Data Protection in the Practical Context: Strategies and Techniques [1 ed.] 9789811133763

Data Protection in the Practical Context – Strategies and Techniques provides a detailed study of the law, practice and


English Pages 364 [203] Year 2017


Table of contents :
Chapter 1 The Context of Protecting Personal Data
Chapter 2 The Practical and Conceptual Framework
Chapter 3 The Concept of Personal Data
Chapter 4 Notification Obligation
Chapter 5 Consent Obligation
Chapter 6 Purpose Limitation Obligation
Chapter 7 Data Protection by Design and Default
Chapter 8 Access and Correction Obligations
Chapter 9 Care of Personal Data
Chapter 10 Transfer Limitation Obligation
Chapter 11 Other Notable Provisions in the European Union
Chapter 12 Looking Ahead

MONOGRAPH SERIES

Data Protection in the Practical Context: Strategies and Techniques

Hannah YeeFen Lim

Academy Publishing

Academy Publishing is a division of the Singapore Academy of Law ("the Academy"). The Academy is the promotion and development agency for Singapore's legal industry. Its vision is to make Singapore the legal hub of Asia. It aims to drive legal excellence through developing thought leadership, world-class infrastructure and legal solutions. It does this by building up the intellectual capital of the legal profession by enhancing legal knowledge, raising the international profile of Singapore law, promoting Singapore as a centre for dispute resolution and improving the efficiency of legal practice through the use of technology. More information can be found at www.sal.org.sg.

SINGAPORE ACADEMY OF LAW

DATA PROTECTION IN THE PRACTICAL CONTEXT

Strategies and Techniques

ABOUT THE MONOGRAPH SERIES

The series aims to publish treatises providing in-depth, comprehensive analysis of current legal issues.

Law of Sales in Singapore (2017)
Tort of Defamation before the Singapore Courts 1965-2015: A Comparative and Empirical Study (2017)
Employment Law in Singapore - Cases & Materials (2016)
Singapore Law: 50 Years in the Making (2015)
International Issues in Family Law in Singapore (2015)
Juvenile Justice - Where Rehabilitation Takes Centre Stage (2014)
Data Protection Law in Singapore - Privacy and Sovereignty in an Interconnected World (2014)
Criminal Law for the 21st Century - A Model Code for Singapore (2013)
Industrial Design Law in Singapore (2012)
Singapore Law on Arbitral Awards (2011)
Guidelines for the Assessment of General Damages in Personal Injury Cases (2010)
An Asian Perspective on Mediation (2009)
Coroner's Practice in Medical Cases (2008)
The Law on Corruption in Singapore - Cases and Materials (2007)
Confidentiality in Arbitration - How Far Does It Extend? (2007)
Life Sciences: Law and Ethics - Recent Developments in Singapore (2006)

DATA PROTECTION IN THE PRACTICAL CONTEXT

Strategies and Techniques

Hannah YeeFen Lim
BSc, LLB, LLM (Hons) (University of Sydney); Advocate and Solicitor (Singapore); Associate Professor of Business Law, Nanyang Business School, Nanyang Technological University

Academy Publishing
2017

Academy Publishing is a division of the Singapore Academy of Law ("SAL"). SAL is the promotion and development agency for Singapore's legal industry. Its vision is to make Singapore the legal hub of Asia. It aims to drive legal excellence through developing thought leadership, world-class infrastructure and legal solutions. It does this by building up the intellectual capital of the legal profession by enhancing legal knowledge, raising the international profile of Singapore law, promoting Singapore as a centre for dispute resolution and improving the efficiency of legal practice through the use of technology. More information can be found at www.sal.org.sg.

DISCLAIMER

Views expressed by the author are not necessarily those of Academy Publishing nor SAL. Whilst every effort has been made to ensure that the information contained in this work is correct, the author, Academy Publishing and SAL disclaim all liability and responsibility for any error or omission in this publication, and in respect of anything, or the consequences of anything, done or omitted to be done by any person in reliance, whether wholly or partially, upon the whole or any part of the contents of this publication.

COPYRIGHT 2016 Hannah YeeFen Lim.

Third Impression 2019

Published by Academy Publishing under exclusive licence.

All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by any means, whether electronic or mechanical, including photocopying and recording, without the written permission of the copyright holder. All enquiries seeking such permission should be addressed to:

Senior Director, Academy Publishing
Singapore Academy of Law
1 Coleman Street #08-06
The Adelphi
Singapore 179803

Tel No: (+65) 6332 4388
Fax No: (+65) 6333 9747
E-mail: [email protected]

ISBN 978-981-11-3376-3

Preface

Some naysayers may wonder whether a book on personal data protection law is necessary at this relatively infant stage of the development of personal data protection law in Singapore. After all, there have been less than 30 decisions to date.

There were three main drivers for embarking on this endeavour. First, through my professional interactions with those tasked with managing personal data, it became apparent to me that they were familiar with and competent in reciting the personal data protection principles as set out in the legislation, however, they were less than confident in the application of those principles, especially where the principles intersected or overlapped with each other. The nuances seemed many.

Second, the legal profession seems to have only small pockets where the significance of the role of technology in personal data collection, storage, use and disclosure is understood. As a lawyer with formal qualifications and work experience as a computer scientist, and who has practised in personal data protection law in Australia for 25 years, I felt perhaps there was something I could offer in this developing area of law in Singapore. Indeed, the close nexus between personal data protection and cybersecurity does not ring as loudly as it ought to in some quarters. The potential risks and liabilities arising therefrom also do not seem to be on the radar of many organisations and individuals.

Third, the General Data Protection Regulation was adopted by the European Parliament in 2016. This is a significant piece of regulation that will impact organisations in Singapore, not just those engaging in e-commerce, but all organisations with websites that are not mere passive displays of information will need to take heed of the European requirements. These overseas developments need to be synthesised and expounded within the Singapore legal context.

This book is an attempt to address some of these issues. This is a modest, first attempt to analyse the personal data protection law in Singapore. It will no doubt grow in the years to come.

I am very grateful to the wonderful team at Academy Publishing for their meticulous editing and typesetting of this book. Special thanks to Bala Shunmugam for his support, encouragement and understanding and to Elizabeth Sheares for the superb final editing of this book and for her steadfast patience and understanding.

I have endeavoured to state the law as at 28 February 2017.

To Him who has given me all things

Hannah YeeFen Lim
Ash Wednesday, 1 March 2017

Contents

Preface
Table of Legislation
Table of International Conventions, Treaties and Reports
Table of Cases

Chapter 1 The Context of Protecting Personal Data
  A. Identifying the harms
    1. The Erin Andrews case
    2. Cybersecurity
    3. Big data
    4. Litany of harms
  B. Role of information technology in compliance
  C. The significance of the European Union legal position

Chapter 2 The Practical and Conceptual Framework
  A. Scope
  B. Mandatory requirements
    1. Policies and practices
    2. Developing a data protection policy
      (a) Personal data audit
      (b) Structure and content
  C. Enforcement of rights
    1. The Personal Data Protection Commission
      (a) Powers of the Commission
      (b) Dispute resolution powers
      (c) Review powers
      (d) Penalties and broad powers to direct
      (e) Appealing the decisions made by the Commission
    2. Criminal penalties
      (a) Offences under section 51
      (b) Piercing the veil
      (c) Unauthorised access or correction
      (d) General penalty
    3. Right of private action
  D. Employer liability for employees
  E. Data intermediaries
  F. Encouraging compliance
  G. Conceptual framework of personal data regime
    1. The "reasonable person"

Chapter 3 The Concept of Personal Data
  A. Definition in the legislation
    1. "Data" and "Information"
    2. Format of data
    3. To identify an individual
    4. Personal data: Basic level
    5. Personal data: Expanded level
  B. Anonymisation of data
    1. Receiving anonymised data sets
    2. Anonymising data sets
      (a) Anonymisation testing
      (b) A more realistic view of anonymisation
    3. The way forward to anonymising data sets
  C. Deceased individuals
  D. Historical records
  E. Business contact information
  F. Exceptions of other kinds of personal data

Chapter 4 Notification Obligation
  A. Introduction
  B. Rationales for the Notification Obligation
  C. Practical considerations
    1. "On or before"
    2. Purposes, not activities
    3. Subsidiary purposes
    4. Manner and form of notification
    5. Consequences if personal data is not collected
  D. Notification of purposes in the online environment
  E. Position in the European Union

Chapter 5 Consent Obligation
  A. Consent Obligation
  B. Excessive consent required
  C. Deemed consent
    1. Deemed consent for multiple purposes
    2. Deemed consent through action
    3. Corollary of deemed consent to disclose
    4. Caution on deemed consent
  D. Manner and form of consent
  E. Withdrawal of consent
  F. Collecting personal data from third parties
  G. Exceptions to the Consent Obligation
    1. Evaluative purposes
      (a) Employment context
      (b) Insurance
      (c) Remaining evaluative purposes permitted
    2. Managing or terminating an employment relationship
    3. Documents produced in business, employment and professional settings
    4. Business asset transaction
    5. Publicly available data
      (a) Definition of publicly available data
      (b) Presence of restrictions
      (c) Opening the floodgates
      (d) Observable personal data
    6. Solely for artistic or literary purposes
    7. Research purposes
    8. Disclosure for archival or historical purposes
    9. Conferment of benefits
      (a) Private trusts and benefit plan
      (b) Service for personal or domestic purposes
      (c) Emergencies
      (d) Interests of the individual
      (e) Disclosures that provide benefit
    10. Remaining exemptions
  H. Validity of consent of minors in Singapore
  I. Some thoughts on consent and exemptions in the Schedules
    1. Importance of consent
    2. Specific industry sectors
  J. Impact of the European Union position on consent
    1. Consent under EU Data Protection Directive 95/46/EC
    2. Consent under EU General Data Protection Regulation 2016/679
      (a) New requirements
      (b) New requirements for minors under 16 years old
    3. Compliance with European Union regulations
    4. Cookies: Case study of obtaining consent online
      (a) Cookies on websites
      (b) Position in Singapore
      (c) Position in the European Union
        (i) The WP29 Opinion
        (ii) Practical implementations of cookie consent in the European Union

Chapter 6 Purpose Limitation Obligation
  A. Personal Data Protection Commission's views
  B. "Appropriate" is not equivalent to "reasonable"
  C. Assessing the two tests
    1. Effect of section 18 on exemptions to consent
    2. Effect of section 18 on exemption to deemed consent
    3. The reasonableness test
  D. Scope of Purpose Limitation Obligation
    1. Collection, use or disclosure from another organisation without consent
    2. Shortcomings
  E. European Union position
    1. Specified, explicit and legitimate purposes
      (a) Specified
      (b) Explicit
      (c) Legitimate
    2. Compatible
    3. Practical examples
    4. Data minimisation principle
      (a) Data minimisation principle and big data
      (b) Data minimisation principle and Internet of Things

Chapter 7 Data Protection by Design and Default
  A. Design and operation of business or organisational practices
    1. Types and amount of personal data collected
      (a) Status or significance of some types of personal data
      (b) Personal data that is unique and non-changeable
      (c) Sensitive personal data
    2. Employer/Employee related matters
  B. Information technology systems and networked infrastructure
    1. Guides
    2. Data structures
    3. Internet of Things

Chapter 8 Access and Correction Obligations
  A. Access Obligation
    1. Procedural requirements for Access Obligation
    2. Ways in which personal data has been used or disclosed
      (a) Disclosures to organisations
      (b) How personal data has been used or disclosed
    3. Prohibitions and exceptions to Access Obligation
      (a) Prohibitions against granting access
      (b) Exceptions to granting access
  B. Correction Obligation
  C. European Union position
    1. Right of access - The Directive
    2. Right of access - New European Union law
    3. Right to rectification - The Directive
    4. Right to rectification - New European Union law

Chapter 9 Care of Personal Data
  A. Accuracy and completeness of personal data
    1. The five factors
    2. The four aspects
    3. Compliance with Accuracy Obligation
    4. European Union position
  B. Protection of personal data
    1. The Protection Obligation
    2. Data protection by design approach
    3. Risk assessment
    4. Data breach notification - Personal Data Protection Commission's Guide
      (a) Data breach management plan
      (b) Containing the data breach
      (c) Assessing risks and impact
      (d) Reporting the data breach
      (e) Evaluating the response and recovery
    5. Complying with Protection Obligation
    6. European Union position
      (a) Security principle
      (b) Personal data breach notification to supervisory authority
      (c) Personal data breach notification to affected individuals
      (d) Sanctions for non-compliance
  C. Retention of personal data
    1. Retention Limitation Obligation
    2. European Union position

Chapter 10 Transfer Limitation Obligation
  A. Personal Data Protection Regulations 2014
    1. Satisfying the second requirement: Explicit situations
    2. Satisfying the second requirement: "legally enforceable obligations"
    3. Assessing the Transfer Limitation Obligation
  B. European Union position
    1. EU Data Protection Directive 95/46/EC
    2. EU General Data Protection Regulation
  C. Asia-Pacific Economic Cooperation Privacy Framework

Chapter 11 Other Notable Provisions in the European Union
  A. Rights to object under European Union laws
    1. Right to object due to the individual's particular situation
    2. Right to object for purposes of direct marketing including profiling
    3. New right to object to processing for scientific or historical research, or statistical purposes
  B. Automated decisions and profiling
  C. Right to erasure
  D. Right to data portability

Chapter 12 Looking Ahead

Index

Table of Legislation

Children's Online Privacy Protection Act of 1998 15 USC §§ 6501-6505 (2006) (US)
Children's Online Privacy Protection Rule 16 CFR Pt 312 (2012) (US), § 312.5(b)(2)
Children's Online Privacy Protection Rule: Final Rule Amendment 78 Fed Reg 3972 (January 17, 2013) (US)
Computer Misuse and Cybersecurity Act (Cap 50A, 2007 Rev Ed)
Data Protection Act 1998 (c 29) (UK)
Interpretation Act (Cap 1, 2002 Rev Ed), s 48A
Limitation Act (Cap 163, 1996 Rev Ed)
Personal Data Protection Act 2012 (Act 26 of 2012)

XVil

1.5, 2.107, 4.2, 4.6, 4.11, 5.2, 5.9, 5.55, 5.56, 5.60, 5.61, 5.63, 5.64, 5.65, 5.145, 12.1 5.166, 5. 186, 5.204, 6.4, 6.50, 9.103, ... 5.153, 10.10 ...5.152, 10.10 . 5.108, 6.26, 9.103 *****************************************°"****** 5.167, 10.10 ...5.168, 5.189 **********************e***********

..

*************

*******************************

para 1(a)

para

***** 5.106

..5.58, 5.96

******************

.Z.

******************************************************************************42.87 0T s 67(2).... Pt IV (ss 13-20)... 5.77 PtV (ss 21-22)... 5.77, 9.1, 10.1 Pt VI (ss 23-26).. *************************************************.***. ...5, 2.107, 4.2, 4.6, 4.11, 5.2, 5.9, Second Sched ... a .....sso . eo***************** 5.55, 5.56, 5.57, 5.58, 5.60, 5.61, 5.63,

para

**

2./5

************°*********************************'******

s 52(4) .. s 53..

......

*****************.

**************************************

s

973

************.os*

1 73

*********

*****************************************

para 3(2) (6)

2.72

****e*s...2.

*******

s 51(5)....

s

*

...

****************************************

5

******"*************"

...

.

s51(4) . . .

s

..2.73

*****************

***"***************"****************

***** *****

***

5.57, 5.58, 5.96 *** para I(7).... 5.1 72 * ******* para 2. . . *********.... 3.99 para *********************************************************"********************* .5.102 ******************************"***************************°****************

para 1(9)..

* * * *

***********************

******************

************'*************"************************

para i(n) . para I (o).

*****°**********************************************.****

5.174 ***********************************************************************************"" 5.174 ************essstsseeessestose*i*************************************** 5.161, 10.10

para 1(p)(i)... ************************************************************************************ 5.99 para I() ****************************************.*******************************.*******. 5.139 v

xix



"Singapore link", which meant that the regime would only apply if either the personal data was collected from an individual physically present in Singapore, or the data was located in Singapore at the time of collection, or the organisation used the data in Singapore, or the data was disclosed in Singapore. The final form of the legislation dropped this requirement, rendering the regime more effective as it deters those who might attempt to avoid compliance by shifting or outsourcing collection or use of data overseas. This stance of extraterritorial reach is consistent with other legislation in Singapore, such as the Computer Misuse and Cybersecurity Act,[13] although realistically, for an organisation that has no presence in Singapore, it may be difficult for any claim to be made against it.

2.8 One of the most important points to note is that the personal data protection regime will operate concurrently with other legislative and regulatory frameworks, so organisations in those sectors that have sector-specific requirements need to continue to comply with them. Section 4(6)(a) specifically states that nothing in the personal data protection principles enshrined in the Act "shall affect any authority,

[12] Privacy Act 1988 (Act No 119 of 1988) (Cth) s 6D. See also Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press, 2nd Ed, 2007) at pp 194-195.

[13] Computer Misuse and Cybersecurity Act (Cap 50A, 2007 Rev Ed) s 11.

2.10 All organisations are required to designate at least one person to be responsible for ensuring that the organisation complies with the Act but there is no need for this personal data protection officer ("DPO") to be a dedicated officer (or limited to only one person). For sole traders, the DPO may well be the sole trader.[17]

2.11 The DPO can be from within the organisation and, for many organisations, the role may often be filled by the legal counsel, if there is one, or someone responsible for human resources.[18] There is no reason why the DPO cannot be an external consultant. Regardless of whether the DPO is from within or outside the organisation, the Act requires that the business contact details of the DPO be publicly available,[19] so it seems imperative that the public has a visible contact point.

1.

Policies and practices

2.12 In addition to appointing a DPO0, all organisations are required to develop and implement policies and practices that are needed to

14 15 16 17 18 19

Personal Data Protection Act 2012 (Act 26 of 2012)s4(6) (a). Personal Data Protection Act 2012 (Act 26 of 2012) s4(6)(6). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(6) (a). Personal Data Protection Act 2012 (Act 26 of 2012) ss 11 (3) and 11(4). Personal Data Protection Act 2012 (Act 26 of 2012) ss 11(3) and 11(4). Personal Data Protection Act 2012 (Act 26 of 2012) s 11(5).

31

Data Protection in the Practical Context The Practical and

Act and to communicate thes hese o compliance with the must also a organisations Furthermore, staff. to complaints regarding persone and receive respond to process and practices and the complaint protection,2 and the policies ensure

develop

a

website, the personal

be available online in a layered information. to m o r e detailed

manner

complaint

blic upon request.22proces

must be made available to the general

organisation has

their

protection polic through the use of hVne data

Ifan

to

needs

structure to

be

to work closely with all tcams within and implement these policies and pracs develop to educate employees o n the policies and r

and, of course, es. Although the DPO will also likely be the person responsible for and responding to requeste f handling complaints and co-ordinating access or correction, however, the protection of data should be in the psyche of the whole organisation and not just the DPO. If it is lett solely in the hands of the DPO, compliance by an organisation will be

and

content

of the

protection personal data

developed.

Personal data audit

(a) 2.17

2.13 The DPO would need

organisation

Sccond,

policy

the

ConceptualFramework

use

and

disclosure

practices

must

first be

data collection, exercise is to All current i n f o r m a t i o n gathering and analysed. This as well identified a n organisation, held data by overview of the personal of an obtain regarding the handling procedures and systems it and described as its practices, wil to be This will enable the practices personal data. about whether any of the practices assessment to be made also allow a n whether any necessary the legislation and be might be contravening a n audit might organisations, For taken. larger action should be the data organisation discover the kinds of personal necessary to relevant processes and procedures as well as the handles, and collects data. regarding the personal

much more difticult.

2.18

2.14 Organisations should be mindful of compliance with these mandatory requirements of the appointment of a DPO and the development and implementation of policies and practices, as non-compliance can also

form the basis of a financial penalty."

Developing a data protection policy

2. 5

The level of complexity of a data protection policy will depend on how much personal data an organisation collects and how much processing is undertaken by the organisation, as well as whether it discloses any personal data.

to identify a personal data policy is The first step towards developing involve that the activities of organisation the main functions and a small tuition centre might| for list A personal data handling. simple conduct publicity campaigns, look like this: provide tuition services, and operate a website. For each of these activities, handle

complaints,

some of the essential information required might be: what personal data is collected and how it is collected, how the personal data is held, the purposes for the collection, use and disclosure, and whether the personal data is transferred outside Singapore.

2.19 If there are specific approaches or commitments which the organisation has in place, these should be noted and highlighted. Some examples might include:

(a) whether the organisation sells personal data to anyone 2.16 There

(b)

generally two main steps in developing a data protection policy. First, information about the organisation's personal data practices, procedures and systems must be gathered and understood.

20 21

22 3

Personal Data Protection Act 2012 (Act 26 of 2012) ss 12(a) and 12{9 Personal Data Protection Act 2012 (Act 26 of 2012) s 12(6). Personal Data Protection Act 2012 (Act 26 of 2012) s 12(d).

whether and what security protections such as encryption are in place;

are

(c)

to whom and in what circumstances personal data will be disclosed and whether they will be transferred oversees;

(d) what are the procedures and systems for identifying and managing security risk, as well as developing and monitoring (e)

controls for those risks; details of what processes

are

fu Kwe Kitchen Catering Services and Pixart Pte Lid |2016] SGPDPC 14.

32

in

place

personal data that is no longer needed;

33

to

identify

and manage

Data

what processes

(

Protectionin the

are

used to

de-identified;

(g) (h)

(i)

Practical Comtext

ensure

The Practical and ComceptualFramework

Dersonal

pcrsonal

for providing

of the procedurcs of personal data; pdating for upda procedures details of the and accurate; they are procedure. details of the complaints

data dala is is

access

to

destroyed.or

ar

details

ction

personal data (b)

2.20 At this juncture, it must be stressed that in addition to a personal data protection policy that informs the general public of their personal data protection practices, organisations must also have in place policies and practices for employees to follow in the handling of personal data. These should be clearly spelled out, leaving no doubt in the minds of employees of what is permissible and what is not permissible. The procedures in place for handling of personal data should not as far as possible facilitate or enable the employees to do anything that might contravene the Act. This may be difficult in some settings but organisations should strive for solutions. Often, technology may have to be utilised to limit any possible wrongdoing by employees, whether they are intentional or accidental. Organisations should adopt the practice of "personal data protection by design" or "privacy by design" wherever possible.

2.21 Personal data protection by design is an approach where the personal data is protected through embedding protection into the design of technologies and physical infrastructures, that is, the protections are weaved into the design specifications and architecture of new systems and processes. This will be discussed in further detail in chapter 7.

2.22 A very simple example of the implementation of personal data protection by design would be a system that might reduce opportunities for employees to pry into personal data records that they have no business looking into and to collect the personal data. Such a system might be to issue employees with personalised logins and passwords for logging into computer systems instead of just using a generic password shared by many employees. The system can also be layered so that before an employee can access a particular record, they have to input a valid case number, thereby restricting general access. In any event, the personalised login, when set up with the correct software and configurations, would be able to track all the personal data records accessed by employees along with logs of time and duration of access and all this would assist to ensure compliance and to identify the culprit in the event of unauthorised access and/or a personal data leak.
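One way to build the layered access described in para 2.22, as an added example that is not from the book: each employee has a personal login name, a record opens only against a case number that covers it and is assigned to that employee, and every attempt is logged with time and duration. The class names, case numbers and records below are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessEvent:
    """One entry in the access log: who, which record, which case, when."""
    employee: str
    record_id: str
    case_no: str
    opened_at: datetime
    granted: bool
    reason: str
    closed_at: Optional[datetime] = None

    @property
    def duration(self) -> Optional[timedelta]:
        return self.closed_at - self.opened_at if self.closed_at else None


class RecordGate:
    """Releases a record only to a named employee quoting a case that covers it."""

    def __init__(self, records, cases):
        self._records = records  # record_id -> personal data
        self._cases = cases      # case_no -> {"record_id": ..., "assigned": {...}}
        self.log = []            # append-only list of AccessEvent

    def open_record(self, employee, record_id, case_no, now):
        case = self._cases.get(case_no)
        if record_id not in self._records:
            reason = "no such record"
        elif case is None:
            reason = "unknown case number"
        elif case["record_id"] != record_id:
            reason = "case does not cover this record"
        elif employee not in case["assigned"]:
            reason = "employee not assigned to this case"
        else:
            reason = "ok"
        event = AccessEvent(employee, record_id, case_no, now, reason == "ok", reason)
        self.log.append(event)  # refused attempts are logged as well
        return event, (self._records[record_id] if event.granted else None)

    def close_record(self, event, now):
        """Record when the employee stopped viewing, so duration is known."""
        event.closed_at = now

    def who_accessed(self, record_id):
        """After a leak: every granted access to the record, with duration."""
        return [(e.employee, e.case_no, e.opened_at, e.duration)
                for e in self.log if e.granted and e.record_id == record_id]

    def refused_attempts(self):
        """Per-employee count of refused attempts, a simple prying indicator."""
        return Counter(e.employee for e in self.log if not e.granted)


T0 = datetime(2017, 1, 9, 9, 0, tzinfo=timezone.utc)  # constructed timestamp


def demo():
    # Constructed sample data: two records, one open case assigned to "alice".
    records = {"R-1": {"name": "Customer One"}, "R-2": {"name": "Customer Two"}}
    cases = {"C-1001": {"record_id": "R-1", "assigned": {"alice"}}}
    gate = RecordGate(records, cases)

    event, data = gate.open_record("alice", "R-1", "C-1001", T0)
    gate.close_record(event, T0 + timedelta(minutes=4))
    # "bob" has a login but no case: both of his attempts are refused and logged.
    gate.open_record("bob", "R-1", "C-1001", T0 + timedelta(hours=1))
    gate.open_record("bob", "R-2", "C-9999", T0 + timedelta(hours=1, minutes=1))
    return gate, data


if __name__ == "__main__":
    gate, _ = demo()
    for entry in gate.log:
        print(entry.employee, entry.record_id, entry.case_no, entry.reason)
```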

Structure and content

2.23 Care should be taken that the personal data protection policy is arranged in a manner that makes sense in terms of the organisation's functions and the audience of the personal data protection policy. More details should be provided for areas that individuals would be most concerned with or may find objectionable, such as the selling or disclosure of personal data. Similarly, practices or processes that individuals would not be aware of, or would not reasonably expect, should be highlighted.

2.24 The suggestions given above do not, however, mean that common business or administrative practices should be ignored. There may be processes that are self-evident, such as an individual filling out a form with a name and address where it is obvious that a delivery should be made to that address or that the address is for billing purposes, but these practices should be summarised for the individuals.

2.25 Ideally, the information in a data protection policy should be grouped under relevant headings such as scope of the policy, collection of personal data, use and processing of data, disclosure of personal data, rights and choices, and complaints procedure. Under each of these headings, all the relevant information should be provided with special focus on specific approaches or commitments the organisation has in place. For example, under the heading of collection of personal data, the personal data collected should be clearly stated and include the reasons for collection, highlighting any unusual or unexpected reasons or purposes for the collection, or even unexpected personal data collected. Information under the rights and choices heading should provide details on choices that individuals can make, including the right to request access and correction of personal data held about them and, of course, the complaints procedure should state the procedure on how to make a complaint and what other (limited) recourse individuals might have.

2.26 If there are new processes introduced in the organisation, the personal data protection policy should be updated to reflect the changes and the new processes should be assessed to ensure that they meet compliance. In any event, the personal data protection policy should be regularly reviewed and updated to ensure that it reflects the organisation's current personal data handling practices.

2.27 Lastly, the personal data protection policy should use simple language, and avoid legal jargon, acronyms and in-house terms, unless the acronyms and in-house terms are clearly defined or explained in the document.

C. ENFORCEMENT OF RIGHTS

1. The Personal Data Protection Commission

2.28 The Singapore personal data protection regime is overseen by the Personal Data Protection Commission as the administrative and enforcement authority. The Commission also has the mandate to undertake personal data protection education and awareness efforts.24 It seems that the organisational structure of the Commission may be styled on the Competition Commission of Singapore. The Commission is a quasi-judicial and supervisory authority with enforcement and varied powers. All the directions of the Commission, except for directions on dispute resolution, can be enforced in the District Court regardless of the monetary amount.25

(a) Powers of the Commission

2.29 The personal data protection regime is one based primarily on a complaints-based approach, however, the Ministry of Information, Communications and the Arts ("MICA") in the Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill ("2012 MICA Consultation")26 made it clear that the Commission may also initiate investigations, regardless of whether a complaint is received, into an organisation's compliance with any provision of the Act, "if it is satisfied that there are reasonable grounds to believe that the organisation is not complying"27 with the Act. However, it should be noted that section 50(1) of the Act does not limit the power of the Commission to initiate investigations in such a manner as it simply states that:28

The Commission may, upon complaint or of its own motion, conduct an investigation under this section to determine whether an organisation is not complying with this Act.

2.30 Hence, it cannot be ruled out that there may come a time when the Commission may conduct audits.29 For this reason, organisations should be cognisant that the Commission is very much a supervisory authority to be reckoned with.

2.31 The Commission appears to have a discretionary power over whether to exercise its powers of investigation as it may suspend, discontinue or refuse to conduct an investigation if it thinks fit.30 The powers of investigation of the Commission and the inspectors are set out in the Ninth Schedule.31 Also relevant here are the Regulations,32 and the Commission has also issued the Advisory Guidelines on Enforcement of the Data Protection Provisions,33 which are non-binding, but they indicate the Commission's approach in handling complaints, reviews and investigations of breaches of the data protection rules, as well as enforcement and sanctions.

24 Personal Data Protection Act 2012 (Act 26 of 2012) s 6.
25 Personal Data Protection Act 2012 (Act 26 of 2012) s 30.
26 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012).
27 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.123. See also s 50 of the Personal Data Protection Act 2012 (Act 26 of 2012).
28 Personal Data Protection Act 2012 (Act 26 of 2012) s 5(1).
29 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.125. See also s 50 of the Personal Data Protection Act 2012 (Act 26 of 2012).
30 Personal Data Protection Act 2012 (Act 26 of 2012) s 50(3).
31 Personal Data Protection Act 2012 (Act 26 of 2012) s 50(2) and Ninth Schedule.
32 Personal Data Protection Regulations 2014 (S 362/2014); Personal Data Protection (Enforcement) Regulations 2014 (S 455/2014).
33 Personal Data Protection Commission, Advisory Guidelines on Enforcement of the Data Protection Provisions (21 April 2016).

(b) Dispute resolution powers

2.32 In dealing with a complaint made by an individual against an organisation, the Commission has the power to refer the matter for mediation with the consent of the relevant parties, as well as to order any other dispute resolution method with or without the consent of the relevant parties.34

2.33 In the 2012 MICA Consultation,35 MICA felt that mediation would encourage early resolution of complaints by facilitating [...] between the affected parties and hence it was essential that the Commission was given the power to refer the parties to mediation.

(c) Review powers

2.34 Under section 28 of the Act, upon the receipt of a complaint, the Commission can review the exercise of power by organisations in relation to three areas where an organisation has made a decision regarding personal data.36 The three areas are: refusal or failure to provide access to personal data, the quantum of the fees charged for access to or correction of personal data and a refusal by the organisation to correct personal data or a failure to do so within a reasonable time.

2.35 In relation to a refusal to provide access to personal data requested under section 21 of the Act by the complainant or a failure to provide access within a reasonable time, the Commission may confirm the refusal to provide access, or direct the organisation to provide access to the personal data within a set timeframe.37

2.36 Section 28(1)(b) of the Act gives the Commission jurisdiction to review a fee required from the complainant by an organisation in relation to a request by the complainant under both section 21 to access the individual's own personal data as well as section 22 to correct personal data. The way this provision is worded gives the impression that a fee can be charged to correct personal data. However, the Personal Data Protection Regulations 2014 specifically states that no fee can be charged for correction of personal data under section 22(2) of the Act and organisations should be cognisant of this.38 Section 28(2)(b) grants the Commission the power to confirm, reduce or disallow a fee, or direct the organisation to make a refund to the complainant as the case may be.

2.37 The third review power concerns the situation where an organisation has refused to make a correction to personal data under section 22 of the Act or has failed to do so within a reasonable time. The Commission may confirm the refusal to correct the personal data, or direct the organisation to correct the personal data with full power to dictate the manner of correction and set any time frames.

(d) Penalties and broad powers to direct

2.38 The Commission also has broad powers to give directions to any organisation so as to ensure compliance with the Act.39 Hence, it can direct an organisation to cease collection, use, disclosure of personal data, as well as to destroy personal data.40 In the 2012 MICA Consultation,41 MICA also stated that directions can be given for compensating affected individuals as a result of non-compliance with the data protection law. Importantly, the Commission has the power to impose a financial penalty of up to $1m.42 This administrative law penalty is distinct from the criminal penalties which will be discussed below.

34 Personal Data Protection Act 2012 (Act 26 of 2012) s 27.
35 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012).
36 Personal Data Protection Act 2012 (Act 26 of 2012) s 28.
37 Personal Data Protection Act 2012 (Act 26 of 2012) ss 28(1)(a) and 28(2)(a).
38 Personal Data Protection Regulations 2014 (S 362/2014) reg 7(4).
39 Personal Data Protection Act 2012 (Act 26 of 2012) s 29.
40 Personal Data Protection Act 2012 (Act 26 of 2012) s 29(2).
41 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.118.
42 Personal Data Protection Act 2012 (Act 26 of 2012) s 29(2)(d).

2.39 In the few cases to date, the Commission's approach to enforcement can be seen to be tempered by a concern to raise awareness and understanding of the requirements of the personal data protection
regime through issuing appropriate directions rather than a punitive approach. In the decision of Universal Travel Corp Pte Ltd,43 which involved a travel agent (the respondent) disclosing the personal data of 37 of its customers of a group tour to four individuals who cancelled their participation in the tour, the Commission [...] that the disclosures of personal data without consent and notification were caused by a lack of awareness on the part of the respondent's employees of the data protection obligations and not due to a systemic issue that could result in further disclosures to be made or further harm to be caused.44 As such, the disclosures were bona fide mistakes made by the respondent's employees who were seeking to assist the passengers with their insurance claims, and not one where there was a wilful disregard for the provisions in the Act.45 Since disclosures were made to a limited number of persons to their personal e-mail addresses and the personal data that was disclosed was in relation to limited individuals, the Commission directed the respondent to remedy the situation by, inter alia, informing within two weeks the individuals who received the passenger list not to disclose the list to other third parties; to send employees to attend a training course on the obligations under the Act and the organisation's data protection policies within six months; and to put in place within three months a data protection policy and internal guidelines to comply with the provisions of the Act and, in particular, to prevent future recurrences of the breaches.46

2.40 In the decision of Universal Travel Corp Pte Ltd,47 the Commission did not impose a penalty, partly due to the small number of individuals' personal data disclosed and partly due to the co-operative nature of the respondent. This case can be contrasted with the case of Fei Fah Medical Manufacturing Pte Ltd48 where the Commission levied a penalty of $5,000 for a data leak. User login identifications, poorly encrypted passwords, e-mail addresses and mobile phone numbers of at least 836 individuals were leaked.49 The respondent company had no idea how the leak occurred and were unable to explain or to provide sufficient information during the investigation. The Commission noted that the user login identifications and password would have enabled anyone to log in and obtain access to other personal data relating to the individuals.50 The respondent company "had been neither co-operative nor forthcoming in its responses"51 and had provided incomplete responses and had even completely ignored a Notice to Require the Production of Documents and Information ("NTP") issued by the Commission under the power given to it under the Ninth Schedule of the Act.52 Although the respondent company had instructed its data intermediary to take remedial actions, the implementation of the remedial actions did not occur until more than ten months after discovery of the initial data leak.53 As a result of these factors, the Commission, in addition to giving various directions such as to implement a new website and to conduct a web application vulnerability scan and to patch all vulnerabilities, imposed a financial penalty of $5,000.54

2.41 It would appear that the scale or amount of personal data that has been leaked and the co-operativeness of the respondents have played a key factor in determining the quantum of penalty imposed by the Commission. In the case of K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd55 where the data leak involved 317,000 K Box members' details, the Commission imposed the highest penalty to date of $50,000 on K Box56 and $10,000 on its data intermediary Finantech.57 The data leak disclosed quite substantial amounts of personal data belonging to each member, namely, the individual's name, NRIC/passport/FIN number, Singapore mailing address, contact number, e-mail address, gender, nationality, profession and date of birth.58 The leak of personal data was caused largely by a failure to make reasonable security arrangements to protect the personal data.59 In addition to numerous failings in its protection of personal data, K Box also had not appointed a DPO or put in place personal data policies.60

43 [2016] SGPDPC 4.
44 Universal Travel Corp Pte Ltd [2016] SGPDPC 4 at [21].
45 Universal Travel Corp Pte Ltd [2016] SGPDPC 4 at [21].
46 Universal Travel Corp Pte Ltd [2016] SGPDPC 4 at [20].
47 [2016] SGPDPC 4.
48 [2016] SGPDPC 3.
49 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [7
50 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [13]-[15].
51 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [20].
52 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [33].
53 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [33].
54 Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [35].
55 [2016] SGPDPC 1.
56 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [44].
57 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [45].
58 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [3].
59 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [26].
60 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [42].

2.42 Although the remedial actions of both K Box and Finantech were fair and prompt after the personal data leak,61 their shortcomings were in their lacklustre assistance in the investigations. During the investigation, K Box was not forthcoming in providing information. The Commission was scathing in criticising that K Box had only provided bare facts in their responses during the investigations, which did not facilitate the Commission's investigations.62 Similarly, Finantech appeared not to be forthcoming in providing information during the investigation. Finantech's responses to the NTPs were only provided almost seven months after the NTPs were first issued in October 2014, thereby delaying the investigation process.63

2.43 In another case of personal data leak where the Commission imposed a substantial penalty,64 the Commission imposed a penalty of $10,000 against the Institution of Engineers Singapore ("IES"). The personal data disclosed included members' online login identification, passwords and mobile phone numbers.65 IES was unable to ascertain how many members' personal data were disclosed but the Commission noted that the titles of the two lists that were disclosed indicated somewhere in the range of between 6,000 and more than 60,000 members' personal data may have been disclosed.66 The IES was co-operative and forthcoming throughout the Commission's investigation and it promptly took measures, including additional security measures following its discovery of the personal data leak.67

2.44 It would appear that for personal data leaks that involve large numbers, the penalties range from $5,000 upwards, but there is no clear formula that can be gleaned from these cases. The disclosure of the personal data of at least 836 individuals in Fei Fah Medical Manufacturing Pte Ltd68 earning it a penalty of $5,000 cannot really be reconciled with the $10,000 imposed on the IES for the disclosure of an unknown number of members' personal data ranging from 6,000 to more than 60,000. If anything, the fact that the IES could not even determine the exact extent of the breach should have been a factor to increase the level of penalty because it was a further indicia that protection for the personal data was lacking. However, the IES was co-operative with the investigation process whereas Fei Fah Medical was not. Likewise, in The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd,69 the Commission expressed that both The Cellar Door and its data intermediary had "displayed a cavalier attitude by providing incomplete responses to the NTPs issued by the Commission",70 which no doubt contributed to The Cellar Door being landed with a $5,000 penalty and its data intermediary a $3,000 penalty. The Commission, unfortunately, did not elaborate on how many individuals' personal data were disclosed, which is rather unhelpful because justice needs to be clearly seen to have been meted out. The higher penalty to The Cellar Door was due to the Commission's view that The Cellar Door, as the data controller, retained the primary responsibility and obligation to protect the personal data of its customers.71

2.45 In two late 2016 cases where the breaches were very similar factually, a financial penalty of $3,000 was imposed on the respondent in each of the two cases. In both cases, the primary respondent was a catering firm and, in both cases, the breach occurred in their online ordering system. In both cases, the breaches were the result of poor computer programming practices whereby the online order review web page or order details of a customer could be viewed by anyone. The personal data of other customers could be viewed by simply changing the number at the end of the web address, and these review web pages never expired and were permanently accessible.72 There were two further decisions in late 2016 that could be argued to be relatively factually similar to these two catering company cases; one imposed a similar financial penalty of $3,000 whereas in the other, only a warning was issued.73

61 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [42]-[43].
62 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [42].
63 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [43].
64 The Institution of Engineers Singapore [2016] SGPDPC 2.
65 The Institution of Engineers Singapore [2016] SGPDPC 2 at [7]-[8].
66 The Institution of Engineers Singapore [2016] SGPDPC 2 at [13].
67 The Institution of Engineers Singapore [2016] SGPDPC 2 at [39].
68 [2016] SGPDPC 3.
69 [2016] SGPDPC 22.
70 The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [36].
71 The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [39].
72 Fu Kwee Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [6] and [16]; Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [13]-[14].
73 GMM Technoworld Pte Ltd [2016] SGPDPC 18; ABR Holdings Ltd [2016] SGPDPC 16.

2.46 In the decision of Fu Kwee Kitchen Catering Services and Pixart Pte Ltd,74 Fu Kwee had failed to protect the names, postal addresses and contact numbers of its customers and had not implemented any personal data protection policies for the collection, use or disclosure of personal data, nor appointed a DPO.75 It is unclear how many individuals' personal data were involved, but Fu Kwee was not forthcoming in providing information during the investigation and only provided bare facts in its responses during the investigations.76 Fu Kwee's data intermediary, Pixart, was also not co-operative during the investigation process, although it did take active steps to rectify the vulnerability within around two weeks.77 The Commission imposed a penalty of $1,000 on Pixart.78

2.47 The second case of Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd79 was rather sketchy in the facts pertaining to who was responsible for what and the primary respondent, Smiling Orchid, was so unco-operative during the investigations that the Commission noted that:80

... [it] was still unable to establish the pertinent facts on what caused the disclosure and the specific roles of the parties involved at the material time. As a result, the Commission had to take statements from the relevant parties in order to gather and distil facts.

2.48 T2 was engaged by Smiling Orchid to design the Smiling Orchid webpage and build a Content Management System ("CMS").81 T2 created the design and HTML code but outsourced the development of the entire CMS to a freelancer, who in turn subcontracted the actual development of the CMS to another entity that T2 identified as "developers based in China".82

2.49 The repeated outsourcing of the information technology system and software product raises serious cybersecurity issues. If no one in the various entities knows what is in the programming code, nor has the code been tested, there is arguably no integrity nor warranty in the programming code. Not only can the programming code contain malware but any business that exposes itself to this kind of liability is risking its valuable business assets, not only in the form of its customer base but also in terms of financial and other sensitive information that may also be collected.

2.50 The personal data protection breach involved the disclosure of the full names, residential addresses, mobile numbers, workplace addresses and workplace e-mail addresses of Smiling Orchid's customers.83 The Commission did not mention how many individuals' personal data were affected. In the final analysis, since more detailed facts of the roles and responsibilities, especially of T2, could not be established, Smiling Orchid was the only party the Commission found to have been in breach of personal data protection requirements and hence imposed the $3,000 financial penalty upon it.

2.51 A third case with relatively similar facts is GMM Technoworld Pte Ltd84 where the respondent's unjustifiable ignorance or misunderstanding of the functions and features of a paid third party software it had implemented to collect personal data for registration of warranty resulted in the names, e-mail addresses, mobile phone numbers and residential addresses of 190 customers being publicly accessible.85 A financial penalty of $3,000 was handed to the respondent, taking into account that the respondent was co-operative in the investigation and took immediate steps to rectify the breach.86

74 [2016] SGPDPC 14.
75 Fu Kwee Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [34].
76 Fu Kwee Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [32].
77 Fu Kwee Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [33].
78 Fu Kwee Kitchen Catering Services and Pixart Pte Ltd [2016] SGPDPC 14 at [35].
79 [2016] SGPDPC 19.
80 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [61)].
81 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [6].
82 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [7].
83 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 at [11].
84 [2016] SGPDPC 18.
85 GMM Technoworld Pte Ltd [2016] SGPDPC 18 at [6].
86 GMM Technoworld Pte Ltd [2016] SGPDPC 18 at [16] and [18].

2.52 Both the decisions in Fu Kwee Kitchen Catering Services and Pixart Pte Ltd87 and GMM Technoworld Pte Ltd88 were decisions of the chairman of the Commission, Leong Keng Thai, while Smiling Orchid89 was a decision of Commission member Yeong Zee Kin. In a fourth decision with relatively similar facts,90 Commission member Yeong Zee Kin did not mete out any financial penalties.

2.53 In ABR Holdings Ltd,91 the respondent's Swensen's Kids Club website allowed anyone to access the personal data of members by inputting a membership number, as the membership numbers were easily guessable as they were issued in running sequence.92 The personal data of members that were accessible were their names, date of birth, redemption status of sundaes and "stamps", number of stamps accumulated and the expiry date of the membership.93 It could be said that these types of personal data revealed were not as intrusive as the personal data in Fu Kwee Kitchen Catering Services94 and it is perhaps for this reason that no penalty was imposed. However, the respondent was informed by the Commission of the breaches on 2 April 2014,95 before the Act had come into force. Yet, on 15 July 2014, another complaint was lodged with the Commission outlining the same breaches.96 When the Commission [...] on 5 August 2014, it was informed by the respondent [...] immediately changed what could be viewed by omitting the names and date of birth of the members on the web pages.97 The inaction of the respondent for four months between April and August 2014 should surely have warranted some financial sanctions and not just simply a warning. The Commission took the view that since the provisions only came into force on 2 July 2014, the infractions were only for about one month.98 This, however, is a myopic view given that the Commission itself acknowledged that the respondent had "ample time to take corrective measures" between April and August 2014.99

87 [2016] SGPDPC 14.
88 [2016] SGPDPC 18.
89 [2016] SGPDPC 19.
90 ABR Holdings Ltd [2016] SGPDPC 16.
91 [2016] SGPDPC 16.
92 ABR Holdings Ltd [2016] SGPDPC 16 at [5].
93 ABR Holdings Ltd [2016] SGPDPC 16 at [8].
94 [2016] SGPDPC 14.
95 ABR Holdings Ltd [2016] SGPDPC 16 at [2].
96 ABR Holdings Ltd [2016] SGPDPC 16 at [3].
97 ABR Holdings Ltd [2016] SGPDPC 16 at [10].
98 ABR Holdings Ltd [2016] SGPDPC 16 at [21].
99 ABR Holdings Ltd [2016] SGPDPC 16 at [20].
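The flaw described in paras 2.45 and 2.53 (records reachable by changing a running number, on pages that never expire) is shown below beside one possible corrected design. This is an added example, not code from the book or from any of the organisations in the decisions; the URL layout, the signed expiring link and the sample orders are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two customers' orders with consecutive numbers.
ORDERS = {
    1001: {"customer": "cust-a", "name": "A. Tan", "address": "1 Example Road"},
    1002: {"customer": "cust-b", "name": "B. Lim", "address": "2 Sample Street"},
}

SECRET = secrets.token_bytes(32)  # server-side signing key, never sent to clients
LINK_TTL = 24 * 3600              # review links stop working after one day


def review_page_weak(order_id):
    """Weak pattern: the running number in the address is the only key,
    so any visitor who alters it receives another customer's order."""
    return ORDERS.get(order_id)


def _sign(order_id, expires):
    """HMAC over the order number and expiry; altering either breaks the link."""
    msg = f"{order_id}.{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_review_link(order_id, now):
    """Issue a link bound to one order that expires LINK_TTL seconds after now."""
    expires = int(now) + LINK_TTL
    return f"/order/review/{order_id}?exp={expires}&sig={_sign(order_id, expires)}"


def review_page_hardened(url, session_customer, now):
    """Return the order only for an unaltered, unexpired link opened by its owner.

    session_customer is the customer identified by the logged-in session
    (an assumption of this example); None is returned for every refusal.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        order_id = int(parts.path.rsplit("/", 1)[-1])
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None  # malformed link
    expected = _sign(order_id, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # order number or expiry was changed
    if now > expires:
        return None  # link has expired
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_customer:
        return None  # link is valid but belongs to someone else
    return order


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    link = make_review_link(1001, now)
    print("owner:", review_page_hardened(link, "cust-a", now + 60))
    print("renumbered:", review_page_hardened(link.replace("/1001?", "/1002?"), "cust-a", now + 60))
    print("weak handler, renumbered:", review_page_weak(1002))
```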

2.54 A few earlier cases decided in 2015 also did not impose financial penalties. In the case of Metro Pte Ltd,100 the names, personal e-mail addresses, NRIC numbers, personal mobile phone numbers, dates of birth and Facebook user login identifications of 445 of Metro's customers were disclosed.101 Metro had taken active steps following the data leak to strengthen the security of its website, including engaging another firm to undertake an internal IT security audit.102 The Commission issued a warning to Metro but no penalty was imposed.103 Further, in Singapore Computer Society,104 the personal data of 214 individuals were inadvertently disclosed via e-mail to the same 214 individuals who had registered for an event.105 The Singapore Computer Society ("SCS") itself reported the breach to the Commission and the Commission issued a warning without any penalty to SCS. The personal data disclosed were the registrant's full names, NRIC numbers, contact numbers, e-mail addresses, organisation and designation information. In both Metro Pte Ltd106 and Singapore Computer Society,107 the breaches occurred in earlier time, in 2015. The Commission, perhaps, felt more strongly its educative role in those early cases. Further, it was perhaps felt that the data leaks did not have severe consequences and hence no financial penalties were imposed. With respect, any data leak involving NRIC numbers should be met with the highest level of censure, as NRIC numbers are very important universal identifiers that should be accorded the highest protection.108

100 [2016] SGPDPC 7.
101 Metro Pte Ltd [2016] SGPDPC 7 at [6].
102 Metro Pte Ltd [2016] SGPDPC 7 at [19].
103 Metro Pte Ltd [2016] SGPDPC 7 at [20].
104 [2016] SGPDPC 9.
105 Singapore Computer Society [2016] SGPDPC 9 at [2].
106 GPDPC 20
107 [2016] SGPDPC 9.
108 See ch 7.
109 [2016] SGPDPC 18.
110 [2016] SGPDPC 18.

2.55 From the foregoing cases, it is unclear whether the current magic number to trigger a penalty for the unauthorised disclosure of non-financial personal data might be the disclosure of around 200 individuals' personal data as in GMM Technoworld Pte Ltd109 but noting that the respondent in that case was co-operative during the investigations and took immediate corrective measures. The breaches in GMM Technoworld Pte Ltd110 occurred in 2016 and is
a

later

case

than

Data Protection

in

thePractical Context

The Practical and

Socety," both of whiL and Singapore Compuler Metro Ple Lid 2015. Certainly, in the occurred in with breaches that ases ore appcared Commission cared to be m more the willing decided in January 2017, In Protner substantial financial penalty.

which deal

impose a

Realty

penalty of $10,000 P e 1,765 individuals; this h e of data disclosure of the personal e imposed on JEs penalty financial contrasted with the $10,000 data belonging to 6,000 the personal of the disclosure 60,000 individuals. In P Pepperdine Group Pte Lid, 15 a i n a n c i ;to 2016 for to

Ltds the

more

imposed

Commission

a

financial

for placing the personal da ta was imposed penalty of $10,000 disclosure. There was no evidence that of risk the 30,000 individuals at uncO-operative with two cases were the respondents in these investigation process.

2.56 The remaining cases where the Commission has only issued warnings without imposing penalties have involved co-operative respondents and where the breach of the personal data protection Obligations and the likely impact of the breach were somewhat limited.

2.57 Spear Security Force Pte Ltd116 involved an unattended open log book containing visitors' personal data at a condominium and there was no evidence suggesting that personal data actually had been exposed to unauthorised third parties.117 Similarly, in Full House Communications Pte Ltd118 the lapse in security involved the auto-fill function being enabled for drop-down boxes on laptops used by consumers at a furniture fair to enter a lucky draw. This led to consumers being able to see the personal data of other consumers who had entered their personal data for the lucky draw.119

2.58 In Yestuition Agency120 the respondent had disclosed on its website without consent of the individuals, the photos of around 30 individuals who had registered to be its tutors, using the individuals' NRIC numbers as the filenames. There was no evidence of how many people had viewed the photos and NRIC numbers, but the Commission noted that the respondent had been co-operative and forthcoming during the investigation process and had also taken proactive steps to remedy the breach situation once it was aware of the breach of the Act.121

2.59 A case that involved the disclosure of the personal data of two individuals to about 30 recipients also resulted in a warning being meted out. In the case of Jump Rope (Singapore), the name and NRIC number of two individuals were e-mailed to around 30 government schools for the purpose of warning the schools about the blacklisting of the two individuals. The so called "name and shame" exercise was meant solely to help schools in making decisions when engaging rope skipping instructors. The Commission found there was a breach of the reasonable person standard in section 11 of the Act125 and a breach of the consent requirement. There appears to be typographical errors where it was stated that section 20 was also breached while in other paragraphs, the Commission stated that section 20 was not relevant to the case. In any event, because the breach only involved a limited number of government schools and the personal data disclosed were limited and related to only two individuals, and the respondent was co-operative during the investigation, the Commission decided a warning was the appropriate course of action. As will be discussed in chapter 6, this decision does not appear to have been correctly decided based on sections 11 and 13 of the legislation, hence, the non-imposition of a financial penalty was indeed the appropriate course of action.

111 [2016] SGPDPC 7.

112 [2016] SGPDPC 9.

113 [2017] SGPDPC 1.

114 The Institution of Engineers Singapore [2016] SGPDPC 2.

115 [2017] SGPDPC 2.

116 [2016] SGPDPC 12.

117 Spear Security Force Pte Ltd [2016] SGPDPC 12 at [13].

118 [2016] SGPDPC 8.

119 Full House Communications Pte Ltd [2016] SGPDPC 8 at [9]-[11].

120 [2016] SGPDPC 5.

121 Yestuition Agency [2016] SGPDPC 5 at [18].

122 [2016] SGPDPC 21.

123 Jump Rope (Singapore) [2016] SGPDPC 21 at [7].

124 Jump Rope (Singapore) [2016] SGPDPC 21 at [7] and [9].

125 Personal Data Protection Act 2012 (Act 26 of 2012).

126 Jump Rope (Singapore) [2016] SGPDPC 21 at [14] but compare [15], [16] and [18].

127 Jump Rope (Singapore) [2016] SGPDPC 21 at [17].

128 [2016] SGPDPC 10.

129 AIA Singapore Pte Ltd [2016] SGPDPC 10 at [1].

2.60 The facts of AIA Singapore Pte Ltd128 involved the unauthorised disclosure of one individual's bank account details to one other party, namely, the individual's chiropractor.129 This was a case that also


Obligations0 andd involved a sin one single party concerning one single ne to was disclosure the only no evidence of actual loss or da of personal data, and there was undertaken an immediate revin had suffered and the respondent issued only a warning. Another a of Commission the its proceses, also which involved the and discl was issued a where

only warning

My Digital Ioc k Pte mobile phone number and complainant's personal his disclosed on the social media Dlatf address m

is the of personal data of a single individual

Ltd

The

residential

case

of

were

Facebook, on the account of the employee of the respondent for

than longer information

o the purpose of transferrino an hour, apparentdy for the from his mobile phone to a computer tor sending on to

The Commission also took into account the limited mobile phone number and sensitivity of the personal data, namely, residential address, as well as the co-operative response of th

legal advisors.3

respondent in the investigation.4

2.61 One case where the quantity of personal data disclosed was large but the nature and method of the personal data disclosed was not significant is the case of Challenger Technologies Ltd and Xirlynx Innovations.135 Challenger's data intermediary, Xirlynx, had erroneously sent e-mails containing the personal data of members of Challenger's ValueClub programme to other members of the programme, who were the wrong recipients.136 There were 165,306 recipients of e-mails with someone else's personal data.137 Nevertheless, the personal data disclosed was limited to the member's name, accumulated points and membership expiry date.138 The Commission noted that the personal data disclosed were not of a sensitive nature and the personal data leaked could not be used by the individuals who had received them to profiteer or benefit from them, and was unlikely to lead to any harm or loss to the individuals concerned. Since the respondents had been co-operative with the investigations and had proactively taken steps to remedy the breach, the Commission did not issue any directions but only issued a warning to both respondents.141

2.62 For breaches of the personal data protection Obligations involving financial personal data, the July 2016 case of Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd is instructive. This case involved the disclosure of 195 individuals' personal data. There was an error which caused 92 individuals to receive personal data belonging to others. The personal data disclosed included account information such as name, address and account number; securities held; transaction summary and payment summary. The remaining 103 individuals received similar personal data belonging to others, except that there were no details on securities held; transaction summary and payment summary.144 The Commission found that Central Depository (Pte) Ltd was not in breach of the Protection Obligation as it had valid clauses in the contract with its data intermediary to protect personal data.145

Singapore Pte Ltd [2016]

130 131

AIA AlA

132

[2016] SGPDPC 20. My Digital Lock Pte Ltd [2016] SGPDPC 20 My Digital Lock Pte Ltd [2016] SGPDPC 20

133 134 135 136

Practical and Conceptual Framework

Limitation

breach of the Purpose

SGPDPC 10

Singapore Pe Ltd [2016] SGPDPC

[2016] SGPDPC 6.

10

at at

at at

Protection Obligation and a penalty of $5,000 was imposed on Toh-Shi Printing.146 The Commission noted that the personal data disclosed constituted sensitive financial personal data and that a total of 195 individuals' personal data were affected.147

2.63 Toh-Shi Printing was again sanctioned in a subsequent case. In Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd148

its own staff failed to comply with its own security measures and

140

[25]. [28].

144

Ltd and

Xirlynx Innovations [2016] SGPDPC

137

Challenger Technologies at (15].

Ltd and

Xirlynx Innovations [2016] SGPDPC

138

Challenger Technologies t [14).

Ltd and

Xirlynx Innovations [2016] SGPDFU

147

139

Challenger Technologies at

Ltd and

Xirlynx Innovations [2016] SGPDr

148

50

Challerger Technologes Ltd and Kirlynx Innovations [2016] sGPDPC 6 at [37]-[38]. Chalenger Technologies Lid and Xirlynx Innovations [2016] SGPDPC 6 at [39).

142 143

Challenger Technologies at [14).

[37].

Aviva was found not to have breached any of its obligations concerning personal data protection but Aviva's data intermediary, Toh-Shi, caused the data breach when

141

[18]-[21]. [24].

The data intermediary was, however, found to be in breach of the

145 D

146

[2016] SGPDPC 11.

Central Depository (Pte) Ltd and SGPDPC 11 at [8]. Central Depositor (Pte) Ltd and SGPDPC 11 at [9).

Toh-Shi

Printing Singapore Pe

Lud [2016]

TohShi

Printing Singapore Pte

Lid [2016]

Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [17]-[18]. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [23]. Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [24). (2016] SGPDPC 15.

51

Dala

Toh-Shi's

procedures.

spreadsheet for Toh-Shi the

sort,

to

an

information

in the

without

Practical in the

staff had

further

the knowledge

take advantage

incomplete

or

Context

sorted

approval

The Practical and Coneeptual Framervork data data

the of

the order

in perfor

savings," of postage of the policyholders

selection

This resulted in

raw

in

Aviva, in

but

data was made. was printed information that

in the

account

Prolection

orming

acco

am mismatch a

and sent out.

2.64 The breach involved the disclosure of the personal data belonging to 7,794 Aviva policyholders under the Aviva Public Officers Group Insurance Scheme ("POGIS"). Erroneous annual premium statements for the year 2015 were sent out to the POGIS policyholders. In total, however, the personal data of 8,022 individuals, including the POGIS policyholders' dependants, were disclosed in the data breach incident.152 The personal data disclosed were the names of the policyholder's dependants or beneficiaries, the sum insured under the insurance policy, the premium amount and type of coverage.153

2.65

personal data disclosed were of a sensitive nature, not merely from a financial perspective but that the disclosures could also be socially embarrassing; that this was Toh-Shi's second infraction in less than a year; and that Toh-Shi was co-operative during the investigation and took prompt remedial and preventive actions.155

2.66 From the cases to date, a few observations can be made. The Commission takes a much stricter view if the personal data in question is financial or sensitive in nature.156 For non-financial personal data, it would appear that the Commission is more forgiving of non-technological or human error, including errors of judgment,

157

Aviva Ltd and Toh-Shi Printing Singabore Pte Ltd [2016] Avva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Avva Lid and Toh-Shi Printing Singapore Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapoe Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapoe Pte Ltd [2016] Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] Central Depository (Pte) Ltd and Toh-Shi

15 at [14]. 15 at [15). 15 at |1]. 15 at [(2]. 15 at [8|. 15 at [37). 15 at |38]

Printing Singapore Pte Ltd SGPDPC 11; Aviva Lid and Toh-Shi Printing Singapore Pte Ltd SGPDPC 15.

practices where

onc-oll

arc

Commission appears systemic

to

2.67 Data

errors

[2016 |2010

Spear Security Foce Pte Ltd [2016] SGPDPC 12; Full House Communicatio Pte Ltd [2016] SGPDPC 8; Challenger Technologies Ltd and Xriyni

that trigger personal dat wno

are not

be lookcd

limited about

impact. A

The

ensuring

that

protcction breaches

co-operative and

upon favourably

are not

rectified. forthcoming

10

are

aggravating

financial penalties. consider in calculating

6l

2.68 One may question if the quantum of the penalties imposed to date are too small. Certainly, penalties in the order of $5,000 to $10,000 may not serve any deterrent effect. It may be that the leniency of the Commission to date is simply a sign of its desire to raise awareness and to educate at this point in time. If the penalties remain at this level in the long term, it will have a deleterious effect on compliance.

(e) Appealing the decisions made by the Commission

2.69 There is a procedure provided in section 31 whereby applications can be made by either the organisation or the individual to the Commission within 28 days for it to reconsider any of its directions or decisions. In addition, the decisions and directions of the Commission, including the decisions and directions made as a result of the

Innovations [2016] SGPDPC 6; AIA Singapore Pte Ltd [2016] SGPDPC 10; Yestuition Agency [2016] SGPDPC 5; My Digital Lock Pte Ltd [2016]

159

SGPDPC 20; GMM Technoworld Pte Lid [2016] SGPDPC 18. Unaversal Travel Corp Pte Ltd [2016] SGPDPC 4; Singapore Compruter Society

2016] SGPDPC 9;My Digital Lock Pte Ltd [2016] S PDPC 20;, Jump Rope (Singapore) [2016] SGPDPC 21. Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3; K Box Entertainment Grouy Pte Ld and Finantech Holdings Pe Lud 12016] SGPDPC 1; The mstitution of Engineers Singapore [2016] SGPDPC 2; Smiling Orchid (S) Pe Ld, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd

2016] SGPDPC 19; Fu Kwee Kitchen Catering Services and Pixart Pte Ltd 160 161

2016] SGPDPC 14.

rei Fah Medical Manufacthuring Pte Ltd [2016] SGPDPC 3; K Box Entertainment

Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1. Personal Data Protection Commission, Advisory Guidelines on Enforcement ofthe Data Protection Provisions (21 April 2016) at paras 25.1-25.3.


with

Concerned

very

consistent with the Advisny Audelnes on Enfocement of the Protection Provsions 1SSued by the Commission, which sets out and mitigating factors that the Commission may

These some

De

ormation technology is involved, inffor

specially respondents I astlv, thosc will not with information

158

SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC SGPDPC

they

too

The Commission imposed a financial penalty of $25,000 on Toh-Shi.154 The Commission took into account the fact that the

149 150 151 152 153 154 155 156

ecially if


Data

Protection

can

reconsideration

process, in sections 33

in

be to

the Practical

taken

35.

Context

The Practical and Conceptual Framework

through

an

The irst relevant

appcal

appellate

cess

body is but if there is concurre

which is set out Committee, an Protection Appeal the Data reconsideration, the a Commission for to the is Protection Appcal C application The Data deemed to be withdrawn. Commission and otherwise mat the remit the m a t t e r to mo y may Commission itself could have which the or decision o r direction taken could itself have Commission which the other such step take

mittee

2.70 It should be noted that while a direction or decision is under reconsideration or appeal, the effect of the direction or decision that is being reconsidered or appealed is not suspended, except in applications for reconsideration or appeals against the imposition of a financial penalty or the amount of the financial penalty.163 A decision of the Data Protection Appeal Committee can be appealed to the Singapore High Court on a point of law or on the amount of a financial penalty.164 There is a further right of appeal to the Singapore Court of Appeal as exists in the case of decisions made by the High Court in the exercise of its original civil jurisdiction.165

2.

the Act. The penalty for individuals is a fine of up to $10,000 or imprisonment for a term not more than 12 months, or both. The penalty for non-natural persons is a fine of not more than $100,000.167

2.73 Section 51(3)(a) specifies that any person or organisation which disposes of, alters, falsifies, conceals or destroys records with intent to evade a request to access or to correct personal data or information about the collection, use or disclosure of personal data, is subject to a fine of up to $5,000 for individuals and $50,000 for non-natural persons.168

2.74 Lastly, anyone who knowingly or recklessly makes a false statement to the Commission, or who knowingly misleads or attempts to mislead the Commission in the course of the exercise of its duties or powers under the Act also commits an offence. The penalty for individuals is a fine of up to $10,000 or imprisonment for a term not more than 12 months, or both. The penalty for non-natural persons is a fine of not more than $100,000.170

The Act is considerably strengthened with the inclusion of a number of offences. The offences are both substantive in nature as well as procedural so as to ensure that there are no obstructions in the administration of justice. Jurisdiction vests in the District Court to try any offence under the Act and the District Court has power to impose the full penalty or punishment in respect of the offences.

(b) Piercing the veil

2.75 Section 52 provides for the corporate veil to be pierced in situations where offences are committed by non-natural persons. Where there is an offence that has been committed by a non-natural person, such as a body corporate, a partnership, or an unincorporated association, then an officer or a partner or any member who manages who had, through their consent or connivance or neglect, allowed the offence to occur, is also guilty of an offence, in addition to the body corporate, partnership, or unincorporated association.

Offences under section 51

2.72 A general offence of obstruction or impediment can be found in section 51(3)(b), which imposes criminal penalties on any organisation or individual that obstructs the Commission or an authorised officer of the Commission in the performance of their duties or powers under

162

Personal Data Protection Act 2012 (Act 26 of 2012)

163 Personal Data Protection Act 2012 164 Personal Data Protection Act 2012 165 Personal Data Protection Act 2012 166 Personal Data Protection Act 2012

34(2).

(Act 26 of 2012) ss 34(3) and 31(2) (Act 26 of 2012) s 35(1). (Act 26 of 2012) s 35(4)

(Act 26 of 2012)

167 168

169 s

s

170

171 172 173

51 (5). s of 2012) 51(4) Personal Data Protection Act 2012 (Act 26 of2012) s 51(3)(¢). Personal Data Protection Act 2012 (Act 26 of 2012) Personal Data Protection Act 2012 (Act 26

s

Personal Data Protection Act 2012 (Act 26 of 2012) s 51(6). and Personal Data Protection Act 2012 (Act 26 of 2012)

ss 52(1)

Personal Data Protection Act 2012 (Act 26 of 2012) s 52(3). Personal Data Protection Act 2012 (Act 26 of 2012) s 52(4).

54.

55 54

or

both. The

$100,000.170

Criminal penalties

2.71

(a)

more

52(2).


(c) Unauthorised access or correction

2.76 The Act also provides some safeguards for individuals against those who fraudulently represent themselves as other individuals or who fraudulently represent themselves as having authority from other individuals. It is an offence to obtain access to or to change personal data about another individual without the authority of the individual.174 The penalty is a fine of up to $5,000 or imprisonment for a term not more than 12 months, or both.175

(d) General penalty

2.77 There is a general "catch-all" penalty clause in section 56 which applies only to natural persons. This section provides the penalty where an offence has no specific penalty expressly provided. Section 56 imposes a penalty not exceeding $10,000 or imprisonment for a maximum term not exceeding three years or both. For a continuing offence it also allows for further fines of up to $1,000 for every day the offence continues.

2.78 The slew of criminal sanctions in the Act, combined with the robust powers of the Commission, ensures the enforcement system has significant power to deter.

3. Right of private action

2.79 Individuals who have suffered loss or damage directly as a result of a breach of any of the provisions in the personal data protection Obligations, namely, those set out in Part IV, V or VI of the Act, by an organisation have a right of private action for relief in civil proceedings under section 32. The only proviso is that if there has been a decision made by the Commission regarding a contravention of the personal data protection principles, then the private action regarding the same contravention cannot be commenced until all the appeal processes have been exhausted.

2.80 The remedies available for this private action are wide-ranging, from injunctions or declarations to damages and any other relief as the court thinks fit.

4. Employer liability for employees

2.81 The Act is realistic and fair in its placement of liability in the employment context. The conduct and acts of an employee in the course of employment are treated as being done by both the employee and the employer, whether or not they were done or engaged in with the employer's knowledge or approval.176 The definition of "employee" in the Act includes volunteers.177

2.82 This places the onus on employers to have systems, processes and procedures in place to supervise and monitor employees in the proper handling of personal data and to minimise any contraventions of the Act. Indeed, the Act provides a defence for the employer if the employer can prove that such steps as were practicable were taken to prevent the employee from doing the act or engaging in the conduct.178 It is thus imperative for employers to have sound policies and practices regarding employee conduct in the handling of personal data and to have checks in place to ensure that they are adhered to. A case in point is Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd, where Toh-Shi's own employees breached its own procedures and further, lapses occurred when its own quality control sample checks failed to spot the error as the sample checks were verified against the erroneously sorted file instead of the source data from Aviva.180 In the case of My Digital Lock Pte Ltd181 there was evidently no policy in place prohibiting employees from using an open social media platform such as Facebook to transfer personal data, which resulted in the employer being found liable for the breach by the employee in the course of employment.182

174 Personal Data Protection Act 2012 (Act 26 of 2012) s 51(1).

175 Personal Data Protection Act 2012 (Act 26 of 2012) s 51(2).

176 Personal Data Protection Act 2012 (Act 26 of 2012) s 53(1).

177 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

178 Personal Data Protection Act 2012 (Act 26 of 2012) s 53(2).

179 [2016] SGPDPC 15.

180 Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 15 at [16].

181 [2016] SGPDPC 20.

182 My Digital Lock Pte Ltd [2016] SGPDPC 20 at [13]-[14].


levels and layers of. 2.83 is used, the apPpropriate the surreptitious cotri Where technology to prevent should be in place and access disclosure of personal use and and and subsequent should always be adopted. T. by design a good illustrasrin be personal data protection would I discussed in chapter Andreus case and appropriate technolOf training how crucial both employee should have been trainedgcal not to The hotel employees processes are. and not to accede to a stranger's , names of guests the disclose female celebrity, and the hotel's i next door to a to rent the room have been configured to hise should area telephone in a public room number of hotel guests.

data by employeelection

request

2.84 The Act also provides

have

a

employees

if

the

DATA INTERMEDIARIES

D. 2.86 data

act

was

done

or

the

conduct

engaged in

employee

was

ca

is defined in section 2(1)

data

defines "processing" the carying

on

as an

organisation which

organisation but does not organisation.87 Section 2(1) also

behalf of another

of that

other

in relation to

88 personal data as:

out of any operation or set of operations includes any of the following:

in relation

to

the

personal data, and

(a)recording;

in good

holdings

)

()

course

act or conduct must not have been consented to or connived in by the

organisation, adaptation or alteration; retrieval; combination; transmission;

(gerasure or destruction.

employee or be in any way attributable to any neglect on the part of the employee.85

intermediary

nrocesses personal include an employee

fai or in accordance with instructions oi of employment, in the course The employee in of employment. the employer in the by an instance must not be an otficer or someone Wno manages, and the

show that the

stringent

personal data.

..

defence for

DBS Hong Kong from liability if it did this may well absolve olicies and practices in place for the protection of

ed

invo

2.87

2.85 A case closer to home to watch on the interplay between employer and employee liability is the case in Hong Kong where some 20 DBS Hong Kong employees are being investigated by Hong Kong's anti-corruption agency, the Independent Commission against Corruption ("ICAC"). It appears that the employees had allegedly used bribery to obtain personal data of DBS clients which were then passed on to a call centre in mainland China offering telephone promotions for high-interest loans. Some Hong Kong customers who received loan marketing calls from people claiming to be DBS staff made complaints and DBS's internal investigation showed that the calls came mainly from the said call centre, even though DBS has never worked with the call centre on telephone promotions. A report was then made to the ICAC for further investigations by the relevant authorities. It appears that the call centre shared commissions with the errant employees. It will be interesting to see whether DBS Hong Kong will be held liable for the personal data breaches of the errant employees but if bribery was

183 Erin Andrews v Marriott International Inc, et al 11C48311 (Tenn Davidson Co, 2016).

184 Personal Data Protection Act 2012 (Act 26 of 2012) s 48(1).

185 Personal Data Protection Act 2012 (Act 26 of 2012) ss 48(2)-48(3).

Processing is thus very widely defined and would appear to include any activity done in relation to personal data. As a consequence, the concept of a data intermediary and the scope of what a data intermediary can do is also extremely wide, ranging from those who offer document destruction services, to accounting and other organisations that provide payroll services, to those who provide courier services, even to freelance photographers hired just to take photographs at one event. Network service providers that merely act as conduits for the transmission of personal data will not be liable in respect of third party material in the form of electronic records to which they merely provide access.190

2.88 Whether a party is a data intermediary will depend to a large extent on the contract between the party and the organisation for whom it is

186 Lee Xin En, "MAS monitoring DBS Hong Kong case" The Straits Times (9 December 2016), available at (accessed 9 December 2016).

187 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

188 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

189 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.24.

190 Personal Data Protection Act 2012 (Act 26 of 2012) s 67(2).

59

the Practical Context Dala Prolection in data. The

contract should

The Practical and Conceptual Framework

state clearlu

rights

processing personal well as the responsibilities cach party, as and obligations of and data, including wheth in relation to the personal liabilities

organisation is

to

process

personal

data

on

If the

behalf of

and One

for

the is silent or men for acceptanaly

contra tract

other organisation. purposes of the to another sent by one party consists of quotations both parties will occurs, Act the breach of payment, when a data Obligations to the full extent m

the personal Act. This was the case in

answer

to

KBox

Entertainment

where the scope of the

e Ltd and Croup Ple.

processing by

to

he

antech

Finantech

Ld both parties were held to the full extent Holdings K Box was unclear; Pte

dnd

ssible

for the breaches.

2.89 The Act does not "impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing," except in relation to the obligations relating to the security and protection of personal data under section 24 and the retention of personal data under section 25.191 The organisation which has contracted out its personal data processing activities is vicariously liable for any breaches of the Act by the data intermediary within the bounds of the contract. Hence, organisations should engage data intermediaries that can and will comply with the personal data protection laws.

2.90

In a few of the early cases, the Commission noted that the failure by the organisation to put in place data protection terms and conditions in its contract with the data intermediary instructing it to protect personal data amounted to a breach of the Protection Obligation.196 Would an organisation which does have such a clause in the contract with its data intermediary be absolved from liability for breach of the Protection Obligation should the data intermediary not comply with the Protection Obligation? The question was answered in the negative in the July 2016 case of Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd.197 The contract had required the data intermediary, Toh-Shi Printing, to take necessary actions and precautionary measures to protect the personal data during the printing process. The Commission did not find Central Depository (Pte) Ltd in breach of the Protection Obligation.198

191 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.21.

192 193 194 195 196

[2016] SGPDPC 1. Personal Data Protection Act 2012 (Act 26 of 2012) s 4(2). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(2). Personal Data Protection Act 2012 (Act 26 of 2012) s 4(3). See also Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3. K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [42]; The Institution of Engineers Singapore [2016] SGPDPC 2 at [30].

2.91 In a similar vein, in K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd the Commission also stated that in discharging its Protection Obligation, the data intermediary which was, in this case, an outsourced information technology service provider, should have notified its customer, K Box, of failings in the data security arrangements.200 If it had done so, the Commission would have taken this into account in its assessment of Finantech's culpability.201

2.92 It is also not entirely clear but it might be possible for the contract between the organisation and its data intermediary to include indemnity clauses to force the data intermediary into indemnifying the organisation that has hired it for any personal data breaches.

2.93 If the data intermediary acts beyond the processing required by the organisation under the contract, then the data intermediary will not be considered a data intermediary in respect of such use or disclosure. In such circumstances, the data intermediary will cease being a data intermediary and will need to comply with all the personal data protection provisions.202 Thus, it is imperative for organisations to be explicit and clear in their contracts with data intermediaries in terms of what processing the data intermediaries are contracted to carry out for the organisations. It should be noted that a data intermediary is only a data intermediary for the personal data that it processes for or on behalf of another. Hence, a data intermediary will not be a data

197 [2016] SGPDPC 11.

198 Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [17]-[18].

199 [2016] SGPDPC 1.

200 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [37]-[38].

201 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC 1 at [38].

202 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.22.

Data

for

intermediary data as

personal

Protection

the personal

of its

oWn

in the Practical

data it

Context

holds for

The Praclical and Conceptual its

own

bses, such 2.97

employees.

E. THE REASONABLE PERSON

2.94 Many provisions in the Act refer to the "reasonable person". The intention of the Act, as stated in section 3, centres around the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.203

2.95 Section 11(1) of the Act further states that organisations, in meeting their responsibilities under the Act, should consider what a reasonable person would consider appropriate in the circumstances.204 The decision Jump Rope (Singapore)205 considered section 11, however it is respectfully submitted that the case was incorrectly decided and the decision is discussed more fully in chapter 6.206

2.96 The use of the "reasonable person" in law and how and what this reasonable person would think only works well where there is a consensus or clear understanding of the "reasonable person". The problem with using the reasonable person test in an area such as personal data protection, which is so strongly intertwined with technology, is that it is practically impossible to determine what such a reasonable person might consider to be appropriate in any given circumstance. The fundamental question is: who is the reasonable person? The social media addicted younger generation will have very different views and understanding of what personal data protection is or ought to be that would colour their thinking of what is appropriate. At the other extreme could be an age group that clings to the traditions and values of restraint and non-exhibitionism, whose views on what is appropriate will be determined by their values. Somewhere in between, there may be a group of reasonable people who have some knowledge of technology and have seen the grave dangers of personal data misuse.

2.97 Indeed, the Act as it is currently drafted is not the most conducive to effective personal data protection as it lacks an objective standard. As will be seen in the remaining chapters, the movable feast of what is a reasonable person and what this reasonable person would consider to be appropriate will prove challenging to achieving a useful baseline.

203 Personal Data Protection Act 2012 (Act 26 of 2012) s 3.

204 Personal Data Protection Act 2012 (Act 26 of 2012) s 11(1).

205 [2016] SGPDPC 21.

206 See ch 6, at paras 6.32-6.44.

F. ENCOURAGING COMPLIANCE

2.98 While the personal data protection regime is in place and appears to cover all the material issues, including giving the Commission substantial powers, more could be done by the Commission.

2.99 The Commission has been proactive and has issued a considerable number of guidelines and guides, which are publicly accessible on its website.207 These are constantly updated which is, indeed, commendable. However, if the aim is for these documents to assist in compliance by organisations, the Commission ought to make it easy for organisations, including individuals, to be kept abreast of the updates or changes made to the guides and guidelines, by highlighting the amendments or at the very least, keep an archive of the older versions of the documents on its website, with which comparisons can be made. This will enable organisations to, at a glance, ascertain which sections have been amended or updated, instead of trawling through multiple guides and guidelines from scratch, some of which are over 50 pages long, each time the Commission issues an update. The Commission ought to make it easier and not more difficult for organisations to comply. In any event, as a matter of best practice, procedural fairness would entail the organisation have access to a publicly available document which the Commission has issued in the past and which the organisation may have followed but yet, the organisation may still face investigation over an alleged breach of the provisions in the Act.

2.100 Secondly, the Commission has yet to educate the community at large on the dangers, risks and consequences when personal data is misused. It has thus far not seemed to realise that the best catalyst for organisations to comply with the personal data Obligations is pressure and expectations from individuals, who are, after all, the customers of organisations, in one way or another. Unless and until both individuals and organisations are fully aware of the dangers, risks, liability and consequences of the misuse of personal data, as highlighted in chapter 1, compliance by organisations with the personal data obligations will be, at best, half-hearted and lukewarm.

207 https://www.pdpc.gov.sg (accessed 16 February 2017).

G. CONCEPTUAL FRAMEWORK OF PERSONAL DATA REGIME

2.101 The personal data protection regime has a number of key concepts such as personal data and consent which must be understood. Concepts are fundamental to the understanding of how the regime operates.

2.102 The legislation only applies to "personal data" so what does not constitute "personal data" is immediately excluded from the application of the Act. However, as will be seen in chapter 3, "personal data" is not an easy concept to grasp and it has many complexities intertwined within the definition.

2.103 Second, certain types of personal data are excluded from the operation of the Act, so for example, business contact information can be handled without recourse to the personal data protection Obligations in the Act.209

2.104 Third, once something is classified as personal data, before any collection, use or disclosure of the personal data is carried out, the individual must be notified of the purpose or purposes of the collection, use or disclosure of the personal data. However, there are exceptions.210

2.105 Fourth, there is a limitation on the permissible purposes of the collection, use or disclosure of the personal data.211 This is an important Obligation but one that is not well understood nor complied with.

2.106 Fifth, after the purposes for the collection, use or disclosure of the personal data has been notified to the individual, consent from the individual is required to collect, use or disclose the personal data.212 However, the issue of consent is problematic as it encompasses the concept of deemed consent, which complicates the application of the Obligation of Consent.213

2.107 Sixth, there are, however, also exceptions for the requirement of consent. For personal data that falls within the circumstances set out in the Second, Third and Fourth Schedules, there are copious lists of situations whereby consent is not required for collection, use or disclosure of the personal data.214

2.108 Seventh, an organisation holding any personal data would need to comply with the personal data protection Obligations set out in Parts IV to VI of the Act, such as Obligations about access to personal data by an individual of the personal data held about the individual by the organisation,215 correction of personal data and security of personal data.216 Some of these principles or Obligations will need careful consideration and implementation as there will be overlap between the application of the principles and some of the other provisions that may prove to be confusing. For example, even if a piece of personal data falls into the categories of the exceptions in the above-mentioned Schedules and does not require consent for collection, use and disclosure, an individual appears to still have the right, for example, to withdraw consent for the collection, use and disclosure of that piece of personal data, but as will be examined in chapter 5, this is not the case. There are numerous such intersections in the implementation and application of the Act and applying them to real life situations can prove to be perplexing.

208 Personal Data Protection Act 2012 (Act 26 of 2012) s 3.

209 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(5).

210 Personal Data Protection Act 2012 (Act 26 of 2012) s 20.

211 Personal Data Protection Act 2012 (Act 26 of 2012) s 18.

212 Personal Data Protection Act 2012 (Act 26 of 2012) s 13.

213 Personal Data Protection Act 2012 (Act 26 of 2012) s 15.

214 Personal Data Protection Act 2012 (Act 26 of 2012) s 17 and Second, Third and Fourth Schedules.

215 Personal Data Protection Act 2012 (Act 26 of 2012) s 21.

216 Personal Data Protection Act 2012 (Act 26 of 2012) s 22.

2.109 Eighth, the terms "collect", "use", and "disclose" are not defined in the Act, even though they are part of the essence of the personal data protection regime. The uncertainty in the exact meaning may result in situations where it may be problematic to ascertain whether personal data has actually been "collected", "used" or "disclosed". Furthermore, disclosure is a form of use and the inclusion of disclosure [...] doubts about what else might be excluded from the notion of "use".217

2.110 This is the broad conceptual framework of the Singapore personal data protection regime and this book will use this framework [...] dissecting the individual topics and issues [...] understand the requirements of the [...]

217 See further ch 5.

CHAPTER 3

The Concept of Personal Data

3.1 The centrepiece of the Personal Data Protection Act 2012 (the "Act") is the concept of personal data,1 around which all the provisions evolve. Conceptually, the definition in the Act is a fairly standard one found in the legislation of many jurisdictions, as well as in framework legislation such as the European Union ("EU") Data Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679.3 The definition, however, though seemingly simple, has generated multifaceted complexities in its application.

A. DEFINITION IN THE LEGISLATION

3.2 The term "personal data" is defined in section 2 of the Act to mean "data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access".4

1 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 ("EU Data Protection Directive 95/46/EC").

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("EU General Data Protection Regulation 2016/679").

4 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

3.3 At the outset, it should be noted that the Personal Data Protection Commission (the "Commission") stated in the Advisory Guidelines on Key Concepts in the Personal Data Protection Act5 ("Key Concepts Guidelines") that the definition of personal data "is not intended to be narrowly construed and covers all types of data from which an individual can be identified".6

3.4 The simple understanding of this definition is that if an individual can be identified from that piece of data or from that piece of data in combination with other information, then the first piece of data or information constitutes personal data. It sounds simple but, unfortunately, even some of the Advisory Guidelines given by the Commission have served to fuel confusion.7

3.5 There are three preliminary points to note about this definition.

1. "Data" and "Information"

3.6 First, the terms "data" and "information" are both not defined in the legislation, so they should be interpreted in their ordinary meanings. The two terms seem to be synonymous according to many dictionaries, which means "information" and "data" appear to be interchangeable terms and any reference in the legislation to one can be taken to mean the same as the other. This, of course, raises the question of why the Legislature chose to use two different terms rather than one. No indication of the reasons can be found in the consultation papers, but the usage of two terms may have resulted from responding to the feedback from the consultation rounds. In the initial Public Consultation [...] Data Protection, the definition for "personal data" referred solely to the term "information", "information about an identified or identifiable individual", which is a definition commonly found in other jurisdictions such as the EU. Due to concerns raised about the lack of clarity10 in the meaning of "identifiable individual", the final definition of "personal data" was changed in the legislation to clarify and the result was to encompass both terms. The term "information" could perhaps be argued to be a more general and common term. The term "data", on the other hand, perhaps seems to be a more technical term. This, however, is neither here nor there as they both have the same meaning.

3.7 So what exactly does "data" and "information" about an individual encompass? In effect, most data "about" an individual falls into three broad categories that are not mutually exclusive: data with some content about an individual; data with a purpose element about an individual; and data with a result element about an individual.

3.8 The content element category of the concept is probably the easiest to comprehend and would certainly include any statements about an individual and would cover "objective" data, such as a person's height, age and weight, as well as "subjective" data, such as opinions or assessments.12 Often recorded subjective data would include assessments about an individual's credit worthiness, the person's risk of developing health problems, and the performance of an employee. Examples of data with some content about an individual would also include any results of medical tests conducted on the individual and any information contained in a company's folder under the name of an individual, whether an employee or client.

5 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016).

6 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 5.2.

7 See paras 3.50-3.114 below on anonymisation.

8 See, eg Cambridge Dictionary Online (accessed 23 May 2010), Webster Merriam Dictionary Online dictionary/data> (accessed 23 May (accessed 23 May 2016).

9 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.1.

10 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.2.

11 See also EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 10.

12 See also EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 6.

3.9 The definition explicitly specifies that the data can be true or false, hence, even if the objective or subjective data, such as assessments, turn out to be untrue, they would still constitute personal data.

3.10 The definition in section 2 of the Act does not specify or limit the kind of data that can be personal data, hence any type of data, from data about the individual's characteristics to the types of activities undertaken by the individual, such as their work roles, as well as social and economic behaviours. This leads to the purpose element category of the concept, where the data is used or is likely to be used with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual.14 This category may encompass situations where the information conveyed by the data concerns primarily objects in the first instance and not individuals. Those objects may belong to someone else but have some physical or geographical proximity with individuals or with other objects, or they may be under the control of individuals or may have an impact upon individuals. It is because of the indirect connection that it can be considered that the data relates to those individuals or those objects.

3.11 An example of this category might be the log of a particular telephone extension number of a company office which provides information about the calls that have been made to and from that telephone. The telephone log can be brought into relation with different individuals. The telephone extension might be under the exclusive control of a certain employee during working hours and calls are supposed to be made by the employee. The call log will provide information about whom the employee has called. The telephone can also be used by whomever is allowed into the premises in the absence of the employee, for example, when the employee is on leave. The call log can be used, for example, for the purpose of checking how many phone calls and the duration of the phone calls that the employee makes and whether they are personal calls to numbers that are unrelated to the job responsibilities. Here, both outgoing and incoming calls would contain information concerning individuals' private life, social relationships and communications, and these can be used for some purpose or other.

3.12 Regarding the result element category of the concept, this is where the use of the data is likely to have an impact on an individual, or the individual's rights and interests. The impact need not be a major impact, as long as the individual might be treated differently from other persons as a result of the processing of such data. So the individual could, for example, be tagged or given a certain status.

3.13 An example of this might be the monitoring of credit card transactions by financial institutions. Financial institutions often have a department that continuously monitors credit card transactions, with the purpose of weeding out dubious-looking transactions, especially transactions originating from overseas or online transactions that seem fraudulent. The purpose of this is to prevent credit card fraud at the earliest instance, especially before huge sums are committed. The purpose is not to monitor the purchasing habits or the movements of the credit card holder. Yet, the data can be used for such purposes, for example, if a customer is consistently purchasing from the shops of luxury brands, then the financial institution may well tag the individual's status accordingly, possibly as a high net worth individual, or even as an individual who spends but does not save. The classification itself would be enough for the result element category.

3.14 One form of data about an individual that transcends all categories might be biometric data. With the advances of technology, biometric data has increasingly been collected and used for identity verification purposes, especially at border controls. Biometric data can be said to be about the individual's characteristics in that they can be biological or physiological characteristics, such as fingerprints, retinal patterns, birthmarks, voices, and even hand geometry. These are all about the individual and because some biometric data is unique, they can also identify the individual by providing the unique link. So, biometric data can function as "identifiers" to identify the individual. The analogy would be that instead of identifying an individual by name, the individual can be identified by his or her thumbprint. Whilst it is true that the current technology used to measure or compare a person's thumbprint patterns against a record of a thumbprint may not yet be faultless, the fact that a certain degree of probability is involved does not disqualify the thumbprint from being personal data.

13 Personal Data Protection Act 2012 (Act 26 of 2012) s 2.

14 See also EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 10.

2. Format of data

3.15 The second point concerns the format of data. This is also not prescribed by the definition in the Act15 and the form in which the data is collected or stored is unimportant as the Act is technology neutral, hence it covers both personal data in electronic and non-electronic forms. This is to ensure consistency even as data is transferred from digital to non-electronic media and vice versa. This is indeed a sensible approach. Data need not be contained in a structured database or file. Organisations should take much care in implementing their personal data protection policies to ensure the same level of protection for personal data in both paper or electronic forms. Many organisations still collect and process personal data using pen and paper, some then transfer the personal data into electronic format, hence even the conversion process itself needs to adhere to the personal data protection principles.

3.16 As will be elucidated in later chapters, if personal data is collected and subsequently stored using non-electronic means, then there may be differing considerations for the protection of different pieces of personal data on the same piece of paper. For example, some pieces of personal data can be retained for longer whilst others should be destroyed sooner. This may pose a compliance challenge if the organisation has simply kept the original handwritten data collection form. A typical example of this would be a lucky draw form which would typically collect the name and contact information of the individual. As most lucky draws have a marketing element involved, assuming that consent is obtained to retain the individuals' names and contact details for contacting them for marketing purposes, all other information on the lucky draw form would probably need to be destroyed after the lucky draw has taken place.17 So, for example, if the form also asked questions about opinions on competitors' products, such answers would be irrelevant to the subsequent marketing purposes and would need to be destroyed.

3.17 Other than the forms of data, other possible formats of the data would comprise the presentation mode, whether presented using alpha-numerical, graphical, photographical, sounds or through both sounds and images such as videos.

3. To identify an individual

3.18 The third preliminary point concerns the issue of what is meant by being able to identify an individual from the data. The term "identify" is not defined in the Act and in international data protection law parlance, the concept "to identify" means to be able to single out a person or to distinguish a person from other individuals and to discover who the person is.

3.19 This was also the view of the Ministry of Information, Communications and the Arts ("MICA") in the Public Consultation Issued by Ministry of Information, Communications And The Arts: Proposed Personal Data Protection Bill18 where it stated in relation to the amended definition of "personal data" in the Act:19

The new definition also aims to provide more clarity to data that is 'identifiable'. In this definition, the term 'identifiable' that was used in the DP public consultation has been removed and replaced with 'who can be identified'. However, it maintains the position that information (whether a single piece of information or a group of information taken together) that relates to an identified or identifiable individual will be considered personal data. [emphasis in original]

3.20 MICA proceeded to state in the following paragraph that the new definition "is not significantly different in effect from that which was earlier proposed and its principles are similar to internationally-adopted definitions of personal data".20 From this clear stance, the jurisprudence and guidance from international sources on the meaning of "identified" or "identifiable" can be referred to.

15 Personal Data Protection Act 2012 (Act 26 of 2012).

16 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.9.

17 It would be difficult to find any legitimate legal or business purpose to retain such information under s 25(6) of the Personal Data Protection Act 2012 (Act 26 of 2012). Furthermore, retention of this kind of information would arguably be prohibited under s 18.

18 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012).

19 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.6.

20 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.7.

3.21 The EU Article 29 Data Protection Working Party ("WP29") stated that an individual can be considered as "identified" when, in a group of persons, he or she is "distinguished" from all other members of the group. It follows from this that an individual "is 'identifiable' when, although the person has not been identified yet, it is possible to do it (that is the meaning of the suffix '-able')".22 The WP29 noted that the latter is in practice the threshold condition determining identifiability.

3.22 Would being "identified" or "identifiable" require that a person's name be known? A person's name is only one of many identifiers. It would not be necessary for an individual's name to be discovered to satisfy this. The key is being able to distinguish this individual from all other individuals.

3.23 As already discussed above, fingerprints are also identifiers. Identifiers are data that hold a particularly close relationship with the particular individual. Some identifiers such as fingerprints and an individual's full name are so uniquely linked to the individual that a person can (often) be narrowed down and distinguished by that one identifier alone. Other identifiers will not have that close nexus and will not be sufficient to achieve identification on its own. So, for example, a common Chinese surname in Singapore like Tan or Lim will usually not be sufficient to identify someone, but if a Mr Tan is present in a room with other persons who are all non-Chinese, that is, he is the only ethnic Chinese person in the room, Mr Tan can most likely be identified.

3.24 The name of an individual is the most common identifier but in some instances, where there is more than one individual with the same identical name, in order to distinguish the individual accurately, the name has to be combined with other pieces of information such as the date of birth, the address or even known physical attributes such as height of the individual. In this way, it can be seen that the name of an individual is not necessarily equivalent to the "identity" of the individual. The name of an individual in this example would be a useful identifier but not a unique identifier. A person's name is data "that reveals that the individual uses that combination of letters and sounds to distinguish himself and be distinguished by other persons with whom he establishes relations".23 If a person has a purple birthmark on his head in the shape of a star, that would arguably be a more unique identifier than the name of the person.

3.25 The Act24 defines personal data as data about an individual who can be identified, hence, to identify an individual would not necessarily require a person's name to be known, only to be able to distinguish the person or to point out that it is this individual or that individual. The test in the Act is thus only merely to be able to pinpoint a certain person, not necessarily to identify the individual by name, otherwise, the Legislature would have inserted the extra words "by name". It should be noted, however, that once an individual can be singled out, in this digital age, it is often not difficult to discover the person's name. The concept of being able to identify an individual is essentially about being able to single out the flesh and bone individual.

3.26 Lastly, it should be noted that the Act is worded such that it requires the data to be able to identify an individual. This means that it must not be a mere hypothetical possibility. If the possibility does not exist or is negligible, the individual should not be considered identifiable and the information would not be considered as personal data. As the Commission has stated with respect to anonymisation, to re-identify means to be able to identify an individual beyond doubt and not just the ability to identify an individual through educated guessing.25

21 EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 12.

22 EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 12.

23 EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at p 13.

24 Personal Data Protection Act 2012 (Act 26 of 2012).

25 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.32-3.33.

Personal data: Basic level

3.27 The definition in the Act has two levels. At the most basic level, if a piece of information can identify an individual, then the information is regarded as personal data. Obvious examples of personal data at the basic level would include a person's name, photograph or camera image of a person's face, and biometric information such as fingerprints and iris scans. Each of these are unique to the individual and therefore can in most cases by themselves identify an individual.

3.28 The information can be true or false, as the definition encompasses both true and untrue data. This means that a piece of information, even if it is false but which can be used to identify an individual by itself or in combination with other information, would still satisfy the definition. False data that could constitute personal data might be, for example, a photograph that has been doctored, a photograph of a person's face might be superimposed onto an existing photograph making it look like it really was the individual who was in the compromising position. The photograph by nature of it being doctored would be false data, but this, in accordance with the definition, does not disqualify it from being personal data. In this case, the individual can be identified through the photograph of the face.

5.

[...] the area of data protection at the international level. There, the concept of personal data was simply defined as any information relating to an "identifiable individual", which essentially means that from the information, an individual can be identified and which would, of course, include the possibility of combining the information with other information. Indeed, the original definition of "personal data" in the Public Consultation had used this definition, but it was amended due to respondents' requests for a clearer definition.2

3.30 This expanded level of the definition serves to encompass much information that would otherwise not be considered personal data. In order to ensure the ambit of the definition at this level is not overly wide, the control test adopted by the Singapore Legislature to limit the definition is that the other piece of information with which the original data is combined must be one that the organisation has or is likely to have access to.28

3.31 This control test is relatively unique to Singapore and it narrows the scope of the definition somewhat. In other jurisdictions such as the EU and Canada, there is no such control test. In the EU Data Protection Directive 95/46/EC,29 Recital 26 provides that "account should be taken of all the means likely reasonably to be used", with the result that many courts in the EU have interpreted this to mean that if there is any piece of data that exists and can reasonably and possibly be used to combine with the first piece of data to identify an individual, this will

Personal data: Expanded level

render the first piece of data to be personal data. 3.29 The second and more expanded level of the definition of personal data can be found in the latter half of the definition. At the expanded level of the definition, data which by itself cannot identify an individual can become "personal data" if, when combined with other information that the organisation has or is likely to have access to, can identify an individual. The inclusion of this concept of identification through combination of data is crucial in the digital age, where much data can be quickly and easily combined and matched. This concept was adopted by the Organisation for Economic Co-operation and Development ("OECD") in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, one of the earliest initiatives 26

1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (accessed 23 cl May 2016), 76

1(b).

3.32 Recital 26 of the EU General Data Protection Regulation 2016/679 has also confirmed this approach and states that: account should be taken of all the means reasonably likely to be used, such to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into the available technology at the time of the processing and

assingling out..

consideration

technological developments

27 28 29 30

Ministry of Information, Communications and the Arts, Public Consultation LSSued by Ministry of Information, Communications and the Arts: Proposed Protection Bill (19 March 2012) at paras 2.1-2.2.

ersomal Data Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). EU Data Protection Directive 95/46/EC, Recital 26. EU General Data Protection Regulation 2016/679, Recital 26. 77

3.33 The EU General Data Protection Regulation 2016/679 does refer to "all objective factors" and require them to be considered but it does not preclude the consideration of subjective factors in the assessment of the means reasonably likely to be used. This is illustrated in the discourse on Internet Protocol ("IP") addresses that will be discussed below.

3.34 In Singapore, the data will only become personal data if the organisation has or is likely to have access to the second piece of data. In practical terms, this would limit the second piece of data to that which the organisation can feasibly obtain. This, on the face of it, would mean that any data that is in the public domain, or which the organisation can obtain through purchase or otherwise, or through observation or some other means, will render the original piece of data to constitute personal data if it can be used in conjunction to identify the individual.

3.35 The Act, however, does not specify that the data that the organisation has or is likely to have access to must only be accessible through legal means, and as such, no considerations of legality should be entered into. Whilst this may seem an odd proposition, the reason is as follows. Prior to the enactment of the Act, Singapore had a rampant culture of collecting and sharing personal information. This, combined with the allowance set out in section 19 of the Act for personal data collected before the enactment of the Act, means that there may still exist numerous avenues one can obtain data which might appear legal but which might actually fall into the shades of illegality.

3.36 It should be further noted that the definition in the Act only refers to information to which the organisation has or is likely to have access. There are no other factors other than "information" delimiting the control test. Hence, all other factors such as the means available to the organisation, the purposes of the organisation for the data, the advantage expected by the organisation, the interests at stake or even the costs involved to combine the pieces of data need not and should not be considered.

3.37 Much of the more familiar content category of data, along with data under the purpose element category and result element category of data, would sit under this expanded level of the definition of personal data. National Registration Identification Card ("NRIC") numbers, home addresses, car plate numbers, IP addresses, credit card numbers and telephone numbers would all be personal data under the expanded level as all these pieces of information can be used to match and identify an individual when combined with other data.

3.38 Regarding NRIC numbers, technically, only a small number of entities should hold both a person's name and the person's NRIC number. Unfortunately, the NRIC number has been and continues to be requested far too often and in too many contexts in Singapore, and many Singaporeans and permanent residents have willingly given their NRIC numbers, even for mundane purposes such as low grade lucky draws. As a result, lists containing a person's name and NRIC number abound and these of course can be obtained and used to identify an individual.

3.39 In terms of home addresses, these can also constitute personal data. While there may be multiple persons residing at an address, other data such as physical attributes of the resident can be used to identify the individual in question. For example, if the data comprises of a residential address, Address X, and other information which the organisation has access to indicates that the particular individual is elderly and there is only one person at Address X who is over 60 years of age, then clearly Address X would be personal data as it can be used in combination with other information to identify the elderly person. At this juncture, recall that identification does not require the name of the individual to be known, only to be able to single out the individual and to know who the person is. Other physical attributes that can also constitute information with which to combine and identify individuals would include the height, build, colour of hair, length of hair of a person and so on.

31 Personal Data Protection Act 2012 (Act 26 of 2012) s 19.

32 See EU Article 29 Data Protection Working Party, WP37, Privacy on the Internet - An Integrated EU Approach to On-line Data Protection (adopted on 21 November 2000); EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at pp 16-17; Patrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona (delivered on 12 May 2016); EU General Data Protection Regulation 2016/679, Recital 30.

3.40 On this point, it is rather unhelpful that the Commission, in the Key Concepts Guidelines, expressed the view that:

[w]hether a certain piece or set of data is personal data will depend on the context. Data that may identify an individual in a certain situation may not in another. For example, an individual's residential address is often regarded as forming part of the individual's personal data. While this [...] if the address is collected as part of other data about the individual, for example, with his name and other contact information, the address on its own may not be personal data in other contexts.

3.41 This notion of "context" raised by the Commission is not present in the Act and reference to it by the Commission generates confusion. The definition in the Act simply sets the control test as whether or not the organisation has or is likely to have access to other information; the Act makes no mention of contexts which can give a skewed impression of the meaning of "personal data" and also thereby dilute the definition.

3.42 The example which the Commission gave concerning the notion of "context" is equally unhelpful:34

A business wishes to sell its products to households within a certain area around its location. It engages a service provider to distribute flyers advertising its products to all residential addresses within the area without collecting or using the names or other personal data of individuals living at those addresses. The residential addresses would not be personal data collected and used by the business.

3.43 The Commission's conclusion that the residential addresses thus collected would not be personal data is rather dubious. Just because the business does not collect or use the names or other personal data of individuals living at those addresses would not automatically disqualify the residential addresses from being personal data. The control test in the Act is whether the business has other information or is likely to have access to other information that can be combined with the addresses to identify the individuals. Such other information would not be difficult to obtain as residents' names would often be known to neighbours, delivery persons, contractors and so on. The Commission appears to have overlooked the definition in the Act.

3.44 Car plate numbers, IP addresses and telephone numbers can all potentially be personal data for much the same reason, as they can all be combined with other data to identify individuals. Although it is true that people do allow family members and friends to drive their cars, the number of persons permitted to drive is small and limited compared to the whole world. Indeed, it is this narrowing down of possible individuals to a much smaller group that makes the task of identifying an individual relatively easy when other data is combined, and this is at the core of why personal data has been defined as such for several decades now. A piece of information will take on the character of personal data when the number of possible individuals to which it can be applicable is substantially narrowed, and when it is combined with other information, makes the identification of the individual possible. This is truly the key to the concept of personal data. Personal data is information that assists in narrowing down potential individuals and when combined with other information, the individual can be singled out and the identity of the person discovered.

3.45 This is also the reason why even IP addresses can be personal data.35 Each computer connected to the Internet must have a unique IP address, so if the same employee is using the same computer every day at a set time, and the IP address is not dynamically assigned (random) each time, then the IP address becomes personal data because it would be possible to identify the particular employee through the IP address when combined with information about all the employees who use that particular computer and at what time they used the computer. Even the information keyed into the computer by the employee can be used to connect the employee to the IP address. This kind of information to link a computer or IP address to an individual would be of relevance and great importance in many situations. For example, organisations that use cookies on their websites to track the website visitors may use the information for commercial purposes, or in times when compromising or [...] activities or materials have been found to emanate from the computer, the information can be used to identify the offender.

33 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 5.12.

34 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 5.12.

35 See EU Article 29 Data Protection Working Party, WP37, Privacy on the Internet - An Integrated EU Approach to On-line Data Protection (adopted on 21 November 2000); EU Article 29 Data Protection Working Party, WP136, Opinion 4/2007 on the Concept of Personal Data (adopted on 20 June 2007) at pp 16-17; Patrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona (delivered on 12 May 2016); EU General Data Protection Regulation 2016/679, Recital 30.

3.46 With respect to dynamically assigned IP addresses, in May 2016, Advocate General ("AG") Manuel Campos Sánchez-Bordona gave his opinion in the case of Patrick Breyer v Federal Republic of Germany, in the European Court of Justice ("CJEU"), which dealt with dynamically assigned IP addresses. The AG stated that:37

A dynamic IP address must be classified, for the provider of Internet services, as personal data in view of the existence of a third party (the Internet access service provider) which may reasonably be approached in order to obtain other additional data that, combined with a dynamic IP address, can facilitate the identification of a user.

3.47 He came to this conclusion after noting that Recital 26 of the Data Protection Directive 95/46/EC was based on there being a reasonable chance of identification, which turned on looking at whether the possibility of access to the data is reasonable:

Information may be obtained 'reasonably' only if the conditions governing access to that kind of data are satisfied, the first of which being the legal possibility of retaining and transferring it to others. It is true that the Internet access service provider may refuse to reveal the data concerned but the opposite is also possible. The possibility that the data may be transferred, which is perfectly reasonable, itself transforms the dynamic IP address, in accordance with recital 26 of Directive 95/46, into personal data for the provider of services on the Internet. [emphasis added]

3.48 This also illustrates that the control test in the Singapore legislation results in a slightly narrower concept of personal data than in the EU. By and large, in the EU, if some other piece of information exists and can be reasonably obtained, it can be taken to be combinable and may render the data to be personal data. This is not the case in Singapore due to the requirement that the other piece of information with which the original data is combined must be one that the organisation has or is likely to have access to.39 "Likely to have access to" is narrower than "can reasonably obtain".

3.49 From the foregoing, it is crucial to always remember that "personal data" is not merely about an individual but can also comprise of information about objects, processes and even events.

B. ANONYMISATION OF DATA

3.50 With the rise of big data, there is exponentially more data available for analysis now than ever before. Much of this data contains information that can identify individuals; for this reason, the data should be anonymised before use or disclosure. This would be the best practice even if the data subjects have given consent for secondary or subsequent uses or disclosures because the secondary use may often produce consequences more dire than envisaged when combined with other data sets which may go beyond the consent given.

3.51 There are enormous perceivable benefits that can be reaped from big data, not just for business purposes such as predicting resource and consumer trends, but also for health research through the search for patterns, correlations and other insights. Indeed, the applications in the field of data analytics are almost endless. For example, researchers at Toronto's Hospital for Sick Children have made use of big data analytics to save the lives of premature babies.40 Through the analysis of already-collected vital signs, the researchers created an algorithm to predict which babies were most likely to develop a life-threatening infection before acute symptoms of infections appeared. For tiny premature babies with little immunity, this early detection is a life-saving measure. Indeed, the applications in the field of data analytics are almost endless.

36 Patrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona (delivered on 12 May 2016).

37 Patrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona (delivered on 12 May 2016) at [74].

38 Patrick Breyer v Bundesrepublik Deutschland Case C-582/14, Opinion of Advocate General Campos Sánchez-Bordona (delivered on 12 May 2016) at [72].

3.52 If data has genuinely and truly been anonymised, then it cannot identify any individual and by definition, it is no longer personal data. However, to achieve the state of true anonymisation is a challenge. Many computer scientists researching in the area of data analytics have shown and established that even when data has supposedly been anonymised, it is possible to re-identify the data subjects when combined with other data sets. Two of the more notorious examples of successful re-identification have already been highlighted by the Personal Data Protection Commission in its Advisory Guidelines on the Personal Data Protection Act for Selected Topics ("Selected Topics Guidelines"). In a later research project in 1990, Latanya Sweeney, a computer scientist, found that 87% (216 million of 248 million) of the population in the US could be identified through the use of only three attributes: 5-digit postal code, gender and date of birth.

3.53 It is extremely difficult to anonymise data so that individuals cannot be re-identified. The Commission outlined some anonymisation techniques in its Selected Topics Guidelines, which it warned was not exhaustive. However, it should be noted that the seven techniques (pseudonymisation, aggregation, replacement, data reduction, data suppression, data shuffling and masking) highlighted by the Commission are all fairly primitive techniques which have been used for many decades. Indeed, these very techniques were the ones used to anonymise data sets from which computer scientists, such as Sweeney, were able to re-identify individuals.

Receiving anonymised data sets

3.54 The Commission stated in the Selected Topics Guidelines that it does not expect an organisation to take active steps to attempt to re-identify individuals from anonymised data in order to make a determination as to whether the data is personal data in view of such data held by the organisation or information to which the organisation has or is likely to have access.

3.55 This is indeed good news for organisations which have obtained or received sets of anonymised data: they are not expected to ascertain whether the data sets constitute personal data by expending effort to try and re-identify individuals. In effect, when an organisation receives anonymised data sets, it can assume that the data sets do not constitute personal data.

3.56 While this obviates the need to engage in data analytics, in real terms it does not mean that the data sets will never constitute personal data. Bearing in mind that the Act also allows for private actions by any individual who has suffered loss or damage, an organisation would likely want to take steps to ensure that it is not holding or likely to hold other data sets so that when all the data sets are combined, individuals cannot be identified. This would require the organisation to have a system to continuously assess its data inventory. For some organisations, it may be as simple as knowing and keeping track of what data and data sets it holds and tracing the life cycle of data. Data and the availability of data will likely increase over time, and this, coupled with developments in data matching capabilities, will mean organisations need to constantly monitor their data inventory.

3.57 Alternatively or additionally, it may be wise for the organisation to insert indemnity clauses into the contract with the anonymised data set provider or to obtain warranties that consent for the use and disclosure of the data sets have been obtained from the data subjects.

39 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

40 Brian Proffitt, "Toronto Hospital Detects Infections with Analytics" IT World Canada (27 April 2012).

41 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.15-3.16.

42 L Sweeney, Simple Demographics Often Identify People Uniquely (Carnegie Mellon University, Data Privacy Working Paper 3, Pittsburgh 2000) <http://dataprivacylab.org/projects/identifiability/paper1.pdf> (accessed 23 May 2016).

43 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.8.

44 The author of this book was a computer science undergraduate in the 1980s and these were the obvious anonymisation techniques that were being implemented then.

45 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.20.

46 Personal Data Protection Act 2012 (Act 26 of 2012) s 32.
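The three-attribute finding in para 3.52 and the data reduction and data suppression techniques named in para 3.53 can be checked on a data set before it is disclosed or combined with other holdings. The following is an added example, not taken from the book or from the Commission's guidelines: it counts how many records are singled out by postal code, gender and date of birth, then repeats the count after the attributes are coarsened and small groups are suppressed. The sample records, function names and generalisation levels are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: names already removed, leaving only the three attributes
# from para 3.52 (5-digit postal code, gender, date of birth). Not real people.
RECORDS = [
    ("02138", "F", date(1961, 7, 14)),
    ("02138", "F", date(1961, 11, 2)),
    ("02138", "M", date(1961, 3, 30)),
    ("02139", "F", date(1964, 1, 9)),
    ("02139", "M", date(1964, 5, 21)),
    ("02139", "M", date(1967, 8, 17)),
    ("02141", "F", date(1972, 2, 28)),
    ("02141", "F", date(1975, 12, 5)),
    ("02142", "M", date(1972, 6, 11)),
    ("02142", "M", date(1978, 9, 23)),
    ("02138", "F", date(1961, 7, 14)),   # shares all three values with row 1
    ("02474", "M", date(1990, 4, 1)),    # outlier in both postal code and age
]


def generalise(record, postal_digits=5, dob="day"):
    """Data reduction: coarsen one record's three attributes."""
    postal, gender, born = record
    if not 0 <= postal_digits <= len(postal):
        raise ValueError("postal_digits out of range")
    postal = postal[:postal_digits] + "*" * (len(postal) - postal_digits)
    if dob == "day":
        born_out = born.isoformat()
    elif dob == "year":
        born_out = str(born.year)
    elif dob == "decade":
        born_out = f"{born.year // 10 * 10}s"
    else:
        raise ValueError(f"unknown dob level: {dob!r}")
    return (postal, gender, born_out)


def class_sizes(records, **level):
    """Count how many records share each combination of the three attributes."""
    return Counter(generalise(r, **level) for r in records)


def risk(records, **level):
    """Summarise how far the three attributes narrow down the individuals."""
    sizes = class_sizes(records, **level)
    singled_out = sum(1 for n in sizes.values() if n == 1)
    total = len(records)
    return {
        "records": total,
        "k": min(sizes.values(), default=0),   # smallest group sharing one combination
        "singled_out": singled_out,            # records alone in their group
        "share": round(singled_out / total, 3) if total else 0.0,
    }


def suppress_small_classes(records, k, **level):
    """Data suppression: drop records whose group is smaller than k."""
    sizes = class_sizes(records, **level)
    return [r for r in records if sizes[generalise(r, **level)] >= k]


if __name__ == "__main__":
    for label, level in [
        ("as received", {}),
        ("3-digit postal code, birth year", {"postal_digits": 3, "dob": "year"}),
        ("3-digit postal code, birth decade", {"postal_digits": 3, "dob": "decade"}),
    ]:
        print(f"{label:36} {risk(RECORDS, **level)}")
    level = {"postal_digits": 3, "dob": "decade"}
    kept = suppress_small_classes(RECORDS, 2, **level)
    print(f"{'... plus suppression of groups < 2':36} {risk(kept, **level)}")
```

On this sample the outlier record stays singled out through both levels of data reduction and only disappears once suppression is applied, so the per-group count has to be re-run whenever the attributes held change.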

2. Anonymising data sets

3.58 There may be occasions where an organisation anonymises data either for its own purposes or for disclosing to or sharing with others. When there is a disclosure to others, special care must be taken to ensure that the data set has truly been anonymised.

3.59 If an organisation anonymises data but still retains the "key" or means to re-identify, then the data set would still constitute personal data. Hence, organisations must ensure that they discard all means to re-identify and, of course, ensure that the original raw data is not retained. To re-identify means to be able to identify an individual beyond doubt and not just the ability to identify an individual through educated guessing. Similarly, even if it can be ascertained that the same individual is in two different data sets but the individual's identity cannot be discovered, this would not be re-identification. However, if the individual can be positively identified by combining these two data sets with other data to which the organisation has or is likely to have access, then it would constitute personal data.48

3.60 In terms of how effective the anonymisation must be before it is no longer considered to be personal data, the Commission has stated that it takes a practical approach when assessing anonymisation and the risks of identification:

If the risk of re-identification is high, then the data will be considered personal data. If the possibility of re-identification is trivial, the Commission will consider the data anonymised.

3.61 The Commission has also given some guidance on the factors that will impact on the risks of re-identification, which include the nature or type of data de-identified, the anonymisation techniques employed, the complementary data (likely to be) available, the capability of the organisation receiving the anonymised data, as well as its motivation in re-identifying individuals from the anonymised data set, the number of recipients of the anonymised data, additional enforceable restrictions on the use and subsequent disclosure of the data and robust data retention policies and processes that will ensure the destruction of data when they no longer serve any business or legal purpose.50

3.62 In this regard, the Commission appears to be taking a less than scientific approach towards the definition of personal data. By proclaiming that whether something is personal data is dependent on or measured by the risk of re-identification, it moves the definition into the realm of great uncertainty. Risk cannot be used as the test for whether something is personal data - the definition of personal data is already clearly spelled out in section 2.

3.63 The Commission gave the example of fingerprints to illustrate its view. It opined that a set of fingerprints is not likely to be personal data to the lay person but the same set of fingerprints would likely be personal data to the expert, who would have the skills, technologies and complementary information for re-identification. By adopting the approach of assessing the subjective risks of re-identification, the Commission appears to have interpreted the definition of personal data as a subjective test instead of the objective test as set out in the Act. According to the definition in the Act, something is personal data simply if an individual can be identified from that data or from that data and other information to which the organisation has or is likely to have access. This is an objective test: it is either possible or not possible to identify the individual from the data - "can be identified". The only subjective element of the definition is whether the organisation has or is likely to have access to the data. By introducing factors such as skills and technologies, the Commission has considerably confused the concept of personal data.

47 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.30 and 3.32.

48 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.30 and 3.34-3.35.

49 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.29.

50 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.27-3.28.

51 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.24.

52 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

3.64 To make matters even more unclear, the Commission also enunciated the relevance of the motivation of the organisation to re-identify data. It stated:53

Even if one has the requisite skills and information for re-identification, it does not necessarily mean that the risks of re-identification are high. The motivation to re-identify data must also be considered.

3.65 The Commission then proceeded to explain that motivation to re-identify an individual may be low if there are disincentives such as legal or contractual obligations or consequences for re-identifying individuals from data. The introduction of motivations and incentives to be taken into account as a consideration in assessing the risks of re-identification makes any assessment of the risks rather vague; more importantly, it takes the definition of personal data further into the realm of subjectivity, something not provided for in the Act. It is unclear where the mandate for the factor of motivation originates, but since it is not in the Act, it may be open to challenge, especially in private actions.

3.66 The Commission also made a distinction between information publicly available or knowledge that is held personally. If an individual can be easily re-identified based on information that is readily available to the public, then the re-identification risks are likely to be significant. The Commission's guidance is that in ascertaining the re-identification risks of an anonymised data set, one should take into account the use of public knowledge for re-identification, but not necessarily personal knowledge of the individual or the people close to the individual.

3.67 While it is true that the re-identification risks are more likely to be significant if the complementary information is publicly available, it should be noted that there will be occasions where non-publicly available information of the individual will be a clear and relevant consideration and these, in accordance with the wording of the legislation, should [...]

3.68 In addition to the factors to consider for assessing the risks of re-identification, the Commission also recommended testing anonymisation as a means of assessing the risks of re-identification.

(a) Anonymisation testing

3.69 The Commission recommended that before organisations disclose anonymised data sets, they should employ a "motivated intruder test"56 to [...] re-identification risks. This was a test originally introduced by the UK Information Commissioner's Office ("ICO") in its Anonymisation: Managing Data Protection Risk Code of Practice.57

3.70 The "motivated intruder" under the test is a person without any prior knowledge who wishes to identify the individual from whose personal data the anonymised data has been derived. The Commission stated that the motivated intruder test assumes that no particular individual has been targeted for identification. However, some kinds of data will be more attractive to a "motivated intruder" than others, for example, personal data about an individual for nefarious personal reasons or financial gain and any information that might cause mischief by embarrassing others or reveal newsworthy information about public figures. The characteristics of the motivated intruder are as follows:

53 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.26.

54 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.39.

55 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.41-3.47.

56 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.

57 UK Information Commissioner's Office, Anonymisation: Managing Data Protection Risk Code of Practice (November 2012) at p 22.

58 UK Information Commissioner's Office, Anonymisation: Managing Data Protection Risk Code of Practice (November 2012) at p 22.

59 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.

60 UK Information Commissioner's Office, Anonymisation: Managing Data Protection Risk Code of Practice (November 2012) at p 23.

61 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.43.

Data Protection

(a)

(b)

in the Practical Context

The Concept of Personal Data

reasonably competent; has access to standard

librarics, and all

resources such as the Intero and published infaand documents public

information

such as public directories;

(c)

(d)

employs

standard

investigative tcchniques such

who may have additional enquiries of people

as

knowledge maki of ntheg anyone with

or even advertis identity of the data subject information to come forward; is not assumed to have any specialist knowledge such as ompute

equipment; and hacking skills, or to have access to specialist such as burglary or hacking. not resort to criminality does ng, to gain (e) access to data that is kept securely. to

3.71 The Commission acknowledged that the amount of effort required for the motivated intruder test will vary; however, the examples of effort it gave were somewhat simplistic. It suggested that, at the higher end, it might entail "obtaining and processing publicly available but limited (eg national archives) resources to try to link anonymised data to an individual's identity".[62] In reality, there is much more data available than just those publicly available in repositories such as national archives: social networking websites, for example, contain abundant information on individuals. If one hosts a website, there is already a mountain of data that is collected by the website and, in addition to that, there are many databases one can either buy or subscribe to.[63] Further, if the recipient organisation is a telecommunications company, for example, then it would already hold the vital data of many individuals such as their names, dates of birth, NRIC numbers, home addresses, telephone numbers and so on, which can be used to match the data sets. Indeed, the Commission affirmed that where the motivations, reidentification capabilities and other information in possession of that recipient are known or can be reasonably inferred these should also be accounted for.[64]

3.72 Furthermore, the Commission averred that all other "residual" risks that are not directly related to a recipient's motivation and capability to re-identify should also be taken into account. These might be, for example, risks of the data being compromised or mistakenly disclosed to unintended recipients with better ability of re-identification.[65]

3.73 In terms of data that is of a more confidential or sensitive nature, the Commission also recommended more robust assessments than the motivated intruder test. This should also be the case if the consequences of re-identification are more severe for the individuals and/or the organisation.[66]

3.74 To consider the behaviour of a motivated intruder is a difficult mental exercise involving second-guessing the motives, knowledge, resources and technical expertise of the intruder, as well as assumptions about the content, nature and usefulness of the data.

3.75 In essence, while the Commission has given guidelines on anonymising data sets and the recommended or expected course of action appears to be a relatively light-touch measure, at the practical level, however, the guidelines may provide little assistance to organisations due to the generalised nature of the guidelines and uncertainty in their meaning and application.

3.76 The Selected Topics Guidelines do not provide the requisite level of clarity and certainty about how to anonymise and make judgments about the permissibility of disclosing data sets. It is also not completely clear the exact role of the Guidelines, as the Guidelines are non-binding. It is unclear to what standards an organisation will be judged. For example, paragraph 1.2 of the Selected Topics Guidelines states that:[67]

"These Guidelines should be read in conjunction with the document titled 'Introduction to the Guidelines' and are subject to the disclaimers set out therein."

3.77 Paragraph 3.1 of the "Introduction to the Guidelines" expresses the first disclaimer as follows:[68]

"The Guidelines are advisory in nature and do not constitute legal advice. They are not legally binding on the Commission or any other party. Reference should be made to the PDPA and other legislation for the complete and definitive statement of the provisions of any such legislation. The Guidelines do not modify or supplement in any way the legal effect and interpretation of any laws cited including, but not limited to, the PDPA and any subsidiary legislation (such as regulations and rules) issued under the PDPA. The provisions of the PDPA and any regulations or rules issued thereunder will prevail over the Guidelines in the event of any inconsistency."

3.78 Paragraph 3.1 clearly states that the Guidelines are not legally binding on the Commission or any other party and the Guidelines appear to have no legal effect. The next disclaimer informs that the Guidelines do not dictate nor give any assurance of what courses of action the Commission will or must take:[69]

"Nothing in the Guidelines shall be construed as granting any expectation that the Commission will take or not take any particular course of action in the future arising from or due to anything in the Guidelines. Accordingly, the Guidelines shall not be construed to limit or restrict the Commission's administration and enforcement of the PDPA."

3.79 Lastly, paragraph 3.3 states as follows:[70]

"The Guidelines are intended to provide general guidance only. Each organisation remains responsible for assessing the appropriate action to be taken or decision to be made in its particular circumstances. The Commission is not liable for any loss, claims, actions, costs, expenses or other damage (including but not limited to any direct, indirect, special, consequential or punitive damages, loss of income, revenue or profits) howsoever caused whether arising directly or indirectly from any decision or action taken in reliance on the Guidelines."

3.80 Paragraph 3.3 stresses that all responsibility rests with each organisation and effectively warns organisations that they rely on the Guidelines at their own risk.

3.81 All these disclaimers leave an organisation in no clearer a position with respect to decisions on anonymisation techniques and whether it is permissible to disclose.

(b) A more realistic view of anonymisation

3.82 One of the key insights missing from the Selected Topics Guidelines is the acknowledgement that anonymisation techniques are in practice currently not fully effective; instead, the Commission seems to give the impression that anonymity is a binary issue. At present, actual anonymisation is more of an ideal rather than something that is practically achievable.

3.83 A thorough and more realistic assessment of current anonymisation techniques was presented by the EU Article 29 Data Protection Working Party ("WP29") in its Opinion 05/2014 on Anonymisation Techniques ("Anonymisation Techniques Opinion").[71] There, the WP29 analysed the effectiveness and limits of existing anonymisation techniques and concluded that all the current techniques which they assessed failed to meet with certainty the criteria of effective anonymisation.[72] It acknowledged that case studies and research publications have shown how difficult it is to create a truly anonymous data set whilst retaining as much of the underlying information as required for the task.[73] The understanding of the limits and effectiveness of anonymisation is important, given that should the anonymisation process not effectively prevent re-identification, organisations will need to comply with the standards for personal data protection as set out in the Act for the ineffectively anonymised personal data.

3.84 The WP29 began its analysis by making it clear that the process of anonymising personal data is a processing operation in itself; hence, under EU regulations, anonymisation can only be carried out if the original personal data was collected in compliance with applicable data protection laws.[74] In Singapore, this would also hold true as the anonymisation process would constitute "use" under the Act and would need to be compatible with the original purpose for which the data was collected.

3.85 The WP29 evaluated the anonymisation techniques and found that there was no perfect anonymisation technique and, in light of this, recommended using a combination of techniques and outlined strengths and weaknesses to consider when anonymising data.[75] The Anonymisation Techniques Opinion gave some useful and practical guidance on how to make data anonymous so that it can be used for a whole range of activities from big data analysis to medical research.

3.86 The WP29 defined anonymisation as something that results from processing personal data in order to irreversibly prevent identification;[76] it noted that Recital 26 of the EU Data Protection Directive 95/46/EC stated that "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used" to reidentify the person.[77] This same test of "reasonably likely to be used" is retained in the EU General Data Protection Regulation 2016/679.[78]

3.87 The WP29 outlined three criteria an effective anonymisation solution would need to satisfy in order to achieve this:[79]

(a) prevent the singling out of an individual in a data set which would enable them to be identified (singling out);

(b) prevent the linking of two records within a data set about the same individual or same groups of individuals, or between two separate data sets (linkability); and

(c) prevent the possibility to deduce with significant probability, any information in such data set (inference).

This is in line with the Singapore position, where the Commission has stated that to re-identify means to be able to identify an individual beyond doubt and not just the ability to identify an individual through educated guessing.[80]

3.88 Against the three criteria, the WP29 concluded that the mere removal of directly identifying elements in itself was not enough to ensure that identification of the individuals is no longer possible. Additional measures to prevent identification will be required, depending on the context and purposes of the processing for which the anonymised data are intended.[81]

3.89 In the same vein, data sets that have been pseudonymised would also not be considered equivalent to anonymised data as it allows an individual to be singled out and linkable across different data sets. Therefore, pseudonymisation is not an anonymisation technique and data that has been pseudonymised still constitutes personal data and remains within the scope of the legal regime of data protection. This has also been explicitly expressed in the EU General Data Protection Regulation 2016/679.[83] The ineffectiveness of pseudonymisation as an anonymisation technique was well illustrated by the America Online ("AOL") incident in 2006, where a database of 20 million search keywords over a three-month period by AOL users were released with only their AOL user identification replaced by a numerical attribute. Some of the users were able to be identified along with their locations.[84]

3.90 The WP29 examined the two main anonymisation techniques, randomisation and generalisation,[85] and the individual techniques in each of these categories: noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity, and t-closeness. Each of the techniques' strengths and weaknesses as well as the common mistakes and failures related to their use were assessed against the three criteria of singling out, linkability and inference. These will now be addressed briefly.

3.91 Randomisation is a class of techniques that alters the veracity of the data so that the strong link between the data and the individual is removed. The aim is to transform the data so that it is less accurate so that the data can no longer refer to a specific individual. Randomisation will still maintain the singularity of each record in that each record is derived from the one same individual but randomisation can be combined with generalisation techniques to achieve stronger privacy protection. The main randomisation techniques are as follows.[86]

(a) Noise addition. This consists of altering information in the data set so that they are less accurate whilst retaining the overall distribution. An example might be the age of individuals. Instead of the exact age, the age might be changed so that they are within a tolerable limit of either plus or minus five years. Noise addition should be combined with other anonymisation techniques such as the removal of any attributes that might amount to quasi identifiers. The level of noise introduced should depend on the necessity of the level of information required as well as the impact on individuals' privacy.[87]

(b) Permutation. This involves altering the values within the data set by just swapping them from one record to another, so it involves shuffling the information in the records so that instead of the value being attached to individual X, it now belongs to individual Y. An example might be to replace individual X's weight value with individual Y's, individual Y's with individual Z's, and so on. Such swapping maintains the distribution of values but correlations between values and the individuals will be changed. Permutation is useful when it is important to retain the exact distribution of each attribute within the data set, for example, if it is important to know the exact weight of each of the individuals.[88]

(c) Differential privacy. Differential privacy is a relatively new technique and it is used when the organisation generates deindividualised and anonymised views of a data set through applying a statistical algorithm whilst retaining a copy of the original data. The anonymised views would typically be generated through a series of queries for a particular third party.[89] The method adds noise, that is, random false information, in order to make it difficult to identify any one individual within the data set.

3.92 Differential privacy is unique in that it also integrates the concept of the level of acceptable risk, which is derived from an awareness of known re-identification risks such as linkage attacks and multiple queries. From this, the data anonymiser can have some control over a dataset's overall "privacy budget", that is, the maximum privacy level required given the expectation of the number and type of queries it will have to answer. This gives the data anonymiser the ability to add levels of noise that is appropriate to the number of data queries that will be permitted. Differential privacy is more effective in anonymisation because the level of noise to be added can be adjusted and the place or places where the noise should be added can also be calibrated in order to both obscure every individual while retaining at least some useful qualities of the data.

[62] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.43.
[63] Some of these would include Wherenext Intelligence System (WIS), Amicus Data's database and HousesActually.sg, all of which specialise in property-related information.
[64] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.
[65] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.45.
[66] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 3.46.
[67] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 1.2.
[68] Personal Data Protection Commission, "Introduction to the Guidelines" at para 3.1.
[69] Personal Data Protection Commission, "Introduction to the Guidelines" at para 3.2.
[70] Personal Data Protection Commission, "Introduction to the Guidelines" at para 3.3.
[71] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014).
[72] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 23.
[73] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 5.
[74] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 7.
[75] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 23-24.
[76] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7.
[77] EU Data Protection Directive 95/46/EC, Recital 26.
[78] EU General Data Protection Regulation 2016/679, Recital 26.
[79] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7 and 11-12.
[80] Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at paras 3.30 and 3.32.
[81] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 6-7.
[82] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 10.
[83] EU General Data Protection Regulation 2016/679, Recital 26.
[84] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 11.
[85] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 12-19.
[86] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 12.
[87] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 12.
[88] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 1-14.
[89] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 15.
[90] Cynthia Dwork & Aaron Roth, "The Algorithmic Foundations of Differential Privacy" (2014) Foundations and Trends® in Theoretical Computer Science Vol 9 (No 3-4) at pp 211-407.

3.93 An example of how differential privacy might work is the example given by a research student:[91]

"Suppose you have access to a database that allows you to compute the total income of all residents in a certain area. If you knew that Mr White was going to move to another area, simply querying this database before and after his move would allow you to deduce his income."

3.94 Through inference, it is possible to extract supposedly-hidden information about Mr White. To overcome this problem, the solution is to apply some noise-generating mechanism to the related data sets. The data sets are related in the sense that they both give the total income of residents in the same area, albeit before and after Mr White moves. The solution might be to inject noise in the form of giving the result of more than one resident moving out of the area or making changes to the income.

3.95 Differential privacy will not be a very useful technique if the data is required at super-sensitive resolutions but in terms of some of the online databases that the general public can query on a 24/7 basis, differential privacy might be appropriate. A case in point would be the Urban Redevelopment Authority's ("URA") database on private residential property transactions.[92]

3.96 Generalisation is the second category of anonymisation techniques. It essentially comprises generalising the attributes of individuals in the data set by altering the respective scale or order of magnitude. For example, instead of the exact age, the age might be changed to bands of ten years such as 20 to 30 years old. Generalisation can be effective to prevent singling out, but it will not prevent linkability and inference.[93] The main generalisation techniques are as follows.

(a) Aggregation and k-anonymity. These techniques involve grouping individuals with at least k other individuals. The result is that the data is generalised to such an extent that each individual shares the same value. For example, attributes such as salaries, height, weight, or the dose of a medicine can be generalised by grouping into intervals; similarly the granularity of a location can be lowered from street name to region or country.[94]

(b) L-diversity. This extends k-anonymity and ensures that in each equivalence class or category of data (for example, age group), every attribute has at least l different values so that probabilistic inference attacks are no longer possible. The aim is to limit the occurrence of categories with poor attribute variability, so that an attacker with background knowledge on a specific data subject is always left with significant uncertainty. L-diversity is effective to protect data against inference attacks when the values of attributes are well distributed.[95]

(c) T-closeness. This is a refinement of l-diversity, in that it aims to create categories that resemble the initial distribution of attributes in the data set before anonymisation. For each category of data, not only that at least l different values should exist within each category, but also that each value is represented as many times as necessary to mirror the initial distribution of each attribute.[96]

3.97 From the foregoing, it should be clear that each technique will target perhaps only one of the three criteria of singling out, linkability and inference. The WP29 summarised its findings in a table format as follows:[97]

Technique                     Is Singling out    Is Linkability    Is Inference
                              still a risk?      still a risk?     still a risk?
Pseudonymisation              Yes                Yes               Yes
Noise addition                Yes                May not           May not
Permutation                   Yes                Yes               May not
Aggregation or K-anonymity    No                 Yes               Yes
L-diversity                   No                 Yes               May not
Differential privacy          May not            May not           May not

[91] Anthony Tockar, Differential Privacy: The Basics (accessed 23 May 2016).
[92] Urban Redevelopment Authority (accessed 1 June 2016).
[93] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 16.
[94] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 16.
[95] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 18.
[96] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 18.
[97] EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 24.
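The Mr White scenario of paragraphs 3.93 and 3.94 and the "privacy budget" of paragraph 3.92, worked through in Python as an added example (it is not from the book or the WP29 Opinion). The resident names, incomes, income cap and epsilon values are constructed assumptions, and the Laplace mechanism used is the standard textbook one rather than a method the text prescribes.

```python
"""Differencing attack on a 'total income' query, and a Laplace-noise defence."""
import math
import random

# Constructed sample data (not from the book): annual incomes in one area.
BEFORE_MOVE = {"Mr White": 182_000, "Resident A": 54_000, "Resident B": 61_500,
               "Resident C": 47_250, "Resident D": 98_000}
AFTER_MOVE = {k: v for k, v in BEFORE_MOVE.items() if k != "Mr White"}


def exact_total(db):
    """The unprotected query: total income of all residents in the area."""
    return sum(db.values())


def differencing_attack(total_before, total_after):
    """Two aggregate answers are enough to infer the income of whoever moved."""
    return total_before - total_after


class NoisyTotalOracle:
    """Answers total-income queries with Laplace noise under a privacy budget.

    income_cap bounds how much one person can change the total (the query's
    sensitivity). Each answer spends `epsilon` of `budget`; once the budget is
    spent, further queries are refused, which requires keeping query history.
    """

    def __init__(self, income_cap, budget, rng):
        self.income_cap = income_cap
        self.remaining = budget
        self.rng = rng

    def total(self, db, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise PermissionError("privacy budget exhausted")
        self.remaining -= epsilon
        scale = self.income_cap / epsilon
        # Laplace(0, scale) drawn as the difference of two exponentials of mean `scale`.
        noise = self.rng.expovariate(1 / scale) - self.rng.expovariate(1 / scale)
        clipped = sum(min(v, self.income_cap) for v in db.values())
        return clipped + noise


def averaged_attack(oracle, epsilon, rounds):
    """Repeat the before/after pair and average the differences.

    If nothing limits the number of queries, the noise averages out.
    """
    guesses = [differencing_attack(oracle.total(BEFORE_MOVE, epsilon),
                                   oracle.total(AFTER_MOVE, epsilon))
               for _ in range(rounds)]
    return sum(guesses) / rounds


def mean_single_shot_error(seed, epsilon, trials):
    """Average absolute error when the budget allows exactly one noisy pair."""
    rng = random.Random(seed)
    truth = BEFORE_MOVE["Mr White"]
    errors = []
    for _ in range(trials):
        oracle = NoisyTotalOracle(200_000, budget=2 * epsilon, rng=rng)
        errors.append(abs(averaged_attack(oracle, epsilon, rounds=1) - truth))
    return sum(errors) / trials


if __name__ == "__main__":
    leaked = differencing_attack(exact_total(BEFORE_MOVE), exact_total(AFTER_MOVE))
    print("exact totals leak Mr White's income:", leaked)
    print("mean error with one noisy pair:", round(mean_single_shot_error(7, 0.5, 200)))
    unlimited = NoisyTotalOracle(200_000, budget=math.inf, rng=random.Random(7))
    print("estimate after 4000 unmetered pairs:", round(averaged_attack(unlimited, 0.5, 4000)))
```

With exact totals the inference is certain; with noise and a finite budget the single estimate is far off, and only an unmetered oracle lets repeated queries narrow it again.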

lso has its problems if logical links persista person's between attributes. For exanplc, in a table cotaining

3,100 Permutation alsc

diflere

and and

salary, cven il the auributes of the income are clear that a Chiet Executive Officer would be receivingth highest salary ilst the unemployed or part-time worker the lowest salary.0 From this, other information such as age can also be identified. be in the table role

ld be

would be

receivi.

might

3.101

differential privacy also can be problematic if not iniccted. Further, if a query history is no retained and

The technique of aiauc of noise

is

10ughi s ttreated independenuy, then an attacker who queries the is r c a t query database with ultiple questions can progressively reduce the breadth until a specific value of an individual or a outputted

Cno

3.98 From the table, it is clear that there is no one particular anonymisatio technique that satisfies all three criteria and the WP29 Went great details to present instances of each technique's wcakno ness,

.

nploy1mcnt permutatcd, i t w o u l d

cach

of the

individuals group of

a

101 is discovered.

Pseudonymisation is probably the most pronounced in this regard

The WP29 cited recent research at Massachusetts Institute

of of 15 months of spatial-temporal mobility coordinates of 1.5 million

Technology which found that from a pseudonymised data set

people on a territory within a radius of 100km, it was possible to single

out 95% of the population with four location points. Even more alarming was that just two points were sufficient to single out more Te

than 50% of the data subjects.3

3.102

of k-anonymity 1s that it does not prevent inference ttacks, in particula k-anonymity can be defeated through an equivalence attack. The attack can come from using a

The main failure available

data

set

to de-anonymis

publicly

another. As the example of

Mr White above showed, equivalence attacks can also be launched aCainst data sets that are updated periodically. The mere act of keeping a data set updated can inadvertenty reveal sensitive information because aggregate averages will change over time.

3.99 As for noise addition, the WP29 highlighted its failure with the well-known Netflix incident. Netflix released a database of over 100 million ratings on a scale from 1-5 of 18,000 movies, expressed by nearly 500,000 users. It was "anonymised" according to an internal privacy policy and all customer identifying information were removed except the ratings and dates. Noise was added on the ratings so that they were slightly increased or decreased. After analysing the geometric properties of the data set and comparing it with a publicly available data set, researchers found that 99% of user records could be uniquely identified in the data set using eight ratings and dates with 14-day errors as selection criteria.9

3.103 As for diversity and ttcloseness, they are not an improvement over

kanonymity in terms of unlinkability in that the probability that the same entries in two data sets belong to the same individual is the same. The main improvement of l-diversity and tcloseness over k-anonymity is that it is no longer possible to set up inference attacks against a "-diverse or "t-close" database with certainty,12 3.104 From the foregoing, it is clear that none of the anonymisation techniques can prevent singling out, linkability and inference. The 100

EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014

on Anonymisation Techniques (adopted on 10 April 2014) at pp 14-15. 98 99

EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014

om Anonymisation Technigues (adopted on 10 April 2014)

EU Article 29 Data Protection Working Party, WP216,

p 23. Opinion 05/2014

at

on Anonymisation Techniques (adopted on 10 April 2014) at p 13.

100

01

02

BU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 at p l6. EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014

0n Anonymisation Techniques (adopted on 10 April 2014)

onAnonymisation Techniques (adopted on 10 April 2014) atp 18. 101

Dala WP29 stressed that

possible

to

cach data

give

set

Protection

most

minimum

needs

to

in the Practical Context

The Concetpt of Personal Data

techniques carry risks and recommendations

be considered

on a

that

it

1or parametecrs

case-by-casc

was no

basislo8as If

of the three criteria is not met, a thorough evaluation n e identificaion risks should be perfomed. There will almost alwa residual risk of identification inherent in cach of the techi Careful engineering in devising the apPplication of an indis

application of a cumulative technique required along f both randomisation and generalisation techniques. This will ene 1surc a is

with the

more robust outcome.

willbe or

AOL

Netflix ion

regular he

unclear

to what kind of standards there be similar incidents in

incidents,

the

and grievous for

an

organisation

Singapore like amifications would be serious for

the affected individuals

the the

organ

3.105 Good anonymisation practices outlined by the WP29 include audits to identify new risks to re-identification and to re-evaluate residual risks and to adjust practices accordingly; in effect, to monitor and control the risks. In addition, relevant contextual elements must also be taken into account. These would include the nature of the original data, sample size, security measures restricting access to the data set, the availability of public information resources and envisaged release of data to third parties. Of course, if the nature of the data is one that is appealing for attackers, such as sensitive or financial personal data, then this will be a strong key factor to consider.105

3.106 The WP29 also recommended that the purposes to be achieved through the anonymised data set should be clearly set out as these are pivotal in determining the identification risk.

3. The way forward to anonymising data sets

3.107 Given the disclaimers106 by the Commission for the various Guidelines, including for anonymisation, and the clear instructions therein that direct reference should be made to the Act and other legislation for the "complete and definitive statement" of the law, organisations that wish to avoid liabilities should tread very cautiously in anonymising and disclosing data.

3.108 The starting point for analysis must be the Act and the definition of "personal data".107 As already discussed above, personal data means data that can identify an individual from the data or the data in combination with other information to which the organisation has or is likely to have access, the latter being the control test. Hence, when disclosing anonymised data to another organisation, the capabilities and resources of the other organisation need to be considered to ascertain if the data is likely to be personal data to the other organisation.

3.109 Organisations need to be mindful of the grave probability of reidentification. It is the control test of "other information to which the organisation has or is likely to have access" that poses challenges. If personal data is supposedly anonymised and released to the public, this will effectively mean that all members of the general public will need to be considered as the "organisation" under the definition. When all members of the general public are considered, the "other information" that is available or likely to be accessible would be limitless as organisations range from the wealthy and resource-rich multinationals which can purchase a multitude of information and data sets to the savvy IT companies or IT researchers who have the vast expertise to combine and re-identify data sets. If organisations encompass those which have limitless knowledge and abilities, with the currently known anonymisation techniques, if only one technique is used, the supposedly anonymised data set will very likely be able to be reidentified, and if so, the supposedly anonymised data set would fall squarely within the definition of "personal data" under the Act as it can be used in combination with other information to identify the individuals. Hence, if the supposedly anonymised data set is reidentified and is personal data, then the organisation that disclosed the supposedly anonymised data set will fall foul of the disclosure provisions in the Act, not to mention incurring the wrath of the public and the individuals whose personal data have been compromised.

103 EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 23.
104 EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 23-24.
105 EU Article 29 Data Protection Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at pp 24-2
106 Personal Data Protection Commission, "Introduction to the Guidelines" at paras 3.1-3.3.
107 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

3.110 One conclusion to be drawn from this is that if one wishes to […] to the general public so-called anonymised data, the utmost care […] thorough consideration and testing would be required before […]. Furthermore, organisations would be wise to heed the guidance of the WP29 and apply a cumulative use of anonymisation techniques from the two groups of randomisation and generalisation.

3.111 This, of course, is rather unfortunate because so much big data is available for exploiting to enhance and benefit the health sciences, technology, business and other sectors. However, until anonymisation techniques are improved, the risks are disproportionately high.

3.112 The more prudent course of action might be not to disclose so-called anonymised data sets to the general public but to disclose only to selected recipients. This will also enable some control over the legal liabilities that may arise by inserting relevant clauses into the contracts with the recipients. These clauses can contain warranties as to use and disclosure as well as indemnities. However, the disclosing organisation should still exercise care and utilise a combination of anonymisation techniques, especially where it does not have consent from the data subjects to disclose personal data.

3.113 Organisations should develop good governance structures to conduct an initial risk analysis and ongoing follow-up. Indeed, any organisation wishing to anonymise data must engage in much discussion with the relevant IT personnel in order to develop workable anonymisation solutions. Co-ordination between data protection officers and those with technical expertise in applying the anonymisation techniques is essential. Key questions that need to be addressed include what is the data, for what purposes is the data being anonymised and for how long, are the methods being used appropriate and what re-identification risks may be posed.

3.114 Anonymisation is a highly complex field, both legally and scientifically, but the notion that anonymisation is merely in the realm of statisticians and researchers and too esoteric to be an issue of importance should be permanently dispelled. A healthy and realistic appreciation of the limitations of anonymisation, which are also becoming more apparent, is in order. Once a data set has been released into the public domain, it is not feasible to "recover" or retract it.

C. DECEASED INDIVIDUALS

3.115 Personal data in the Act also includes personal data about the deceased but the coverage is for those who have not been dead for more than 10 years.108 Even then, the coverage for the deceased is limited to the provisions on non-disclosure and the protection of the personal data unless consent has been obtained. The Act does not impose any additional obligation to retain personal data of the deceased.

3.116 In practice, it may be difficult for an organisation to ascertain whether the individual to whom the data relates is still alive or has died. The Act does not prohibit the personal data belonging to the deceased from being handled or processed under the same regime as for those still alive. So, in fact, all personal data belonging to individuals whether alive or deceased can be processed according to the same standard required under the Act without distinction, and it may be simpler for an organisation to have one policy, one set of procedures and one standard, especially since the personal data concerning the deceased can have an impact on the personal data of individuals still alive, and thereby triggering the requirement of compliance with the Act. A case in point is data pertaining to health or medical issues. For illnesses or diseases that are hereditary, if the deceased was a parent and the parent was a carrier, this information that the parent was a carrier will reveal that the child would most likely also have the same disease. For example, a woman may be a carrier for haemophilia, there is then a 50% chance that her son will suffer from haemophilia as haemophilia is linked to a gene contained in the X-chromosome.

3.117 Secondly, for some kinds of personal data, other rules of confidentiality may apply. For example, confidentiality requirements for medical personnel often persist even with the death of the patient. Thus, it may not be so straightforward to put a time limit on the personal data.

108 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(4)(
109 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(4)(b).

3.118 In practical terms, it may therefore be good practice and indeed a simpler one to process and handle the data concerning the deceased the same way as personal data concerning the living as required

under the Act, rather than to separate the two sets of data. This, of course, would also include taking steps such as permanently destroying the data if there are no legal or other reasons for the data to be retained.

3.119 In order to minimise costs for organisations in the event that representatives of the deceased attempt to exercise any of the data protection rights on behalf of the deceased, such as the one of correction, the data records could be digitised and fields be inserted to signal if the data subject is known to be deceased. This is discussed in more detail in chapter 7.

D. HISTORICAL RECORDS

3.120 The Act contains an interesting exclusion from the data protection regime in excluding all personal data contained in a record that has been in existence for at least 100 years.110 Given that average life expectancy in Singapore is well below 90 years, it is not entirely clear why this exclusion is needed. Personal data in this category would generally be excluded anyway, as it is not common for there to be personal data created and contained in any record if the person has not yet been born. Given the average life expectancy is under 90 years, most personal data in this category would not fall within the ambit of the Act as a person who dies at the age of, for example, 85, would have most of the protection ceasing upon death and all protection ceasing 95 years after they were born.

3.121 This exclusion could arguably have some application to wills but it is unclear why there is such a prominent exception for it. Perhaps, the exclusion was designed for the administrative benefit of archivists and others dealing with historical records. They would not need to check if the person is still alive and can simply proceed to collect, use and disclose the historical personal data without incurring any compliance costs.

E. BUSINESS CONTACT INFORMATION

3.122 An important exclusion from the operation of the data protection […] is business contact information, although this is still covered under the Do Not Call regime contained in the same Act but which is beyond the scope of this work.

3.123 Business contact information is defined to mean an individual's name, position or title, business telephone number, business address, business e-mail address or business fax number, and any other similar information about the individual not provided by the individual solely for his or her personal purposes.112

3.124 The types of information that are considered business contact information are the standard kind of information one would find on a business or name card. This exclusion was designed with the clear recognition that the transfer of business contact information is often integral to many business operations, and that in the context of exchanging business contact information, consent for the use of business contact information for certain purposes is often implied.113 This exclusion relies on the concept of deemed consent that Singapore has adopted. As will be discussed in chapter 5, the concept of deemed consent may enable compliance to be less troublesome, but it leaves gaps in security and in the protection of personal data.

3.125 The effect of excluding business contact information from the operation of the personal data protection provisions means that such information can be collected, used and disclosed without any restrictions whatsoever and they are also not subject to any of the personal data protection principles. On the positive side, this gives free rein to all to amass business contact information for purposes such as talent searches and recruitment, for general networking and perhaps to combine and compile to ascertain what kind of talent pool a rival organisation might have.

110 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(4)(a).
111 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(5).
112 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).
113 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.30.

3.126 One of the negative effects of the exclusion is that one's personal information can be freely sold, traded, compiled and combined without recourse to having erroneous […] corrected or deleted. In effect, it is putting into the public domain the individual's […], the information concerning where the individual works (or has worked), the name of the workplace, the address of the workplace and the role they hold and even the qualifications of the individual. As already mentioned above in the section on anonymisation, data about an individual's working life or profession is one of the key pieces of information with which other data can be easily matched and used to reidentify the individual from data that is supposedly anonymised.

3.127 It is true that a person's employment or monetary gain role is a public […] and in any activity that is undertaken […] there should not be […] expectation of being shielded. However, where a person works is where they spend a large majority of their time, in fact, it would compete with the individual's home for the number one spot of where the individual is located the most number of hours. Hence, when the workplace and the address of the workplace are known, the location of the physical whereabouts of the individual will also be known. This makes it extremely easy to locate an individual, especially since the individual will be at that location on a regular basis. This kind of data would be prime data for narrowing down and singling out and distinguishing an individual, and thereby leaving the individual with reduced security both over the individual's person and the individual's personal data, and increased vulnerability to attacks. It is quite unfortunate that this exclusion is present in the Act.

3.128 There has only been one case to date on business contact information. The personal data in question in Comfort Transportation Pte Ltd and CityCab Pte Ltd was the mobile telephone numbers of two taxi drivers which was disclosed to passengers who had booked taxi services offered by these drivers. The Commission found that the two respondent taxi companies were acting as intermediaries in matching the taxi drivers with the passengers. The taxi drivers were not employees but the independent hirers in the business of driving taxis, furthermore, the respondents did not collect any percentage of the fares or of the bookings. As the taxi drivers were plying their trade as taxi drivers, their mobile telephone numbers formed business contact information as […] it was imperative for the passengers to communicate with the taxi drivers for matters concerning the delivery of the taxi service, such as the pick-up location or cancellation of the bookings. Being business contact information, the mobile phone numbers were exempt from the operation of the personal data protection provisions and their disclosure did not constitute any breach.

F. EXCEPTIONS OF OTHER KINDS OF PERSONAL DATA

3.129 This chapter has sought to give a general conception of what is understood to be personal data under the Act. As will be seen in later chapters, there are many more exclusions or exceptions contained in the Act which are situational, so that whilst information may constitute personal data, it will be the case that some of the requirements in the legislation are exempt from compliance.

3.130 The biggest hurdle can be the classification of whether a piece of information is personal data. As already discussed in this chapter, even the Commission seems to have suggested a subjective and movable definition of personal data when dealing with supposedly anonymised personal data. This is a problematic move because if personal data becomes a subjective concept, the fact that the data is not regarded as personal data to person A means that person A can deal with the data in any manner without reference to the Act and can sell the data to person B, and so on. This will perpetuate the disclosure and dissemination of personal data as each person in the distribution chain will try and claim the data is not personal data; soon, the weakest link becomes the biggest chain of personal data trading. By conceptualising personal data as a subjective concept and allowing a liberal view, more personal data then becomes publicly available and, as will be seen in later chapters, when personal data is publicly available, its treatment under the Act is different as consent for collection, use and disclosure is not required.120 This, of course, has serious ramifications for security.

114 [2016] SGPDPC 17.
115-118 Comfort Transportation Pte Ltd and CityCab Pte Ltd [2016] SGPDPC 17 at [16]; at [8] and [16]; at [16].
119 See paras 3.58-3.106.

120 See ch 5.

CHAPTER 4

Notification Obligation

A. INTRODUCTION

4.1 There are nine key principles or Obligations1 outlined in the Personal Data Protection Act 2012 (the "Act"); the first of which is the requirement of notification to the individual regarding all purposes of the collection, use, or disclosure of the individual's personal data on or before the collection, use, or disclosure.3 The Personal Data Protection Commission (the "Commission") has named this the Notification Obligation.4 The organisation should also be able to provide, when requested by the individual, the business contact information of someone who can address the queries of the individual.5

1 The Personal Data Protection Commission refers to the principles as "Obligations", see Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 10.2.
2 Act 26 of 2012.
3 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(1).
4 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 8.1.
5 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(1).
6 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(3)(a).

4.2 There are two main exceptions to the Obligation of Notification contained in section 20(3): where consent is deemed under section 15 and in the situations listed in the three schedules referred to in

section 17, namely, the Second, Third, and Fourth Schedules. If it is a situation of deemed consent, no notification is required. Similarly, if the collection, use, or disclosure falls within any of the situations in the Second, Third, or Fourth Schedules, then no notification of the purposes is required,9 subject to the employment exception to the exception set out in section 20(4). The situations set out in the Second, Third, and Fourth Schedules will be discussed in chapter 5.

4.3 In the employment context, an employer can collect, use and disclose personal data about an employee for the purpose of managing or terminating an employment relationship, but the employee must first be notified.10 Section 20(4) requires that in any situation where personal data is collected, used, or disclosed for the purpose of managing or terminating an employment relationship between an organisation and individual, that organisation must inform the individual of the purpose11 and, on request by the individual, the business contact information of a person who will be able to answer the individual's questions about that collection, use, or disclosure on behalf of the organisation.

4.4 Although notification is required in such circumstances, the Ministry of Information, Communications and the Arts ("MICA") had indicated that it would be permissible for an organisation to give a general blanket notification in documents such as staff manuals and staff bulletins. Thus, for example, if employers wished to monitor the activities of their employees at work using closed circuit television cameras or video cameras, computer monitoring software and other surveillance devices, they are permitted to do so with just a blanket notification. It would also appear that employers can collect and use personal data of employees collected from social media and other platforms with such a blanket notification, as long as the purpose is for managing or terminating the employment relationship.

4.5 The Act allows personal data to be collected from third parties without the consent of the individual, but the collecting organisation must provide the disclosing organisation with sufficient information regarding the purpose of the collection to enable the disclosing organisation to determine whether the disclosure would be in accordance with the Act.14

4.6 As discussed in the section on anonymisation in chapter 3,15 the disclosure of personal data to another organisation should not be done lightly. In this regard, whatever personal data that is disclosed to another organisation must only be for the same purposes that the first organisation had notified to the individuals and consent obtained, and in good practice, the disclosures should also be notified to the individuals as well. Notification to the individual of the disclosure to another organisation may be dispensed with if the personal data was obtained via deemed consent or if the personal data to be disclosed to the other organisation falls within any of the situations listed in the Second, Third and Fourth Schedules.17

B. RATIONALES FOR THE NOTIFICATION OBLIGATION

4.7 The reason for the notification of the purposes of the collection, use and disclosure is because of the need to obtain the individuals' consent for these activities with the personal data. The Consent Obligation will be discussed in chapter 5. Indeed, in the case of Universal Travel Corp Pte Ltd, the Commission found that since the travel agent had disclosed the passenger list containing the personal data of the 37 passengers without obtaining their prior consent, and in doing so had also not informed them of the purposes for which it was disclosing their personal data, it was also in breach of section 20 of the Act.19

7 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(3)(b).
8 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(3)(a).
9 Personal Data Protection Act 2012 (Act 26 of 2012) ss 20(3)(b) and 17.
10 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(4).
11 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(4)(a).
12 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(4)(b).
13 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.69.
14 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(2).
15 See ch 3, at paras 3.50-3.114.
16 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(3)(a).
17 Personal Data Protection Act 2012 (Act 26 of 2012) ss 20(3)(b) and 17.
18 [2016] SGPDPC 4.
19 Universal Travel Corp Pte Ltd [2016] SGPDPC 4 at [13].

4.8 The notification of the purposes of the collection, use and disclosure sets the boundaries of what the organisation is permitted to do with

personal data. The organisation's collection, use and disclosure will be limited to the purposes for which notification has been given. Any new purpose will require fresh notification and consent from the individuals.

4.9 The notification of purposes also serves to enable individuals to make informed decisions as to whether they wish to give consent for the collection, use or disclosure for the stated purposes. The Notification Obligation gives individuals some choice and control over the personal data and allows individuals to assess whether they are […] for their personal data to be used in such a manner for benefits or gains, if any.

4.10 Furthermore, by providing individuals with the purpose or purposes for the collection, use and disclosure, individuals will be in a better position to ascertain whether the collection, use or disclosure complies with the Purpose Limitation Obligation, or whether what the organisation is requesting is excessive.

4.11 It should be noted, however, that the exception to the exceptions set out in section 20(4) above does not require consent, only notification. Hence, organisations may collect, use or disclose personal data with notification but without consent for the purposes of managing or terminating an employment relationship.20

4.12 At the minimum, organisations should provide notification of the primary purposes of collection, use or disclosure, that is, the specific functions or objectives for which a particular personal data is collected.

C. PRACTICAL CONSIDERATIONS

1. Purposes, not activities

4.13 The Notification Obligation is a requirement of informing individuals of the purposes of the collection, use and disclosure. It is not a requirement to inform individuals of all the possible uses and disclosures, hence there is no need for organisations to list all the activities that it will undertake in relation to the personal data.21 For instance, if the purpose is to enable the delivery of goods, there is no need to list all the activities that will be undertaken with respect to the phone number and delivery address such as stating that the personal data will be entered into a database, printed out, passed on to the delivery personnel who may be external contractors and so on. Similarly, an organisation would not need to inform individuals of its internal purposes that form part of normal business practices, such as auditing, business planning and billing.

4.14 It is more important for organisations to identify the purposes or objectives or reasons for the collection and use of the personal data and to state them clearly. By stating the purposes clearly, this would also help establish whether the personal data collected is consistent with the purposes identified and thereby minimising the risk of contravening the personal data protection Obligations in the Act.

2. "On or before"

4.15 Second, the requirement in section 20 is for the notification of purposes to be given "on or before" the collection, use or disclosure of personal data. This means that the notification may be given well in advance or just before personal data is collected, used or disclosed. The usual practice would be to give the purposes for collection, use or disclosure prior to collection so as to cover all activities for the stated purposes once the personal data has been collected. If after the personal data has been collected and an organisation would like to use the personal data for additional purposes, these would have to be notified to the individuals and fresh consent obtained. Hence, it would make practical sense to be well prepared and thorough before any collection of personal data is made.

20 This is due to the exceptions in the Second, Third and Fourth Schedules pertaining to personal data collection, use and disclosure in the […] of employment for the purpose of managing or terminating an employment relationship, see, eg, Personal Data Protection Act 2012 (Act 26 of 2012) Sched 2, para 1(o). See ch 5, at paras 5.84-5.88.
21 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 14.15.

4.16 Where personal data needs to be collected, used or disclosed on a periodic basis, individuals need to be informed of this prior to the first collection of the personal data.22

4.17 Where there is no formation of contract involved, it would be advisable to give the notification of the purposes as early as practicable […] personal data is collected and in a manner as noticeable as possible. For example, consider the situation where security cameras are […] on premises for the purposes of security and protection. There is obviously no formal contract formed with every visitor who enters the premises. The security cameras are continuously capturing the images of individuals either as videos or as photographs and these are clearly personal data. As such, premises that utilise security cameras should have the notification of purposes at the gates or entry points of the premises. If the notices are located only at points well after where the security cameras are positioned or where visitors are unlikely to see them, there would be room to argue that the notification was not given before the collection of personal data in contravention of the Notification Obligation.

4.18 Where personal data needs to be collected as part of a contract, then the notification should be given before the contract is formed. It may be the case that for some types of contracts, consent can be deemed and, as such, notification of the purposes is not required under section 20(3)(a), unless the purposes extend beyond the purpose of the contract. For example, for contracts involving a delivery, in many instances, the purposes for the collection, use and disclosure of personal data such as the address and phone number will be clear from the context and they would be situations where consent can be deemed and hence no notification will be required. The classic example in this regard would be the ordering of pizzas for delivery. The address for delivery and the telephone number would need to be used for delivery purposes and they would also need to be disclosed to the delivery personnel who may be third-party subcontractors. However, if there are additional or secondary purposes that are not related to the purchase and delivery of pizzas, such as keeping the delivery address to send advertising materials, the secondary purposes must be notified and consent obtained, preferably at or before the time of personal data collection, so that there is no double handling

22 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

It should, however, be stressed that even where there is a contract to be formed and the purposes for collection, use and disclosure of personal data appear evident, there will be situations where sound practice will dictate that notification be given. The next Section will deal with this.

3. Subsidiary purposes

4.20 It would be wise for organisations to distinguish between the levels or layers of purposes and to assess how much depth of the purposes need to be notified to individuals. There are no concrete rules to be followed in this regard but the aim is for the individual to comprehend all the purposes the personal data will be put to. To this end, if the purposes will involve disclosure of the personal data to third parties or if the purposes thus far stated do not give an adequate idea of the full extent of the use or disclosure of personal data in order to achieve the stated purposes, then, the stated purposes should probably be more specific and detailed. For example, if there will usually be disclosures made to others, this should be notified to the individuals and if the list of recipients of the personal data is too long, they can be categorised into recognisable classes or types of recipients.

4.21 Often, there will be subsidiary purposes that will already be encompassed by the main purposes stated, but for various reasons, such as the lack of possession of specialised knowledge, the subsidiary purposes would not be apparent to individuals and would need to be specifically notified to the individuals. Subsidiary purposes should not be confused with secondary purposes. Subsidiary purposes are purposes that are intertwined with and usually deeply related to the main purpose and are required in order to achieve the main purposes. Secondary purposes are usually understood as additional purposes whether they are related to the main or primary purposes or not.

4.22 An example might serve to illustrate the point. Suppose an individual wishes to open a trading account with a broker so that the individual […] on the Singapore Stock Exchange ("SGX"). Here, the contractual purposes are clear and thus the purposes of collection, use and disclosure of personal data are also clear. It would be obvious that the objectives of the personal data collection, use and disclosure are for the purposes of setting up an account and to engage in trading on the SGX and, technically, consent can be deemed and no notification is necessary. In this instance, however, it would be good practice for the organisation to actually provide notification of the purposes prior to the formation of the contract so that there is no ambiguity about the collection, use and disclosure of the personal data. The reason for this is because although the main objectives or purposes are obvious, the personal data may need to be used or disclosed for subsidiary purposes and in ways which the individual may not be aware of due to the regulatory and other frameworks surrounding equity trading. For example, in addition to setting up a trading account, bank account details may need to be collected and disclosed for the purpose of depositing dividends, which is a purpose related to but subsidiary to the purpose of setting up the trading account. Individuals may not be aware of this subsidiary purpose and, thus, they need to be explicitly informed so that their consent can be obtained.

4. Manner and form of notification

be provided also be prou

also

through personal a

data

protection is indeed feasible, the organisation would nced to While this 2 data data protection policy 1s the nersonal actually accessed or that could

notification

personal

policy.

ure

by

the

r e aid vidual

data

to

protec

unreasonable

iis

somehow brought

to the attention of the For example, if the personal policy is only available online, it would be assert that notification has taken place as not

individual

ensure

or

true

notification.

or client has access

customer o r clier

to

the

every lnternet, and know that the

nal data protection policy contains the notification of purposes t h e website to find the personal data where o n

Ptoknknow and to

protection

such a situation, the organisation should explicitly direct

duals to the personal data protection policy for the notification of the policy o r the relevant furnish a copy parts of the purposes or

policy

of

policy to

individuals.

4.25

mhedding the notification ot purposes in a personal data protection

organisauons r u n the risk that the nolicy may also m e a n Droad be too may or t o o general for a section of notification tdividuals and, hence, may necd to be supplemented with a more that

1.23 The Act does not specify any requirements as to the manner or form of

the notification. For this reason, the most appropriate manner and form will depend on the circumstances. In the example of the security ove, a notice at the point of entry would be the best method

cameras of providing the notification as that would be the first oPportunity to notify individuals of the collection of personal data and it would also be the most visible. Similarly, for the recording of telephone calls, where a person's voice and the contents of what the individual says would be the relevant personal data collected, the earliest point at which notification could take place would be at the beginning of the call. Thus, the notification of purposes could take the form ofa recorded message about the purposes of recording the telephone call before the telephone call is actually answered by a human being. In this regard, a number of organisations in Singapore using call centres greet their callers with the noification that the call may be recorded for quality and training purposes". Arguably, these a r e then the only purposes for which the personal data can be used, s o that if there is a dispute as to the substance or content of what transpired during the the recorded conversation cannot be used against the caller that would not fall within "quality and training purposes".

cnecific notification of purposes. This might be the case, for example, of

if the organisation offers a wide variety services o r products but for the much more details of the certain services offeredbyFor organisation, a n insurer are example, may provide health Durposes required. insurance as well as home insurance. The purposes for the collection

and use of personal data for a health insurance policy will be more complex than the purposes for a home insurance policy and, hence,

the notification should be more comprehensive. 4.26 For some transactions, it would be efficient and ideal if the organisation states the notification of purposes and, at the same time, obtains the individual's acknowledgement of the notification and consent in writing, either electronically o r o n paper.

conversation, because

4.24 For evidentiary reasons, it would, of course, be beneficial tor notification to be recorded in some way, such as in written form, eiu

in electronic or paper format. The Commission has suggested that

118

23 24

ersonal Data Protection Commission, Advisory Guidelines on Key Concepts at para 14.12. Snal Data Protection Commission, Advisory Guidelines on Key Concepls eFersonal Data Protection Act (revised on 15July 2016) at para 14.13.

he Personal Data Protection Act (revised o n 15 July 2016)

119

5. Consequences if personal data is not collected

4.27 In providing notification of the purposes of the collection, use and disclosure of personal data, for a holistic view to be presented, it would also be helpful for organisations to elaborate on the main consequences for the individual if some or all of the personal data is not collected, used or disclosed.

4.28 There is no need to list every single consequence; only the significant consequences that could be expected to result need to be communicated. Some of the consequences can be avoided or lessened through the individual providing some but not other personal data, and this should be highlighted in the notification. Some examples of consequences that may result if personal data is not collected, used or disclosed are that an application for a benefit, membership or concession cannot be processed, or that the individual will receive a different level of service. For example, the individual may not be eligible to hire a car, or for the discount, unless the individual provides details of the status of their demerit points under the driver's improvement point system.

D. NOTIFICATION OF PURPOSES IN THE ONLINE ENVIRONMENT

4.29 Much personal data is collected and processed in the online environment, either through applications that are used by individuals, such as social media applications or even through the browsing of web pages. These activities would also require users to be informed of the purposes prior to the collection and use of the personal data, unless they fall within an exception.

4.30 In recent years, the use of cookies on Internet web pages to surreptitiously collect and use personal data has drawn much attention. This will be discussed in more detail in chapter 5.

POSITION IN THE EUROPEAN UNION

4.31 Article 6 of the European Union ("EU") Data Protection Directive 95/46/EC provides that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". This is echoed in Article 5 of the EU General Data Protection Regulation 2016/679.27

4.32 In addition, the EU General Data Protection Regulation 2016/679 imposes a general transparency obligation on organisations that handle personal data. Recital 39 of the General Data Protection Regulation 2016/679 further provides that it should be transparent to individuals that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. Any information and communication relating to the processing of those personal data must be easily accessible and easy to understand, and clear and plain language must be used. This principle of transparency is applicable, inter alia, to the purposes of processing and any further information to ensure fair and transparent processing of personal data. Individuals should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate, and determined at the time of the collection of the personal data.

4.33 The requirements for notification under the EU General Data Protection Regulation 2016/679 are far more comprehensive than the requirements under the Singapore legislation. The Act only requires individuals to be notified of the purposes of the collection, use or disclosure, along with the contact details of someone who can answer questions. The EU General Data Protection Regulation 2016/679 goes well beyond the purposes to ensure transparency, as individuals are provided with information such as the risks, rules and rights in relation to the processing of personal data. Individuals are informed of what and how their personal data will be processed, and the extent to which their personal data are or will be processed. This requires not only just providing notification of the purposes but also of the processing activities. In short, the EU law requires that individuals be entitled to be fully informed about everything in relation to the "processing" of their personal data, with "processing" defined very broadly to include every conceivable act that can be done to personal data, including the acts of collection and storage.

25 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 ("Data Protection Directive 95/46/EC").

26 Data Protection Directive 95/46/EC, Art 6(1)(b).

27 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("EU General Data Protection Regulation 2016/679"), Art 5(1)(b).

28 EU General Data Protection Regulation 2016/679, Arts 12 and 13, and Recitals 58, 60, 61 and 62.

29 EU General Data Protection Regulation 2016/679, Recital 39.

30 EU General Data Protection Regulation 2016/679, Art 4(2): "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

CHAPTER 5

Consent Obligation

5.1 The principle of consent appears to be the most contentious and problematic aspect of the personal data protection regime in Singapore. The principle of consent is so problematic that it nearly borders on rendering the whole personal data protection regime unworkable. The Consent Obligation is a helpful and essential obligation to impose on those who collect, use or disclose personal data, but the major shortcoming is the way the concept has been conceived in the Singapore legislation.

5.2 There are two main aspects of the Consent Obligation that will, in years to come, prove to be detrimental. The first is the concept of deemed consent and the second is the voluminous situations listed in the statute where consent is not required. Both of these allow the massive stockpiling of personal data without consent and which goes unchecked. The ability to collect personal data without consent is arguably the first step in opening the floodgates of problems. Once personal data is collected, it remains and accumulates. Even if the uses of the personal data are stipulated narrowly (which they are often not), it is near impossible for a third party such as a governmental authority to constantly monitor, let alone enforce, that the personal data is only being used for the permitted purposes. If the personal data is further allowed to be disclosed liberally, the whole process perpetuates itself and the situation is made even more acute with even more accumulations of personal data. With collection and accumulation, one of the biggest harms has already occurred because there is a centralised pool of information on individuals.

1 Personal Data Protection Act 2012 (Act 26 of 2012) s 15.

2 Personal Data Protection Act 2012 (Act 26 of 2012) ss 20(3)(b) andl, and Second, Third and Fourth Schedules.

5.3 As discussed in chapter 1, the accumulation of large pools of personal data over time and from many different sources creates o environment in a number of ways. It can certainly harm people in ways that were not foreseen. At the top of all concerns for organisations, however, would be the associated costs of protecting such personal data; to ensure that there are no breaches of the system and no theft of the personal data. The consequences and liabilities of a data leak, for example, would be far more dire for the organisation than the costs of protection, in financial terms and in reputation and goodwill. Indeed, the consequences of a data breach are often unpredictable and difficult if not impossible to undo. The ensuing damage could, in some circumstances, be contained but once personal data is stolen, it will be forever stolen as some personal data, such as biometric data, can never be changed and the information cannot be "recovered", unlike stolen tangible property.

5.4 So serious are the concerns of data breach and cyber attacks that Singapore's Prime Minister Lee Hsien Loong announced in June 2016 that from May 2017, all computers used by the public service will be disconnected from the Internet. This, according to the Prime Minister, was "absolutely necessary" to keep government data secure. The press reported that the Prime Minister said:3

we have to make sure that our system is secure. We can't get infiltrated, data cannot be stolen, somebody can't come in and wipe out your data or cause some other mischief ... In terms of security, safety of our systems, safety of our citizens and information concerning them, it's absolutely necessary. Otherwise, one day you find all your NRIC numbers, addresses and income tax returns for sale on the internet, one package 10 gigabytes How will the Government explain?

5.5 The situation is aptly summed up by the Prime Minister: "In terms of security, safety of our systems, safety of our citizens and information concerning them, it's absolutely necessary". The Government is a vast holder of vast amounts of information, much of it is necessarily personal data. These large pools of personal data have come under sophisticated cyber security threats in recent years. The advice from computer security experts was to delink the computers from the Internet. This leaves one wondering why there are no traces of these concerns to be found in Singapore's Personal Data Protection Act 2012 (the "Act"). Why, for example, are there no similar concerns that ought to prevent organisations from amassing large collections of personal data and allowing them to sit on corporate computer systems waiting to be attacked by hackers, thereby endangering the safety of citizens and rendering information concerning them vulnerable. The collection is only the starting point. If cybersecurity threats are to be treated seriously, organisations should also not be allowed to freely use and disclose personal data without consent in the ways that they are allowed to under the Singapore personal data protection legislation.

5.6 Indeed, it is because of the enormous negative by-products of personal data accumulation that security expert Bruce Schneier has called data, especially personal data, "the pollution of the information age" and argues unequivocally that "its after-effects are toxic".

A. CONSENT OBLIGATION

5.7 The second Obligation set out in the Act mandates that consent be obtained from the individual before personal data is collected, used, or disclosed. Consent may also be given by any person validly acting on behalf of the individual for the collection, use or disclosure of the individual's personal data. The practice of referring potential customers commonly found in Singapore would fall under this category. An existing customer may disclose, with the consent of the potential customer, the name and telephone number of the potential customer to a bank, for example, and consent would have validly been given to the bank.

5.8 This Consent Obligation, however, does not apply where collection, use or disclosure of an individual's personal data without consent is required or authorised under the Act or any other written law. Thus, the Act is subject to other laws.

3 Charissa Yong, "Delinking Internet access necessary to keep Govt data secure: PM Lee" The Straits Times (9 June 2016).

4 Charissa Yong, "Delinking Internet access necessary to keep Govt data secure: PM Lee" The Straits Times (9 June 2016).

5 Act 26 of 2012.

6 Bruce Schneier, "The Tech Lab: Bruce Schneier" BBC (26 February 2009).

7 Personal Data Protection Act 2012 (Act 26 of 2012) s 13().

8 Personal Data Protection Act 2012 (Act 26 of 2012) s 14(4).

5.9 The term "consent" is not defined in the Act but the concept is complicated by the notion of deemed consent which will be discussed below. Furthermore, pursuant to section 14(1)(a), subject to the two exceptions under section 20(3), namely, situations falling within deemed consent and the situations set out in the Second, Third and Fourth Schedules, consent that is obtained without first notifying the individual of the purposes of collection, use and disclosure is not valid consent.10 Section 14(1)(b) also requires that the consent given by the individual is for the purposes notified to him or her. Thus, it is imperative that organisations provide clear notifications of purposes.

5.10 Consent is also invalid if false or misleading information regarding the collection, use or disclosure of the personal data has been provided to the individual, or if misleading or deceptive practices have been utilised.12 The Personal Data Protection Commission (the "Commission") has elaborated that this would encompass situations where "the purposes are stated in vague or inaccurate terms, in an illegible font or placed in an obscure area of a document or a location that is difficult to access".

5.11 Section 19 deals with the position of personal data collected before the commencement of the provisions. It allows organisations to use such personal data for the purposes for which the personal data was collected, unless consent has been withdrawn. The Ministry of Information, Communications and the Arts ("MICA") has stated that this is limited to existing uses that are reasonable taking into account the nature of the organisation's business. Hence, organisations are not required to obtain explicit consent for the continued use and processing of their personal data unless they use existing personal data for new purposes beyond what would be considered reasonable.15

5.12 It is unclear as to what prompted MICA to cite the requirement of the purposes having to be reasonable, as this was not enacted in the legislation. As will be seen in chapter 6, the purpose limitation principle does not impose such a requirement. The test in section 18 is that the purpose must be one that a "reasonable person would consider appropriate in the circumstances". This is an appropriateness test which is not the same as requiring the purposes to be reasonable.17

5.13 It is clear, however, that if an organisation has never used personal data it holds for marketing purposes prior to the commencement of the provisions, it would not be able to do so now without consent.

B. EXCESSIVE CONSENT REQUIRED

5.14 An important restriction concerning the validity of consent is the limitation on what consent organisations can require from individuals regarding the collection, use and disclosure of personal data as a condition of providing a product or service. The Act prohibits an organisation from requiring an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual. If consent is obtained but this test of reasonableness in section 14(2)(a) is not satisfied, then the consent obtained is invalid.19

9 Personal Data Protection Act 2012 (Act 26 of 2012) s 13(b).

10 Personal Data Protection Act 2012 (Act 26 of 2012) ss 14(1)(a) and 20(3).

11 See also the case of Universal Travel Corp Pte Ltd [2016] SGPDPC 4.

12 Personal Data Protection Act 2012 (Act 26 of 2012) ss 14(2)0 and 14(3).

13 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.22.

14 Personal Data Protection Act 2012 (Act 26 of 2012) s 19.

15 Ministry of Information, Communications and the Arts, Public Consultation Issued by the Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.139.

16 Personal Data Protection Act 2012 (Act 26 of 2012) s 18(0).

17 The Ministry of Information, Communications and the Arts may have relied on s 14(2) of the Personal Data Protection Act 2012 (Act 26 of 2012), but that section deals with the provision of a product or service. Personal data already collected and used by organisations for whatever purposes may not be associated with any good or service provided.

18 Personal Data Protection Act 2012 (Act 26 of 2012) s 14(2)().

19 Personal Data Protection Act 2012 (Act 26 of 2012) s 14(3).

5.15 In effect, there are two main areas this provision covers. First, it prohibits organisations from requiring individuals to provide excessive

or extra personal data that is not reasonable in order to provide the product or service. A scenario that might illustrate this would be the store membership or privilege card for the holder to obtain discounts when making purchases. In order to provide the service of giving discounts, it would be reasonable for the organisation to collect information such as the name, gender and telephone number, which would also be relevant for the purpose of identifying the individual. Although it is not uncommon for stores to request information such as date of birth and National Registration Identification Card ("NRIC") number, it is doubtful if these would satisfy the reasonableness test. The combination of the name and telephone number is often sufficient to identify a person, there is no need for the date of birth. Some stores may give special discounts for the birthday month of the individual and, in such a case, the personal data requested should be the month of birth, not the date of birth. A residential address is really not necessary for identification. Similarly, for something such as a store membership for discounts, requesting an individual's NRIC number would seem to be excessive, especially given the special significance and importance of NRIC numbers in the Singapore legal and governmental landscape. Even if the store membership program is one whereby members can accumulate points for redemption, the best way to safeguard the points from fraudulent use is to utilise a system of passwords or personal identification numbers ("PINs") for members. The collection, use and disclosure of NRIC numbers will be dealt with in chapter 7.

5.16 The types of personal data that would clearly be unreasonable to collect, use or disclose for a mere store discount membership would be information on medical illnesses, an individual's educational qualifications and the type of car the individual drives, if any.

5.17 The second main area this provision covers is the prohibition against organisations from requiring individuals to consent to uses or disclosures of the personal data beyond what is reasonable to provide the product or service. This can apply to both personal data validly collected for the provision of products or services within the reasonableness test, but which the organisation is requiring consent for extra or excess uses or disclosures; additionally, it can also apply to extra personal data that the organisation is seeking to collect for the extra uses or disclosures. An example of the latter would be similar to what has been discussed above in relation to the first area, information such as a person's medical illnesses should not be required in the first place for a mere store discount membership, let alone used or disclosed by the organisation. An example of the former would be an individual's telephone number which is legitimately collected and satisfying the reasonableness test but to require individuals to consent to the use or disclosure of these telephone numbers in ways unrelated to the store discount membership, such as for marketing messages, would be unreasonable and would fall foul of section 14(2)(a) and any consent obtained would be invalid.

5.18 Whilst the rationale behind the prohibition is valuable, the way the provision is worded has resulted in some dilution of the effect. It appears that an organisation may still request the individual to give consent for the collection, use or disclosure of the excess or extra personal data, but it is the choice of the individual whether or not to supply the personal data. The wording of section 14(2)(a) is: "An organisation shall not, as a condition of providing a product or service, require an individual to consent to ...". This suggests that an organisation may still request the information, but the organisation cannot require it. However, this request would still be subject to the requirement set out in section 18 of purpose limitation to be discussed in chapter 6.

5.19 If an organisation wishes to obtain consent for the extra personal data, it would need to ensure that individuals are informed that the consent for the collection, use or disclosure of the excess or extra data is not mandatory; otherwise individuals may assume that all the personal data requested is required, leading to the consent thus obtained falling foul of section 14(2)(a) and the consent would be deemed invalid.20 To this end, it would be useful when collecting personal data through forms, whether online or on paper, that those fields or questions that are mandatory or required are clearly marked, for example, with an asterisk, to alert individuals to the fact that the other fields are optional.

20 Personal Data Protection Act 2012 (Act 26 of 2012) ss 14(2)() and 14(3).

5.20 The example of the store discount membership would illustrate how this might operate. If the store wishes to send out notifications of occasional promotions to the members, it can do so with consent via mobile phone text messages. Alternatively, it may request the individual for an address to which the promotional details can be sent. Arguably, to achieve this, an e-mail address would suffice but if an

individual has no e-mail address, then a residential or work address could be collected. There are three layers to this scenario. First, it should be optional to the individual whether to provide any form of address, e-mail or physical, for receiving promotional materials because the receipt of promotional materials is likely to be beyond what is reasonable to provide the service of providing membership discounts. Second, it should not be mandatory for the individual to provide both physical and email addresses. One kind of address should be sufficient. Third, it may be that there will be occasions whereby the store will require the presentation of physical vouchers in certain promotions to limit the number of redemptions. In such an event, individuals should be informed that those who do not provide a physical address will be foregoing those kinds of promotions and leave it to the individuals to decide whether they wish to provide their residential addresses. In short, individuals should not be required to provide their physical addresses; it should be optional but they should be informed that they will be precluded from the opportunities to enjoy promotions using physical vouchers.

5.21 The Commission has, however, opined that section 14(2)(a) may not prohibit certain situations in which an organisation may seek to require consent. It gave the example of organisations providing "offers, discounts or lucky draw opportunities to individuals that are conditional on the collection, use or disclosure of their personal data for specified purposes".

5.22 It would appear that the Commission may be referring to the situation where the contract or bargain itself is purely to enter into a lucky draw or to obtain a discount or offer. It would otherwise be difficult to see how the Commission could have reached this view, given that the plain words in section 14(2)(a) refer to "providing a product or service", which would encompass the situations of "offers, discounts or lucky draw opportunities". Since "offers, discounts or lucky draws" are products or services, in accordance with the plain words of section 14(2)(a), there can be no conditions attached to the provision of the products or services requiring consent for personal data beyond what is reasonable to provide the products or services, unless the product or service itself is the offer, discount, or lucky draw.

5.23 To put this in a more concrete manner, the example given above of the store discount membership has as the product or service the membership with discount benefits. As such, consent for the collection, use and disclosure of personal data cannot move beyond what is reasonable to provide the membership. Contrast this with the situation where the consideration of the contract between the organisation and the individual is the provision of personal data in exchange for a discount at the store. This latter scenario would be permissible under the Act according to the Commission. In effect, the individual "sells" personal data in exchange for the discount, or the opportunity to enter into a lucky draw, as the case may be. Thus, an example of the latter scenario might be a store called Moonbucks that sells coffee. A latte at Moonbucks is normally $6, but if individuals provide their personal data to Moonbucks and consent to their personal data being used for marketing and outreach purposes, they will in return receive a voucher enabling them to buy a latte at $3. The voucher for the latte at $3 is a separate and independent contract or transaction and would be a permissible transaction for personal data collection, use and disclosure under the Act.

5.24 This provision gives autonomy to individuals to decide how and whether they wish to trade their personal data for goods and services, and this would appear to be in line with the Government's desire to engender business innovation and entrepreneurship, and not to stifle economic activity. Indeed, it tries to balance the need to stimulate economic activity and growth with the need to protect personal data.

5.25 However admirable the goals of this provision are, organisations should be acutely aware that one of the key tenets of good personal data protection practice is to collect enough personal data for the purposes and not too much. As will be seen in chapter 9, the less personal data that an organisation collects and holds, the less in terms of security and protection the organisation will need to provide for the personal data. In this modern digital age where hacking and data searching is cheap, easy and prevalent, and often applied to compile profiles of individuals, as a matter of best practices, personal data that is sensitive or significant, such as NRIC numbers and even residential addresses, should be collected sparingly. This should be so not only for the good of protecting individuals' personal data, but also to reduce compliance costs for the organisation, as well as to reduce liability arising from the personal data being compromised.

21 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.

C. DEEMED CONSENT

5.26 The concept of deemed consent was adopted to minimise the impact of the new regime on organisations in the data processes of personal data collection, use, and disclosure.22 Section 15 of the Act23 sets out the meaning of deemed consent. The section begins with, "An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if ..." Hence, the key to this provision is the purpose of the collection, use, and disclosure. Consent is deemed from an individual if the individual, without actually giving consent, voluntarily provides the personal data to the organisation for that purpose, and it is reasonable that the individual would voluntarily provide the data.24 An understanding of what is the purpose of the collection, use, and disclosure is at the core of the consent that is deemed. The purpose must be clear to both parties. This also raises the question of how many purposes there can be in any given transaction that can be deemed: are there any limits to the number of purposes? Would all the purposes have to be clear to both parties? Arguably, if there is any purpose which is unclear or which was not envisaged by the individual, these would need to be notified to the individual, and if this is the case, then the situation would not fall under the section 15 deemed consent and would bounce back to the obligation to notify the purposes under section 20 and consent would need to be obtained as required under section 14(1).

1. Deemed consent for multiple purposes

5.27 A simple example of deemed consent would be the telephone ordering of a pizza for delivery. Instead of the pizza shop staff having to enquire explicitly whether the individual consents to the collection and use of the customer's name, telephone number and address, the consent can be deemed. Under the deemed consent provision, the shop can legitimately assume consent for the collection and use of the customer's name to identify the customer, the customer's telephone number in case of a delay or some other misadventure in the pizza delivery, and his or her address to facilitate the actual delivery of the pizza that has been ordered. Furthermore, there would also be no need for the pizza shop to obtain explicit consent for the personal data to be disclosed to the delivery person, even if they are third party contractors, which is often the case, because this too would fall under deemed consent. All this speeds up the transaction and assists in the productivity of the organisation and enables the organisation to be efficient in its delivery of goods and services.

5.28 The purposes that are clear from the above example are the purchase and delivery of a pizza. However, both purposes serve only a single transaction and the two purposes are intimately interconnected. If the pizza shop was to utilise the personal data to, for example, provide future service in a more efficient manner, such as to enable future orders to be taken faster, the shop would not be able to rely on the deemed consent provision to do this. To illustrate, if the shop wishes to utilise the personal data, it would first need to retain the personal data. As will be seen in chapter 9 on the retention of personal data, the organisation is permitted to retain the personal data if, inter alia, it is required by law, and in this instance, there may well be tax law requirements to retain some of the personal data. However, the retention of the personal data in this regard would be for tax related purposes, not for business process efficiency purposes. So, for example, if the pizza shop identifies the individual through the individual's telephone number, it cannot for efficiency reasons retain the individual's telephone number and address on the system as a record to avoid having to re-take or re-input the delivery address for future orders. Further, if the individual had ordered a Hawaiian pizza the first time, the pizza shop would also not be permitted to use deemed consent to retain the choice of pizza ordered and ask the customer if they would like to order a Hawaiian pizza again. All the personal data and the type of pizza ordered can be retained for tax purposes and this should be kept at the backend. The personal data and the kind of pizza ordered, however, should not be retained and used, and be accessible to front end staff for the purpose of enabling more efficient ordering of pizzas in the future, unless explicit consent has been obtained.

5.29 This kind of analysis can be applied to other industries and settings, where there is only a single or one-off transaction with a clear purpose or clear closely inter-connected purposes, such as the ordering of a taxi service or visiting a show flat.

22 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.48.
23 Personal Data Protection Act 2012 (Act 26 of 2012).
24 Personal Data Protection Act 2012 (Act 26 of 2012) s 15(1).

5.30 One situation where there can perhaps be clear deemed consent for the retention of personal data might be in the employment context, where an individual submits a job application by writing to an organisation expressing a general interest in working for the organisation without any expressed time frame. The organisation could be said to have the deemed consent of the individual to retain the personal data on file indefinitely for future positions that might arise. This deemed consent may endure until the individual withdraws consent, in which case the organisation would need to destroy the personal data it holds on the individual.

5.31 Indeed, it would appear that the concept of deemed consent applies well to situations that have only one main or primary purpose. It may be difficult to apply deemed consent to more than one purpose in any given scenario, especially where the purposes have only a tenuous or no relationship to each other. As a matter of sound practice and as a rough rule of thumb, explicit consent should probably be obtained if an organisation wishes to claim deemed consent for more than one main purpose in any given scenario.

2. Deemed consent through action

5.32 Consent can also be deemed through action as section 15(1) does not specify the manner in which the individual has to provide the personal data. The Commission gave an example in this regard,25 of a person who visits a medical clinic for a check-up and allows herself to be subjected to the collection and use of personal data, such as measurement of her height and weight for the purpose of the check-up. These would all fall within deemed consent, even though the individual did not actually give the personal data as such but the personal data was provided to the clinic through measurements.

5.33 The scope of deemed consent through action can also sometimes be contentious. Take the example of a person taking photographs. If the subject of the photograph actually posed for the photograph, it would be safe to say that the individual being photographed has given deemed consent for the photograph to be taken. However, that is only the collection stage. What consent, if any, can be deemed for the use and disclosure of the photograph? This is a difficult question and much would depend on the circumstances. If the photograph was taken at a r[...]rt, the consent might be deemed to be for the photograph to be circulated amongst the attendees of the wo[...] but not beyond that, and certainly not for commercial purposes. If the photograph was taken at an amusement park or a theme park, perhaps with the individual standing alongside famous life-size cartoon characters, the deemed consent would be for the photograph to be displayed [...] for a short duration in order for the subjects to inspect and purchase the photographs if they so desired. Beyond that, it would be difficult to argue any other use [...] deemed consent.

5.34 This brings into question the images recorded by security cameras discussed in chapter 4 on the Notification Obligation. It was mentioned there that for premises protected by security cameras, a notification of the security cameras should be placed at the entry points of the premises to give individuals the notification required under section 20. How would the consent be conceptualised in such a situation? Any such notification would no doubt state something along the lines that by entering these premises, the individual hereby consents to having his or her images captured by the security cameras. Would this be a case of actual consent given by the individual when the individual steps into the premises? Or would the situation be better characterised under the deemed consent provision, that by taking the action to step into the premises, the individual has, through action, provided the personal data to the security cameras? This is really a moot point as the consent can be characterised under either conception. The former conceptualisation would be tenable under a contractual model, that the collection of an individual's image is part of the contract or condition of entering onto the premises. The latter conceptualisation is equally palatable. Section 15(1) merely refers to an individual who, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose. The relevant purpose here would be entering into the premises. The sign with the notification at the entry point of the premises would make it clear to the individual that for security purposes, security cameras will be capturing the images of all persons who step into the premises. The individual voluntarily provides the personal data to the organisation for the purpose of entering into the premises when he or she voluntarily steps into the premises and allows the organisation's security cameras to record the individual's images.

25 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.25.

3. Corollary of deemed consent to disclose

5.35 Section 15(2) specifically states that should an individual give or is deemed to have given consent to the disclosure of personal data by one organisation to a second organisation for a particular purpose, then the individual is deemed to have consented to the collection, use and disclosure of the personal data for that particular purpose by the second organisation.26 This is a logical necessity if the whole concept of deemed consent is to be workable.

5.36 The pizza delivery scenario set out above would provide an example of the meaning of this provision. The customer who ordered the pizza was deemed to have consented to personal data such as the delivery address to be disclosed to the delivery personnel. For this to be workable, the delivery personnel must also receive some protection from personal data protection liability when the personal data is received by the deliverer. Hence, section 15(2) also deems the customer to have provided consent for the delivery personnel to receive, use and disclose the personal data for that same purpose, namely the delivering of the pizza. Section 15(2) is really the flipside of the initial deemed consent to disclose. In the situation of the pizza delivery personnel, the deliverer would need to receive or collect the address to deliver the pizza. The address would be used by the deliverer when the delivery of the pizza takes place. Lastly, the deliverer may need to disclose the address to others if the deliverer cannot find the address and requires extra directions from others in order to find the address. Section 15(2) automatically makes all this possible by deeming consent for all of these activities by the delivery personnel.

4. Caution on deemed consent

5.37 Deemed consent is efficient and useful for keeping transactions at a minimal level of engagement for both parties, but it should be applied with caution. Where there is any doubt whether the deemed consent provision applies, obtaining consent from the individual would avoid disputes from arising and save the collecting organisation from having to prove elements such as voluntariness in the provision of personal data. The purpose or purposes for the deemed consent should also be clear to the individuals and there should be no doubts.

5.38 Where there is disclosure required as part of the consent deemed, the organisation would need to ensure the receiving party of the personal data is aware of the limited purposes for the collection, use and disclosure of the personal data and it would be constructive to reiterate this to the receiving party.

5.39 In all, deemed consent as a concept is a retrograde step for personal security, financial security and personal data security. It allows personal data to be collected, used and disclosed without explicit consent, opening gaps in the protection of personal data. The concept also means that the purposes and those who have been given access to the personal data are not properly tracked and are thus difficult to be held accountable.

D. MANNER AND FORM OF CONSENT

5.40 The legislation does not dictate the manner and form of the consent but for evidentiary purposes, good personal data protection practices would entail the consent be obtained in writing or recorded in some way. Consent may also be obtained verbally but proof of this may be difficult unless the process is somehow embedded, or the verbal consent is followed up with a confirmation of the consent in writing, whether in electronic or paper format. Verbal consent can be recorded if it is given over the telephone, or it may take the form of a pre-recorded message at the beginning of the telephone call stating that consent is deemed by continuing with the telephone call.

5.41 The Commission has made it clear that a failure to opt out will not always be regarded as consent in all situations.27 Much will depend on the actual circumstances. A failure to tick a box on a form to opt out of consent where the box appears before the place where the individual has to sign is likely to signal valid consent, whereas a failure to do an act such as mail back to the organisation a consent opt out letter is unlikely to be considered a valid consent.

26 Personal Data Protection Act 2012 (Act 26 of 2012) s 15(2).
27 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.10.

5.42 To avoid the risk of having a failure to opt out type of consent being declared invalid, organisations should adhere to the good practice of obtaining consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of personal data for the stated purposes.

E. WITHDRAWAL OF CONSENT

5.43 Consent for the collection, use and disclosure of personal data for any purpose can be withdrawn by an individual at any time, even where the consent has been deemed, with reasonable notice to be given to the organisation.28 The Commission has indicated that it is difficult to prescribe a specific time frame for reasonable notice to be given but, as a general rule of thumb, the Commission would consider a withdrawal notice of at least ten business days from the day the organisation receives the withdrawal notice to be reasonable notice. Should an organisation require more time to give effect to a withdrawal notice, the organisation should inform the individual of the time frame by which the withdrawal of consent will take effect.29

5.44 Organisations cannot prohibit an individual from withdrawing consent and this does not affect any legal consequences arising from such withdrawal. If consent is withdrawn, then whatever legal consequences that may arise from the withdrawal will have to be borne by the individual but upon receipt of the notice of withdrawal of consent, the organisation has the responsibility to inform the individual of the likely consequences of the withdrawal of consent, even if the consequences may already be stated in another document.

5.45 Organisations are advised to facilitate the withdrawal of consent through designing appropriate consent withdrawal policies that are easily accessible to the individuals concerned and which clearly inform them of the form and manner to submit a notice to withdraw consent for specific purposes as well as the person to whom, or the means by which, the notice to withdraw consent should be submitted, and the expected time frame for the withdrawal to be effected. To this end, organisations should make clear which purposes are necessary and which are optional to the supply of the goods or services. Furthermore, it must be possible for individuals to withdraw consent for optional purposes without concurrently having to withdraw consent for the necessary purposes.

5.46 The withdrawal of consent notice needs to be clear about what it pertains to for it to be effective. Hence, if an individual does not specify for what purposes the consent has been withdrawn, it will be difficult for the organisation to act upon the withdrawal notice. The Commission has, however, taken a business-friendly position in instances where the withdrawal notice for marketing is general in nature such as "withdraw my consent for marketing messages". The Commission will consider that any withdrawal of consent for marketing sent via a particular channel that is worded generally is to only apply to messages sent via that channel. So, if an e-mail withdrawing consent for marketing messages was generally worded, the organisation is only obliged to cease sending marketing messages via e-mail only. For the withdrawal of consent to apply to all other channels, such as SMSes, the individual would need to explicitly state the channels of communications. Similarly, if an individual only indicates the withdrawal of consent for telephone related marketing purposes, then the withdrawal of consent would include telephone calls, SMS messages and any other kinds of telephone communications. If organisations provide a facility for individuals to withdraw consent, such as a web page, the organisations should clearly indicate the scope of such withdrawals.36

28 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1).
29 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.42.
30 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(3).
Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.51.
Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at paras 12.41-12.43; Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.55.
Personal Data Protection Act 2012 (Act 26 of 2012) s 16(3).
Personal Data Protection Act 2012 (Act 26 of 2012) ss 16(2) and 16(
Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.3
Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.49.
36 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at paras 12.47-12.48.

5.47 The legal consequences of the withdrawal of consent are unaffected by the provision, so if the withdrawal of consent means the individual will no longer be able to receive the services or if there is an early termination fee that will be imposed as a result of this, the individual would have to bear the consequences.37

5.48 Once a withdrawal of consent has been received by an organisation, the organisation must cease and ensure its data intermediaries and agents also cease collecting, using, or disclosing the personal data. There are no requirements for the organisation to inform third parties of the withdrawal of consent, which means that the onus lies on the individual to seek out the other organisations to withdraw consent, which is quite burdensome on the individual. The individual would first need to request from the organisation the individual's personal data in its possession or control as well as information concerning the ways in which his or her personal data may have been disclosed and to whom. Then the individual, armed with the list of organisations, can approach the other organisations directly to withdraw consent for the collection, use or disclosure of personal data for such purposes.

5.49 It should be noted that the withdrawal of consent will not affect the retention of data. Under section 25, an organisation may retain personal data, for example, if it is necessary for legal or business purposes. Certainly, for most organisations, it would be advisable to retain the personal data for at least until the statute of limitations expires.

5.50 The main exception to the permissibility of the withdrawal of consent is where the collection, use, or disclosure is required or authorised by law.40

37 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(3).
38 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(4).
39 Personal Data Protection Act 2012 (Act 26 of 2012) s 25(b).
40 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(4).

F. COLLECTING PERSONAL DATA FROM THIRD PARTIES

5.51 As noted in chapter 4, great care should be exercised before an organisation collects personal data from a party other than the individual. Before an organisation collects personal data, it must always provide the purpose of the collection to the individuals who are disclosing information about themselves. This is also still the case if the personal data is collected from a third party. Furthermore, if personal data is collected from a third party and the third party does not, in fact, have consent or permission to disclose the personal data, the organisation collecting and subsequently using the personal data would itself be in breach of the Act for using personal data for which it has no consent or permission to do so.41

5.52 Organisations collecting personal data from third parties should exercise the appropriate due diligence to check and ensure that the third party source can validly disclose the personal data for use and disclosure. In this regard, the Commission has recommended that organisations adopt one or more of the following measures appropriate to the circumstances at hand:42

(a) Seek an undertaking from the disclosing organisation through a term of contract between the two organisations that the disclosure for the stated purposes is within the scope of the consent given by the individual to the disclosing organisation.
(b) Obtain confirmation in writing from the disclosing organisation.
(c) Obtain, and document in an appropriate form, verbal confirmation from the disclosing organisation.
(d) Obtain a copy of the document(s) containing evidence of the consent given by the individuals concerned to the disclosing organisation to disclose the personal data. This often may not be possible for commercial and other reasons.

5.53 In essence, the measures that the Commission suggests are mainly contractual or quasi-contractual measures.

41 Personal Data Protection Act 2012 (Act 26 of 2012) s 13.
42 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.30.

5.54 For collecting organisations, where possible, it may perhaps be easier to rely on the extensive exceptions to the Consent Obligation, which will be considered in the next section.

G. EXCEPTIONS TO THE CONSENT OBLIGATION

5.55 The exemptions contained in section 17 of the Act43 have already been mentioned in relation to the Notification Obligation in chapter 4. For the Notification Obligation, no notification of the purposes of collection, use, or disclosure is required if the situations fall within the section 17 situations which, in fact, refer to the circumstances in the Second, Third, or Fourth Schedule.44 It is appropriate at this juncture to consider the section 17 exemptions in their own right. The section 17 exemptions weaken considerably the power and force of the Singapore data protection regime, and to a certain extent, they define the Singapore personal data protection regime.

5.56 Section 17(1) permits personal data to be collected without the consent of the individual in the circumstances set out in the Second Schedule including collection from third parties. Sections 17(2) and 17(3) similarly provide that personal data can be used or disclosed without consent in the circumstances set out in the Third and Fourth Schedules, respectively. As will be seen below, these Schedules contain wide exemptions, such as where the personal data is publicly available, or where the use is necessary for evaluative purposes (evaluative purposes is defined widely in the Act), or where the personal data is collected solely for artistic or literary purposes. Some of these exemptions may have materialised through pressure from industry driven by concerns about compliance costs. These exemptions, however, are extremely broad and dilute substantially any meaningful protection accorded to personal data. This, in turn, will impact negatively on data security and cybersecurity due to the fact that once information is released, it is "out there" and impossible to "retrieve" or "recall" and fence in and, even worse, some personal data, like biometric data, cannot be altered.

5.57 In addition, the circumstances in the three Schedules have cumulative effect. By virtue of paragraph 1() of the Third Schedule, personal data that was collected in accordance with the situations set out in the Second Schedule can be used without consent for purposes consistent with the purpose of the collection. Similarly, paragraph 1(s) of the Fourth Schedule enables personal data collected in the circumstances set out in the Second Schedule to be disclosed for purposes consistent with the purpose of the collection. Lastly, paragraph 1(7) of the Second Schedule allows personal data that was validly disclosed in the circumstances set out in the Fourth Schedule to be collected without the consent of the individual for purposes consistent with the purpose of the disclosure.

5.58 For personal data collected prior to the commencement of the personal data protection provisions in the circumstances set out in the Second Schedule, these can also be used and disclosed.45 Under paragraph 3 of the Third Schedule, all such personal data is deemed to have been collected in accordance with paragraph 1() of the Third Schedule. This means that all personal data collected in the circumstances set out in the Second Schedule prior to the commencement of the personal data protection regime can be used for purposes consistent with the purpose of the collection. Similarly, paragraph 5 of the Fourth Schedule deems all such personal data to have been collected in accordance with paragraph 1(s) of the Fourth Schedule. This means that all personal data collected in the circumstances set out in the Second Schedule prior to the commencement of the personal data protection regime can be disclosed for purposes consistent with the purpose of the collection. Lastly, paragraph 4 of the Second Schedule deems all personal data disclosed prior to the commencement of the personal data protection provisions in the circumstances set out in the Fourth Schedule to have been collected in accordance with paragraph 1(7) of the Second Schedule, so that such data can continue to be collected for consistent purposes.

5.59 As will be seen below, there appears, however, to be a gap in the exemption for personal data that was generated or produced but not disclosed prior to the commencement of the personal data protection provisions.

43 Personal Data Protection Act 2012 (Act 26 of 2012) s 17.
44 Personal Data Protection Act 2012 (Act 26 of 2012) ss 20(3)(b) and 17.
45 Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 3.

Consent Obligation

Data Protection in the Practical Context

5.60 An issue to consider here is whether personal data that falls within the circumstances of the Second, Third and Fourth Schedules that do not require consent from individuals for collection, use or disclosure can have the consent over its collection, use or disclosure withdrawn. The wording of section 16(1) itself would suggest that this is not possible:46

... an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.

5.61 The withdrawal of consent provision only applies to consent "given, or deemed to have been given under this Act". It does not state that withdrawal is permitted in any instances where consent is not required as in the section 17 references to the Second, Third and Fourth Schedules.

5.62 This interpretation appears to be supported by the Commission, which has said, in relation to the exemption to the requirement of consent for "publicly available" personal data that appears in all three Schedules referred to in section 17:47

For avoidance of doubt, the withdrawal of consent would not affect the collection, use or disclosure of personal data that is publicly available. In such cases, an organisation that receives a withdrawal of consent may wish to cease further use or disclosure of the photographs or video recordings in question as a good practice.

5.63 This is clear indication that under the Singapore personal data protection regime, it is not possible to withdraw consent for the collection, use or disclosure of personal data that falls within the situations set out in the Second, Third and Fourth Schedules.

5.64 This, unfortunately, leaves individuals with little control over their personal data, a "no escape" situation and, as will be seen below, an almost losing proposition. Whether an individual likes it or not, the three Schedules give wide ambit for their personal data to be collected, used or disclosed. The resulting conglomeration of personal data is in ... individual risk for security ... wide-ranging purposes. ... let alone their use and disclosure indeed presents a challenge ... cybersecurity.

46 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1).

47 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 4.21.

5.65 The following sections will examine the breadth of some of the key exemptions contained in the three Schedules and will elucidate through examples the situations covered by the categories. The intention is not to provide comprehensive coverage of all the exemptions in the three Schedules. Indeed, some of the circumstances listed are so broad in scope and expressed in very general terms that their true effects are hitherto unknown.

1. Evaluative purposes

5.66 If the collection, use or disclosure is necessary for evaluative purposes,48 then no consent nor notification is required for the collection, use or disclosure of the personal data. This is one of the most far-reaching exemptions of the Consent Obligation. The term "evaluative purposes" is defined very broadly in section 2(1) of the Act to encompass many situations.

5.67 In relation to the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates, "evaluative purposes" would include the situations of evaluation for the purposes of:49

(a) employment or appointment to office;
(b) promotion in employment or office or for continuance in employment or office;
(c) removal from employment or office;
(d) admission to an education institution;
(e) the award of contracts, awards, bursaries, scholarships, honours or other similar benefits;
(f) selection for an athletic or artistic purpose;
(g) grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(h) determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(i) deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property;
(j) and other similar purposes as may be prescribed by the minister.

48 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1); Third Sched, para 1() and Fourth Sched, para 1(

49 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

5.68 The list of situations that come within the evaluative purposes exception is quite broad and encompasses a wide variety of situations. Some of these will now be considered, beginning with one of the more prominent situations in the above list, that of the employment or appointment to office.

(a) Employment context

5.69 Under paragraph 1() of the Second Schedule of the Act, there is no need to obtain consent from individuals before collecting personal data from them or from any other source if it is necessary for determining the individual's suitability, eligibility or qualifications for employment or appointment to office. This would certainly cover the situation where the individual submits a job application, but it would also cover situations even where the individual is not actually looking to be a candidate for employment or appointment to office. Thus, the exception would allow employers to conduct searches and compile lists of potential candidates without having to first obtain consent from the individuals.

5.70 Of course, background checks can also be conducted on potential employees. There are many available sources of personal data from which employers can do this, ranging from social media networks to simple searches that trawl the whole Internet for information about individuals. There also appears to be no limits on the methods one can employ. So, for example, if an employer wishes to "friend" a person on the social media network Facebook, using a fictitious name in order to look into the person's private or personal life, including access to photos or posts that may be restricted, it would appear that the employer may do so under this evaluative purposes exception.50

50 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1) and Second Sched, para 1().

5.71 The types of personal data that can be collected and covered under this exemption are extremely broad: personal data such as the individual's formal education history and qualifications; misconduct or failures during any tenure of any employment; any information that might be relevant to the individual's standing as a model employee; any convictions, including ... convictions; the individual's integrity or morality; and even information on the individual's lifestyle, likes and dislikes, hobbies and family background, as these may all be factors determining an individual's suitability for employment.

5.72 As can be seen from the foregoing, the types of personal data that can be collected and accumulated without consent are extensive, so that employers can readily build a complete profile of an individual, albeit for the purpose of evaluation for employment or appointment to office.

5.73 Similarly, paragraph 1() of the Third Schedule allows the use of personal data without the consent of the individual concerned for evaluative purposes.51 This means that after accumulating a complete profile containing wide-ranging personal data on an individual, the organisation may use the personal data in any way that is related to the determination of the individual's suitability, eligibility or qualifications for employment or appointment to office. As mentioned above, one of the biggest harms has already occurred when there is a centralised deposit of information concerning an individual. Once the personal data has been collected in one place, although the uses are limited by the specific purposes, the practical enforcement and restriction of the use to the specified purposes are often challenging. For organisations, they would need to clearly define the permissible purposes attached to each piece of personal data they hold and to set systems, procedures and practices in place to limit the personal data to such purposes.

5.74 Furthermore, paragraph 1(h) of the Fourth Schedule permits the disclosure of personal data for evaluative purposes without the consent of the individual.52 This means that the complete profiles that have been built and used can also be disclosed for the purposes of ... individual's suitability, eligibility or qualifications for employment or appointment to office. It would not be uncommon for organisations to trade such personal data for a fee. One of the negative effects of the evaluative purposes exemption is that it condones the trade in personal data for evaluative purposes associated with employment or appointment to office. In this regard, the Act effectively grants recruitment organisations a free reign over the personal data they collect, use or disclose about individuals. Thus, in Singapore, given the weak laws in this area, hackers and other cyber intruders would regard the computing systems of recruitment organisations with their collections of personal data as prime targets of attacks. The corollary of this is that the amassing of the personal data of individuals can easily be used for other less savoury purposes by hackers.

51 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1) and Third Sched, para 1(

52 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1) and Fourth Sched, para 1(h).

5.75 Indeed, regarding the hack of the 1 billion accounts of Yahoo Inc, security experts cautioned that "the real danger of the attack was not that hackers gained access to Yahoo users' e-mail accounts, but that they obtained the credentials to hunt down more lucrative information about their targets wherever it resided across the web".53

5.76 Moreover, the exemption for evaluative purposes amplifies the exemption from the operation of the Act of business contact information discussed in chapter 3. Business contact information such as those appearing on business cards can be used without consent for any purpose whatsoever and is not limited to search and hiring processes. Thus, business contact information can be used as the foundation of databases with other kinds of personal data added to it to build complete profiles of individuals.

5.77 A cautionary note for organisations such as recruitment firms which amass personal data is that they are still required to comply with the other Obligations in the Act, such as the Protection Obligation, which will be discussed in chapter 9. Thus, although organisations may collect, use or disclose personal data without consent for evaluative purposes, they still need to comply with the other rights given to individuals over their personal data in Parts V and VI of the Act.

53 Vindu Goel & Nicole Perlroth, "Hacked Yahoo Data is for Sale on the Dark Web" The New York Times (15 December 2016).

5.78 Consent is also not required if the collection, use or disclosure is for the evaluative purposes of promotion in or continuance in employment or office or removal from employment or office. This would put employers in nearly the same position as recruitment firms in the sheer volume of personal data they can accumulate without consent and ... the computing systems of human resource departments as yet another rich wellspring of personal data to be targeted for criminal activity.

5.79 Some may argue that the kinds of personal data that can be collected and used by an employer for promotion and removal purposes should be closely aligned with the job description. While this may be true, many employment contracts do include codes of conduct for employees to abide by and these codes of conduct would address issues such as convictions or other kinds of misconduct as means by which employees can be removed or demoted from their positions.

(b) Insurance

5.80 The definition of "evaluative purpose" in section 2(1) also includes a reference in subclause () to the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property. This provision preserves the practices of insurance companies and underwriters of collecting, using and disclosing personal data about individuals to make sound business decisions and to guard against insurance fraud.

(c) Remaining evaluative purposes permitted

5.81 The remaining evaluative purposes permitted without the need to obtain consent from individuals can be loosely categorised into four broad categories. First, the conferment of benefits such as the grant of financial or social assistance or the award of honours such as awards, scholarships, bursaries and whether such awards should be continued, modified or cancelled. The second broad category is for the selection for an athletic or artistic purpose. Both of these categories have been argued to be necessary, especially where the awards are nominated by third parties and the individuals need not take any action, for example, universities may be asked to nominate their students for scholarships and bursaries, and the exemption is intended to allow this activity to continue without interference. While the purposes are honourable, bearing in mind that individuals cannot withdraw consent for these kinds of uses, those organisations involved in the collection, use or disclosure of such personal data should take care that only relevant personal data is collected and, further, that they do not engage in the wholesale collection of every single individual's available personal data, especially where the individuals have, for example, little or no chance of being selected for any athletic or artistic purpose.

5.82 The third broad category of admission to an education institution is also aimed at the practicalities of enabling education institutions to screen and select their students. Indeed, a very broad range of personal data can be collected to facilitate this purpose, but it should arguably be restricted to those individuals who have applied for admission and not a general cross-section of the public.

5.83 The fourth broad category of exemption from consent is for the evaluative purpose of the award of contracts as well as whether the contracts should be continued, modified or cancelled. This is another category with far-reaching implications. It is surprising that it is grouped together with the award of awards, bursaries, scholarships and other honours in the definition in section 2(1). This category no doubt has business aims in mind as it enables organisations to screen and assess to whom it awards contracts by conducting background checks without the need to obtain consent. Like the purpose of evaluating admission to an education institution, in evaluating whether a contract should be awarded, an organisation should restrict itself to only collecting, using or disclosing the personal data of those contenders for the contracts and not simply amassing vast amounts of personal data on contractors and other parties who have not expressed any interest in the contracts or who are in no way related to the contracts.

2. Managing or terminating an employment relationship

5.84 In chapter 4, it was discussed that section 20(4) requires that in any situation where personal data is collected, used, or disclosed for the purpose of managing or terminating an employment relationship between the organisation and that individual, the organisation must give notification and inform the individual of the purpose. Once the notification has been given, consent is not required for the collection, use or disclosure of personal data.

5.85 In the Second Schedule of the Act,54 paragraph 1(o) allows employers to collect personal data without consent as long as the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual. As mentioned above, paragraph 1(j) of the Third Schedule is a blanket clause that allows personal data collected by an organisation in the circumstances set out in the Second Schedule to be used by the organisation for purposes consistent with the purpose of that collection. Similarly, paragraph 1(s) of the Fourth Schedule is a blanket clause that allows personal data collected in the circumstances set out in the Second Schedule to be disclosed by the organisation for purposes consistent with the purpose of that collection.

5.86 Hence, any personal data collected for the purpose of managing or terminating an employment relationship between the organisation and the individual can also be used and disclosed without consent. Examples of what might constitute managing an employment relationship can be readily found in the management of employer equipment or resources. For example, the allocation of computers to employees and their usage thereof are both aspects of managing an employment relationship. If the employer monitors the computer usage of employees by collecting information on which websites they access, the information and personal data collected could then be used to determine if any prohibited websites were accessed; if they were, the employer could then use the information to manage or to terminate the employment of the employee and to disclose this information to the relevant authorities.

5.87 It should be noted, however, that the exemption does not empower employers with unfettered rights of collection, use, and disclosure of the personal data of their employees to manage or terminate the employment relationship. The personal data collected, used, or disclosed must still comply with the other personal data protection provisions. For example, if an employer feels that an employee spends an inordinate amount of time in the toilet, it would not be appropriate for the employer to install cameras inside the toilet to check what the employee is doing inside the toilet.

54 Personal Data Protection Act 2012 (Act 26 of 2012).

55 Ministry of Information, Communications and the Arts, Public Consultation ... Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.69.

5.88 There are, of course, grey areas on what would be considered appropriate or reasonable. Consider an organisation which has as one of its main aims to promote life and has a strong stance against abortion. Could the organisation collect information on the employees' spouses and other immediate family members to ascertain if any of the immediate relatives are strong proponents of abortion? There are arguments that this might be inappropriate or unreasonable as the relatives are not employees, whilst equally valid arguments would suggest that if the employee is a senior enough employee, this would be perfectly reasonable as the reputation of the organisation might be tarnished and the organisation might be labelled a hypocrite. This is just one example of the broad and uncertain scope of the exemptions contained in the three Schedules.

3. Documents produced in business, employment and professional settings

5.89 The Act also provides for an exemption from consent in paragraph 1(n) of the Second Schedule if personal data is included in a document that was produced and collected in the course of the individual's employment, business or professional life, as long as the personal data was produced and collected for the purposes of the individual's employment, business or profession.56 Furthermore, by virtue of the catch all provisions in the Third and Fourth Schedules, personal data that was produced and collected in this manner can also be freely used and disclosed for consistent purposes subject to any other kinds of confidentiality requirements other than the personal data protection regime.57 Such personal information included in work product documents, although excluded from the requirements of consent for collection, use and disclosure, would still need to comply with the other data protection principles or Obligations in the Act such as those pertaining to access, accuracy and correction.

This exclusion was adopted from the Canadian position in British Columbia and was no doubt driven by business efficacy. This means that organisations need not worry about ... for the ... of their day-to-day document creation processes that include personal data of employees. Some examples of documents falling within this exclusion include minutes of meetings that may contain information on whether an employee was absent or present and what the employee might have said at the meeting if he attended, e-mails generated that contained an employee's name, records of the times at which the employee arrived at work and effectively anything in the records with the human resources department, such as the employee's rate of pay, whether any salary increments has been or should be ... and any other documents related to the employment.

5.91 The exclusion also covers documents produced in the course of and for the purposes of the individual's business or profession. This takes the ambit of the exclusion even wider. Some examples should illustrate how broad the exclusion is. If an individual wishes to set up a business that requires commercial or retail space, then the lease of the premises would clearly be a document that is produced in the course of and for the purposes of the individual's business, as would all other documents generated that relate to the leasing of the premises, such as e-mails. Hence, all personal data produced and collected in all of these documents would not require consent for their collection, use or disclosure, as long as the collection, use or disclosure are consistent with the purposes of leasing the premises.

5.92 Similarly, if the individual is a professional, say a legal or medical professional and wishes to obtain a practising certificate, the application of the practising certificate is a document that is produced in the course of and for the purposes of the individual's profession, and would fall under this exclusion, hence no consent is required for the collection, use and disclosure of the personal data in the application. This would effectively mean that all professional associations do not need permission from their members to collect, use and disclose their personal data, as long as the use and disclosure of the personal data is limited to the purposes of collection, which is membership of the professional body.

56 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(n).

57 Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 1() and Fourth Sched, para 1(s).

58 Ministry of Information, Communications and the Arts, Public Consultation ... Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.31.

5.93 Other examples of documents produced in the course of a profession might be the reports, professional opinions and assessments generated by professionals such as doctors, engineers and architects. A doctor's medical report on a patient will reveal personal information about the patient, such as the patient's identity, condition, symptoms, treatments and so on. It is also, however, a document that is generated in the course of and for the purposes of the individual's (the doctor's) profession. It comprises the doctor's professional opinion and action taken as a medical professional. The medical report will also contain the doctor's diagnosis which will reflect the competency of the doctor amongst other things, and hence will also constitute personal data about the doctor. A report such as this can be freely used and disclosed by the patient without obtaining prior consent from the doctor, but only for purposes consistent with the purposes for which the document was created, which would be likely to be the delivery of medical treatment. This, prima facie, appears to be a sensible exclusion as it would be rather tedious and an inefficient delivery of healthcare if the doctor's consent is required each time the patient visits a specialist doctor and wishes to share the first doctor's report and diagnosis with the specialist doctor.

5.94 As discussed above, the Act specifically provides exemption from the requirement of consent for personal data collected, used or disclosed before the commencement of the personal data protection provisions.59 However, there appears to be a gap in the legislation in that it does not clearly provide that documents that were generated or produced prior to the commencement of the personal data protection provisions with personal data contained therein can be collected even though they can be used and disclosed without consent. Collection is not defined in the Act and it cannot be presumed to include the act of generation of documents. The Commission has said that "[c]ollection refers to any act or set of acts through which an organisation obtains control over or possession of personal data".60 This understanding of "collection" would not be helpful in the situation where documents are generated, as the generation of documents such as e-mails does not necessarily mean that the organisation has control over the personal data or has possession of the personal data. There is the further legal issue of how much weight the Commission's interpretation of the term will carry should the matter be disputed.

5.95 In effect, the Third Schedule, paragraph 1(), enables personal data collected in the manner set out in the Second Schedule to be used without consent as long as the purposes are consistent with the purposes of the collection. Paragraph 3 of the Third Schedule provides that personal data collected before the commencement of the personal data protection regime in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1() of the Third Schedule notwithstanding that it was not in force at the time of the collection. A similar device appears in paragraphs 1(9) and 5 of the Fourth Schedule regarding disclosure.

5.96 The anomaly is in the Second Schedule. The "back-dating" provision is set out in paragraph 4 of the Second Schedule, but it only refers to paragraph 1() of the Second Schedule which deals with the situation where personal data was "disclosed to the organisation" and "collected by the organisation". Hence, in the situation where documents were not disclosed as such but were produced in the course of and for the purposes of the individual's employment, business or professional life without any disclosure whatsoever prior to the commencement of the personal data provisions, then, it would not be permissible to collect the personal data contained in such documents under the Second Schedule without consent. Such personal data can, however, be used and disclosed without consent. This is yet another example of the complex and perhaps unintended scope of the exemptions in the three Schedules.

59 Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para and Fourth Sched, para 5.

60 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 7.2.

4. Business asset transaction

5.97 The Act also allows for the "business asset transaction" exception which is elaborately detailed in the Second and Fourth Schedules. This exception has a clearly defined life cycle and it is the only instance in the Act that requires personal data to be destroyed or returned.

5.98 A prerequisite before the business asset transaction exception ... is that both organisations must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction. This is to safeguard against wrongful use or disclosure of the personal data by the collecting organisation.

5.99 This data

or discl. disclosure o

exception allows the collection, and disclosure of belonging to employees, customers, directors, perso offiena shareholders in the defined situation of a business asset transao This is clearly defined list of individuals; use

a

business associates and

trading partners.

missing from this n,

This means that co e and business associates such as agrent joint venture or

with with

trading partners subcontractors, agree supply agreements, purchase agreements, partnership distribution agreen management agreements, fee share agreements and other ements, party agreements that contain personal data are not relate business asset transaction exception and cannot be covered revealed wie first obtaining consent. It is unlikely that the information exemption can be uilised to coverbusiness C these Contac agreements as these agreements would usually contain more kinde ners of data than just the mere business contact information of ersonal the individh.

duals.

100

"Business

asset

transaction"

is

detined

in

paragraph 3(4)

of tho

h u d i n gp e r s o n a

business asse

102

trasaction cxception,

Um

isclose

busine

consent

to

of the

the

areholders,

ithout

a

tomers, share.

or

its

assets,

where there iv

consideration, organisation is prospectiv party certain individuals, whether they be personal data nder

the e r

permi.

rganisation an

OspcCtit

directors or officers. The the business asset in

data must, personalemployees or

question or that part of ncerns the business asset transaction and the necessary ecessary for the organisation m u s t be to data with the business asset transaction66 determine proceed etherto relate directly

he

ganisation that

however

persona

5.103

can o r neceds

on

the

to

depena

rt specific.

necessity,

the amount ent of of personal data a due be disclosed duri exercise business n a t u r e of t transacted

the requirement Given

For example,

being

diligence

and will be

very if the value of a business is directly linked to

as in the case of an tise of its staff, be necessary to disclose more then it may start-up, process than would during the due a b o u t the staff

tac

that will

information technology

diligence

personal

data

otherwise

be necessary.

the

purchase, sale, lease, merger amalgamation any other acquisition, disposal or financing of organisation portion of an or of of the business or assets of an organisation any organisation other than the personal data to be disclosed under paragraph 1(P). or

an

or

or

a

5.101 It is clear that a business asset transaction does not include the situation where the transaction concerns the personal data itself, that is, it does not cover the trading in personal data such as the purchase, sale, lease, or amalgamation of personal data. This definition of a business asset transaction does, however, include the financing of an organisation or a portion of an organisation, hence, it would cover the situation where an organisation seeks financing for its own operations, as well as where an organisation seeks financing for the purchase of

62

Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(2) (6); Third Sched, para 1() and Fourth Sched, para 3(2) (6). Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,

63 64

paras 1(p) (i) and 3; Third Sched, para 1() and Fourth Sched, paras 1 (p) (ü) and 3. Personal Data Protection Act 2012 (Act 26 of 2012) s 4(5). Personal Data Protection Act 2012 (Act 26 of 2012) Fourth Sched,

61

nal data.

a n o t h e ro r g

the exper

Fourth Schedule to mean: ...

isation ora porttion of another.

or

para 3(4).

5,104

eally, fnancial information will be required for due diligence but. nicaly in most business transactions, the individual names and

records of employees may not be necessary for an organisation to determine whether to proceed with the business asset transaction.

instead, aggregated information about the employees of the busines, uch as deidentified information about salaries, leave entitlements and long service leave entitlements, and time and wages records would be more the norm. In addition to this, it might be necessary to reveal some individual employee records, such as key executive staff or key service personnel. If there are any agreements with employees that

contain material provisions, for example, compensation for loss of office or payment of any bonuses or profit shares, these would probably be considered necessary as well.

65 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, paras 1(p)(ii) and 3; Third Sched, para 1() and Fourth Sched, paras 1(p)(ii) and 3.

66 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(2)(a); Third Sched, para 1() and Fourth Sched, para 3(2)(a).


5.105 Regarding the personal data of customers, these would generally be limited to aggregated statistical non-personal data about the customer base but, sometimes, personal data about customers and/or their financial information might be necessary.

5.106 Where the business asset transaction does not proceed, all personal data collected must be destroyed or returned to the disclosing organisation.67 Where the transaction is entered into,68 the employees and other individuals whose personal data have been disclosed should be notified that the business asset transaction has taken place and that personal data about them has been disclosed to the other party.69 In the event that excess personal data was collected, for example, if the personal data collected did not relate directly to the business asset, then any such excess data must be destroyed or returned to the disclosing organisation.70 Of course, the recipient organisation may only use or disclose the personal data collected for the same purposes for which the disclosing organisation had permission to use or disclose the data.71

5.107 As a general rule, the disclosing organisation should try and provide only de-identified information wherever possible. It would also be good practice to allow the prospective party to only inspect documents rather than keep or make copies of personal data.

67 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(4).

68 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3) and Fourth Sched, para 3(3).

69 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3)(c) and Fourth Sched, para 3(3).

70 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3)(b).

71 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 3(3)(a).

Publicly available data

(a) Definition of publicly available

5.108 Under the exemption contained in paragraph 1() of the Second Schedule, paragraph 1() of the Third Schedule and paragraph 1(d) of the Fourth Schedule, organisations may collect, use or disclose personal data without the consent of the individual if the personal data is publicly available. There is no restriction on the purposes of collection, use or disclosure, which means that anything that comes within the definition of "publicly available" can be collected, used or disclosed for any purpose and there are no means of stopping the collection, use or disclosure as consent cannot be withdrawn.72

5.109 Section 2(1) defines "publicly available" in relation to personal data about an individual to mean:73

personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event -

(a) at which the individual appears; and

(b) that is open to the public

5.110 The definition is in effect focused on the element of being "generally available to the public" with the explicit inclusion about personal data that can be observed by reasonably expected means. The Commission went to great lengths to describe the meaning of the "publicly available" concept and focused at length on physical locations that might be in public but may or may not be considered to fall within the notion of being "publicly available".74 Much of the Commission's jurisprudence on this topic is reminiscent of the notions of "public" in copyright law that has developed over the decades, especially in overseas jurisdictions such as the UK and Australia.75 For example, the copyright cases had to determine whether there had been a communication or distribution or performance of the copyright

72 See the discussion on withdrawal of consent at paras 5.43-5.50 above.

73 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

74 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at paras 12.57-12.67.

75 See, eg, cases like APRA Ltd v Tolbush Pty Ltd (1985) 62 ALR 521 and Telstra Corp Ltd v APRA (1997) 191 CLR 140.

protected work to the "public" or "in public". Many of these cases dealt with similar issues such as whether a room of a hospital was in public76 or whether music heard by mobile phone subscribers while they were waiting "on hold" fell within the definition of being transmitted "to the public".77 It would not be surprising if the Commission and the courts in Singapore come to rely on some of such jurisprudence from copyright cases in the future.

(b) Presence of restrictions

5.111 The Commission explained that personal data is "generally available to the public if any member of the public could obtain or access the data with few or no restrictions".78 However, the Commission also stressed that just because restrictions are present does not necessarily mean that the personal data is not publicly available.79

5.112 To illustrate, the Commission gave a few examples. There may be a group which requires membership to join, such as a group on social media. Although one needs to be a member to access the group and the contents and communications addressed to the group members, membership to the group can easily be obtained. Examples of this would be social media groups such as Facebook groups, where it seems almost routine for many users to add strangers as their "friend". The Commission gave a contrasting example of where personal data is disclosed to a closed circle of an individual's family and friends, and in this latter example, the personal data would not be "publicly available", even if it is inadvertently disclosed to a single member of the public who is not personally known to the individual concerned.80

5.113 These are simple cases at the extreme ends of the spectrum. The Commission did not address the difficult situations. What if the personal data is disclosed within a club amongst its members and the entrance fee to join the club is over $28,000,81 which is not an uncommon amount with some clubs in Singapore? If it is assumed that individual members gave consent for their personal data such as name, contact number and residential address to be disclosed to all members, can this personal data be considered to be "publicly available"? Would the club entry fee of $28,000 and above be considered to be a barrier to the data being "generally available to the public"? Further, some clubs have over 19,000 members,82 would such a number be sufficiently large to amount to the personal data being "generally available to the public"? The Commission gave very little guidance on this.

(c) Opening the floodgates

5.114 Further, the Commission mentioned the situation where personal data is inadvertently disclosed to a single member of the public who is not personally known to the individual concerned83 and concluded that the personal data would not be "publicly available" under this circumstance. This must surely be tempered by how the disclosure is made. If the disclosure is, for example, made to a person's social media Facebook page, which happens to have settings that enable everyone, even those without a Facebook account, to be able to view the person's Facebook page, the disclosure would surely become "publicly available" as anyone would be able to see the disclosure.

5.115 Further, what if the disclosure was inadvertently made to ten persons not personally known to the individual concerned, would this transform the personal data to become "publicly available"? The Commission did not explain whether "publicly available" will always be determined by the number of people the personal data is disclosed to. It gave the example of one person outside the circle of family and friends and ruled out that one recipient could change the character of the personal data to be "publicly available", but it gave no guidance of whether the number of recipients of the disclosure would be a relevant consideration and, if so, what the threshold number of recipients might be for the personal data to be transformed into being "publicly available".

76 Duck v Bates (1884) 13 QBD 843.

77 Telstra Corp Ltd v APRA (1997) 191 CLR 140.

78 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.

79 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

80 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.59.

81 This was the entrance fee for the Raffles Town Club, see Raffles Town Club v Lim Eng Hock Peter [2013] 1 SLR 374 at [17].

82 For example, Raffles Town Club had 19,048 members, see Raffles Town Club v Lim Eng Hock Peter [2013] 1 SLR 374 at [3].

83 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 12.59.

5.116 The Commission also did not give guidance on whether the definition of "publicly available" could be governed by the class of persons. The example of family and friends is at the obvious end of the spectrum, but the question remains: could the presence of a definite class or category of persons allow the personal data to remain not "publicly available", even if the class of persons amounts to 19,000 individuals?

5.117 These questions are difficult to grapple with, especially since there seems to be lacking in Singapore a clear consensus of the rights, if any, that data protection laws are aimed at protecting. For copyright law, the issue of "public" is made slightly clearer with the aim of copyright law being to protect the economic rights of the copyright holder, thus any interpretation of "public" will aim to uphold the copyright holder's economic rights given by copyright law.

5.118 In all, this exemption of "publicly available" is antithetical to good personal data protection policy and makes cybersecurity near impossible. This exemption enables almost every piece of personal data to be instantly transformed into personal data that can be freely collected, used and disclosed without any restrictions whatsoever by simply releasing it to the public. The personal data will then be "publicly available" and thus fall outside of the personal data protection regime forever. MICA was asked to clarify this very point but it sidestepped the issue by stating that the provisions of the Act will not override other existing laws.85 Of course, the perpetrator of wrongful disclosures will have to suffer the consequences of any existing laws. The question is the status of the personal data that has been wrongfully disclosed, does it fall within the purview of this exemption or not? In the absence of any confirmation to the contrary by MICA, one can only presume that such personal data will come within this very broad exemption.

5.119 Hence, all that is needed is one unscrupulous person to upload massive amounts of personal data onto the Internet to websites such as Wikileaks,86 or to e-mail the personal data to a large number of recipients, and the personal data would have instantaneously become "publicly available". The result would be that all the personal data can, from then onwards, be collected, used or disclosed by all for any purpose. This exemption thus effectively gives individuals no control over their personal data and opens up many vulnerabilities in the personal data security of the individual.

5.120 In addition, it should be highlighted that the Commission was also explicit in its position that as long as the personal data in question was publicly available at the point of collection, organisations would be able to use and disclose the personal data without consent, notwithstanding that the personal data may no longer be publicly available at the point in time when it is used or disclosed.87 This, according to the Commission, is to avoid organisations having to constantly verify that the personal data remains publicly available which, according to the Commission, is an "excessively burdensome" task.88

5.121 It seems clear that one of the rationales behind this exemption is to ease the burden of compliance on organisations. It has, however, the effect of chilling cybersecurity efforts and opens all personal data belonging to individuals to attack. Organisations should also be mindful that even though the personal data regime sanctions such collection, use or disclosure, organisations may still be liable under other areas of law such as criminal law, contract law or even the tort of negligence should they or their systems have played a part in harm occurring as a result of such collection, use or disclosure of personal data.

(d) Observable personal data

5.122 The definition in section 2(1) also includes personal data that can be observed in public. There are two main requirements, that the personal data:89

84 See ch 1.

85 Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at paras 2.65-2.66.

86 See Wikileaks at (accessed 7 July 2016).

Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press, 2002) at p 132.

Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press, 2002) at p 132.

Organisation for Economic Co-operation and Development, The OECD Privacy Framework 2013 (accessed 7 July 2016) at p 8.

Asia-Pacific Economic Cooperation, APEC Privacy Framework au

the consent of the data subject but the collection is also limited to the

the notice. Furthermore, personal data cannot be ised o for other purposes without fresh consent. This is a vast . or proces the wide sweeping exemptions in Singapore, which are alsot r e in nature, so that once a piece of personal data is collee. and disclosed for rele ed unde it can also be used

that in all aspects of the employment relationship,

without consent.

disclosirng

employve employer

from

amulatitheve

exemption,

is only ecollecting, using oro rsonal and emp relatio the cmployment n e n t cmploveea f r o m the nce the withdrawal

seems,t h e r e f 5190

h e as

long

nsent is hatsent data

as

required does not

apply to personal personal data where consent has notapply free reign to employers as they would never hesentprhis gives 170 employees. no couision

been cxempted, this oc fo n s

from their

consent

btain

Specific industry sectors

2.

have t

5.188 When

19

some

are

specific industry sectors of personal data collection,

how permissive 5.189

employers in the employees and potential

For

considered. use

ill be clear

disclosure the Ac

is.

handling of personal data data belonging employees for the purposes of. o

emplo

related purposes. th ment not for other non-employment above have elucidated how liberal are the requirements oCtons Prior to employment, in assessing and finding candidates t e hire,Act

and

prior

consent

is needed for collection,

evaluative purposes

use or

disclosure

During employment.

exemption.

notice is given, the employer can collect, use

or disclose

no

C the

long

concerned with managing the em relationship," including terminating the relationship. For 'n

data for any purpose

ona t

in other aspects of the employment relationship such as promotion, this would be covered by the evaluative purposes exception.167 The evaluative purposes exception can also be used for the purpose of terminating the employment relationship. As for documents produced in the course of and for the purposes of the employment,168 consent for these are also not required. If there is any misconduct by employees, any collection, use or disclosure of personal data is also permitted for any investigation or proceedings.169

Organisations whose business is recruitment would appear to be in an even easier position than other employers in general regarding compliance. If the recruitment firm retains employees, no consent would be required from the employees as long as the organisation does not move beyond employment related purposes with the personal data. As for the personal data that a recruitment firm handles about individuals within the confines of recruitment purposes, all of these would be exempt from the requirement of consent for collection, use or disclosure under the evaluative purposes exemption.171 As discussed above, the types of personal data that can be collected, used or disclosed for the purpose of "determining the suitability, eligibility or qualifications of the individual"172 for employment or appointment to office are extremely wide. Hence, for an organisation whose business is limited to recruitment services, they would arguably not need to obtain consent for the collection of personal data for any of their business activities. If they then handle personal data for purposes other than recruitment, those other activities would need to be assessed.

5.192 For insurance companies, they are in an equally privileged position. Again, personal data collected, used and disclosed for employment related purposes would not require consent from their employees or potential employees. There are also sweeping exemptions for personal data collected, used or disclosed in connection with insurance policies both prior to insuring using the evaluative purposes exemption,173 as well as all other aspects of the conferment and administration of the insurance policy using the benefit plan exemption.174

164 See, eg, the position in the European Union.

165 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(); Third Sched, para 1(f) and Fourth Sched, para 1(h).

166 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(o); Third Sched, para 1() and Fourth Sched, para 1(s).

167 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(); Third Sched, para 1() and Fourth Sched, para 1(h).

168 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(n); Third Sched, para 1(j) and Fourth Sched, para 1(s).

169 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(e); Third Sched, para 1(e) and Fourth Sched, para 1().

170 Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1).

171 Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(); Third Sched, para 1() and Fourth Sched, para 1(h).

172 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

173 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1); Second Sched, para 1(); Third Sched, para 1() and Fourth Sched, para 1(h).

t o Control their personal data; and to ensure data within the EU member states. Thus, the d a t a with personal the data subject is at the hcart of the of t h e i rright

in particular,

.

t h e frce o w

o fp e r s o n a l

.193 For many organisations, especially those in the the retai

retail

sector, the cOnsent aspec personal coll disclose about customers or clients, or potential custome

EUregime.

arca they will need to scrutinise concerning the co data will likely be the personal data tho

omers or ciens

Dala

only and es

OF THE CONSENT

EUROPEAN

UNION

POSITION ON

"colle.

EU The data

IMPACT

ction Dire Directive 95/46 46/EC mandates that personal "collected for specific explicit and legitimate be processed in a way incompatiblc with those f 6urther urt data is very broadly defined'78 processin concept of

Protection 5.197

may

).

by

data

conrol

not

The

cludes collection, consultat

n, disclosure and even erasure

or

purpos

and

destruction.

5.194 As discussed in chapter 1, organisations in Sinoapproach personal data protection with a myopic view,

pore canno

expanded

territorial

reach of

Regulation 2016/679,"3

the

EU

organisations

General

woul

ta

need

especially their online activities and if they are caug

teritorial reach, to ensure they do not fall foul of of the

the

the EU.

to

Proexamitecionne

new

laws in

The EU General Data Protection Regulation 2016/679 did not change the requirements and concepts concerning consent, instead confirmed the concepts and requirements in a clearer and more comprehensive form. For this reason, both sets of personal data protection will now be considered.

Consent under EU Data Protection Directive 95/46/EC

5.196

Both the

public

and

private sectors Protection Directive 95/46/EC, and

175

excessive

not

in

that personal data must be

relation

further

and/or collected,

ed

data

personal

elevant a n d

cannot

to

adequate, relevant

the purposes for which they are

This effectively means that the disclosed must be necessary and

processed.

used

or

excessive. be in any way

for when personal data may be legally conse of the data subject is one of the orocessed - the all requiring an element of criteria with the remaining ritera," is ecessary to protect the vital where processing necessitysuch as The definition of consent that must be of the data subject."* dat to be processed means "any the datasubject for personal given by informed indication" of the data subject's and specific freely given that consent must be explicit for the wishes. 181 Article 8 requires of data, such as racial or ethnic origins, processing of special categories lists the

criteria

unambiguous

interests

religious

or

philosophical

beliefs and

political affiliation.182

that member states may permit in The small number of exceptions and other issues are: measures to safeguard national consent of respect and related regulatory functions; security; defence; public security breaches of ethics for regulated professions and related regulatory functions, an important economic interest of a member state or of

Personal Data Protection Act 2012 (Act 26 of 2012) Second Sched,

para 1();Third Sched, para 1() and Fourth Sched, para 1(s). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons wiun regard to the processing of personal data and on the free movement of

Such data, and repealing Directive 95/46/EC (General Data Protecion 176

requires

5.200

covered

by the EU Daa the two objectives listed in Protection Directive 95/46/ECT are to are

Article 1 of the EU Data protect the fundamental rights and freedoms of natural persons and, 174

6(1) (c)

5.199 icle 7

5.195

1.

6.198

Article

Regulation) ("EU General Data Protection Regulation 2016/679).

EU Data Protection Directive 95/46/EC, Art 1.

177 EU Data Protection Directive 95/46/EC, Art 6(1)(b).

178 EU Data Protection Directive 95/46/EC, Art 2(b).

179 EU Data Protection Directive 95/46/EC, Art 7(a).

180 EU Data Protection Directive 95/46/EC, Arts 7(b)-7().

181 EU Data Protection Directive 95/46/EC, Art 2(h).

182 EU Data Protection Directive 95/46/EC, Art 8(1).

Data Prolection in the Practical Contev related regulatory lunctions; and the the EU and frecdoms of the rights and subject or of of enti ntire industries exemptions wholesale or r

others.

worded

legislation. in the Singapore

5.201

otection of the There

no idd daa

that are preserm

of

not Is T h is on s id e r a b l yb br re oader

considcrabl

Didual.

provide the oduct or servico that necessity but a testof what is sonable, the test of

necessity.

is which

on

persona

ictin g the

collected andrealisefurher

the amount ot personal data collecto purposes and to be the smallest possihl processed for the purposes To over the personal data, consent must he.

subjectcontrol given by the data subject

to

test

test

aa

consent pursuans. EU standard 95/46/EC 1s that purposes musthe the EU n Directive Protection must be legitimate purposecs I8Oficd,a to the data subject and they 184 further processed must be necesea The and data collected in relationa not excessive.185 This would resalt in the purpOses and

In summary, the

able hat is reaso

beyondWhat i s

for the

collection,

use

and

unambilosureguo

that consent ca the stated purposes,which for the ciDe dee position.Lastly, unlike the Singapore ion and of special categories of data, explicit consent i means

processing

5.204

can

med in in

more 0

the

EU regime.

Singapore, which is quite contrary nambiguous and Cxplicit consent in

decmed

of

Lastly

antithctical

than deemed

the three Schedule permienccivcd re broadly conceived. It would

Eve.

exemptions

U6 tists of o

in

is legIslation

the EU

SiDgapore

dis

to

onal perso.

the the

is restrictiv.

adhere to

the

data

apore

collecion, use

Thus, if

oor

requirementsorganisations under

the on, they would need a complete overhaul of their legisia tion practices should they come under the

ore

SU

position

simply

conser

u l e s s C

t

gthy

ingapo.

al

be

crequiremecnt onsent

protecti

data

of jurisdictions

such

as

the EU,

purn

5.202 The EU position sits in stark contrast to the legislative requirements in Singapore. Not only must the amount of personal data collected and processed be the bare necessary minimum, the purposes must also be explicit, legitimate and not overly broad. Unambiguous consent of the data subject must be obtained and there are no wide-sweeping exceptions. All this serves to ensure that the smallest amount of personal data can be legitimately collected and further processed.

5.203 Singapore's position with respect to the purposes permitted, as will be seen in chapter 6, is that which a reasonable person would consider appropriate in the circumstances; this is far broader than the EU requirement of legitimate and explicit purposes. There is no requirement in Singapore that the personal data collected, used or disclosed be limited to that which is necessary. The only stipulation in the Singapore legislation is that an organisation cannot, as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual

Consent under EU General Data Protection Regulation 2016/679

5.205 In the area of consent, the EU General Data Protection Regulation 2016/679 reaffirms, strengthens and clarifies the EU Data Protection Directive 95/46/EC.

5.206 The definition of consent is largely unchanged, Article 4(11) defines "consent" of the data subject to mean:189

any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her[.]

5.207 The definition of "processing" remains equally broad and includes collection, storage, combination and disclosure.190 Article 6 sets out the situations where the processing of personal data is lawful. It is nearly identical to the EU Data Protection Directive 95/46/EC in that other than the consent of the data subject,191 all the other situations require the element of necessity.192

183 EU Data Protection Directive 95/46/EC, Art 13.

184 EU Data Protection Directive 95/46/EC, Art 6(1)(b).

185 EU Data Protection Directive 95/46/EC, Art 6(1)(c).

186 EU Data Protection Directive 95/46/EC, Art 7(a).

187 Personal Data Protection Act 2012 (Act 26 of 2012) s 15.

188 EU Data Protection Directive 95/46/EC, Art 8(1).

189 EU General Data Protection Regulation 2016/679, Art 4(11).

190 EU General Data Protection Regulation 2016/679, Art 4(2).

frecly

frecly

en

not

on

have

he

oro pro

of personal date of special categories The processing has data given explicit subjec unless the prohibited data for specified purn such personal processing of such as where proccssino is limited situations, other the the data subject or ane of interests vital protect the is incapable of giving consent 194 1s where the data subject constitutes specia categories The list of what the processing of genetic data, bior to include

data

coninue 93

ing

expanded

identifying

a

kept

as

neces one eto

individu consent,"" applicable of personal data has beens

atural person

the purpose of uniquely such all the other existing categories

or if

netric data tor

and it

reasonable

the

duct

or

of what is necessary. whas

of

consent

beyond what service, instead of the

EU

General

Data Protection ETI 2016/679 details of what will be requ ired to meet some of the

to the

.211 The Recitals

alsoprovidemuch

Regulation

e l e m e n t so fc o n s c n t .

hasalso

oncerning health

EU General

32 stipulates and

Regulation 2016/679 has int. introduc clarifying the concept and requiremen

Protection The EU General Data

several new requirements

provide

pro

to

to

standard

New requirements

5.209

a

i1s

higher

5.212

(a)

not nccessary

he be

can

pplicd

pore

Singa

Standard js

performa of a conditional on consentcontract, inclu to the processing

ecessary for the pertormance of that compared with section 14(2)(«) of the for provides similar restriction, 202 which except the in Singapore requirin 1s

that

This

201

i r a c t»

to sent to thbee

if if tthe

scrvic

o fa

data da1a

o f perso

5.208

p given

been

of consent. Article 7 lays down several conditi for consent to b that the data suhia lid, It specifies that the onus of showing have consented to the processing of their personal data lies organisation. Where the consent is obtained in the contevs he of a written declaration which also concerns other matters, the uest fo

oftheonsent

Regulation 2016/679208

unambiguous

act uch as clear afirmative

by a statement, whether writen or an oral statement. A form, in simple would consist of ticking a box when visiting an

processin

through

in

Data Protection

should be a freely given, specific, informed that indication of the individual's agreement to the her personal data. This indication must be of his or

hard copy,

or

method

electronic internet website

or

Recital Moreover,

orinactivity in

should

consent shall be presented in a manner which is clearly distinguishahle

personal data

from the other matters, in an intelligible and easily accessible fom

all of them.

choosing technical settings for online services ovides that silence, pre-ticked boxes not nstitute consent. Where the processing of

32 expressly

has multiple purposes, consent needs to be obtained for

using clear and plain language.Where this is not done, the Consent is

not

binding.

199

5.210 The right to withdraw consent at any time must be made known to the data subject at the time the consent was obtained and it must be as easy to withdraw consent as to give consent.200 Consent will likely be held to

191 EU General Data Protection Regulation 2016/679, Art 6(1)(a).

192 EU General Data Protection Regulation 2016/679, Arts 6(1)(b)-6(1)().

193 EU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2)(a).

194 EU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2)(c).

195 EU General Data Protection Regulation 2016/679, Arts 9(1) and 9(2).

196 EU General Data Protection Regulation 2016/679, Art 9(1).

197 EU General Data Protection Regulation 2016/679, Art 7(1).

198 EU General Data Protection Regulation 2016/679, Art 7(2).

199 EU General Data Protection Regulation 2016/679, Art 7(2).

200 EU General Data Protection Regulation 2016/679, Art 7(3).

192

5.213 the organisation to ensure that the data subject The onus is also upon and the extent to which consent is given. 204 In that fact is aware of the of consent pre-formulated by the organisation declaration a particular, should be written in an intelligible and easily accessible form, using clear and plain language and should not contain unfair terms.20 The minimum information that needs to be provided to the data subject in order for the consent to be informed is the identity of the organisation and the purposes of the processing for which the personal data is intended.206

201 EU General Data Protection Regulation 2016/679, Art 7(4). U Personal Data Protection Act 2012 (Act 26 of 2012). 5 BU General Data Protection Regulation 2016/679, Recital 32.

0U General Data Protection Regulation 2016/679, Recital U General Data Protection Regulation 2016/679, Recital U

General Data Protection Regulation 2016/679, Recital 2.

193

Data Protection in the Practical Context

Consent Obligation

5.214 Consent is not normally considered to be freely given if the data subject is unable to refuse or withdraw consent without detriment.207 In a similar vein, consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations in circumstances where it is appropriate to do so.208

5.215 Lastly, where personal data is collected or processed for direct marketing purposes, the data subject shall have the right to object free of charge and at any time to the processing of personal data concerning him or her for such marketing, which includes profiling.209 This right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.210

(b) New requirements for minors under 16 years old

5.216 The EU General Data Protection Regulation 2016/679 introduced specific protection in the context of children's personal data by putting restrictions on the validity of consent given by children.211 This is something completely new in the EU data protection landscape. Article 8(1) states that when offering information society services directly to children under the age of 16, or a lower age provided by EU member state law but which may not be below 13 years, consent is only valid if it is given or authorised by the holder of parental responsibility over the child.212 The organisation bears the onus to make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.213

5.217 Article 4(25) states that "information society service" has the same meaning as "service" in another EU directive214 and is "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".215 The "at a distance" means that the service is provided without the parties being simultaneously present.216 The service must be one that is provided through the transmission of data on individual request.217 Thus, the definition is quite broad and would cover a wide variety of online services such as electronic commerce in goods, including pharmaceutical products, and electronic commerce in services, including online gambling. It would also extend to social networks and even vocational training by distance learning.218

5.218 The rationale for special treatment of those under 16 years of age is that they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. A particular concern is when personal data is used for the purposes of marketing or creating personality or user profiles and where services are offered directly to a child. One of the harms in mind was probably the rise in the number of online predators, especially sexual predators. It is interesting to note that the consent of the holder of parental responsibility is not necessary in the context of preventive or counselling services offered directly to a child.219

5.219 These new rules on minors under 16 years of age will pose challenges to those wishing to offer goods or services, even without charge, to those in the EU. Considering that teenagers are the largest consumers and, in some respects, drivers of online goods and services, whether in terms of social media, games or the purchase of music, they represent a significant segment of the market. Organisations that need to continue to tap into those market segments will need to devise ways of complying with these new requirements. They would need to first establish if the person is under 16 years of age and if they are, to ensure that they obtain permission or authorisation from the holder of parental responsibility. This is no easy task. Some guidelines on how this might be achieved could be gleaned from the US, where legislation has existed for some time to protect minors.

5.220 The Children's Online Privacy Protection Act ("COPPA") was enacted in the US in 1998 to protect children's online safety.220 The US Federal Trade Commission ("FTC") enacted regulations implementing COPPA ("COPPA Rule") in 1999. The FTC amended the COPPA Rule in 2012,221 expanding COPPA's reach to mobile application developers and expanding the prohibition on the collection of personal information from children under 13 years of age without verifiable parental consent to a wider range of operators.222

5.221 Some of the acceptable methods for proving "verifiable parental consent" include the following:223

(a) a signed parental consent form returned to the operator by postal mail, facsimile, or electronic scan;
(b) requiring a parent or legal guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
(c) having a parent or legal guardian call a toll-free telephone number staffed by trained personnel;
(d) having a parent or legal guardian connect to trained personnel via video-conference;
(e) verifying a parent or legal guardian's identity by checking a form of government-issued identification against databases of such information, where the parent or legal guardian's identification is deleted by the operator from its records promptly after such verification is complete; or
(f) an organisation may use an e-mail coupled with additional steps to provide assurances that the parent or legal guardian providing the consent is the parent or legal guardian, with the proviso that the organisation does not disclose children's personal information. Such additional steps include: sending a confirmatory e-mail to the parent or legal guardian following receipt of consent, or obtaining a postal address or telephone number from the parent or legal guardian and confirming the parent or legal guardian's consent by letter or telephone call. Organisations that use this method must provide notice that the parent or legal guardian can revoke any consent given in response to the earlier e-mail.

5.222 The last method is termed the "e-mail plus" method224 and the FTC concluded that it remains a valued and cost-effective consent mechanism for certain organisations. However, as it is less reliable than other methods of consent, the FTC "strongly encourages industry to innovate to create additional useful mechanisms as quickly as possible".225

5.223 Some organisations in the US, such as social media provider Facebook, have complied with COPPA by not permitting users under 13 years old to use their social media service.226 However, the screening is quite primitive and appears to be based on the date of birth entered by the user and no further checks are done. It is doubtful whether such kinds of simplistic screenings will be acceptable in the EU regime and, in any event, the onus lies with the organisation to demonstrate compliance. Thus, an ineffective measure to restrict children under 16 years of age from accessing the service, such as this, would probably not satisfy the requirements in Article 8 of the EU General Data Protection Regulation 2016/679.

5.224 It is, of course, unclear how many, if any, of the methods listed by the FTC will be found to be satisfactory to the EU regulators but they represent some of the available techniques to date. The burden will be on organisations that collect, use and disclose personal data to comply.

207 EU General Data Protection Regulation 2016/679, Recital
208 EU General Data Protection Regulation 2016/679, Recital 45.
209 EU General Data Protection Regulation 2016/679, Art 21.
210 EU General Data Protection Regulation 2016/679, Recital
211 EU General Data Protection Regulation 2016/679, Art 8 and Recital 38.
212 EU General Data Protection Regulation 2016/679, Art 8(1).
213 EU General Data Protection Regulation 2016/679, Art 8(2).
214 Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services [2015] OJ L 241/1 ("EU Directive 2015/1535").
215 EU Directive 2015/1535, Art 1(1)(b).
216 EU Directive 2015/1535, Art 1(1)(b)(i).
217 EU Directive 2015/1535, Art 1(1)(b)(
218 Commission Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services (COM/2011/0942 final) (adopted 11 January 2012) at fn 1.
219 EU General Data Protection Regulation 2016/679, Recital 38.
220 Children's Online Privacy Protection Act 1998 15 USC (US) §§ 6501-6506 (2006).
221 Children's Online Privacy Protection Rule 78 Fed Reg 3972 (January 17, 2013) (US).
222 Children's Online Privacy Protection Rule 78 Fed Reg 3972 (January 17, 2013) (US) at 3972 and 3985.
223 Children's Online Privacy Protection Rule 16 CFR Pt 312 (US) § 312.5(b)(2) (2012).
224 Children's Online Privacy Protection Rule 78 Fed Reg 3972 (January 17, 2013) (US) at 3990.
225 Children's Online Privacy Protection Rule 78 Fed Reg 3972 (January 17, 2013) (US).
226 Facebook Help Centre, "How do I report a child under the age of" (accessed 11 July 2016).

matter of course. Although users can disable cookies in the settings of their browser programs, this may drastically reduce the number of websites one can access since websites so commonly utilise cookie technologies. It has long been the case that the lack of information accompanying a cookie meant that it was difficult for a user to assess whether to accept or not accept a particular cookie. This situation has changed somewhat in the past few years, especially in the EU.238

(b) Position in Singapore

5.238 In Singapore, the position of the Commission is that if the cookie does not collect personal data, then no consent is required.239 The Commission gave the example of cookies that "only collect and store technical data to play back a video on a website"240 - no consent would be required for such cookies.

5.239 The Commission presents an example of how deemed consent would operate in the context of websites. For Internet activities that the user has clearly requested, there may be no need to seek consent for the use of cookies to collect, use or disclose personal data where the user is aware of the purposes because the user, having voluntarily provided such personal data, can be deemed to have consented to the collection, use or disclosure by the cookies.241

5.240 It should be noted, however, that this example given by the Commission would only make sense if the cookies are only collecting, using and disclosing personal data for the purpose which is deemed. Often, cookies collect a lot more information for many other purposes that are quite unrelated to the primary interaction. For example, if the interaction with the website is to facilitate an online purchase, it is not uncommon for cookies to collect information about the device's telephone number if it is a mobile phone, the location, the version of the browser used and so on. None of these would be reasonably necessary for facilitating the online purchase.

5.241 The Commission also opined that consent may be reflected in the way a user configures his browser to accept certain cookies but rejects others; he may be found to have consented to the collection, use and disclosure of his personal data by the cookies that he has chosen to accept.242 However, the Commission was careful to note that the mere failure of an individual to actively manage his browser settings does not imply that the individual has consented to the collection, use and disclosure of his personal data by all websites for their stated purposes.243 In fact, many users of the Internet are unaware of how to change the browser settings.

5.242 Importantly, the Commission was of the view that the obligation to obtain the individual's consent for the collection of his personal data lies with the organisation that is collecting such personal data.244 Thus, in the situation where organisation X operates a website but organisation Y, a third party, collects personal data, then organisation Y has the obligation to obtain consent.245

5.243 Lastly, the Commission made it very clear that where cookies are used for behavioural targeting, the individual's consent is required for such collection, usage or disclosure of personal data.246

238 Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press, 2002) at pp 114-118.
239 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.7.
240 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.7.
241 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.8.
242 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.9.
243 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.9.
244 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.10.
245 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.10.
246 Personal Data Protection Commission, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 20 December 2016) at para 7.11.

(c) Position in the European Union

5.244 In the EU, there is a specific law that deals with cookies and it is contained in what is commonly known as the e-Privacy Directive,247 which was amended in 2009 by the European Parliament. Of relevance, Article 5(3) was amended to provide stronger protection for users. The law previously permitted websites to use cookies where there was clear advance notice to the user. This was commonly achieved by a website's privacy policy providing information about cookies that are employed on the website.

5.245 The new Article 5(3) reads:248

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

5.246 Specifically, Article 5(3) requires prior informed consent for storage or for access to information stored on a user's terminal equipment, thus, organisations must obtain users' consent to the use of cookies and other similar technologies such as web beacons/bugs249 before they can be employed by the website.

5.247 Article 5(3) specifically refers to the EU Data Protection Directive 95/46/EC,250 hence, the consent must be obtained prior to collection, use or disclosure, be informed, be specific and constitute a freely given indication of the individual's wishes. This requires that organisations must be clear, explicit and comprehensive in their disclosures about the nature of cookies employed on their websites prior to obtaining the user's consent.

5.248 The two exemptions from consent provided in Article 5(3) are where cookies are used for the sole purpose of carrying out the transmission of a communication or where they are strictly necessary in order for a provider of an information society service explicitly requested by the user to provide that service.

5.249 The EU Article 29 Data Protection Working Party's Opinion 04/2012 on Cookie Consent Exemption ("WP29 Opinion") has concluded that the two categories of exemptions in Article 5(3) would include the following types of cookies.251

5.250 First, "user input cookies", which refers to session cookies that are used to keep track of a user's input in a series of message exchanges with a service provider in a consistent manner.252 These are typically first party cookies relying on a session-ID, a random temporary unique number generated for the session, which expires when the session ends, although some may persist beyond the session. These first party user input session cookies are normally used to keep track of a user's input when filling online forms over several pages, or in shopping cart scenarios to keep track of the items the user has selected for purchase. These cookies are exempted because they are clearly needed to provide an information service explicitly requested by the user, whether it be filling in a form or purchasing an item online.253

247 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37 ("e-Privacy Directive 2002/58/EC").
248 See Art 5(3) of the e-Privacy Directive 2002/58/EC.
249 Yee Fen Lim, Cyberspace Law: Commentaries and Materials (Oxford University Press, 2002) at pp 118-119.
250 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31.
251 The following section on the examples of exempt cookies is taken from EU Article 29 Data Protection Working Party, WP194, Opinion 04/2012 on Cookie Consent Exemption (adopted on 7 June 2012).
252 EU Article 29 Data Protection Working Party, WP194, Opinion 04/2012 on Cookie Consent Exemption (adopted on 7 June 2012).
253 EU Article 29 Data Protection Working Party, WP194, Opinion 04/2012 on Cookie Consent Exemption (adopted on 7 June 2012).

Data Protection in lhe Practical Context 5.251 authentication

cookies which

are used

Consent Obligation

dentify auser

Second, 251 into a wcbsite.254 Authenicalion cookies the user has logged once usually session okies but they are essential to allow continue

to

provide

access

example, upon logging

into

to a

the

various

pages

banking website,

of

the account balance and transacti. know it is still the s a m e user and allo

the

te to

website. Fo

next page scet records, the websi needs

access to the to transaction records webpage. The website will be able to :

through the

authentication cookie. Witho

checkbo box

balance and ascertain the authenticatio Cookithcis,

the user would have to provide a username and password

password

on cach of the bank's website that is accessed. As the authentication information service the user is an essential part of the

page

cookie is

society

requesting, it would be exempted under Article 5 (3),55

explicitly

5.252

"keep me.logged in" next Lo the

i n d i c a t ec o n s c n t , 2 5 8

the website

an overview of all accounts held. In order to move to tho access

as

such to.

5,254

type

hird yP

T h et h i r d

have h e s p

ily

b e e ne x p l i c i t l y

submit button

to

of cookie is he user centric 1ask of increasing the security the user. An requested by

security cookie 259 These of the service has example of this can bethatffound detect repeated failed login attempts on website system designed to protect the login system

okies used to m

a

o

other

from This type of cookie falls within the exempion as of websites and it is a service for the security that has been he uSer. This type of user secunty cookie lifespan in order to fulf their security purpose.20 usually has a

or some

access.

unauthorised

i is

used

requested

longe

5.255

multimedia player session coOkies are cookies used to store

technical data required to play back video or audio content, such as

The WP29 Opinion sounds a warning

authentication cookies must only use

them tor

that websites thas use

authentication

purpose poses behavioural monitoring or advertising without consent 56such For example, if a bank user is checking the toreign currency rates on an

and must not

use

the authentication cookies for other

as

hourly basis on the bank's secured website, the bank cannot ue the authentication cookies to track the welb pages visited by the conclude the user is interested in foreign currency investments

user and or

present foreign currency advertising without first obtaining consent.

quality, network link speed and bufifering parameters.261 These are commonly known as lash cookies", named after Adobe Flash hich is the most utilised platform for the delivery of Internet

image

altimedia content. These cookies should not endure for longer than the session and other additional information that are not strictly

multin

necessary for the playbacko

the media content should not be

cookie.262 included into the

to

5.253 There are, however, also authentication cookies that are used by e-mail providers and others that are stored for longer than a session; these are not exempted from the consent requirement according to the WP29 Opinion. The rationale for this is that users may not be

5.256

Fith, Ioad balancing cookies also fall within the exemption.35 The task of a load balancing cookie is to ensure that the web server requests from a specific user is always forwarded to the same server. Organisations often have a pool of machines to handle and process

web server requests. Load balancing enables the eicient allocation of resources in this regard. A load balancing gateway is used to process

immediately aware of the fact that closing the browser will not clear their authentication settings.25 Users may return to the website under the erroneous assumption that they are accessing anonymousy whereas, in fact, they are still logged in to the service. Consent can

be obtained for these kinds of persistent login cookies by using a 254

258 EU Article 29 Data Protection Working Party, WPI94, Opinion 04/2012 on Cookie Consent Exemption (adopted on 7 June 2012) at p 7. 259 EU Article 29 Data Protection Working Party, WP194, Opinion 4/2012

onCookie Consent Exemptionm (adopted on 7 June 2012) at p1.

EU Article 29 Data Protection Working Party, WP194, Opinion 04/401 0n Cookie Consent at p Exemption (adopted on 7 June 2012) 6. EU Article 29 Data Protection Working Party, WP194, Opinion U4/4u 2012

250 EU Article 29 Data Protection Working Party, WP194, Opimion U9/2012 onCookie Consent Exemption (adopted on 7June 2012) at p i.

Cookie Consent Exemplion (adopted on 7 June 2012) at pp o. /2012 256 EU Article 29 Data Protection Working Party, WP194, Oinion On Cookie Consent Exembtion (adopted on 7 June 2012) at p7 4 EU Article 29 Data Protection Working Party, WP194, Opinion.0/

onCookie Consent Exemption (adopted on 7June 2012) at p. i c l e 29 Data Protection Working Party, WP194, Opinion 04/2012 0n Cookie Consent Exemption (adopted on 7June 2012) at pi. 04/2012 29 Data Protection Working Party, WP194, Opinion

255

on

om Cookie Consent Exemption (adopted on 7June 2012) atp .

206

261

EU Article 29 Data Protection Working Party, WP194, Onion U704

c le Cookie Consent Exemption (adopted on 7June 2012) at po.

207

Consent Obligation

Data Protection in the Practical Context

web requests available

users

from

internal

and

machines

it

directs

the wch web

in the pool,261

request to one

of

5.257

a ser must be originating from specific user Often, all requests to maintain the the the consistency of p0ol s e r v e r in same to the cookice may be use load balancing a the processing. Thus, load balancer can corree! so that the server in the pool These are Session coOKIes that expire web server requests. fall within the exemption because the the session. They nave the dof sole o n e of the servers in the he pool an purpose of identifying c o m m u n i c a u o n over the the networt 26 thus to m.

forwarded

denify tthhee Trectly redirect -

necessary

carry out

by the WP29 Op on is the social type of coo last sharing ent he ent sha of a social enefit. lt should social network. be noted embers that the ogged-in nion only singled out the social plugin content sharing the these exemption; are 99 Opn within from which cookie king cial plug-in tracki requires the conscnt of the cookie discussed

the

k.

5.260

cookie. This

USCr

5.261

can

The sixth example

of

exempt

interface

C1ct.

saion

expliciuly

requested the service to remember a certain piece ofinformation

s store user's preference regarding an aspect of a :service across web pages and are not linked to other persistent identifiers such as a name. Some common examples of user intertace customisation

:

cookies re language preference cookies that are used to remember the lange

selected by a user on a multilingual website, as well as result disnia

preference cookies used in online search queries that will display a set number of results per page.267

they

are

plug-in

modules" that website

on the social network. These plug-ins the user's device in order to allow the social

connected

cookies

in

andtoaccess identify their members hen they interact with these plug

store

emption would only be available for those social network

netw

ins. This e x

example, by clicking on a button or ticking a box. These cookiee a

"social

suets to share content they like with their "friends" or those with

cookies.26 This type of cookie occurs where the user has

provide rovide

integrate into their websites, such as to allow social

integrate

users

whom

coOkies 1S user

networks

ocial Many o perators

networks

5.258

distinguished

WP20

cookie as

embers

loggea

in

who are logged in. This is so because only users who are to use and access social would expect to be able on

plug-ins

Those who are not logged in or who are not embers would not ha such an expectation. hus, for those who are ged in, the cookie is trictly necessary for a functionality explicitly the user and therefore falls within the exemption, 270

third party websites.

requested by 5.262

This type of cookie may be session cookies or have a lifespan of week or months, depending on their purpose, but since they are customised by the user, they are explicidly enabled by the user of an information

These types of cookies are session cookies because in order to serve their particular purpose, they only need to persist for as long as the user is logged in or as long as the browser is not closed. Social networks that wish to use cookies for a longer duration or for additional purposes should inform their users on the social network

5ociety service, and are strictly necessary in order for the provider of

platform itself and obtain the relevant consent.271

5.259

the service to provide that service, hence they fall within the would be for the customisation to exemption. However, the persist only for the duration of the session unless otherwise brought to norm

the attention of or

i)

requested by the user.288

Practical implementations of cookie consent in the European Union

5.263 264 265 200

267 268

EU Article 29 Data Protection

Working Party, WP194, Opinion 4/201 on Cookie Consent Exemption (adopted on 7June 2012) at p8. EU Article 29 Data Protection Working Party, WP194, Opinion 4/201 on Cookie Consent Exemption (adopted on 7June 2012) at p 8. EU Article 29 Data Protection Working Party, WP194, Opinion U 012 on Cookie Consent Exemption (adopted on 7 June 2012) at p 8.. 04/2012 EU Article 29 Data Protection Working Party, WP194, pnune o on Cookie Consent at on 7 Exemption (adopted ö.. 04/2012 EU Article 29 Data Protection Working June Party,2012) WP194, pOpinmon on

Cookie

Consent Exemption (adopted on 7June 208

2012) atp

o.

Complying with

the EU cookie law may seem daunting but it 15 not more may need to provide

particularly difficult. First, organisations

C0EU Article 29 Data Protection Working Party, WP194, Opiniom 4/2012 220ookie Consent Exemption (adopted on 7 June 2012) at pp Article 29 Data Protection Working Party, WP194, Onuon 04/2012

Cookie Consent Exemption (adopted on 7 June 2012) atp.. 271 U 04/2012 EU Article 29 WP194, Opinion Data

L0OR2

Prot

ction Working Party,

Consent Exemption (adopted on 7June 2012) at Pp 209

Data Prolection in the Practical Context

Consent Obligation

detailed information about the use of cookies in their

protection policies. Second, some form of website ban

personal tata or pop-p

notice that seeks and obtains a user's consent will be:required. will be would only need to be shown for users from the EU.

These

cific aand clear; and lastly, it must be n

i

Ist

must

be

specific

Google and Dagc annoying, b various

5.264

which is e

to install and set up. lt is a JavaScript-based kit that will automa to add a header banner available in 24 once the user has banner header disappears or re cookies used on the website. Included in the kit are the a tool to declare the cookies and provide a link to thc co

languages the web matically accepted bpage. The the

following,

noice

helps to

of cookies; a consent cookie to prevent prior storage remembe choice of the user across the website and a template for tha

he for the cookie

notice p a g e 272

uscrs

in the the

EU, the the cookie

ons functio,

5.267

ogleservices

of the cookies that

cookies more For organisations that extensively, they may d to that Google has had to emulate the types of implement as a result of requests by EU data protection authorities to practices in the EU.27" Google had been surreptütiously tracking users across websites and other applications over the years using cookies and other technologies before they were discovered. Google has, in July 2015, launched a new user consent policy for users of its AdSense. DoubleClick for Publishers and DoubleClick Ad The of cookie consent by Google may provide insight into what satisfactory compliance would entail under the EU General Data Protection Regulation 2016/679.275

the in the

Google uses

EU contain

ific disclosures specific

In the

a conscnt page that about how

obtaincd

provides users

GoOgle heir activities and toprocesses personal interact with the disclosures before they can procecd any further on the very "in your tace. The they a r e quite disclosures include website information onwhat what and how personal data i1s collected and what kind ha lot of It requires data.

users

to

pause

-

personal data collected will be put to. It provides with of the cookies and show ifthey disagree angeanytheaspect the uSCrs where they can cha settings and how to change the

choices

olso settings. It als

5.265

revocal

notices appear on almost eed click click throu. through them; some at cxplicit and specific consent may find this can be

necd to to

forthe

The European Commission ofters a "cookie consent ki" , e

page; a JavaScript API with methods and functions that

serviccs

provides users with

information

on

how

they can delete

their accounts.

use

consent

change

Exchange products

implementation

5.268

An example of an explicit disclosure that is shown to EU users reads: "This site uses cookies from Google to deliver its services, to personalise ads and to analyse traffic. Information about your use of this site is shared with Google. By using this site, you agree to its use of cookies." This statement is then followed by two buttons which users can click on. One is "Learn More" and the other is "Got it".

5.266 The kind of consent required has three main elements: it must be obtained prior to any collection, that is, before cookies can be utilised;

272

European Commission,

273

en.hun#section_4> (accessed 11 July 2016). Google, "Introducing a new user consent policy" .26. h e Personal Data Protection Act (revised on 15 July 2016) para

273


consent. This would also not be applicable in in tho the data in question is embodied The

personal

which is not publicly available as such, but

Information,

within the ample under th. CC

of presed finsuy

of

Bey

data was reco stSoougs ody of

does not make the CCTV personal data publicly available. If a person was

footage containn orded the shopping centre that day, the personal data perceived cally at the "live" and could arguably be in senseswould be public

the

area

o fm a s k i n g a

h ec o s t

such as video footage, it is embodied in

that form and

once

aterial formm the

data cannot be said to be publicly available unless the available for general viewing, such as i was

Pesonal

uploaded onto aideopubliclywas

accessible website.

.28 As neither of the two circumstances outlined by the Commise applicable, it is submitted that the better view is that such fonta before

they

can

be revealed

to

esting

hdtind

be

noted,

Shou hould

discussed

access

however,

burden

onable

to

the

an

or

organisation

request

on

to

will he

provide

access would be

disproportionate

ual's interest, and

to

disproportionate

the organisation could decline to

p r o v i d ea c c e s s ,

requesting individuals for access to

security camera video footage, even if the access request is for a short period of time, such as one or two minutes, the video footage will likely show the faces and bodies of other individuals as well. This would trigger the prohibition in section 21(3)(c) as it reveals personal data about another individual.2 The question then becomes whether it is possible to mask or conceal the faces and bodies of all the other people in the footage. Technically, this would be possible, but external technical assistance may be needed to do this, and it is unclear the extent to which

access

a

the Act places an obligation on organisations to acquire such skill sets or the tools required to achieve such results. The Commission has stated that the purpose of the fee is to allow organisations to recover the incremental costs of responding to the access request

8.31 Section 21(2) provides that organisations are not required to accede to an access request in respect of the matters specified in the Fifth Schedule,48 although organisations may do so if they so wish.49 If organisations take advantage of the exceptions and do not provide access to personal data in response to an access request, the Commission has advised that where appropriate, organisations should, "as good practice, inform the individual of the relevant reason(s), so that the individual is aware of and understands the organisation's reason(s) for its decision".50

Sectios 10

an

access

It also expressed the view that organisations are required to make the necessary arrangements to provide for standard types of access requests, but that costs incurred in capital purchases such as the purchase of new equipment in order to provide access to the requested personal data should not be transferred to individuals." Given that the

Ministry of Information, Communications and the Arts, Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 2.139.
Personal Data Protection Regulations 2014 (S 362/2014) reg 7.
Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) () (ii).

A4

required

providing

or

charge.

exceptions which

is not

or

unreasona

coRSidered

even if

42 43

such costs to the

allowed to

the t.17 Thus, if the time and cost of masking other is video footag for great, the example, if the video individuals in period than a few a much longer minutes, it may be for is to the organisatior

Exceptions to granting a

onc of the

organisatio expense of

individual's i n t e r c s t , 17

8.29

considering

pass

through the fee it is

howev

is that

a c e s s i ft h e

are

from

probably

Owner

v i d u a lr e q u e s t i n g

loolag

otage security cameras need to have the images of other individuale

When

camera

setuniy

through the

public. Hor personal data is no longer "live" but captured into:a

can a icw na sicw ld appear that incharge such a reasonable fee on a sis, r t vidco circumstance where footage is unlikely to be great, the

at rccovey

Shopping Centre ABC. Just because the personal data in a

Communications and the Arts ("MICA")

that organisatio

o f

Personal Data Protection Act 2012 (Act 26 of 2012) s21(3)(9. Personal Data Protection Commission, Advisory Guidelines on Key Conepis in the Personal Data Protection Act (revised on 15 July 2016) at para Personal Data Protection Commission, Advisory Guidelines on l3.i. 27n the Personal Data Protection Act (revised on 15 July 2016) at para

Ke nG

274

Personal Data Protection Act 2012 (Act 26 of 2012) s 21(2). Fersonal Data Protection Commission, Advisory Guidelines on Kiy oncepis t h e Personal Data Protection Act (revised on 15 July 2016) at para l5.23 resonal Data Protection Commission, Advisory Guidelines on Ky tndys e 2016) at para on Protection Act

PersonalData

(revised

275

15 July

i.


8.32 If an organisation declines to provide access to personal data under an access request, the Commission has opined that the organisation should keep the personal data in question for a reasonable period, minimally 30 calendar days after rejecting the access request.51 This is to allow the individual to seek a review to the Commission of the organisation's decision.52 If such an application of review is made to the Commission, and if the Commission issues a Notice of Review Application to the organisation, the organisation should preserve the withheld personal data until the review by the Commission is concluded and any right of the individual to apply for reconsideration and appeal is exhausted.53 For the avoidance of doubt, an organisation may face enforcement action should the review of the Commission find that there were no valid grounds upon which the personal data was withheld from the individual.54

8.33 The Commission has averred that "as good practice, the organisation should keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected".55

8.34 The

a prosecution and

isrclatea

Osccution h a v e

easonable period,hould keep

ninimaly

legal privilege;*

related

an

to

s

appcals

in

the

of

the

lated to the

proceedings and the proceedings mercial information that

been completed:58

confidential

opini

position of

or

investigat

have not

and d w o u l dr e v c a l

the proceedings

not been completed7

reasonable

a

organisation:59

person,

could,

harm the

competitive

(e) is personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;60

(f) is personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre;

(g) is personal data collected or created by a mediator or arbitrator in the conduct of any mediation or arbitration for which he was appointed to act;

(h) is related to any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results.63

processod provided.

to

an

was

education

the release of

The following highlights some of the key exceptions and, like the exemptions from consent discussed in chapter 5, the reader is encouraged to closely examine each of the items listed in the Fifth Schedule.

8.35 One group of exceptions in the Fifth Schedule covers situations where the personal data or information is in some ways confidential and should not therefore be revealed. These include situations where the information:

8.36 It should be noted here that since the Act is subject to other laws, the provisions of the personal data protection regime do not affect discovery obligations under other laws that the parties to a legal dispute may have.

51 52

Personal Data Protection Commission, Advisory Guidelines on Key Conce in the Personal Data Protection Act (revised on 15 July 2016) at para Personal Data Protection Commission, Advisory Gauidelines on Key Concepis n the Personal Data Protection Act (revised on 15 July 2016) at para lb.3

l5.3

53

Personal Data Protection Commission, Advisory Guidelines on Key Lontye

54

Personal Data Protection Commission, Advisory Gauidelines on Key ona

55

Personal Data Protection Commission, Advisory Guidelines on he)

in the Personal Data Protection Act (revised on 15 July 2016) at para l3.0

in the Personal Data Prolection Act (revised on 15 July 2016) atpara dnaepts t

17n the Personal Data Protection Act (revised on 15July 2016) at para 10


56 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) ().
57 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (e).
58 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (h).
59 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (g).
60 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) ().
61 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (d).
62 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (i).
63 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (b).
64 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(6); Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para l.0.

's background

t h e employer's

8.37 The remaining exceptions contained in the Fifth Schedule cover a wide variety of situations. First, opinion data kept solely for evaluative purposes are exempt from access.

only

Lerm is not to or about individuals made in the context of evaluative broadness of the definition of "evaluative purposes" in sect: Ses. The discussed in chapter 5 on Consent Obligation and it wOuld was the exception from access would allow those

judgments opinig inions appear that making ecisions

itio

, in

an

individual

or

to

remove

individual, an individhto

employment. During the term ot employment, the reDorte from opinions guiding processes such as annual review and promarand processes, grievances, misconduct investigations and decisions afee

dle

t h eF i f t h S c h e d u l e

pupo

gricvances

edin

and

section

1 o a

can also be triggered to misconduct

2(1)

detined

of

the Act to Act to

eement

breach

encompas breaches of

so

in incdude

there

exceptions mentioned

avoid auons,

are

employment

providin dingacce ess. "investigation" is an investigation rela g no doubts

contract.

that it would

Hence,

while

oing and the appeal procesS has not yet been access can also also be denied under paragraph (1)(h) of

ivesigation exvhausted,

to

from

to the ception for opinion data kept solely for evaluative mployment context, the other

for

review of

8.38 This evaluative purposes exception would be useful for employers in their deliberations on whether to hire an

promotion

printouts

cover

It should ho

evaluative purposes to be able to do so freely without fear of a their decisions or decision making processes later on.

as

ites.

ial media websites,

"opinion data" is not required o be provided but thitha defined in the Act. It would presumably1

ecks, such

u i l so t t h e

the investigation has also not be possible. ents may as opinion data kept

F i t hS c h e d u l e .

thedocumcnts

night be classified

nat

urpose of the

a k e nf r o m

ied,

the

access to

many Apart from informatior solely for the evaluative

investigation, if evidence or information had been

her individuals

such as employees or customers, and it 11s from the contents that the information is from those

Nould b eo b v i o u s

individuals, then access to that information can be denied on the ground set out in section 21(3)(d), that is, it would lead to the identification of those individuals, even if their names have been

particular

employees individually, such as job transfers, can be denied access on the basis that they comprise opinion data solely for evaluative purposes. For example, if an employee is posted to another division or another job role, this may have been the result of an evaluation of the employee's ability to perform the task required. If, however, the reason for the transfer is policy-based such as the closure of a division in the organisation and not unique to the particular employee, then the employee would be able to access such information, but as a matter of best practice, most employers would, as a matter of course, inform their employees of the policy reasons in such instances.

employees

8.39 The evaluative purposes exception also means that those individuals who were unsuccessful in applying for employment positions or admission into educational institutions cannot demand to see the opinions formed that led to their unsuccessful applications. If an employer still holds the personal data of applicants who were unsuccessful and these do not constitute opinion data, the employer would, however, need to provide details of these in response to an access request. Some of such personal data or information may be the

the information or documents. Furthermore, access to the report of the investigating panel may also be denied because it is likely to be considered opinion data kept solely for evaluative purposes. Finally, access to information on the identity of the members of the investigation panel can also be denied based on section 21(3)(d). It would appear that the only sure information the employee would be able to access is the result of the investigation, which one would hope would be made available in any event.

8.41 Secondly, an organisation may reject a request for access if it would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests.66 The obvious example of this may be where an individual makes the same request on a weekly or fortnightly basis and there have been no changes and events or incidents that would have changed or increased the organisation's holdings or use or disclosure of the individual's personal data.

65 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) (a).
66 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para (1) () ().

8.42

Thirdly, access

mentioned, an organisatic where the burden or expense as

further quire.

may also refuse of

the :access

neca

the

on i

Dcan cant

purposes of the

1

quest fromn the

hay

provi

given above concerning footage from security cameras. In the same vein, if an individual was to request access to all video footage of him or her over the past one year, this would be regarded as both unreasonable to the organisation and disproportionate to the individual's interests due to the time and effort that would have to be expended to identify the individual from the footage and to conceal the personal data of all the other individuals.

CORRECTION OBLIGATION

concerwasnintgo vidual

individual's

request.

making

disproportionate would be period of the

8.43

TheCorrection on

in ections

Obligation provides

that is due

to

a

right

held by

data the personal

error

or

or

for

individuals to

under the

request

controlof

omission."Organisations

an

grounds, choose not to correct the data.73 If an organisation decides against correction, then the personal data should be annotated with the correction that was requested but not made.74 Otherwise, the organisation should correct the personal data as soon as practicable and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within one year before the date the correction was made. However, if the other organisation does not need the corrected personal data for any legal or business purpose, then the first organisation does not need to do this.76 With the consent of the individual, an organisation which is not a credit bureau can also send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before

Fourthly, organisations do not need to provide information in response to an access request if the personal data or information does not exist or cannot be found.69 For personal data and information that is no longer required to be kept by an organisation, this exception provides an incentive for the organisation to not retain personal data for longer than is necessary. For example, for the personal data of applicants who have been unsuccessful in their job applications, if there are no business or legal reasons to retain such personal data, employers should delete such personal data as soon as possible to eliminate the burden of having to meet the Access Obligation arising from such personal data. The deletion of such personal data will also assist the organisation to minimise their liability in the event of breaches in personal data security, as will be discussed in chapter 9.

8.44 The last two exceptions that organisations may rely on to deny access requests are where the information is trivial70 or where the request is otherwise frivolous or vexatious.71 It may be that in order to determine if a request is frivolous or vexatious, in some situations, organisations

67

Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched,

68

Personal Data Protection Act 2012 (Act 26 of 2012) s 4(6); Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Parsona Data Protection Act (revised on 15 July 2016) at para 15.24.

69

Correction Obliga ga lions

c n to

unreasonable to the organisation or providing individual's interests. An example of this was

there

and

para (1) () (i).

Personal Data Protection Act 2012

para (1) () (iii). 70

Personal

71

Personal Data Protection Act 2012

Data Protection Act 2012

para (1)()(iv). para (1)() (V).

280

(Act 26 of 2012) Fifth Sched, Sched, (Act 26 of 2012) Fifth Fifth Sched, (Act 26 of 2012)

oganisation

However,

oganisation

the date the correction was made.77

8.46 When the recipient organisation receives the notice of a correction of personal data, it also has the same choice as the first organisation as to whether to correct its records.78 If it does not make the corrections, it must also annotate the personal data in its possession or under its control with the correction that was requested but not made.79

8.47 There are numerous exceptions to the Correction Obligation. The first is contained in section 22(6), which exempts organisations from having to correct or otherwise alter an opinion, including a professional or an expert opinion. The remaining exceptions are expressed in section 22(7) and listed in the Sixth Schedule.80 These are a small subset of the exceptions which are found in the Fifth Schedule exempting organisations from the Access Obligation. The Sixth Schedule states that the Correction Obligation does not apply to the following:

72 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(1).
73 Personal Data Protection Act 2012 (Act 26 of 2012) ss 22(2) and 22(5).
74 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(5).
75 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(a).
76 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(b).
77 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(3).
78 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(4).
79 Personal Data Protection Act 2012 (Act 26 of 2012) s 22().

(a) opinion data kept solely for an evaluative purpose;

(b) any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;

(c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;

(d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or

(e) a document related to a prosecution if all proceedings related to the prosecution have not been completed.

neous, false

the uture, tne

hat

e

as

n

in

if it

for

reeauences

negauve

Con t context,

howe..CCtn

p o r T e c u o no t h e r

fect the

be

correct

not

xamination

unnecessary

demed erroneous l c n g t h

mediation on centre mediation centre; oceedings a document related to a prosecution it all proceedings related to the prosecution have not been completed. or

«

8.48 The procedural matters in relation to a correction request are set out in the Regulations and they are the same as for the access request. The only differences are that under regulation 5,83 the time frame for a response for a correction request is "as soon as practicable" and under regulation 7(4),84 an organisation cannot charge a fee under the Correction Obligation.

since

of

"ength

of

the

For

to

seven

years. The former data because

i

example, in the employee, Sarah, who with her former requests employment employer of be r ,

years to change the

Sarah

Sarah is is no

Tvice

on

made

If the annotati

kept solely f

mediss

ce

0 ngployer;, unnce

incomplete perso data

and

accurate. This might lead individu

truce

o faO former

consider

ddoes

examination

was

longer

record to

personal

Sarah's be

service requested

itis

employee, and the unchanged at seven personal data was simply an

lett

is

changed but changes were

stating

the

actual number of without made" nething which an organisation seems to be permitted to do being

specific

Sarah was a loyal employee for seven a future the potential employer contacts the lost. be may employer to conduc background checks on Sarah, the ycars former employer will not indicate that Sarah held by the employee for seven years but was an uncommitted a loyal

years, s o

section

22(5),

under

the fact ithat

.

inlornation

had

been

who only stayed with her former employer for seyven

eremployee

months.

851

situations, the power given

In some situati

to an

organisation

to not correct

the advantage of the individual, although work nal data may to be uncertain. If an organisation holds m o r e likely are the effects that are inaccurate or incomplete, then in individuals on nersonal data the data set may be of little or less use to breach, a of security the event accumulated the utilise personal data for nefarious those who wish to this cannot be a truism to be relied upon as However, purposes. will know how to combine data sets intelligent personal data thieves that the personal data is outdated, determine to and will be able to create an even or wrong but will, nevertheless, be used incomplete of the individual with the historical or erroneous faller to

8.49 From the foregoing, a number of points can be made about the Correction Obligation. First, the obligation to correct is only limited to errors and omissions, and thus constitutes relatively narrow grounds on which corrections can be requested.

8.50 Secondly, the Correction Obligation is by no means a strict obligation to correct when the organisation has the power to decide that a correction should not be made, albeit on reasonable grounds. This carries both positive and negative repercussions. One negative effect is that erroneous, false or incomplete personal data can continue to be held about an individual. Although an annotation of the correction requested is required, if this is not done properly, it may be possible

80 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(7) and Sixth Sched.
81 Personal Data Protection Act 2012 (Act 26 of 2012) Sixth Sched, paras 1(a)-1(e).
82 Personal Data Protection Regulations 2014 (S 362/2014) reg 2.
83 Personal Data Protection Regulations 2014 (S 362/2014) reg.
84 Personal Data Protection Regulations 2014 (S 362/2014) reg 7(4).

profile

personal data, whichever case it may be.

8.52 The third point to be made about the Correction Obligation goes to the heart of the obligation itself. If personal data is in error or incomplete and the individual has requested correction, the rectification ought to be made unless it is trivial or insignificant, in which case the individual would probably not have requested the correction in the first place. The way the Correction Obligation is designed is problematic. By imposing a requirement on the

Data

organisati

to

organisation*"

or

Prolection

in the

Access and Coreclion Obligations

Practical Context

send the corrected a subset thereof,*

person onal data toto to

which

it has personal data in the past one ycar, may create This means that too informed, some of which may not need many oroa

over-inclusiveness.

such as where the need for them to

create the problemoher

disclosed the

the corrected ations may the corrected persoy

longer exists, for example, if the company and the delivery has been completed or provides service for warranty purposes and the the expired.37 no

well as opinion data vould appear that the main

or Cxperto p i n i o n s ,

every

cation could be h i c hr e c t i f i c

since

personal da

organisationif thewasersonal data elivery

i t is

her

Hence,

th.

rsonal data is

or

his

given be

uhat

requested are

individual who has

at

least

without

kept solcly for

bulk of evaluative thosce of a Tsonal data for

factual nature. vested interest to

error or

this minimum ;

mount

ensure omission, individuals

of

control

should

over

personal data.

their

a

ganisation warranty orperiod

EUROPEAN UNION POSITION

8.53 To counter this over-inclusiveness problem, the Legislature has limited it such that if the other organisation does not need the corrected personal data for any legal or business purpose, then there is no requirement to send the corrected personal data to those specified organisations. This is a convoluted way of structuring the Correction Obligation and requires more resources than is necessary, both in its implementation and in the decision-making process of whether to make the corrections and to whom the corrected personal data should be sent. For some organisations, they may find it easier to comply by simply forwarding the corrected personal data to all the other organisations it has disclosed the personal data to in the past one year than to make an assessment of whether the other organisations need the corrected personal data. Unfortunately, this would mean that an individual's corrected personal data is being passed around to many organisations unnecessarily since they have no need of the corrected

European 855

("EU") law providesacomprehensive

Union ("EU'")

system rights In particular, the EU General Data ta subject. Protection has given individuals 2016/679 numerous new rights with corresponding on ourdens ed of

Regulation

organisations which are requirements quite detailed to be

accompanied

data. Some of the sCussion below is only intende

process p e r s o n a l

and

an

introduction to the

materials.

Right of access

The Directive

the

8.56

personal

are the EU Data Protection Directive 95/46/EC and is further strengthened in the EU General Data Protection Regulation 2016/679. Article 12 of the EU Data Protection Directive 95/46/EC sets out the

data. This adds to the accumulation of individuals' personal data, thereby increasing the availability, accessibility and security risks for the individuals and, ultimately, the organisations as well, as their computing systems would be a rich target for attackers.

8.54 In terms of good data protection practices that foster personal data security, the individual should simply have been given the ability to have the personal data rectified, and to specify which organisations the corrected personal data should also be sent to as deemed appropriate. This would not give too much power to the individual over the personal data the organisation holds as the exceptions for the Correction Obligation exclude opinions, whether they are professional

The right of access for the individual has been enshrined in EU law

elements of the data subject's right of access. To be clear, there are exceptions to the right of access that are enumerated in Article 13 and which are also applicable to other rights, but these exceptions are self-limiting. So, for example, Article 13(1) allows exceptions where it is necessary to safeguard national security; defence; public security; the

8

85 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(2)(b).
86 Personal Data Protection Act 2012 (Act 26 of 2012) s 22(3).
87 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para l»s4
Personal Data Protection Act 2012 (Act 26 of 2012) s 22(6).
Personal Data Protection Act 2012 (Act 26 of 2012) s 22(7) and Sixth Sched, para 1(a).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("EU General Data Protection Regulation 2016/679").
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31 ("EU Data Protection Directive 95/46/EC").

prevention, investigation,

detection and prosecution of ethics for regulated financial interest of a

of breaches

8.57 Article 12(a) of the EU Data Protection Directive member states to guarantee every data a constraint and at reasonable intervals to

fessiocrins,minanal

(b) (c)

(d)

(e)

the purposes of the processing; the categories of data concerned; the recipients or categoies ot

disclosed;

data without and o

personal data it following-98

recipients

to

whom

the personal data undergoing processing and any available intormation as to the provided in source of the and

in the case of automated decisions, the

automatic processing of personal data.

the

data

s

ntelligible person- fom

logic involved

example, to satisfy Article 12(a), organisations cannot just cursorily inform the data subject that it is processing his or her name, address and date of birth without providing the specifics of what name they hold for her, her actual address and her actual date of birth. Thus, this means that an organisation would have to tell an individual specifically, for example, that: "The name on file we have for you is Mary Magdalene, the address in our records for you is 3 Galilee Rd, Magdala, we do not have your date of birth in our records."

8.59 The other information specified in Article 12(a) such as the source of the information would also need to be provided where available, but an organisation must not destroy information about the source of data in order to be exempt from disclosing it, nor should it avoid keeping documentation on the source of the personal data. This provision aimed at maintaining fairness and accountability, the two principi

EU Data Protection Directive 95/46/EC, Arts 13(1) (a)-13(1)(g) EU Data Protection Directive 95/46/EC, Art 12(a).


the

need

to

s o u r

the on

provide

aled iafornmation

.ndergoes any processing

as well as the

processes explained in intelligible form be to the or legal jargon should end, this be avoided adeect. To where that is the on information being held by eviatu0 be explained to the data subject. Finally, where must

and

an

technical

s,

nced

decisions

aated de

he

ulomated need pocess

Kaluate

The

the

whether

have

ugem

general logic of the decision

with

the

criteria utilised

to

subject,

of the EU the

right

to

Data Protection Directive 95/46/EC access information extends to the past and

pean

arose

from

into

the

explained, along

past. This issue was Union ("CJEU") in

dear

howlong

en made,

b e e e d

5

data

vordin,

an

to the

ab

ganisatuon,

a

practical terms, Article 12(a) requires the data subjects to be informed about the categories of data processed as well as about the actual content of the personal data. For

92 93

nat

the

wethouders van

in ththe

8.58 In

In

stated

subject has a right to obtain confirmation from ular, very data om the organisation whether or not personal data is being on as to process what is and information the

(a)

Sing

SCd

ersonaldata t h a t

personal other information about their personal data. In particula

concerning

Commission has explicitly

above.

and so on

subject right95/46/EC of access Tequires their

processing

be noted that the organisations do not Singapore, the personal data. source of should

It

offences, of important economic or member e EU, including monetary, budgetary and axatior ation matters or of the or

a

examin by the Court of Justice 2009 in the case of College van Rotterdam v MEE Rijkeboes ("Rijkeboer")

dispute between Rijkeboer and the College, the municipal authority, where the College partially refused to provide Rijkeboer with personal data relating to him in the past. Rijkeboer had requested that the College inform him of all circumstances in which data relating to him had been disclosed to third parties in the two years preceding his request. In response, the College provided Rijkeboer with the details of the recipients to whom personal data had been disclosed, but only for the period of one year preceding his request, in accordance with national legislation. The College claimed that personal data dating back more than one year prior to his request had been, according to Dutch law, automatically erased.97

8.62 The issue in the CJEU was whether the national legislation, which set the time limit of one year, was compatible with Article 12(a). The CJEU outlined the role of Article 12 and stated that the right of access to personal data is necessary to enable the data subject to exercise the right to rectify, erase or block his personal data or to notify this to

94 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 15.7.

95 EU Data Protection Directive 95/46/EC, Recital 41.

96 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293.

97 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [25].

third parties which

arc

contained in Articles 12(h the CJEU also and stressed that t is also necessary to enable the data to cxercio subject object to the processing of personal data his rigt in was of the view that for a data to be subject able of these sets of rights effectively, access to the personal "must of necessity relate to the past",100 ata access the data would not be in a position to exercise his personal data rectified, erased or blocked or

respectively. Secondly,

12

contained

CIEU

effectively

and obtain

acces

Article 14 to. The

exercise both

otherwise, to

bring 10i legal compensation for the damage suffered.

proceeri edings

the

length of time or subject with the

the scope, the CJEU burden of the organisation s personal data. It noted that in other parts of of the EU Data Prote Directive 95/46/EC, account may be taken of otecion the disproportion nature of burdens, and concluded that a

balan. balanced the to stOTe

right of the data

subiject's personal

disproportionate

data for

effort required

a

of

legal obligation to keen. long period of time would hethe

organisations.2

legislation of member states should strike interests of data subjects and the

a

It said

fair balance

organisations holding the personal data.0 The CEU said:101

or

that

ricted ea

anduly ataonabout

een t e processing esSing

Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.

personal data may not be rights of both parties, rtunity to obtain the personal data. oftheir

the

processing

Right of access - New European Union law

has

ght of acce

EU

in

the

been further

strengthened

ation 2016/679.

EU

Data

Protection

in the EU In addition to the

General

provisions

Directive 95/46/EC,

the EU

Protection Regulation 2016/679 adds a Article 156 sets out the and clarifies some rights ss by the data subject and it adds that a data subject h ofextra present

obligations.

General

1o

obtain,

where

data will personal

a

the

accCSS one's

acce

timne

The. Data P r o t e c t i o n

Regarding

to

To balano the time limits. restrictcd by a reasonable b j e c t s m u s t a l s o be given

this regara,

bject ight toSulhave

8.63

data

the right

Obligation

ermine

that

the

possible,

8.66 fa order

envisaged period

be stored or, if not

neriod16

and the

right

supervisorya u t h o r i t y . 107

expressly

possible,

of

couple

for which the

the criteria used to

lodging a complaint with

a

give organisations some flexibility in meeting the access requirement, Recital 63 of the EU General Data Protection Regulation 2016/679 provides that where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. However, this should not result in a refusal by the organisation to provide all information to the data subject.108

8.67

98 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [51].

99 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [51]-[52].

100 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [54].

101 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [54].

102 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [62].

103 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [64].

104 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293 at [70].

The organisation should also use all reasonable measures to verify the identity of a data subject who requests access, especially in the context of online services and online identifiers. Lastly, possibly with the Rijkeboer case mentioned above in mind, organisations should not retain personal data for the sole purpose of being able to react to potential access requests.

106General Data Protection Regulation 2016/679, Art 15. 07 neral Data Protection Regulation 2016/679, Art 15(1)(a). General Data Protection Regulation 2016/679, Art 1o EU General 09 EU Genera Data 2016/679,

ata

Protection Regulation Recital o Protection Regulation 2016/679, Recital 64. 289


Article 12(5) stipulates that the information should be provided free of charge unless the requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.110 In such cases, a reasonable fee taking into account the administrative costs of providing the information can be charged or the organisation may refuse to act on the request. This is quite a departure from the position in Singapore and compliance may prove to be costly for organisations.

eciiat

8.70 onerous to

right requirements in the EU laws are quite when compared with the Singapore legislati

EU

Protection

Directive 95/46/EC

povnles t n a ld a t a

relating

accuracy

ta

the

piUcula lar

p o c e s s i n g1 . 4

The

les

ightforward exa

a

ired

to

naguired sted.

eland sabject,

name

is

of

rectification

may include where the

where here has been a of nuumber. For some rectilication, evidence may be

change

correct or

antiate the alleged inaccuracy and the changes dentiary proof required must be at an appropriate

substantiat

The evide

must

c an unreasonable burden of proof on the data

placec

not

thereby precludi

data subjects from having their data

may be demanding a birth certificate as example An where the birth certificate may have been cified. proof form of in a w a r . the only fire o r of

destroyed

in a

acccss

comply with

requirements. Organisations that find themselves falling within the jurisdiction of the EU laws would need to ensure that their personal data practices are fully compliant well beforehand.

3.

Data

subjects "must be able to cxerCise the right offurther access him which are being processed, in order to ver hi to o off the data and the lawfulness of racy the

41 o f the

p e l i n go

8.69 As with all data subject rights, the information should be provided to the data subject without undue delay and within one month of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

strengthened

-

Practical Context

8.68

The

Obligalio

Right to rectification - The Directive

8.71 As mentioned above in the Rijkeboer case, the CJEU had held that one of the reasons for the right of access was so that data subjects could exercise their right to, amongst others, have their incorrect personal data rectified. Article 12(b) of the EU Data Protection Directive 95/46/EC provides that every data subject has the right to obtain from the organisation, "as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data".113

Article 12(b) of the EU Data Protection Directive 95/46/EC also gives data subjects the right to have personal data erased. This is often due to the lack of legitimate basis for the collection or processing of personal data, such as where consent has been withdrawn, or where the personal data is no longer needed for the purpose of the collection. Thus, to counter such a request for erasure, organisations will need to show the legitimacy of the processing.115

8.75 Lastly, Article 12(b) also gives data subjects the right to have personal data blocked. This might be due to allegations that the personal data was incorrect or inaccurate and should therefore not be used for further processing, especially if the processing would result in decisions being made concerning the data subject, in particular, negative decisions. The personal data will not be deleted in such a scenario but in accordance with the principle of fair processing, the personal data, in accordance with Article 12(b), cannot be utilised.

8.76 Article 12(c) concerns the right of notification to third parties to whom personal data has been disclosed of any rectification, erasure or blocking, unless this is impossible or involves a disproportionate effort, such as when the personal data has been published on the Internet and the recipients are many and their identities unknown.117

110 EU General Data Protection Regulation 2016/679, Art 12(5).

111 EU General Data Protection Regulation 2016/679, Art 12(3).

112 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer Case C-553/07 (7 May 2009) ECLI:EU:C:2009:293.

113 EU Data Protection Directive 95/46/EC, Art 12(b).

EU Data Protection Directive 95/46/EC, Recital 41.

EU Data Protection Directive 95/46/EC, Art 12(b).

EU Data Protection Directive 95/46/EC, Art 12(b).

4. Right to rectification - New European Union law

8.77 The right to rectification under the EU General Data Protection Regulation 2016/679 is far more strongly and clearly worded than was in the EU Data Protection Directive 95/46/EC.118 Article 16 of the EU General Data Protection Regulation 2016/679 provides that an organisation should rectify without undue delay personal data that is inaccurate.119 As for incomplete personal data, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.120

8.78 Article 16 is very clearly articulated and leaves no room for doubt, unlike Article 12(b) of the EU Data Protection Directive 95/46/EC which was prefaced with the words "as appropriate" and which specified that the right to rectify, erase or block could only be exercised when the processing does "not comply with the provisions"121 of the EU Data Protection Directive 95/46/EC. Article 16 also grants to the data subject a clear unfettered and absolute right to rectify inaccurate personal data, unlike the Singapore statute which gives the organisation an opportunity to decline correction on reasonable grounds.122 As for the right to rectification of incomplete personal data, the only criteria that can be taken into account according to Article 16 is the purpose of the processing. This is again relatively narrowly specified when compared with the Singapore legislation, where rectification can be declined on reasonable grounds.

CHAPTER 9

Care of Personal Data

This chapter will deal with the first three Obligations in Part VI (Care of Personal Data) of the Personal Data Protection Act 2012 (the "Act"), regarding accuracy, protection and retention of personal data. To a large extent, the Accuracy Obligation and the Completeness Obligation are quite lax and may not be effective in achieving their aims.

A. ACCURACY AND COMPLETENESS OF PERSONAL DATA

9.2 The Accuracy Obligation requires organisations to make a "reasonable effort" to ensure that personal data collected by or on behalf of an organisation is accurate and complete. However, even this "reasonable effort" required is not an absolute requirement, as organisations are only required to do this if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates or if it is likely to be disclosed by the organisation to another organisation. This is indeed very weak protection for the , as false and incorrect information can continue to be

and the the individual.

117 EU Data Protection Directive 95/46/EC, Art 12(c).

118 EU Data Protection Directive 95/46/EC, Art 12(b).

119 EU General Data Protection Regulation 2016/679, Art 16.

120 EU General Data Protection Regulation 2016/679, Art 16.

121 EU Data Protection Directive 95/46/EC, Art 12(b).

122 Personal Data Protection Act 2012 (Act 26 of 2012) s 22.

perpetuated without the knowledge and control of

Act 26 of 2012.

Personal Data Protection Act 2012 (Act 26 of 2012) s 23.

Personal Data Protection Act 2012 (Act 26 of 2012) s 23(a).

Personal Data Protection Act 2012 (Act 26 of 2012) s 23(b).

9.3 As noted in chapter 8, the rights to access and correction are not absolute rights and they would not necessarily engender personal data that is held or used to be accurate, especially when organisations have a choice whether to correct personal data that is in error or incomplete.5 The Accuracy Obligation is equally relaxed. The Accuracy Obligation is set at such a low level that it is indeed unclear how it can achieve its stated objective. The Personal Data Protection Commission (the "Commission") has indicated that the aim of the Accuracy Obligation is to ensure that where personal data may be used to make a decision that affects the individual, the data is reasonably correct and complete so as to ensure that the decision to be made takes into account all relevant parts of accurate personal data.6

9.4 First, imposing the obligation of accuracy only on personal data that "may be used to make a decision" is encouraging sloppiness in the handling of personal data. It creates a hierarchy in the value of personal data and leads to double standards being applied to different types of personal data. Further, it is not uncommon for a piece of personal data that was initially thought unlikely to be used for making any decisions to be in fact used later on, perhaps several years later, to make a decision. However, as the initial assessment was that it was unlikely to be used for decision-making, no care was taken to ensure that the personal data was accurate and complete. An example of this may be information on an individual's educational qualifications for a store discount card for the purpose of sampling the demographics of customers. This type of personal data may, however, be used years later to make decisions on which holders of the store discount card should be invited for a new co-branded credit card.

9.5 Secondly, if the aim is to ensure that any decision made affecting the individual takes into account all relevant parts of accurate personal data, then organisations should not be given any choice to decline the correction of personal data that is in error or incomplete. By allowing organisations a choice, this opens the door for inaccurate and incomplete personal data to creep in.

5 Personal Data Protection Act 2012 (Act 26 of 2012) s 22.

6 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 16.2.

9.6 Thirdly, the standard that organisations are required to meet is that of a reasonable effort. This standard is low, not well defined and vague, and is flexible in nature. The Commission has stated that what "reasonable effort" entails will depend on the exact circumstances.

1. The five factors

9.7 The Commission has provided a list of factors that should be taken into account to determine what constitutes "a reasonable effort".

9.8 The first factor is that of the nature of the data and its significance to the individual concerned, for example, if the personal data relates to health, it would be a significant type of personal data and, presumably, a higher effort would be required as compared with other types of personal data such as a person's preference for a brand of mobile phone.

9.9 The second factor is the purpose for which the data is collected, used or disclosed. Presumably, the more serious or important the purpose, the higher the effort should be to ensure accuracy. The third factor is the reliability of the data. The Commission has confirmed that where the personal data was obtained from the relevant individual directly, organisations may presume that the personal data is accurate. The Commission also suggested the device of requiring the individual to make a verbal or written declaration that the personal data provided is accurate and complete, especially where the personal data may have been collected some time ago and the currency of the personal data is important.

9.10 It would appear from this that the Commission would not require organisations to verify the veracity of the personal data themselves as part of satisfying the requirement of reasonable efforts. For example, there is no need for organisations as part of their reasonable efforts to sight documents such as the National Registration Identification Card ("NRIC") to prove the truth of the personal data. A declaration by the individual would suffice.

Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para l0.t.

Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 16.4.

Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 6.

is the im impact on the individual concerned if the the or incomplete. Thi last factor is in some factor of th nature of the data and first its th e he

is factor data

is

T h el a s t

lated to personal

inaccura1

dividual concerned. For example, if the personal

indiv

to

nay3

sigznificance

the

health

9.11

Where personal data is collected from a third party instead of from the individual, the Commission suggested organisations could obtain confirmation from the disclosing organisation of the accuracy and completeness of the personal data or it may also conduct further independent verification if it deems prudent to do so.11

9.12 This also raises the issue of authentication, especially in the context of online interactions. From the Commission's statements, it appears that organisations that collect personal data online, such as through their websites, can assume that they are collecting from the relevant individuals directly and the personal data is accurate and complete. Organisations may, for their own business purposes, implement processes that verify the personal data such as through sending an e-mail to the e-mail address provided to confirm that the owner of the e-mail account has actually signed up or provided personal data on the organisation's website.

9.13 The fourth factor to consider is the currency of the data. This appears to suggest that if the personal data was collected some years ago, to meet the requirement of reasonable effort, the organisation would need to take steps to update the personal data. However, the Commission stated that "an organisation may not be required to check the accuracy and completeness of an individual's personal data each and every time it makes a decision about the individual". From this,

afais

is also significant to the individual in and on the individual may concern the life and death which

related,

the impact on

he individual, and thus the impact is also significant.

oi f sel,

or we.

9.15 From the factors, one is, however, left wondering what would constitute "reasonable effort" as the standard appears to be an uncertain movable feast. Take the example of entering data, a simple transferring of personal data from a paper form that a customer filled in to a computer system. Would "reasonable effort" require the organisation to have in place, in addition to the data entry person, a second person who checks the personal data entered? From the factors, for some purposes such as insurance, banking and health purposes, this would appear to be required as the nature of the data in these cases would be quite significant to the individual concerned. These, however, are the straightforward cases. What would be the "reasonable effort" required for data entry for purposes such as the provision of utilities such as telecommunications or Internet, or car rental? The factors set out by the Commission do not give clear guidance as to whether a "checker" would be required for accurate data entry of personal data into a computer system in these cases. It would appear that there are no overriding factors that would dictate a course of action for an organisation to meet compliance. It may be that organisations would aim to meet the higher standard and ensure a checker is in place in order to avoid falling short of compliance. This would, in any event, be the best course of action for the organisation in order to adequately ensure personal data is accurate.

the Commission seems to be suggesting that the factors may well balance or cancel out each other. This makes compliance based on the factors relatively difficult; a factor to which the organisation may give a heavier weight may be given a lighter weight by the Commission.

2. The four aspects

9.16 In addition to these five factors, the Commission also listed four lar aspects where organisations should make reasonable efforts

TlPersonal Data Protection Commission, Advisory Guidelines on 15 July 2016) atompara Conaeps the Personal Data Protection Act (revised 12

on

7

Guidelines A Personal Data Protection Commission, Advisory 2016) at paird 172 the Personal Data Protection Act (revised on 15 July


Data

"in order

Protection in

to ensure that

Organisations must make (a)

it

accurately

(c) (d) 9.17 The

personal

Context

personal a

records

source,

(b)

the Practical

data is accurate and reasonable effort to enSitre.

personal

.

data which it

data it collects includes all

completeness;

that:4

relevant parts thereof

shatever

rcumstances

informatüon.

Commission recommended

that

organisations perform the: their o to ensure the completeness of personal data that is likely to be usedaccuracy and decision that will affect the individual.5 The Commission to also0make a that an organisation may also not be required to review all the no data currently in its possessionn to ensure that ersonal they are accurate time it is complete each and to use

reasonable ffort

every

individual.16

likely

make

a

decision abontt the

9.18 It would appear that the Commission is on the one hand espousing the ideal of organisations making decisions about individuals using accurate and complete personal data, but on the other hand, it is not requiring from organisations the rigour of the standards required in order to achieve this.

act on individuals are relatively non-significant pended satisfy

could iht be that any etfort that is hlosure of the currency of the personal data, nseriort" In terms disclost

it has taken the ensure appropriate (reasonable) steps in the to ensure the accuracy and correctness of the it has considered whether it is necessary to update the data and

risk assessment and

here t . h e naturcce 920

collccte

personal

of the personal data, purpOses of the collection use

complete

able

effort"

humb might be that any personal data more than

thum of

ould be verified wit the individual and updated as data ata is relatively static personal dar the personal anless other types of biometricdata.

rule

rough thne years o l d

a

r e q u i r e d ,u n l c s s

asthumbprints, irises

data, purposes of the collection use individuals are significant in any way, then isclosure, or the approach of doing all it can within its c o u l d adopt isations be impractical or impossible. organk imited only by what would of reasonable effort" and would be the standa above sit the

nature

ofthe

personal.

impact on

or

This

would

compliant

obligation. with the

3. Compliance with Accuracy Obligation

9.19 By the very fact that the standard of "reasonable effort" is a variable requirement depending on the circumstances, it should be relatively easy for organisations to argue that it has complied with the Accuracy Obligation, even though the requirements for compliance are not entirely clear.

4. European Union position

9.22 The European Union ("EU") position on accuracy and completeness of personal data has been well established since the EU Data Protection Directive 95/46/EC.18 Article 6(1)(d) requires that personal data must be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified".19

9.23 The EU General Data Protection Regulation 2016/679 is similarly worded in terms of the accuracy of personal data. The requirement in

13

Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para lD.

14 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

15 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

16 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

17 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281/31 ("EU Data Protection Directive 95/46/EC"), Art 6(1)(d).

EU Data Protection Directive 95/46/EC, Art 6(1)(d).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection


EU law is clear, that personal data must be and absolute standard required. It also

vidual

accurate,

that

the an obligation organisations to keep the personal data up toimposes date where re

necessar

osed

disc

that

for

respect

to both

personal

data that was

step had

personal data that incomplete. Under the EU inaccicCurate : Protection Regulation 2016/679, for personal data that isGener Data incomo discussed in chapter 8, the data subject has the mplete, to rectification right under Article 16, manifested in the right to have

well

as

was

as

data

completed, including by

means of

statement.

incomplete personol providing a supplementay

reasonable efforts to ensure that personal data collected by or on behalf of the organisation is accurate and complete.22 To take every reasonable step is to do everything reasonably possible which entails the maximum amount of effort. To make reasonable effort, however, does not involve expending the maximum amount of effort, especially given the five factors outlined by the Commission.23

9.26

on A further point of difference is that the EU law requirements to whereas the requirement make accuracy applies to all personal data,

reasonable effort in the Singapore statute only applies to personal daa

likely

to be used

Regulation) ("EU

by

an

organisation

to

make

a decision

ulae

organisation.25

within the jurisdictional reach of the EU, it hat fallstraightforward to have one set of accuracy of

n e a t e ra n d m o r e s

that adhere to the EU standard. This would and would assist in practices minimising

personal data p r a c t i c e s rb

best

liability

a

industry

claim.

l dindividuals m a k e . eel

OF

PROTECTION

PERSONAL

DATA

B. of personal data in the Act, the the of is key provisions to the personal data Obligation, ovision mandating the security of ithout a regime. rotection data protection regime would Pldata, the whole personal

9.28 The prov

on

the

protection one

Protectio

persona

The Protection Obligation 9.29

Section 24 of the An

General

Data

Protection

Regulation 2016/0

Art 5(1)(d). Regulation 2016/679, Data EU General 2012) s 23. of 26 2012 Act (Act n Personal Data Protection Protection

magtis

Guidelines na 16.4. Commission, Advisory 2016) at pa Personal Data Protection on 15 July Protection Ad (revised 7n the Personal Data 300

Act

organisation

its control

by

provides that:

shall protect making

personal

reasonable

data in its

security

possession

arrangements

to

or

under

prevent

unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 9.30 The Protection Obligation is broadly worded to cover all kinds of

Secunity arrangements from administrative measures to physical and nical measures. The standard that organisations are held to is aOnable security arrangements". Like the standard of "reasonable the Accuracy Obligation, the Commission has stated that tor there

no single solution. Organisations are to adopt security dirents that are reasonable and appropriate in the

Art 5(1) (d). 22 23

data relates?or if it is

to another

ganisations t h a t .

ances.

21

personal

fll apart.

9.25 It should be noted that the EU requirement of taking 'every reasonable step" to ensure that personal data is accurate is quite different from the legislative requirement in Singapore of making

that is

the

organisati

iely

organisations must take everyslight differenc reasonable

inaccurate personal data, while previoue e step the EU Data Protection Directive 95/46/EC, every reasonable under sten to be taken with to

by

whom

an

be to

9.24 The EU General Data Protection Regulation 2016/679a Tmana. every reasonable step must be taken to ates that ensure that are inaccurate, having regard to the purposes forpersonal d that processed, are erased or rectified ithout delay. The which they are in the new EU law is

only with respect

to

fectsthe individual

24

Personal

Some of the factors that are relevant and can De

Data ersonal Data Protection Act 2012 (Act 26 of 2012) s 23(a). 6 Perso Act 2012 (Act 26 of 2012) s 23(6). Tsonal Data Protectic Act 2012 (Act 26 of 2012). n the TOtection Commission, Advisory Gruidelinesaton Key onapis Persomal Data Protection Act (revised on 15July 2016) para ll.6*

Protection.

Personal

301

considered include the nature of the personal data, the form in which the personal data has been collected, and the possible impact to the individual concerned in the event of any unauthorised access, use, disclosure, modification and so on. For example, data on health would call for much higher levels of security than data on an individual's favourite restaurant or the model of car that one drives. Similarly, an individual's salary is often a confidential piece of information so that personal data concerning an individual's remuneration should be well guarded.

9.31 In terms of compliance with the Protection Obligation, the Commission gave some indications of what would be expected of organisations. First, organisations should design and organise security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach.30 Organisations would need to assess the kinds of personal data they hold and devise appropriate security arrangements. If an organisation is an employer, then all of the personal data it holds concerning employees should be given a high level of security protection. Similarly, the personal data held by healthcare clinics, such as medical clinics and physiotherapy clinics, would comprise largely health related personal data and, hence, these organisations should be mindful that much of the personal data they hold is highly confidential and sensitive in nature and should implement high levels of security for the personal data.

9.32 Second, the Commission also stated that organisations should identify reliable and well-trained personnel responsible for ensuring information security.31 The Commission is clearly placing the onus on organisations to engage personnel to manage the security of personal data and to ensure that they are appropriate personnel in that they are reliable and well-trained. This cannot be stressed enough where organisations utilise information technology. Organisations need to engage specialised personnel that can ensure that their computer systems are secure from unauthorised access and all the consequences therefrom, such as the personal data they hold being deleted or tampered with, thereby negatively impacting on the integrity of the personal data. Organisations should always be mindful that unauthorised access can also result from employees as well as others.

9.33 Third, organisations should implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity. Before organisations can implement such policies and procedures, they would need to assess their personal data inventory and ascertain the nature of the personal data as required by the first requirement outlined by the Commission. In the employment context, for example, this might necessitate a higher level of security for highly confidential employee appraisals and personal data on salaries. Where the employer provides healthcare insurance, employee health records would also deserve higher levels of protection.

9.34 Lastly, organisations need to be prepared and able to respond to information security breaches promptly and effectively. This is a response plan which is quite detailed and which will be considered below.

28 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para …

29 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para …

30 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.3(a).

31 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para …

32 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.3(c).

33 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.3(a).

34 [2016] SGPDPC 3.

35 [2016] SGPDPC 1.

36 [2016] SGPDPC 2.

37 [2016] SGPDPC 7.

9.35 As discussed in chapter 2, a considerable number of the cases dealt with by the Commission to date have concerned lapses or failures to protect personal data. These included cases of data leak such as Fei Fah Medical Manufacturing Pte Ltd,34 K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd,35 The Institution of Engineers Singapore36 and Metro Pte Ltd.37 In these data leak cases, the information technology used was not properly secured, and the cases highlight the need for organisations to engage reliable, reputable and trustworthy information technology personnel. The growing number of cases involving lapses in the implementation or usage of secure information technology led the Commission to publish, in January 2017, a Guide to Preventing

Accidental Disclosure when Processing and Sending Personal Data38 which also included useful short summaries of the information technology failures in some of the decided cases.39 The fact that there was a need to publish such a Guide, as well as the breaches in the cases themselves, show that there are substantial gaps in the basic information technology knowledge of both organisations and those individuals in the organisation who ought to have known.

9.36 Engaging reliable and reputable information technology personnel would also ensure the software programs deployed have safeguards in place to prevent unnecessary disclosure of personal data. The cases of Fu Kwee Kitchen Catering Services and Pixart Pte Ltd,40 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybersite Services Pte Ltd and East Wind Solutions Pte Ltd,41 ABR Holdings Ltd42 and GMM Technoworld Pte Ltd43 are cases illustrative of this simple principle. The agreements with information technology providers should also include clauses that warrant the systems deployed do indeed protect and secure personal data. The importance of such contractual clauses was displayed in JP Pepperdine Group Pte Ltd,44 where the information technology provider, Ascentis, was contracted to only provide the design of the webpage for the respondent.45 This absolved Ascentis completely from liability for the breach of the Protection Obligation.

9.37 In other cases where personal data were not properly protected, some of them were due to administrative human errors that could have been averted if robust policies concerning personal data handling were in place. For example, in Universal Travel Corp Pte Ltd,46 the respondent should have had a policy that prevented the sending of passenger lists that were not redacted. Similarly, had a policy been in place for cross-checking, the human errors made in Singapore Computer Society,47 Challenger Technologies Ltd and Xirlynx Innovations48 and Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd49 would not have occurred. The case of My Digital Lock Pte Ltd50 is somewhat an oddity as it is quite unimaginable why someone would transfer information between their phone and their computer using an open social media platform such as Facebook. Common sense would suggest many other better and faster methods of transfer, such as direct connection to a computer or through e-mailing the files to oneself. Nevertheless, organisations still need to protect themselves from liability by setting policies that prohibit the use of any open platforms for any transfer of personal data.

9.38 In … Ltd and Toh-Shi Printing Singapore Pte Ltd,51 on the other hand, proper procedures were in place but they were not followed, hence employers need to ensure employees are properly trained and are accountable at every step of the processing of personal data.

2. Data protection by design approach

9.39 In terms of implementing security for personal data, much of it can be approached from the perspective or approach of privacy by design or data protection by design discussed in chapter 7, and all the principles and approaches discussed there are relevant to the issue of ensuring reasonable security arrangements are in place. The Commission has given some examples of the administrative, physical and technical measures that organisations can employ. To address the full range of security arrangements from administrative measures to physical and technical measures in a given situation, the illustration of the employment context will be considered in more detail. The employment context provides a rich base to begin the discourse as most organisations are also employers, so they collect, hold and process a basic core of personal data.

38 Personal Data Protection Commission, Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data (issued on 20 January 2017).

39 Personal Data Protection Commission, Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data (issued on 20 January 2017) at para 3.1.

40 [2016] SGPDPC 14.

41 [2016] SGPDPC 19.

42 [2016] SGPDPC 16.

43 [2016] SGPDPC 18.

44 [2017] SGPDPC 2.

45 JP Pepperdine Group Pte Ltd [2017] SGPDPC 2 at [20].

46 [2016] SGPDPC 4.

47 [2016] SGPDPC 9.

48 [2016] SGPDPC 6.

49 [2016] SGPDPC 11.

50 [2016] SGPDPC 20.

51 [2016] SGPDPC 15.

52 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.5.

9.40 For an employer, a variety of security measures should be adopted to protect personal data from the time of collection of personal data until its disposal. The life cycle of personal data could begin as early as the pre-application stage when employers are in the recruitment stage. If much personal data is collected about potential employees, either from recruitment firms or from the employer's own searches and background checks, best practices require these to be kept even from the prying eyes of employees who are not involved in recruitment, directly or indirectly. Indeed, section 24 requires procedures and processes to ensure that the personal data is not exposed to unreasonable risks.

9.41 Where applicants apply for jobs using paper-based applications, employers must ensure that the applications are received securely, and not simply submitted or left in exposed areas. Access to the applications should be restricted to only those who need to see the contents. For example, job applications should never be left in an open tray where any person, even if they are employees, can walk by and look at the contents. This is to protect not only the contents of the applications that contain the relevant personal data, but also to protect the fact that the individuals have applied for a position with the employer. This fact would be considered personal data under the Act as the individual can clearly be identified from the data or application53 and, hence, would be protected under the Act. This would achieve the broader aim of protecting the individual as details of employment movements are often regarded as sensitive and confidential. For applications that are submitted online such as on employers' websites, the information should be encrypted to prevent eavesdropping by hackers.

9.42 During the course of employment, employers must ensure that employees are bound by confidentiality clauses in their employment contracts. These should extend to prohibitions on the sharing of passwords and knowledge of personal data of people both within and outside of the organisation. Employers should ensure that employees only have access to personal data that they need for their work and no more. This, for example, might require having layered access to information on computer systems with different clearance levels for different employees on a need to know basis. In most cases, access to sensitive information, such as salary, residential address and date of birth, should be restricted to a small class of employees only … medical leave … while it would be permissible for more employees to have the mobile telephone numbers of their colleagues.

9.43 As a general rule, all computer systems holding personal data should be protected by passwords. Further, passwords should not be shared or common passwords, and employees should be given individual passwords so that in the event of a breach, there is the ability to trace and to hold those responsible to account.

9.44 In The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd,54 the Commission was unequivocal about the necessity of the system administrator's password being strong: it had to be more than six characters with a mix of alphanumeric and special characters.55 Other essential measures highlighted by the Commission in this decision were the implementation of firewalls on servers, the closure of unused ports on servers and the encryption of login credentials.56 Given the data breaches of Yahoo Inc, it would be advisable for the encryption methods utilised to be reasonably sophisticated and not easily hacked.57

53 See the wide definition of "processing" in s 2(1) of the Personal Data Protection Act 2012 (Act 26 of 2012) and discussed in ch 6.

54 [2016] SGPDPC 22.

55 The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [30].

56 The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [30].

57 See paras 9.93-9.96 below; Joseph Menn, Jim Finkle & Dustin Volz, "Yahoo security problems a story of too little, too late" Reuters (18 December 2016).

9.45 Employers should invest in conducting regular training sessions for employees to remind them of their obligations towards handling personal data and to educate employees on what are acceptable and unacceptable practices. For example, it should be stressed to employees the need for confidential documents to be clearly marked and to ensure that they are given higher security protection. Unacceptable practices, especially if they are known to employers, should be repeatedly highlighted to employees coupled with stern warnings of the consequence for the employees, should they engage in them. The case of the secretly filmed nude videos of Erin Andrews should serve as an incentive and warning for all employers to educate

their employees and to ensure adequate policies and sanctions are in place to deter errant employees. Employers should understand the physical threats that can ensue from the misuse of personal data. To this end, employers must have in place policies and procedures to safeguard the security of personal data, and should have disciplinary procedures for employees who misuse personal data.

9.46 In a similar vein, organisations that utilise the services of third parties to process personal data should ensure the agreements with the third parties have the necessary personal data security clauses in place. These third parties will be regarded as data intermediaries under the Act, with their liability limited and with the organisations engaging them bearing full liability for any personal data protection breach. This was the case in Challenger Technologies Ltd and Xirlynx Innovations, Fei Fah Medical Manufacturing Pte Ltd and K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd. These cases can be contrasted with the case of Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd where the Commission found that Central Depository (Pte) Ltd was not in breach of the Protection Obligation as it had valid clauses in the contract with its data intermediary to protect personal data. The data intermediary was, however, found to be in breach of the Protection Obligation.

9.47 The processing of personal data can also include the destruction of personal data. Hence, organisations that utilise the services of third parties to "process" personal data, such as the provision of confidential destruction of personal data, should ensure the agreements with the third parties have the necessary personal data security clauses in place.

9.48 In July 2016, it was reported that a large garbage bag full of unshredded bank documents from United Overseas Bank ("UOB") was discovered under a tree in June 2016 near the bank's head office.67 Inside the garbage bag were several corporate credit documents, including account applications, statements and internal reports from the bank. The documents were said to have contained personal data such as the name of a guarantor, his NRIC number and date of birth. It was also reported that a book with client details and log-in passwords was also found. Other items found included documents concerning … for its wholesale and retail banking units that were marked confidential, which would undoubtedly have contained personal data. According to the news report, the bank did not deny the discovery of the garbage bag … of personal data and, at the time of writing, the Monetary Authority of Singapore, which is responsible for the oversight of all financial institutions in Singapore, and the Commission are investigating the matter.

9.49 It would appear from the news report that, since the whole garbage bag was filled with confidential documents, the bag was perhaps intended for secure destruction but somehow did not reach its destination. However, it is not clear from the news report if the bag was marked as "confidential waste", but this would be only one required practice and procedure of secure handling and disposal of personal data, especially confidential and sensitive data. In any event, large banks such as UOB do outsource their confidential waste destruction which would involve, at the minimum, the documents being shredded. It remains to be seen how the garbage bag full of documents ended up under a tree, but the incident highlights the importance of organisations having procedures and processes that ensure personal data is not mishandled in any way, especially if the consequences for the individuals concerned and, in this instance, for the organisation as well, will be severe and significant. For highly confidential personal data such as bank documents, the documents should be shredded on site, lest the transport of the confidential documents to another site creates more opportunities for personal data to be mishandled en route. Organisations holding sensitive or confidential personal data can utilise the services of mobile on-site shredding services for the destruction of its personal data but, even so, organisations should position their own employees to oversee the destruction process as it occurs at their premises.

58 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

59 Personal Data Protection Act 2012 (Act 26 of 2012) ss 2(1) and 4(2).

60 Personal Data Protection Act 2012 (Act 26 of 2012) s 4(3).

61 [2016] SGPDPC 6.

62 [2016] SGPDPC 3.

63 [2016] SGPDPC 1.

64 [2016] SGPDPC 11.

65 Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11 at [17]-[18].

66 Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1).

67 Jamie Lee, "MAS probes case of UOB's unshredded client data" Business Times (21 July 2016).

68 Jamie Lee, "MAS probes case of UOB's unshredded client data" Business Times (21 July 2016).

69 See further ch 7 generally.

9.50 Employers should also ensure that personal data is stored in locked filing cabinets and inside secure premises, and not in areas generally accessible. Where computer systems and networks are utilised, access to those, including the physical rooms, should be secured using access controls systems, security alarms and even surveillance cameras. The computer networks, databases and systems themselves should be secured through access passwords, firewalls and encryption. Anti-virus software and anti-spyware software should be installed, activated and kept up to date. Employers should also implement policies regarding the use of portable electronic devices, such as laptops, USB drives, tablets and mobile telephones, for work that store or hold personal data. If these devices are permitted to be used by employees or are issued by employers, they should be password protected and policies should be implemented to ensure great care is taken by employees over their safe custody. Employers should also have in place processes that restrict and monitor the printing and photocopying of confidential or highly sensitive personal data. Generally, these types of personal data should be encrypted when stored and when in transit.

9.51 The destruction of personal data should also be done securely such that the personal data cannot be re-identified. The Commission has recommended that the preferred sustainable approach to the secure disposal of personal data is the use of cross-cutting shredders that slice documents in at least two different directions or confetti shredders, followed by the recycling of such shredded paper.70 Electronically held data should be deleted in such a way that it cannot be undeleted or otherwise retrieved. The risks associated with de-identifying personal data have been discussed in chapter 3 and the present technologies indicate that true anonymisation is extremely difficult to achieve and, hence, re-identification is a real risk.

3. Risk assessment

9.52 In order for organisations to ascertain whether their information security arrangements are adequate, the Commission suggested that it might be useful for organisations to undertake a risk assessment exercise. This would be of special benefit to those holding large amounts of data and a variety of different kinds of personal data.

9.53 Some of the factors that may be considered for such a risk assessment exercise are the size of the organisation and the amount and type of personal data it holds; the persons within the organisation with access to the personal data; and whether the personal data is or will be held by a third party on behalf of the organisation.72

9.54 This risk assessment exercise is similar to the privacy impact assessment discussed in chapter 7. Even though the term "privacy" is used, the exercise is essentially the same: an assessment of the impact of the use and handling of personal data and whether the measures in place are appropriate or adequate. Privacy impact assessments, however, are generally more targeted and involve examining the whole life cycle of how personal data is collected, used and disclosed, whereas the risk assessment exercise suggested by the Commission is only in relation to the security arrangements.

Data breach notification

Personal Data Protection Commission's Guide

9.55 In terms of compliance with the Protection Obligation, the Commission gave some indications of what would be expected of organisations. The last one of these expectations mentioned above concerns the requirement that organisations be prepared and able to respond to information security breaches promptly and effectively.73 The Commission has prepared a Guide to Managing Data Breaches ("Data Breach Guide") that is aimed at helping organisations manage personal data breaches effectively.

70 Personal Data Protection Commission, Guide to Disposal of Personal Data on Physical Medium (revised on 20 January 2017) at paras 7.2 and …

71 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.4.

72 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 17.4.

73 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para …

74 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015).

Data

Protection in the

Care

Practical Context

and fire drills: lire cscape plans instruc t h e event of a lirc and the fire drills are the

lan fire escap¢ plai

9.56

There are no data breach in the cnts in Act and, at data breaches do not needrequirements t at the to be to the reported Commise individuals concerned. However, , ission momen or to the is standalone Cybersecurity Bill in Singapore expected to 2017,"

and table a likcly mandate data brcaches to this be renos piece of probably set out othe to the requirements inported information security breaches. In the any event, the of strongly recommended that the Data Breach Guide COmCnt sion has be advises strongly followe organisations to notify the Commission a4dit possible of any data breaches that might cause s0on where there is a risk of harm to a public conce ot group

legislation

will authorities and

alfected

individuals,7%

9.57 The Data Breach

errors.79 Regardless of the cause of data breaches, computer system they are costly and can lead to financial losses for the organisation and for the individual concerned. Individuals may also lose trust in an

organisation.

organisation

Other

may come in the form of sector-specific rules or laws that may have been breached as well as common law duies that have been breached or not been complied with.3 Data breach

pacusc runs

mission, the data ording t o the

I59

dtord

inpact, reporting

prevent

78 79 80

contain

taken to

be

steps to b e m

the breach and manage the incident.2 the

be akin to the fire wardens in a fire would be ideal for the data breach plan. It how to o u t l i n e possibledata breach plan to runs at least once a year. to hold and practise

members

emeigency

managem

respo

would

9.60

the following:83 contain a breach, including that led (a) shut down the compromised system

to

as

it is

can

aware of a be taken to

the data breach whilst

preserving evidence; the data breach in the system and, where (b) isolate the causes of applicable, change the access rights to the compromised system; (c) remove external connections to the system; (d) prevent further unauthorised access to the system such as through resetting passwords if accounts or passwords have been compromised; eestablish whether steps can be taken to recover lost data, such as from a real-time back up;

0

limit any damage caused by the breach, such as through remotely disabling a lost mobile telephone or tablet stop practices that led to the data breach; and )notify the police if criminal activity is suspected and preserve evidence for investigation.

Personal Data Protection Commission, Guide (8 May 2015) at p 9. Data Protection Commission, Guide

to

Managing Dala Breachas

to

Managing Data Brecls

Personal Data Protection Commission, Guide (8 May 2015) at p 4. Guide Personal Data Protection Commission, (8 May 2015) at p 5. Guide Personal Data Protection Commission, (8 May 2015) at p 4.

to

Managing Data

Breacio

to

Managing Data

Breae

2

Breaco

to

Managing Data

83

312

advises organisations to act as soon are a variety of measures that

There data breach.

"Parliament: New Cybersecurity Bill to be tabled next year to strengtien The Straits Times (11 April 2016).

Personal (8 May 2015).

to

The Commission

and implement a data breach

Singapore's online defences"

i

scenariosand

them

data breach Containing the

management and response plan to manage data breaches. This plan, when developed, tested and perhaps rehcarsed or practised on a regular basis, will assist organisations to handle and react more effectively to data breaches when they occur. The idea is based on the

77

containing

the incident and aluating the response and future breaches. It would be helpful for the plan futi to dataibrcach management team, indicating the ery details ofthe de ho would lead and make time-critical decisions on ns

management plan

Organisations should develop

76

as

such

brcach management plan may asscssing risks and

uhe breach,

inchude.

9.58

75

in

be

se

Guide" defined a data breach as the unauthorised access and retrieval of information that may include corporate and/or personal data.78 The Commission gave the three possible causes of data breaches as malicious activities, human errors and

an

to

n t ah te e d s

Thesetcam

access

costs for

done

onccpt

ne

«

(a)

of Personal Data

Protection Commision, naData (8 May 2015) at 6. p

Guide to

Managing Data Breaches

Onal Data Protection Commission, Guide to Managing Data Bredees

(8 May 2015) at p 6. ( a Data Protection Commission, Guide to Managing Data breuees (8 May 2015) at p 7.

313

Data

Protection in

the

9.61

Care ofPersonal

Practical Context necessary

This list of measures provided by the Commission certainly contains the best practices. For organisations to be able to execute these measures, however, the relevant personnel in the organisations will need to be highly skilled, alert and aware. A case in point is Sony Online Entertainment ("SOE") which, in 2011, discovered a data breach only some two weeks after it occurred. The names, addresses, e-mail addresses, birth dates, telephone numbers and other information of 25 million customers were stolen from servers as well as an "outdated database" from 2007 which contained details of approximately 23,400 people outside the US and included 10,700 direct debit records for customers in Austria, Germany, the Netherlands and Spain. The data set was stolen on 16 and 17 April 2011, before another data breach at Sony's Playstation Network, which occurred from 17 to 19 April 2011, where 77 million individuals' personal data were stolen, including credit card numbers.85 For both data breaches, Sony took around two weeks to discover

to

take. such as to

af the individualsaltectcd,

contains

ganisations

Steps

Data

notify

the

hat can be considered in assessing risks and f a c t o

These include the nature of the personal

many o fd a t a are

breache

There

hether they will

inpac

Lead to financial loss, identity theft or other lass of individuals whose personal data are

harm. The clas,

aaia, whe

on the impact of a breach; whether data may produce different

bearing have a kinds. also can breached nployces' personal ed or

ons m must u s t be aware that the risks and impact have an impact on the organisatio and trust, as well as the substano of

tomers' hey a r ec u

ces.

Organisations

on indiviat

well,i n

terms

of

reputation

the breach.

that its systems were compromised.86

9.62 Even worse than the Sony breaches had been the two Yahoo Inc breaches, which were only discovered some two to three years after the personal data theft, and only after law enforcement showed up on the doorsteps of the company with copies of extracts from the stolen personal data that were for sale on the dark web. The company was totally unaware of the 2013 breach involving 1 billion users' accounts, until they were notified by the authorities.87

(c)

were

Assessing risks and impact

assessing risks and impact of data breaches is to assist organisations to ascertain the scope of consequences to affected individuals and to the organisations. This in turn will inform the

of risks

of

apects

of data breaches and impact as risks and such issues,

organisations, apart impact of further system

technical

the from omises,

pact ofthe

or

or

other

data is likely it one

compromised

organisations,

to

personal data may be on the organisations

uch

be used by

of the key

need

how

and

processe

on

to also assess the non-technical a breach may be facilitated through rocedures, as well as determine what the

organisations

whether

inadequate

vhether the

as

compromised personal

organisations.0 This breaches at information contained in the

others to defraud other

concerns about

the wo massive data

the hackers will use the fahoo Inc, that data to launch other attacks.

stolen

Reporting the data breach

d)

9.63 The aim of

Interms

9.66 This section of the Data Breach Guide is by far the most comprehensive and concrete. It gives clear guidance as to what is required, when it is required and how to execute reporting of a data breach. It would appear that organisations are expected to follow the

84 Charles Arthur, "Sony suffers second data breach with theft of 25m more user details" The Guardian (3 May 2011).

85 Charles Arthur, "Sony suffers second data breach with theft of 25m more user details" The Guardian (3 May 2011).

86 Charles Arthur, "Sony suffers second data breach with theft of 25m more user details" The Guardian (3 May 2011).

87 Greg Roumeliotis & Jessica Toonkel, "Yahoo under scrutiny after latest hack, Verizon seeks new deal terms" Reuters (16 December 2016).

88 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 8.

89 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 8.

90 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 8.

91 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

Data

Protection in

Data

Breach Guide and the the requirements.

Care

the

Practical Context

Commission gave

9.6

The

Commission

noted that

individuals affected by take

a

it

data

1s

Some

clear reason. sons for

cialm e d i a ,

impact

breach

whose personal data cludeduals. the rties who have been may need

third and financial be înstitutions, and the to polic Commission also advised to organisations if a notify the Conm "especially data breach involves sensitive

include banks

b e

actions individuals can take.

mmission

very

was

was

clear

The notilied.

dbe w

nibena n d .

the

the

in

breach

data data

in

doing

uhe data

there

harm

urtier

oganisaluons

or

are

damage,

information

the

as possible.

should be made explicit. Lastly, of ways to contact them for

these

details should provide or

assistance.

addresses numbers, e-ma il ail

notiky,

curred, the types of personal data

occu

breach, and what the organisation has done

the risks that have arisen as a result of SDonse to there are specific facts available on thec data b ebreach. Where tho ofwill individuals can take to minimise actions specificc mised

or if

data breach involves sensitive personal data, the Commission recommended that individuals should be notified immediately to enable them to take the necessary actions early to avoid, or at least minimise, potential abuse of the compromised data. Sensitive personal data would include credit card and bank account details. The period immediately after the theft of data is most crucial as it is during this period that criminals would attempt to use stolen records before customers have been notified and had a chance to take preventive measures. Thus, it is critical to shorten this period as much

Breach Guide about what should include information on

in the Data

notificat

hrther

In terms of when to

media

tions on what

each

personal data"

9.68

through

c-ma.

d f i c a t i o n ss h o

ilease

dividuals to

should guardians or parentsorganisations of young children consider notifvino

compromised. Relevant

be

a

preventive measures to reduce the will enable to notify and may assist in indivi restoring consumer trust. of the data in some situations, may be legally bre: required to noti Oher parties that otify affected individuz

organisations

means woud

easily comprehensible, specific and provide kar astruction

generally good practice as it

breach,

possible

nails, telephone calls, faxes and letters.5 The

affected

i n h i n a i u z l sa l e

each of

ofPersonal Data

These ese

or

can

be

websites.7

through telephone

hotline

The rationale for notification to the affected individuals seems clearly grounded upon the desire to return to individuals some control over their personal data once there has been a data breach. Individuals are the ones who are most negatively affected by a data breach and in the interests of fairness and justice, they ought to be armed with the ability to counter whatever harm may result, especially since the data breach occurred through no fault of their own.

9.69 The Commission noted that another occasion to inform affected individuals would be when a data breach has been resolved, as organisations would then be in a better position to provide further details to the individuals.

9.70 Regarding the methods of notifying the data breach to individuals, there are numerous effective ways organisations can inform individuals depending on the urgency of the situation and the number of

9.73 In addition to advising the affected individuals and the relevant third parties, the Commission advises organisations to notify the Commission as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals. To facilitate this, the Commission has provided an email address and a telephone number for this very purpose. The Commission is explicit about the contents of the notification to the

92 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

93 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

94 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

95 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

96 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

97 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 9.

98 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 10.

Dala

Commission available:99 (a) (b) (c) (d)

Prolection in the Practical

and should

clude

extent of the data breach; type and volume of

the

Care

Context

from occurring."

following informa

measures

that

prerent

s h o u l

Commision oganisations, 104

or

terms

in

,

ced

to

and

Even where specific information on the data breach is not yet available, the Commission has advised that organisations should send an interim notification to the Commission, providing a brief description of the incident.100 Furthermore, the Commission stressed that whether notification was made by an organisation as well as whether the organisation has adequate recovery procedures in place will weigh upon the Commission's decision on whether the organisation has met the Protection Obligation.101

9.75 The list of items to be included in the notification to the Commission appears to be aimed at imposing full transparency and accountability on organisations. Given the general manner in which the Protection Obligation is set out in section 24 of the Act102 and the clear indication in the Data Breach Guide that a data breach notification to the Commission is expected, the onus is undoubtedly placed on organisations to do all they can to protect the security of personal data and to be fully prepared for a data breach, a suitably high duty.

be

addressed

existing

weaknesses in 105 Other both

related

technology

physical

issues

be

software

9.74

rational and policy related issues, some of the nclude the frequcncy of audits on inc

of 977

.

(e)

they are not, then new

be considered. The be adopted should hould four arcas that should be considered by sets out fo

imilar breaches

personal data involved;

(c) cause or suspected cause of the breach;

(d) whether the breach has been rectified;

(e) measures and processes that the organisation had put in place at the time of the breach;

(f) information on whether the affected individuals of the data breach have been notified and, if not, when the organisation intends to do so; and

(g) contact details of persons whom the Commission can liaise with for further information or clarification.

of Personal Data

curity to

security measures and possible

mcasures

such as the use of outdated

nsider may be whether there to prevent a recurrence of the breach

cons.

introduced

ure breaches should if futur damage mit the responsibiliti roles, the involv e d ed,

processcs

r t ol i m i t

partners are

recur. If vendors and and liability of cach

106 reviewed,

should

9.78 The second area of issues to evaluate are the resource related issues, such as whether there were enough resources to manage the data breach and whether external resources are needed to better manage such breaches.107

9,79

08

Third, employee related issues also need to be considered. It is important for employees to be trained on personal data protection matters and incident management skills. Employees in many ways act as the custodians of personal data and should be fully aware of security related issues. The review should consider whether these areas can be improved and how to make the improvements.

Evaluating the response and recovery

9.76 After the data breach has been resolved, the breach and the security arrangements should be reviewed to determine if they are adequate

99 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 10.

100 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 10.

101 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 10.

102 Personal Data Protection Act 2012 (Act 26 of 2012).

103 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

104 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

105 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

106 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

107 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

108 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

109 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.


9.80 Lastly, management related issues need to be considered, such as whether there was a clear line of responsibility and communication during the management of the data breach, both internally and externally.110

required

pache persoearnal

ered, such

personal

the

ommunicaiandon

co

int

by the Protection Obligation to breach of the when

pondent he w a s in data and dat data to the third

The

to

of Personal Data

tenant. A

Obligation nancial penalty

'13 disclosed

imposcd.

he

was

ofS500 European U n i o n p o s i t i o n

Complying with

5.

Protection

Obligation Security p r i n c i p l e

9.81 From the foregoing, it can be said that the Protection Obligation is a strong duty imposed upon organisations. Although the Protection Obligation is couched in terms of reasonable security arrangements, what would be considered reasonable has a level of certainty that can be gathered from industry practices. This is clearly a more acceptable level of personal data protection than the reasonableness test in, for example, the Access and Correction Obligations, where even erroneous personal data can remain uncorrected.

1

9.84

assets such as trade secrets which organisations keep guarded.

The Commission has made it clear that one cannot take personal data that one has been provided with in one's commercial capacity and disclose it in a personal or domestic capacity "as and when he chooses". In Chua Yong Boon Justin,112 the respondent was a real estate agent who disclosed the full names and NRIC numbers of two tenants to a third tenant. The Commission made it clear that it was because of the tenancy agreement that the respondent came to have in his possession the full names and NRIC numbers of the two tenants and, as such, the personal data was obtained in his commercial capacity

110 Personal Data Protection Commission, Guide to Managing Data Breaches (8 May 2015) at p 11.

111 Chua Yong Boon Justin [2016] SGPDPC 13 at [13].

112 Chua Yong Boon Justin [2016] SGPDPC 13.

The EU Data Protection Directive 95/46/EC stated quite explicitly the need for the processing of personal data, which includes the collection and storage of personal data, to be secure.114 Article 17 effectively sets out all the requirements of the security principle in great detail. The overriding requirement is that "such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected",115 which has the same effect as the Singapore legislative requirement of being "reasonable".

9.85 In the EU General Data Protection Regulation 2016/679, Article 32 deals with the security of processing and is very similar to its EU Data Protection Directive 95/46/EC counterpart, except it is even more detailed and explicit. Under Article 32, organisations "shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", which is a long-winded way of expressing a standard that is reasonable to the circumstances. Articles 32(1) and 32(2) list some of the issues that need to be considered as part of the security measures, such as the technical

9.83

disclose it in

of

The need forthe

the

9.82 It would appear that as long as organisations adhere to industry standards, they would meet the Protection Obligation. It is thus essential for organisations to be aware of what the industry standards are and to engage skilled personnel where necessary, especially in specialised areas such as the management of information security. In terms of protecting personal data, organisations would do well to treat personal data like any other asset that organisations hold, whether it be physical assets that they guard under lock and key or non-tangible

Directive

Protection

EU.Data

Breachs

requirements,117 including ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as well as all the different ways that risks can arise, such as through loss and alteration.118

9.86

cie 5(1)( of the EU General Data Protection Regulation 2016/679 pinciples regarding the legitimate processing of personal data

113 Chua Yong Boon Justin [2016] SGPDPC 13 at [22].

114 EU Data Protection Directive 95/46/EC, Art 17.

115 EU Data Protection Directive 95/46/EC, Art 17(1).

116 EU General Data Protection Regulation 2016/679, Art 32(1).

117 EU General Data Protection Regulation 2016/679, Art 32(1).

118 EU General Data Protection Regulation 2016/679, Art 32(2).

Data

standard aDDropriate security

also sets the

Care of Personal Dala

Proteclion n the Praclical Context

of

processing personal data ta to personal data includinto be or unlawtul unauthorised procesSing and destruction or damage, using appropriate against of the

9.87

which

to

EU

(d 2ddr measur

organisatioloss,nal

is

Pro code to be used a

an

otecionof

further

its p o s s i b l e

be taken

including,

adverse effects.

by

the controller

where

to

appropriate,

The requirement to provide information is an enduring one, as where it is not possible to provide all the information together at the same time, the information may be provided in phases without undue further delay. This is similar to the requirements set out by the Commission in Singapore.128

security princinle 20dn's

breach notitication

9,91

to

1s

core

a

off o

similarity in the information required in the breach notification of the EU and the breach notification requirements of the Commission. The Commission requires information on the cause or suspected cause of the breach; this is not required by the EU law. Instead, the EU General Data Protection Regulation 2016/679 requires information on the likely consequences of the personal data breach, which the Commission does

supervisory authority

There

data

person,

notification

EU

requires

.

a

consequences not stipulate

a

necessary.

An additional duty required of organisations that handle personal data in the EU General Data Protection Regulation 2016/679 is the duty to maintain a record or register of all personal data breaches.129 The facts relating to each personal data breach must be recorded, along with its effects and the remedial action taken. This internal breach register enables the supervisory authority to verify whether compliance has been met.130

9.89 The minimum information that must be provided in the notification are:126

(a) the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) the name and contact details of the data protection officer or other contact

natural persons.125

(a)

as

9.92

not

a

the likely consequences of the personal data breach; and

Regulation 2016/679, Art5 120 EU General Data Protection Regulation 2016/679, Art 34 35 and o E U General Data Protection Regulation 2016/679, Arts Art T22 EU General Data Protection Regulation 2016/679, 534 Art 30 23 EU General Data Protection Regulation 2016/679, 2016/679, Art 33 E U General Data Protection Regulation 125 EU General Data Protection Regulation 201b/o 38/3)

Where a personal data breach is likely to result in a high risk for the rights and freedoms of individuals, the organisation will also have the obligation to notify the individuals of the breach without undue delay. Article 34(2) mandates that the notification to affected individuals must contain the information that is

EU General Data Protection

EU General Data Protection

Regulation 2016/6/9, 322

Personal data breach notification to affected individuals

9.93

point where more information can be obtained;

f

126

not

it time, the in.

The EU General Data Protection Regulation 2016/679 introduced a new mandatory requirement of personal data breach notification that applies across all industry sectors. It mandates that those who hold or process personal data must notify the competent supervisory authority without undue delay after becoming aware of a personal data breach and, where feasible, within 72 hours. If the 72-hour timeframe is not met, a reasoned justification for the delay must be provided. The only exemption from this requirement is where the personal data breach is unlikely to result in a risk to the rights and freedoms of

119

mitigate

to

breach,

T h er e q u i r e m e n t t o 9.90

9.88

The

:s to

data

ental

General Data to

adherence

cerufication

Personal data

(b)

the

approved mechanism demonstrate compliance with the

or an

stecionensur agaiinnstg

proposed

tako

the personal

the meas

pOssible

Importantly, Article 32(3) of Regulation 2016/679 enables

hv

one of ens

technical or

mcasures".19

conduct

casures (d)

27

required in the

breach

eneral Data Protection Regulation 2016/679, Art 33(4). (8BMay Commission, Cuide to Managing Data Breaches May 901a 2015) atProtection p 10. EU neral Data Protection Regulation 2016/679, Art 55(9 EU 131 EU Ceneral Data Protection. gulation 2016/679, Art 33(5). General Data Protection.Regulation 2016/679, Art 34(1) 128

323

Data notification

to

the data

must

language"

Protection in the Practical Contert superviso

Care of Personal Data us

p e r s o n a l c d a t a ,1 3 9

plain

9.94 There are three exceptions to the requiremen

those measures

and organisational protecti.on

applied

were

the

to

1telihood

compromised

of

episodes

the

encryption

identity

personal

affecteasures, and encrypted, personal data, other forms ofeffectively limi the

theft or of thee Yahoo Inc data

method

was

misuse."

owever, given asily cracked

breaches, where

employed, the actual

individuals"

Sanctions

notficaion impleme

data personal data breach." An example of this is where was

encral Data

ener i s k for the

rights

:and

t0

freedoms". 110

high

affected individuals. First, where the organisatior technical

appropriate

cOmparable

the position undcr the EU Protection Rcgulation 2016/679, which uses the test of

authority and that "clear

be used.

encryption

technology

implemented would need to be assessed. Yahoo Inc was apparently still using discredited technology for encrypting data known as MD5 in 2013 when the breaches occurred. This was well after Carnegie Mellon University's Software Engineering Institute had issued a warning in 2008 to security professionals through a US government-funded vulnerability alert system that MD5 "should be considered cryptographically broken and unsuitable for further use".

9.97 The EU General Data Protection Regulation 2016/679 introduced hefty sanctions for non-compliance that should be highlighted. Failure to meet the personal data breach notification requirements exposes organisations to an administrative fine of up to €10m or, in the case of an undertaking (an enterprise within a group of enterprises), up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Carneg

C RETENTION OF PERSONAL DATA

1. Retention Limitation Obligation

9.95 The second exception is where the organisation has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.136 The last exception is where notification to the affected individuals would involve disproportionate effort. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.137

9.96 The aim of notification to affected individuals in EU law appears to be the same as that espoused by the Commission for notification to affected individuals under the Singapore statute: to allow affected individuals to take the necessary precautions to protect themselves. Although the Commission in Singapore recommended that individuals only need to be notified if the personal data breach involves sensitive

3UGeneral Data Protection Regulation 2016/679, Art34 38 EU Ceneral Data Protection Regulation 2016/679, ATt T34

135

19

9.98 The Retention Limitation Obligation concerning the retention of personal data is set out in section 25 of the Act142 and it requires an organisation to cease to retain personal data as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by the retention of the personal data and that retention is no longer necessary for legal or business purposes. The legislation does not specify minimum or maximum periods for retaining personal data, but organisations may be required to hold personal data for set periods of time under other legislation or sectorial requirements. The Commission aptly warned that organisations should not retain personal data in perpetuity where it has no legal or business reasons to do so.143 Thus, personal data should not be retained just in case the data is needed one day for some unforeseen reason.

EU General Data Protection Regulation 2016/679, Atohlems a stoy

onal(8 May DataatProtection Commission,

Joseph Menn, Jim Finkle & Dustin Volz, "Yahoo securiy pa of too little, too late" Reuters (18 December 2010). UGeneral Data Protection Regulation 2016/679, Art4 c

l41 ETneral Data Protection Regulation 2016/679, Art 34( Art 83(4) (a) 42 Perso Personal Data Protection Regulation 2016/679,

a

E U General Data Protection Regulation 2016/679, ATR6 86. 138 EU General Data Protection Regulation 2016/0, * 324

2015)

143

Cuide to

Managing Dala

Breaches

p 9.

Data Protection.Act 2012 (Act 26 Personal in the Perta onps Data Protection Protectior Commission, Advisory Guidelines on Key 18.2. ETSOnal Data Protection Act (revised 15July 016) para of 2012).

on

325

at


9.99 Section 25 establish the test for can be retained to be one of be considered a reasonable period will for collection and other legal and business retention of the personal lata may be

inte t h e i r personal data into classes so that it may mayingroup the rationale for why some personal data is kept

Oganisationsm a yg

determining how

nableness. The durlo ng personal that wouldatad depend greatlyuration on

purpose thepurposes nersonal data may need to be retained to necessary. FFor hich the generate which may entail the personal data kample, being kept for one data is required for Teports yea i personal ongoing legal action need to be retained for much involving longer.

explain

to

in

e

recor

the

organis

1S

data

nal

.

should

data

uher

personal

piece

data management to ensure that and stored in a manner which facilitates Retention Limitation Obligation. " Reviews

personal

elop procCsses

an

then it may

periods of time.'16 Organisations also need to

ively long peri

casicr

be

conducted on a regular basis to determine

o f personal

data is still needed and should be da

particular

{a eltained

9.100 The same type of personal data collected for more or less the same purpose but collected in different settings can sometimes bring different conclusions of what may be considered a reasonable period of retention. For example, security cameras in a restaurant would have the purpose of capturing incidents such as rowdy patrons or patrons leaving without paying and so on. The reasonable period of retention for such images may only be a very short period of time because any incident or event requiring a review of the images would arise fairly quickly. In the event of incidents, the images would need to be kept longer for investigative and law enforcement purposes. If this is compared with images from security cameras installed to deter fraud or theft at a bank's automatic teller machine ("ATM"), the footage at an ATM would need to be retained for at least a few months as fraudulent transactions may not come to light before victims receive their bank statements. Further, in the event of a series of ATM fraudulent transactions, the images may assist to determine if there is a pattern over a period of time.

9.103 Organisations should exercise care on how long they retain personal data that may have been collected and used under the exemptions set out in the Second, Third and Fourth Schedules of the Act. Although the personal data can seem to be kept without constraints, such as where the personal data is publicly available, the Retention Limitation Obligation does in fact prohibit the personal data from being retained if the purpose for its collection is no longer being served or if there are no legal or business purposes for the retention of the personal data. All Obligations such as the Protection Obligation and the Retention Limitation Obligation apply to all personal data irrespective of whether the personal data was exempted from the Consent Obligation and the Notification Obligation.

9.104

In terms of the meaning of ceasing to retain in section 25 of the Act,150 the Commission has stated that this means no longer having access to the documents and the personal data they contain. This means that the personal data is inaccessible or irretrievable to the organisation. The Commission gave some possibilities of what may satisfy this, and

9 .101 144 Given that the statute of limitation is six years for contracts and torts it would seem reasonable to deduce that some personal data can

p

kept for at least this long. In this regard, the Commission appeare permit personal data relating to contracts to be retained lor e the ule years from the date of termination of the contract, gven statute of limitation period is six years." 9.102

Organisations should develop personal outlining their approach to retention periods data

retention

they included returning the documents to the relevant individuals, transferring the documents to another person on the instructions of a

SOnal Data Protection Commission, Advisory Guidelines om Ky onceps 142DePersonal Data Protection Act (revised on 15 July 2016) at para 18.8. a l Data Protection Commission, Advisory Guidelines on Key Concepis Data Protection 2016) at para 13./. on

Peeonal ersonal Data

po

for personal data

150

Act (revised 15 July rotection Act 2012 (Act 26 of 2012). Protection Act 2012 (Act 26 of 2012)

Sched, Pan1(c); Data Third Sched, ara 1(c) and Fourth Sched, para Second 1(4). Personal Data Protectior Act 2012 (Act 26 of 2012). Personal Data Protection Commission, Advisory Guidelines Key Concepis nthe Personal Data 2016) para Act (revised Protection 15 July Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Person on

144 145

Limitation Act (Cap 163, 1996 Rev Ed) s 6. Personal Data Protection Commission, Advisory 272 the Personal Data Protection Act (revised on 15July

Guidelines


2010)

on

ap

Key

Coneys

18.4

on

d

Protection Act

(revised on 15 July 2016) 327

18.10.

at at

para

18.12.

data subject, destroying the documents such as by properly shredding the documents, or de-identifying personal data.153

9.105 There are also situations where an organisation may have attempted to make the personal data inaccessible but it may not be totally inaccessible, such as where documents that have been shredded still remain in the organisation's premises. Technically, depending on the shredder used and the thinness of the shreds of paper, it may be possible to re-access the personal data by piecing all the shreds together. To deal with such grey areas, the Commission said it would consider four factors to determine if an organisation has ceased to retain the personal data. The factors are whether the organisation has any intention to use or access the personal data; how much effort and resources the organisation would need to expend in order to use or access the personal data again; whether third parties have been given access to the personal data; and whether the organisation has made a reasonable attempt to destroy, dispose of or delete the personal data in a permanent and complete manner.154

9.106 These four factors will be of great relevance in the case of electronic personal data and the techniques organisations employ to delete electronic personal data such as those residing on computer servers, portable devices such as laptops and mobile devices such as tablets and mobile phones. If personal data has simply been placed in the "trash bin" on a laptop which can be restored easily by a few clicks of the mouse, the organisation will probably not be considered to have ceased to retain the personal data.

2. European Union position

9.107 The position in the EU on retention of personal data is similar to that of the Singapore legislation. The EU Data Protection Directive 95/46/EC155 stipulates that personal data should be kept for "no longer than is necessary for the purposes for which the data were collected or for which they are further processed".156 As discussed in chapter 3, "processing" is very broadly defined and includes storage and consultation, hence this provision would be equivalent to providing that personal data should only be kept for as long as there are legal or business purposes to do so.

9.108 The EU General Data Protection Regulation 2016/679157 is also similarly worded and provides that personal data should be kept for "no longer than is necessary for the purposes for which the personal data are processed".158 The EU General Data Protection Regulation 2016/679, however, introduced longer periods of retention where the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject.159

9.109 It should be noted, however, that Recital 39 of the EU General Data Protection Regulation 2016/679 states that:160

The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.

9.110 This requirement of "strict minimum" appears to contextualise and qualify the general requirement of keeping personal data "for no longer than is necessary for the purposes for which the personal data are processed".161 It places the onus on organisations to adhere to the "strict minimum" requirement, so that even where there may be vague reasons why personal data need to be retained for business purposes, the "strict minimum" requirement will dictate a closer evaluation to ascertain the "strict minimum". To illustrate, a pizza shop might argue that there are business reasons to keep the names and addresses of all its customers who have bought a pizza from it for a period until the statute of limitation ends. Realistically, however, after a maximum period of one year, there appears to be few reasons why it would need to retain such personal data, especially if no claims of food poisoning or other incidents have been made against it. Even for taxation purposes, it may not be necessary to retain the records of customers' names and addresses for so long. In this case the "strict minimum" would likely be not more than one year.

153 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 18.10.
154 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at para 18.13.
155 EU Data Protection Directive 95/46/EC, Art 6(1)(e).
156 EU Data Protection Directive 95/46/EC, Art 6(1)(e).
157 EU General Data Protection Regulation 2016/679, Art 5(1)(e).
158 EU General Data Protection Regulation 2016/679, Art 5(1)(e).
159 EU General Data Protection Regulation 2016/679, Art 5(1)(e).
160 EU General Data Protection Regulation 2016/679, Recital 39.
161 EU General Data Protection Regulation 2016/679, Art 5(1)(e).

9.111 Under the EU General Data Protection Regulation 2016/679,162 at the time of personal data collection, the data subject should be informed of the envisaged retention period or, if this is not possible, the criteria used to determine the retention period.

9.112 Probably one of the most significant new rights given to individuals in the EU General Data Protection Regulation 2016/679 related to retention periods is the right to be forgotten in the online environment. The right to be forgotten will be discussed in chapter 11.

162 EU General Data Protection Regulation 2016/679, Art 13(2)(a).
163 EU General Data Protection Regulation 2016/679, Art 17.

CHAPTER 10

Transfer Limitation Obligation

10.1 One surprising new provision that was passed in the final Personal Data Protection Act 2012 (the "Act")1 is section 26 on the transfer of personal data outside Singapore. The limitation on transfer was not addressed in the draft bill2 and one can only speculate that it may have been spurred by the discussions on the European Union-Singapore Free Trade Agreement, which was completed in 2014. The Transfer Limitation Obligation is the last of the Obligations in the Act, grouped under Part VI (Care of Personal Data).

10.2 Section 26(1) provides that an organisation must not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Act. This is to ensure that organisations provide a standard of protection to personal data that is comparable with the protection under the Act in Singapore, even when the personal data is transferred out of Singapore. However, organisations may apply to be exempt from this requirement.3

10.3 Compliance with this provision falls upon the organisation sending the personal data overseas, so it would appear that the sending

Act 26 of 2012. Publc Consullatnon o t Information, Communications and the Arts, the Ars: Proposea Communications and Information, of Mnistry Pe ersonal Data Protection Bill (19 March 2012). and 26(3). a t a Protection Act 2012 (Act 26 of 2012) ss 26(2)


organisation may look to the laws of the foreign jurisdiction or undertake contractual mechanisms to ensure an equivalent protection is given.

A. PERSONAL DATA PROTECTION REGULATIONS 2014

10.4 The Personal Data Protection Regulations 2014 provides more details of the requirements. Before an organisation can transfer personal data overseas, it must satisfy two requirements set out in regulation 9(1). First, the organisation must take appropriate steps to ensure that it will comply with the personal data protection provisions while the personal data remains in its possession or under its control. Second, the organisation must take appropriate steps to ensure that the recipient of the personal data outside Singapore is bound by legally enforceable obligations to protect the personal data in accordance with standards that are at least comparable to the protection under the Act in Singapore.

10.5 Organisations are taken to have satisfied the first requirement if the personal data is in transit or publicly available in Singapore. The term "data in transit" has a long definition and means:8

personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of the employee's employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation.

The definition is convoluted. It appears that this is an attempt to deal with the situation where personal data is simply passing through servers within Singapore en route to its destination overseas.

1. Satisfying the second requirement: Explicit situations

To satisfy the second requirement, the Personal Data Protection Regulations 2014 provides seven explicit situations where an organisation can be taken to have satisfied this requirement. The first of these situations is where the individual consents to the transfer of the personal data to the recipient in that country or territory.10 However, not all such consent given is valid. In order for such consent to be valid, the individual must have, before giving his consent, been provided with a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the Act in Singapore. Consent must also not have been obtained by the transferring organisation as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual.12 Finally, in obtaining or attempting to obtain the consent, false or misleading information must not have been provided and other deceptive or misleading practices must not have been used.13

A classic example of where an individual would give consent is where an individual is travelling overseas for a holiday. For the individual to be able to use her Automated Teller Machine ("ATM") card overseas to withdraw money, she would have to give consent to her financial institution to transfer her personal data overseas to facilitate access to her account, including account details such as the available balance for withdrawal.

10.8 The second situation where an organisation can be taken to have satisfied the second requirement is where the transfer of the personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or

Data Protection Commission, Advisory Guidelines on Key Concepts in

S 362/2014. 5

6 8

Personal Data Protection Regulations 2014 Personal Data Protection Regulations 2014 2014 Personal Data Protection Regulations 2014 Personal Data Protection Regulations


(S 362/2014) reg 9 (S 362/2014) reg (S 362/2014) reg9o. (S 362/2014) reg

12 13

Peeonal Data Protection Act (revised on 15 July 2016) at para 19.7. Personal Data Protection Regulations 2014 (S 362/2014) reg 9(3) (a). Sonal Data Protection ulations 2014 (S 362/2014) reg 9(4) (a). Persona Data Protectic Perse 2014 (S 362/2014) reg 9(4)(6). Regulations ersonal Data Protection.Regulations 2014 (S 362/2014) reg 9(4)().

Person


to do anything at the individual's request with a view to entering into a contract with the transferring organisation.14 An example of this given by the Personal Data Protection Commission (the "Commission") is the situation where an individual purchases an overseas tour with a travel agency that includes hotel accommodation. In order to make the hotel reservations, the travel agency, which is the transferring organisation, would need to transfer the individual's personal data to the hotels overseas.15 This transfer would satisfy the second requirement in regulation 9(1).

10.9 The third and fourth situations where an organisation can be taken to have satisfied the second requirement in regulation 9(1) are where the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual's request16 or which a reasonable person would consider to be in the individual's interest.17 The example which the Commission gave was where an organisation decides to adopt a cloud-based solution to store or analyse its clients' personal data and the cloud computing servers are located outside Singapore.18 To transfer the personal data out of Singapore on to the cloud servers would be considered to be in the individual's interest as this would facilitate the fulfilment of the contract between the individual and the organisation.

10.10 Fifth, the second requirement in regulation 9(1) is also taken to be satisfied where the transfer overseas is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the Act. These are where:

(a) the use or disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its use or disclosure cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;21

(b) the use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;22

(c) the use or disclosure is necessary in the national interest;23

(d) subject to conditions, there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way;24

(e) the disclosure is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual.25

10.11 In all such cases, prior to transferring the personal data overseas, the organisation must take reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose.26 A typical scenario that would fall under one of these situations is where an individual is seriously injured whilst overseas and the overseas hospital requires the patient history of the individual before surgery can take place.

10.12 The sixth and seventh situations where an organisation is taken to have satisfied the second requirement in regulation 9(1) are where the personal data is in transit27 and where the personal data is publicly available,28 respectively.

20

2 14 15

16 17

19

Personal Data Protection Regulations 2014 (S 362/2014) reg93)0

Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 1(a) and Fourth Sched, para 1 (a). Data Protection Act (Act 26 of 2012) Third Sched,

Personal

2012

para 1(a).

2Personal Data Protection Act 2012 (Act 26 of 2012) Third Sched, para 1 (6) and Fourth Sched, para 1(6).

Personal Data Protection Commission, Advisory Guidelines on Key Conces in the Personal Data Protection Act (revised on 15 July 2016) at para 9:

23

example 2.

Data Fersonal para 1 (c).

Personal Data Protection Regulations 2014 (S 362/2014) reg 913)G. Personal Data Protection Regulations 2014 (S 362/2014) reg 9( Guidelines on Keay Cones Personal Data Protection Com ISsion, Aduisory 1s 2016) at para n the Personal Data Protection Act (revised on 15 July

example 3. Personal Data Protection Regulations 2014


(S

362/2014) reg ON0

Personal para

Data Protection

Act 2012

1(d) and Fourth Sched, para 1(e).

2

Data ersonal para 1(0).

Protection

(Act 26 of 2012) Third Sched,

Act 2012 (Act

26

of 2012)

Fourth Sched,

Protection Act 2012 (Act 26 of 2012) Fourth Sched,

27Ponal Data Protection Regulations 2014 (S 362/2014) reg 9(3) (e. 28 POnal Data Protection Regulations 2014 (S 362/2014) reg 9(3)).

ersonal Data ProtectionlRegulations 2014 (S 362/2014) reg 9(3) (8). 335

2. Satisfying the second requirement: "legally enforceable obligations"

10.13 If an organisation cannot fall under any one of these seven scenarios, then it needs to ascertain if it can satisfy the second requirement in regulation 9(1) by taking appropriate steps to ensure that the recipient of the personal data outside Singapore is bound by legally enforceable obligations to protect the personal data in accordance with standards that are at least comparable to the protection under the Act in Singapore.29

10.14 Regulation 10 provides examples of what would constitute legally enforceable obligations. The list is fairly broad and includes any law30 and any contract.31 The contract must, however, require the recipient to provide to the personal data transferred to it, a standard of protection that is at least comparable to the protection under the Act in Singapore32 and the contract must also specify the countries and territories to which the personal data may be transferred under the contract.33 To this end, the contract would need to address all the Obligations set out in the Act in Singapore, although the Commission has expressed the view that if the overseas recipient is a data intermediary, only the Protection and Retention Limitation Obligations need to be addressed.34

10.15 Legally enforceable obligations can also take the form of binding corporate rules35 as well as any other legally binding instrument.36 Binding corporate rules can only be used where the recipient is related to the transferring organisation.37 A recipient of personal data is related to the transferring organisation if the recipient, directly or indirectly, controls the transferring organisation;38 the recipient is, directly or indirectly, controlled by the transferring organisation;39 or the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.40 Binding corporate rules surfaced in the European Union as a pragmatic means of meeting similar requirements under the EU laws; these will be discussed below.

10.16 The binding corporate rules must require every recipient of the transferred personal data to protect the personal data transferred to it, at a standard of protection that is at least comparable to the protection under the Act in Singapore.41 The binding corporate rules must also specify the recipients of the transferred personal data to which the binding corporate rules apply;42 the countries and territories to which the personal data may be transferred under the binding corporate rules43 and the rights and obligations provided by the binding corporate rules.44

10.17 Binding corporate rules are useful mechanisms in situations where a corporate group of companies may have all of their employee or customer personal data processed in one location which is outside Singapore. These could be payroll operations or customer fulfilment operations. Personal data would need to be transferred from all around the world to that location. Under the Personal Data Protection Regulations 2014, as long as binding corporate rules meet or exceed the protections in the Singapore legislation, the transfer of personal data outside Singapore will satisfy the second requirement in regulation 9(1).

3. Assessing the Transfer Limitation Obligation

10.18 The Transfer Limitation Obligation is a codification of the most effective and workable aspects of the solutions currently found in international practice for protecting personal data that is transferred overseas. The Personal Data Protection Regulations 2014 is very clear in permitting the common situations where personal data need to be

29 Personal Data Protection Regulations 2014 (S 362/2014) reg 9(1)(b).
30 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(1)(a).
31 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(1)(b).
32 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(2)(a).
33 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(2)(b).
34 Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 15 July 2016) at paras 19.5-19.6.
35 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(1)(c).
36 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(1)(d).
37 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(c).
38 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(4)(a).
39 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(4)(b).
40 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(4)(c).
41 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(a).
42 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(b)(i).
43 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(b)(ii).
44 Personal Data Protection Regulations 2014 (S 362/2014) reg 10(3)(b)(iii).

transferred out of Singapore. In fact, they reflect the derogations permitting transfers of personal data that were set out in the EU Data Protection Directive 95/46/EC.45

10.19 Indeed, the only shortcoming with the implementation of the Transfer Limitation Obligation may be the standard of protection provided by the Singapore legislation itself: due to the relatively weak protection given by the Singapore legislation, most other jurisdictions with existing personal data protection laws may well offer a comparable level of protection.

10.20 It remains to be seen if the Commission will provide guidance for the purposes of the second requirement in regulation 9(1) by taking the route that the EU has taken over the decades, by declaring the personal data protection laws of certain jurisdictions to be comparable to the protection under the Act in Singapore.46

B. EUROPEAN UNION POSITION

1. EU Data Protection Directive 95/46/EC

10.21 Under the EU Data Protection Directive 95/46/EC,47 if a non-EU country (third country) has an adequate level of data protection, then personal data can flow freely to the third country. The requirement is of adequacy and not equivalence. In accordance with Article 25(6) of the EU Data Protection Directive 95/46/EC, the European Commission is the competent body to assess the level of personal data protection in foreign countries through adequacy findings, and it consults on the assessments with the EU Article 29 Data Protection Working Party ("WP29").

10.22 The European Commission has made an adequacy finding, for example, regarding Canada's personal data protection legislation,48 so this would apply to jurisdictions where the Canadian legislation is applicable. The European Commission also made an adequacy finding for a code of conduct, the US Safe Harbour Privacy Principles.49 The code of conduct was a voluntary scheme where US businesses would comply with the code of conduct. However, this finding of adequacy was challenged in the Court of Justice of the European Union ("CJEU") in Maximillian Schrems v Data Protection Commissioner,50 and the Court in 2015 invalidated the European Commission's decision on the US Safe Harbour Privacy Principles.

10.23 Subsequent to this decision, the EU-US Privacy Shield was created to replace the US Safe Harbour Privacy Principles. On 13 April, the WP29 published its opinion on the adequacy of the EU-US Privacy Shield.51 The WP29 cast doubts on the adequacy of this new scheme but on 12 July 2016, the European Commission formally adopted a decision confirming the adequacy of the EU-US Privacy Shield.52 Organisations in the US may self-certify to the standards set out in the EU-US Privacy Shield from 1 August 2016.

10.24 It is amidst the backdrop of the long-perceived uncertainty of the adequacy of a code of conduct such as the US Safe Harbour Privacy Principles that organisations within a multinational group of companies which need, as part of their business processes, to transfer personal data to and from each other, have taken the route of binding corporate rules. Binding corporate rules are internal rules adopted by a multinational group of companies. These rules state the global policy governing the international transfers of personal data within the same corporate group, as it is often the case that entities within the group are located in countries which do not provide an adequate level of protection as assessed under the EU Data Protection Directive 95/46/EC.

10.25 Under Article 26(2) of the EU Data Protection Directive 95/46/EC, organisations may transfer personal data to a third country which does not ensure an adequate level of protection for personal data if the organisation adduces adequate safeguards with respect to the protection of the personal data, and specifically, such safeguards may come from appropriate contractual clauses. Essentially, having binding corporate rules is an alternative to an organisation having to sign standard contractual clauses each time it needs to transfer personal data to a member of its group as it can become quite burdensome to sign contractual clauses for each transfer made within a group. Binding corporate rules present an alternative mechanism that ensures all transfers made within a group benefit from an adequate level of protection.

45 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 ("EU Data Protection Directive 95/46/EC").
46 Personal Data Protection Regulations 2014 (S 362/2014) reg 9(1)(b).
47 EU Data Protection Directive 95/46/EC, Art 25(1).
48 Commission Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act [2002] OJ L 002/13.
49 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7.
50 Case C-362/14 (6 October 2015) ECLI:EU:C:2015:650, available at <http://curia.europa.eu/juris/documents.jsf?num=C-362/14> (accessed 1 June 2016).
51 Article 29 Data Protection Working Party, WP238, Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision (adopted on 13 April 2016).
52 C(2016) 4176 final, Commission Implementing Decision of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield.

2. EU General Data Protection Regulation

10.26 Under the EU General Data Protection Regulation 2016/679, transfers of personal data to third countries continue to be restricted.53 The European Commission will continue to have the power to determine that certain countries, territories, specified sectors or international organisations offer an adequate level of protection for data transfers.54 The countries which have previously been approved by the European Commission to have adequate protection for personal data will maintain their status unless amended, replaced or repealed by the European Commission.55

10.27 The EU General Data Protection Regulation 2016/679 affirmed the existing methods of transferring personal data that are currently recognised, such as standard contractual clauses.56 Other appropriate safeguards, such as binding corporate rules57 and legally binding and enforceable instruments between public authorities,58 are expressly provided for. Indeed, the EU General Data Protection Regulation 2016/679 sets out a long list of the minimum content requirements for binding corporate rules.59 The EU General Data Protection Regulation 2016/679 also provides two new schemes whereby transfers will be allowed: an approved code of conduct scheme set out in Article 40 and an approved certification mechanism set out in Article 42.

10.28 Under the EU General Data Protection Regulation 2016/679, the derogations permitting transfers of personal data in limited circumstances are similar to existing derogations in the EU Data Protection Directive 95/46/EC.61 These include explicit consent,62 contractual necessity,63 important reasons of public interest64 and vital interests.65

10.29 Given the numerous new schemes and the explicit recognition of existing mechanisms allowing transfer of personal data to third countries, it would appear that the position in the EU is becoming more permissive and enabling of transfers to third countries than it has ever been.

53 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("EU General Data Protection Regulation 2016/679"), Arts 44-47.
54 EU General Data Protection Regulation 2016/679, Art 45(1).
55 EU General Data Protection Regulation 2016/679, Art 45(9).
56 EU General Data Protection Regulation 2016/679, Arts 46(2)(c)-46(2)(d).
57 EU General Data Protection Regulation 2016/679, Arts 46(2)(b) and 47.
58 EU General Data Protection Regulation 2016/679, Art 46(2)(a).
59 EU General Data Protection Regulation 2016/679, Art 47(2).
60 EU General Data Protection Regulation 2016/679, Art 49(1).
61 EU Data Protection Directive 95/46/EC, Art 26.
62 EU General Data Protection Regulation 2016/679, Art 49(1)(a).
63 EU General Data Protection Regulation 2016/679, Art 49(1)(b).
64 EU General Data Protection Regulation 2016/679, Art 49(1)(d).
65 EU General Data Protection Regulation 2016/679, Art 49(1)(f).

10.30 Since Singapore has not yet achieved adequacy status under EU laws, for Singapore organisations wishing to transfer personal data to a related organisation, the use of binding corporate rules would probably be the easiest approach to adopt. For sharing with organisations which do not have any binding relationship with entities, they would need to fall back on contractual solutions. For scenarios, the higher standard of protection under EU law would need to be the governing standard.

C. ASIA-PACIFIC ECONOMIC COOPERATION PRIVACY FRAMEWORK

10.31 At this juncture, it might be useful to mention another framework for the protection of personal data, if only in terms of the value it brings in the arena of transfer of personal data. The Asia-Pacific Economic Cooperation ("APEC") Privacy Framework was adopted in 2004. As a framework, it has significant differences from the EU framework and importantly, the APEC Privacy Framework was firmly located within the context of electronic commerce and a perceived need to avoid policy constructing barriers to information flows.

10.32 The APEC Cross Border Privacy Rules ("CBPR") system is a voluntary, certification-based system that is self-regulatory. It requires participating businesses to develop and implement personal data protection policies consistent with the APEC Privacy Framework. The policies and practices of these businesses are assessed against the minimum program requirements of the APEC CBPR system by an accountability agent. At the time of writing, there were only two accountability agents, TRUSTe in the US and JIPDEC in Japan and thus far, mainly US businesses have applied for CBPR certification.

10.33 There are currently only four participating APEC CBPR system economies: the US, Mexico, Japan and Canada. This number may increase over time, especially since the APEC Electronic Commerce Steering Group and the WP29 have, in 2014, produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules. There is no mutual recognition of both certification systems. The common referential can serve as the basis for double certification for an organisation.70

10.34 The questionnaire would need to be submitted to the respective EU Data Protection Authority, whose approval is needed for binding corporate rules, as well as to the APEC accountability agent, whose approval is needed to be granted CBPRs. It would, therefore, be much easier for businesses to be compliant with both systems, even though the process to obtain approval is different under the two systems.71

68 Cross Border Privacy Rules System, "For Business", available at <www.cbprs.org/Business/BusinessDetails.aspx> (accessed 1 June 2016).

Cross Border Privacy Rules System, "For Business", available at <www.cbprs.org/Business/BusinessDetails.aspx> (accessed 1 June 2016).

al

Border Privacy 1 June 2016).

Rules

System