Commission and Committee Are Established For the Personal Data Protection Act
05 April 2013
Singapore’s Ministry of Communications and Information (MCI) has established a Personal Data Protection Commission to administer and enforce the Personal Data Protection Act, which was passed in Parliament on October 15, 2012 after a year of public and industry consultations.
The act will be implemented in stages over an 18-month period to give organizations time to adapt. “During the transition period, the commission will work closely with sectoral regulators and associations to help organizations comply with the act to adjust their data protection practices, and embark on public education and engagement programmes to help consumers better understand how they may protect their own personal data from misuse,” Leong Keng Thai, deputy CEO of the Infocomm Development Authority of Singapore, told Channel NewsAsia.
Singapore’s Parliament passed the act to help the city establish itself as a global, or at least regional, hub for IT and data management services, Lim Chong Kin, the head of telecommunications, media and technology at Drew & Napier in Singapore, tells Asia IP. “Singapore is only catching up with other benchmark jurisdictions, such as Europe and the US.”
It is envisaged that by regulating the flow of personal data among organizations, the act will strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses, he adds.
The commission will issue advisory guidelines to clarify the act, but there are still questions on what constitute personal data, as “the act only defines ‘personal data’ broadly as ‘data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,’” Lim says.
Another uncertainty is about the personal data that are publicly available. “Social media sites such as Facebook and blogs are likely to raise questions as to whether an individual’s personal data that have been uploaded are considered publicly available,” says Lim.
If organizations breach the act’s provisions, the commission may direct the organization to rectify by ceasing its data collection or distribution, correcting its data and or “pay a financial penalty of an amount not exceeding S$1 million (US$814,000),” he says.
For individuals to opt out of receiving unsolicited marketing calls, text and fax messages, the commission is establishing a national “do not call” registry “around early 2014,” Lim says. “Organizations that contravene the do not call provisions may be liable for a fine not exceeding S$10,000 (US$8,130) for each offence.”
Although the act is expected to be beneficial to most, “it would be difficult for the commission to enforce the act against organizations with no presence in Singapore,” Lim says. “To do so effectively, the commission would likely require the assistance of the relevant foreign authorities, which connotes a whole set of challenges, but the Ministry of Information, Communications and the Arts noted that extending the personal data protection framework to overseas organizations might still prove valuable and provide consistent treatment for local organizations.”
Under a three-year term, the commission will be overseen by Leong Keng Thai, deputy CEO of the Infocomm Development Authority of Singapore. In addition to the commission, the MCI has also established a Data Protection Advisory Committee to advise the commission on enforcement and administration of the act. The eightmember committee will be chaired by the director and former director-general of the Intellectual Property Office of Singapore, Liew Woon Yin.