A new law that protects consumers’ personal data will kick in from January 2013, and businesses will have up to 18 months to comply.
Among other things, the Personal Data Protection Act will, for example, allow consumers to protect personal data such as NRIC numbers and mobile phone numbers, and to shield themselves from getting calls from banks and companies who want to sell them products and services.
Speaking in Parliament this week, Minister for Information, Communications and the Arts Yaacob Ibrahim and Members of Parliament (MPs) had a four-hour debate before passing the Bill, which had already gone through many rounds of discussions earlier. His speech can be found on the ministry’s website.
The law will safeguard individuals’ personal data against misuse, and will regulate how organisations manage such data.
That means an organisation may collect, use or disclose an individual’s personal data only if consent is given. And it must specify why the data is needed and how the data will be used.
Consent is not considered valid if obtained by false or misleading means. Exceptions will come in for police investigations, medical emergencies, and data collected for news activities.
“A data protection law will also enhance Singapore’s competitiveness and strengthen our position as a trusted business hub,” Dr Yaacob said. “It will put Singapore on par with the growing list of countries that have enacted data protection laws and facilitate cross-border transfers of data.”
Here are some of the key highlights and examples raised:
1. National Do-Not-Call Registry
This registry is to address the growing issue of unsolicited telemarketing calls and messages, and is expected to be ready for public sign-up in early 2014.
In the first six months of the registry's setup, consumers can expect not to receive unwanted telemarketing calls or messages after 60 days of registering their numbers, Channel NewsAsia reported. Once this six-month setup period ends, they can expect not to receive such unwanted calls or messages after 30 days of registering.
Companies will not be allowed to send advertising messages to a consumer whose phone number is in the registry, unless they have clear and unambiguous consent. If they breach the law, they will be fined up to S$10,000. If the sender hides his or her number, he or she will be fined up to S$10,000.
Other penalties include a maximum fine of S$5,000 or jail of up to a year or both, if any individual tries to access consumers’ personal data without permission.
Businesses likely to be affected would be those in retail and services, such as banks, telcos, gyms, spas, and property agencies and developers.
2. Lucky draw forms
If a company, for example, clearly states on a lucky draw form that the personal data given will be used to contact the consumer to market products, then the company can use it for that purpose. If there is no mention of the purpose, then the company will likely be breaching the law if it uses the data to market products.
MPs said that consumers may miss the fine print while filling up lucky draw forms, and Dr Yaacob said the onus is on the consumers to check. Businesses seeking consent to use data by “using general or vaguely-worded clause buried within pages of other terms and conditions” will likely be deemed as not receiving “clear and unambiguous consent" from consumers. This may be considered misleading or deceptive and is prohibited under the new law, he said.
3. Protecting children and the mentally disabled
Several MPs raised the need to provide for special groups of people, such as children and the mentally disabled. TODAY newspaper reported that Chua Chu Kang GRC MP Low Yen Ling cited the increasing usage of the internet by children. "(The internet) also carries a spectrum of risk for children as they share more about themselves online ... They can be targets for aggressive online marketing ... or even identity fraud," she said.
Dr Yaacob said that the details of persons acting on behalf of minors, and the extent to which they can exercise the rights or powers of these individuals, will be set out in subsidiary legislation later.
4. Online information
MPs asked how the law will apply to personal data posted online, such as social networking sites and blogs. Dr Yaacob said that these sites and blogs may be considered “publicly available” sources depending on the circumstances. No consent is then needed to collect, use or disclose “publicly available” data.
5. Foreign businesses and cross-country exchange
The law will apply to any organisation that collects, uses or discloses personal data in Singapore. This includes foreign companies operating in Singapore.
Dr Yaacob said that the onus would be on the organisations in Singapore to ensure they protect personal data transferred overseas, and there is no need to further burden them with disclosing to consumers where they are transferring copies of the personal data.
A Personal Data Protection Commission is due to be set up in January 2013. It will be the main authority on matters relating to personal data protection, and will represent the Government internationally on matters relating to data protection.
Channel NewsAsia reported that this authority can impose fines of up to S$1 million for every data protection offence, for example. It will also promote awareness of personal data protection in Singapore by educating consumers and businesses on understanding the Act.
7. Government exempted from law
The law does not legislate the way government agencies use citizens' data. The public sector has its own set of data protection rules, and personal data held by government agencies are "protected by appropriate security safeguards against accidental or unlawful loss, as well as unauthorised access, use or disclosure", Dr Yaacob said.