Is there data protection law in Singapore? What are the penalties for noncompliance? How active is the authority in enforcing the law?
- Yes, there is comprehensive data protection law in Singapore. All private sector organizations that collect, use, or disclose (collectively process) personal data in Singapore have to comply with Singapore’s Personal Data Protection Act 2012 (Act).
- The Act came into full force in July 2014. The Act is expected to undergo significant amendment in 2020. Please contact the authors below to be included in our mailing list to receive timely updates on these developments.
- The maximum financial penalty for a breach of the Act is S$1 million. The highest penalty imposed to date was for the data breach involving SingHealth, where the responsible parties were fined a total of S$1 million.
- The Act is actively enforced by the Personal Data Protection Commission of Singapore (Commission). As of March 10, 2020, the Commission had published 135 of its enforcement decisions. As not all of the Commission's decisions are published, the total number of enforcement cases it has investigated is likely to be significantly higher.
We have employees in Singapore, and we hold and process personal data about them. Do we need to obtain their consent to do so?
- That depends. Generally, consent from an individual is required before an organization can process their personal data. In the employment context, however, an employer can process its employees’ data without consent if:
  - Such processing is reasonable for managing or terminating the employment relationship, which includes using an employee’s bank details for payroll processing, administering staff benefits, monitoring their use of company-issued devices, and posting their photographs in a staff directory;
  - The processing is for evaluative purposes, which includes determining the suitability of an individual for employment, a promotion, or termination of employment; or
  - The personal data is publicly available, for example, on an employee’s LinkedIn profile or blog.
- However, you should notify employees of the purposes for processing their personal data. This can be done by way of drafting appropriate provisions in your employment agreements or templates.
- Moreover, certain types of processing do not clearly fall within any of the above exceptions to consent, for instance, if your business decides to conduct an employee survey and to share the results of that survey with an external management consultancy. In such situations, you should obtain your employees’ consent.
- As for job applicants, it is good practice for an employer to review its job application forms to ensure that:
  - The application does not over-collect any personal data, especially national identification information;
  - The forms contain confirmations by the applicants that they have obtained the necessary consent from any third parties, for instance, character referees, former employers, and family members whose personal data may be disclosed in the forms; and
  - Applicants are notified of any special purposes for which their personal data may be used, such as being shared, at the employer’s discretion, with related entities within the group or with external consultants.
- Employers should also ensure that appropriate data protection provisions are included in engagements with external recruitment consultants.
We are a multinational business and have global data privacy policies. Are there any over-and-above requirements that apply to our Singapore office?
- The answer is yes.
- As a global law firm, we are frequently asked whether – if a business already has global policies to comply with the EU’s General Data Protection Regulation (GDPR) – it needs to do anything “more” to comply with Singapore’s data protection law. While most of the obligations imposed under the Act are not as stringent as those in the GDPR, the Act does impose certain additional requirements, as follows:
- There are special rules governing the collection and use of national identification numbers in Singapore, including foreign identification numbers (for staff holding employment passes) and passport numbers. Such collection or use is only allowed if the law specifically requires it, or if there is a need to ascertain or verify identities to a high degree of fidelity, which is defined narrowly to include public safety reasons, or to avoid fraudulent claims. As the Singapore Employment Act requires an employer to maintain records of the particulars of all of its employees, an employer is allowed to collect and use its employees’ national identification information in Singapore.
- An employer needs to appoint at least one data protection officer (DPO) in Singapore. This is a mandatory obligation under the Act. Other related obligations include:
  - Making its DPO’s business contact information available to the public (for example, on its website);
  - Implementing policies and practices for compliance with the Act and communicating them to its employees;
  - Developing a complaint process; and
  - Making information available on request about its policies, practices, and complaint process.
- While the GDPR governs outbound transfers of personal data from the EU, the Act imposes a separate obligation on entities that transfer personal data from Singapore overseas. Employers in Singapore must ensure that all overseas recipients of employee data are bound by legally enforceable obligations to protect the data to a standard comparable to that under the Act. This is typically done through data transfer agreements (if the recipient is a nonrelated entity) or binding corporate rules (if the recipient is a related entity).
- Currently, the Act is consent based. This means that consent is required to process any personal data, unless an exception applies (for example, if the data is publicly available). The other grounds for processing that are recognized under the GDPR, such as for the controller’s legitimate interests, are not yet available in Singapore. This will soon change, but reliance on such grounds in Singapore could be subject to specific conditions or accountability measures.
Employees are not only data subjects whose personal data we need to protect, but they could potentially also attract liability for our business. How can we protect ourselves from breaches caused by employees?
- Data breaches can be caused by the malicious acts of employees and, more often than not, human error. The issue is exacerbated by the fact that employees are defined to also include volunteers.
- Regardless of how breaches are caused, employers should protect themselves against potential exposure to liability under the Act. This can be achieved by:
  - Having a tailored policy or manual to instruct employees on how to comply with the Act in connection with their day-to-day activities.
    - Tip: The policy must be easy to understand and ready to implement. A policy that is full of legal jargon is unlikely to be read, let alone adopted, by employees. If appropriate, the policy should include all standard forms and templates that need to be adopted. Consider engaging external counsel to assist with the drafting and customization of the policy.
  - Conducting regular training for HR on the policy or manual and the Act.
What do we need to be aware of with our former employees?
- Most employees will have access to some form of personal data held by an employer, for instance, a staff directory, a customer database, or even email correspondence.
- Your employment contract should be well drafted and should specify that the employee is subject to confidentiality obligations that survive the termination of their employment.
- You should also have standard procedures for departing employees, for instance: exit interviews to remind them of their continuing obligations of confidentiality; a requirement that they return all records or materials containing any personal data to which they should no longer have access; and written confirmation of the same.
- Former employees continue to have rights, post-termination, to access or correct their personal data held by an employer. The Act also confers a right on an affected individual (including a former employee) to sue an organization that has breached the Act in the Singapore courts. We therefore recommend that employers have a data retention policy requiring employee records to be purged periodically. The policy might state, for example, that employee records must not be kept for longer than seven years after the last day of employment.
Do you have any other advice for employers on data protection in Singapore?
- In addition to the requirements mentioned above, the Act also imposes other obligations, as follows:
- Accuracy: Employers must reasonably ensure that their employees’ personal data is kept accurate and complete, especially if the data is likely to be used to make a decision that affects employees, or if it is likely to be disclosed to another organization.
- Protection: Employers must make reasonable security arrangements to protect their employees’ personal data and prevent any unauthorized access, processing, or similar risks. These arrangements may comprise administrative, technical, and physical security measures.
- Access and correction: Employees have the right to request access to their personal data held by an employer, as well as to correct it. Such rights are subject to exceptions in the Act, for instance, opinion data kept solely for an evaluative purpose. This may include performance review records for an employee or interview notes for a prospective employee.
- Retention: Employers must cease to retain their employees’ personal data once the purpose of collecting it in the first place no longer applies and retention is no longer necessary for legal or business purposes.
- There is a voluntary, enterprise-wide certification scheme for organizations to demonstrate accountability in data protection in Singapore. Among other things, being certified could help a business increase its attractiveness as an employer in the market. For more information on how to apply, see imda.gov.sg/dptm. Singapore is also a participant in the Asia Pacific Economic Cooperation Cross Border Protection Rules and Privacy Recognition for Processors schemes, which could facilitate cross-border transfers of personal data among the participating economies. For more information, see imda.gov.sg.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2020-089