuals whose personal data have been disclosed ces be notified that the business asset transaction has taken place an personal data about them has been disclosed to the other parha t ha the event that excess personal data was collected for example. i he personal data collected did not relate directly to the busines asset then any such excess data must be destroyed or returned
should
heduleP Schedule,
personal
within the d
sed
use
1(d)
of
or
disclosure, which means that that comnes available" can be nition of "publicly collected, used or and p u r nose p o s e and there are no means of any stopping the or disclosure as consent cannot be withdrawn 72 or
anything
11Se or t hcollection,usc e
for
disclosure:
use
collection,
cole
2(1) defines "publicly available" in relation to personal data Sectio
individual
bout
to
mean:73
an
rsonal data that is generally available to the public, and includes which can be observed by reasonably expected means at a personal data perso
location
rather than keep or make copies of personal data.
collect,
individual.
of
5.107 As a general rule, the
disclosing organisation should try and proida only de-identified information wherever possible. It would also he good practice to allow the prospective party to only inspect document
organisations may
disclose nersonal data is publicly available without the data if the There is no restricion on the dual. T; the purposes of personal
Four
-
disclosing organisation." Of course, the recipient organisation only use or disclose the personal data collected for the same nu may for which the disclosing organisation had permission to use urposes or dieclose the data.
ontained in paragraph I() of the Second t(d of the Third Schedule and paragraph
Schedule, the
ata
1 () o f t }
Under
asset
available
or
(a)
(6)
an
event
-
individual appears; and at which the that is open to the public
5.110 The definition is in effect focused on the element of being "generally arnilable to the public" with the explicit inclusion about personal data
that Can be observed by reasonably expected means. The Commission went to great lengths to describe the meaning of the "publicly 2vailable" concept and focused at length on physical locations that
micht be in public but may or may not be considered to fall within the
noion of being "publicly available"." Much of the Commission's
67
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
jurisprudence on this topic is reminiscent of the notions of "public" in copyright law that has developed over the decades, especially in overscas jurisdictions such as the UK and Australia."5 For example, the copyright cases had to determine whether there had been a communication or distribution or performance of the copyright
para 3(4). 68
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3) and Fourth Sched, para 3(3).
69
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
70
para 3(3) (c) and Fourth Sched, para 3(3). Data Protection Act 2012 (Act 26 of 2012) Second Sche, Persc
71
para 3(3) (6). Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3)(a). 158
2 73
See the discussion on withdrawal of consent at paras 5.43-5.50 above.
Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). 4Personal Data Protection Commission, Advisory Guidelines on Key oncepis in the Personal Data Protection Act (revised on 15 July 2016) at paras 12.57-12.67.
eg ee, Telstra
cases
like APRA Ltd v Tolbush Pty Lid APRA (1997) 191 CLR 140.
Corp Ltd v
159
(1985)
62 ALR 521 and
Consent Obligation
the Practical Contex! Data Prolection in
protected work cases
to
the
"public"
or
"in public".
Many
whether issues such dealt with similar music heard by mobile or whether as
a
of
room
thes.
of a
phone
copyrights hospita subscribers
n public76 while they were waiting "on hold" fell within he definitio transmitted "to the public"" It would ot be surprising in Singapore come Commission and the courts in the future. cases such jurisprudence from
to
rely rely
on
being
some of
amount
ncommon
the
individual
that
name,
mber and residenti:
Singapore? If it is assumed for their personal data such address to be disclosed to all
considered to be members, can this personal of and above be the club entry fee Would available'? "generally available to the considered be t o be data be
2
$28,000
"publicly a
barrier
public"? Further,
it lor
have over 19,000 members," would such a number be to the data being "generally large to Commission The "? gave public" very little guidance the
personal
amournt
some
Presence of restrictions
in
members gave consent
contac
suficiently
(b)
with some clubs
WIth s o m e
ailable
to
on this.
5.111
Opening the floodgates
The Commission explained that personal data is "generally availahi..
ble to data stresed
the public if any member of the public could btain or access the with few or no restrictions"." However, the Commission also
5.114
that just because restrictions are present does not necessarily me n
that the personal data is not publicly available.79
(c
the Commission
Furthe.
mentioned
the situation where personal
closed to a single member of the public who is inadvertently data is known to the individual concerned" and concluded not personaly
5.112 To illustrate, the Commission gave a few examples. There may be a group which requires membership to Join, such as a group on social media. Although one needs to be a member to access the group and
the contents and communications addressed to the group members membership to the group can easily be obtained. Examples of this would be social media groups such as Facebook groups, where it seems almost routine for many users to add strangers as their "friend". The Commission gave a contrasting example of where personal data is disclosed to a closed circle of an individual's family and friends, and in this latter example, the personal data would not be "publicly available, even if it is inadvertently disclosed to a single member of the public who is not personally known to the individual concerned.30
dat would not be "publicly available" under this that the personal must surely be tempered by how the disclosure is circumstance. This is, for example, made to a person's social media disclosure made. If the Facebook page, which happens to have settings that enable everyone,
nen those without a Facebook account, to be able to view the person's Facebook page, the disclosure would surely become "publicly available" as anyone
would be able to
see
the disclosure.
5.113
5.115 Further, what if the disclosure was inadvertently made to ten persons not personally known to the individual concerned, would this uansiorm the personal data to become "publicly available"? The Commission did not explain whether "publicly available" will always be determined by the number of people the personal data is disclosed to. It gave the example of one person outside the circle of family and
These are simple cases at the extreme ends of the spectrum. The
friends and ruled out that one recipient could change the character of
Commission did not address the difficult situations. What if the
the personal data to be "publicly available", but it gave no guidance of
personal data is disclosed within a club amongst its members and
Wnether the number of recipients of the disclosure would be a relevant
the entrance fee to join the club is over $28,000, which is not an
cOnsideration and, if so, what the threshold number of recipients nght be for the personal data to be transformed into being "publicly
76 77 78 79 80
Duck v Bates (1884) 13 QBD 843. Telstra Corp Ldv APRA (1997) 191 CLR 140. Personal Data Protection Commission, Aduisory Guidelines on Key Gonc in the Personal Data Protection Act (revised on 15 July 2016) at para 12. Personal Data Protection Commission, Advisory Guidelines on Ney Concepis in the Persomal Data Prolection Act (revised on 15 July 2016) at pa Personal Data Protection Commission, Aduisory Guidelines on 9 ncehis m the Persornal Data 59. Protection Act (revised on 15 July 2016) at patd -
160
available". the entrance fee for the Raffles Town Club, nisChub was v Lim Eng Hock Peter [2013] 1 SLR 374 at [17]. Or
see
Rafles
Toun
example, Raffles Town lub had 19,048 members, see atjles 1 ourt
ub v Lim Eng Hock Peter [2013] 1 SLR 374 at [3].
a l Data Protection Commission, Advisory Guidelines on Key Coneps Protection Act on 2016) at para 12.59.
Fersonal Data
(revised
161
15July
Data Protection inthe I'ractical 5.116
Context
Consent Oblhgation
nersonal
to
give guidance on whethcr t h . The Commission cinitilüon could be governed by the class of of "publicly available" ersons. The ious at the obviou end is of friends the and example of family of a definition the could presence but the question remains: allow the personal data to remain not class or category of persons to 19,0 class of persons amounts the if even available", also did
ipients, a n d ,
not
spectrum,
publicly 9,000 individuals?
can,
grapple wth, especially sin ce These questions of the rights, if any, tha a clear consensus hat seems to be lacking in Singapore are aimed at data protection laws copyright law, the issue of "public" is made slightly clearer with are
dificult
to
become data
personal collected, used or
Closed for any purpose. This exemption nption efee persona gives v e r their their personal data and ntrol oover no opens up many fividuals and and data security of the individual. in the p e r s o n a l
discldry disclosed
y
all
fectively
conirol
indivie
erabilities
highlighted
should be
idition,
that the
Commission was also
there
the personal data in question cxplicit licly available at the point of collection, organisations would
aim
without consent, be publicly available at the point in time whe it is used or disclosed.*7 This, mission, is to avoid organisatüons according to the to
protectingpersonal For
the economic rights of the c of copyright law being to protect will aim to holder, thus any interpretation of "public" uphole by copyright law. economic given holder's rights copyright
copyrig)
5.118 In all, this exemption of "publicly available" is antithetical to
1nstantancously
that all the
thuss
5120
5.117
data would have
would be le". The result from the onwards, be
blicly available".
the
that in its position
In
able
to
good
data to be instantly transformed into personal data that can be free collected, used and disclosed without any restrictions whatsoever simply releasing it to the public. The personal data will then be "publicly available" and thus fall outside of the personal data protection regime forever. MICA was asked to clarify this very point br it sidestepped the issue by stating that the provisions of the Act will not override other existing laws. Of course, the perpetrator of wrongful disclosures will have to suffer the consequences of any existing laws. The question is the status of the personal data that has been wrongfully disclosed, does it fall within the purview of this exemption or not? In the absence of any confirmation to the contrary by MICA, one can only presume that such personal data will come within this very broad
exemption. 5.119
Hence, all that is needed is one unscrupulous person to upload massive amounts of personal data onto the Internet to websites such as
and
long
disclose
as
personal
notwithstanding that the personal data
a n t verify that the
ording to
personal data protection policy and makes cybersecurity near impossible. This exemption enables almost every piece of personal
use
as
the
data
may
no
longer
having
data remains publicly available which,
mmission, Comr
is an "excessively burdensome" task.88
5.121
clear that one of the rationales behind this exemption is to the burden of compliance on organisations. It has, however, the effect of chilling cybersecurity etforts and opens all personal data belonging to individuals to attack. Organisations should also be
It seem
mindful that even though the personal data regime sanctions such
collection, use or disclOsure, organisations may still be liable under other areas of law such as criminal law, contract law or even the tort of
negligence should they or their systems have played a part in harm occuring as a result of such collection, use or disclosure of personal data
(d)
Observable personal data
5.122 The definition in section 2(1) also includes be observed in public. There are two main personal data:9
personal
data that can that the
requirements,
Wikileaks,3 or to e-mail the personal data to a large number or 84 85
See ch 1.
Ministry of Information, Communications and the Arts, Public Consul by Ministry of Communications and the Ars: Fropu Personal Data ProtectionInformation, Bill (19 March 2012) at paras 2.65-2.66. See Wikileaks at Issued
86
(accessed 7July 2016).
Yee Fen Lim,
yberspace
Law:
Commentaries and Materials (Oxford
University Press, 2002) at p 132. Yee Fen Lim, Cyberspace Law: Commentaries
and Materials
(Oxford
University Press, 2002) at p 132. rganisation for Economic Co-operation and Development, The OECD Cy ramework 2013 (accessed 7 July 2016) at p8.. Asia-Pacific Economic Cooperation, APEC Privacy Framework au
184
the consent of the data subject but the collection is also limited to the
185
Consent Obligation
Data Prolection in the Practical Context the notice. Furthermore, personal data cannot be ised o for other purposes without fresh consent. This is a vast . or proces the wide sweeping exemptions in Singapore, which are alsot r e in nature, so that once a piece of personal data is collee. and disclosed for rele ed unde it can also be used
that in all aspects of the employment relationship,
without consent.
disclosirng
employve employer
from
amulatitheve
exemption,
is only ecollecting, using oro rsonal and emp relatio the cmployment n e n t cmploveea f r o m the nce the withdrawal
seems,t h e r e f 5190
h e as
long
nsent is hatsent data
as
required does not
apply to personal personal data where consent has notapply free reign to employers as they would never hesentprhis gives 170 employees. no couision
been cxempted, this oc fo n s
from their
consent
btain
Specific industry sectors
2.
have t
5.188 When
19
some
are
specific industry sectors of personal data collection,
how permissive 5.189
employers in the employees and potential
For
considered. use
ill be clear
disclosure the Ac
is.
handling of personal data data belonging employees for the purposes of. o
emplo
related purposes. th ment not for other non-employment above have elucidated how liberal are the requirements oCtons Prior to employment, in assessing and finding candidates t e hire,Act
and
prior
consent
is needed for collection,
evaluative purposes
use or
disclosure
During employment.
exemption.
notice is given, the employer can collect, use
or disclose
no
C the
long
concerned with managing the em relationship," including terminating the relationship. For 'n
data for any purpose
ona t
in other aspects of the employment relatuonship such as promotion
this would be covered by the evaluative purposes exception,l67 The evaluative purposes exception can also be used for the purpose od terminating the employment relationship. AS tor documents produced in the course of and for the purposes of the employment,8 Consent for these are also not required.
f
there is any misconduct bv
employees, any collection, use or disclosure of personal data is also permitted for any investigation or proceedings.169
164 165 166 167 168 169
See, eg, the position in the European Union. Personal Data Protection Act 2012 (Act 26 of 2012) Second para 1(; Third Sched, para 1 (f) and Fourth Sched, para 1 (h). Personal Data Protection Act 2012 (Act 26 of 2012) Second para 1(o); Third Sched, para 1() and Fourth Sched, para 1(s). Personal Data Protection Act 2012 (Act 26 of 2012) Second para 1(); Third Sched, para 1() and Fourth Sched, para 1(h). Personal Data Protection Act 2012 (Act 26 of 2012) Second para 1 (n); Third Sched, para 1(j) and Fourth Sched, para 1(s). para 1(e); Third Sched, para 1 (e) and Fourth Sched para 1().
is recruitment would appear to be in
tion than other employers in general regarding
neasier reCruitment firm retains employees, no consent mpliance. f from the employees as long as the organisation
an even
casier
ld b er e q u i r e d
hevond employment related purposes with the personal
data that a recruitment firm handles about the personal c o n f i n e s of recruitment purposes, all of these the d i v i d u a l s w i thin hir from the requirement of consent for collection, use b e exempt f r o m
d o e sn o t m o v e
or
d a t a . A sf o r
purposes exemption." As discussed data that can be collected, used of the types the suitability, eligibility or of "determining disclosedfor the 1"172 for for em employment or appointment to of the aualifications wide. Ience, for an organisation whose business is extremely are. oftice arguably not need to obtain uitment services, they wou limited to collection of personal data for any of their business the nt for handle personal data for purposes other than ctivities. If they then those other ctivities would need to be assessed. under
1ative the evalua
disclosu
or
above,
personal
Durpose
individual"l72
recruitment,
5.192
equally privileged position. they For insurance companies, collected, used and disclosed for employment data Again, personal consent from their employees or related purposes would not require There are also sweeping exemptions for personal are in an
Dotential employees. data collected, used or disclosed in connection with insurance policies both prior to insuring using the evaluative purposes exemption,73 as
Sched, Sched, Sched, Sched,
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
186
se busin business ations whose
i..
170 Personal Data Protection Act 2012 (Act 26 of 2012)
s
16(1).
71 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(; Third Sched, para 1() and Fourth Sched, para 1(h).
2 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). 173 Personal Data Protection Act 2012 (Act 26 of 2012) s2(1); Second Sched, para 1(); Third Sched, para 1() and Fourth Sched, para 1 (h).
187
Data Protection in the Practical Contex
ConsentObligation
well as all other aspects of the conterment and adm
nistraion
insurance policy using the benefit plan exemption 7strar
t o Control their personal data; and to ensure data within the EU member states. Thus, the d a t a with personal the data subject is at the hcart of the of t h e i rright
in particular,
.
t h e frce o w
o fp e r s o n a l
.193 For many organisations, especially those in the the retai
retail
sector, the cOnsent aspec personal coll disclose about customers or clients, or potential custome
EUregime.
arca they will need to scrutinise concerning the co data will likely be the personal data tho
omers or ciens
Dala
only and es
OF THE CONSENT
EUROPEAN
UNION
POSITION ON
"colle.
EU The data
IMPACT
ction Dire Directive 95/46 46/EC mandates that personal "collected for specific explicit and legitimate be processed in a way incompatiblc with those f 6urther urt data is very broadly defined'78 processin concept of
Protection 5.197
may
).
by
data
conrol
not
The
cludes collection, consultat
n, disclosure and even erasure
or
purpos
and
destruction.
5.194 As discussed in chapter 1, organisations in Sinoapproach personal data protection with a myopic view,
pore canno
expanded
territorial
reach of
Regulation 2016/679,"3
the
EU
organisations
General
woul
ta
need
especially their online activities and if they are caug
teritorial reach, to ensure they do not fall foul of of the
the
the EU.
to
Proexamitecionne
new
laws in
The EU General Data Protection Regulation 2016/679 did no the requirements and concepts concerning consent, insteadchan
confirmed the concepts and requirements in a clearer and comprehensive form. For this reason, both sets of personal more data protection will now be considered.
Consent under EU Data Protection Directive
95/46/EC
5.196
Both the
public
and
private sectors Protection Directive 95/46/EC, and
175
excessive
not
in
that personal data must be
relation
further
and/or collected,
ed
data
personal
elevant a n d
cannot
to
adequate, relevant
the purposes for which they are
This effectively means that the disclosed must be necessary and
processed.
used
or
excessive. be in any way
for when personal data may be legally conse of the data subject is one of the orocessed - the all requiring an element of criteria with the remaining ritera," is ecessary to protect the vital where processing necessitysuch as The definition of consent that must be of the data subject."* dat to be processed means "any the datasubject for personal given by informed indication" of the data subject's and specific freely given that consent must be explicit for the wishes. 181 Article 8 requires of data, such as racial or ethnic origins, processing of special categories lists the
criteria
unambiguous
interests
religious
or
philosophical
beliefs and
political affiliation.182
that member states may permit in The small number of exceptions and other issues are: measures to safeguard national consent of respect and related regulatory functions; security; defence; public security breaches of ethics for regulated professions and related regulatory functions, an important economic interest of a member state or of
Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,
para 1();Third Sched, para 1() and Fourth Sched, para 1(s). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons wiun regard to the processing of personal data and on the free movement of
Such data, and repealing Directive 95/46/EC (General Data Protecion 176
requires
5.200
covered
by the EU Daa the two objectives listed in Protection Directive 95/46/ECT are to are
Article 1 of the EU Data protect the fundamental rights and freedoms of natural persons and, 174
6(1) (c)
5.199 icle 7
5.195
1.
6.198
Article
Regulation) ("EU General Data Protection Regulation 2016/679).
EUData Protection Directive 95/46/EC, Art 1. 188
177 EU Data Protection Directive 95/46/EC, Art 6(1) (b). 178 EU Data Protection Directive 95/46/EC, Art 2(b). I79 EU Data Protection Directive 95/46/EC, Art 7(a).
80 EU Data Protection Directive 95/46/EC, Arts 7(b)-7().
EU Data Protection Directive 95/46/EC, Art 2(h). 82 EU Data Protection Directive 95/46/EC, Art 8(1). 189
Consent Obligalion
Data Prolection in the Practical Contev related regulatory lunctions; and the the EU and frecdoms of the rights and subject or of of enti ntire industries exemptions wholesale or r
others.
worded
legislation. in the Singapore
5.201
otection of the There
no idd daa
that are preserm
of
not Is T h is on s id e r a b l yb br re oader
considcrabl
Didual.
provide the oduct or servico that necessity but a testof what is sonable, the test of
necessity.
is which
on
persona
ictin g the
collected andrealisefurher
the amount ot personal data collecto purposes and to be the smallest possihl processed for the purposes To over the personal data, consent must he.
subjectcontrol given by the data subject
to
test
test
aa
consent pursuans. EU standard 95/46/EC 1s that purposes musthe the EU n Directive Protection must be legitimate purposecs I8Oficd,a to the data subject and they 184 further processed must be necesea The and data collected in relationa not excessive.185 This would resalt in the purpOses and
In summary, the
able hat is reaso
beyondWhat i s
for the
collection,
use
and
unambilosureguo
that consent ca the stated purposes,which for the ciDe dee position.Lastly, unlike the Singapore ion and of special categories of data, explicit consent i means
processing
5.204
can
med in in
more 0
the
EU regime.
Singapore, which is quite contrary nambiguous and Cxplicit consent in
decmed
of
Lastly
antithctical
than deemed
the three Schedule permienccivcd re broadly conceived. It would
Eve.
exemptions
U6 tists of o
in
is legIslation
the EU
SiDgapore
dis
to
onal perso.
the the
is restrictiv.
adhere to
the
data
apore
collecion, use
Thus, if
oor
requirementsorganisations under
the on, they would need a complete overhaul of their legisia tion practices should they come under the
ore
SU
position
simply
conser
u l e s s C
t
gthy
ingapo.
al
be
crequiremecnt onsent
protecti
data
of jurisdictions
such
as
the EU,
purn
EU General Data Protection nsent under Regulation 2016/679
5.202 The EU position sits in stark contrast to the legislative requirem
Singapore. Not only must the amount of personal data collec
ents in
and also be Unambiguous consente
processed be the bare necessary minimum, the purposes must explicit, legitimate and not overly broad.
of the
data subject must be obtained and there are no wide.e.
af
5.206
In the
consent,
the
area
2016/679
reaffirm
on Protection Directive 95/46/EC.
EU
General Data Protection and clarifies the EU Data
strengthens
Sweeping
All this serves to ensure that the smallest amoun personal data can be legitimately collected and further processed of
exceptions.
5.206 The definition
5.203 Singapore's position with respect to the purposes permitted, as will be seen in chapter 6, is that which a reasonable person would considet
of consent is largely nchanged, Article 4(11) defines
"consent" of the
data
subject
to mean:l89
appropriate in the circumstances; this is far broader than the
informed and unambiguous indication of the freely given, specific, which he or she, by a statement or by a clear subject's wishes by to the processing of personal data affirmative action, signifies agreement
EU requirement of legitimate and explicit purposes. There is no
relating to him
any
data
or
her[.]
requirement in Singapore that the personal data collected, used or disclosed be limited to that which is necessary. The only stipulation in
the Singapore legislation is that an organisation cannot, as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual
183 EU Data Protection Directive 95/46/EC, Art 13. 184 EUData Protection Directive 95/46/EC, Art 6(1) (6). 185 EU Data Protection Directive 95/46/EC, Art 6(1)(c). 186 EU Data Protection Directive 95/46/EC, Art 7(a). 187 Personal Data Protection Act 2012 (Act 26 of 2012) s 15. 188 EU Data Protection Directive 95/46/EC, Art 8(1).
190
5.207
remains equally broad and incudes The definition of "processing" disclosure.0 Article 6 sets out the and combination collection, storage, situations where the processing of personal data is lawful. It is nearly that other identical to the EU Data Protection Directive 95/46/EC in
EU Ceneral Data Protection Regulation 2016/679, Art 4(11). 190 EU General Data Protection 2016/679, Art
8
Regulation 191
4(2)
Data Protection in the Practical
than the consent the e l e m e n t
of
the data
subject, all the
2
of necessity.
Consent Obligation
lext
other
siluations Tequige
frecly
frecly
en
not
on
have
he
oro pro
of personal date of special categories The processing has data given explicit subjec unless the prohibited data for specified purn such personal processing of such as where proccssino is limited situations, other the the data subject or ane of interests vital protect the is incapable of giving consent 194 1s where the data subject constitutes specia categories The list of what the processing of genetic data, bior to include
data
coninue 93
ing
expanded
identifying
a
kept
as
neces one eto
individu consent,"" applicable of personal data has beens
atural person
the purpose of uniquely such all the other existing categories
or if
netric data tor
and it
reasonable
the
duct
or
of what is necessary. whas
of
consent
beyond what service, instead of the
EU
General
Data Protection ETI 2016/679 details of what will be requ ired to meet some of the
to the
.211 The Recitals
alsoprovidemuch
Regulation
e l e m e n t so fc o n s c n t .
hasalso
oncerning health
EU General
32 stipulates and
Regulation 2016/679 has int. introduc clarifying the concept and requiremen
Protection The EU General Data
several new requirements
provide
pro
to
to
standard
New requirements
5.209
a
i1s
higher
5.212
(a)
not nccessary
he be
can
pplicd
pore
Singa
Standard js
performa of a conditional on consentcontract, inclu to the processing
ecessary for the pertormance of that compared with section 14(2)(«) of the for provides similar restriction, 202 which except the in Singapore requirin 1s
that
This
201
i r a c t»
to sent to thbee
if if tthe
scrvic
o fa
data da1a
o f perso
5.208
p given
been
of consent. Article 7 lays down several conditi for consent to b that the data suhia lid, It specifies that the onus of showing have consented to the processing of their personal data lies organisation. Where the consent is obtained in the contevs he of a written declaration which also concerns other matters, the uest fo
oftheonsent
Regulation 2016/679208
unambiguous
act uch as clear afirmative
by a statement, whether writen or an oral statement. A form, in simple would consist of ticking a box when visiting an
processin
through
in
Data Protection
should be a freely given, specific, informed that indication of the individual's agreement to the her personal data. This indication must be of his or
hard copy,
or
method
electronic internet website
or
Recital Moreover,
orinactivity in
should
consent shall be presented in a manner which is clearly distinguishahle
personal data
from the other matters, in an intelligible and easily accessible fom
all of them.
choosing technical settings for online services ovides that silence, pre-ticked boxes not nstitute consent. Where the processing of
32 expressly
has multiple purposes, consent needs to be obtained for
using clear and plain language.Where this is not done, the Consent is
not
binding.
199
5.210 The right to withdraw consent at any time must be made known to the data subject at the time the consent was obtained and it must be as easy to withdraw consent as to give consent.200 Consent will likely be held to
191 EU Ceneral Data Protection Regulation 2016/679, Art 6(1)(a). 192 EU General Data Protection Regulation 2016/679, Arts 6(1)(b)-6(1)). 193 EU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2)a 194 EU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2)0). 195 BU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2) 196 EU General Data Protection Regulation 2016/679, Art 9(1) 197 EU General Data Protection 2016/679, Art 7(1) 198 EU General Data Protection Regulation Art 7(2). 199 EU General Data Protection Regulation 2016/679, Art 7(Z 2016/679, Regulation 200 EU General Data Protection Regulation 2016/679, Art 7(3).
192
5.213 the organisation to ensure that the data subject The onus is also upon and the extent to which consent is given. 204 In that fact is aware of the of consent pre-formulated by the organisation declaration a particular, should be written in an intelligible and easily accessible form, using clear and plain language and should not contain unfair terms.20 The minimum information that needs to be provided to the data subject in order for the consent to be informed is the identity of the organisation and the purposes of the processing for which the personal data is intended.206
201 EU General Data Protection Regulation 2016/679, Art 7(4). U Personal Data Protection Act 2012 (Act 26 of 2012). 5 BU General Data Protection Regulation 2016/679, Recital 32.
0U General Data Protection Regulation 2016/679, Recital U General Data Protection Regulation 2016/679, Recital U
General Data Protection Regulation 2016/679, Recital 2.
193
Dala Protection in the Practicat Context
Consent Obligation
5.214
to be freely given if the Consent is not considered withdraw consent with or refuse to unable vein, consent is presumed not to be frecly given if it.
rmally
data subject is
ilar does notSimallow different personal data operations in circumstances where it is appropriate to do
separate
consent
to
be
given
to
processing
so 208
nrovided
provided
Thus,
charge
direct
object
individual requc m e a n s that
of
at a
a
distance, by
esent
online
5.215 Lastly, where personal data is collected or processed marketing purposes, the data subject shall have the ight t and at any time to the processing of perso free of
for remuneration,
recipient of services"electronic ans anddistance 215 2N5 The C e is a ided without the 216 enn a t simultaneously present.216 The service traP ust be one the arties. ission of data on that is through individual provided 217 request definition is quite broad and would cover a the wide variety of as electronic at the
seri
commerce in
goods, including aharmaceutical products, electronic commerce
luding online gambling. lt would also extend networks and even ocational training by distance learning 218
in
to social
concerning him or her for such marketing, which includes profilina
This right should be explicitly brought to the attention of subject and presented clearly and separately from anny other data information.210
5.218
special of those under 16 of age is that they may be less aware of the risks, consequences andyears safeguards in ation to the and their rights of personal concern is when personal data is used for the
Therationale for
treatment
processing
concerned
keting or creating personalhty or user profiles and wherepurposes services fered directly to a child. One ot the harms in the minds of the
New requirements for minors under 16 years old
(b)
5.216 The EU General Data Protection
Regulation 2016/679 introdticed specific protection in the context of children's personal data h putting restrictions on the validity of consent given by children21l This is something completely new in the EU data protection landscape. Article 8(1) states that when offering information society services directly to children under the age of 16, or a lower age provided by EU member state law but which may not be below 13 years, consent is only valid if it is given or authorised by the holder of parental responsibility over the child.2 The organisation bears the onus to make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into
consideration available technology.213
a s probably the rise in the number of online predators, becially sexual predators. It is interesting to note that the consent of the holder of parental responsibility is not necessary in the context of preventive or counselling services offered directly to a child.29
5.219
These new rules on minors under 16 years of age will pose challenges to those wishing to offer goods or services, even without charge, to those in the EU. Considering that teenagers are the largest consuners and, in some respects, drivers of online goods and services, whetherin terms of social media, games or the purchase of music, they represent a significant segment of the market. Organisations that need to continue to tap into those market segments will need to devise ways of with these new requirements. They would need to first
complying
establish if the person is under 16 years of age and if they are, to
5.217 Article 4(25) states that "information society service" has the same meaning as service" in another EU directive?1 and is "any service
nformation in the field of technical regulations and of rules Directive services [2015] OJ L 241/1 ("EU
ontormation Society 207
208 209
210
EU General Data EU General Data EU General Data
EU General Data Protection Regulation 2016/679, Recital
General Data Protection ZEU Regulation 2016/679, Art 8 and EU General Data 212 Protection Regulation 2016/679, Art 8(1) 213 EU General Data
214
i 216
Protection Regulation 2016/679, Recital *. Protection Regulation 2016/679, Recital 45 Protection Regulation 2016/679, Art 21 cital 38.
Protection Regulation 2016/679, Art 8(2). and of the Directive (EU) 2015/1535 of the European Council of 9 September 2015 laying down a proceParhame om the nextpag (cont'd 194
2015/1535").
EU Directive EU Directive
2015/1535, Art 1(1)(b). 2015/1535, Art EU Directive 2015/1535, Art 1(1)(b)( Council, Parliament, the OCommission Communication1(1)(b)(1) to the European COnomic and Social Committee and the Committee
t
for
4 coherent framework for building irnust in n 2012) (adoptea 1l LTC and online services (COM/2011/0942 finalJanuary 2012) at fn 1. 219 General Data Protection
gulation 2016/679,
195
Recital 38.
Consent Obligation
Dala Proteclion in the Praclical Context
cnsure
that
they obtain permiSSion no
parental responsibility. this
might
be
legislation has
This is
achieved
existed for
could some
authorisation fror om the hold casy task. Some puid.
the consent is
or
be gleaned
ume to
m
protect minors
T of
in enacted in the US
1998
to
Act
amended
where
the
to
range of operators.22
additional or
parent
legal
legal guardian
post:
guardian
address
proviso that
children
personal information. confirmatory e-mail following receipt of consent, a
to
telephone irming the parent
or
or number from the parent or
and confirminc
call.
letter or
consent
was safety.
cgulatüFTCons The
legal Organisations guardian's
can i
strengthen reol
parental
disclose
telephone by that use this notice that the must provide parent or legal guardian hod ke any consentgiven in response to the earlier
or
to mobile application devel. expanding COPPA's reach and on the collecion of personal infs. expanding the prohibition lion of without verifiah 13 under age years from children to a wider
Such
("COPPAy
protect children's onli line ("FTC enacted Rule" in 1999.
Commission
Trade The US Federal COPPA ("COPPA implementing the Rule in 2012* COPPA the
not
ons incude: include: sendine steps sending
t h e organisation.
btaining a
5.220 Children's Online Privacy Protection The
consent
does
elines on how the US,
the parent or legal guardian with
5,222 last meth
The and
it
ded
concluded
is
termed
the
that it remains
"e-mail plus" method2 the by FTC a valued and
for certain organisations.
mechanism f o r «
other methods of consent, the FT innovate
to
create
additional
However,
as
cost-effective consent it is less reliable than
"strongly encourages industry to
useful
mechanisms
as
quickly
as
p o s s i b l e "225
5.221
Some of the acceptable methods for proving "verifiable na parental
consent" include the following: 22 (a) (b)
5.223
a signed parental consent form returned to the operator hu postal mail, facsimile, or electronic scan; requiring a parent or legal guardian, in connection with
a
monetary transaction, to use a credit card, debit card, or other
(c)
(d) (e)
(f)
220
221 222 223
online payment system that provides notification of each discrete transaction to the primary account holder; having a parent or legal guardian call a toll-free telephone number staffed by trained personnel; having a parent or legal guardian connect to trained personnel via video-conference; verifying a parent or legal guardian's identity by checking a form of government-issued identification against databases of such information, where the parent or legal guardian's identification is deleted by the operator from its records promptly after such verification is complete; or an organisation may use an e-mail coupled with additional steps to provide assurances that the parent or legal guardian prova
Children's Online Privacy Protection Act 1998 15 USC (US) SS 650l-0 (2006).
Online Privacy Protection Rule 78 Children's Fed Reg 3972 (anuary 17, 2013) (US).
Children's Online Privacy Protection Rule 78 Fed Reg 3972 (anua at 3972 and 3985. Children's Online Privacy Protection Rule 16 CFR Pt 314 S)
2013) (US)
$ 312.5(b) (2) (2012).
196
Cane organisations in the US, such as social media provider Facebook,
haue Complied with COPPA by not permiting users under 13 years old to 1se their social media service. However, the screening is quite nrimiúve and appears to be bascd on the date of birth entered by the
ser and no further checks are done. It is doubtful whether such kinds of simplistic screenings will be acceptable in the EU regime and, in any event, the onus lies with the organisation to demonstrate compliance.
Thus, an ineffective measure to restrict children under 16 years of age to access the service such as this would probably not satisfy the requirements in Article 8 of the EU General Data Protection Regulation 2016/679. 5.224 lt 1s, of course, unclear how many, if any, of the methods listed by the
Cwill be found to be satisfactory to the EU regulators but they represent some of the available techniques to date. The burden will be On organisaticons that collect, use and disclose personal data to comply.
Odren's Online Privacy Protection Rule 78 Fed Reg 3972 (January1, 2013) (US) at 3990. 25 Ch
Protection
Rule 78 Fed Reg 3972 (January 17,
Oo 2013) (US Tvacy ebook Help Centre, "How do I report a child underthe age ot (acc
at (accessed 11 July 2016). 201
Consent Obligalion
Data Protection in the Practical Context matter of course. Although users can disable cookies in .
websites one can access since websiteS so
commonly
c setings (
numbercookico utilis
that that the lack of meant it was difficult for cookie a 1on accompanying a user to assess whether to accept or not accept a particular cook This situ been the technologies. It has long
case
changed somewhat in the past few years, especiz
of the
numb
their browser programs, this may drastically reduce the
information
in the EU 28
ion has
telephoncc
the
ocation
version
owser usecd, peof u l d b e r e a s o n a b l e
hese
would
5.238
mission
5.239 The Commission presents an example of how deemed consent would operate in the context of websites. For Internet activities that the user has clearly requested, there may be no need to seek consent for the use of cookies to collect, use or disclose personal data where the user is aware of the purposes because the user, having voluntarily provided such personal data, can be deemed to have consented to the collection, use or disclosure by the cookies.241
phone,
the None of the online
on.
facilitating
his his
consented
actively manage of an t the imply that the individual has consented individual
does not collect personal data, then no consent is required 29cookie Commission gave the example of cookies that "only collect and saThe technical data to play back a video on a website"0- no consent be required for such cookies.
for
also
accept.313
In Singapore, the position of the Commission is that if
necessary
opined that consent may be reflected in the wav browser to accept certain cookies but rejects a to the be found to have he may collection, use and athers; nersonal data by the cookies that he has chosen disclosurd to Commission was the caref to note that 292 However, the
5.241
usCr
Position in Singapore
vice if it is a mobile the browser and so
purchase,
configures
(b)
of
to:
his
browser
mere
settings does not collection, use and
to the his personal data by all websites for of their stated disclosure purposes.245 In fact, many users of he Internet are unaware of how to
change the
browser
settings.
5.242
Importantly, the Commission was of the view that the obligation to
ahtain the individual's consent tor the collection of his personal data lies with the organisation that is collecting such personal data24
Thus, in the situation where organisation X operates a website but organisation Y, a third party, collects personal data, then organisation Y has the obligation to obtain consent.213 5.243
5.240 It should be noted, however, that this example given by the Commission would only make sense if the cookies are only using and disclosing personal data for the purpose which iscollecting, deemed. Often, cookies collect a lot more information for many other purposes that are quite unrelated to the primary interaction. For example, if the interaction with the website is to facilitate an online purchase, it is not uncommon for cookies to collect information about the deviccs 238 239
240
241
Yee Fen
Lim, Cyberspace Law: Commentaries and Materials (Oxrord University Press, 2002) at pp 114-118. Personal Data Protection Commission, Advisory Guidelines o Personal Data Protection Act for Selected Totpics (revised on 20 Deceme 2016) at para 7.7.
Personal Data Protection Commission, Guidelines Personal Data Prolection Act for Selected Topics Advisory at para 7.7. (revised on 20 Decemoer
Personal Data Protection Personal Data Protection At
at para 7.8.
forbehavioural
212
Personal Data Protection Commission, Advisory Guidelines on the Fersonal Dala Prolection Act for Selected Topics (revised on 20 December 2016) at para 7.9.
ersonal Data Protection Commission, Advisory Guidelines on the
O a Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.9.
* O n a l Data Protection Commission, Advisory Gauidelines on the ersonal Data Protection Act for Selected Topics (revised on 20 Decemor 4UO at para 7.10.
the
Commission, Aduisory Gue for Selected Topics (revised on 20 Den 2016) 202
Lastly, the Commission made it very clear that where cookies are used targeting, the individual's consent is required for such collection, usage or disclosure of personal data.246
ersonal Data Protection Commission, Advisory Guidel1nes o
Personal Data Protection Act. for Selected opics (revised on 20 December 2016)
246
at para 7.10.
Protection Commission, Advisory Guidelines 0n the Persomlata Personal Data Protecti Act for Selected Topics (revised on 20December at para 7.11.
203
Data Protection inthe Practical Contex!
Consent Obligation
Position in the European Union
(c)
informed, be specific be of the indication freely nd individual's wishes. be anisations clear explicit, and the natu of cookies emplov compreher eir disclosures Ies employed consent their obtaining use
or
lection,
g T v C na n d
5.244 In the EU, there is a specific law that deals with cooks
relevance, Article 5(3)
was
amended
to
European Parlia
and it
is
irective ment. Of
rovide stronger protecuon
for
The law previously permitted vebsites to use cookies Where there was clear advance notice to the user. This was
users.
information nmonl ahouty
achieved by a website's privacy policy providi cookies that are employed on the website.
ensure
that
the
storing of information, in
already
transmission network,
or
of
as
society service the service.
or access
a
for
processing. sole
the
communication
over
prevent anv carrying out the electronic
purpOse
an
of
provide
5.246
as
web
beacons/bugs*"
before
they
5.247
248 250
exemptions
o r where they are in order for necessary requested of thea provider of an inlormation society service explicitly by
strictly
communica
to
provide
that
service.
5.249
T FIl Artcle
Protection
29 Data Working Party's Opinion 04/2012 anCookie Consent Exemptaon ("WP29 Opinion") has concluded that the Wo Categories of exemptüons in Article 5(3) would include the following
uypes of cookies.251
5.250 First, "user input cookies', which refers to session cookies that are used to keep track of a user's input in a series of message exchanges with a These are typically first party service provider in a consistent manner cookies relying on a session-ID, a random temporary unique number generated for the session, which expires when the session ends, although some may persist beyond the session. These first party user input session cookies are normally used to keep track of a user's input wien filling online forms over several pages, or in shopping cart Scenanios to keep track of the items the user has selected for purchase.
Article 5(3) specifically refers to the EU Data Protection Directive 95/46/EC,0 hence, the consent must be obtained prior to
249
5,248 n s 1from consent provided in Article 5(3) are wo The where cookics are used fori the sole purpose of carrying out the transmission
communications
order for the provider of an information requested by the subscriber or user to
other similar technologies such can be employed by the website.
on
uscrs'
to
the
Specifically, Article 5(3) requires prior informed consent for storage or for access to information stored on a user's terminal equipment, thus, organisations must obtain users' consent to the use of cookies and
24
prior
cauino.8aning
strictly necessary in explicidy
to
about
The WP29 Opinion or
of access to information the terminal stored, subscriber or user is only allowed on condition that the subscriher ta concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance ith Directive 95/46/EC inter alia, about the purposes of the This shall not
technical storage
and be
real
websitesp
he user
5.245 The new Article 5(3) reads:218 Member States shall
must
requires
contained in what 1s Commonly known as the e-Privam. es
which was amended in 2009 by the
lisclosure, dis
constitute a
Directive 2002/58/EC of the European Parliament and of the Coun 12 July 2002 concerning the processing of personal data and the pro of privacy in the electronic communications sector (Directive on and electronic communications) [2002] OJL 201/37 ( r Directive 2002/58/EC"). See Art 5(3) of the Yee Fen Lim,
e-Privacy Directiv 2002/58/EC. Cyberspace Law: Commentaries and University Press, 2002) at pp 118-119. Directive 95/46/EC of
24 October 1995
on
the
Materus
processing of personal 1995] OJ L 281/31.
data and
on
the free movement
of sucn 0aa
taken irom wng section on the examples of exempt cookies are 04/2014 29 WP194, Data Protection Working Party, BUArticle Opinion
1t
the Councilof the
page) (cont'd on the next
204
wDether it be filling in a form or purchasing an item online."
of
(Oxford
European Parliament and or u the protection of individuals with regard t
nese cookies are exempted because they are clearly needed to provnde an information service explicitly requested by the user,
0 C0okie Consent Exemplion (adopted on 7 June 2012) at ppoAcle 29 Data Protection Working Party, WP194, pn0
COOkie Consent Exembtion (adopted on 7 June 2012) atp 04/2012 Protection Working Party, WP194, Opinion Data on Cookie LOORie Comsent Exenption (adopted on 7 June 2012) at pb.
205
Data Protection in lhe Practical Context 5.251 authentication
cookies which
are used
Consent Obligation
dentify auser
Second, 251 into a wcbsite.254 Authenicalion cookies the user has logged once usually session okies but they are essential to allow continue
to
provide
access
example, upon logging
into
to a
the
various
pages
banking website,
of
the account balance and transacti. know it is still the s a m e user and allo
the
te to
website. Fo
next page scet records, the websi needs
access to the to transaction records webpage. The website will be able to :
through the
authentication cookie. Witho
checkbo box
balance and ascertain the authenticatio Cookithcis,
the user would have to provide a username and password
password
on cach of the bank's website that is accessed. As the authentication information service the user is an essential part of the
page
cookie is
society
requesting, it would be exempted under Article 5 (3),55
explicitly
5.252
"keep me.logged in" next Lo the
i n d i c a t ec o n s c n t , 2 5 8
the website
an overview of all accounts held. In order to move to tho access
as
such to.
5,254
type
hird yP
T h et h i r d
have h e s p
ily
b e e ne x p l i c i t l y
submit button
to
of cookie is he user centric 1ask of increasing the security the user. An requested by
security cookie 259 These of the service has example of this can bethatffound detect repeated failed login attempts on website system designed to protect the login system
okies used to m
a
o
other
from This type of cookie falls within the exempion as of websites and it is a service for the security that has been he uSer. This type of user secunty cookie lifespan in order to fulf their security purpose.20 usually has a
or some
access.
unauthorised
i is
used
requested
longe
5.255
multimedia player session coOkies are cookies used to store
technical data required to play back video or audio content, such as
The WP29 Opinion sounds a warning
authentication cookies must only use
them tor
that websites thas use
authentication
purpose poses behavioural monitoring or advertising without consent 56such For example, if a bank user is checking the toreign currency rates on an
and must not
use
the authentication cookies for other
as
hourly basis on the bank's secured website, the bank cannot ue the authentication cookies to track the welb pages visited by the conclude the user is interested in foreign currency investments
user and or
present foreign currency advertising without first obtaining consent.
quality, network link speed and bufifering parameters.261 These are commonly known as lash cookies", named after Adobe Flash hich is the most utilised platform for the delivery of Internet
image
altimedia content. These cookies should not endure for longer than the session and other additional information that are not strictly
multin
necessary for the playbacko
the media content should not be
cookie.262 included into the
to
5.253 There are, however, also authentication cookies that are used by e-mail providers and others that are stored for longer than a session; these are not exempted from the consent requirement according to the WP29 Opinion. The rationale for this is that users may not be
5.256
Fith, Ioad balancing cookies also fall within the exemption.35 The task of a load balancing cookie is to ensure that the web server requests from a specific user is always forwarded to the same server. Organisations often have a pool of machines to handle and process
web server requests. Load balancing enables the eicient allocation of resources in this regard. A load balancing gateway is used to process
immediately aware of the fact that closing the browser will not clear their authentication settings.25 Users may return to the website under the erroneous assumption that they are accessing anonymousy whereas, in fact, they are still logged in to the service. Consent can
be obtained for these kinds of persistent login cookies by using a 254
258 EU Article 29 Data Protection Working Party, WPI94, Opinion 04/2012 on Cookie Consent Exemption (adopted on 7 June 2012) at p 7. 259 EU Article 29 Data Protection Working Party, WP194, Opinion 4/2012
onCookie Consent Exemptionm (adopted on 7 June 2012) at p1.
EU Article 29 Data Protection Working Party, WP194, Opinion 04/401 0n Cookie Consent at p Exemption (adopted on 7 June 2012) 6. EU Article 29 Data Protection Working Party, WP194, Opinion U4/4u 2012
250 EU Article 29 Data Protection Working Party, WP194, Opimion U9/2012 onCookie Consent Exemption (adopted on 7June 2012) at p i.
Cookie Consent Exemplion (adopted on 7 June 2012) at pp o. /2012 256 EU Article 29 Data Protection Working Party, WP194, Oinion On Cookie Consent Exembtion (adopted on 7 June 2012) at p7 4 EU Article 29 Data Protection Working Party, WP194, Opinion.0/
onCookie Consent Exemption (adopted on 7June 2012) at p. i c l e 29 Data Protection Working Party, WP194, Opinion 04/2012 0n Cookie Consent Exemption (adopted on 7June 2012) at pi. 04/2012 29 Data Protection Working Party, WP194, Opinion
255
on
om Cookie Consent Exemption (adopted on 7June 2012) atp .
206
261
EU Article 29 Data Protection Working Party, WP194, Onion U704
c le Cookie Consent Exemption (adopted on 7June 2012) at po.
207
Consent Obligation
Data Protection in the Practical Context
web requests available
users
from
internal
and
machines
it
directs
the wch web
in the pool,261
request to one
of
5.257
a ser must be originating from specific user Often, all requests to maintain the the the consistency of p0ol s e r v e r in same to the cookice may be use load balancing a the processing. Thus, load balancer can corree! so that the server in the pool These are Session coOKIes that expire web server requests. fall within the exemption because the the session. They nave the dof sole o n e of the servers in the he pool an purpose of identifying c o m m u n i c a u o n over the the networt 26 thus to m.
forwarded
denify tthhee Trectly redirect -
necessary
carry out
by the WP29 Op on is the social type of coo last sharing ent he ent sha of a social enefit. lt should social network. be noted embers that the ogged-in nion only singled out the social plugin content sharing the these exemption; are 99 Opn within from which cookie king cial plug-in tracki requires the conscnt of the cookie discussed
the
k.
5.260
cookie. This
USCr
5.261
can
The sixth example
of
exempt
interface
C1ct.
saion
expliciuly
requested the service to remember a certain piece ofinformation
s store user's preference regarding an aspect of a :service across web pages and are not linked to other persistent identifiers such as a name. Some common examples of user intertace customisation
:
cookies re language preference cookies that are used to remember the lange
selected by a user on a multilingual website, as well as result disnia
preference cookies used in online search queries that will display a set number of results per page.267
they
are
plug-in
modules" that website
on the social network. These plug-ins the user's device in order to allow the social
connected
cookies
in
andtoaccess identify their members hen they interact with these plug
store
emption would only be available for those social network
netw
ins. This e x
example, by clicking on a button or ticking a box. These cookiee a
"social
suets to share content they like with their "friends" or those with
cookies.26 This type of cookie occurs where the user has
provide rovide
integrate into their websites, such as to allow social
integrate
users
whom
coOkies 1S user
networks
ocial Many o perators
networks
5.258
distinguished
WP20
cookie as
embers
loggea
in
who are logged in. This is so because only users who are to use and access social would expect to be able on
plug-ins
Those who are not logged in or who are not embers would not ha such an expectation. hus, for those who are ged in, the cookie is trictly necessary for a functionality explicitly the user and therefore falls within the exemption, 270
third party websites.
requested by 5.262
This type of cookie may be session cookies or have a lifespan of week or months, depending on their purpose, but since they are customised by the user, they are explicidly enabled by the user of an information
These types of cookies are session cookies because in order to serve their particular purpose, they only need to persist for as long as the user is logged in or as long as the browser is not closed. Social networks that wish to use cookies for a longer duration or for additional purposes should inform their users on the social network
5ociety service, and are strictly necessary in order for the provider of
platform itself and obtain the relevant consent.271
5.259
the service to provide that service, hence they fall within the would be for the customisation to exemption. However, the persist only for the duration of the session unless otherwise brought to norm
the attention of or
i)
requested by the user.288
Practical implementations of cookie consent in the European Union
5.263 264 265 200
267 268
EU Article 29 Data Protection
Working Party, WP194, Opinion 4/201 on Cookie Consent Exemption (adopted on 7June 2012) at p8. EU Article 29 Data Protection Working Party, WP194, Opinion 4/201 on Cookie Consent Exemption (adopted on 7June 2012) at p 8. EU Article 29 Data Protection Working Party, WP194, Opinion U 012 on Cookie Consent Exemption (adopted on 7 June 2012) at p 8.. 04/2012 EU Article 29 Data Protection Working Party, WP194, pnune o on Cookie Consent at on 7 Exemption (adopted ö.. 04/2012 EU Article 29 Data Protection Working June Party,2012) WP194, pOpinmon on
Cookie
Consent Exemption (adopted on 7June 208
2012) atp
o.
Complying with
the EU cookie law may seem daunting but it 15 not more may need to provide
particularly difficult. First, organisations
C0EU Article 29 Data Protection Working Party, WP194, Opiniom 4/2012 220ookie Consent Exemption (adopted on 7 June 2012) at pp Article 29 Data Protection Working Party, WP194, Onuon 04/2012
Cookie Consent Exemption (adopted on 7 June 2012) atp.. 271 U 04/2012 EU Article 29 WP194, Opinion Data
L0OR2
Prot
ction Working Party,
Consent Exemption (adopted on 7June 2012) at Pp 209
Data Prolection in the Practical Context
Consent Obligation
detailed information about the use of cookies in their
protection policies. Second, some form of website ban
personal tata or pop-p
notice that seeks and obtains a user's consent will be:required. will be would only need to be shown for users from the EU.
These
cific aand clear; and lastly, it must be n
i
Ist
must
be
specific
Google and Dagc annoying, b various
5.264
which is e
to install and set up. lt is a JavaScript-based kit that will automa to add a header banner available in 24 once the user has banner header disappears or re cookies used on the website. Included in the kit are the a tool to declare the cookies and provide a link to thc co
languages the web matically accepted bpage. The the
following,
noice
helps to
of cookies; a consent cookie to prevent prior storage remembe choice of the user across the website and a template for tha
he for the cookie
notice p a g e 272
uscrs
in the the
EU, the the cookie
ons functio,
5.267
ogleservices
of the cookies that
cookies more For organisations that extensively, they may d to that Google has had to emulate the types of implement as a result of requests by EU data protection authorities to practices in the EU.27" Google had been surreptütiously tracking users across websites and other applications over the years using cookies and other technologies before they were discovered. Google has, in July 2015, launched a new user consent policy for users of its AdSense. DoubleClick for Publishers and DoubleClick Ad The of cookie consent by Google may provide insight into what satisfactory compliance would entail under the EU General Data Protection Regulation 2016/679.275
the in the
Google uses
EU contain
ific disclosures specific
In the
a conscnt page that about how
obtaincd
provides users
GoOgle heir activities and toprocesses personal interact with the disclosures before they can procecd any further on the very "in your tace. The they a r e quite disclosures include website information onwhat what and how personal data i1s collected and what kind ha lot of It requires data.
users
to
pause
-
personal data collected will be put to. It provides with of the cookies and show ifthey disagree angeanytheaspect the uSCrs where they can cha settings and how to change the
choices
olso settings. It als
5.265
revocal
notices appear on almost eed click click throu. through them; some at cxplicit and specific consent may find this can be
necd to to
forthe
The European Commission ofters a "cookie consent ki" , e
page; a JavaScript API with methods and functions that
serviccs
provides users with
information
on
how
they can delete
their accounts.
use
consent
change
Exchange products
implementation
5.268
example of an explicit disclosure that is shown to EU users reads: This site uses cookies from Google to deliver its services, to personalise ads and to analyse trafic. Information about your use of this site is shared with Google. By using this site, you agree to its use of cookies." This statement is then followed by two buttons which users can click on. One is "Leam More" and the other is "Got it".
.266 The kind of consent required has three main elements: it must be obtained prior to any collection, that is, before cookies can be utilised; 272
European Commission,
273
en.hun#section_4> (accessed 11 July 2016). Google, "Introducing a new user consent policy" .26. h e Personal Data Protection Act (revised on 15 July 2016) para
273
Data
Access and Coreclion Obligations
Prolection in the Practical Context
consent. This would also not be applicable in in tho the data in question is embodied The
personal
which is not publicly available as such, but
Information,
within the ample under th. CC
of presed finsuy
of
Bey
data was reco stSoougs ody of
does not make the CCTV personal data publicly available. If a person was
footage containn orded the shopping centre that day, the personal data perceived cally at the "live" and could arguably be in senseswould be public
the
area
o fm a s k i n g a
h ec o s t
such as video footage, it is embodied in
that form and
once
aterial formm the
data cannot be said to be publicly available unless the available for general viewing, such as i was
Pesonal
uploaded onto aideopubliclywas
accessible website.
.28 As neither of the two circumstances outlined by the Commise applicable, it is submitted that the better view is that such fonta before
they
can
be revealed
to
esting
hdtind
be
noted,
Shou hould
discussed
access
however,
burden
onable
to
the
an
or
organisation
request
on
to
will he
provide
access would be
disproportionate
ual's interest, and
to
disproportionate
the organisation could decline to
p r o v i d ea c c e s s ,
requesting individuals for access to
security camera ide. the access request is for a short period of time deo footage, suchas one or two minutes, the video footage will likely show the faces and of as other individuals well. This would trigger the bodies prohibition in section 21(3) (c) as it reveals personal data about another individual.2 The question then becomes whether it is possible to mask or conceal the faces and bodies of all the other people in the footage Technically, this would be possible, but external technical assistance may be needed to do this, and it is unclear the extent to which
access
a
the Act places an obligation on organisations to acquire such skill sets the tools required to achieve such results. The Commission has stated that the purpose of the fee is to allow organisations to recover or
the incremental costs of responding to the access request
8.31
provides that organisations are not required to accede request in respect of the matters specified in the although organisations may do so if they so wish.49 Fith Schedule18 alt ifaganisations take advantage of the exceptions and do not provide gan data in response to an access request, the access to personal Commission has advised that where appropriate, organisations should, as good practice, inform the individual of the relevant reason(s), so that the individual is aware of and understands the organisation's reason (s) for its decision".50 ction 21(2)
Sectios 10
an
access
It also
expressed the view that organisations are required to make the necessary arrangements to provide for standard types of access requests, but that costs incurred in capital purchases such as the purchase of new equipment in order to provide access to the requested personal data should not be transferred to individuals." Given that the
Ministry of Information, Communications and the Arts, Public Consulation ssued by Ministry of Information, Communications and the Ars: Proposed PersonalData Protection Bill (19 March 2012) at para 2.139. Personal Data Protection Regulations 2014 (S 362/2014) reg 7. Personal Data Protection Act 2012 (Act 26 of 2012) 5
Fifth Sched,
para (1) () (ii).
A4
required
providing
or
charge.
exceptions which
is not
or
unreasona
coRSidered
even if
42 43
such costs to the
allowed to
the t.17 Thus, if the time and cost of masking other is video footag for great, the example, if the video individuals in period than a few a much longer minutes, it may be for is to the organisatior
Exceptions to granting a
onc of the
organisatio expense of
individual's i n t e r c s t , 17
8.29
considering
pass
through the fee it is
howev
is that
a c e s s i ft h e
are
from
probably
Owner
v i d u a lr e q u e s t i n g
loolag
otage security cameras need to have the images of other individuale
When
camera
setuniy
through the
public. Hor personal data is no longer "live" but captured into:a
can a icw na sicw ld appear that incharge such a reasonable fee on a sis, r t vidco circumstance where footage is unlikely to be great, the
at rccovey
Shopping Centre ABC. Just because the personal data in a
Communications and the Arts ("MICA")
that organisatio
o f
Personal Data Protection Act 2012 (Act 26 of 2012) s21(3)(9. Personal Data Protection Commission, Advisory Guidelines on Key Conepis in the Personal Data Protection Act (revised on 15 July 2016) at para Personal Data Protection Commission, Advisory Guidelines on l3.i. 27n the Personal Data Protection Act (revised on 15 July 2016) at para
Ke nG
274
Personal Data Protection Act 2012 (Act 26 of 2012) s 21(2). Fersonal Data Protection Commission, Advisory Guidelines on Kiy oncepis t h e Personal Data Protection Act (revised on 15 July 2016) at para l5.23 resonal Data Protection Commission, Advisory Guidelines on Ky tndys e 2016) at para on Protection Act
PersonalData
(revised
275
15 July
i.
Data
Protection in the Practical Context
Access and Comectiom Obligation
8.32
organisation
declines to provide access to personal . request, the Commission has opined that the a the personal data in question for a 30 calendar days after rejecting the access mi request.31 This is to individual to seek a review to the Commission of This all w the the decision.2 If such an application of review is made to the sation's and if the Commission issues a Notice of Review Annl:
If
an
is s u l j e c tt o to
t
organisationdata under
mission,
organisation, the organisation should preserve the withheldion to the
data until the review by the Commission is concluded and an the individual to apply for reconsideration and appeal is exh2 For the avoidance of doubt, an organisatimay face hausted action should the review of the Commission find that there valid grounds upon which the personal data was withheld f 23 individual.54 he
personal right of
Korcement
8.33 The Commission has averred that "as good practice, the organieat'. should keep a record of all access requests received and
documenting clearly
whether the
rejected" 55
8.34 The
requested
access was
a prosecution and
isrclatea
Osccution h a v e
easonable period,hould keep
ninimaly
legal privilege;*
related
an
to
s
appcals
in
the
of
the
lated to the
proceedings and the proceedings mercial information that
been completed:58
confidential
opini
position of
or
investigat
have not
and d w o u l dr e v c a l
the proceedings
not been completed7
reasonable
a
organisation:59
person,
could,
harm the
competitive
etsonal data of the beneficiaries of a lely for the purpose ofaadministering the trust:0private trust kept eot by an arbitral institution rsonal data or a mediation 0 r e Ssolely for the purposes of arbitration or mediatio the arbitral by institution or proceedings administered
mediation
Centre
is personal data collec
he in
conduct of
appointed
to
lated
(th) i s r e l a t
act;
to
a
or created by a mediator or arbitrator
mediati.
or
any examinatio
or
arbitration for which he
conducted by
institution, examination scripts and, prior examination results, examination results.3
processod provided.
to
an
was
education
the release of
8.36
some of the key following exceptions and, like the consent from discussed in chapter 5, the exemptions reader is encouraged to closely examine each of the items listed in the Fifth Schedule.
highlights
ald be he noted here that since the Act is subject to other laws, the h should provisions
of the personal data protection regime do not affect
Hicovery obligations under other laws that the parties to a legal
dispute may have.
8.35
One group of exceptions in the Fifth Schedule covers situations where the personal data or information is in some ways confidentúial and should not therefore be revealed. These include situations where the information:
51 52
Personal Data Protection Commission, Advisory Guidelines on Key Conce in the Personal Data Protection Act (revised on 15 July 2016) at para Personal Data Protection Commission, Advisory Gauidelines on Key Concepis n the Personal Data Protection Act (revised on 15 July 2016) at para lb.3
l5.3
53
Personal Data Protection Commission, Advisory Guidelines on Key Lontye
54
Personal Data Protection Commission, Advisory Gauidelines on Key ona
55
Personal Data Protection Commission, Advisory Guidelines on he)
in the Personal Data Protection Act (revised on 15 July 2016) at para l3.0
in the Personal Data Prolection Act (revised on 15 July 2016) atpara dnaepts t
17n the Personal Data Protection Act (revised on 15July 2016) at para 10
276
S6 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched,
para (1) (). 57 Personal Data Protection Act 2012 (Act para (1) (e). 8 Personal Data Protection Act 2012 (Act para (1) (h). Personal Data Protection Act 2012 (Act para (1) (g). 0Personal Data Protection Act 2012 (Act para (1) (). Data Protection Act 2012 (Act Personal para (1) (d).
62
Fersonal Data para(1)(i).
26 of 2012) Fifth Sched, 26 of 2012) Fifth Sched, 26 of 2012)
Fifth Sched,
26 of 2012)
Fih Sched,
26 of 2012) Fifth Sched,
Protection Act 2012 (Act 26 of 2012) Fifth Sched,
ersonal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (6). Daa Dal Data Protection Act 2012 (Act 26 of 2012) s 4(6); Personal in the Fersonau n Commission, Advisory Guidelines on Key Concepts Da Dala Protection Act (revised on 15 July 2016) at para l.0.
277
Access and orrection Obligatiom Data Protection in the Practical
Context 's background
t h e employer's
8.37 The remaining exceptions contained in the Fifth fh Schedule wide variety of situations. First, opinion data kept solel purposes are exempt irom access.
only
Lerm is not to or about individuals made in the context of evaluative broadness of the definition of "evaluative purposes" in sect: Ses. The discussed in chapter 5 on Consent Obligation and it wOuld was the exception from access would allow those
judgments opinig inions appear that making ecisions
itio
, in
an
individual
or
to
remove
individual, an individhto
employment. During the term ot employment, the reDorte from opinions guiding processes such as annual review and promarand processes, grievances, misconduct investigations and decisions afee
dle
t h eF i f t h S c h e d u l e
pupo
gricvances
edin
and
section
1 o a
can also be triggered to misconduct
2(1)
detined
of
the Act to Act to
eement
breach
encompas breaches of
so
in incdude
there
exceptions mentioned
avoid auons,
are
employment
providin dingacce ess. "investigation" is an investigation rela g no doubts
contract.
that it would
Hence,
while
oing and the appeal procesS has not yet been access can also also be denied under paragraph (1)(h) of
ivesigation exvhausted,
to
from
to the ception for opinion data kept solely for evaluative mployment context, the other
for
review of
8.38 This evalluative purposes exception would be useful for em in their deliberations on whether to hire an ployers promotion
printouts
cover
It should ho
evaluative purposes to be able to do so freely without fear of a their decisions or decision making processes later on.
as
ites.
ial media websites,
"opinion data" is not required o be provided but thitha defined in the Act. It would presumably1
ecks, such
u i l so t t h e
the investigation has also not be possible. ents may as opinion data kept
F i t hS c h e d u l e .
thedocumcnts
night be classified
nat
urpose of the
a k e nf r o m
ied,
the
access to
many Apart from informatior solely for the evaluative
investigation, if evidence or information had been
her individuals
such as employees or customers, and it 11s from the contents that the information is from those
Nould b eo b v i o u s
individuals, then access to that information can be denied in section 21 (3) (d), that is, it would lead to ound set out the af identification o f thOse individuals, even it their names have been
particular
employees individually, such as job transters, can be denied accece on the basis that they comprise opinion data solely fo evaluative purposes. For example, if an employee is posted to another division or another job role, this may have been the result of an evaluation of the employee's ability to pertorm the task required, I however, the reason for the transfer is policy-based such as the closure of a division in the organisation and not unique to the particular employee, then the employee would be able to access such information, but as a matter of best practice, most employers would, as a matter of course, inform their employees of the policy reasons in such instances.
ofthe investigating panel may also be denied because it is thereportbe considered opinion data kept solely for evaluative hkely to access to iniormation on the identity of the OuDOseS. Finally, embers of the investigation panel can also be denied based on ecion 21(3) (d). It would appear that the only sure information the
8.39 The evaluative purposes exception also means that those individuals who were unsuccessful in applying for employment positions or
841 Secondly, an organisation may reject a request for access if it would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests.5 The obvious cxample of this may be where an individual makes the same request on
employees
admission into educational institutions cannot demand to see the opinions formed that led to their unsuccessful applications. f an
the information or documents. Furthermore, access to
cmployee would be able to access is the result of the investigation, which one would hope would be made available in any event.
a weekly or fortnightly basis and there have been no changes and
employer still holds the personal data of applicants who were unsuccessful and these do not constitute opinion data, the employer
Cenls or incidents
would, however, need to provide details of these in response to an
personal data.
that would
have
changed or increased the
ganisation's holdings or use or disclosure of the individualls
access request. Some of such personal data or information may be the
65
Personal Data Protection Act 2012
para (1) (a).
(Act 26 of 2012) Fifth Schea,
66
Pers
ersonal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched,
para (1) () ().
278
279
Dala
Protection in
the Practical
Access
Context
8.42
Thirdly, access
mentioned, an organisatic where the burden or expense as
further quire.
may also refuse of
the :access
neca
the
on i
Dcan cant
purposes of the
1
quest fromn the
hay
provi
o he given ahoa footage from security cameras. In the same vein, if an to access all video footage of him or request indivic her over the past one year, this would be regarded as both unrcasonab) organisation and disproportionate to the ole to the the ime and effort that would have to be interests to s due ta individual from the footage and to conceal expended the personal ify the other individuals. of all
cORRECTION OBLIGATION
concerwasnintgo vidual
individual's
request.
making
disproportionate would be period of the
8.43
TheCorrection on
in ections
Obligation provides
that is due
to
a
right
held by
data the personal
error
or
or
for
individuals to
under the
request
controlof
omission."Organisations
an
not to correct the data.3 If an oganisation decide ides against correction, then the personal data should the correction that was requested but not made4 shoul correct the he organisation personal data as soon as and send the correctecd personal data to acticable every other the the personal data was to w h i c h disclosed by the Oganisation before one year the date the correction on within was made. if the other organisation does not need the corrected or business data for any legal purpose, then the first persona. does not need to do this.7 With the consent of the idual, an organisation ich is not a credit bureau can also send the corrected personal lata only to specific organisations to which the rsonal data was disclose by the organisation within a year before
grounds,
choose
b ea n n o t a t c
Fourthly, organisations information in response
do not need to to
an
access
provide
request
if the
rWIse, Oltherwn
personal
da.
data
information or data and information does personal is no longer required to be tion t kept by an organisation,informatir this excep provides an incentive for the to
not exist or cannot be found." For
organisation
longer than is necessary. For cxample, applicants who have been unsuccesstul in for
ception retain persanal. for the personal al data data o their not
job business or legal reasons to retain such applications i data employers should delete such personal data as soon personal as possible eliminate the burden of having to meet the Access are no
Obligation arisin from such personal data. The deletion such personal data of will also assist the organisation to minimise their in the event of liability breaches in personal data security, as will be discussed in chapter 9.
8.44
The last
two
requests
are
exceptions that organisations may rely on to deny access where the information is trivial" or where the request is otherwise frivolous or vexatious." It may be that in order to determine if a request is frivolous or vexatious, in some situations, organisations 67
Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched,
68
Personal Data Protection Act 2012 (Act 26 of 2012) s 4(6); Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Parsona Data Protection Act (revised on 15 July 2016) at para 15.24.
69
Correction Obliga ga lions
c n to
unreasonable to the organisation or providing individual's interests. An example of this was
there
and
para (1) () (i).
Personal Data Protection Act 2012
para (1) () (iii). 70
Personal
71
Personal Data Protection Act 2012
Data Protection Act 2012
para (1)()(iv). para (1)() (V).
280
(Act 26 of 2012) Fifth Sched, Sched, (Act 26 of 2012) Fifth Fifth Sched, (Act 26 of 2012)
oganisation
However,
oganisation
he date the
correction
was
made.77
846 When the recipient organisation receives the notice of a correction of peronal data, it also has the same choice as the first organisation as to iether to correct its records." If it does not make the corrections, it mIst also annotate the personal data in its possession or under its Control with the correction that was requested but not made7
847 There are numerous exceptions to the Correction Obligation. The first
s contained in section 22(6), which exempts organisations from having b corect or otherwise alter an opinion, including a professional Or an expert opinion. The remaining exceptions are expressed in Personal Data Protection Act 2012 (Act 26 of 2012) s 22(1). 2ersonal Data Protection Act 2012 (Act 26 of2012) ss 22(2) and 225). ersonal Data Protection Act 2012 (Act 26 of 2012) s 22(5). TSOnal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(a).
ersonal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(0). ersonal Data Protection Act 2012 (Act 26 of 2012) s 22(3). 3onal Data Protection Act 2012 (Act 26 of 2012) s 22(4). rersonal Data Protection Act 2012 (Act 26 of 2012) s 22(). 281
Data Protection in the
Access ana
scction 22(7) and listed in the Sixth Schedule 0 Th subset of the exceptions which are found in the re a sma the Fifth exempting organisations from the Access Scl Sixth Schedule states that the Correction does not the following. app
Obligation Obligation.SchedulThee
(a) (6)
opinion data kept solely for an evaluative purpose: any examination conducted by an education institution scripts and, prior to the release of examination ion,
results,
results;
personal«data
of the beneficiaries of
()
the
(d)
the purpose of administering the trust; personal data kept by an arbitral institution
(e)
a
for the purposes of arbitratio administered by the arbitral institution or
solely
rection Obligations
Practical Context
priva or
trust a
apply to
neous, false
the uture, tne
hat
e
as
n
in
if it
for
reeauences
negauve
Con t context,
howe..CCtn
p o r T e c u o no t h e r
fect the
be
correct
not
xamination
unnecessary
demed erroneous l c n g t h
mediation on centre mediation centre; oceedings a document related to a prosecution it all proceedings related to the prosecution have not been completed. or
«
8.48 The procedural matters in relation to a correction request are t out in the Regulations and they are the same as for the access quest The only differences are that under regulation 5,3 the irame for a response for a correction request is "as soon as so
practicable under regulation 7(4),*" an organisation cannot charge a fee under and the Correction Obligation.
since
of
"ength
of
the
For
to
seven
years. The former data because
i
example, in the employee, Sarah, who with her former requests employment employer of be r ,
years to change the
Sarah
Sarah is is no
Tvice
on
made
If the annotati
kept solely f
mediss
ce
0 ngployer;, unnce
incomplete perso data
and
accurate. This might lead individu
truce
o faO former
consider
ddoes
examination
was
longer
record to
personal
Sarah's be
service requested
itis
employee, and the unchanged at seven personal data was simply an
lett
is
changed but changes were
stating
the
actual number of without made" nething which an organisation seems to be permitted to do being
specific
Sarah was a loyal employee for seven a future the potential employer contacts the lost. be may employer to conduc background checks on Sarah, the ycars former employer will not indicate that Sarah held by the employee for seven years but was an uncommitted a loyal
years, s o
section
22(5),
under
the fact ithat
.
inlornation
had
been
who only stayed with her former employer for seyven
eremployee
months.
851
situations, the power given
In some situati
to an
organisation
to not correct
the advantage of the individual, although work nal data may to be uncertain. If an organisation holds m o r e likely are the effects that are inaccurate or incomplete, then in individuals on nersonal data the data set may be of little or less use to breach, a of security the event accumulated the utilise personal data for nefarious those who wish to this cannot be a truism to be relied upon as However, purposes. will know how to combine data sets intelligent personal data thieves that the personal data is outdated, determine to and will be able to create an even or wrong but will, nevertheless, be used incomplete of the individual with the historical or erroneous faller to
8.49 From the
foregoing, a number of points can be made about the Obligation. First, the obligation to correct is onlylimitedto errors and omissions, and thus constitute relatively narrow grounds on
Correction
which corrections can be requested. 8.50
Secondly, the Correction Obligation is by no means a strict obligation
to correct when the organisation has the power to decide thata correction should not be made, albeit on reasonable grounds, This carries both positive and negative repercussions. One negative etfect is that erroneous, false or incomplete personal data can continue to be held about an individual. Although an annotation of the correction if this is not done properly, it may be possible is
requested 80 81 82
83 84
required,
s 22(7) and Personal Data Protection Act 2012 (Act 26 of 2012) Sixth Sched. Sixth Sched, Personal Data Protection Act 2012 (Act 26 of 2012)
paras 1(a)-1(e). Personal Data Protection Regulations 2014 (S 362/2014) reg 2. Personal Data Protection Regulations 2014 (S 362/2014) reg. reg 7(4) Personal Data Protection Regulations 2014 (S 362/2014)
282
profile
personal data, whichever
case
it may be.
8.52 The third point to be made about the Correction Obigation goes to
the heart of the obligation itself. If personal data is in error the Complete and the individual has requested correction, in cation ought to be made unless it is trivial or insignificant,
or
ch case the individual would probably not have requested tne
oection in the first place. The way the Correction Obligation5 on the gned is problematic. posing a requirement By
283
Data
organisati
to
organisation*"
or
Prolection
in the
Access and Coreclion Obligations
Practical Context
send the corrected a subset thereof,*
person onal data toto to
which
it has personal data in the past one ycar, may create This means that too informed, some of which may not need many oroa
over-inclusiveness.
such as where the need for them to
create the problemoher
disclosed the
the corrected ations may the corrected persoy
longer exists, for example, if the company and the delivery has been completed or provides service for warranty purposes and the the expired.37 no
well as opinion data vould appear that the main
or Cxperto p i n i o n s ,
every
cation could be h i c hr e c t i f i c
since
personal da
organisationif thewasersonal data elivery
i t is
her
Hence,
th.
rsonal data is
or
his
given be
uhat
requested are
individual who has
at
least
without
kept solcly for
bulk of evaluative thosce of a Tsonal data for
factual nature. vested interest to
error or
this minimum ;
mount
ensure omission, individuals
of
control
should
over
personal data.
their
a
ganisation warranty orperiod
FUROPEAN UNION POSITION
has
8.53 To counter this over-inclusiveness problem, the Legislature limiter such that if the other organisation does not need the da personal data for any legal or busines requirement to send the corrected purpose, then there secied organisations. This is a convoluted way of personal data to thohose the structiring Obligation and requires more resources thar Correctic is necessary, bothi its implementation and in the decision-making process of whethae make the corrections and to ther to whom the corrected personal data be sent. For some they may find it easier to sho organisations, comply simply forwarding the corrected personal data to the other organisations it has disclosed the persornal data to in theall the past one v than to make an assessment of whether the year other
organisations need corrected personal data. Untortunately, this would individual's corrected personal data is being passed mean that an around to maaw organisations unnecessarily since they have no need of the corecte
European 855
("EU") law providesacomprehensive
Union ("EU'")
system rights In particular, the EU General Data ta subject. Protection has given individuals 2016/679 numerous new rights with corresponding on ourdens ed of
Regulation
organisations which are requirements quite detailed to be
accompanied
data. Some of the sCussion below is only intende
process p e r s o n a l
and
an
introduction to the
materials.
Right of access
The Directive
the
8.56
personal
are the EU Data Protection Directive 95/46/EC and is further trenothened in the EU General Data Protection Regulation 2016/679. stren Arnicle 12 of the EU Data Protection Directive 95/46/EC sets out the
data. This adds
to
the
availability,
individuals' personal data, thereby accessibility and increasing secuniy risks for the individuals and, ultimately, the organisations as well, as their computing systems would be a rich target for attackers.
accumulation
of
8.54 In terms of good data protection practices that foster personal data security, the individual should simply have been given the ability to have the personal data rectified, and to specify which organisations the corrected personal data should also be sent to as deemed appropriate. This would not give too much power to the individual over the personal data the organisation holds as the exceptions for the
Correction Obligation exclude opinions, whether they are profesional
The right of access for the individual has been enshrined in EU law
clements of the data subjects right of access. To be clear, there are cxceptions to the right of access that are enumerated in Article 13 and which are also applicable to other rights, but these exceptions are selfFlimiting. So, for example, Article 13(1) allows exceptions where it snecessary to safeguard national security; defence; public security; the
8
Personal Data Protection Act 2012 (Act 26 of 2012) s 22(6). Personal Data Protection Act 2012 (Act 26 of 2012) Sixth Sched, para 1 (a).
22(7) and
Regulation (EU) 2016/679 of the European Parliament and of the LOuncil of 27 April 2016 on the protection of natural persons witn egard to the processing of personal data and on the free movement or
Such data, and repealing Directive 95/46/EC (General Data Protection 85 86 87
Personal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(6). Personal Data Protection Act 2012 (Act 26 of 2012)
s22(3).
Personal Data Protection Commission, Advisory Guidelines on Kry
17 the Personal Data Protection Act (revised on 15July 2016) at para l»s4
284
egulation) ("EU General Data Protection Regulaion 2016/679). 94ve95/46/EC of the European Parliament and of the Council of ctober 1995 on the protection of individuals with regara to ue proce of personal data and on the free movement of such aaa
93OJL 281/31 ("EU Data Protection Directive 95/46/ EAU 285
Data Protection in the Practical
Access and Comectiom Obligations
Contex!
prevention, investigation,
detection and prosecution of ethics for regulated financial interest of a
of breaches
8.57 Article 12(a) of the EU Data Protection Directive member states to guarantee every data a constraint and at reasonable intervals to
fessiocrins,minanal
(b) (c)
(d)
(e)
the purposes of the processing; the categories of data concerned; the recipients or categoies ot
disclosed;
data without and o
personal data it following-98
recipients
to
whom
the personal data undergoing processing and any available intormation as to the provided in source of the and
in the case of automated decisions, the
automatic processing of personal data.
the
data
s
ntelligible person- fom
logic involved
example, to saisfy Article 12(a), organisations cannot just cursorily inform the data subject that it is processing his or her name, address and date of
birth without providing the specifics of what name they hold for her, her actual address and her actual date of birth. Thus, this means that an organisation would have to tell an individual specifically, for example, that: "The name on file we have for you is Mary Magdalene, the address in our records for you is 3 Calilee Rd, Magdala, we do not have your date of birth in our records." 8.59 The other information specified in Article 12(a) such as the source of
available, but
the information would also need to be provided where data an organisation must not destroy information about the source of in order to be exempt from disclosing it, nor should it avoid keeping documentation on the source of the personal data. This provision aimed at maintaining fairness and accountability, the two principi
EU Data Protection Directive 95/46/EC, Arts 13(1) (a)-13(1)(g) EU Data Protection Directive 95/46/EC, Art 12(a).
286
the
need
to
s o u r
the on
provide
aled iafornmation
.ndergoes any processing
as well as the
processes explained in intelligible form be to the or legal jargon should end, this be avoided adeect. To where that is the on information being held by eviatu0 be explained to the data subject. Finally, where must
and
an
technical
s,
nced
decisions
aated de
he
ulomated need pocess
Kaluate
The
the
whether
have
ugem
general logic of the decision
with
the
criteria utilised
to
subject,
of the EU the
right
to
Data Protection Directive 95/46/EC access information extends to the past and
pean
arose
from
into
the
explained, along
past. This issue was Union ("CJEU") in
dear
howlong
en made,
b e e e d
5
data
vordin,
an
to the
ab
ganisatuon,
a
practical
terms, Article 12(a) requires the data to be informed about the categories of data processed as wellsubjects as about the actual content of the personal data. For
92 93
nat
the
wethouders van
in ththe
8.58 In
In
stated
subject has a right to obtain confirmation from ular, very data om the organisation whether or not personal data is being on as to process what is and information the
(a)
Sing
SCd
ersonaldata t h a t
personal other information about their personal data. In particula
concerning
Commission has explicitly
above.
and so on
subject right95/46/EC of access Tequires their
processing
be noted that the organisations do not Singapore, the personal data. source of should
It
offences, of important economic or member e EU, including monetary, budgetary and axatior ation matters or of the or
a
examin by the Court of Justice 2009 in the case of College van Rotterdam v MEE Rijkeboes ("Rijkeboer")
dispute
Rijkeboer and the College, College partially refused to provide ata relating to him in the past. Rijkeboer had between
authority, where the municipal with personal
ikeboer uested that the College inform him of all circumstances in which him had been disclosed to third parties in the two years relating to tata neceding his request. In response, the College provided Rijkeboer th the details of the recipients to whom personal data had been isdlosed, but only for the period of one year preceding his request, in accordance with national legislation. The College claimed that personal data dating back more than one year prior to his request had been, according to Dutch law, automatically erased.7 862 The issue in the CJEU was whether the national legislation, which set the time limit of one year, was compatible with Article 12(a). The
gEU outined the role of Article 12 and stated that the right of access
opersonal data is necessary to enable
the data subject to exercise the gIt to rectify, erase or block his personal data or to notify this to
"esonal Data Protection Commission, Advisory Gruidelines on KeyConaepts B Persomal Data Protection Act (revised on 15 July 2016) at para 15.7.
6U Data Protection Directive 95/46/EC, Recital 41. se C-553/07 (7 May 2009) ECLI:EU:C:2009:293.
steT en wethouders van Rotterdam C553/07 ((7 N 3/07 May 2009) ECLI:EU:C:2009:293 at |25).
v
287
MEE
Rijkeboer Case
Data
parties
third
which
Access and Corectiom
Protection in the Praclical Context
arc
contained in Articles 12(h the CJEU also and stressed that t is also necessary to enable the data to cxercio subject object to the processing of personal data his rigt in was of the view that for a data to be subject able of these sets of rights effectively, access to the personal "must of necessity relate to the past",100 ata access the data would not be in a position to exercise his personal data rectified, erased or blocked or
respectively. Secondly,
12
contained
CIEU
effectively
and obtain
acces
Article 14 to. The
exercise both
otherwise, to
bring 10i legal compensation for the damage suffered.
proceeri edings
the
length of time or subject with the
the scope, the CJEU burden of the organisation s personal data. It noted that in other parts of of the EU Data Prote Directive 95/46/EC, account may be taken of otecion the disproportion nature of burdens, and concluded that a
balan. balanced the to stOTe
right of the data
subiject's personal
disproportionate
data for
effort required
a
of
legal obligation to keen. long period of time would hethe
organisations.2
legislation of member states should strike interests of data subjects and the
a
It said
fair balance
organisations holding the personal data.0 The CEU said:101
or
that
ricted ea
anduly ataonabout
een t e processing esSing
limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information. Rules
while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the
determinations necessary.
personal data may not be rights of both parties, rtunity to obtain the personal data. oftheir
the
processing
- New European Union law
R i g h to fa c c e s s -
has
ght of acce
EU
in
the
been further
strengthened
ation 2016/679.
EU
Data
Protection
in the EU In addition to the
General
provisions
Directive 95/46/EC,
the EU
Protection Regulation 2016/679 adds a Article 156 sets out the and clarifies some rights ss by the data subject and it adds that a data subject h ofextra present
obligations.
General
1o
obtain,
where
data will personal
a
the
accCSS one's
acce
timne
The. Data P r o t e c t i o n
Regarding
to
To balano the time limits. restrictcd by a reasonable b j e c t s m u s t a l s o be given
this regara,
bject ight toSulhave
8.63
data
the right
Obligation
ermine
that
the
possible,
8.66 fa order
envisaged period
be stored or, if not
neriod16
and the
right
supervisorya u t h o r i t y . 107
expressly
possible,
of
couple
for which the
the criteria used to
lodging a complaint with
a
give organisauons some flexibility in meeting the es requirement, Recital 63 of the EU General Data Protection that where possible, the controller Reaulation 2016/679 provides remote access to a secure system which to able be provide tould to
wOuld provide the data subject with direct access to his or her personal
daa. However, this should not result in a refusal by the organisation to 108 provide all information to the data subject. 8.67
98 99
wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [51].
College van burgemeester en
College
van
College
van
burgemeester
en
burgemeester
en
wethouders
van
Rotterdam
v
MEE
C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [51]-[52]. T00
wethouders
van
Rotterdam
v
MEE
Rijkeboer \ase
MEE
Rkeboer Lase
C553/07 (7 May 2009) ECLI:EU:C:2009:293 at [54]. Rotterdam
101
Rijkeboer Case
College van burgemester en wethouders van C553/07 (7 May 2009) ECLI:EU:C:2009:293 at [54]. 102 Colege van burgemeester en wethouders van Rotterdam v MEB KIRRD0r C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [62] 103 Colege van burgemeester en wethouders van Rotterdam v MEE KyJReD0 G-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [64]. v MBE RiyReD0 van Rotterdam van burgemeester en wethouders 0LolUEge C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [70]. 288
v
ase
ase
Ihe organisation should also use all reasonable measures to verify the of a data subject who requests access, especially in the context services and online identifiers. Lastly, possibly with the
dentity aonine hgpadboer case mentioned above in mind, organisations should not cain personal data for the sole purpose of being able to react to potental access requests.
106General Data Protection Regulation 2016/679, Art 15. 07 neral Data Protection Regulation 2016/679, Art 15(1)(a). General Data Protection Regulation 2016/679, Art 1o EU General 09 EU Genera Data 2016/679,
ata
Protection Regulation Recital o Protection Regulation 2016/679, Recital 64. 289
Access and Corectom
Data Protection in the
Article 12 (5) stipulates that the information should he of charge unless the requess from a data subject are provi free unfounded or excessive, in particular because of their character.0 In such cases, a reasonable fee takino int administrative costs of providing the nformation can be account the the organisation may refuse to act on the request. This departure from the position in Singapore and complianco to be costly for organisations.
mani fesdy repeitve
narged or te a compliance mayquiprove
eciiat
8.70 onerous to
right requirements in the EU laws are quite when compared with the Singapore legislati
EU
Protection
Directive 95/46/EC
povnles t n a ld a t a
relating
accuracy
ta
the
piUcula lar
p o c e s s i n g1 . 4
The
les
ightforward exa
a
ired
to
naguired sted.
eland sabject,
name
is
of
rectification
may include where the
where here has been a of nuumber. For some rectilication, evidence may be
change
correct or
antiate the alleged inaccuracy and the changes dentiary proof required must be at an appropriate
substantiat
The evide
must
c an unreasonable burden of proof on the data
placec
not
thereby precludi
data subjects from having their data
may be demanding a birth certificate as example An where the birth certificate may have been cified. proof form of in a w a r . the only fire o r of
destroyed
in a
acccss
comply with
requirements. Organisations that find themselves falling within
the
jurisdiction of the EU laws would need to ensure that their personsl data practices are fully compliant well beforehand.
3.
Data
subjects "must be able to cxerCise the right offurther access him which are being processed, in order to ver hi to o off the data and the lawfulness of racy the
41 o f the
p e l i n go
8.69 As with all data subject rights, the information should he n the data subject without undue delay and within one month ovided of the request. That period may be extend by two further mon where necessary, taking into account the complexity and numh er of the request.
strengthened
-
Practical Context
8.68
The
Obligalio
Right to rectification The Directive
EU Data Protection Directive 95/46/EC also gives (b) of the data erased. This is often due hiects the right to have personal basis for the collection or processing of o the lack of legitimate c o n s e n t has been withdrawn, or where as where al data, such is n o longer needed for the purpose of the data he personal counter sucth a request for erasure, organisations rnlection. Thus, to the legitimacy of the processing,15 il need to show
8.71
As mentioned above in the Rijkeboer case,
the CJEU had held
that one of the reasons for the ight of access was so that data subjects could exercise their right to, amongst others, have their incorrect personal data rectified. Article 12(b) of the EU Data Protection Directive 95/46/EC provides that every data subject has the right to
obtain from the organisation, "as appropriate the recification, erasure the blocking of data the processing of which does not comply with or the of because incomplete in this of Directive, particular provisions
or
inaccurate nature of the data".13
875
data subjects the right to have personal Lastly, Article 12(b) also gives data the
that personal therefore be used for would result in further processing, especially if the processing decisions being made concerning the data subject, in particular, deleted in such a Degative decisions. The personal data will not be fair of processing, the with the Kenario but in accordance principle
da blocked. This was
incorrect
or
might
be due to
allegations
inaccurate and should
not
personal data, in accordance with Article 12(b), cannot be utilised." 8.76
concerns the right of notification to third partiesto or Upersonal data has been disclosed of any rectification, erasure
2c) 110 111 T12
113
Art 12(5). EU General Data Protection Regulation 2016/679,
EU General Data Protection Regulation 2016/679, Art 12(3). Lase Rotterdam v MEE Rijkeboer Colege van burgemeester en wethouders van ECLI:EU:C:2009:293. C-553/07 (7 May 2009) EU Data Protection Directive 95/46/EC, Art 12(6).
290
EU Data Protection Directive 95/46/EC, Recital 41. U Data Protection Directive 95/46/EC, Art 12(D). U Data Protection Directive 95/46/EC, Art 12(b). 291
Data Prolection in the
Practical Context
blocking, unless this is impossible or involves a disprono. personal data has been published on the are many and their identities unknown l17 Inteor,
rtionate elfon
such as when the recipients
and
Right to rectification-New European
4.
CHAPTER9
Union law
Care
8.77
of
Personal
Data
The right to rectification under the EU Gencral nas Data Regulation 2016/679 is far more strongly: and was in the EU Data Protection Directive than 16 of theiu EU General Data Protection Regulation 2016, that an organisation should rectify without undue dat that is inaccurate." As for incomplete personal data, into accou unt the purposes of the processing, the data subje has the to incomplete personal data completed, by means of have 20
rotecion
clearly
worded 95/46/EC.8 Article 16/679 provides
a
delay personal taking right cluding
providing
supplementary statement.
8.78
Article 16 is very clearly articulated and leaves no room for dou unlike Article 12(b) of the EU Data Protection Directive 95/46/EC
prefaced with the words "as appropriate" and which that the right to rectity, erase or block could onlv he exercised when the processing does "not comply with the provisions'n of the EU Data Protection Directive 95/46/EC. Article 16 also grants to the data subject a clear unfettered and absolute right to rectify inaccurate personal data, unlike the Singapore statute which gives the organisation an opportunity to decline correction on reasonable grounds.22 As for the right to rectification of incomplete personal data, the only criteria that can be taken into account according to Article 16 is the purpose of the processing. This is again relatively narrowly specified when compared with the Singapore legislation, where rectification can be declined on reasonable grounds. which
was
specified
h a n t e r will deal with
the tirst three Obligations in Part VI
f Personal Data) of the Personal Data Protection Act 2012 (Care of ithe "Act"), regarding accuracy, protection and retention of personal data, To a large extent, the Accuracy Obligation and the Completeness Obligation are quite lax and may not be effective in achieving their aims.
A.
ACCURACY AND COMPLETENESS OF PERSONAL DATA
9.2 The Accuracy Obligation requires organisations to make a "reasonable to ensure that personal data collected by or on bechalf of an is accurate and complete.* However, even this "reasonable
efort Organisation ettort" required
is not an absolute requirement, as organisations are
Only Tequired to do this if the personal data is likely to be used by the to make a decision that affects the individual to whom the personal data relates* or if it is likely to be disclosed by the organisation
Oganisation
to another organisation. This is indeed very weak protection for the ,
as talse and incorrect information can continue to De
and the the individual.
117 118 119
EU Data Protection Directive 95/46/EC, Art 12(c). EU Data Protection Directive 95/46/EC, Art 12(b). EU General Data Protection Regulation 2016/679, Art 16.
120
EU General Data Protection Regulation 2016/679, Art l6.
121 122
EU Data Protection Directive 95/46/EC, Art 12(b).
Personal Data Protection Act 2012 (Act 26 of 2012) s 22.
292
perpetuated without the knowledge and control of
Act 26 of 2012.
Onal Data Protection Act 2012
(Act 26 of 2012) s 23. Dal Protection Act 2012 (Act 26 of 2012) $ 23(0). Persona Data Data Protection Act 2012 (Act 26 of 2012) s 2510).
293
Data
Care of PersonalData
Protection in the Practical Context
9.3 As noted in
chapter 8, the rights rights and they would not
to
absolute rectio are that is held or used to be accurate, n especially when orga. a choice whether to correct personal incomplete. The Accuracy Obligation 1s data that i in errorhwave
Accuracy Obligation
is set at such it can achieve its stated
ecessarily engender
a
objective.
personal daa
equally relaxed
low level that it s
The
isdced
howhe Personal Data nclear Pro
Commission (the "Commission") has indicated that the e otction Accuracy Obligation is to ensure that where m of the data may personal to make a decision that affects the be used u individual, the data correct and complete so as to ensure that the asonably decision to b takes into account all relevant parts ot accurate personal data 6 made 9.4 First, imposing the obligation ot accuracy "may be used to make a decision 1s
on
only personal
a the
a
common for a data that was initially thought unlikely to be used forpiece o any decisions to be in fact used later on, King perhaps several make a decision. However, as the initial assessment years later. was that unlikely to be used for decision-making, no care was taken to it we ensure that the personal data was accurate and complete. An example of this may be information on an individual's educational qualifications for a store discount card for the purpose of sampling the of customers. This type of personal data may, however, be used years later to make decisions on which holders of the store discount card should be invited for a new co-branded credit card.
personal
malino
demographics
9.5 Secondly, if the aim is to ensure that any decision made affecting the individual takes into account all relevant parts of accurate personal data, then organisations should not be given any choice to decline the correction of personal data that is in error or incomplete. By organisations a choice, this opens the door for inaccurate and incomplete personal data to creep in.
allowing8
6
Personal Data Protection Act 2012 (Act 26 of 2012) s 22. Coma Guidelines on Ky
Data Protection Commission, Advisory rersonal in the Personal Data Protection Act (revised on 15July 2016)
recasonai
Thirdly
of
at
y
that
at pare
16.2.
not
low, well
flexible
l is
circumstances
onable eftort" entail
7TCasc Danad
The five factors
1
h a s provided a list of factors that should be taken what constitutes "a reasonable
The 9 7 Commissior.
effort".
todetermine
into accountt o
Thehirs
factor
is
that
of the nature of the
individ
the health,
it would
higher personal
effort
be
a
would
data such a
9.9
data and its
significance to
example, if the personal data relates nificant type of personal data and, presumably,
concerned,
be
for
required as compared with other types of ference for a brand of mobile phone.
person's
for which the data is
second factor is the purpose The ar disclosed. Presumably, the more
collected,
used
serious or important the purpose,
be to ensure accuracy. The third factor is higher the effort should data. The Commission has confirmed that where the of the reliability DErsonal data was obtained from the relevant individual directly, organisations may presume that the personal data is accurate.° The the
Commission also suggested the device of requiring the individual to
make a verbal or written declaration that the personal data provided is accurate and complete, especially where the personal data may have ben collected some time ago and the currency of the personal data is
important." 9.10 t would appear from this that the Commission would not require nganisations to verify the veracity of the personal data themselves as rersonal Data Protection Commission, Advisory Guidelines on Key Concepts 4 eFersonal Data Protection Act (revised on 15 July 2016) at para l0.t. sonal Data Protection Commission, Advisory Guidelines on Key oncepas e Fersonal Data Protection Act (revised on 15 July 2016) at para nal Data Protection Commission, Advisory Guidelines on Key lb.4. Con0eps Data Protection Act (revised on 15 10 Personal Per 2016) at
July para Protection Commission, Advisory Guidelines 0n Ne) p Persomal Data Protection at Act (revised 15July 2016) para 6.
in the Data
on
294
to meet is
vague,
in in naturc. The Commission has stated that what will depend on the exact entails t" at
a
delincd and,
9.8
data
sloppiness inthat handling of personal data. lt creates encouraging in hierarchy personal data and leads to double standards being appliedtheto valhu of difto fer ent types of personal data. Further, it is not
5
rganisations are required effort. This standard is
ndard that rdly, the standard
access and
295
Dala Protection in the
Care of Personal Data
Practical Context
rt of satisfying the requirement of reasonab able efforts. For there is no need for as part of organisations their reasona sight documents such as the Natio
("NRIC")
to
prove
the truth ot the
individual would suffice.
Kamyleto, Registration onable eforts personal data. ldentifica
data. AAdecaOn Card
decdaration by the
is the im impact on the individual concerned if the the or incomplete. Thi last factor is in some factor of th nature of the data and first its th e he
is factor data
is
T h el a s t
lated to personal
inaccura1
dividual concerned. For example, if the personal
indiv
to
nay3
sigznificance
the
health
9.11
Where personal data is collected from a third party instead the individual, the Commission d of from suggested confirmation from the disclosing organisation of the acuracy completeness of the personal data or it may also cond and independent verification if it deems prudent to do so.l duct further
organisations could obtain
9.12 This also raises the issue of authentücation, especially in the con online interactions. From the Commission's context of
statements, it appea s that that collect personal data online, such as thtongh their websites, can assume that they are collecting from the elevant individuals directly and the personal data is acurate and relevne comple Organisations may, for their own business purposes, implement processes that verify the personal data such as through sending an e-mail to the e-mail address provided to contirm that the owner of the e-mail account has actually signed up or provided personal data on the
organisations
organisation's website.
9.13 The fourth factor to consider is the currency of the data, this appears to suggest that if the personal data was collected some years ago, to meet the requirement of reasonable effort, the organisation would need to take steps to update the personal data. However, the Commission stated that "an organisation may not be required to check the accuracy and completeness of an individual's personal data each and every time it makes a decision about the individual"." From this,
afais
is also significant to the individual in and on the individual may concern the life and death which
related,
the impact on
he individual, and thus the impact is also significant.
oi f sel,
or we.
ors, one is, however, lett wondering what would 8.15 r e nt h e constitute
"reasonable
movable
feast.
effort" as the standard appears to be an Take the example of entering data, a simple
paper form that a customer ould "reasonable effort" require
uncertain personal data from a ansferring Wo computer system. in to a
led
in place, in addition to the data entry
t h eo r g a n i s
who
second a
Cases
as insurance, banking and health would appear to be required as the nature of the data in
some purposes such
purposes, this
These,
the personal data entered? From the
person
lactors, f o r
these
cks checks
would be quite significant
however,
are
to the individual concerned.
the straighttorward
ye25onable effort" required of utilities such as
ision provisio
cases.
What would be the as the
entry for purposes such telecommunications or Internet,
for data
or car
by the Commission do not give clear rental? The factors set out"checker" would be required for accuratee a whether uidance as to into a coomputer system in these cases. It would data entry of personal factors that would dictate a course appear that there are no overriding of action for an organisation to meet compliance. It may be that aim to meet the higher standard and ensure a checker is in place in order to avoid falling short of compliance. This
oganisations would
would, in any event, be the best course of action for the organisation in order to adequately ensure personal data is accurate.
the Commission seems to be suggesting that the factors may well on the or cancel out each other. This makes compliance based a factors relatively difficult; a factor to which the organisation may gve heavier weight may be given a lighter weight by the Commission.
balance
2.
The four aspects
9.16 addition to these five factors, the Commission also listed four lar aspects where organisations should make reasonable eftorts
TlPersonal Data Protection Commission, Advisory Guidelines on 15 July 2016) atompara Conaeps the Personal Data Protection Act (revised 12
on
7
Guidelines A Personal Data Protection Commission, Advisory 2016) at paird 172 the Personal Data Protection Act (revised on 15 July
296
297
Care of Personal Data
Data
"in order
Protection in
to ensure that
Organisations must make (a)
it
accurately
(c) (d) 9.17 The
personal
Context
personal a
records
source,
(b)
the Practical
data is accurate and reasonable effort to enSitre.
personal
.
data which it
data it collects includes all
completeness;
that:4
relevant parts thereof
shatever
rcumstances
informatüon.
Commission recommended
that
organisations perform the: their o to ensure the completeness of personal data that is likely to be usedaccuracy and decision that will affect the individual.5 The Commission to also0make a that an organisation may also not be required to review all the no data currently in its possessionn to ensure that ersonal they are accurate time it is complete each and to use
reasonable ffort
every
individual.16
likely
make
a
decision abontt the
.18 It would appear that the Commission is on the one hand espousing the ideal of making decisions about
organisations
accurate and
complete personal data,"
requiring from organisations order to achieve this.
individuals ing
but on the other hand, it is not the rigour of the standards required in
act on individuals are relatively non-significant pended satisfy
could iht be that any etfort that is hlosure of the currency of the personal data, nseriort" In terms disclost
it has taken the ensure appropriate (reasonable) steps in the to ensure the accuracy and correctness of the it has considered whether it is necessary to update the data and
risk assessment and
here t . h e naturcce 920
collccte
personal
of the personal data, purpOses of the collection use
complete
able
effort"
humb might be that any personal data more than
thum of
ould be verified wit the individual and updated as data ata is relatively static personal dar the personal anless other types of biometricdata.
rule
rough thne years o l d
a
r e q u i r e d ,u n l c s s
asthumbprints, irises
data, purposes of the collection use individuals are significant in any way, then isclosure, or the approach of doing all it can within its c o u l d adopt isations be impractical or impossible. organk imited only by what would of reasonable effort" and would be the standa above sit the
nature
ofthe
personal.
impact on
or
This
would
compliant
obligation. with the
European Union position 4.
9.22
(°EU") position on accuracy and completeness data has been well established since the EU Data Protection Article 6(1) (d) requires that personal data
Union The European of personal
Diecive 95/46/EC.8
mst be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate
3.
Compliance with Accuracy Obligation
or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified" 19
9.19 the very fact that the standard of "reasonable effort" is a variable requirement depending on the circumstances, it should be relatively easy for organisations to argue that it has complied with the Accurney not Obligation, even though the requirements for compliance are
By
9.23 TheEU General Data Protection Regulation 2016/6790 is similarly Narded in terms of the accuracy of personal data. The requirement in
entirely clear. 13
Personal Data Protection Commission, Advisory Gruidelines on Key Conas n the Personal Data Protection Act (revised on 15July 2016) at para lD.
14
Personal Data Protection Commission, Advisory Guidelines on K A in the Personal Data Protection Act (revised on 15 July 2016) at para
15 16 17
Personal Data Protection Commission, Advisory Guidelines on K
in the Personal Data Protection Act (revised on 15July 2016) at para on Ky n Advisory Gruidelines Fersonal Data Protection Commission, on 15 at 2016) parn July in the Personal Data Protection Act (revised Guidelines on K) Protection Commission, Aduisory Data Personal 2016) at pard Protection Act (revised on 15 July n the
PersonalData
298
irective 95/46/EC of the European Parliament and of the CounCil ot October 1995 on the protection of individuals with regard to the
Caing of personal data and on the free movement of such data
OJL 281/31 ("EU Data Protection Directive 95/46/EU), Art 6(1) (d).
Data Protection EU 0 Directive 95/46/EC, Art
Reg
(EU) 2016/679
of the
6(1)(d)
European Parliament
and or
uie 27 April 2016 on the Cof natural perso regard to the processing of perso protection data and onof the free movement of such d and
repealing Directive 95/46/EC (General Data Protection (cont'd on the next page) 299
Data Protection
in the
Care of Personal Data
Practical Context
EU law is clear, that personal data must be and absolute standard required. It also
vidual
accurate,
that
the an obligation organisations to keep the personal data up toimposes date where re
necessar
osed
disc
that
for
respect
to both
personal
data that was
step had
personal data that incomplete. Under the EU inaccicCurate : Protection Regulation 2016/679, for personal data that isGener Data incomo discussed in chapter 8, the data subject has the mplete, to rectification right under Article 16, manifested in the right to have
well
as
was
as
data
completed, including by
means of
statement.
incomplete personol providing a supplementay
reasonable efforts to ensure that personal data collected by or on behalf of the organisation is accurate and complete.22 To take every reasonable step is to do everything reasonably possible which entails the maximum amount of effort. To make reasonable effort, however, does not involve expending the maximum amount of effort, especially given the five factors outlined by the Commission.23
9.26
on A further point of difference is that the EU law requirements to whereas the requirement make accuracy applies to all personal data,
reasonable effort in the Singapore statute only applies to personal daa
likely
to be used
Regulation) ("EU
by
an
organisation
to
make
a decision
ulae
organisation.25
within the jurisdictional reach of the EU, it hat fallstraightforward to have one set of accuracy of
n e a t e ra n d m o r e s
that adhere to the EU standard. This would and would assist in practices minimising
personal data p r a c t i c e s rb
best
liability
a
industry
claim.
l dindividuals m a k e . eel
OF
PROTECTION
PERSONAL
DATA
B. of personal data in the Act, the the of is key provisions to the personal data Obligation, ovision mandating the security of ithout a regime. rotection data protection regime would Pldata, the whole personal
9.28 The prov
on
the
protection one
Protectio
persona
The Protection Obligation 9.29
Section 24 of the An
General
Data
Protection
Regulation 2016/0
Art 5(1)(d). Regulation 2016/679, Data EU General 2012) s 23. of 26 2012 Act (Act n Personal Data Protection Protection
magtis
Guidelines na 16.4. Commission, Advisory 2016) at pa Personal Data Protection on 15 July Protection Ad (revised 7n the Personal Data 300
Act
organisation
its control
by
provides that:
shall protect making
personal
reasonable
data in its
security
possession
arrangements
to
or
under
prevent
unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 9.30 The Protection Obligation is broadly worded to cover all kinds of
Secunity arrangements from administrative measures to physical and nical measures. The standard that organisations are held to is aOnable security arrangements". Like the standard of "reasonable the Accuracy Obligation, the Commission has stated that tor there
no single solution. Organisations are to adopt security dirents that are reasonable and appropriate in the
Art 5(1) (d). 22 23
data relates?or if it is
to another
ganisations t h a t .
ances.
21
personal
fll apart.
9.25 It should be noted that the EU requirement of taking 'every reasonable step" to ensure that personal data is accurate is quite different from the legislative requirement in Singapore of making
that is
the
organisati
iely
organisations must take everyslight differenc reasonable
inaccurate personal data, while previoue e step the EU Data Protection Directive 95/46/EC, every reasonable under sten to be taken with to
by
whom
an
be to
9.24 The EU General Data Protection Regulation 2016/679a Tmana. every reasonable step must be taken to ates that ensure that are inaccurate, having regard to the purposes forpersonal d that processed, are erased or rectified ithout delay. The which they are in the new EU law is
only with respect
to
fectsthe individual
24
Personal
Some of the factors that are relevant and can De
Data ersonal Data Protection Act 2012 (Act 26 of 2012) s 23(a). 6 Perso Act 2012 (Act 26 of 2012) s 23(6). Tsonal Data Protectic Act 2012 (Act 26 of 2012). n the TOtection Commission, Advisory Gruidelinesaton Key onapis Persomal Data Protection Act (revised on 15July 2016) para ll.6*
Protection.
Personal
301
Data Protection in the Practical
considered include the the
personal
nature of the
Care
Context
data has been collected,personal data and the
both
security arrangements. If a organisation is an employer, then all of the personal data it hol. concerning employees should be given a high level of securi protection. Similarly, the personal data held by healthcare clinics. such as medical clinics and physiotherapy clinics, would comprise largely of health related personal data and, hence, these organisations should be mindful that much of the personal data they hold is highly confidental and sensitive in nature and should implement high levels of security for the personal data. 9.32 Second, the Commission also stated that organisations should identify reliable and well-urained personnel responsible for ensuring information security.31 The Commission is clearly placing the onus on of organisations to engage personnel to manage the security personal are are appropriate personnel in that they data and to ensure that
they
where reliable and well-trained. This cannot be stressed enough ned to information Organisations utilise technology. organisations are to ensure that their computer systems engage specialised personnel that can the consequences secure from unauthorised access and all
29
30 31
Cuidelines on Ky ng Personal Data Protection Commission, Aduisory at para on 15July 2016) Act Protection (revised the n Personal Data Guidelines onm Kay ong Advisory Commission, Protection Personal Data at para Conces on 15 July 2016) in the Personal Data Protection Act (revised on Guidellnes n 7.3(a). Personal Data Protection Commission, Advisory at pa s on 15July 2016) on n the Personal Data Protection Act (revised Advisory Guidelines h) Commission, Protection 2015) at paia rersonal Data Protection Act (revised on 15 July m
the Personal Data
302
employees
as
well
as
others.
nisationss h o u l d
personal data they hold being deleted or tampered
Oganisa
he n t negatively o on the integrity of the personal
negatively albo result
impacting
hereby data.
should implement robust policies and procedures
Third, rganisations she
riate levels of security for personal daa of varying organisations«can implement such policies Before ivity.shey would need to assess their personal data
933
9.31 In terms of compliance with the Commission gave some indications of Protection Oblipatio what would be gation, the exp ected of organisations." First, organisations should security arrangements to fit the nature f the design and or personal data held by the organisation and the possible harm that result might breach0 Organisations would need to0 assess the from a s kinds of per it data holds and devise appropriate personal
from
always be mindful that unauthorised access can
therefron,
tho
individual concerned in the event possible form in which of any unauthorised disclosure, modification and so npact to the on. For example., anu access, use, on health would call for much higher levels levels of security data on an individual's favourite security than data restaurant or the one drives. Similarly, an individual's salary is mod.el of personal car tha often confidential piece of informatuon so that individual's remuneration should be well personal data data cone. conceningsan guarded.
28
Data
of Personal
and
rocedurcbtain the nature of the personal data as required by lined by the Commissio In the employment outlin
ventoryand
requirement
lirst.
the
for
example,
necessitate
might
appraisals idential employee
f o rh i g h l y c o n f i d e
the
this
hhealthcare insurance, employee health
provides employer deserve higher
rds would also
a higher level of security personal data on salaries,
levels of protection.
records
to be prepared and able to respond to organisations need reaches promptly and effectively.3 This is a formation security detailed and which will be considered1 is quite anse Dlan which
9.34
Lastly,
below.
9.35 a considerable number of the cases dealt As discussed in chapter 2, date have concerned lapses or failures to with by the Commission to included cases of data leak such as Fei Fah These data. protect personal Medical Manufacturing Pte Ltd" K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd,5 The Institution of Engineers Singapore and
Metro Ple Ltd37 In these data leak cases, the information technology Ised was not properly secured, and the cases highlight the need for
Onganisations to engage reliable, reputable and trustworthy information echnology personnel. The growing number of cases involving lapscs nthe implementation or usage of secure information technology Commission to publish, in January 2017, Cuide to Prevening
a the
o n a l Data Protection Commission, Advisory Guidelines on Key Concepis 8 33 e Personal Data Protection Act (revised on 15 July 2016) at para 17.3(c. n a Data Protection Commission, Advisory Gauidelines on Key Conces Data Protection Act (revised on 15 July 2016) at para 17.3(a). 4 9010al 2016) SGPDPC 3.
2016] SGPDPC 1. 2016] SGPDPC 2. S7 2016) SGPDPC 7.
303
Data Protection in
Care of Personal Data
the Practical Context
Accidental Disclosure when Processing and Sending Persone onal also included useful short summaries of the information failures in some of the decided cases.3 The fact that to publish such a Guide, as well as the vas a need breaches in the cthere was show that there are substantial gaps in the
Data which
l e n g e rT e c h n
af My Digital Lock Pte Lia" 1s somewhat an oddity as
technology
inable why someone would transfer information from quite unimaginable
technology knowledge of both organisations and those individmsclves, basic
the organisation who ought to have known.
reliable and reputable information technolam ensure the software programs deployed have .PesOnne safeguards in place to prevent unnecessary disclosure of pervo y The cases of Fu Kwee Kitchen Catering Services and Pixant Pte Ld" Pte T2 Orchid (S) Web Pte Ltd, Cybersite Services Pte Lud, Ltd and Ea Smiling Solbutions Pte Ltd" ABR Holdings Lid" and GMM TechnoworlH Pa 1. are cases illustrative of this simple principle. The agreements with information technology providers should also include clausee that warrant the systems deployed do indeed protect and secure data. The importance of such contractual clauses were personal played in PPebperdine Group Ple Lld," where the information provider, Ascentis, was contracted to only provide the design nology of the webpage for the respondent." This absolved Ascentis completely from
Engaging
would also
liability for the breach of the Protection Obligation.
9.37 In other
were
not
properly protected, some
place. For example, in Universal Travel Corp Pte Ld
the respondens
cross-checking, the human errors made in Singapore Compruter Socaty Personal Data Protection Commission, Guide to Preuenting Aecailena Disclosure when Processing and Sending Personal Data (issuwd on 20Jomuay
2017). Personal
Disclosure 41 42 43 44 45
46
47
of transfer,
Such
as direct connection to a
ganisatior
olicies
through C-mailing the files to oneself. Nevertheless, need to protect themselves from liability by setting still ohibit the use of any open platforms for any transfer
that prohiB
ut o fpersonal d a t a .
Id and Toh-Shi Printing Singap0re Ple Lid,
9.38
procedur
were
in
place
but
they
were
on the other hand, not
followed, hence
eed to e n s u r e employees are properly trained and are mployers ot the processing of personal data. acCOuntable at every step
proper
2.
Data protection by design approach
9.39
for personal data, much of it can be n terms of implementing security from the perspective or approach of privacy by design or
data protection by design discussed in chapter 7, and all the principles
personal
data
should have had a policy that prevented the sending of passenger lss that were not redacted. Similarl, had a policy been in place for
40
hods methods
approached cases where
of them were due to administrative human errors that could have been averted if robust policies concerning personal data handling were in
39
using an open social media platform Common sense would suggest many other better
computer to their
Faccbook.
faster
such
computer o r
9.36
38
hone
formation
s in
logies Ltd and Xirlynx Innovations;and Central Depository Shi Printing Singapore Ple Ltd would not have
Data Protection Commission, Guide to when Processing and Sending Personal Data
2017) at para 3.1. [2016] SGPDPC 14. [2016] SGPDPC 19. [2016] SCPDPC 16. [2016] SGPDPC 18. [2017] SGPDPC 2.
JPPepperdine
Group Pte Ltd
and approaches discussed there are relevant to the issue of ensuring reasonable security arrangements are in place. The Commission has given some examples of the administrative, physical and technical
measures that organisations can employ. To address the full range of
security arrangements from administrative measures to physical and technical measures in a given situation, the illustration of the employment context will be considered in more detail. The employment context provides a rich base to begin the discourse as nost organisations are also employers, so they collect, hold and
process a basic
[2017]
[2016] SGPDPC 4. [2016] SGPDPC 9.
304
at
[20].
personal
data.
Preventing (issued on 20Janely
48 49
SGPDPC 2
core of
Accidental
[2016] SGPDPC6. [20161] SGPDPC11.
50 2016)
SGPDPC 20. 2016) SGPDPC 15. Data Protection Commission. A dvisory Guidelines on Key Concepis Personal Data Protection Act((revised on 15 July 2016) at para 17.5.
a
305
Data
Protection in the
Care of Personal Dala
Practical Context
9.40 For
bly
a variety of security measures shoul De adopted o personal data from the time of collection of personal its disposal. The life cycle of personal data could dataa unil pre-application stage when employers are in the bein as the an
employer,
much personal data is collected about potential cruitmen from recruitment firms or from the emplov stage. f seanarches and background checks, best practices requir these toown be even from the prying eyes of kept employees who are not recruitment, directly or indirectly. Indecd, section 94 volved in procedures and processes to ensure that the person
employer's
exposed to unreasonable risks.
be
permissible
mobile
ch
mobile
such as salary, residenti: residential onal data n d date of birth should be SCnsiivei n f o r m a t i o n , aand the
to
aces
pers
address,
restricted
leave and to access
class of employecs.
medical by only.
loyees, eithe
ecurely,
ler pool of employeesbutto more have bile telephone numbery of their colleagues,
943
le, all computer systems holding personal data should Further, passwords should not be shared or passwords. by ted passwords, and employees should be given individual ofa breach, there is the the ability to trace that in
Asa general
be protected
a
event
commor
ords s o responsib those hold to
is
to account.
and
9.41 Where
Lid
Lid and Global Inleractive Works Pte the Cllar Door Pte was unequivocal about the necessity of the system
applicants apply for jobs using employers must ensure that the applicationspaper-based are received applicaions, secure not simply submitted or leit in exposed areas. Access yand
9.44
contents. For examnple, job applications open tray where any person, even if they are employees, and look at the contents. This is to protect not the
measures highlighted by the Commission in this of firewalls on servers, the closure of re the implementation decision 56 o n s e r v e r s and the encryption of login credentials, nused ports of Yahoo Inc, it would be advisable for the data breaches Given the utilised to be reasonably sophisticated and not encryption methods
applications
should be restricted to
only
to the
those who need to sed see he should never be
leftin
an
can walk h
only contents of the that contains the relevant personal data, but also t protect the fact that the individuals have applied for a position with the employer. This fact would be considered personal data under the Act as the individual can clearly be indentified from the data or
applications
application3 and, hence, would be protected under the Act. This would achieve the broader aim of protecting the individual as details
of employment movements are often regarded as sensitive and confidential. For applications that are submitted online such as on employers websites, the information should be encrypted to prevent eavesdropping by hackers.
9.42 During the course of employment, employers must ensure ua employees are bound by confidentiality clauses in their employmentot the sharing contracts. These should extend to prohibitions on both withn with data of people and personal passwords knowledge ensure that should and outside of the organisation. Employers that they need for neu employees only have access to personal data having layercu Work and no m o r e . This, for example, might require with different clearadin computer systems basis. In mostcasc know to need a on levels for different employees
access
53
to
information on
in s 2(1) of the Persona the wide definition of "processing" ch b. and discussed in Protection Act 2012 (Act 26 of 2012)
See
306
In The Cella Commission
administrator's
six
characters
password being strong: it had to be more than
with
a
mix of alphanumeric and special characters.35
Other essential
easily hacked.57
9.45 Employers should invest in conducting regular training sessions for employees to remind them of their obligations towards handling
personal data and
to educate
employees
on
what
are
acceptable and
unacceptable practices. For example, it should be stressed to employees the need for confidential documents to be clearly marked and to ensure that they are given higher security protection. Unacceptable practices, especially if they are known to employers, repeatedly highlighted to employees coupled with stern aings of the consequence for the employees, should they engage in case of the secretly filmed nude videos of Erin Andrews
stould be
nem. The
s e r v e as an incentive and warning for all employers to educate 54
[2016] SGPDPC 22.
larat [30]. Door Pte Lid and Global Interactive Works Pte Ltd [2016] SGPDPC 22
l a(30].rDoor Pe Lid and Global Interactive Works Pte Ld [2016) SGPDPC 22 57 paras 9.93-9.96 below:
(18Teecurity problems (18 December 2016).
Ioseph Menn, Jim Finkle & of too little, too
a
story
307
DustunReuters vo1
late
Data
thcir employees and sanctions are in
understand of
personal
and
Care
Protection in the Practical Context
to ensure
adequate
policies deter erran ant employees.andEmplo physical threats that can data. To this end, ensue ensuc from 1 the employers mu to have in phmis safeguard the security must of for place
the
to
nw.
procedures
disciplinary procedures
employees who mis
cedres, a shodd andi personal dpoligny s, and
a
Unongsr
as
an place. limited with the organisations engaging The eir liabiliy liability for any personal data was the case in bresl Challenger Technologies Ltdprotection and Xirlnx Fei Fah Medical This Manufacturing Pte Ltd and K Box Lid and Finantech Ple Lid. These cases Entertainment vations Holdings can be cont Grout the case of Central P (Pte) Ltd and Toh-Shi Printine Depository with Ltd where the Commission found that Central not in breach (Pte)e of the Protection Obligation asDepository Lud it had in the contract with its data alid clau to clauses protect The data intermediary was, intermediary dau however, found to be inpersonal data Protection Obligation. breach ofathe
bearing
full
was
9.47 The
("UOB")
Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). Personal Data Protection Act 2012 (Act 26 of 2012) ss 2(1) and 4(2) Personal Data Protection Act 2012 (Act 26 of 2012) s 4(3). [2016] SGPDPC 6. [2016] SGPDPC 3. [2016] SGPDPC 1. [2016] SGPDPC 11. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016)
SGPDPC 1l at [17]-[18]. 66
Personal Data Protection Act 2012 (Act 26 of2012) s2(1). 308
details
and
client
0ok
log-in paSswords was also found
Other items found included documents
with
otearbage
ns for its wholesale and retail banking units
idential,
which would undoubtedly have to the news report, the bank did data. al of personal data and at bag garbage the of
oncernin
hat were marked
o n t a i n c dp e r s o n a l d a t a .
the
According
e Monetary Authority of Singapore, which is ersight of of all financial institutions in Singapore,
discovery
of writing, th o td e n y
oversight ime
the
for Teyponsible Commission are
investigating the matter
and the
that
849
whole garbage since the
sinc
bag
was
filled with
the bag was perhaps intended for did not reach its destination. somehow ction but if the bag was marked as is clear it n e w s report,
ntial documents
and
aPpcar
would
dential
contidential
repor
news
the from
but this However, n f i d e n t i a l w a s te", e", the
r
tion
such
which
It
shred
being UOB
would
be
as
only one required practice and disposal of personal data,
and
handlin and sensitive
secure
oce durec o n f i d e n t i a l ially
of
9.48 In July 2016, it was reported that a large garbage bag full of unshredded bank documents from United Overseas Bank
reported
number
RIC
organisations
processing personal data can also include the destruction of personal data. Hence, organisations that utilise the services to parties process" personal data, such as the provision of of third confidential destruction of personal data, should ensure the agreements with the third parties have the necessary personal data security clauses in place,
58 59 60 61 62 63 64 65
containcd
0pica"have n e r es a i d t o
g u a r a n t o r ,h i s N R I
i p s í d et h e
organisations that to process personal data should utilis the services of ensure the parties have the necessaiy agreements wiuthi paries personal data security third parties will be clauses in third regarded data intermediaries clauses under the Act is
statements,
internal reports from the bank. The documents data such as the name of a p c r s o n a l da birth. It was also and da
thedocu.
a, inchuting
similar vein,
discovered
o u nlications a a n d int
9.46 In
the bank's head office 7
were several corporate
cred
nents
Data
2016 near
in June
ec
tre.
Under a
of Personal
data.
In
any event,
large
do outsource their confidential waste olve, at the minimum, the documents involv
banks
would
remains
to
be seen how the garbage bag full of
ended up under a tree, but the incident highlights
documents
tions having procedures and processes that ishandled in any way, especially if the not is data personal individuals concerned and, in this instance, for consequences for the will be severe and significant. For highly as well, organisation the the documents data such as barnk docunments, ronfidential personal of the confidential the lest transport chauld be shredded on site,creates more for personal opportunities site another
the importance
ensure
Hocuments
to
route. Organisations holding sensitive or be mishandled en utilise the services of mobile on-site confidential personal data c a n the destruction of its personal data but, even so, for services shredding own employees to oversee the organisations should position their destruction process as it occurs at their premises,
data
to
67
Jamie Lee, "MAS probes case of UOB's unshredded client data" Business
Times (21 July 2016). 8 Jamie Lee, "MAS probes case of UOB's unshredded client data" Busine Times (21 July 2016). 69 See further ch 7 generally.
309
Care
Data Protection in the Practical Context
of Personal Dala
he of special benetit to those holding large data
9.50
Employers
should also ensure that filing cabinets and inside secure personal data is stored premises, and not in areas in locked accessible. Where computer systems and networks are to those, including the physical rooms, utilised controls systems, security alarms and should be secured ui Ces even surveillance cam. ccess mputer networks, databases and systems themselves secured through access passwords and firewalls andshould be e anti-virus software and anti-spyware cryptio activated and kept up to date. software should be instalO Employers should and uld also also imni implement policies regarding the use of portable electronic USB devices. laptops, drives, tablets and obile devices, such : for work that store or hold data. If thesetelephones personal devices are permitod used by employees or are issued by to be employers, should be password protected and policies should be implementedthey to ensure taken by employees over their safe great care are is custody. Employers should also have in place ha that restrict processes and monitor the printing and photocopying of confidential or highly sensitive personal data. 2nd
holding
generaly
ameras. The
these types of when in transit.
personal
data should be
encrypted
when stored
and
a variety
of di fferent
kinds of personal data.
at may be considered tor such a risk assessment o f t h ef a c t o r s
the
of the organisation and the amount and type of o f th
size
hin the with access the persons itholds; personal data is or will be held and whether the eonnal data 1alf of the organisation.72 behal on
C I C r i s caa r e
organisation
data
o
thep
d by
a
third party
nent exercise is similar to the privacy impact assessment 7. Even though the term "privacy" is used, the in chapter the same: an a s s e s s m e n t of the impact of the use
9.54
T h i sr i s k a s s e s s
exercise
is
essentially
i handling
data and whether the measures in place are dat
of personal
Privacy impact assessments, however, are involve examining the whole life cycle more collected, used and closed, whereas the risk f personal data is only in relation to exercise suggested by the Commission propriate or adequate.
generally targeted
and:
esment
the security arrangements.
9.51
The destruction of personal data should also be done securely such that the personal data cannot be re-identified. The Commission has recommended that the preferred sustainable approach to the secure disposal of personal data is the use of cross-cutting shredders that slice documents in at lcast two different directions or confetti shredders, followed by the recycling of such shredded paper.70 Electronically held data should be deleted in such a way that it cannot be undeleted or otherwise retrieved. The risks associated with de-identifying personal data have been discussed in chapter 3 and the present technologies indicate that true anonymisation is extremely difficult to achieve and, hence, re-identification is a real risk.
3.
-
Personal Data Protection
9.55 la temns of compliance with the Protection Obligation, the Commission gave some indications of what would be expected of oganisations, the last one of these expectations mentioned above oncerns the requirement that organisations be prepared and able to
espond to information security breaches promptly and effectively."3 ihe Commission has prepared a Guide to Managing Data Breaches (Data Breach Guide") that is aimed at helping organisations manage personal data breaches effectively.
Risk assessment
9.52 In order for organisations to ascertain whether their intormauou
Security arrangements
are
adequate,
might be useful for organisations
the Commission to
undertake
a
suggested tnat risk
assessimene
Dala
70
Data breach notification Commission's Guide
Guide to Disposal of Personut and * Fersonal Data Protection Commission, at paras 7.2 on Physical Medium (revised on 20 January 2017)
310
1 T2
Data Protection Personal in thete k
mission, Advisory Guidelines on Key Concepis (revised on 15 July 2016) at para 17.4. mmission, Advisory Guidelines on Ky Concepts Perseonal Data Protection Act (revised on 15 July 2016) at para 17.4
Personal Data Protection Act Person Data Protection
inth
ata Protection Commission, Aduisory Guidelines on Key
Onal Data Protection Act (revised on 15July 2016) at pard Lons ersonal Data Protecti Commission, Cuide to Managing Data Breaches (8 May 2015).
311
Data
Protection in the
Care
Practical Context
and fire drills: lire cscape plans instruc t h e event of a lirc and the fire drills are the
lan fire escap¢ plai
9.56
There are no data breach in the cnts in Act and, at data breaches do not needrequirements t at the to be to the reported Commise individuals concerned. However, , ission momen or to the is standalone Cybersecurity Bill in Singapore expected to 2017,"
and table a likcly mandate data brcaches to this be renos piece of probably set out othe to the requirements inported information security breaches. In the any event, the of strongly recommended that the Data Breach Guide COmCnt sion has be advises strongly followe organisations to notify the Commission a4dit possible of any data breaches that might cause s0on where there is a risk of harm to a public conce ot group
legislation
will authorities and
alfected
individuals,7%
9.57 The Data Breach
errors.79 Regardless of the cause of data breaches, computer system they are costly and can lead to financial losses for the organisation and for the individual concerned. Individuals may also lose trust in an
organisation.
organisation
Other
may come in the form of sector-specific rules or laws that may have been breached as well as common law duies that have been breached or not been complied with.3 Data breach
pacusc runs
mission, the data ording t o the
I59
dtord
inpact, reporting
prevent
78 79 80
contain
taken to
be
steps to b e m
the breach and manage the incident.2 the
be akin to the fire wardens in a fire would be ideal for the data breach plan. It how to o u t l i n e possibledata breach plan to runs at least once a year. to hold and practise
members
emeigency
managem
respo
would
9.60
the following:83 contain a breach, including that led (a) shut down the compromised system
to
as
it is
can
aware of a be taken to
the data breach whilst
preserving evidence; the data breach in the system and, where (b) isolate the causes of applicable, change the access rights to the compromised system; (c) remove external connections to the system; (d) prevent further unauthorised access to the system such as through resetting passwords if accounts or passwords have been compromised; eestablish whether steps can be taken to recover lost data, such as from a real-time back up;
0
limit any damage caused by the breach, such as through remotely disabling a lost mobile telephone or tablet stop practices that led to the data breach; and )notify the police if criminal activity is suspected and preserve evidence for investigation.
Personal Data Protection Commission, Guide (8 May 2015) at p 9. Data Protection Commission, Guide
to
Managing Dala Breachas
to
Managing Data Brecls
Personal Data Protection Commission, Guide (8 May 2015) at p 4. Guide Personal Data Protection Commission, (8 May 2015) at p 5. Guide Personal Data Protection Commission, (8 May 2015) at p 4.
to
Managing Data
Breacio
to
Managing Data
Breae
2
Breaco
to
Managing Data
83
312
advises organisations to act as soon are a variety of measures that
There data breach.
"Parliament: New Cybersecurity Bill to be tabled next year to strengtien The Straits Times (11 April 2016).
Personal (8 May 2015).
to
The Commission
and implement a data breach
Singapore's online defences"
i
scenariosand
them
data breach Containing the
management and response plan to manage data breaches. This plan, when developed, tested and perhaps rehcarsed or practised on a regular basis, will assist organisations to handle and react more effectively to data breaches when they occur. The idea is based on the
77
containing
the incident and aluating the response and future breaches. It would be helpful for the plan futi to dataibrcach management team, indicating the ery details ofthe de ho would lead and make time-critical decisions on ns
management plan
Organisations should develop
76
as
such
brcach management plan may asscssing risks and
uhe breach,
inchude.
9.58
75
in
be
se
Guide" defined a data breach as the unauthorien a and retrieval of information that may include corporatete personal data.78 The Commission gave the three causes of data breaches as malicious activities, human errors possible and
an
to
n t ah te e d s
Thesetcam
access
costs for
done
onccpt
ne
«
(a)
of Personal Data
Protection Commision, naData (8 May 2015) at 6. p
Guide to
Managing Data Breaches
Onal Data Protection Commission, Guide to Managing Data Bredees
(8 May 2015) at p 6. ( a Data Protection Commission, Guide to Managing Data breuees (8 May 2015) at p 7.
313
Data
Protection in
the
9.61
Care ofPersonal
Practical Context necessary
This list of measures the best
practices.
provided by
For
the
Commission certainly
to be able to these measures, however,organisations the relevant will need to be executete some personnel in the son ot highly skilled, alert and Sony Online Entertainment aware. A which, in 2011. case. point is breach only some two weeks("SOE") after it occurred. The namee a data mail addresses, birth dates, telephone numbe of 25 million customers bers and otheres, addresses were stolen from "outdated database" from 2007 which servers as inform 23,400 people outside the US andcontained details of an well a inchuded 10,700 direct records for customers in proximatcly Austria, the SpainThe data set was stolen onGermany, Netherla 16 and rlands another data breach at Sony's 17 April 2011, and Playstation before its
to 19 April 2011, where 77 million Network, which occure stolen, including credit card numbers.5 dividuals' personal Sony took around two weeks to discover For both data bre
from 17
to
take. such as to
af the individualsaltectcd,
contains
ganisations
Steps
Data
notify
the
hat can be considered in assessing risks and f a c t o
These include the nature of the personal
many o fd a t a are
breache
There
hether they will
inpac
Lead to financial loss, identity theft or other lass of individuals whose personal data are
harm. The clas,
aaia, whe
on the impact of a breach; whether data may produce different
bearing have a kinds. also can breached nployces' personal ed or
ons m must u s t be aware that the risks and impact have an impact on the organisatio and trust, as well as the substano of
tomers' hey a r ec u
ces.
Organisations
on indiviat
well,i n
terms
of
reputation
the breach.
were
that its systems
compromised.6 9.62 Even
worse
than the
Sony
breaches
hadbeen
the two which were only discovered some two to three Yahoo Inc breache aches, years after the personal data theft, and only after law enforcement showed up on the doorstens of the company with copies of extracts from the stolen personal data that were for sale on the dark web. The was company totally unaware of the 2013 breach involving 1 billion users' accounts, until they were notified by the authorities.7
(c)
were
Assessing risks and impact
assessing
risks and
impact
of data breachesis
toassist
organisations to ascertain the scope of consequences to afected individuals and to the organisations. This in turn will inform the
of risks
of
apects
of data breaches and impact as risks and such issues,
organisations, apart impact of further system
technical
the from omises,
pact ofthe
or
or
other
data is likely it one
compromised
organisations,
to
personal data may be on the organisations
uch
be used by
of the key
need
how
and
processe
on
to also assess the non-technical a breach may be facilitated through rocedures, as well as determine what the
organisations
whether
inadequate
vhether the
as
compromised personal
organisations.0 This breaches at information contained in the
others to defraud other
concerns about
the wo massive data
the hackers will use the fahoo Inc, that data to launch other attacks.
stolen
Reporting the data breach
d)
9.63 The aim of
Interms
9.66 This section of the
Data
Breach
Guide
is by far the most
comprehensive and concrete. It gives clear guidance as to whatis reqired, when it is required and how to execute reporting of a data reach" It would appear that organisations are expected to follow the
84
85 86
Charles Arthur,
"Sony suffers second data
more
user details" The Guardian (3 May 2011). theft of 2óm morc Charles Arthur, "Sony suffers second data breach with user details" The Guardian (3 May 2011). more theft of 2om Charles Arthur, "Sony suffers second data breach with
user details" The Guardian (3 May 2011).
87
breach with theft of 25m
"Yahoo under scrutiny artc Greg Roumeliotis & Jessica Toonkel, December 2010). hack, Verizon seeks new deal terms" Reuters (16
314
latest
Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at 8. p
onal(8 Pe
Data Protection Commission, Guide to Managing Data Breaches May 2015) at p 8.
Data Protection Commission, Guide to Managing Dala Bree (8 May l2015) at p 8.
nal (8 May Data Protection 2015) at p 9.
Commission, Guide
315
to
Managing Dala Breacns
Data
Protection in
Data
Breach Guide and the the requirements.
Care
the
Practical Context
Commission gave
9.6
The
Commission
noted that
individuals affected by take
a
it
data
1s
Some
clear reason. sons for
cialm e d i a ,
impact
breach
whose personal data cludeduals. the rties who have been may need
third and financial be înstitutions, and the to polic Commission also advised to organisations if a notify the Conm "especially data breach involves sensitive
include banks
b e
actions individuals can take.
mmission
very
was
was
clear
The notilied.
dbe w
nibena n d .
the
the
in
breach
data data
in
doing
uhe data
there
harm
urtier
oganisaluons
or
are
damage,
information
the
as possible.
should be made explicit. Lastly, of ways to contact them for
these
details should provide or
assistance.
addresses numbers, e-ma il ail
notiky,
curred, the types of personal data
occu
breach, and what the organisation has done
the risks that have arisen as a result of SDonse to there are specific facts available on thec data b ebreach. Where tho ofwill individuals can take to minimise actions specificc mised
or if
data breach involves sensitive Commission recommended that it personal data, individuals should notified immediately to enable them to take early avoid, or at least minimise, abuse of the necessary actions t potential Sensitive personal data would include credit compromised data 9 details. The period immediately after the theft card and bank accon count of data is most it is during this period that criminals would attempt to usecrucial as stolen records before customers have been notified and had a preventive measures. Thus, it is critical to shorten this chanceasto take period much
Breach Guide about what should include information on
in the Data
notificat
hrther
In terms of when to
media
tions on what
each
personal data"
9.68
through
c-ma.
d f i c a t i o n ss h o
ilease
dividuals to
should guardians or parentsorganisations of young children consider notifvino
compromised. Relevant
be
a
preventive measures to reduce the will enable to notify and may assist in indivi restoring consumer trust. of the data in some situations, may be legally bre: required to noti Oher parties that otify affected individuz
organisations
means woud
easily comprehensible, specific and provide kar astruction
generally good practice as it
breach,
possible
nails, telephone calls, faxes and letters.5 The
affected
i n h i n a i u z l sa l e
each of
ofPersonal Data
These ese
or
can
be
websites.7
through telephone
hotline
the tionale for
notification
to
the affected individuals
seem
the desire to return to individuals some control g r o u n d e d upon dearly data once there has been a data breach. Individuals The
heir personalare
ae
the o n e s
who
most negatively affected by a data breach and in
and justice, they ought to be armed with the interests of fairness since the data counter whatever harm may result, especially
the hility to
hreach occurred through
no
fault of their
own.
9.73
9.69 The Commission noted that another occasion to infom affected individuals would be when a data breach has been resolved, as
the Commission advises organisations to notify he pries, Commission as soon as possible of any data breaches that might cause
9.70
public concern or where there is a risk of harm to a group of afected individuals. To facilitate this, the Commission has provided and a telephone number for this very purpose. The m
organisations would then be in a better position to provide further details to the individuals.
email address
Regarding there
la addition to advising the affected individuals and the relevant third
the methods of notifying the data breach to individuals, effective ways organisations can inform of on the urgency of the situation and the number
individuals
are numerous
depending
lomamnision is explicit about the contents of the notification to the
rersonal Data Protection Commission, Guide to Managing Data Breaches 92
Personal Data Protection Commission, Guide
to
Managing Data
Breacns
to
Managing Data
Breates
to
Managing Data
bruuo
(8 May 2015) at p 9. 93
Personal Data Protection Commission, Guide
94
Personal
(8 May 2015) at p 9.
Data Protection Commission, Guide (8 May 2015) at p 9.
316
8 May 2015) Per
at p 9.
Data Protection Commission, Guide (8 May 2015) at 9. p
to
Managing Data
Breaches
Data Protection Commission, Guide to Managing Data Breacnes (8
98 PersMay
8 May
2015)
at p 9.
ata Protection Commission, Guide to Managing Data Breaches
2015)
at p 10.
317
Dala
Commission available:99 (a) (b) (c) (d)
Prolection in the Practical
and should
clude
extent of the data breach; type and volume of
the
Care
Context
from occurring."
following informa
measures
that
prerent
s h o u l
Commision oganisations, 104
or
terms
in
,
ced
to
and
Even where ecific information on the data brea is not the Commission has advised that yet organisations should to notification the Commission, providing a brief send anavailable int incident.100 Furthermore, the Commission stresseddescription e the that whether notification was made by an as well as organisation the organisation has adequate recovery procedures in whether place will weigh upon the Commission's decision on whether the
organisation has met
the Protection Obligation.101
9.75 The list of items to be included in the notification to the Commission appears to be aimed at imposing full transparency and accountability on organisations. Given the general manner in which the Protection Obligation is set out in section 24 of the Actl and the clear indication in the Data Breach Guide that
a
data breach notification
to
the
Commission is expected, the onus is undoubtedly placed on organisations to do all it can to protect the security of personal data and to be fully prepared for a data breach, a suitably high duty.
be
addressed
existing
weaknesses in 105 Other both
related
technology
physical
issues
be
software
9.74
rational and policy related issues, some of the nclude the frequcncy of audits on inc
of 977
.
(e)
they are not, then new
be considered. The be adopted should hould four arcas that should be considered by sets out fo
imilar breaches
personal data involved: suspected cause of whether the breach has beenthe breach; rectified; (e) measures and processes that the organisation time of the breach; had put in in () information on whether place at the affected been notified and, if individuals of the not, when the dala hu. g) contact details of persons whom organisation intends to ch have the do s further information or clarification. Commission can liaite nd cause
of Personal Data
curity to
security measures and possible
mcasures
such as the use of outdated
nsider may be whether there to prevent a recurrence of the breach
cons.
introduced
ure breaches should if futur damage mit the responsibiliti roles, the involv e d ed,
processcs
r t ol i m i t
partners are
recur. If vendors and and liability of cach
106 reviewed,
should
9.78 The
be
are the resource related issues. of issues to evaluate were enough resources to manage the data there whether ternal resources are needed to better manage whether
sond
second
nch sucth as
area
area
.
breach and
such breaches, 107
9,79
08
It is on personal data protection trained be inportant for employees skills. Employees in many ways act matters and incident management s the custodians of personal data and should be fully aware of security
Third, employee
related issues also need to be considered. to
rehated issues. The review should consider whether these areas can be improved and how to make the improvements.0
Evaluating the response and recovery
9.76 After the data breach has been resolved, the breach and the secunty arrangements should be reviewed to determine if they
are
adequate
99
Personal Data Protection Commission, Guide to Managing Dala bru
100
Personal
(8 May 2015) at p 10. Data Protection Commission, Guide
to
Managing Data
101
(8 May 2015) at p 10. Personal Data Protection Commission, Guide to Managng Due
102
(8 May 2015) at p 10. Personal Data Protection Act 2012 (Act 26 of 2012).
318
to
aches breaee
ersonal DataatProtection (8 May 2015) p 11. 04
to
Data Protection Commission, Guide to at p 11.
May 2015)
Managing Data Breaches Managing Data
Breaches
rersonal Data Protection Commission, Guide to Managing Data Breaches 8 May 2015) at 11. p a8l Data Protection Commission, Guide to Managing Data Breaches May 2015) at p 11.
ona (8 08
Breaches
Personal (8
Commission, Guide
Data Protection Commission, Guide to Managing Dala BreucneSs
May 2015)
at
11.
ersonal Data p Commissior Guide to Managing Data Breaches (8 May 2015) atProtection 09 Perso p 11. (8(8 Mav 901ea Protection Commission, Guide to Managing Data Breaches
May 2015) at p 11.
319
Data
Protection in
the
Care
Practical Context
9.80
was
Lastly, management related issues necd whether there was a clear line of during the management of the data
be
conei
and responsibility breach, both
e x t e r n a l l y . 110
required
pache persoearnal
ered, such
personal
the
ommunicaiandon
co
int
by the Protection Obligation to breach of the when
pondent he w a s in data and dat data to the third
The
to
of Personal Data
tenant. A
Obligation nancial penalty
'13 disclosed
imposcd.
he
was
ofS500 European U n i o n p o s i t i o n
Complying with
5.
Protection
Obligation Security p r i n c i p l e
9.81
From the foregoing, it can be said that the Protection Obliat. strong duty imposed upon organisations. Although the D 1 a is in couched terms Obligation of reasonable security are what would be considered reasonable has a level of heo can be gathered from industry practices. This certainty is clearly level of data acceptable personal protection than the reasonablene test in, for example, the Access and Correction
gements,
even
erroneous
personal
data
can
Obligations, where
remain uncorrected.
1
9.84
assets
such
as
trade secrets which
organisations keep guarded.
Commission has made it clear that one cannot take personal data The that one has been provided with in one's commercial capacity and chooses"
a
personal
or
domestic
capacity
"as and when
he
In Chua Yong Boon Justin,"2 the respondent was a real
estate agent who disclosed the full names and NRIC numbers of two
third tenant. The Commission made it clear that it h because of the tenancy agreement that the respondent came to nav his possession the full names and NRIC numbers of the two ten and, as such, the personal data was obtained in his co tenants
I1o
to a
Personal Data Protection Commission, Guide
to
(8 May 2015) at p 11.
[2016] SGPDPC 13 at [13]. Chua Boon justin 112 [2016]Yong SGPDPC 13.
320
Managng vue
95/46/EC stated quite explicitly the
personal data, which includes the collection
processing data, to be secure.11 Article 17 effectively sets o f the security principle in great detail. and all the r e q u i r e m e n t s iis that "such measures shall ensure a level the verriding to the risks represented by the processing and of security a p p r o p r i a t e 15 which has the same effect as be protected" to data the of storage
of
personal
requirements
out
nature
legislative he Singapore g
requirement of being "reasonable".
9.85
Data Protection Regulation 2016/679, Article 32 In the EU General of processing and is very similar to its EU Data deals with the security 95/46/EC counterpart, except it is even more Directive Protection detailed and explicit. Under Article 32, organisations "shall implement ensure a level appropriate technical and organisational m e a s u r e s to which is a long-winded wayof to the risk", appropriate ofsecurity
expressing a standard that is reasonable to the circumstances. Articles 32(1) and 32(2) list some of the issues that considered as part of the security measures, such as the technical
need to be
9.83
disclose it in
of
The need forthe
the
9.82 It would appear that as long as organisations adhere to industr standards, they would meet the Protection Obligation. It is thus essential for organisations to be aware what the of industry standards are and to engage skilled personnel where necessary, especially in specialised areas such as the management of information security. In terms of protecting personal data, organisations would do well to treat personal data like any other asset that organisations hold, whether it be physical assets that they guard under lock and key or non-tangible
Directive
Protection
EU.Data
Breachs
requirements,17 including ensuring the ongoing confidentiality,
integrity, availability and resilience of processing systems and services, 25 well as all the different ways that risks can arise, such as through loss
and alteration.118
9.86
cie 5(1)( of the EU General Data Protection Regulation 2016/679 pinciples regarding the legitimate processing of personal data
Chua Yong Boon Justin [2016] SGPDPC 13 at 114 [22J. 15 Fata Protection Directive 95/46/EC, Art 17. 16 ata Protection Directive 95/46/EC, Art 17(1). I1 General Data ilation 2016/679, Art 32(1). EU General Data Protection 118 EU 2016/679, Art 32(1). Regulation Protection e r a l Data (2). Protection Regulation 2016/679, Art o414 321
Data
standard aDDropriate security
also sets the
Care of Personal Dala
Proteclion n the Praclical Context
of
processing personal data ta to personal data includinto be or unlawtul unauthorised procesSing and destruction or damage, using appropriate against of the
9.87
which
to
EU
(d 2ddr measur
organisatioloss,nal
is
Pro code to be used a
an
otecionof
further
its p o s s i b l e
be taken
including,
adverse effects.
by
the controller
where
to
appropriate,
rOvide information is an enduring one, as where pr rovide all the information together at the same rmation may be provide in phases without undue nilar to the requirements set out by the T h i s is
delay. in
128 Singapore.
Commission
security princinle 20dn's
breach notitication
9,91
to
1s
core
a
off o
similarity in the information required in the
breach notification of the EU and the breach requirements of the Commission. The Commission information on the cause or suspected cause of the breach, is not required by the EU law, instead, the EU General Data this Dtection Regulation 2016/679 requires information o n the likely of the personal data breach, which the Commission does
supervisory authority
There
data
person,
notification
EU
requires
.
a
consequences not stipulate
a
in the EU General Data Protection Regulation 2016/679 is the duty to
maintain a record or register of all personal data breaches,129 The facts must be recorded, along with its effects and the remedial action taken. This internal breach register
relating to each personal data breach
9.89 The minimum information that
must
are:126
(b)
the
nature
(c)
of the
personal
be
provided
data breach,
enables the supervisory authority to verify whether compliance has in the notificaion
been met.130
including the categories and
(c)
approximat number of data subjects concerned and the categonies and approximate number of persornal data records concerned; the name and contact details of the data protection officer or other contact
necessary.
An additional duty required of organisations that handle personal data
natural persons.125
(a)
as
9.92
not
a
the likely consequences of the personal data breach; and
Regulation 2016/679, Art5 120 EU General Data Protection Regulation 2016/679, Art 34 35 and o E U General Data Protection Regulation 2016/679, Arts Art T22 EU General Data Protection Regulation 2016/679, 534 Art 30 23 EU General Data Protection Regulation 2016/679, 2016/679, Art 33 E U General Data Protection Regulation 125 EU General Data Protection Regulation 201b/o 38/3)
data breach is likely to result in high risk for apersonal rights and freedoms, the organisation will also have the a
vduals
ation to notify the individuals of the breach without undue Article 34 (2) mandates that the notification to affected als must contain the information that is
EU General Data Protection
EU General Data Protection
Regulation 2016/6/9, 322
Personal data breach notification to affected individuals
9.93
point where more information can be obtained;
f
126
not
it time, the in.
General Data Protection Regulation 2016/679 introduced new mandatory requirement of personal data breach notificationa all applies across that industry sectors.*" lt mandates process personal data must nouty the competentthat those who holdor supervisory authoritv without undue delay after becoming aware of personal data breachl where and, feasible, within 72 hours. If the 72-hour met, reasoned justification for the delay must be timeframe is only exemption from this requirement is where theprovided. The personal data breach is unlikely to result in a risk to the rights and freedoms of
119
mitigate
to
breach,
T h er e q u i r e m e n t t o 9.90
9.88
The
:s to
data
ental
General Data to
adherence
cerufication
Personal data
(b)
the
approved mechanism demonstrate compliance with the
or an
stecionensur agaiinnstg
proposed
tako
the personal
the meas
pOssible
Importantly, Article 32(3) of Regulation 2016/679 enables
hv
one of ens
technical or
mcasures".19
conduct
casures (d)
27
required in the
breach
eneral Data Protection Regulation 2016/679, Art 33(4). (8BMay Commission, Cuide to Managing Data Breaches May 901a 2015) atProtection p 10. EU neral Data Protection Regulation 2016/679, Art 55(9 EU 131 EU Ceneral Data Protection. gulation 2016/679, Art 33(5). General Data Protection.Regulation 2016/679, Art 34(1) 128
323
Data notification
to
the data
must
language"
Protection in the Practical Contert superviso
Care of Personal Data us
p e r s o n a l c d a t a ,1 3 9
plain
9.94 There are three exceptions to the requiremen
those measures
and organisational protecti.on
applied
were
the
to
1telihood
compromised
of
episodes
the
encryption
identity
personal
affecteasures, and encrypted, personal data, other forms ofeffectively limi the
theft or of thee Yahoo Inc data
method
was
misuse."
owever, given asily cracked
breaches, where
employed, the actual
individuals"
Sanctions
notficaion impleme
data personal data breach." An example of this is where was
encral Data
ener i s k for the
rights
:and
t0
freedoms". 110
high
affected individuals. First, where the organisatior technical
appropriate
cOmparable
the position undcr the EU Protection Rcgulation 2016/679, which uses the test of
authority and that "clear
be used.
encryption
technology
implemented would need too be asscssed. Yahoo Inc was. using discredited technology for data known rently stil as in 2013 when the breaches occurred. This was MD5 well after Mellon University's Software Engineering Institute had issued an warning in 2008 to security professionals through a US gowe alert that funded vulnerability MD5 "should be system sidered cryptographically broken and unsuitable for further use" conside
encrypting
9.97
for
for
non-compli
sanction
hefity to meet
the
personal
organisations ito
ertaking
(an
Protection Regulation 2016/679 introduced ce that should be highlighted. Failure reach notification requirements exposes data bre
Data
General EU
The
non-Compliance
administrative fine
an
enterprise
tal worldwide
annual
of
up
group of turnover of the
within
a
to
¬l0m
or
in
enterprises),
preccding
case
of
an
2% of financial year, up
to
the whichever is higher.
Carneg
PERSONAL DATA RETENTION OF
C
Retention Limitation Obligation
1.
9.95 The second
exception
which
is where the that the
organisation
has taken subseauen
high risk to the rights and freedoms of data subjects is no longer likely to materialise.50 The last exception is where notification to the affected individuals would involve measures
ensure
disproportionate effort. In such a case, there should instead be a
public communication or similar measure whereby the data subjecs are informed in an equally effective manner. 137
9.96 aim of notification to affected individuals in EU law appears be The the same as that espoused by the Commission for notfication to to
atfected individuals under the Singapore statute: to allow
atfecied
elves. individuals to take the necessary precautions to protectthemselves
Although the Commission in Singapore recommended that indido Only need to be notified if the personal data breach involves seisu
3UGeneral Data Protection Regulation 2016/679, Art34 38 EU Ceneral Data Protection Regulation 2016/679, ATt T34
135
19
9.98
the retention of The Retention Limitation Obligation concerning Act2 it requires a n and of the section 25 in out personal data is set to c e a s e to retain personal data as s o o n as it is reasonable organisation data was collected is to assume that the purpose for which the personal the of retention served no personal data and that
by
longer being
retention is no longer necessary for legal or business purposes. The legislation does not specify minimum o r maximum periods for to hold retaining personal data, but organisations may be required personal data for set periods of time under other legislation o r
Sectorial requirements. The Commission aptly warned that organisations should not retain personal data in perpetuity where it has no legal or business reasons
to
do so.113 Thus, personal data should not be
retained just in case the data is needed one day for some untoreseen
reason.
EU General Data Protection Regulation 2016/679, Atohlems a stoy
onal(8 May DataatProtection Commission,
Joseph Menn, Jim Finkle & Dustin Volz, "Yahoo securiy pa of too little, too late" Reuters (18 December 2010). UGeneral Data Protection Regulation 2016/679, Art4 c
l41 ETneral Data Protection Regulation 2016/679, Art 34( Art 83(4) (a) 42 Perso Personal Data Protection Regulation 2016/679,
a
E U General Data Protection Regulation 2016/679, ATR6 86. 138 EU General Data Protection Regulation 2016/0, * 324
2015)
143
Cuide to
Managing Dala
Breaches
p 9.
Data Protection.Act 2012 (Act 26 Personal in the Perta onps Data Protection Protectior Commission, Advisory Guidelines on Key 18.2. ETSOnal Data Protection Act (revised 15July 016) para of 2012).
on
325
at
Data
Prolection in the
Care of Personal Data
Practical Context
9.99 Section 25 establish the test for can be retained to be one of be considered a reasonable period will for collection and other legal and business retention of the personal lata may be
inte t h e i r personal data into classes so that it may mayingroup the rationale for why some personal data is kept
Oganisationsm a yg
determining how
nableness. The durlo ng personal that wouldatad depend greatlyuration on
purpose thepurposes nersonal data may need to be retained to necessary. FFor hich the generate which may entail the personal data kample, being kept for one data is required for Teports yea i personal ongoing legal action need to be retained for much involving longer.
explain
to
in
e
recor
the
organis
1S
data
nal
.
should
data
uher
personal
piece
data management to ensure that and stored in a manner which facilitates Retention Limitation Obligation. " Reviews
personal
elop procCsses
an
then it may
periods of time.'16 Organisations also need to
ively long peri
casicr
be
conducted on a regular basis to determine
o f personal
data is still needed and should be da
particular
{a eltained
9.100
The same type of personal data collected for more or or less less the purpose but collected in ditferent settings can sometimes hrin same of different conclusions what may be considered a reasonable neriod of retention. For example, security cameras in a restaurant would h the purpose of capturing incidents such as have rowdy naer leaving without paying and so on. The reasonable patrons or patrons period of retentin ention for such images may only be a very short period of time because anu incident or event requiring a review the
of images would arise quickly. In the event of incidents, the images would need to be fairlw longer for investigative and law enforcement purposes. If thiskeptis compared with images from security cameras installed to deter fraud or theft at a bank's automatic teller machine ("ATM"), the footage at
an ATM would need to be retained for at least a few months as fraudulent transactions may not come to light before victims receive
their bank statements. Further, in the event of a series of ATM
fraudulent transactions, the images may assist to determine if there is a pattern over a period of time.
8103
on hOw long it retains personal and used under the exemptions set may Third and Fourth Schedules of the Act.45 Although Second, he data can seem to be kept without constraints,
Organisations
should exercise
have
ou
of the
care
been collected
personal
data is publicly available,4 the Retention the personal. data from retained all in fact prohib. imit Obligation no longer being served or if there are is collection its Durpose for for the retention of the personal data. All n leral or business purposes such as the Protection Obligation and me
chas
where
being
personal
data Obligations to all personal data Retention Limitation Obligation apply the personal data was exempted from the whether of irespective
de personal the
Consent Obligation and the Notification Obligation. 9.104
in terms of the meaning of ceasing to retain in section 25 of the Act,150 the Commission has stated that this means no longer having access to the documents and the personal data they contain. This means that
the personal data is inaccessible or irretrievable to the The Commission gave some possibilities of what may satisfy this, and
organisation.
9 .101 144 Given that the statute of limitation is six years for contracts and torts it would seem reasonable to deduce that some personal data can
p
kept for at least this long. In this regard, the Commission appeare permit personal data relating to contracts to be retained lor e the ule years from the date of termination of the contract, gven statute of limitation period is six years." 9.102
Organisations should develop personal outlining their approach to retention periods data
retention
tiey included returning the documents to the relevant individuals,
uasterring the documents to another person on the instructions of a
SOnal Data Protection Commission, Advisory Guidelines om Ky onceps 142DePersonal Data Protection Act (revised on 15 July 2016) at para 18.8. a l Data Protection Commission, Advisory Guidelines on Key Concepis Data Protection 2016) at para 13./. on
Peeonal ersonal Data
po
for personal data
150
Act (revised 15 July rotection Act 2012 (Act 26 of 2012). Protection Act 2012 (Act 26 of 2012)
Sched, Pan1(c); Data Third Sched, ara 1(c) and Fourth Sched, para Second 1(4). Personal Data Protectior Act 2012 (Act 26 of 2012). Personal Data Protection Commission, Advisory Guidelines Key Concepis nthe Personal Data 2016) para Act (revised Protection 15 July Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Person on
144 145
Limitation Act (Cap 163, 1996 Rev Ed) s 6. Personal Data Protection Commission, Advisory 272 the Personal Data Protection Act (revised on 15July
Guidelines
326
2010)
on
ap
Key
Coneys
18.4
on
d
Protection Act
(revised on 15 July 2016) 327
18.10.
at at
para
18.12.
Data data subject, the documents
Protection in the Practical
Context
destroying the documents such ch as by de-identüilying personal data. 153 properly shredding
9.105
There
Care
they
which
or
"
r3, processing" ected
is
in
a permanent and complete manner.51
broadly defined and includes storage, statute
S Siin ng ga apore
in the the
there
restrictions
he r
as
long
rovision would be equivalent to pro that personal data should only
this
hence
nsultation,
are
chnically, depending
Personal Data
further processed".l56 As discussed in
are
very
in
also situations where an to make the organisation may have personal data inaccessible have attempied inaccessible, such as where documents but it ma may not be totally hat have remain in the been organisation's premises. shredd cd still shredder used and the thinness the shreds of of nossihle to re-access the paner the data by be all the together. To deal with suchpersonal piecing grey areas, the shred. consider four factors to determine it an Commission said it wowould retain the personal data. The factors are organisation has ceased whether the any intention to use or access the organisatio to has personal data; how much eftort resources the organisation would nced to in order to seLand expend access the personal data or again; whether third parties have been given access to the personal data; and whether the organisation has made a reasonable attempt to destroy, dispose of or delete the personal data
of
are
legal
or business purposes to do so.
as
k e pf t or,
Generah
Data
Regulation 2016/679157 is als that personal data should be kept
Protection
provides and
orded tthan han
gpnilarly longer data
are
is
necessary
ocessed".58
processed".
no
or however,
sonal
2016/679,
tjon
hegula
personal
be data will da
interest,
public bject the gauistical purposes sub in
the
The EU
purposes for which the Data Protection
General
longer periods of retention for archiving pur solely processed
Lroduced intro
tific
scientifi
the athere
for
historical
or
rescarch
purposes
or
appropriate to implementation order to safeguard the rights m e a s u r e s in of the
a n do r g a n i s a t i o n a l tecthnte
and
freedoms
of the
data subject.
159
General Data
9.109
Recital 39 of the EU however, that s t a t e s that:16 2016/679 Regulation relevant and limited to data should be adequate,
hshould be noted,
9.106 These four factors will be of great relevance in the
Protection
electronic personal data such as those residing on computer servers, portable devices such as laptops and mobile devices such as tablets and mobile phones. If personal data has simply been placed in the "rash bin" on a laptop which can be restored casily by a few clicks of the mouse, the organisation will probably not be considered to have ceased to retain the personal data.
European Union position
2. 9.107
data is
simiar
of personal position in the EU on retention The EU Data Protecton to that of the Singapore legislation. 10r data should be kept that personal Directive 95/46/ECI55 stipulates wete data for which the no longer than is necessary for the purposes The
153 54
155
Conceps 18.10. Advisory Gudetanesat Personal Data Protection Commission, 2016) para Cones on 15 July the PersOnal Data Protection Act (revised
272 Personal
Gudenesat
Data Protection Commission, Advisory 2016) on 15 July Data Protection Act (revised Personal in the Art 6(1)(¬). 95/46/EC, Directive Protection EU Data
328
pa
18.13.
what is
This requires, in personal for which they a r e processed. data are stored is necessary for the purposes the which personal that the period for Darticular, ensuring
of
electronic personal data and the techniques organisations employ to delete case
The
limited
to
a
strict
minimum.
9.110 contextualise and minimum" appears to This requirement of "strict data "for no of keeping personal qualify the general requirement the which personal data for longer than is necessary for the purposes adhere to the to are processed".ioi It places the o n u s on organisations there may be vague sinct minimum" requirement, so that even where business purposes, for Tcasons why personal data need to be retained a closer evaluation to dictate e strict minimum" requirement will
shop might argue ertain the "strict minimum". To illustrate, a pizza and addresses of all its s
business
reasons to
keep
the
names
the for a period until S Who have bought a pizza from it maximuin a limitation ends. Realistically, however, after
EU 57 EU Data Protection Directive 95/46/EC, Art 6(1) (e). 5(1)(e). gulation 2016/679, Art 158 EU General Data Protection Art 5(1) (e). 2016/679, Protection 159 EU Regulation General Data Data Protection Regulation 2016/679, Art 5(1)(e). EU General
General!
6)
Data Protection Regulation 2016/679, Recital3 EU neral eral Data Protection gulation 2016/679, Art 5(1) (e). 329
Data Protection in the Practical Context
riod of one year, there appcars
to be few reasons retain such personal data, i especially if no claims why or other incidents have of food ould need been nade it. Even ses, it may not be foor taxation to necessary retain the recor customers' names and addresses tor so In long. minimum" would likely be not more than one this case the "strictthe year. to
against
poisoning
CHAPTER1 0
Transfer Limitation Obligation
9.111 Under the EU General Data Protec ion Regulation 2016/679.1 time of personal data collection, the data subject should be at he of the envisaged retention period or, if this is not inform used to determine the retention possible, thecritena cr period. 9.112
Probably
one
of the most
in the EU
General
retention
periods
environment. chapter 11.
signiticant
Data Protection is the right to
The right
to
be
new
rights given
to
Regulation 2016/679 individel, relatedeto be forgotten
torgotten
in the n online will be
discussed
n
10.1
in the final Personal provision that was passed section 26 on the transfer of is "Act")' 2012 (the Data Protection Act The limitation on transfer was not outside Singapore. Dersonal data and one can only speculate that it may have addressed in the draft billF on the European Union-Singapore discussions the been spurred by which was completed in 2014. The Transfer Free Trade Agreement, in the Act, grouped Limitation Obligation is the last of the Obligations under Part VI (Care of Personal Data). Onc
surprising
new
10.2 Section 26(1) provides that an organisation must not transfer any outside Singapore, except in This is to requirements prescribed under the Act. ensure that organisations provide a standard of protection to personal data that is comparable with the protection under the Act in Singapore, Even when the personal data is transferred out of Singapore. However, personal data to
a
country
or
territory
accordance with
ganisations may apply to be exempt from this requirement."
10.3
ompliance with this provision falls upon the organisation sending ne personal
62 l63
EU General Data Protection Regulation EU General Data Protection Regulation
330
2016/679, Art 13(2)1a) 2016/679, Art I7.
data
overseas,
so
it would
appear
that
the Senaing
Act 26 of 2012. Publc Consullatnon o t Information, Communications and the Arts, the Ars: Proposea Communications and Information, of Mnistry Pe ersonal Data Protection Bill (19 March 2012). and 26(3). a t a Protection Act 2012 (Act 26 of 2012) ss 26(2)
331
Data
organisation
may look
undertake contractual
protection is given. A.
to
in the
TransferLimitation Obligation
Practical Context
the laws of
the mechanisms to ensure foreign i an
data is: simply atthis ersonal
ctton or
1gpears that
tistying
an
can set out
two
personal data protection provisionsto ensure that 9(1). iwill in
data remains
its
while the nen control second sonal
under its organisation must takepossession to ensure appropriate steps of the that the recini the personal data outside Singapore is bound n by legally obligations to protect the personal data in enforceahi that are at least accordance comparable to the protection underwith standard. or
Singapore.
the Act inin
10.5
the
the
seconc
taken to have satistied the first personal data is in transit or publicly available in requirement if the Singapore The tem "data in transit" has a long definition and means:3
personal
are
data transferred
through Singapore or
in the course of onward country territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of the employee's employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation.
transportation
to
a
deal with the
requirement: Explicit
situations
requirement, the Persona Data Protection seven explicit situations where an 2014 provides have satistied this requirement. The first to taken be second
Regulations
can
where the individual consents to the transfer of is wh. in that country or territory, 10 al data to the recipientis f valid In order for such consent such c o n s e n t given However, n o t .all isation
anganis
situations
these.
the personal
have, before giving his consent, been in writing of the extent to which summary a vided with transferred to that country or territory will be be to data the to the protection under the Act in s t a n d ard r d comparable a rotected to must also not have been obtained by the valid,
the
0 be
ividual
must
reasonable
poud
persona
Ca3Dore.Consent
Organisations
to
Singapore en route
REGULATIONS 2014
Before Regulations 2014 provides requirements. vides more details it must organisation transfer satisty perOn requirements in must take data organisation regulation appropriate steps comply with the
overseas, First, the
attempt
assing through servers within
its destination overseas.
sination where
of
Personal Data Protection
of the
is an
definition convoluted
equiy
PERSONAL DATA PROTECTION
10.4
The
Protection
as
usferring organisation erice, unless the transfer
a
condition
of
providing
a
product
or
provide the reasonably individual." Finally, in obtaining the consent the to oroduct or service information to obtain the consent, false or misleading necessary to
is
or attempting
and other deceptive or misleading must not have been provided used." A classic example of where an been have not must
practices
individual would give consent is where an individual is travelling use her overseas for a holiday. For the individual to be able to
Aantomated Teller Machine ("ATM") card overseas to withdraw money, she would have to give consent to her financial institution to transfer
her personal data overseas to facilitate access to her account, including account details such as the available balance for withdrawal. 10.8
C Second situation where an organisation can be taken to have Asted the second requirement is where the transfer of the personal tothe recipient is necessary for the performance of a contract DEDWeen the individual and the transferring organisation, o i n Data Protection Commission, Advisory Guidelines on Key Concepts
S 362/2014. 5
6 8
Personal Data Protection Regulations 2014 Personal Data Protection Regulations 2014 2014 Personal Data Protection Regulations 2014 Personal Data Protection Regulations
332
(S 362/2014) reg 9 (S 362/2014) reg (S 362/2014) reg9o. (S 362/2014) reg
12 13
Peeonal Data Protection Act (revised on 15 July 2016) at para 19.7. Personal Data Protection Regulations 2014 (S 362/2014) reg 9(3) (a). Sonal Data Protection ulations 2014 (S 362/2014) reg 9(4) (a). Persona Data Protectic Perse 2014 (S 362/2014) reg 9(4)(6). Regulations ersonal Data Protection.Regulations 2014 (S 362/2014) reg 9(4)().
Person
333
Data
anything entering
example (the
at the
into a of this
Protection in the Practical
Transfer Limilation Obligation
Context
individual's request with contract with the ransferring view orgto given by the Personal
mely way" pected to with
Data Protection sation" An where an with travel In order to make s ionman the hotel agency that in inchudesindividual hotel accepupurCommi c hases the transferring organisation, reservations, travel agency, whi c h need personal data to the hotelswould he immodat ndiidhishuatiotn.h'se overscas.' in This transfer requirement regulation 9(1). would satisfy
transfer
of the
conclusion
or
the
use
a
organisation
servers are
personal
located outside
data out of
considered
analyse
to be in
of
its
is disclosure
uscor
the
sfer ing
adopt cloud-based clientis personal data and comnuia theputing dod
To transfer Singapore." the individual and on to
Singapore
the cloud servers would
the individual's interest as this would the fulfilment of the contract between the individual
organisation.
he facilitate
and he
certain
the
that the
health
or
satety
affcct
of the individual
and
consent for
or
another
the disclosure
seriously will be and b e .obtained in a timely way," the next-of-kin of data contacting the purpose of tlh for fthe for individual
cannot
the
nd ofany
is
injured
ill
or
deceased individual
or
5
to transferring the personal data overseas, the reasonable steps to ensure that the personal on must take In all sclosed by the recipient for any other o r discl. used be under one of these will n o t scenario that would fall 20 A typical is seriously injured whilst overseas and a n individ is where uires the patient history of the individual 10.11
ch
cases,
prior
Ogan
dala
situation
the overseas hospital before surgery
can
take
place.
10.12 a n organisation is taken to have seventh situations where The sixth and in regulation 9(1) are where the satisfied the second requirement the personal data is publicly where and transit" is in personal data available,3" respectively.
10.10
Fifth, the second requirement in regulation 9(1) is satisfied where the transfer overseas is necessary for a
necessary in the national interest:23 itions, there are reasonable grounds to
conditions
to
subject believe
,
third party which
to store or
the
anotherindividual;22
hl
an
the tana the request or which a reasonable is entered into at the indiui person would consider to dividual's individual's interest." The example he the which the where an Commission gNe decides to a was
solution
o r
disclosure
personal a
reasonably
the life, that threatens the
second
organisation can he in requirement regulation 9(1) is wherken data to the is recipient the of pertormance contract betweennecessary
organisation and
not
is necessaTy to respond to an emergency health or safety of the individual or
discl osure lasture be
a
The third and fourth situations where have satisfied the second
the individual would
ained
"Commission") is the situationon overseas tour
10.9
or
ithhold consent;2
a
also taken to be
disclosure in certain situations where the consent of the individual is not required use
or
under the Act. These are where:
(a)
the use or disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its use cannot be
20
2 14 15
16 17
19
Personal Data Protection Regulations 2014 (S 362/2014) reg93)0
Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 1(a) and Fourth Sched, para 1 (a). Data Protection Act (Act 26 of 2012) Third Sched,
Personal
2012
para 1(a).
2Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 1 (6) and Fourth Sched, para 1(6).
Personal Data Protection Commission, Advisory Guidelines on Key Conces in the Personal Data Protection Act (revised on 15 July 2016) at para 9:
23
example 2.
Data Fersonal para 1 (c).
Personal Data Protection Regulations 2014 (S 362/2014) reg 913)G. Personal Data Protection Regulations 2014 (S 362/2014) reg 9( Guidelines on Keay Cones Personal Data Protection Com ISsion, Aduisory 1s 2016) at para n the Personal Data Protection Act (revised on 15 July
example 3. Personal Data Protection Regulations 2014
334
(S
362/2014) reg ON0
Personal para
Data Protection
Act 2012
1(d) and Fourth Sched, para 1(e).
2
Data ersonal para 1(0).
Protection
(Act 26 of 2012) Third Sched,
Act 2012 (Act
26
of 2012)
Fourth Sched,
Protection Act 2012 (Act 26 of 2012) Fourth Sched,
27Ponal Data Protection Regulations 2014 (S 362/2014) reg 9(3) (e. 28 POnal Data Protection Regulations 2014 (S 362/2014) reg 9(3)).
ersonal Data ProtectionlRegulations 2014 (S 362/2014) reg 9(3) (8). 335
Transfer Limilation Obligatia
Data Proletion inthe Practical Context
Satisfying the second requirement: "legally enforceable
2
dircctly
or indircctly, controlled
the recipicnt and the
obligations"
indire
ctly, under the
control
by the trans
ransferring of a
common
aced in the European Union
ules surface
10.13
of these seven scenas cannot tall under any one 1arios, If an organisation can sausIy the second requiremer it it ascertain in it nceds to then regulation 9(1) by taking appropriate steps to ensure that the recini ipient bound by legally enforceahi outside Singapore is of the personal data in accordance with standard data the personal obligations to protect to the protection under the Act ct in that are at least comparable Singapore.2"
10.14
examples of what would constitute lerall,. Regulation 10 provides list is fairly broad and includes any law The enforceable obligations. the recipient contract must, however, require and any contract. The transferrcd to it, a standard of data the personal to rovide to to the protection under the Act is at least comparable that protection the countries and contract must also specify in Singapore" and the transferred under the be data may the territorics
contract.
to
which
personal
would
contract To this end, the in Singapore, Act the in set out
Obligations view that if th has expressed the Protection and intermediary, only the need to be addressed. 10.15
need
to
although
address all the
the Commission
overscas recipient is a data Limitation Obligations
Retention
binding instrument. binding legally
or to the transferring organisation.3" if the recipient, directly related to the transferring organisation the recipient is, the transferring organisation;" indirectly, controls
30
Personal Data Protection Personal Data Protection
31
Personal
32 33
34 35
36
37 38
Data
Protection
Personal Data Protection Personal Data Protection Personal
Data
Concepls in the
Regulations 2014 Regulations 2014 Regulations 2014 Regulations 2014 Regulations
Protection
2014
Personal Data Protection
(S 362/2014) (S 362/2014) (S 362/2014) (S 362/2014) (S 362/2014)
Advisory Act (revised
Commission,
at paras 19.5-19.6. Personal Data Protection
reg 9(1) (6). reg 10(1) (a). reg 10(1)(6). reg 10(2)(a). reg 10(2)(6).
Guidelines on
on
15 July
201)
(S 362/2014) reg 10(1)(¢). Regulations 2014 (S 362/2014) reg l10(1)(). Personal Data Protection Regulations 10(3)(9. 2014 (S 362/2014) reg 10(4)(). Personal Data Protection Regulations 2014 (S 362/2014) reg Protection Regulations Data Personal 2014
336
or
corporate the EU pragmatic means of laws; thesc will be as
10.16 binding corporatec nules must require The evcry recipicnt of ansferred personal data to protect the the data personal transferred to it, of protection hat is at least ndard at a s t to the tion protectio theAct in Singapore The rules must also corporatc of the transferred recipients the personal data to which specily rules apply;? the countries and territories to the ding corporate which lata may be transferred under the
comparable
binding
under
binding corporate the
personal
rules"
and
obligations provided by
the rights and
corporate r u l e s , 1
10.17
binding
rules
arc usctul mechanisms in situations where a may have all of their employee or customer group data processed in one locatio which is outside Singapore. be payroll operation or customer fulfilment These could operations. be transferred fron all around the Personal data would need to world location. Under the Personal Data Protection
orate
Binding c o r p o r a t e
companies
ersonal
Regulations 2014,
t the Singapore legislation, the transter of personal data outside
enforceable obligations can other rules" as well as any corporate the recipient is related be c a n only used where data is Binding corporate nules A recipient of personal
29
discusscd below.
are, person." Bindingdirccdy
x long as binding corporate rules mect or exceed the protections
also take the form of
Legally
ng similar requirements under
meen
erring organisation;
sanisation
the Singapore will satisty
3.
second
Assessing the Transfer
requirement in regulation 9(1).
Limitation
Obligation
10.18 The Transfer Limitation Obligation is a codification of the most efiecdve and workable aspects of the solutions currently found in international practice for protecting personal data that is transferred ONerseas. The Personal Data Protection Regulations 2014 is very clear in permitting the common situations where personal data need to be
9Personal Data Protection Regulations 2014 (S 362/2014) reg 10(4) (6).
Personal Data Protection Regulations 2014 (S 362/2014) reg 10(4)(c).
Fersonal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(a).
Personal Data Protection Regulations 2014 (S 362/2014) reg l0(3)(6) (7). Data Protection Regulations 2014 (S 362/2014) 4ersonal reg 10(3) (6) (in). ersonal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(6)(in). 337
Data
Protection
Trans/er Limitalion Obligation in the
Practical Context
ransferred out of Singapore. In fact, reflect permitting transters of personal data that they were set
Protection Directive 95/46/EC5
the
out in
10.19
Commission has made d.
TogatDataions
the El
Indeed, the only shortcoming with the implementation of the T Limitation Obligation may be the standard of the Singapore protection iransier legislation itself: due to the relatively ed by weak given by the Singapore legislation, most protecti other jurisdiction ecion existing personal data protection laws may well with offer level of protection. a
mparable
10.20 It remains to be seen if the Commission will provide guidance forthe purposes of the second requirement in route that the EU has taken over theregulation 9(1) by taking ng ihe decades, by declaring data personal protection laws of certain jurisdictions to be comparahlethe to the protection under the Act in Singapore.16 .
B.
EUROPEAN UNION POSITION
1.
EU Data Protection Directive 95/46/EC
is the competent body to assess the level of personal data protection in and it consults the countries
through adequacy findings,
European garding Canada's
lhe
an
adequacy finding,
on
assessments with the EU Article 29 Data Protection Working Party
("WP29").
furisdictions where the Canadian legislation is
example
ould h ply European Commission also made an:adequacy finding icable.
nduct, the the US Safe Flarbour Privacy Principles" The was a voluntary scheme where US businesses would the code of conduct. However, this finding of with
conduct,
for
Code
of
a
code o fc o n d u c t
to
in
Court of Jusice of the in the Cou in Maximillian Schrems v Data Prolection Commissioner,
comply
Union
European
challenged
was adequacy
("CJE'U")
in 2015 invalidated the European Commission's
US Safe Harb decisionon the and
10.23 to Subsequentto
blished publis The
WP29
its
Privacy Principles.
EU-US Privacy Shield was created to Privacy Principles. On 13 April, the WP29 the adequacy of the EU-US Privacy Shicld.5
this decision, the
Safe replacethe US
Harbour
on opinion oubts
casted
dou
on the adequacy of this new scheme but on
the European Commission formally adopted a decision Shield.32 Organisations adequacy ot the EU-US Privacy confirming to the standards set out in the EU-US Privacy self-certify in the US may 2016. Shield from 1 August 10.24 of the long-perceived uncertainty of the It is amidst the backdrop of conduct such as the US Safe Harbour code a of adequacy of Privacy Principles that organisations within a multünational group 48
Commission Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on data provided by the Canadian the adequate protection of personal Electronic Documents Act [2002 nformation Protection and
Personal OJL 002/13.
pursuant to Commission Decision 2000/520/EC of 26 July 2000 of the Council on Drective 95/46/EC of the European Parliament and harbour e adequacy of the protection provided by the safe issued byprivacy the 50
Pnciples and related frequently asked questions US Department of Commerce [2000] OJ L 215/7. Se362/14 (6 October 2015) ECLI:EU:C:2015:650, available at p:curia.europa.eu/juris/documents.jsf?num=C-362/14> 1 June 2016).
45
the Coune Parliament and of Directive 95/46/EC of the European with regard to e individuals of 24 October 1995 on the protection movement of sucn data and on the free processing of personal Ant Protection Directive 95/46/EC), Data ("EU reg>u I995] OJL 281/31 362/2014) 2014 (S Personal Data Protection Regulations Art 25(1). EU Data Protection Directive 95/46/EC,
338
for
personal data protection legislation," so
2016, 12July the
10.21 Under the EU Data Protection Directive 95/46/EC," if a non-EU country (third country) has an adequate level of data protection, then personal data can flow freely to the third country. The requirement is of adequacy and not equivalence. In accordance with Article 25(6)od the EU Data Protection Directive 95/46/EC, the European Commision
foreign
a.22
(accessed
Article 29 Data Protection Working Party, WP238, Opinion01/20 on 13 Apnl vacy Shield draft adequacy decision (adopted 2016) 4 l 7 6 final, Commission Implementing Decision of 12July 2010 Cant to Directive 95/46/EC of the European Pariament uncil on the adequacy of the protection ovided by the
Privacy Shield.
339
EU-UJS
Data
Protection in
companies which need,
as data to and from part each corporatc rules.
personal
Transfer Limilaton Obligalion
the
Practical Context s
ot their
business processes. other, have tako aken the route ransler Binding corporate rules are of bin internal rules t
adopted by multinational tinding global policy governing thegroup of companies. These nilessaly international trar within the same iransfers of personastate the group, as it is often within the group corporate the are located in thaat countries which docase adequate level of protection as assesscd not provientities under the EU Directive 95/46/EC. Data Proan a
10.25
Under Article 26(2) of the EU Data organisations may transfer personal dataProtection to a
Directive 95/46/ third level of which da adcquate protection for country adduces adequate personal data i with safeguards to respect the personal data, and protection of th such safeguards may come fr appropriate contractualspecifically, clauses. from Essentially, not ensure an
rules is
an
alternative
having binding comora orate
to an
having to sign standard contractual clauses each time itorganisauon necds to member of its group as it can become transfer personal data to contractual clauses for each transfer madequite burdensome to Sign within a corporate rules present an alternauve mechanism group. Bindino that ensures all transfers made within a group benetit from an adequate level of protection.
their
unless amended, replaced or repealed by the
status
E u r o p e a n C o m m i s s i o n ,5 5
maintain
Gencral
M 7 U T h2 eE
2016/679 affirmed the thods of transterring personal data that are
Data
General
Cxisting
Kegulation
Protection
metho
sed, such as standard contractual clauses 6 Other other cuTent
recognised,
priatesafeguards, such g
and
enforceable
as
binding
corporate rules" and legal
instruments between public authorities,5
are
ding and ded for. Indeed, the EU General Data Protection scts out a
express ulation 2 0 1 6 / 6 7 9
long ist of the minimum Content
binding corporate rules" The EU General Data requircments for also provides two new schemes 2016/67 Regulation on
hereby transfers
will
be allowed: an approved code of conduct
in Article 40 s e t ut sctheme A r t i c l e 42. o u t in
and an approved certification mechanism
set
10.28
Protection Regulation 2016/679, the of personal data in limited ogations to similar exXisting derogations in the EU Data circumstances are Protection Directive 95/46/EC.1 These include explicit consent,
EU General Under the
permitting
Data
transters
contractual necessity," important
reasons
of
public interest
and
vital interests,65
2.
EU
General Data Protection
10.29
Regulation
Given the numerous new schemes and the explicit recognition of axisting mechanisms allowing transfer of personal data to third
10.2
Under the EU General Data Protection Regulation 2016/679, transíers of personal data to third countries continue to be restricted.5 The European Commission will continue to have the power to determine
countries, it would appear that the position in the EU is becoming more permissive and enabling of transfers to third countries than it has ever been.
that certain countries, territories, specified sectors or international
organisations offer an adequate level of protection for data transfers The countries which have previously been approved by the European Commission to have adequate protection for personal data ill
53
of of the European Parliament and the Council of 27 April 2016 on the protection of natural persons wu
Regulation (EU) 2016/679
and regard to the processing of personal data Such data, and repealing Directive 95/46/EC Regulation) ("EU General Data Protection
54
on the free movement o (General Data Protecuo Regulation 2016/b/
Arts 44-47. Art 45(1) EU General Data Protection Regulation 2016/679,
340
0 EU General Data Protection Regulation 2016/679, Art 45(9). EU General Data Protection Regulation 2016/679, Arts 46(2) (c)46(2)(d) K General Data Protection Regulation 2016/679, Arts 46(2)6) and 47. U General Data Protection Regulation 2016/679, Art 46(2)(a). RU General Data Protection Regulation 2016/679, Art 47(2). U General Data Protection Regulation 2016/679, Art 49(1). EU Data Protection Directive 95/46/EC, Art 26. 63 General Data Protection Regulation 2016/679, Art 49 64 RTTneral Data Protection Regulation 2016/679, Art 49)(D). 65 FTTCral Data Protection Regulation 2016/679, Art 49(1){d). eral Data ulation 2016/679, Art 49(1) (). Protection 341
10.30
Since for
Transfer Limitalion Obligation
Data Protection in the Practical Context
Singapore
has not yet achieved
organisations wishing for
Singapore corporate
sharing
rules would
with
to a
adequacy status under R transfer personal data tolaws,
related
organisation,
the
use of h probably be the easiest which do not have approach to: inding any entities, they would need to fall relationship with adopt. Eor scenarios, the higher standard ofback on contractual solutions t need to be the governing standard. protection under EU la
organisations
ould
C.
ASIA-PACIFIC ECONOMIC COOPERATION PRIVACYy
There
are
..only four participating APEC CBPR systemn and Janada. This number may M e x i c o , Japan
currently
0.33
U s, US,
economics: t h e
pecially since the APEC Electronic Commerce the WP29 have, in 2014, produced a common of the APEC CBPR system and the t h e requirements ering is no mutual recognition of both Binding Corporate Rules. the
reasc o v e r t i
cate Rules.There
FU B
certiicationf o r
systems
ification
The
mmOn
nmon
for
questionnaire
10.31
policy constructing barriers to information flows.
perceived
need
to
s e r v e as
the
basis for double
would
woul
nced
to
be submitted to the respective
approval is needed for Authority, binding corporate rules, as well as to the t o be nisations whose approval is needed to be granted APEC a c c o u n t a b i l i t y a g e n t , therefore, be much easier for businesses to be CBPRs. I t w o u l d , the process to obtain even systems, both with compliant u n d e r the two systems.71 different 20proval is The
qDrotection
EU Data
At this juncture, it might be useful to mention anoher the protection of data, if only in terms of the framework fo personal the arena of transfer of value it brinosi personal data. The Cooperation ("APEC") Privacy Framework was Asia-Pacificin Economic adopted 2004. As a framework, it has significant differences from the EU framework and importantly, the APEC Privacy Framework was firmly located within the context of electronic commerce and a
can
an
10.34
FRAMEwORK
referential
organisation.70
whose
granted
CBPRS.
though
avoid
10.32 The
APEC
Cross Border Privacy Rules ("CBPR")
system is It requires self-regulatory. participating businesses to develop and implement personal data
voluntary, certification-based system
a
that is
protection policies consistent with the APEC Privacy Framework. The policies and practices of these businesses are assessed against the
minimum program accountability
requirements
of the APEC CBPR
system by
an
agent. At the time of writing, there were only two accountability agents, TRUSTe in the US and JIPDEC in Japan and thus far, mainly US businesses have applied for CBPR certification.
68
ross Border
at Privacy Rules System, "For Business", available 1 June (accessed www.cbprs.org/Business/BusinessDetails.aspx>
90 2016). Border Privacy Rules System, "For Business", available 1 June 201 2016). www.cbprs.org/Business/BusinessDetails.aspx> (accessed
al
Border Privacy 1 June 2016).
Rules
System